--- Log opened Thu May 10 00:00:14 2018
00:01 < seven-eleven> hi
00:02 < seven-eleven> where do I add this in ubuntu's network configs? http://dpaste.com/1PT1EM7
00:02 < seven-eleven> if i put it inside /etc/network/interfaces its removed upon reboot, maybe is should put it into /etc/network/if-up.d or /etc/network/interfaces.d/?
00:03 < E1ephant> are you using network-manager?
00:03 < seven-eleven> not using NM
00:03 < E1ephant> in my experience that should absolutely stay, 14/16/18 LTS?
00:04 < seven-eleven> yeah using ubuntu 16.04
00:04 < E1ephant> this is under an interface stanza correct?
00:04 < seven-eleven> yes
00:05 < seven-eleven> maybe my vps provider which uses openNebulo to create my VM, forces to overwrite the interfaces file on reboot
00:06 < seven-eleven> ill try to add my stuff to interfaces.d
00:09 < E1ephant> yeah interesting, I would say yes that is not default behviour
00:15 < seven-eleven> hm, so custom configs in interfaces.d/ aren't deleted, just interfaces file is overwritten
00:40 < luxio> what's the name for that circular connector with one pin in the center that you tighten
00:41 < luxio> nvm its coaxial
00:43 < Evan1929838484> How much do you guys earn being an IT?
00:47 < SporkWitch> Evan1929838484: that's a google question; lots of resources compiling average pay rates
00:48 < Evan1929838484> Yea, but I want to hear it from a peesom
00:48 < Evan1929838484> Working person*
00:48 < SporkWitch> you mean like the people those statistics are compiled from, and has nothing to do with ##networking?
00:49 < SporkWitch> not to mention it being generally considered rude to ask random people what they make
00:52 < luxio> is it possible to buy coax to cat6 and connect the coaxial cable from wan straight to a router through that converter?
00:52 < luxio> or do i need a modem
00:52 < Holo> o.o
00:53 < Holo> luxio to what?
00:57 < luxio> nvm what's the difference between cheap modems and expensive modems
00:57 < luxio> they both do the same thing right?
00:58 < SporkWitch> luxio: https://duckduckgo.com/
01:00 < Artemis3> luxio, i wonder why do you want coax in the first place.
01:00 < luxio> Artemis3: because thats where my internet comes from
01:01 < SporkWitch> ...
01:01 < Artemis3> luxio, the connector is called BNC, they haven't used those in decades. And yes, transceivers did exist for that.
01:01 < Artemis3> luxio, so you mean cable modem?
01:01 < luxio> i dont think its bnc
01:02 < luxio> i googled that and it doesnt look like bnc
01:02 < luxio> i will take a picture 1 minute
01:02 < Artemis3> nah don't bother
01:03 < luxio> https://i.imgur.com/mFRCAmK.png
01:03 < Artemis3> and yes you need your cable modem
01:03 < luxio> that is what i connect my modem to
01:04 < c|oneman> yes?
01:04 < xamithan> Is there another device that does docsis that isn't a cable modem?  If so,  use that
01:04 < Donjuanal> luxio: yes you need a modem. Modem is a modulator demodulator.
01:04 < Artemis3> you can move your cable modem closer, just use a longer coax, there are female/female of those
03:02 < mast> Its a good thing my fiancee is away while I'm buying all this server crap
03:11 < ghostyy> whatd oyu get?
03:38 < neoweb> why would a connection ever give me a 12 second to 20 second ping
03:38 < neoweb> would it not just drop the ping?
03:39 < Criggie> cos the devices between you and it have got buffers
03:39 < neoweb> qos buffers right?
03:39 < Criggie> they don't care how old an ICMP packet is
03:39 < neoweb> I have only ever seen this on a t1
03:39 < Criggie> routers generally only drop ICMP when TTL is expired .
03:39 < neoweb> Can I force them to drop packets?
03:40 < neoweb> set a TTL via firewall rule i suppose?
03:40 < neoweb> I am being told that when I use over 80% of a T1 speed that a t1 will degrade.
03:42 < Criggie>  a T1 is 1.544 Mbit/s right   ?  Not a lot.
03:42 < neoweb> right
03:42 < neoweb> but even when I setup QoS and specify icmp as king, limit the bw to the max
03:42 < neoweb> t1 pings = bad
03:43 < neoweb> I have done 1.25 mbits
03:43 < neoweb> 1 mbits
03:43 < neoweb> etc
03:43 < Criggie> that's probably the acks being delayed
03:43 < Criggie> try adding ACKs to the high prioritisation list.
03:43 < neoweb> did that too
03:43 < Criggie> personally I set http/https to low.
03:43 < neoweb> i mean, this should not be happening if I do it right?
03:44 < Criggie> No idea - I'm not in your position
03:44 < Criggie> But a 1.5 Mbit link should be achieving 90% all the time minimum
03:44 < Criggie> I have 30 Mbit at home and routinely get 33 Mbit out of it.
03:47 < neoweb> dammit man
03:48 < neoweb> teir 2 verizon
03:48 < neoweb> bah
04:49 < Terminus> turtle, ||cw: so i actually checked the latest samba package for freebsd. you're right, it comes with a whole load of options enabled now. that wasn't the case before with samba 3.x.
05:12 < ash_mobile> Do you consider a device which maps ips, "routing"?
05:26 < Logg> ash_mobile, a router passes packets from one network to another.
05:49 < vlad_> hello
05:51 < vlad_> So I setup an environment which can be VPN'd into, I want to limit this so that only one VPN connection can be established at anytime from each .ovpn config file. However, I know people could broadcast their tun0 or tap0 or w/e ifconfig interface pertains to the VPN connection via an external NIC and thereby have multiple connections while it appears to be only one established VPN connection. Is there a way to prevent this?
05:53 < CHENG08> guys can you help about openwrt in linksys e1200 I cant access the web gui and ssh. When I try to reset it using failsafe mode its not working
05:57 < CHENG08> I try all the method on google but it still not working.
06:01 < CHENG08> guys can you help about openwrt in linksys e1200 I cant access the web gui and ssh. When I try to reset it using failsafe mode its not working?
06:02 < mast> Have you tried connecting your computer directly to the router?
06:02 < mast> And attempting the webgui that way,
06:03 < mast> If yes, have you tried a full system reset CHENG08
06:03 < mast> I had to deal with something similiar on my e3000
06:08 < jair> Hello there I am looking at one of the stack switches in one and and another stack switch on one of our chassis and I see lights on all ports going nuts
06:08 < skyroveRR> You have a loop somewhere, jair
06:09 < jair> skyroveRR: I believe so
06:09 < skyroveRR> Remove all the cables one by one, and check.
06:09 < CHENG08> mast: yes i try to use lan to connect on the router
06:09 < jair> I am wondering what will be the best way for me to do a packet capture
06:09 < skyroveRR> jair: you can't, in a dumb switch.
06:09 < jair> skyroveRR: right
06:09 < skyroveRR> It does not have packet mirroring.
06:09 < mast> And you've tried connecting using the Routers IP address?
06:10 < jair> skyroveRR: that is what I was trying to find out, what can I do to isolate the issue and identify what is causing it
06:10 < CHENG08> yes I configure ip4 to 192.168.1.1
06:10 < mast> My other suggestion would be a full reset. Which would be, while the router is powered on, pressing and holding the RESET button for 10 seconds,
06:10 < skyroveRR> jair: only option is to unplug all the cables, and see if the craziness is stopping.
06:10 < jair> skyroveRR: I am thinking about connecting to the switch via console and check the logs?
06:11 < mast> Powering the device off, and then power it up while also pressing the reset button
06:11 < mast> That's what I had to do to get mine to stop all that nonsense
06:11 < CHENG08> mast: I try it but not working
06:11 < jair> skyroveRR: you mean unpluging all the clients I have connected in the switch hmm :(
06:11 < skyroveRR> jair: you haven't told us whether it's a managed switch or not, so it's kinda hard to answer your question.
06:11 < CHENG08> before when dd-wrt is installed on my router it works but when I change to openwrt not working
06:12 < skyroveRR> jair: I'm assuming you have a dumb switch. And in dumb switches, that's the only way
06:12 < jair> skyroveRR: this is a production environment and this will require letters and outage notice to everyone :(
06:12 < jair> skyroveRR: the switches are DELL
06:12 < mast> So you have tried this full reset that I just suggested? CHENG08
06:12 < jair> I can pass the exact models
06:13 < skyroveRR> jair: managed or unmanaged?
06:13 < CHENG08> mast: yes I try it.
06:13 < jair> skyroveRR: managed
06:14 < skyroveRR> But are they configured per port?
06:14 < jair> skyroveRR: the switch has an IP address configured and they also have bgp configured as well
06:14 < jair> skyroveRR: yes, they do support vlans
06:14 < jair> let me share the models
06:14 < skyroveRR> What's the configuration of each port?...
06:15 < CHENG08> mast: other solution to reset the router openwrt?
06:16 < jair> skyroveRR: hold on please
06:16  * skyroveRR holds on..... to what? This isn't a phone call.
06:18 < CHENG08>  guys can you help about openwrt in linksys e1200 I cant access the web gui and ssh. When I try to reset it using failsafe mode its not working?
06:19 < mgolisch> are loops even a thing with (m/r)stp? i always thougt it would just shutdown a port that would form a loop
06:19 < jair> skyroveRR: I will share the details via a paste site
06:19 < jair> skyroveRR: sorry for the delay though
06:20 < skyroveRR> jair: I'll be gone in 2...
06:20 < jair> :(
06:20 < jair> skyroveRR: http://paste.debian.net/1024077
06:21 < skyroveRR> Yeah, not configured in any way.
06:21 < skyroveRR> You'll have to do it the old (hard) way.
06:21 < skyroveRR> Unplug it all, see if the loop stops
06:22 < jair> skyroveRR: I see OK
06:23 < jair> skyroveRR: thank you for the help
06:23 < skyroveRR> * Not configured in any way to avoid a loop.
06:23 < jair> skyroveRR: http://paste.debian.net/1024077
06:23 < skyroveRR> Hm?
06:23 < jair> skyroveRR: should I add to all the ports spanning tree?
06:23 < jair> I know stp will prevent loops?
06:24 < jair> or add it port by port and see?
07:00 < z3t0> hi, what is the right place to ask about configuring servers, vmware, and windows server related questions?
07:03 < light> just ask away, no one else is talking
07:05 < z3t0> Alright
07:05 < z3t0> I am learning about servers and ansible etc
07:05 < z3t0> So far I have been given access to home server that is running on windows server
07:05 < z3t0> From there I can use vmware vsphere to setup virtual machines
07:05 < z3t0> Now, my current workflow is to rdp into the windows server, and then ssh into the other servers from there
07:06 < z3t0> Is it possible to skip the rdp, and ssh directly from my machine?
07:06 < light> yes
07:06 < z3t0> Currently the IP I am using for ssh is a local one
07:06 < z3t0> So I am assuming there must be some way to bind it to the rdp ip so that is externally accessible
07:07 < light> you could just give that IP to the VM you want to SSH into
07:07 < light> if you only have 1 IP and you want to access multiple machines you will need to port forward
07:07 < z3t0> There are multiple vms running on that server
07:08 < z3t0> Okay thanks, I'll do some searching on how to port forward
07:24 < neoweb> it looks like a bad interface configuration and possibly a bad ethernet cable too fyi
07:50 < vlad_> So I setup an environment which can be VPN'd into, I want to limit this so that only one VPN connection can be established at anytime from each .ovpn config file. However, I know people could broadcast their tun0 or tap0 or w/e ifconfig interface pertains to the VPN connection via an external NIC and thereby have multiple connections while it appears to be only one established VPN connection. Is there a way to prevent this?
07:53 < detha> vlad_: short answer: no. longer answer: some commercial vpn clients (anyconnect for example) have options to forbid that, which they implement by fucking with the client's routing tables.
08:10 < password-1> hi
08:11 < password-1> is there a way i can now the mac adress of the switch my computer is plugged in ?
08:11 < password-1> I have a need to for devices to know where they are plugged in automagically
08:12 < detha> managed switch? can it do LDP or CDP ?
08:13 < password-1> might be managed
08:13 <+pppingme> if its not managed, it doesn't have a mac address..
08:13 < password-1> someone asked me in passing , and I've been pondering if it is possible
08:13 <+pppingme> what switch?
08:13 < password-1> idk
08:14 < password-1> 'My responses are limited"
08:14 <+pppingme> switches don't need a mac to operate, the mac address on a switch is only for the purpose of management
08:14 < password-1> i though each port had a macadress?
08:14 <+pppingme> nope
08:14 < linux_probe> lol
08:14 < linux_probe> snort my port
08:15 < password-1> hmm
08:15 < password-1> tehn my networking knowledge is skewed
08:15 < linux_probe> pooed
08:15 < myxenovia_> how can I reset openwrt I try failsafe but not working?
08:16 <+pppingme> only for management, interactive management like ssh, www, etc, or infrastructure management (lldp, etc)
08:16 <+pppingme> for actual doing its job as a switch, not needed..
08:16 < myxenovia_> I use ssh and the web gui but I cant access it.
08:16 < password-1> but the switch do know which mac are on which ports internally?
08:17 <+pppingme> it learns by listening..
08:17 < password-1> yeah , that i remember
08:17 < password-1> and to the computer all macs is on the 1
08:17 < password-1> port
08:18 <+pppingme> it only needs to know where other mac's reside, so it knows where to forward traffic..  none of that requires that it actually have a mac
08:18 < password-1> what is LDP or CDP then?
08:18 <+pppingme> lldp is link layer discover protocol, cdp is just a branded similar protocol
08:29 < vlad_> detha: Would it not be possible to coun't the MAC addresses to see if their are multiple users connecting over on VPN connection?
08:29 < vlad_> count*, there*
08:30 < Mead> Vlad:  no, mac addresses get stripped when it hits layer 3
08:31 <+pppingme> If your vpn is operating at Layer2, its setup wrong
08:32 < Mead> a VPN gateway opperates at layers 3 and above anyway.
08:32 < phocking> Mead: unless it's mpls-vpn operating at the magical layer 2.5 lulz
08:33 < vlad_> Mead: Oh okay, so there's basically no way to protect from multiple connections over one .ovpn config (if the interface is broadcasted by an external NIC allowing multiple users to connect to the VPN service)?
08:36 < detha> vlad_: people will just hang a bunch of clients behind NAT. You can usually spot it in the traffic patterns if you look closely, but not guaranteed
08:37 < detha> Mead: L2 VPNs are a thing too
08:37 < Mead> I'm not horribily familure with .ovpn, but I know if someone wants to hide a load of clients behind a IP running PAT you really can't do anything about it without some form of packet inspection after it leaves the otherside of the gateway.
08:37 < myxenovia_> guys can you help me about openwrt I change the config br_wlan to wlan0 the default is set to eth0.
08:37 < Mead> myxenovia_ there is a openwrt channel that could be more helpful
08:39 < myxenovia_> okay sir Mead thank you.
08:40 < Mead> myxenovia_, good luck I know they can be helpful.
09:41 < regdude> HI! In switches, there are uplink ports and (???) ports. What are the opposite ports called?
10:07 < jurislav> anyone can recommend an ldap server for proxying multiple backends together, so they appear as a single sync source?
10:22 < Apachez> what about an ldap proxy?
10:23 < Apachez> but I doubt you can do it over the same port for all
10:23 < Apachez> how will you handle collissions?
10:29 < detha> regdude: 'ports'. In some cases, you could say 'access ports'
10:30 < regdude> detha: I don't like the name access ports since that is more used for VLAN setups. How about uplink and isolated ports?
10:31 < detha> isolated ports? I would only use that in PVLAN setups
10:32 < regdude> detha: true, how about downstream ports?
10:34 < detha> regdude: downstream sounds like aggregation layer to access layer in traditional setups. What is wrong with just 'ports' ?
10:34 < marktiell0> Could anyone please take a look at this weird SSL issue? https://stackoverflow.com/questions/50267953/android-socket-proxy-server-randomly-fails
10:34 < detha> As in, no specific function, connect to it what you want
10:36 < regdude> detha: dunno, seems like there must a decent name for ports that are not uplink ports, I guess will need to stick with just ports
10:39 < regdude> did a US navy ship cut off a optical line in the ocean?
10:41 < mast> Why is Netflix buffering now
10:51 < Apachez> regdude: again?
10:54 < regdude> last time I think it was India and almost started WW3
11:16 < GodOfSea> Hi
11:16 < GodOfSea>  anyone got a link or tutorial on how to add a new user/ email to an existing postfix config
11:23 < light> you don't need to edit the postfix config to add users
11:24 < Kryczek> indeed, and iirc you add the firstname.lastname addresses as aliases (since usernames usually look like flastname)
11:26 <+xand> thye do?
11:27 <+xand> that's a terrible username format
11:27 <+xand> people can chnage their name and then their username would be "wrong"
11:28 < Apachez> whats your flastname?
11:28 < Kryczek> xand: what other format are you thinking of?
11:28 < Apachez> let the users have a random num
11:28 < Apachez> user00029938
11:28 < Apachez> and then alias their name to that
11:29 < Apachez> so when they go SJW and change gender and whatelse all you have to do is to append another alias
11:29 < Kryczek> yeah but then you'll have a never ending queue of people at the IT helpdesk because they forgot their username
11:29 < Apachez> why would you?
11:29 < Apachez> the users have smartcards to login
11:29 < Apachez> all they need to remember is their pincode
11:30 < Apachez> they will never have to care about usernames and passwords
11:30 < Kryczek> hah! I have been recommending that everywhere for years, nobody cares :(
11:30 < irwiss> wonder how people like nobody even survive on irc with a nick like that :P
11:31 < Kryczek> especially now that you can merge building access control badges with computer access smartcards, notably with dual interface (contactless & contactful) cards
11:38 < djph> Kryczek: nobody cares, because the suits are too dimwitted to see why it's a good idea (or how much money they're wasting because *the users* suck)
11:42 < Kryczek> yeah :/
11:44 < djph> they just see that *you* spent 80 hours last pay-period doing "???????" so you're a cost-center
11:45 < djph> had one BOFH who was on good terms with the CEO, he got OK'd to use "dealing with people who should know better in YYYY" as a time bucket (we just had to tag tickets into it on the sheets)
11:45 < Kryczek> djph: yep... and those 80 hours were probably spent writing emails trying to convince people that "password" is not a good domain admin password, and that sort of waste of time
11:47 < djph> I was only there for like 2 years (college) - but there was a *sharp* decrease in luser behavior by the end of it.
11:49 < djph> I mean, there were still a couple of "un-firables" who kept being able to be useless, but the rest of them became competent enough that we got christmas bonuses, since the CEO realized the only reason they got whatever couple of contracts in at the "early bonus" was because we were allowed to use a clue-by-four
11:49 < Kryczek> djph: how where the users encourages to change? The time bucket slots were attributed to each user who wasted the operator's time?
11:50 < Kryczek> lol I didn't know the clue-by-four expression, love it
11:54 < djph> Kryczek: "users are useless" bucket -> notes -> list the tickets
11:54 < Kryczek> :)
11:55 < djph> it effectively got sold as a "hey look, we know helping them is our job, but we're burning 20+ hours a week dealing with 'I'm too stupid to remember to breathe' type issues"
12:04 < djph> and once we proved that the major "delay" wasn't "IT are meanies" ... well, CEO started taking a hard line on "computer issues" as an excuse
12:19 < darsie> What are better keywords to search for 'mobile router vpn'?
12:22 < darsie> cellular, 3g
12:23 < darsie> Is VPN common in cellular routers?
12:24 < djph> darsie: what're you trying to do?
12:25 < darsie> Connect a device (e.g. raspberry pi or microcontroller with wifi) to a VPN via a cellular router.
12:27 < darsie> Trying to find out if an EPS8266 or EPS32 is viable for this.
12:28 < darsie> Or if the VPN has to be implemented in the EPS.
12:32 < djph> the device using the network needs to do the VPN
12:32 < djph> I mean, I don't fully recall how the EPS works - it's more than just a "dumb(tm)" bridge, isn't it?
12:32 < darsie> I read about routers doing VPN and devices connecting to the router with wifi.
12:33 < Apachez> I read about big breasts
12:33 < Apachez> doesnt mean they are good
12:34 < djph> darsie: sure, if the router has a VPN client, and then routes downstream (wifi) clients over that VPN connection
12:34 < djph> Apachez: because you're *reading* about them.  "A picture is worth 1000 words"
12:36 < darsie> ESP8266 *
12:36 < djph> darsie: sounds like you need (1) a Cellular modem (2) A router that can do VPN, and (3) a wifi access point for a client device, right?
12:37 < darsie> I haven't dived too much into the ESP. It's a wifi enabled SoC with a scripting language (NodeMCU – A Lua-based firmware.) https://en.wikipedia.org/wiki/ESP8266
12:38 < djph> yeah, I know
12:38 < djph> have one around here somewhere, I think.
12:38 < darsie> Then you are ahead of me :).
12:39 < djph> can't remember if I pulled the trigger on it though when I got all the other bits
12:39 < darsie> We're trying to decide using that or something with Linux.
12:40 < djph> anyway, for your modem / router / ap - look into say a Cradlepoint.  They're not cheap by any means, but they do everything you listed (IIRC)
12:41 < jurislav> does freeradius support password expiration?
12:41 < Apachez> I doubt it
12:42 < Apachez> thats for the software using the ldap server to maintain
12:42 < djph> jurislav: I *think* so; although it may actually rely on an outside service (e.g. LDAP backend)
12:42 < regdude> darsie: we have been playing around with ESP, for now it seems to be quite limited, a VPN might not be possible. We did manage to make a wifi connection
12:42 < Apachez> you could do this on your own with a script
12:42 < djph> regdude: they are - I mean, they're intended for low-power arduino projects, afterall
12:42 < djph> well "intended for"
12:43 < Apachez> jurislav: see freeradius as a dbserver
12:43 < Apachez> same as mysql uses sql as api and myisam (among others) as table format
12:43 < Apachez> freeradius uses radius as api and ldap as table format
12:45 < djph> I'm not sure "LDAP" is actually a table format
12:45 <+xand> it's not
12:45 < djph> maybe you meant x.500?
12:46 < Apachez> well whatever
12:46 < Apachez> its up to you what you fill in those tables and how to use them
12:46 < djph> I think it's x.500 ... x.509 is what's on certs, and that looks different ...
12:46 < Apachez> freeradius just serves the data same as mysql in this context
12:46 < djph> meh
12:48 < darsie> djph: Right now we use a cellular modem/wifi router and a pi with vpn. I don't think we'll use cradlepoint.
12:48 < djph> darsie: then it sounds like you have what you need
12:48 < jurislav> trouble is, freeradius doesn't allow me to connect to the network, unless a valid password is specified, does it? and a valid pwd doesn't exist once it's expired in the backend (ldap, ad...). at least this is how I understand it, and i'd expect many people dealing with this, but to my surprise, googling isn't getting me anywhere :/
12:48 < darsie> Yeah, but I've been asked to look for more reliable solutions.
12:48 < darsie> "industrial"
12:48 < djph> darsie: Cradlepoint.
12:48 < darsie> k
12:49 < darsie> That doesn't eliminate the pi.
12:49 < djph> Okay, now I'm confused
12:49 < darsie> I think they are concerned about the reliability of the pi.
12:50 < Apachez> darsie: here you got more reliable solutions: http://www.consilium.europa.eu/en/general-secretariat/corporate-policies/classified-information/information-assurance/eu-restricted/
12:51 < djph> darsie: Okay, so you have a cell router already, great.  The RPi is doing ... what, exactly?
12:51 < darsie> turning something on and off.
12:51 < darsie> with gpio.
12:51 < djph> darsie: I misunderstood before, and thought the Pi was acting as the router
12:51 < Apachez> why dont you let the rpi doing the vpn too?
12:52 < Apachez> new rpi's have two rj45's too
12:52 < darsie> Apachez: We do, but it seems they think the pi is unreliable, as in might crash or so.
12:52 < djph> OK, you're not going to find anything much better than that solution.  I mean, an "industrial" solution would probably have a ton of extra RF shielding, and a warranty against catastrophic failure (i.e. it would fail "safe" on the machine it's runnign)
12:53 < djph> which, may be worth it, depending on what the "thing" it's power-cycling is.
12:56 < Apachez> darsie: so if it crashes then you have nothing to use your vpn anyway so point being?
12:56 < Apachez> you have the "industrial" solutions above when it comes to vpn
12:58 < darsie> Apachez: They appearently want to replace the pi (which turns the thing on and off) with something more reliable which will not crash for years.
12:59 < darsie> the pi is the wifi client
13:00 < Apachez> you are doing it wrong
13:00 < Apachez> use two rpi's then?
13:00 < Apachez> one as cold standby
13:00 < Apachez> problem fixed
13:00 < Apachez> NEXT!
13:04 < detha> darsie: there are industrial modems that do VPN, can switch the odd thing on or off, and some have a built-in wifi access point. Different price class than a raspberry though
13:06 < darsie> detha: That's cool, but there may be several things in one location and we don't want a separate cellular router in each one, I think.
13:06 < darsie> Rather connect 4 things to one router.
13:07 < detha> router and ethernet?
13:07 < darsie> cellular modem/router/wifi
13:07 < darsie> in one box
13:08 < detha> that's one device, hook the other points up to it via wifi or ethernet
13:08 < darsie> yes
13:11 < detha> darsie: I would use one of the cheaper 3G modems, Maestro E200 or E220 or so, hook odd devices up to it over the wifi
13:11 < Apachez> your mum is sweatty and you eat hear spaghetti
14:39 < Apachez> https://www.youtube.com/watch?v=dJRsWJqDjFE
15:28 < MrNaz> assuming the same hardware, will I get better performance if i use a NAS as an iSCSI target than if i just use it as a SMB share? If so, how much of a difference?
15:32 < Assid> hi, so im re-evaluating a few things. i was just wondering would it make more sense to host your own DNS servers, or use free ones .. like dyn / he .. etc
15:33 < cluelessperson> MrNaz: depends, also, I think you'll find it slightly more difficult to manage/backup iSCSI depending on the size.  Also, I would suggest NFS over SMB
15:34 < Assid> 1 major advantage of your own.. is you can move your dns around .. /interchange servers without really any down time . since the records are already present.. doing that with changing free dns providers would be much much more difficult
15:37 < MrNaz> Assid realistically, even free DNS providers have propagation time that is measured in minutes
15:37 < MrNaz> do you change DNS settings often enough that you can't plan around that?
15:38 < Assid> MrNaz: currently i run my own with a free slave from dyn .. but the propogation time is pretty slow
15:39 < MrNaz> cluelessperson what are the advantages of NFS ?
15:39 < Assid> i was planning to having my own subdomains etc running a dyn type script.. but i scrapped that for dyn anyways.
15:43 < eto> hello does anybody know about other reasonably priced network taps (besides sharktap) ?
15:49 < MrNaz> if i understand correctly, you can get the same functionality if you have a good switch by turning on port mirroring
16:01 < OnkelTem> Hi al
16:02 < OnkelTem> I have problems with my OpenVPN connection on Kubuntu 17.10. I have it configured in NetworkManager, it's a regular OpenVPN connection. For some reason once I start it, it just disconnects after few seconds
16:03 < OnkelTem> https://apaste.info/xfj6 - this is how it looks in logs
16:04 < OnkelTem> From user perspective it looks like it disconnects when I try to "use"  it
16:04 < OnkelTem> For example, when I open a page in a browser
16:04 < OnkelTem> And this connection is not the only one which I have problems with. Before I had the same behaviour with so called "StaticVPN" service
16:05 < OnkelTem> There is used just pptp
16:15 < ||cw> OnkelTem: connection reset could be anything between you and the provider.  is your ISP connection pretty stable?
16:16 < ||cw> maybe you can up some timeout value in the openvpn config?
16:20 < OnkelTem> ||cw: can it be related to MTU size?
16:20 < OnkelTem> ||cw: well, connection is stable enough, it is a 4G one
16:20 < ||cw> why does everything think everything is MTU related?
16:21 < ||cw> mtu is pretty much never the problem unless you've set it to something oddball
16:21 < OnkelTem> Sorry was disconnected
16:21 < OnkelTem> ||cw: can it be related to MTU size?
16:21 < OnkelTem> ||cw: well, connection is stable enough, it is a 4G one
16:22 < ||cw> mtu is pretty much never the problem unless you've set it to something oddball
16:22 < OnkelTem> I don't set it at all - neither in server config not in the clients one
16:22 < OnkelTem> nor*
16:22 < djph> ||cw: or you're using something oddball, like VPN over xDSL, or xDSL itself, or a cell 3/4G modem ...
16:23 < OnkelTem> djph: what's wrong with 3/4G? This is my case
16:25 < djph> OnkelTem: just that *sometimes* they do funny things with MTU, because of encapsulation overhead.
16:26 < OnkelTem> Oh that, yeah I'm familiar with DSL related mtu issues  :)
16:27 < OnkelTem> 10 years ago I had to use something like 1420 or near
16:27 < djph> yeah, it's usualy like 149x with 1452 mss-clamp
16:27 < OnkelTem> But it worked anyway, just that some websites didn't work becaue of the fragmentation
16:30 < regdude> Anyone had success setting up bonding with arp ip target in Debian?
16:32 < regdude> I have seen some 3G/LTE modems do weird stuff when receiving packets over 1480 bytes long
16:35 < ||cw> regdude: balance-alb?  I think I've done it once
16:35 < ||cw> I usually just bond for switch redundancy though
16:36 < regdude> nvm, I needed to remove bond_miimon value, for some reasons I think arp_ip_target will override it
16:36 < regdude> obviously it does not
16:41 < OnkelTem> Lol, I just had a call with mobile operator and they told me that haven't been paying for this number for about 5 months and then I shouldn't have Internet at all
16:42 < OnkelTem> So probably they deliberately drop openvpn connections due to this limitation
16:43 < CarlosSutana> hello . can someone help me with an issue? i have a tp-link 1043ND router. in this router i have connected my PC and an Allied Telesis AT-FS750/16 managed switch
16:44 < Apachez> CarlosSutana: good for you, and the question is?
16:44 < CarlosSutana> the problem is that when i start the PC it won't connect to the internet unless i unplug / disconnect the switch from the router
16:44 < regdude> RSTP?
16:44 < regdude> or BPDU/Root guard
16:45 < CarlosSutana> adn if i try to acces the router on 192.168.0.1 it points me to the management interface of the switch
16:45 < waqstar> In windows, when I want to ping IP 10.1.0.11, how do I reroute this so the traffic actually goes to a different IP address. Basically map 10.1.0.11 to another ip address instead?
16:45 < regdude> somebody has a conflict
16:46 < CarlosSutana> regdude sorry but idk what is rstp ( real time streaming protocol maybe )
16:46 < Apachez> so how did you configure this switch?
16:46 < Apachez> how do you connet everything?
16:46 < Apachez> which are the interface settings for each box?
16:46 < CarlosSutana> Apachez i did not configure it at all jus bought it second hand and used it
16:46 < Apachez> like link/duplex along with ip/subnet/defgw/dns
16:46 < regdude> CarlosSutana: ignore RSTP and BPDU guard, you have an IP conflict, change one address
16:46 < Apachez> well then you should check the settings first
16:47 < Apachez> most likely some ip conflict
16:47 < ||cw> CarlosSutana: so you configured the switch's management interface to 192.168.0.1? that's a problem
16:47 < regdude> waqstar: one way is to add a switch or a router that will rewrite this address
16:47 < Apachez> or vlan configured so your box cannot reach your tplink
16:47 < CarlosSutana> the problem is i don't have the credentialss for the switch
16:47 < ||cw> waqstar: you don't
16:48 < ||cw> waqstar: what are you actually trying to do?
16:48 < ||cw> CarlosSutana: factory reset it
16:48 < CarlosSutana> ||cw i would but i checked and it does not have a reset button wtf ??
16:48 < CarlosSutana> do i have to open it ?
16:49 < CarlosSutana> maybe it is inside the case ?
16:49 < waqstar> regdude, what about without a router, i.e. in windows only. I have an application hardcoded to use 10.1.0.11, however this IP has moved to 10.1.0.12 and the application has not yet been updated (will be in a few days). 10.1.0.11 doesnt exist anymore so I want to map/route 10.1.0.11 to 10.1.0.12 locally on Windows
16:49 < ||cw> CarlosSutana: or, change the IP block of your LAN on the router.  192.168.0 is overused anyway
16:49 < waqstar> ||cw, ^
16:50 < ||cw> replace that 0 with any number you want as long as it's less then 256.  or use a 10.x.x range
16:50 < ||cw> waqstar: you can't add .11 as an additional IP to the server?
16:51 < ||cw> waqstar: and while you're making changes, reconfig the app to use a DNS cname instead of an IP, then you'll never had to deal with this again
16:51 < waqstar> ||cw, Thought of that, but this is in aws and they allow you to have only 2 Ip's per interface, this server already has a second IP assigned at 10.1.0.31 (for a different purpose)
16:51 < CarlosSutana> ||cw i will try to change the ip of the router . i hope i won't fuck up something . i'm a complete noob on networking
16:52 < ||cw> waqstar: if you don't have local DNS, you can use hosts files
16:52 < CarlosSutana> i would put 192.168.1.1
16:52 < ash_work> anyone have experience with rancher-os? do you use user accounts or just expect people to log in as `rancher@rancher` ?
16:52 < waqstar> ||cw, Well i did try and tell the developers this but they didnt want an "extra overhead" of dns.
16:52 < ||cw> CarlosSutana: change the DHCP first, then change the router IP and save/reboot once.  then release/renew your PC
16:53 < ||cw> waqstar: lol
16:53 < waqstar> But in any case, is there a way to do what im trying? I know it sounds stupid but maybe at firewall level etc?
16:53 < ||cw> your devs are idiots
16:53 < ||cw> no, there is no way to what you want.
16:53 < waqstar> ||cw, oh mate, dont get me started on my devs. They are a bunch of wankers
16:54 < waqstar> ah man. ok thank you ||cw
16:54 < ||cw> your devs premature optimization is costing you downtime
16:54 < ||cw> bill then for it.
16:54 < waqstar> exactly. and i always get the blame
16:55 < waqstar> i said use dns. it can return multiple ip's and we can turn off servers and move ip's with ease. but they had none of it
17:08 < FireSnake> hi. if a router drops ip fragments, is it a practice or a "MUST" in some rfc to also send an icmp message to the originating host?
17:09 < darsie> FireSnake: That might add to the load of an overloaded link.
17:10 < regdude> FireSnake: RFC is not a must, IEEE is a must. As far as I know, none routers does that, then again many people filter out almost all ICMP messages
17:13 < FireSnake> what i'm asking is: is it common to not inform the sender that you dropped his packet?
17:14 < FireSnake> i mean, is it widely adopted to not inform, or is it widely adopted to inform?
17:14 < regdude> quite common, yes. Mostly set action=drop instead of action=reject
17:15 < FireSnake> when i say 'router', i mean not a home router but isp grade
17:15 < FireSnake> sorry for not saying that first
17:15 < djph> If you DROP the packet, the whole idea is it disappears silently.
17:15 < regdude> ISPs tend to drop everything that they don't like silently
17:15 < FireSnake> ofcourse, but i want to understand if majority drop or reject
17:16 < regdude> this does keep the link less crowded
17:16 < djph> If something else happens (e.g. a packet with the Don't Fragment flag set) that causes a problem, then send a "heyo this isn't gonna work" response to the sender.
17:16 < FireSnake> no, the DF is not set
17:16 < FireSnake> (in my case)
17:18 < FireSnake> isp was dropping a single large fragmented udp packet. i kept banging my head until i setup the ipsec client to use ike fragments before sending the data to the wire
17:18 < djph> I'd only ever consider "reject" on trusted networks (e.g. my lab, or the IOT network ... well, not that I trust it, but you get the idea)
17:18 < djph> UDP is a bit weird, since it's stateless
17:52 < CarlosSutana_> ||cw thanks for the advice . i changed the LAN IP of the router . i will see it there is still a conflict next time when reboot the PC
17:53 < CarlosSutana_> as for the switch , idk why they designed it withour a reset button
17:54 < CarlosSutana_> this is kind of stupid but at the same time is a security measure
17:54 < CarlosSutana_> but i saw the newre models have a reset button
17:55 < Wernis> Hello. I have an AWS machine running ubuntu, I have pointed my domain to the machine. How do I run a service on a port (say 17171) and connect to it via something like domain.xyz:17171? (Without using nginx)
17:56 < Wernis> I have a Minecraft server on it at 25565 and I can connect via a client just by using domain.xyz and somehow Minecraft knows what port. I am a little lost understanding how this works.
17:59 < tpr> maybe it's the default port for minecraft?
18:00 < Wernis> Yes that is correct. 25565 is the default port. Is there a way I can make my applications default port 17171?
18:00 < tpr> minecraft also supports srv records, but if you haven't touched your dns that's not the cause I suppose
18:01 < tpr> you modify your application to use that as a destination port
18:02 < Wernis> So somewhere inside my application it would have to connect to my domain and application like domain.xyz:17171 knowing* that 17171 is the default, is that right?
18:03 < tpr> no, generally you use some sort of highlevel socket api which allows you to use hostnames (which resolves domain.xyz to the ip address), and you pass any port you want to use as where to connect to on that host
18:04 < Wernis> Genius. So I don't connect directly to the domain, I resolve it first. That's awesome. Because my application works if I use IP:Port. Thanks man, I really application it!
18:06 < tpr> yes, check out getaddrinfo() if you are doing some low-level stuff
18:06 < tpr> usually it's simply better to let some higher-level library handle all those nasty details tho
18:23 < n0c> anyone here in an AD environment where you're using a non microsoft dhcp server? wondering about getting dns zone updates done from for instance, a fortigate
18:24 < n0c> microsoft dhcp has always and continues to suck badly, but it's nice to have the secure dynamic dns updates handled
18:24 <+pppingme> what issues do you have with ms dhcp server?
18:24 < n0c> it being crappy
18:24 < n0c> management / querying wise
18:25 < n0c> surely i am not the first person you've heard this sentiment from right?
18:25 < n0c> anyway, that isn't the question.. just looking for folks who have done this well / successfully
18:25 <+pppingme> not that I'm a ms fan boy, but this is an area that when there are issues, it tends to be the person behind the server's keyboard, not the service itself..
18:26 <+pppingme> in an AD environment, you're best to let MS do its thing, on all parts
18:26 < n0c> so I assume you've run several dhcp services then, and you are of the mind that Microsoft's is... good?
18:26 < n0c> right
18:27 <+pppingme> Its not my favored, but in an MS AD environment, its really the only thing that works smoothly, and when it doesn't, its always an issue with the admin, not the service
18:27 < GenteelBen> n0c, I strongly recommend migrating to MS-DHCP servers.
18:27 < GenteelBen> However
18:27 < GenteelBen> 3rd-party DHCP should be just as good.
18:27 < n0c> gee whiz thanks
18:28 < GenteelBen> What does DHCP have to do with DNS zone updates?
18:28 < n0c> anyway if anyone has a clueful response drop me a line. thank you
18:28 < GenteelBen> Ok, go fuck yourself.
18:28 < skyroveRR> lol
18:28 < GenteelBen> He might be using DHCP reservations on servers.
18:28 <+pppingme> n0c you still haven't stated what your actual problem is, just seems you have a vendetta against MS
18:28  * GenteelBen twitches
18:29 < GenteelBen> There's nothing special about MS-DHCP - it's a standard implementation. It's just much easier to manage than foreign DHCP services.
18:29 < GenteelBen> E.g. MS-DHCP integrates into MS' IPAM role.
18:29 < GenteelBen> Has anybody here used NordVPN? I'm weighing up my VPN options.
18:30 < GenteelBen> My thinking: buy a Synology RT2600AC router, configure a VPN service on it, and rest easy.
18:31 <+pppingme> why do you think you need a vpn?
18:31 < GenteelBen> pppingme: privacy. UK has intermittently looked at central registers for people who want to look at porn online, and I figure I'll beat them to the punch and just go dark.
18:32 < GenteelBen> privacy/piracy, I forget which.
18:32 <+pppingme> you realize that just attracts their attention, right?
18:32 < GenteelBen> Well, NordVPN is based in panama and doesn't log anything.
18:33 < GenteelBen> Also, posting a tweet being critical of government censorship is more likely to garner their attention than the ISP noticing you're using a VPN.
18:33 <+pppingme> ha ha ha ha, doesn't log anything, you actually believe that?
18:33 < GenteelBen> Yes. The risk is that they become compromised and then start logging stuff.
18:34 < eahm> https://torrentfreak.com/vpn-services-keep-anonymous-2018/
18:34 <+pppingme> no, thats not a risk, thats a guarantee!
18:34 < GenteelBen> Yeah that's the one I looked at eahm.
18:34 < eahm> :)
18:34 < GenteelBen> "Express VPN International Ltd. is a BVI (British Virgin Islands) company. Being under BVI jurisdiction helps to protect user privacy, as the BVI has no data retention laws, is not party to any 14 Eyes intelligence sharing agreements, and has a dual criminality provision that safeguards against legal overreach."
18:34 < GenteelBen> This one looks more promising.
18:34 < GenteelBen> The UK government will never, ever threaten the BVI's status as a tax haven and wild west for all things.
18:35 < GenteelBen> Most tax havens / money laundering islands are UK territories, funnily enough.
18:35 < GenteelBen> E.g. the Cayman Islands.
18:35 < GenteelBen> Anyway
18:36 < GenteelBen> pppingme, there's risks all round, but fuck the Tories, I'm getting a VPN.
18:37 < eahm> also the first two links here can be useful https://www.reddit.com/r/Piracy/wiki/megathread#wiki_.25BA_vpns
18:37 < GenteelBen> Thanks eahm.
18:38 < n0c> I'm impressed. The topic says 'if you have a question, ask it!' since Jan 1 pppingme has asked a question in 26.9% of his 2,696 utterances. bravo!
18:38 < n0c> no wonder I thought I was in #philosoraptorz
18:39 <+pppingme> I doubt I've asked that many questions..
18:39 < GenteelBen> Probably things like
18:39 < GenteelBen> "Oh yeah?"
18:39 < GenteelBen> "You feeling lucky punk?"
18:39 < GenteelBen> "Are ya?"
18:39 < eahm> oh damn damn, Proton makes VPNs too now, they take privacy very seriously.
18:42 < n0c> assuage your doubt, sir > http://paste.debian.net/1024167/
18:46 < n0c> fukken prochamp inquisitor sir, bravo for srs
18:49 < eahm> the graph shows that BolehVPN may be the best
18:49 < eahm> not may be, according to that it is
18:50 < eahm> and Mullvad is the only one with all green BUT the first one
18:51 < n0c> to the authorities, vpn technologies only definitively proves that conversations are indeed yours. tread veeeery carefully padawan
18:51 < n0c> he who holds the keys, becomes the jailer
18:51 < eahm> i dont use vpns
18:52 < eahm> personally i think theyre useless but thats my opinion
18:52 < n0c> maybe not useless, but misused
18:53 < eahm> encryption is the only measure to keep stuff safe, not VPNs
18:53 < eahm> once you plug the eth cable youre exposed, vpns or not
18:53 < djph> for some value of "safe"
18:53 < n0c> yeah it's an important distinction for sure, one that's probably conflated by the unwashed ignorant masses
18:53 < eahm> youll only protect yourself from your ISP, not from bigger govt agencies
18:54 < sielicki> can anyone recommend a simple (ie: CLI, database free) long-term connection monitoring program? Basically something that can run in a tmux/screen window that will watch a ping and log longterm when an outage occurs or whether jitter is high at some point, etc.
18:54 < djph> VPN's are *great* when you use them right (e.g. getting from starbucks to "home")
18:54 < Apachez> sielicki: mtr ?
18:54 < n0c> second mtr^
18:54 < eahm> yes for sure, but you could just enable one on your home router for that
18:54 < djph> eahm: exactly (although, I just use ovpn on a rpi)
18:55 < GenteelBen> " <n0c> to the authorities, vpn technologies only definitively proves that conversations are indeed yours. tread veeeery carefully padawan"
18:55 < GenteelBen> This was always my principal objection to VPNs.
18:55 < GenteelBen> If they log, or start logging, you're fucked.
18:55 < eahm> i use privatetunnel occasionally
18:55 < GenteelBen> The only solution is to VPN through a VPN, inside another VPN, and in turn, another VPN.
18:55 < sielicki> Apachez: perfect! thanks! I think I have heard of this before but never have actually used it
18:55 < GenteelBen> It's like the chicken-goose-turkey thing.
18:55 < eahm> my god paid what, 6-7 years ago? still have like 20-30 GB left
18:56 < n0c> GenteelBen: or control the endpoints, or not even that, but a path just beyond the endpoints (which they for sure do)
18:57 < eahm> oh noes, they dont even offer data plans anymore, only monthly payments
18:57 < eahm> i guess they like bling bling too now
18:57 < n0c> so it's moot, and guess what? they already know GenteelBen prefers dragon-prons
18:57 < Apachez> sielicki: mtr as far as I know doesnt store the stats (do a "man mtr" to find out)
18:57 < Apachez> but I once forgot it running over a weekend towards ping.sunet.se :)
18:58 < n0c> i stick it on -i5 or -i10 and let it ride for long periods
18:58 < hugge> Apachez: your not alone.
18:58 < hugge> we have about 200mbit of ICMP at any given time to that node
18:59 < n0c> 90% of that is deprioritized or dropped no?
18:59 < n0c> i guess if the hostname is ping they don't interfere heh
19:00 < n0c> anyway I have been using zerotier and have been happy with it
19:00 < n0c> stitching together islands of jump hosts can be super super handy
19:03 < Apachez> hugge: :)
19:03 < Apachez> hugge: its a great node
19:04 < Apachez> great for quick and easy troubleshooting
19:06 < at0m> GenteelBen: yes, and pay all for these VPN with your visa card.
19:06 < at0m> GenteelBen: then log in to your fb
19:20 < n0c> just buy your lifetime subscription to the vpn service on facebook marketplace duh!
19:20 < hugge> n0c: no, we never drop icmp to that node(s)
19:20 < hugge> thats kinda the point :P
19:21 < ash_work> can network configurations be tested in a vm? like firewalls and routers? is that wise?
19:21 < n0c> you had me a testing and wise.. yes
19:22 < hugge> a few years ago that ping-node was actually just a single node, answering on ping, and when it died (NPE just got completetly toasted)
19:22 < hugge> we had alot of weird people calling in to the noc
19:23 < hugge> asking why our pingnode was gone, because it was integrated into their monitoringsystem to look "is internet working yes/no ?)
19:23 < hugge> so we quickly built it into a anycastservice
19:28 < Apachez> hugge: but you do policing it?
19:28 < Apachez> otherwise its a great ddos reflector
19:31 < ||cw> ash_work: sure, cisco even has a VM system for learning their routers and switches
19:35 < E1ephant> "great ddos reflector?" I think is questionable
19:35 < E1ephant> okay for hiding sure, but most want amplification too
19:35 < E1ephant> where there always seems to be a bigger fisdh
19:35 < E1ephant> fish even
19:42 < skyroveRR> Heya E1ephant
19:42 < E1ephant> hey-o!
19:43 < hugge> Apachez: nah, its open pipe, but it kinda sucks to use for DDOS :P
19:43 < hugge> each node cant really do more then like 500mbit best case of icmp echo reply
20:08 < Apachez> E1ephant: reflector != amplificator
20:08 < Apachez> hugge: enough to put most connections offline
20:27 < subvhome> I have a two switches connected together via fiber. When i ping the switch that I am connected to via copper i get <1ms sometimes 4ms... when i ping the switch that is connected via fiber i get <1ms.. but randomly spikes to 10,30,40ms.. the spikes seem random and well spaced out
20:28 < subvhome> what could cause this. I tried replacing the switch im connected to via copper.. the fiber patch cable... the sfp module... i am hoping that its not the 300 ft of fiber
20:29 < djph> teh SPF acting up, or the other switch being busy
20:38 < Apachez> most likely because icmp is handled by the mgmt plane and that is doing something when you ping it at the same time
20:38 < Apachez> so which gear is this?
20:39 < Apachez> also check the statcounters for each involved interface
20:44 < subvhome> its an HP 1820
20:45 < Apachez> that has like an arm cpu as mgmtplane
20:45 < Apachez> and some asic as dataplane
20:45 < Apachez> so ignore the latency for icmp replies from the switch itself
20:45 < Apachez> what do you get from the device connected to this switch?
20:56 < subvhome> I will test that.. Thanks
20:59 < subvhome> so far it looks like its behaving.. i will let it run.. pinging attached devices so far is showing <1ms
21:00 < subvhome> thanks...we see the spikes on the switch itself but not on attached devices..
21:01 < subvhome> was going crazy for a few days wondering why thank a bunch
21:01 < OnkelTem> Guys, I think I'm stupid, but I'm not sure what exactly I do wrong. Recently today I was reporting about a connection problem via OpenVPN. Basically the connection was dropped after few seconds. Now when I'm exploring OpenVPN server logs I see a lot of messages like: client_name/11.22.33.44:56193 MULTI: bad source address from client [192.168.129.100], packet dropped
21:02 < OnkelTem> I'm connecting to the OpenVPN server from my working machine, not a router. So I wonder why I see such messages on the server-side
21:02 < OnkelTem> Because to my understanding there should no be 192.168.x.x addresses as they are local to my machine
21:06 < OnkelTem> https://apaste.info/4nAD - here are both server and client configs
21:07 < OnkelTem> https://apaste.info/yrRw - here are my routes, after connecting to the OpenVPN
21:10 < tds> OnkelTem: that site seems to be broken
21:10 < tds> doesn't load over ipv6
21:10 < OnkelTem> tds: would you recommend some other good (fast) paste?
21:10 < OnkelTem> pastebin
21:10 < tds> see the topic ;)
21:10 < OnkelTem> ooh
21:11 < tds> someone should probably let apaste know that their site is broken though
21:11 < tds> I would, but I can't view the site to find an email address :P
21:11 < OnkelTem> tds: I will try to report this in #httpd, maybe they know
21:13 < OnkelTem> https://paste.debian.net/1024186/
21:18 < tds> OnkelTem: is it possible you have incoming connections from the LAN side with public IPs in other subnets, so the response packets would hit your default route over the tunnel?
21:18 < tds> I think the source address of those would end up being the 192.168... address, assuming the connection was made to that IP
21:21 < OnkelTem> tds: I have a virtual machine working locally, or rahter not vm but docker. But I believe docker containers shold act as local clients
21:22 < mawk> not really
21:23 < mawk> containers act like hosts on a LAN, with your computer
21:24 < AlexPortable> how do i prevent wireless errors and dropped packets?
21:25 < mawk> OnkelTem, who's 192.168.129.100 exactly ?
21:25 < mawk> your computer LAN ip ? please paste the output of iptables -t nat -L -v --lin
21:25 < mawk> with sudo in front
21:27 < OnkelTem> mawk: let me create a picture of my connections
21:27 < hfuller> n0c: We are running non-Microsoft DHCP, and we delegate our AD domain DNS to the domain controllers. Works well.
21:27 < qman__> AlexPortable: you don't - you just give yourself the best chance by improving signal to noise ratio, removing interference and choosing clearer channels
21:28 < hfuller> the platform we are on is BlueCat DNS+DHCP (which is standard BIND and ISC DHCP underneath)
21:28 < AlexPortable> cant choose clearer channels
21:29 < AlexPortable> how do i improve signal to noise ratio?
21:29 < xamithan> Get dirty stuff out of the line
21:31 < qman__> by picking clearer channels, choosing appropriate antennas and locations, shielding noisy equipment as appropriate, etc.
21:32 < djph> cable :)
21:35 < qman__> Yeah, if you want to not have this problem, run wires instead
21:36 < OnkelTem> mawk: https://i.gyazo.com/60e26aad10eeeee8dce9cb6bbe96395d.png
21:36 < AlexPortable> i dont have any noisy equipment
21:37 < AlexPortable> can't really put wires to smartphones
21:37 < AlexPortable> and how do I put wires on a lawn?
21:37 < mawk> I see OnkelTem , and can you paste the output of the following ? sudo iptables -t nat -L -v -n --lin
21:37 < OnkelTem> yeah, doing it
21:37 < mawk> ah, thanks
21:37 < qman__> Under it
21:38 < AlexPortable> yes but the connection points
21:38 < qman__> think of it like being in a crowded venue where everyone is talking loudly
21:39 < qman__> The only way to talk to someone is to speak really loudly at close range or find a quieter place
21:39 < tds> OnkelTem: is that router configured to DNAT any traffic from the original WAN IP to 192.168.129.100?
21:39 < tds> since that would make sense for having packets going back over the tunnel with that source IP
21:39 < OnkelTem> mawk: http://paste.debian.net/1024191/
21:40 < mawk> tds, my theory is that it's docker who's doing that
21:40 < mawk> with the docker containers
21:40 < tds> ah oops, missed that we were dealing with the networking mess of docker ;)
21:41 < mawk> yeah ok it's a masquerade rule, it shouldn't masquerade to 192.168.129.100
21:41 < mawk> unless openvpn did something unusual with the routing
21:41 < mawk> ip route get 8.8.8.8 shows the tun0 interface as oif right ?
21:42 < mawk> right after "dev"
21:48 < n0c> hfuller thanks
21:49 < AlexPortable> would putting the signal higher help?
21:50 < djph> AlexPortable: no.
21:50 < AlexPortable> oh
21:50 < djph> if you're in RF soup, having one side louder just makes it worse for everyone.
21:50 < djph> Remember that WiFi is *bidirectional*
21:50 < AlexPortable> as long as it works for me it's fine
21:52 < djph> go out to a football pitch with some friends, you get a megaphone, and they don't.  Now stand at both ends of the pitch.  Is it "easy" to hold a conversation with them?
21:52 < AlexPortable> well they can hear me better then
21:53 < AlexPortable> right now wifi is not working every one minute or something
21:53 < AlexPortable> its broken now
21:53 < djph> AlexPortable: they can hear you, sure.  But *you* have to /also/ hear *them*.
21:54 < AlexPortable> now it works again for a bit
21:54 < AlexPortable> well if neighbours are interefering at the location of my AP, then it's fine if i give my AP a megaphone
21:54 < djph> what frequency (2.4 or 5 Ghz), and what channel?  How many other APs are on that channel?
21:54 < djph> AlexPortable: that's not how wifi works.
21:54 < AlexPortable> 2,4 ghz
21:54 < AlexPortable> as for other ap's  depends on where i go to
21:55 < djph> okay, 2.4 GHz - what channel are you on?
21:55 < AlexPortable> the areas im in the most has the least overlap on channel 6
21:55 < AlexPortable> err i mean 5
21:55 < djph> channel 1, 6, or 11 - you can use those three, and only those three.
21:55 < AlexPortable> well neighbours are exactly avoiding 5
21:56 < djph> doesn't matter
21:56 < djph> 5 is interfered with by 6
21:56 < AlexPortable> oh it's set to 'auto 6' now
21:57 < djph> every channel is a 5 MHz step, starting at 2412 MHz on channel 1.  channels are 20 MHz wide - so channel 1 is from 2402 to 2422 MHz.  Channel 6 (2437 MHz) is from 2427 to 2457 MHz
21:58 < djph> channel 5 (2432) is 2422 - 2442, so everyone who is sharing channel 6 will be stomping all over you, since you just look like noise to them.
21:59 < OnkelTem> mawk: sorry for the delay. Yes, ip route get 8.8.8.8 shows: 8.8.8.8 via 10.8.0.5 dev tun0 src 10.8.0.6
22:05 < AlexPortable> so channel 6 is better
22:06 < djph> AlexPortable: than 5? absolutely.  However, you should compare channels 1, 6, and 11 to find the least busy of the three
22:06 < AlexPortable> dependso n where i am
22:06 < AlexPortable> some positions 6 is better, some 11
22:07 < djph> so then either (1) you need more APs transmitting quietly, to take advantage of the different places in the office having different "best case" channels, or just figure out the best looking one for your one AP, and call it a day.
22:07 < djph> s/, or /, or (2)/
22:10 < mawk> alright OnkelTem , from the server side you can't get precisely in the logs where does that .100 address come from ?
22:11 < OnkelTem> mawk: I'll try to enable it, I can increase the verbosity
22:12 < AlexPortable> so what can i do more to improve wifi?
22:13 < AlexPortable> it still breaks every two minutes or so
22:14 < qman__> Buy some 5ghz equipment so you have more channels to work with
22:14 < AlexPortable> not enough coverage for 5
22:15 < qman__> Your statement is invalid, please clarify
22:17 < AlexPortable> don't want to have an AP in every room since that requires a lot of cables
22:18 < djph> AlexPortable: what's the place you're trying to cover? What're the walls made out of?
22:20 < AlexPortable> house and garden, and no idea
22:20 < AlexPortable> just normal walls, i think concrete
22:20 < djph> If they're "normal(tm)" drywall-over-studs, 5 GHz will (usually) cover the room it's in, as well as traverse through one wall.
22:21 < djph> CONCRETE is hardly a "normal" wall ... also, you're fighting physics - wifi doesn't like to penetrate dense things like concrete / masonry / etc.
22:21 < AlexPortable> why is it not a normal wall?
22:21 < AlexPortable> i dont know any buildings that don't have concrete walls
22:22 < AlexPortable> well 2.4 ghz works fine, that's why i dont use 5
22:24 < detha> Apparently is does not work fine, or you wouldn't be complaining about it.
22:24 < djph> because most buildings use wood / drywall as interior partition walls
22:25 < detha> tl;dr: wifi sucks, and different continents have different ideas of how to build houses
22:31 < AlexPortable> well anything else i can use to fix my 2.4ghz?
22:31 < detha> More access points, at lower power.
22:31 < AlexPortable> but coverage is good
22:38 < qman__> Just because you see a loud signal does not mean you have coverage
22:41 < djph> ^
22:41 < AlexPortable> then why more
22:41 < djph> detha: yeah, true ...
22:41 < AlexPortable> how will more AP's solve it?
22:42 < djph> AlexPortable: why more APs?  So that you're not trying to fight physics (and your concrete walls)
22:42 < AlexPortable> just put them next to each other?
22:42 < qman__> more access points will mean less distance and obstacles to traverse improving the odds of success
22:42 < djph> no, the APs go in places where you need better signal (i.e. everywhere not the room you already have an AP in)
22:42 < AlexPortable> well the issues are in the same room as the AP
22:43 < djph> o_O
22:43 < MarkusDB1> Looking for a nice nms, that has cli views, think of something that has views easily used with tmux.
22:43 < djph> then go 5 GHz
22:43 < AlexPortable> not all my devices have 5 ghz
22:43 < qman__> then get new devices
22:43 < djph> good thing that 5 GHz APs also have 2.4 usually
22:43 < AlexPortable> then those devices will use 2.4, how will that solve the problem
22:43 < djph> also, it could be as simple as "the AP you have is dying, so you need a new one anyway"
22:44 < AlexPortable> how can an AP die?
22:44 < qman__> Yes, or the tx power could be too high causing its own interference with nearby devices
22:45 < djph> AlexPortable: electronics get old and die, same as anything else.  They don't last forever
22:45 < MarkusDB1> usually it's the PSUs that age most
22:45 < AlexPortable> i've set output to 'low'
22:45 < qman__> given concrete walls, it's probably set pretty high to try and penetrate them
22:46 < qman__> And yes, APs do die
22:46 < djph> MarkusDB1: or the RAM, or the CPU, or the tranceiver (although that one's rare), or the firmware
22:46 < djph> s/firmware/nvram/
22:46 < qman__> Not.just the power supplies although that's a common failure
22:46 < AlexPortable> so how do i know if it died or not
22:46 < MarkusDB1> djph: I've rarely seen that, way more common is psu, or that there is a small fan cooling the cpu, what gets covered in dust, so the thing constantly overheats.
22:47 < djph> AlexPortable: (1) is it disconnecting frequently, (2) is it more than 3 years old?
22:47 < MarkusDB1> never ever seen ram suddenly go bad
22:47 < AlexPortable> djph: in the evening and night yes, during the day not so much. 2 yes
22:47 < qman__> 3 years is generous
22:47 < djph> MarkusDB1: I've seen it all. RAM usually is "open it up and "oh hey, there are melty marks on the RAM chips ..."
22:47 < qman__> The cheap consumer stuff can go bad much quicker
22:48 < djph> AlexPortable: then it's dying.
22:48 < AlexPortable> why does it only die during the night
22:48 < MarkusDB1> djph: ah, I've got that on a hdd cache once
22:49 < djph> qman__: because that's when you're using it heaviest (and/or it has to fight with all the other stuff nearby because *everyone* is busy blasting WiFi to get thru their concrete walls)
22:49 < MarkusDB1> On stuff dying, it usually dies now in the coming months, since summer
22:49 < djph> errr
22:49 < djph> AlexPortable: ^^
22:49 < AlexPortable> well these problems have been here for some time
22:49 < AlexPortable> they got better after i switched from b/g/n to n only
22:49 < djph> qman__: yeah, I didn't wanna give him the harsh reality of "is it just out of warranty"
22:50 < sammm> is there such a thing as a NBNS storm? i'm not a networking guy generally as you will soon learn but I am having a switch drop packets, andfiring up wireshark shows me about 70mb/s of fucking NBNS broadcasts
22:51 < AlexPortable> sammm: from which IP?
22:51 < djph> sammm: sure, if you've got a winbox misbehaving
22:51 < sammm> AlexPortable: its from a shitty sql server,im trying ot remote in but it's proving difficult
22:51 < sammm> djph: we had a power outage and a surge broke some equipment..
22:52 < sammm> djph: wouldnt surprise me
22:52 < djph> sammm: uhoh :)
22:52 < sammm> djph: uh oh indeed
22:52 < qman__> the netbios protocol is essentially a shouting match, so it doesn't surprise me
22:52 < djph> sammm: note that "misbehaving" may also be "malware" (one would hope not, but :) )
22:53 < sammm> djph: :) time for INVESTIGATIONI
22:53 < djph> sammm: or to format and upgrade to Linux :)
22:54 < qman__> Hey, at least it's not sending 70mb/s of emails
22:54 < sammm> djph: i've been converting systems otlinux, web servers etc,, i wish we could use linux 100%
22:55 < sammm> djph: our devs are WINDOWS ONLY and dont know how to develop for anytihng other than MSSQL, etc
22:55 < qman__> .net core 2.0 runs on linux
22:55 < djph> qman__: hah, quite
22:56 < qman__> I work at a .net shop and that's the general direction we're headed
22:56 < sammm> qman__: linux scares these people,i had to tell one that it was possible fora machine to have more than1 nic
22:57 < sammm> qman__: not that multiple nics have anything to do with linux, but you get an idea of how these people (dont) think
22:57 < djph> and they're DEVS?!
22:58 < sammm> djph: :^)
22:58 < djph> This is how we get shit like Docker and systemd!!
22:58 < sammm> djph: oh god how i wish we could containerise their crap
22:59 < djph> ... only container it should be in is the wheelie-bin
22:59 < djph> hangon, I just had an idea
22:59 < djph> ima make a new app called wheeliebin for all these millennial crap "devs" ...
23:00 < sammm> hahaha do it
23:01 < sammm> and make it write everything to/dev/null
23:01 < djph> no no.
23:01 < djph> it saves everything in its folder
23:02 < djph> then deletes it all at 9 AM on Wednesdays (or whatever day you configure as "trash day")
23:02 < E1ephant> Apachez: yeah that is the entire point, miscreants want amp+hiding, not just hiding.
23:05 < sammm> djph: beautiful
23:13 < djph> sammm: unless it randomly decides monday was a holiday, then it's one day later
23:14 < sammm> djph: HAHAHAHA i disabled netbiosover tcp ip
23:14 < sammm> no packetloss
23:14 < sammm> i just took over an overnight shift
23:14 < sammm> and the poor bastards were going to RMA the switches
23:14 < sammm> :^)
23:15 < djph> hooray, now you have more responsibility, and the same crap pay
23:16 < sammm> wtf, these servers are set up so badlyt
23:16 < sammm> 2 NICS, 2 gateways each
23:16 < sammm> of course they are broadcasting like mad
23:16 < sammm> the two nics go into the same switch
23:16 < sammm> different vlans
23:16 < sammm> but... wtf isgoing on
23:17 < sammm> okay, now another serveris shouting NBNS
23:17 < AlexPortable> cleaning up someone else's mess is always fun
23:17 < voices> Hey, say I have a service listening on port 8080 of a raspberry-pi (Device Z). And it's behind a typical NAT enabled residential router (Device Y). The other device, say a laptop in a different city (Device X), should connect to the routers external IP on port 8080 (Device Y), which should be configured to forward packets to port 8080 on the listening device (Device Z). Is that correct?
23:18 < djph> yes
23:19 < djph> or you could use 8081, 9000, whatever on the router
23:19 < djph> sammm: time to get a network guy involved
23:21 < djph> sammm: s/network guy/network guy who knows what he's doing/
23:22 < Apachez> 25min to go for livefeed https://www.youtube.com/watch?v=yYJWeK-kVB0
23:22 < voices> djph: yeap. In which case, X should connect to 8081, or 9000 on Y, to reach 8080 on Z? I just used the same number for simplicity.
23:22 < djph> yup
23:22 < sammm> djph: i hada network guy here from 8pm to 5am
23:22 < sammm> idk what they were doing,
23:23 < sammm> now another server is broadcasting and clogging up the link
23:23 < sammm> hopefully i can just go and stop all these broadcasts
23:23 < djph> unplug le server
23:28 < voices> djph: so when the port forwarding is configured on the router (probably via it's http server), an nmap scan from the pi should show that port 8080, 8081, 9000 (or whatever we've chosen) is open on the router, right?
23:34 < ||cw> voices: only if somethings is listening on them
23:35 < ||cw> voices: but if the PI is on the lan side, not all routers do port forwards for the lan side, only the wan
23:36 < voices> ||cw: well, it has to be open and listening in order to forward the port, no?
23:36 < ||cw> no
23:36 < voices> Otherwise the connection request will hit a closed port on the router and go nowhere
23:36 < ||cw> well, sort of.  if the final isn't listening it drops it
23:37 < voices> Z is listening
23:37 < ||cw> at some level your kernel is listening on all ports.  forwarding works like that.
23:38 < voices> so if the port is closed on the router, that's not indicative if a problem?
23:38 < ||cw> if what it's forwarding to is not listening, the forward behaves as though it's a closed port
23:39 < voices> Z is listening. A scan shows the destination port is open.
23:39 < voices> A scan to the router Y shows the forwarded port is closed
23:41 < djph> check the firewall on the router (assuming you set DNAT rather than a "port forward" that takes care of the firewall for you).  Also check to make sure you didn't specify anything like "only from <trusted_sources>" if you used a firewall rule.  Finally, check that Z is listening to the right (or all) IP address(es).
23:43 < Apachez> T minus 5min...
23:44 < voices> djph: Z hasn't specified a specific IP for this exercise.
23:47 < ||cw> voices: a scan from where?
23:47 < Apachez> abort at T minus 58 secs...
23:48 < ||cw> ?
23:48 < ||cw> oh, spacex
23:49 < voices> ||cw: well, from everywhere. Including Y and Z
23:49 < voices> X and Z
23:49 < voices> i meant to say
23:50 < djph> Apachez: YOU BROKE IT
23:50 < voices> The router is Y
23:50 < djph> voices: err, if Y can't talk to Z, there's a problem
23:53 < voices> Y is the router. It provides Z with an internet connection. So they have to be communicating.
23:53 < djph> but from Y to Z, you can hit port 8000.  What about from another host on the same network as Z?
23:53 < ||cw> voices: no, lan or wan?  many router will only forward if the request is from the WAN
23:54 < djph> voices: also, you're not dealing with any CGNAT shenanigans, are you?
23:58 < voices> Here are the scans. Here is the router config: http://i.imgur.com/FCLAXRU.jpg https://www.irccloud.com/pastebin/lgqoaMtp
23:59 < djph> did you click the "apply" button on the router?
--- Log closed Fri May 11 00:00:05 2018