--- Log opened Tue May 15 00:00:20 2018 00:02 < Aeso> Can broadcast storms flow in only one direction around a broadcast domain? Imagine there's an ACL on a port, or a weird port config where a given switch receives untagged but sends tagged (and therefore is ignored by the other switch on egress), etc. 00:03 < Aeso> I'm eyeballing a handful of loop protection mechanisms, and trying to figure out how important it is to look for rings in 'both' directions. 00:26 < djph> fairly certain STP (etc) expect all the ports in a potential loop to be marked for it 00:29 < julius> hi 00:29 < electricmilk> julius, hi 00:30 < julius> is there a tool that detects dropped packets between two hosts? im wondering if my router drops udp packets from time to time. do i need to use some packet building library in python and create a test for myself or has it been done already? 00:31 < electricmilk> julius, I believe this can be done with Wireshark 00:31 < julius> how does it detect that for udp? 00:31 < djph> granted, the whole idea of UDP is "you might not get it" 00:31 < electricmilk> But there will be a bit of a learning curve 00:32 < electricmilk> Well...again I don't know for certain but even though there is no guarantee in delivery wouldn't you be able to see the missing packets in the sequence? 00:33 < electricmilk> Also...pretty sure all routers will drop some UDP packets from time to time (but again I have nothing to back that up) 00:33 < djph> electricmilk: depends on which end of the stream you're losing stuff, I suppose 00:34 < electricmilk> julias, I'm going to tell you a UDP joke but you might not get it... 00:34 * electricmilk ducks the tomatoes being thrown at him. 00:49 < admiralspark> anyone in here use ASR901's? 00:49 < admiralspark> Wondering if the "usb" port allows you to plug in a 4g dongle or if it's just a secondary management interface over the microusb one 00:51 < julius> djph, sure...you might not. 
but you should get almost all of them if you dont overdose your line 00:51 < julius> admiralspark, maybe try #avr or #electronics 00:52 < admiralspark> for a Cisco asr 901? 00:52 < julius> oh 00:52 < julius> maybe not 00:52 < admiralspark> ;) 00:52 < Maarten> admiralspark, likely not. The issue usually is drivers to get the 4g dongle working, they probably don't exist for the Cisco.... if you need 4g backup, there ARE 4g modules that have an ethernet port, which could be made to work with a plethora of routers. 01:01 < julius> djph, electricmilk looks like this does it: client: iperf -u -i 1 -t 20 -c "serverip" server: iperf -su -i 1 shows loss, jitter, troughput 01:03 < admiralspark> Maarten: thanks. It's not a dealbreaker, just curious 01:04 < electricmilk> julius, Sorry have no clue. 01:15 < julius> electricmilk, i tried it...it works 01:15 < electricmilk> Solid thanks for sharing 02:33 < spaces> Maarten where are you from ? 02:37 < Evan1929838483> My school IT has 20+ years of experience 02:47 < stonelore> your school IT what 02:48 < ^7heo> your school IT what what? 02:49 < mast> what what wat? 02:50 < test1337> w00t 02:54 < eahm> The walls 02:55 < ^7heo> you know what's really stupid, in the end? 02:56 < xamithan> Dolphins 02:56 < ^7heo> no. 02:56 < ^7heo> People 02:56 < ^7heo> gosh, I wish you all were dolphins 02:56 < ^7heo> at least you'd be cute and entertaining 02:57 < S_SubZero> did we have a bad day little guy 02:57 < xamithan> Can Dolphins IRC? 02:57 < ^7heo> no, they cn't 02:57 < ^7heo> cun't* 02:57 < xamithan> Ooo thats a bad word 02:57 < S_SubZero> uh, excuse me http://clicksandwhistles.com/ 02:57 < ^7heo> xamithan: it is not 02:58 < ^7heo> xamithan: it cunnot be. 
02:58 < xamithan> No, you are just trying to obfuscate it 02:59 < ^7heo> xamithan: I'm tyng to make a joke, bt you're not a dolphin 02:59 < ^7heo> trying 02:59 < ^7heo> but 02:59 < xamithan> You trying to spell words 03:00 < ^7heo> xamithan: no, I'm using an UI designed by people 03:00 < ^7heo> but I get your confusion 04:03 < LuMint> hi guys. I'm trying to block ICMP requests for a specific group. Here's the command: iptables -A OUTPUT -m owner --gid-owner nonet --proto icmp -j DROP 04:03 < LuMint> but it doesn't work for some reason 04:04 < LuMint> here's the error: iptables -A OUTPUT -m owner --gid-owner nonet --proto icmp -j DROP 04:04 < LuMint> sorry, here: iptables v1.4.21: owner: Bad value for "--gid-owner" option: "nonet" 04:05 < LuMint> how do I fix that? 04:13 < xamithan> What is nonet 04:14 < LuMint> a group 04:14 < LuMint> xamithan: 04:16 < xamithan> I'd say you don't have that group as primary memeber to anyone 04:16 < xamithan> That is just speculation though 04:16 < LuMint> maybe I should use the group id? 04:16 < LuMint> in my case it's 1004 04:18 < xamithan> I don't know about the ID but from the documentation it only checks for primary group, not supplemental 04:18 < xamithan> So if you got a user in that group and it isn't primary, it isn't going to work 04:21 < LuMint> xamithan: used that user's primary group (same as the user's name), didn't work either :( 04:22 < xamithan> Did it give the same error? 04:22 < LuMint> no, it just doesn't work 04:22 < LuMint> pings still working for that user. 04:22 < xamithan> Is the rule at the top of the chain ? 04:23 < xamithan> It might be matching another rule if you got it at the bottom 04:24 < xamithan> Kind of weird to be using -A for drop rules if there is other stuff in there 04:28 < LuMint> successfully applied it through export and restore 04:28 < LuMint> thank you! 04:28 < LuMint> xamithan: i should I handle it otherwise? 
04:28 < xamithan> Well just using "-I OUTPUT 1" will pop it at the top of the list 04:29 < xamithan> or whatever number you pick 04:32 < LuMint> :) 04:32 < LuMint> i'm trying to block the input icmp packets as well. 04:32 < LuMint> that's what i'm getting: [40656.987163] x_tables: ip_tables: owner match: used from hooks INPUT, but only valid from OUTPUT/POSTROUTING 04:33 < xamithan> You can't use that in input chain 04:33 < LuMint> so I have to manually add it to the output chain? 04:34 < nshirelaptop> how would I go about SSHing into a vm hosted on this machine while the host machine is not necessarily connected to a network? 04:34 < nshirelaptop> loopback? 04:34 < LuMint> because when I'm executing sudo iptables -A INPUT -m owner --gid-owner noicmp --proto icmp -j DROP, it would through this error 04:35 < xamithan> You can't use the owner in the input chain though 04:36 < xamithan> How is the server going to know the gid of incoming packets anyway 04:36 < LuMint> hrm 04:37 < LuMint> xamithan: the purpose was to prevent ICMP leakage when using torsocks 04:37 < LuMint> xamithan: do you think dropping outward icmp is enough in this context? 04:37 < xamithan> Well if the user can't icmp back i'd say mission accomplished 04:38 < xamithan> Unless you want to just block icmp for everyone on input 04:38 < LuMint> i'm running an untrusted application from a different user, and running it via torsocks (which is known to leak ICMP). 04:39 < LuMint> xamithan: So I guess blocking the outward ICMPs should deal with the problem, right? 04:39 < xamithan> yeah 04:39 < xamithan> Even if an incoming icmp packet comes to the user there won't be any response 04:40 < LuMint> wouldn't that still reveal the IP? 04:40 < LuMint> somehow 04:42 < LuMint> xamithan: that is, the user's real IP 04:43 < xamithan> I don't see how unless there is a vulnerability in the tor proxy 04:43 < xamithan> It might leak DNS 04:46 < LuMint> xamithan: is there any way to prevent it? 
04:47 < xamithan> You could always use dnscrypt 04:49 < LuMint> not an option, as it would require restarting the system 04:50 < xamithan> It does? I just run it in a docker container 04:53 < LuMint> that's tempting, but also tricky: there is a lack of free space 05:02 < LuMint> xamithan: i think torsocks takes care of DNS requests 05:04 < LuMint> I did some tests on https://dnsleaktest.com with torsocks and a browser. Not sure if it covers the case where faulty or malicious application would sens DNS requests on its own 05:29 < temp1> Hey everyone. I am trying to learn how to hack. I generally understand what to learn but I dont have any clue about order of things to learn. would anyone have a good suggestion for an outline/learning-path that I should take? Thanks in advance. 05:32 < nshirelaptop> programming is the best way to get into it 05:33 < temp1> I am in the process of learning languages yes, started with c and python. But is it better to start with that or networking for example..? 05:34 < temp1> and when and how does pentesting come in the picture? 05:48 < quesker> I added a nat rule on osx with pfctl and it doesn't work. the rule is nat on gpd0 from en0 to any -> (gpd0) gpd0 is my vpn interface and en0 is my local ethernet. I want to share the vpn with my lan. pings from a lan box come out gpd0 with the box's lan ip, not the gpd0 interface ip 05:54 < quesker> hmm found another syntax to try, the example looks like pass out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1 05:55 < cluelessperson> So I have an apartment with a roof theater, and I'd like to beam my wifi up there somehow when I wanna watch stuff with friends/family 05:55 < cluelessperson> I figure some highly directional repeater from unifi would be good 05:55 < cluelessperson> any suggestions? 
:) 05:58 < quesker> this rule gives sytax error: pass out on gpd0 inet from en0:network to any nat-to (gpd0) 06:08 < quesker> ah pf is disabled 06:09 < cluelessperson> :P 06:09 < quesker> yep 06:24 < quesker> ok the working nat rule is nat on gpd0 from en0:network to any -> (gpd0) now how do I also add a "reply-to" rule for symmetric routing? 07:18 < quesker> what is wrong with this rule? pass in on gpd0 from route-to ({ 10.10.10.1 }) 07:24 < quesker> tried this too pass out on en0 from gpd0 route-to (en0 10.10.10.1) 07:44 < quesker> ok this syntax doesn't have errors but the logic is still wrong pass in on en0 route-to {(en0 10.10.10.1)} from to en0:network 08:08 < pabed_> hi , how should I arpwatch in specific network , when I use "arpwatch -n 192.168.0.0./24" I encouterd May 15 10:25:17 localhost arpwatch: (nflog) Link layer type 239 not ethernet or fddi 08:09 < pabed_> hi guys , how should I arpwatch network when I use this command " arpwatch -n 192.168.0.0/24" 08:10 < pabed_> I ecounterd "(nflog) Link layer type 239 not ethernet or fddi" and "(nfqueue) Link layer type 228 not ethernet or fddi 11:39 < lpapp> hi, what is the rationaly for a cisco firewall not supporting dynamic dns-ip updates, like services running on AWS with load balancers? 11:40 < djph> Cisco probably is of the mindset "if you can afford us, you can afford static IPs" 11:41 < lpapp> seriously? 11:42 < djph> wait, are we talking Cisco proper (i.e. the enterprisey costs as much as a car stuff), or tbe crap they sell to small businesses? 11:42 < lpapp> I am actually not sure. Our sysadmins have not disclosed that information yet 11:42 < djph> That's kinda key (although, even if it is the "crap small business stuff" ... ) 11:43 < nojeffrey> Following a Cisco guide called: Configuration example to migrate Spanning Tree from PVST+ to MST 11:44 < nojeffrey> It says: Do not connect switches with access links because access links can partition a VLAN. 
11:45 < nojeffrey> So I have a couple of ports that connect to other building that are currently access ports that connect to the other buildings layer2 switches 11:45 < djph> would need more context, but ... yes. 11:45 < nojeffrey> These are being blocked 11:46 < nojeffrey> So once MST is enabled I cannot connect other layer2 switches from access ports? 11:46 < djph> it's only got to do with specifically using the wrong port type. 11:47 < nojeffrey> I dont follow, aren't my only two options trunk or access? 11:48 < djph> yes, and they're saying to not use "access" ports for this, since it does funny things with the VLAN (in terms of PVST+ / MST) 11:49 < nojeffrey> so I'd need to replace these layer2 switches with something that can handle trunks? 11:49 < djph> sounds like. 11:49 < nojeffrey> hmm ok, thanks 11:49 < djph> I mean, at least that's what the little you copy/pasted implies. 11:49 < nojeffrey> https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/72844-MST.html 11:51 < detha> One would think that applies to switches taking part in the MST. If you just hang a dumb switch off an access port, why not 11:51 < regdude> I think it is mean that some switches that tag ingress traffic will also tag BPDUs, that will result in tagged BPDUs that are most likely to be dropped by Cisco 11:51 < regdude> BPDU guard should even block this port 11:53 < nojeffrey> Hmm: Gi1/0/35 Desg BLK 20000 128.35 P2p Dispute 11:53 < nojeffrey> let me read up on what Dispute meanns 11:54 < purplex88> is server not simply a computer? 11:55 < purplex88> why these are called servers: https://www3.lenovo.com/in/en/towers/c/towers 11:55 < detha> server is a role 11:55 < purplex88> server hardware? 11:56 < regdude> no, it functions as a server 11:56 < nojeffrey> server grade hardware(xeons, ecc ram) 11:56 < purplex88> can't i use it as as a powerful personal computer? 11:57 < nojeffrey> you can 11:57 < detha> you can. 
you will be disappointed with its gaming performance. Server hardware has the shittiest video chips ever 11:57 < purplex88> as i see it just has more cores, more memory, more ram, more gpus 11:58 < nojeffrey> sound of the server might drive you nuts 11:58 < purplex88> so it is really a computer that is built to run a server software? 11:58 < nojeffrey> motherboards in servers can take 4 physical CPU's, TB's of ram, etc, desktop hardware cant 11:59 < Roq> lpapp: Which firewall? You can do dyndns functionality on an ASA via the cli 11:59 < nojeffrey> giant databases, virtualisation, etc 11:59 < purplex88> hardware designed to act as a server.. but this hardware can be used for anything other than a server like a computer? 12:00 < grawity> servers are literally computers 12:00 < purplex88> e.g. virtualization, yes 12:00 < detha> One could. Just like one could use a 30-ton truck as daily from/to work vehicle. 12:00 < purplex88> lol 12:01 < grawity> it's got more power and more convenient hotswappable hardware and probably an absolutely shitty GPU, and you probably get some support contract 12:01 < grawity> that's all 12:01 < nojeffrey> and monitoriing/virtual consoles - iLo, iDrac 12:03 < purplex88> server grade hardware = just a powerful computer (not really limited to be used as a server). 12:03 < purplex88> e.g. i can use it for a heavy processing. 12:03 < regdude> there are countless stories where someone gets a cheap old server MB+CPU and throws in a GPU to get a cheap gaming setup 12:05 < purplex88> regdude: cheap but more powerful than any consumer grade gaming computer? 12:06 < regdude> not really, the difference is not that large 12:06 < regdude> for that purpose 12:07 < purplex88> e.g. i can use four monitors with that setup and do work in background and play games at the same time. 12:08 < regdude> it depends, multitasking requires more cores (and in some cases RAM) 12:20 < hphuoc25> Hello. I have a question about sticky sessions in load balancers. 
How is it done? Do they do it by IP only or does it read cookie header from the requests? 12:21 < mAniAk-_-> yes 12:21 < hphuoc25> Yes mean which one? The former or latter? 12:22 < djph> LBs I've used are all L3 devices... they don't even look at L4+ information... 12:23 < mAniAk-_-> hphuoc25: lb's can look at either 12:23 < mAniAk-_-> depends on the lb 12:24 < mawk> L4 load balancers are still in research I guess 12:24 < mawk> or in development at least 12:25 <+xand> our LBs do layer 4 and 7 12:25 < mawk> my school wanted me to contribute to one, because the existing solutions are bad in some way or another 12:25 < hphuoc25> If it only looks at IP, is it a problem? Cause I assume that nowadays almost every device is behind a NAT, so when a request comes to the LB the IP it sees is the router's IP, hence a lot of requests would go to one instance 12:25 < mawk> didn't seem very interesting 12:25 < mAniAk-_-> mawk: what? they've been common for years 12:25 < mawk> yeah common maybe, I don't remember the rationale 12:26 < mawk> they are unergonomic maybe 12:26 < djph> hphuoc25: it depends - most *companies* utilizing loadbalancers have either a slew of public IPs, or the LB is the router 12:28 < hphuoc25> I'm sorry I don't see how that solves the problem. I mean, for example, there're hundreds of device in my subnet which trying to access the server. If the LB, says nginx, only do sticky session based on IP, doesn't it mean that there will be a server overloaded with a lot of requests while another one sits free? 12:28 < mawk> why would it match only on IP hphuoc25 ? 12:28 < mawk> (ip, port) would be the least 12:31 < hphuoc25> Correct me if I'm wrong, if a client opens multiple connections to the server, all those connections will have different ports right? 
But they carry the same cookie, hence they should be redirected to the same server instance 12:31 < mAniAk-_-> hphuoc25: some loadbalancers have that feature 12:32 < hphuoc25> If match (ip, port) some requests will be redirected to some instance without cookie info and that instance will reject the request which should be valid 12:33 < hphuoc25> mAniAk-_-: 'route based on cookie header' feature? 12:33 < mAniAk-_-> they call it different things 12:33 < mAniAk-_-> some lb's can insert their own cookie, or look at an existing cookie 12:34 < hphuoc25> I see 12:35 < hphuoc25> Thanks 12:36 < eimiar> c'è qualcuno di voi che conosce/usa Matrix? 12:41 < audia5> if you won on lottery powerball many millions who would you tell it :) 12:47 < dnel> #join #linux 12:47 < mawk> /join ##linux 12:48 < dnel> typo 12:48 < linux_probe> lol 12:48 < eimiar> join /linux 13:10 <+catphish> #join //linux 13:24 < padr0ck> hi! 13:25 < padr0ck> how do PoE injectors like https://images-na.ssl-images-amazon.com/images/I/61lVG-plIZL._SL1200_.jpg work? if i plug the "LAN" port into a switch and the "POE" port into some device, does that device then get power AND data? 13:26 < Apachez> yes 13:26 < regdude> yes, it will always get power and data, even if your device does not support poe in 13:26 < padr0ck> okay 13:26 < padr0ck> but it won't be damaged if it doesn't, right? 
13:26 < regdude> if your device does not support poe-in, then it generates a nice pleasant smell 13:26 < padr0ck> hmm 13:27 < padr0ck> well, it's only the one device anyways, which relies on PoE in 13:27 < regdude> if the voltage is right and the pinout matches for your vendor, then you will be fine 13:27 < Apachez> no it doesnt 13:27 < tds> for "proper" poe that shouldn't be the case, there's a standard for negotiating it (802.3af iirc) 13:27 < Apachez> if you connect a non poe device to the poe output nothing happens 13:27 < Apachez> no smell or anything 13:27 < padr0ck> and i thought PoE is a standard, so the injector and the device don't *have* to be from the same vendor? 13:28 < tds> for passive poe where you just use a pair as a standard power connection, then yes, you will have issues if the device on the other end isn't designed for it 13:28 < regdude> Apachez: this is not always the case, there are a lot of passive poe injectors 13:28 < detha> there's PoE, and 'passive PoE' 13:28 < djph> padr0ck: injectors are *PASSIVE* -- so you have to get the pinout and polarity right, else it won't work. 13:28 < regdude> 802.3at/af is a standard 13:28 < Apachez> regdude: still no smell, thats how electricity works 13:28 < regdude> that standard will power on a device only if it supports it 13:29 < djph> padr0ck: think of it like those barrel-connectors on many devices -- you can't just grab any wall-wart and have it work. Gotta make sure the polarity is right (and voltage / amperage too) 13:29 < padr0ck> that specific device (https://www.amazon.de/kwmobile-Injector-Adapter-Ethernet-802-3af/dp/B018SBHVKE/ref=sr_1_4?ie=UTF8&qid=1526330201&sr=8-4&keywords=poe+injector&dpID=41b9hq5EL1L&preST=_SY300_QL70_&dpSrc=srch) says "IEEE 802.3af" in the description. the router i want to use it with is https://www.ubnt.com/unifi/unifi-ap-ac-lr/ which mentions "802.3af/A PoE & 24V PoE" in its decription... 
13:29 < regdude> Apachez: what happens if you run 48V over a diode that is capable of passing through only 10V? 13:29 < djph> padr0ck: if you're buying an AC-LR (single unit), it'll have the correct injector in the box. 13:29 < Apachez> regdude: there is no diode involve on the rj45 end 13:30 < djph> regdude: something something, argue with an idiot ... 13:30 < regdude> i mean... well if you insist 13:30 < padr0ck> djph, hmm that's a good question then. the only place they're available in Germany is via eBay ... 13:30 < AlexPortable> How do I solve TX and RX packets dropped and errors on wifi? I'm already in the cleanest channel (6) and my devices are quite close by 13:30 < Apachez> AlexPortable: dont use wifi 13:31 < djph> padr0ck: lies. go ask on the UBNT forums for close-ish resellers. 13:31 < padr0ck> djph, too late, already bought it. but it was listed as "new", not "used". 13:31 < djph> padr0ck: then it should be alright 13:31 < padr0ck> ah, and there's a phone number listed. i guess i'll just call the guy. 13:31 < djph> padr0ck: that'd work too :) 13:32 < regdude> padr0ck: UBNT uses 4,5 and 7,8 Ethernet pins for PoE, same for 802.3at/af, you should be fine 13:32 < djph> AlexPortable: by not arguing with us that trying to blast wifi through concrete walls is perfectly fine and there will be no problems whatsoever. Also, getting off 2.4 GHz (for 5 GHz wifi), or a cable. 13:33 < mnemon> AlexPortable: better devices(/radios), channel with least interference from other devices, better antennae ... and you will still get some packet loss in most cases. 13:35 < padr0ck> djph, nice shop, he actually took a look into the box, and there's an injector in there. 
13:37 < djph> told you ;) 13:41 <+catphish> regdude: afaik there's no limit on the voltage a diode can pass through 13:44 < detha> for current, on the other hand, there is definitely a limit 13:45 < regdude> catphish: there are ratings, large voltage just breaks the chemical structure, then it can turn into a resistor. But lots of diodes are on the PHY chip and/or SoC (depends on the design). You don't want to give 48V where they expect 1.1V 13:45 < Apachez> they dont expect 1.1V when the output is 5V on regular tp 13:47 < detha> regdude: there's a limit to what voltage a diode can block. not to what it can pass. 13:47 <+catphish> what would these diodes be doing? 13:47 < detha> there's probably some zener diodes for spike suppression in a PHY 13:47 <+catphish> detha: that's what i thought 13:48 <+catphish> well if you were using a zener as a 5v supply regulator, you probably wouldn't want to apply 48v to it, indeed, more for the sake of the resistor 13:48 < detha> well, typically you get 0.4 to 0.6V across the diode in pass - run too much current, and some of that goes up into heat. 13:50 < detha> A zener as 5V supply fed by 48V? do you, or have you ever, worked as a designer for Philips audio equipment? That sounds like an 80s Philips design ;) 13:51 <+catphish> lol 13:51 <+catphish> technically it can work if you get the resistor right, but you're just burning up power for fun 13:52 <+catphish> also, linear regulators aren't expensive 13:53 < detha> yup. and smaller than a 5W resistor 13:58 < nojo7> hi, is it worth running conntrack on a high bandwidth bgp server on linux? 13:59 < Apachez> what for? 13:59 < detha> also, define 'high bandwidth' 13:59 < nojo7> idk, traffic shaping? i guess not 14:00 < nojo7> >5gbps per second and high amount of pps 14:01 < detha> going from one interface to another interface? 14:04 < padr0ck> bye! 14:05 < tds> also, by "bgp server" do you mean a router? 
is this 5gbps of traffic to route, or do you have some kind of very busy route collector? 14:06 < spaces> why is everyone yelling IoT is something new ? 14:08 * bezaban listens for yelling 14:09 < spaces> Maarten ping 14:09 < nojo7> it is a bgp router 14:10 < nojo7> having 3 uplinks as bgp neighbors and full view 14:11 < nojo7> we have conntrack enabled on this server and increase its limits on demans which costs a lot of cpu 14:11 < nojo7> demand* 14:12 < grawity> does it act as a firewall? 14:13 < nojo7> no 14:13 < grawity> then it doesn't need conntrack 14:16 < Apachez> conntrack is used anyway to keep suff internally 14:16 < Apachez> but sure 14:16 < Apachez> you could add a raw rule for the bgp port so that traffic isnt monitored at all by conntrack 14:16 < nojo7> i think i got it, it is needed for a stateful fw only 14:17 < Apachez> which can be handy on a host too 14:17 < Apachez> so root decides which ports are allowed in/out on that box 14:18 < grawity> I'm quite sure you can turn off netfilter conntrack without affecting e.g. 
TCP state tracking 14:18 < grawity> the former uses information from the latter, but not the other way around 14:19 < grawity> and once you've turned it off, no real point in using raw rules I think 14:19 < Apachez> the difference is that with that disabled any bad packet will hit your bgp process 14:19 < Apachez> and unlucky crash it and whatelse 14:19 < Apachez> with that in place you can use it as an acl for the box 14:19 < grawity> nah, it will still get rejected by the OS due to not belonging to a known socket 14:19 < Apachez> however due to performance you can disable the conntrack itself but keep the portfiltering 14:19 < grawity> because that's not part of conntrack 14:19 < Apachez> so like you know you have 3 peers for your bgp 14:20 < Apachez> then put those ip's and dstport as allowed 14:20 < Apachez> and block the rest 14:20 < Apachez> then evil haxor will have a hard time attacking your bgp process 14:20 < grawity> ah, you mean connections from weird hosts 14:20 < grawity> yeah, sure 14:20 < Apachez> since the local fw will just drop those packets 14:20 < grawity> filter by IP, or in fact filter by TTL 14:21 < Apachez> or all three things 14:21 < Apachez> ip + ttl + port 14:22 < Apachez> and with conntrack disabled that wont take many cpu cycles per packet 14:22 < nojo7> yes i have bgp peer ips filtered already for this purpose 14:23 < nojo7> thanks guys for suggestions 14:48 < Marc_one> Hello. I solved my issue from yesterday. The cause: my loopback interface is down at boot. i can bring it up manually. any idea how to make it work without a systemd service or like? 14:48 < petemc> Marc_one: what os? 14:49 < Marc_one> petemc: I run Arch Linux 14:50 < Marc_one> petemc: The device is a raspberry 2 14:51 < petemc> never used arch, sorry 14:51 < Marc_one> petemc: np 15:02 < mnemon> Marc_one: what init system? 
15:03 < nojeffrey> https://i.imgur.com/ZSVbeVM.png All Vlans(1-4094) are configured to use MST instance 1, but for some reason the ports show up in both 0 and 1, is this normal behaviour? 15:04 < Marc_one> mnemon:systemd 15:04 < AlexPortable> djph: well im in the same room as the router 15:05 < mnemon> Marc_one: then the best bet is having a systemd service/oneoff wanted by multi-user.target or something like that that brings it up 15:06 < mnemon> doesn't mean you have to run the full systemd-networkd 15:06 < djph> AlexPortable: is this still the same 3+ year old consumer box that we've already told you you should replae, since it's likely dying 15:06 < nojeffrey> it is now 11:06pm and I don't want to go home til I understand this 15:07 < djph> nojeffrey: time to put on more coffee :) 15:07 < nojeffrey> broke, have to drive to 7-11 heh 15:07 < nojeffrey> *coffee machine broken 15:07 < Marc_one> i tried a systemd service. but it has no effect. (maybe it runs to early?) 15:07 < regdude> nojeffrey: not very familiar with Cisco, but in MSTP you should be able to have an option to set path cost and priority for each VLAN group (MSTI). The first MSTI0 is CIST (the RSTP part of MSTP), that should list all ports, but I suppose for MSTI1 it is going to displayed the same 15:07 < djph> nojeffrey: FIX THAT NAO! 15:07 < AlexPortable> djph: also with another device 15:08 < djph> AlexPortable: is it new, or some random (also old) box? 15:08 < AlexPortable> random 15:08 < AlexPortable> ill get new 15:08 < nojeffrey> Could it be because this core stack is both the root bridge for MST0 and MST1 15:09 < djph> that's the first step. 
consumer gear only lasts about 3 years 15:09 < nojeffrey> djph ive sent it off under warrenty 15:09 < djph> nojeffrey: okay, at least you've got your priorities straight 15:10 < djph> AlexPortable: and "three years" is kind of a best-case MTBF for the upper-end of "consumer" 15:10 < regdude> nojeffrey: it can be the root bridge for both MSTIs, but I suppose Cisco displays MSTI information along with MST override so that is why you get all ports 15:10 < AlexPortable> planned obsolescence ? 15:11 < nojeffrey> regdude i see 15:11 < grawity> Marc_one: bringing up lo is always done, so I'd say it's something else bringing it *down* during boot 15:11 < nojeffrey> its at least working, if I plug in a loop it blocks the port 15:11 < djph> AlexPortable: more "cheap components" -- gotta cut corners to get a router + switch + wifi + modem in a $100 box. 15:12 < nojeffrey> and a 3way loop between 1 cisco and 2 ubuqiti switches - it shuts down one interface 15:12 < djph> AlexPortable: that being said, even "high-end" kit only lasts 5-7 years. 15:12 < regdude> nojeffrey: MSTP should be tested with load balancing, you should assign a different VLAN group a different MSTI then check if you can manage to forward traffic through different interfaces for different VLANs 15:13 < nojeffrey> regdude how would I test the direction of vlan traffic? 15:14 < Marc_one> grawity: but systemd-resolved fails and complains about failing to read on loopback. 
15:14 < grawity> that's all besides the point 15:14 < regdude> nojeffrey: I would generate random UDP traffic with a unicast DST MAC address, for each VLAN, then I can monitor which interfaces are forwarding the traffic 15:14 < grawity> lo being down is going to cause many other problems 15:14 < nojeffrey> but this is an upgrade from 1g between buildings to a 10G trunk loop, i dont exactly need to load balance this traffic just yet 15:14 < grawity> the question is *why* lo is down 15:15 < nojeffrey> i see 15:15 < regdude> nojeffrey: then yes, it is just a way to tell if MSTP is set up properly. Do you even have any doubts that MSTP is not set up properly? 15:16 < Marc_one> grawity: i didnt change much after installation. i created a bridge for eth0 and tap0. but that runs as it should 15:17 < nojeffrey> I have a layer2 switch that sits above our esxi/san stack, if I plug 2 cables from core stack to this, one initially goes into a blocked mode, but then comes out of it..... then maybe every few minutes it goes back to blocked for a bit, rinse/repeat, this is a little daunting 15:18 < regdude> nojeffrey: this sounds more like something is sending BPDUs that one of your devices do not like, I have seen Cisco doing this with tagged BPDUs 15:18 < nojeffrey> Would "errdisable recovery cause link-flap" and "errdisable recovery interval 60" have anything to do with this? 15:20 < nojeffrey> Actually it's a SG300-28, is this a layer 3 switch? Never touched the config on this, just treating it as a dumb switch 15:21 < nojeffrey> OK it is a layer3 switch, but I've never enabled the routing on it, so it's just acting as a layer2 switch 15:21 < regdude> nojeffrey: that would be a Cisco specific thing, but MSTP should allow all ports in the worst case scenario with link flaps 15:23 < regdude> nojeffrey: you shouldn't need any routing, are there any other devices running MSTP in your network? 
15:24 < nojeffrey> Just these new Ubuquiti switches 15:24 < Marc_one> grawity: found the error. really stupid. i accidentially switched "Name" and "Match" in the bridge configuration. why this touches loopback is strange 15:24 < grawity> configuring extra IP addresses on lo is a thing people do 15:24 < nojeffrey> Maybe I shhould disable the errdisable stuff, to see if it puts it into a permanant blocking state 15:25 < regdude> does UBNT even supprot MSTP... 15:25 < nojeffrey> yep 15:25 < regdude> either way MSTP is backwards compatible with RSTP 15:25 < AlexPortable> is 802.11g more stable than n or b? 15:26 < Aeso> AlexPortable, depends on what you mean by stable 15:26 < Aeso> generally, no 15:26 < AlexPortable> less interference, better connection, etc 15:26 < nojeffrey> AlexPortable 11G goes through walls better 15:26 < AlexPortable> better than 11N ? 15:26 < Marc_one> grawity: but thanks for your time 15:26 < regdude> nojeffrey: disable the error recovery feature, this might indicate if you need to manually specify some MSTP related values 15:27 < Epic|> Your frequency selection will have a significant impact 15:27 < Aeso> man, did 802.11g even use MCS indexes? 15:27 < AlexPortable> i'm using 2.4ghz only 15:27 < Aeso> how do you make an apples to apples comparison? 15:32 < nojeffrey> Removed the errdisable stuff, it still goes from blocking to forwarding every few minutes 15:35 < nojeffrey> spanning tree config: https://paste.ofcode.org/RLqxuGnpGVBjREVHcNA96y 15:38 < nojeffrey> if there was a broadcast storm, and with no one on the network at this hour, would I notice pretty quick? 15:39 < regdude> nojeffrey: not really, some switches might not be accessible. 
Maybe you want to monitor the interface and see if there are not abnormalities
15:39 < purpleunicorn> What are some other private messaging apps besides signal
15:40 < mAniAk-_-> telegram
15:40 < purpleunicorn> Is it secure on desktop
15:40 < iceman> hey guys
15:40 < nojeffrey> Ive removed the double cable to the SG300 switch, but there are other switches around that could cause issues, dont want a call at 6am saying network is down
15:41 < iceman> how do i fully specify the context of the environment
15:41 < nojeffrey> i might switch back to pvst for now until I understand this more
15:41 < purpleunicorn> Hi iceman
15:41 < iceman> hi purpleunicorn
15:42 < purpleunicorn> Is telegram secure on desktop
15:42 < mAniAk-_-> why wouldnt it be
15:43 < regdude> nojeffrey: it sounds like some device is causing the port to be blocked, possibly could use packet analyzer on that port to find what BPDU blocks the port. This can also be improper implementation from other vendors, MSTP should work very easily
15:43 < purpleunicorn> Idk I just think since signal had a security problem others could too mAniAk-_-
15:44 < regdude> use your own messaging app
15:45 < purpleunicorn> Yeah because IMessage is super secure
15:49 < nojeffrey> regdude on the port that flaps from disabled to forwarding?
15:50 < regdude> nojeffrey: yes, STP blocks a port because it receives a BPDU on that port. It could be useful to know from where it came and what are its STP related values
15:50 < nojeffrey> got it, thankyou
15:50 < regdude> it might be that BPDU guard blocks something, dunno if it is enabled by default on Cisco
15:51 < purpleunicorn> Guys can you please help iceman
15:51 < nojeffrey> PortFast BPDU Guard Default is disabled
15:51 < iceman> :(
15:53 < purpleunicorn> He’s having trouble with hooking his WiFi with an Ethernet Cable from his desktop to laptop
15:53 < GenteelBen> Purple unicorns in league with icemen? This is madness.
15:53 < GenteelBen> He wants wifi over Ethernet, you say?
15:53 < GenteelBen> Aka WoE?
15:53 < iceman> there's no ethernet port in the room
15:53 < iceman> i tried powerline at first to no avail
15:53 < GenteelBen> So he wants the Ethernet over Wifi, aka EoW?
15:54 < kottt> sounds like somebody's trying to get an internet connection to their desktop using a laptop as a wireless bridge?
15:54 < iceman> just ignore the ethernet bit lol
15:54 < GenteelBen> Maybe he needs to explain wtf he's trying to do.
15:54 < iceman> it's a computer with a wifi card
15:54 < GenteelBen> iceman: we demand an MS Paint drawing of your topology.
15:54 < iceman> oh jesus
15:55 < iceman> so i tried powerline at first and it didn't improve the speeds at all, so i bit the bullet and got a pcie card
15:55 < iceman> and even that hasn't improved anything
15:56 < iceman> so i know it's not the isp or the router because my laptop is right next to it and working fine, i've monitored the network, i've disconnected and reconnected everything, disabled one and not the other band etc.
15:56 < iceman> and the desktop's connection has been consistently awful
15:56 < iceman> it's on the latest drivers from tp link
15:56 < nojeffrey> iceman does the speed also suck at the source?
15:56 < iceman> how do you mean
15:57 < iceman> the laptop is on the same network and is 10 times faster
15:57 < nojeffrey> speed to internet or just local lan?
15:57 < iceman> internet
15:58 < nojeffrey> what does speedtest say for both?
15:58 < iceman> 12mbps/110mbps
15:59 < iceman> both 10ms ping
15:59 < GenteelBen> I can't really help you without an MS Paint topology diagram, iceman.
15:59 < nojeffrey> heh
15:59 < GenteelBen> Either that, or a sane explanation of what you're trying to do, on one line.
15:59 < nojeffrey> laptop has 110mbps to internet over wifi, pc which also has wifi only get 10mbit to internet?
16:00 < iceman> yes
16:00 < GenteelBen> Is this using your motherboard's built-in wifi, or a separate wifi PCIe card, or a USB wifi dongle?
16:00 < nojeffrey> are you using 802.11g?
16:00 < GenteelBen> Notice how I ask the important questions.
16:00 < iceman> pcie
16:01 < GenteelBen> What is the model # of your PCIe card?
16:01 < GenteelBen> Break your case open with a hammer and tell us
16:01 < GenteelBen> Or go into Device Manager and paste the model.
16:01 < iceman> TP-Link Archer T6E AC1300
16:01 < TotallyNotKim> Get an RGB keyboard. It'll boost your signal x100 and add 65fps to every game!
16:01 < GenteelBen> From that model number, I can deduce it's 802.11ac, 1300Mbps.
16:02 < GenteelBen> So it'll be dual band too.
16:02 < NeuterYourPet> problem is that your using windoze..
16:02 < GenteelBen> TotallyNotKim: that's ridiculous, stop spreading bad advice. Everybody knows RGB only adds 50fps tops.
16:02 < iceman> it's win7
16:02 < TotallyNotKim> GenteelBen: you didnt count my rgb mouse in
16:02 < TotallyNotKim> and my mousepad
16:02 < GenteelBen> That changes everything.
16:03 < GenteelBen> iceman, why on God's gay earth have you not upgraded to Windows 10?
16:03 < GenteelBen> We should just refuse to help people who stay on W7/W8 out of choice.
16:03 < iceman> telemetry and i'm comfortable with win7
16:03 < TotallyNotKim> dont be stupid
16:03 < TotallyNotKim> you're getting spied on anyways
16:03 < GenteelBen> iceman: lmao they backported the telemetry to Windows 7 via a patch.
16:03 < iceman> i bet you're one of those that got vista when that came out too
16:03 < iceman> smh
16:04 < tds> GenteelBen: I think you should change that to "We should just refuse to help people who stay on windows out of choice." ;)
16:04 < GenteelBen> Not only have you been feeding MS full telemetry, but you've been doing it from a 9-year-old OS.
16:04 < iceman> windows has commercial software
16:04 < GenteelBen> tds: why would we punish them for using the most superior operating system family?
16:04 < iceman> legitimately should i upgrade to windows 10
16:05 < iceman> i've been on win7 for so long
16:05 < NeuterYourPet> heal thyself windoze..
16:05 < GenteelBen> If he was on Linux I'd have advised him to upgrade to Microsoft® Windows® 10™ Professional™ with April™ 2018 Update™.
16:05 < GenteelBen> iceman: yes, Windows 10 is a much better OS.
16:05 < GenteelBen> Needs fewer resources, better UI, more features, more secure, etc. etc.
16:06 < iceman> should i do it right now before anything
16:06 < GenteelBen> Plus it lets you run certain Linux apps under the Windows kernel, which means you don't need Linux anymore!
16:06 < iceman> could it solve the problem
16:06 < GenteelBen> iceman: nah, see if your network problem is fixed first.
16:06 < iceman> ok
16:06 < GenteelBen> So you say you only get 10Mbit/s between your PC and your wireless router.
16:06 < GenteelBen> Is it a wireless router? Or just a wireless access point?
16:07 < iceman> its a router
16:07 < GenteelBen> This is the kind of thing I could solve in 3 minutes if I had physical access to your home.
16:07 < GenteelBen> I'd probably have to wade through all the empty cans of Mountain Dew and Tab
16:07 < GenteelBen> All the empty Doritos bags
16:07 < GenteelBen> But I'd get it fixed.
16:07 < iceman> -_-
16:07 < iceman> you forgot the pounds of weed
16:08 < GenteelBen> Ok, so on Windows, what speed is your wifi connection according to Connection Manager or whatever it's called?
16:08 < iceman> the status is actually 144mbps
16:09 < GenteelBen> This thing http://cache-www.belkin.com/support/dl/SF136766-014_EN_v2.png
16:09 < iceman> which is more or less what i've paid for
16:09 < GenteelBen> So the link itself is 144Mbps but when you run a speedtest, you only get...what?
16:09 < GenteelBen> No iceman
16:09 < GenteelBen> That makes no sense.
16:09 < GenteelBen> Your real-world wifi speed is often half what the link speed is.
16:09 < iceman> do you want me to send you a screenshot
16:09 <+catphish> your link isn't actually the speed you transfer data at
16:10 < GenteelBen> The link speed is the peak theoretical speed.
16:10 < iceman> you asked me what the number was
16:10 < iceman> it says 144
16:10 < NeuterYourPet> check your wifi device with device manager and confirm your settings are optimal
16:10 < GenteelBen> Install an 802.11ac 5GHz antenna in your anus for optimum reception.
16:11 < NeuterYourPet> full duplex ie
16:11 < GenteelBen> Either that, or tell us what SpeedTest thinks your speed is.
16:11 < TandyUK2> just use a fucking cable, end of lol
16:11 < GenteelBen> NeuterYourPet: all wireless is half-duplex, I forgot about that too.
16:11 < GenteelBen> I did read something a while ago about a new full-duplex wireless spec.
16:11 < iceman> i can't use a cable
16:11 < TandyUK2> if you care _at all_ about your data, use a cable
16:11 < GenteelBen> WHAT IS UR ACTUAL SPEED
16:11 < GenteelBen> ON THE WIFIS
16:11 < NeuterYourPet> half duplex.. for wireless, hmm. good to know
16:11 < iceman> 10-15mbps
16:12 < GenteelBen> Is that megaBITS per second or megaBYTES per second?
16:12 < iceman> BITS
16:12 < TandyUK2> how far, and how many walls between your device and the access point?
16:12 <+catphish> iceman: if wifi is slow, start by tuning the settings, try to find a free channel, make sure you're using 20MHz bandwidth
16:12 < GenteelBen> Show me the Speedtest screenshot.
16:12 <+catphish> iceman: if that doesn't work, you could try better wifi hardware, else you'll need to use a cable
16:12 < NeuterYourPet> buy a length of cable.. best solution
16:12 < TandyUK2> how many other access points in range?
16:12 < GenteelBen> Way to jump in at the end catphish
16:12 < iceman> but how is that possible
16:12 < GenteelBen> You're like the sub @ 89 minutes who runs onto the field and starts sprinting everywhere.
16:13 <+catphish> GenteelBen: too many vague answers :)
16:13 < iceman> it should be a capable wifi card
16:13 < TandyUK2> buying a length of cable?? you go to ebay or lol
16:13 < GenteelBen> I'm probing all possible avenues.
16:13 < TandyUK2> 30M cable can reach everywhere in most houses :P
16:13 < GenteelBen> For all we know his board isn't shielded properly, or his antenna is pointed towards his toilet.
16:13 < iceman> what speed test would you like me to use
16:13 < TandyUK2> or he put it up his anus and didnt clean it after
16:13 < NeuterYourPet> hostile environment with wifi
16:13 < kottt> if a question seems so dumb that you have to make a joke answer, consider that maybe you have misunderstood the question.
16:13 < GenteelBen> iceman: speedtest.com, the normal one.
16:14 < GenteelBen> speedtest.net
16:14 < GenteelBen> ffs
16:14 < TandyUK2> anyone who cares about their connectivity, uses a fucking cable
16:14 < TandyUK2> unless its a phone or tablet, there is ZERO excuse for not using a cable imho
16:14 < GenteelBen> TandyUK2: surely the wireless signal would more easily permeate through his biogas?
16:15 < GenteelBen> TandyUK2: not everybody wants to pay someone to run cable through their house.
16:15 < SirLagz> TandyUK2: even for my tablet, I have a USB -> Ethernet adapter :P
16:15 < Epic|> I use wifi on some stuff I care being stable
16:15 < GenteelBen> Or maybe he's not comfortable with a drill, or a hammer + tacks.
16:15 < Epic|> The trick is to avoid shitty wifi hardware
16:15 < TandyUK2> GenteelBen: like i said, anyone who actually cares about their connectivity.....
16:15 < iceman> the fucking laptop is in the same room and using wifi and is 10 times faster so what the hell are you on about
16:15 < GenteelBen> Just remember
16:15 < GenteelBen> You don't need to be a certified electrician to run Ethernet.
16:15 < GenteelBen> That's the beauty of PoE.
16:15 < SirLagz> GenteelBen: depends on the country :P
16:15 <+catphish> it's quite possible to get extremely stable wifi, but really you need some control over interference to do that
16:15 < GenteelBen> What
16:16 < GenteelBen> Is there a country where you need to be certified to run Ethernet, for insurance purposes?
16:16 < TandyUK> yeah, very much so, in the UK, data cabling still very much comes under electrical regulations
16:16 < SirLagz> GenteelBen: Australia requires someone to be an electrician...as dumb as it is
16:16 <+catphish> there's a laptop? 10x faster than what?
16:16 < Epic|> This znc box is on WiFi and serves some other stuff as well
16:16 < TandyUK> it doesnt need signing off in the same way, but you can still easily breach the regs
16:16 <+catphish> if one client is good and another client is bad, replace the bad client hardware, not rocket science
16:16 < TandyUK> little things like, if you ran a cable along a hallway, or over a door, did you secure it with metal clips?
16:17 < NeuterYourPet> wifi will use dhcp, with a cable static parameters can be set manually.. i like to set up a false gateway and use a proxy for internet
16:17 <+catphish> what? :|
16:17 < GenteelBen> What? You can set a static IP with wifi..........
16:17 < TandyUK> NeuterYourPet: you can do all that with either cable or wifi
16:17 < GenteelBen> Or just do what all the chads do, set a DHCP reservation.
16:17 <+catphish> there is no relationship between wifi, and the physical connection
16:18 < NeuterYourPet> static ip but not gateway or dns server
16:18 <+catphish> *between dhcp, and the physical connection
16:18 < TandyUK> "wifi" just replaces "the wire"
16:18 < SirLagz> NeuterYourPet: why set a false gateway? just set your computer to use the proxy...
16:18 < iceman> https://i.imgur.com/3bHoSU7.jpg
16:18 <+catphish> NeuterYourPet: what do you mean?
there's no link between IP addresses and the physical connection
16:18 < GenteelBen> Not quite, TandyUK, there's stuff like collision detection which is different on the wifis.
16:18 <+catphish> NeuterYourPet: you can use static IPs or DHCP on either
16:18 < GenteelBen> Slightly different.
16:18 < GenteelBen> NeuterYourPet, you need to pirate the same CBT Nuggets CCNA video series I did several years ago.
16:19 < SirLagz> heh good ol' cbt nuggets
16:19 < TandyUK> iceman: 865Mbps: your wireless radio speed to your access point/router/whatever. 6.89Mbps: your routers connectivity to the wider world via the internet
16:19 < GenteelBen> Or rather, the updated one. I wonder if the delightful Jeremy Cioara still does those videos?
16:19 < iceman> if i could use ethernet i obviously would, there's no port in my room and the closest one is on the other side of the house 100 feet away
16:20 < GenteelBen> iceman, DID YOU TRY WIRELESS FROM THE LAPTOP TO YOUR ROUTER FROM THE SAME PHYSICAL LOCATION AS YOUR COMPUTER?????????????
16:20 < iceman> yes of course i did
16:20 < iceman> that's how i made the comparison
16:20 < iceman> one at a time
16:20 < GenteelBen> Did you properly install the wifi antenna on your PCIe card?
16:20 < TandyUK> he means "Were the antennae in EXACTLY the same place"
16:21 < TandyUK> behind your metal box (pc) !== sitting on the desk where your keyboard goes
16:21 < GenteelBen> Ok, without a physical home visit this is impossible to diagnose.
16:21 < NeuterYourPet> hmmm. my wifi are all dhcp..
and android doesnt allow proxying without rooting
16:21 < GenteelBen> I'd say just go into your router settings
16:21 < TandyUK> and tbfh, if thats where your PC's antenna is, do yourself a massive favour and get an extension kit
16:21 < GenteelBen> Whip out your Android phone
16:21 < GenteelBen> Whip out your nae nae
16:21 < GenteelBen> Open up Wireless Analyser or whatever that app is called
16:22 < TandyUK> Wifi analyzer (on android)
16:22 < GenteelBen> Look for 2.4GHz and 5GHz bands with little contention
16:22 < iceman> how can antenna technology have such poor margin of error that them being 30 angles in the wrong direction would make the connection ten times worse
16:22 < GenteelBen> Switch to those, let your router rejig, then redo a speed test.
16:22 < GenteelBen> Try on both 2.4GHz and 5GHz bands.
16:22 < iceman> that's complete nonsense
16:22 < TandyUK> [15:22] how can antenna technology have such poor margin of error that them being 30 angles in the wrong direction would make the connection ten times worse <<< Because its pointing in the wrong direction
16:22 < GenteelBen> Your router should, if it's newer, default to "auto".
16:23 < iceman> i've tried both the bands already
16:23 < GenteelBen> TandyUK: most home routers have directional antennae.
16:23 < TandyUK> both? there are 12 bands within 2.4ghz alone
16:23 < TandyUK> omni-directional i think you mean
16:23 < GenteelBen> In fact I wouldn't buy an omnidirectional antenna for a business, either, unless it was in the middle of a floor.
16:23 < iceman> bands not frequencies
16:23 < iceman> jesus christ
16:23 < iceman> don't be obtuse for the sake of it
16:23 < TandyUK> answer questions then
16:24 < iceman> what question
16:24 < GenteelBen> I think we've earnt a water break.
16:24 < TandyUK> [15:12] how far, and how many walls between your device and the access point?
16:24 < GenteelBen> It's the end of the first quarter for solving iceman's problem.
16:24 * GenteelBen hands out the Mountain Dew
16:24 < test1337> genteelben, be gentle
16:24 < GenteelBen> What a play by TandyUK at the bottom of the first, eh guys?
16:24 < iceman> 3 walls and 100 feet roughly
16:24 < TandyUK> and also, what are the walls made of - wood? brick? reinforced concrete?
16:25 < GenteelBen> What is the composition of those walls?
16:25 < iceman> not solid wood
16:25 < GenteelBen> Get out your mass spectrometer you gotdamned n00b.
16:25 < test1337> n00b
16:25 < GenteelBen> Ok
16:25 < GenteelBen> Go into your router
16:25 < iceman> log into it?
16:25 < GenteelBen> Make sure you've got a 2.4GHz 802.11n SSID configured
16:25 < TandyUK> ^^ (ie NOT b/g/n)
16:25 < iceman> how do i know it's 802.11n or not
16:26 < GenteelBen> Go into that SSID's settings and check every option to "extend range" at the expense of throughput.
16:26 < GenteelBen> I would toy around with those settings.
16:26 < GenteelBen> "Greenfield" and other bullshit.
16:26 < GenteelBen> It's going to take you maybe half an hour to find the best balance between range and speed.
16:27 < GenteelBen> Most of that will be your router rejigging itself after you change wifi settings.
16:27 < TotallyNotKim> OR GenteelBen wants a half an hour break
16:27 * GenteelBen pauses before biting into his sub
16:27 < kottt> genteelben okay but how do we do it so it doesnt take half an hour
16:27 < GenteelBen> Not true, TotallyNotKim, not true.
16:27 * TandyUK finds running cables SOOOO much easier than debugging wifi :P
16:27 < iceman> it says n and ac mode
16:27 < iceman> or just ac mode
16:27 < iceman> that's my options
16:27 < GenteelBen> What's it set on now?
16:27 < TandyUK> ok, so n mode then
16:27 < GenteelBen> Ok
16:28 < iceman> n and ac mode is what it's on now
16:28 < iceman> change to ac only?
16:28 < TandyUK> if you have 3 walls between you and router, 5ghz is going to be useless
16:28 < TotallyNotKim> ^this
16:28 < GenteelBen> iceman, do you know what Teamviewer is?
16:28 < TandyUK> iceman: N
16:28 < TotallyNotKim> oh god
16:28 < iceman> how is it connecting to the laptop though...
16:28 < GenteelBen> It's that bad, TotallyNotKim.
16:28 < iceman> i'm pretty sure it's not the isp
16:29 < TandyUK> laptop has better designed/positioned antennae? 2T2R etc?
16:29 < GenteelBen> I only dial into people's PCs if I feel sorry for them, like I feel sorry for a disabled donkey I see on the side of the road.
16:29 < TotallyNotKim> iceman: set 2.4ghz and 5ghz radios to different ssids
16:29 < iceman> ok
16:29 < TotallyNotKim> force the pc on the 2.4ghz once
16:29 < TotallyNotKim> ???
16:29 < TotallyNotKim> profit
16:29 < kottt> get a feeling like this would've been resolved 20 minutes ago if somebody just engaged iceman in PMs :(
16:29 < TotallyNotKim> a/s/l?
16:29 * kottt touches nose "not it!"
16:30 < GenteelBen> PMs? Who am I, his mother?
16:30 < TotallyNotKim> hey
16:30 < TandyUK> Old/Yesplease/UK :P
16:30 < TotallyNotKim> you wanted to enter teamviewer
16:30 < GenteelBen> Teamviewer, because I am effectively his IRC father.
16:30 < iceman> ok i'm on 2 different ssids now
16:30 < TotallyNotKim> ask TandyUK, seems like hes open for some entering
16:30 < GenteelBen> PM is a whole different matter.
16:30 < kottt> so teamviewer is for dads
16:30 < kottt> PMs are for moms
16:30 < kottt> im learning!
16:31 < kottt> learnding*
16:31 < TotallyNotKim> iceman: great. Connect the pc in question to connect to the 2.4ghz one and delete / forget the 5ghz one
16:31 < iceman_> ok ive done it
16:31 < TotallyNotKim> test again
16:32 < iceman_> it's on 2 different SSIDs
16:32 < winsoff_> I'm on a 10.0.0.0 subnet, but the mask is 255.255.255.0. Is this allowed?
16:32 < iceman_> i'm on the 2.4 one rn
16:32 < TotallyNotKim> thats right
16:32 < TotallyNotKim> do your bandwidth test whatever
16:32 < GenteelBen> winsoff_: I'll allow it.
16:32 < iceman_> what should i do now
16:32 < GenteelBen> We don't follow CIDR here.
16:32 < winsoff_> GenteelBen: You've come so far from "winson, winsoff"
16:32 < TotallyNotKim> iceman_: do your speed test from before damn
16:32 < iceman_> on the laptop or the desktop?
16:33 < TotallyNotKim> the one that had the problems before
16:33 < kottt> dont follow CIDR...? wat
16:33 < iceman_> ok which band?
16:33 < iceman_> 2.4?
16:33 < TotallyNotKim> 2.4
16:34 < Emperorpenguin> kottt: CIDR has been dead since the early 90s
16:34 < iceman_> just got 16 mbps
16:34 < Emperorpenguin> Classful Is Dead, Reeks
16:34 < kottt> but
16:34 < TotallyNotKim> okay. Now try again on the 5ghz band
16:34 < kottt> cidr is classless...
16:34 < Emperorpenguin> oh
16:34 < Phil-Work> kottt, really?
16:35 < Emperorpenguin> no
16:35 < kottt> ??? am i crazy?
16:35 < Phil-Work> if only they put that in the name, then it'd be clear
16:35 < Emperorpenguin> no wait no
16:35 < kottt> CIDR = classless inter-domain routing
16:35 < Emperorpenguin> ah yes
16:35 < kottt> guys come on im getting paid $12/hr
16:35 < iceman_> got 19 on 5.0
16:35 < Emperorpenguin> kottt: and you're complaining?
16:35 < winsoff_> kottt: Sounds like you need to change jobs.
16:35 < kottt> im trying
16:35 < iceman_> lmfao
16:35 < TotallyNotKim> iceman_: your life is doomed, you need a dlc to continue, goodbye
16:35 < iceman_> 19 down/1000 up
16:36 < iceman_> im not even joking
16:36 < winsoff_> iceman_: how are you testing
16:36 < iceman_> speedtest.net
16:36 < winsoff_> lame
16:36 < winsoff_> a better test is with one computer, one ap, one router, and then another computer on the other end
16:36 < iceman_> i literally just asked one of you which one to use
16:36 < tds> seeing as you only care about local network speeds, do you see the same bandwidth issues to another local device using something like iperf?
16:36 < iceman_> and he said the normal one
16:37 < winsoff_> speedtest is fine for that, but it makes way more sense to just test local shit locally
16:37 < iceman_> no
16:38 < iceman_> laptop just got 80 mbps on the 2.4 band
16:39 < iceman_> *90
16:39 < winsoff_> what hardware are you using?
16:39 < iceman_> did he leave?
16:39 < iceman_> my own pc i made
16:39 < iceman_> is the desktop
16:39 < winsoff_> try with two different nics
16:39 < winsoff_> your phone, for example
16:39 < iceman_> i'm using a late 2012 mbp as the laptop
16:40 < winsoff_> with those two accounted for, what else is in this test setup
16:40 < winsoff_> and what the hell are they doing
16:42 < iceman_> just tested on my phone
16:42 < iceman_> its 45 mbps for that
16:44 < iceman_> latest speed is 45 for phone, 90 for laptop, and 25 for desktop
16:44 < iceman_> is anyone there?
16:46 < hfuller> no
16:53 < GenteelBen> TandyUK I told iceman_ you'd go round his house to fix the problem in person, hope it's not out of your way.
16:53 < iceman_> i live in socal
16:54 < GenteelBen> I also gave up on the Teamviewer thing.
16:55 < iceman_> how can you give up if you never did anything in the first place
17:06 < winsoff_> Ah damnit, he left. I was busy.
17:06 < jax> hello. can i get help on bluetooth here?
17:06 <+pppingme> maybe but doubtful, whats your question?
17:06 < winsoff_> jax: Nah, you can only get help on IRC here.
17:06 < jax> i'm trying to interface with a bluetooth printer from python or node.js. i can establish a connection to the device via serial port, but have no idea how to for instance send a file.
17:06 < jax> not finding the right specification...
17:07 < GenteelBen> pppingme don't be modest, you are the Bluetooth expert here.
17:07 < GenteelBen> If anybody can fix jax's problem, you can.
17:07 * GenteelBen reads up
17:07 < GenteelBen> "Bluetooth" "python" "node.js"
17:07 <+pppingme> you generally don't "send a file" to a printer, it must first be converted to whatever "printer language" that printer talks (postscript, pcl, even old epson protocols)
17:07 < Sout> cups, / epl?
17:08 * GenteelBen twitches
17:08 < Sout> there we go ^^^
17:08 < jax> well, it's a bit of a special printer
17:08 < jax> it's one of those polaroid ZIP bluetooth mobile printers.
17:08 < jax> usually you send stuff via the iphone/android App
17:08 < jax> it could of course be that the jpegs are converted to PS or whatever.
17:09 < jax> ok lets make it simple: how do i read the battery level of the device? :D
17:09 < jax> if i have a serial port open to the device
17:10 < winsoff_> GenteelBen: lol
17:10 < winsoff_> jax: Do you have a mobile app open? Just sniff the bluetooth traffic
17:10 < winsoff_> and see what it's doing.
17:10 < jax> good idea
17:11 < Sout> so random googling of polaroid blue tooth + linux looks like you simply push images to it. ala https://www.raspberrypi.org/forums/viewtopic.php?t=186183
17:12 < jax> thanks Sout / winsoff_ that helps
17:12 <+pppingme> jax not really a standard deal to read battery level of a serial printer.. probably some command you send to it and it responds with its status
17:13 <+pppingme> your best bet is probably to capture data off the port and evaluate it after testing with whatever does work
17:14 < _TheDude> anyone know of a good site that checks blocks of ip's to see if they are dirty? There are plenty of IP checkers for blacklists but not entire /20's etc
17:14 < _TheDude> I'm shopping around for ipv4 space
17:17 < Phil-Work> _TheDude, define "dirty"
17:17 < _TheDude> Used before by spammers / hackers etc.
Sometimes you'll see a dirty net someone sells and ends up being on a bunch of lists
17:18 < _TheDude> I found a good site to check
17:19 < winsoff_> sounds like you just want to be a spammer/hacker
17:19 < _TheDude> No I want to buy a new net that isn't already blacklisted.
17:19 < GenteelBen> _TheDude = John McAfee.
17:19 < _TheDude> For my customers duh
17:19 < GenteelBen> Sure sure.
17:19 < GenteelBen> Meanwhile _TheDude rests on his giant pile of cocaine.
17:20 < _TheDude> If I'm going to shell out 150k for IP space it better be fucking clean
17:20 < GenteelBen> 150k on cocaine space
17:25 < Phil-Work> 150k for a /20?
17:26 < _TheDude> no /19 possibly plus /24's
17:27 < Phil-Work> hmmmm
17:27 * Phil-Work should sell some space
17:28 < GenteelBen> To _TheDude?
17:28 < GenteelBen> I'm glad I could introduce you two. Now, about my fixers' fee of 20%...
17:29 < Phil-Work> not quite got a /19 lying around, I'm afraid
17:42 < winsoff_> Phil-Work: We should instead work to invalidate ipv4
17:45 < kenlumbo> anyone have a windows 7 workstation they can verify that speedtest.net is not working? (or barely working)
17:45 < kenlumbo> seems that on a mac, it's fine
17:45 < kenlumbo> windows server 2012 seems fine
17:45 < kenlumbo> windows 7...not so much
17:56 < king_button> How do you run a web server/app as non-root if it needs to listen to port 80?
17:57 < king_button> reverse proxy?
17:59 < SporkWitch> that's one way
17:59 < SporkWitch> you can also add TLS thay way (which is generally advisable)
17:59 < SporkWitch> *that
18:01 < king_button> it looks like there's also some capabilities system on Linux
18:03 <+pppingme> kenlumbo doubtful its a win7 issue, when you say "its not working", what do you mean?
18:03 < skyroveRR> Hi pppingme
18:14 < digin4> is CompTIA Network+ a good certification?
18:15 < test1337> eew
18:15 < redrabbit> fuck certs
18:16 < Andrew_0010bit> SSL certs saved my marriage.
18:16 < digin4> XD
18:16 < redrabbit> lol
18:16 < Andrew_0010bit> I'm getting divorced. Don't listen to me.
18:17 < redrabbit> heh, gettin in the club
18:18 < redrabbit> dang, clicking with a foot pedal is weird.
18:18 < redrabbit> livin that ergo life
18:19 < irwiss> sounds a bit anti-ergonomic
18:19 < redrabbit> im gonna get the better switch
18:19 < redrabbit> this one isnt fit for so much use
18:20 < redrabbit> ill get feet rsi
18:20 <+pppingme> digin4 most people don't really give comptia certs any real weight
18:20 < redrabbit> its ok for the right click
18:20 < digin4> :(
18:21 < redrabbit> certs are a business
18:21 <+pppingme> to put more bluntly, they are viewed as a joke by many..
18:21 < digin4> pppingme, what's a good networking cert then?
18:21 < SporkWitch> CCNA
18:21 <+pppingme> lots of vendor specific stuff out there
18:21 < redrabbit> you get a paper they get green paper
18:22 < redrabbit> who is the winner here
18:25 <+catphish> me
18:26 < redrabbit> hehe
18:28 * redrabbit watches lockpickinglawyer
18:29 < kottt> here's a fun one, fellows...
18:30 < digin4> :>
18:30 < kottt> circuit provider claims that one of our end-sites is overdriving the connection, and this is why we regularly see 25% packet loss on a 100M connection, when our bandwidth charts (which take the 5 minute average every 5 or so minutes...) shows them never exceeding 50% of their allowance
18:32 < redrabbit> can you migrate?
18:33 < kottt> we've replaced equipment on our end (even changing device model) in the past, with no effect. And I'm wondering how it could even be possible. I mean, potentially if they're just hitting 120-150Mbps in very very brief spurts, that might explain it, but how do you correct that? how do you check for it? <_>; why is it even being allowed to happen?
if bandwidth can reach up to 100M, shouldnt it just get caught at a buffer and prevented from exceeding that
18:34 < kottt> im not making a lot of sense, but now im thinking that maybe if we set the LAN interface to 100/Full instead of Gig it might help... (as much as that would suck to do...)
18:34 < redrabbit> use TC?
18:34 < irwiss> or maybe they're just overselling and want you to trim down your bandwidth :D
18:35 < redrabbit> id give em the finger tbh
18:35 < kottt> redrabbit: TC?
18:35 < redrabbit> yes, tc
18:35 < redrabbit> man tc
18:35 < kottt> oh gee thanks for clarifying. ... actually, fwiw, we ARE giving them the finger, because we're changing the transport provider
18:35 < kottt> this summer sometime
18:35 < redrabbit> good
18:36 < kottt> what do you mean by TC?
18:36 < kottt> traffic control i guess?
18:37 < redrabbit> yes
18:37 < kottt> our CPE isn't really up to that
18:37 < kottt> afaik
18:38 < detha> kottt: hard limiting on your side (either by switching interface to 100Mb, or a policer somewhere) should at least give you an idea
18:39 < redrabbit> its on every linux box kottt
18:39 < detha> That way, they can't claim you are bursting, and if you are, you can see what traffic is dropped and when
18:39 < kottt> yeah, i just checked and it is technically a (brand new!) feature for Ubiquiti EdgeOS
18:40 < kottt> but the EdgeRouter Lites have pretty feeble CPU, not sure how well it'd hold up
18:40 < redrabbit> tc is old stuff
18:40 < kottt> plus we try to keep things standard across our network
18:40 < kottt> i'll run it by the boss
18:40 < kottt> thx
18:50 < quesker> trying to do a simple pfctl rule "pass in log on gpd0 flags any" but it doesn't log return packets that were NATed. it only sees non NATed packets that are replies to packets that originated from this host (not ones that routed/nated through)
18:51 < quesker> the only other rule is nat on gpd0 from en0:network to any -> (gpd0)
18:58 < Project86__> How can I allow ssh BEFORE user login?
Currently, I have to logon first, then ssh, or have auto login (very unsafe) to do the same. Running a headless rpi3
19:00 < birk0ff> is MCITP out of date as of now ?
19:00 < Project86__> Is it because different users might have different network settings, therefore the account needs to be logged in first? Because it doesn't seem to establish network connection until logging in
19:01 < djph> set up networking statically.
19:01 < djph> although I've only seen that mess with wifi
19:10 < Apachez> kottt: the packetpushing isnt done in the cpu but in the asic
19:11 < kenlumbo> pppingme: as in everyone gets 15m/15m (or something close)
19:12 < kenlumbo> so nobody has an issue with win7 and running a speedtest from speedtest.net?
19:12 <+pppingme> kenlumbo so the win7 box gets slower? or what? still not clear whats "broken"
19:12 < kenlumbo> yes, slower
19:12 < kenlumbo> sorry I used the word broken
19:13 <+pppingme> ok, what kind of speeds does the win7 box get?
19:13 < kenlumbo> 15m-ish
19:13 < kenlumbo> 15m/5m sometimes
19:13 <+pppingme> ok, what do the non-win7 boxes get?
19:13 < kenlumbo> 900m/900m-ish
19:14 <+pppingme> ok, how many win7 boxes do you have?
19:14 < kenlumbo> guess nobody has a win7 box to test, thats all I was looking for
19:14 < kenlumbo> the majority are win7
19:14 <+pppingme> I can prommise, this isn't a win7 issue
19:14 < kenlumbo> promise, nice
19:14 <+pppingme> are all of these getting the slower speed using wifi or are they wired ethernet?
19:14 < kenlumbo> all wired
19:15 < kenlumbo> besides the promise, happen to have a win7 box to test?
19:15 <+pppingme> no, I'm mostly linux
19:15 < kenlumbo> promise...
19:15 <+pppingme> but again, this is not a win7 issue, there is nothing in win7 that would make a particular website run slower
19:17 < fnDross> pppingme, daemon.warn dnsmasq-dhcp[1205]: DHCP packet received on ... which has no address << are you familiar with this error?
19:18 < fnDross> https://ibin.co/3wZx0gWjNDUu.jpg << getting it on the DIR-601
19:18 <+pppingme> I don't use dnsmasq
19:18 < fnDross> im thinking its the 601's wifi over vlan4 to the dva
19:19 <+pppingme> kenlumbo is this a "new" issue? did it work normally before?
19:21 < fnDross> so far im thinking either dnsmasq.conf{except-interface | dhcp-relay} or dhcp{ignore}
19:50 < quesker> this is weird, I can add routes as a user. /sbin/ip is 755. is that normal?
19:51 < grawity> quesker: does it have capabilities (run getcap on it), do you have ambient capabilities, are you on Debian, and what iproute2 package version do you have?
19:52 < quesker> iproute2 3.16.0, this is LFS
19:52 < quesker> /sbin/ip = cap_net_admin+eip
19:52 < grawity> 1) jeez that's old
19:52 < grawity> 2) you gave it the capabilities to work without root
19:53 < quesker> weird, I never even heard of capabilities
19:53 < grawity> it's like making it setuid, only specifically for networking
19:53 < quesker> think the iproute install adds that?
19:53 < quesker> make install
19:54 < grawity> no it doesn't
19:54 < quesker> very strange. I've never run setcap that I know of
19:54 < quesker> heh I see it in the history
19:55 < julius> hi
19:55 < poisonby> Hey. Wanting to use a VPN and I have a hard time properly configuring a firewall (to only allow connections to the VPN). The problem is it doesn't connect to a single IP but to a domain name, which I assume is some sort of pool. Can I just use nslookup on that domain to get the proper gateway IPs? What do I do if a certain port is used (like "remote domain port" in the openvpn config)?
19:55 < quesker> I must have done that so I can run vpn as a user and just forgot about it. thanks
20:07 < little> hi
20:07 < little> Wondering the best way to see the IP of the switch I am connected to? I'm on Ubuntu
20:09 < quesker> do switches have an IP?
20:09 < Apachez> some do yes
20:09 < Apachez> mostly for mgmt
20:09 < Apachez> but can also be used for routing if its a l3-switch
20:09 < Apachez> and configured for such
20:09 < ||cw> little: a switch's management ip is just another device on the LAN, port scan for it
20:10 < quesker> or broadcast ping
20:10 < ||cw> there's no inherent association between the IP and your PC's lan port though
20:11 < little> dling nmap for this comp, one sec
20:11 < little> I'm trying to open a port for a safety system remote monitoring at work
20:14 < ||cw> little: "open a port"?
20:15 < tds> depending on what the switch is running, you might also be able to see the ip in lldp/cdp/similar broadcasts
20:15 < little> Forward a port.
20:16 < little> It's a Netgear M4100
20:16 < ||cw> lol
20:16 < little> :p
20:16 < ||cw> you don't want the switch IP, you want the router IP.
20:16 < little> I've already done rules on both routers
20:16 < djph> little: rtfm
20:16 < little> But the company wants the switch IP
20:16 < ||cw> if you can't find that, are you sure you should be messing with your work's router?
20:17 < ||cw> "the company"? are you translating this?
20:17 < little> Translating this? No?
20:18 < ||cw> sorry to be kinda harsh, but IMO work related stuff should not be messed with willy nilly.
20:18 < little> Essentially, a third-party electrical company and the IT technicians before me set up a network.
20:18 < little> It's modem --> router --> fibre-run --> switch --> router #2
20:19 < ||cw> you don't need the switch IP, you need router IPs, and maybe public IPs.
20:19 < little> I have "opened" (forwarded) a port for our remote monitoring third-party that manages site safety.
20:20 < ||cw> unless you want to monitor the switch itself
20:20 < little> I have the router IPs, WAN IPs, and public addresses, yes.
20:20 < SporkWitch> read: i don't know how to do the absolute most basic aspects of my job, please internet people, do my job for free so i can get paid
20:22 < Project86__> djph: was the response "12:01:33 PM although I've only seen that mess with wifi" to me?
20:22 < little> Sorry for asking a question.
20:23 < ||cw> questions are fine, it's the followup that makes me think you're about to take down your work's lan
20:23 < Aeso> little, nothing wrong with asking a question. But you're not giving us enough information to help you, which tells us you're in a little over your head
20:23 < little> Found it tho, thanks.
20:24 < Project86__> 12:01:26 PM set up networking statically. What does this mean?
20:24 <+xand> little: a lot of switches don't have IP addresses.
20:24 <+xand> little: switching does not use IP
20:24 < djph> Project86__: maybe? did you ask about networking on boot?
20:24 <+xand> based on that setup I bet it's not a proper managed switch
20:24 < little> I set it up with the console port and it was assigned one by DHCP, but we have gone thru a drastic reorganization as we are a new company so someone lost a piece of paper.
20:24 < Project86__> djph: yes. Allowing networking before login so that I can ssh in
20:25 < djph> Project86__: wired or wireless networking?
20:25 < Project86__> Wireless
20:25 < grawity> NetworkManager involved?
20:25 < little> Anyways, got it working, test worked.
20:26 < Project86__> grawity: I believe so
20:26 < Project86__> Yes
20:26 < grawity> run nm-connection-editor, edit your network, check the box that says "All users may connect", tab to Security, click the icon next to password input, select "Store for all users", click Save
20:27 < djph> ^ beat me to it
20:27 < Project86__> Thanks a bunch you two
20:47 < Project86__> Now, I have 2 separate pi's, both configured as a router. Neither have internet access (and don't need it as of yet), I want those 2 routers to have an established connection to each other. Sort of like wireless p2p, or wireless ad hoc? (Not sure the proper term for this configuration). The idea is, if I'm carrying one, and the other is a few blocks away, I want to be able to connect to the distant one to use its
20:47 < Project86__> offline vuln scanning tools, using the one in my pocket. This sort of relates to the ssh question, because I've read you can ssh into a machine that doesn't have internet access, as long as you are connected to that router. My idea was to connect to pocket router through ssh from phone, which in turn will allow me to ssh back to distant router. Any guides or helpful info into this?
20:47 < Apachez> am I missing something here or are all 40G multimode modules MTP/MPO?
20:52 <+catphish> Project86__: you're just describing normal routing, there's nothing special about having an internet connection or not having an internet connection, "a few blocks" is a pretty implausible range for wifi though
20:54 <+catphish> Project86__: seems like it would be easier just to use the cell network and internet
20:54 < batch> Project86__ hey man, you got it to work already? routing or bridging?
20:56 < batch> i'm giving up on raspberry
21:08 < Project86__> catphish: if each one uses a usb wifi antenna so connections are made via wlan1 on both sides, then no, it's not at all implausible. My Alfa gets me 2 to 2.5 blocks of range (with optimal conditions). That's a plausible 5 blocks. And I was unaware that it was just basic routing..still new. I thought there'd have to be some certain setup, like making a host and client router or something more advanced
21:09 < Project86__> batch: just switch pi Zero usb mode so it sort of acts like a BadUSB. Except just scans.
21:09 <+catphish> Project86__: you just need to learn about IP routing, and set up the appropriate routes at each end, that part is fairly simple once you know how routing tables work
21:10 <+catphish> i'm seriously doubtful about your wifi range though
21:10 <+catphish> i don't know how far a "block" is, but i imagine there would be multiple houses in the way
21:11 <+catphish> if its line of sight with decent antennas you might get a couple of hundred metres, but you're talking about a small device in your pocket
21:11 < lnks> hello, I am having a strange issue here, I am trying to connect to my company's VPN using cisco anyconnect. If I connect from any other network than my home network it works fine, but when trying from home it doesnt work, BUT if I use a different computer on my home network the VPN works fine...I tried to use wireshark to capture what is happening during the VPN connection process but it is not producing any related traffic.
21:12 < lnks> also, every once in a while it does allow me to connect, but it just seems to be random
21:12 < lnks> I was thinking maybe my ISP was blocking me at first, but the fact that I can connect using a different device disproves that
21:12 < lnks> any ideas?
21:12 < batch> Project86__ sounds nice as well, i think i go with openwrt for my project and a tplink tl-mr3020
21:15 < Project86__> catphish: could you point me to a decent tut or good site to learn? And I said "with optimal conditions" (like clear line of sight, or if one's higher, clear skies, routers not being beside interfering devices...etc.) . And I'd obviously pull it out of my pocket first.. set it up somewhere close enough to ssh in from phone. Maybe even on car dashboard. Antenna upright, of course
21:15 <+catphish> Project86__: that might work then :)
21:16 <+catphish> i'm not sure where one learns ip routing
21:16 < Project86__> catphish: See, I have some smarticles. The pocket router (a pi zero) is basically acting as a repeater, I suppose?
21:17 < batch> Project86__ you wanna go wired to wireless?
21:17 <+catphish> Project86__: no, not a repeater, a router
21:17 < batch> or have usb-to-ethernet as well?
21:17 < batch> yes Project86__ what catphish says, you need to become a routing person
21:18 < batch> google: raspberry as a router iptables
21:19 < batch> my reason to quit it is the usb-to-ethernet adapter is not optimized for routing i think
21:19 < batch> r8152
21:19 < Project86__> But that will just teach me how to make One. Not how to make them route to other routers..
21:20 < batch> yeah you want to learn iptables: forwarding, prerouting, postrouting, ...
21:20 < batch> and accept specific traffic
21:20 < qoxncyha> is 1.1.1.1 not working for anyone else?
21:20 < qoxncyha> dns-over-tls specifically
21:20 < Project86__> batch: I will go wireless for simplicity. But wanted the bare bones, for if there is no/or I need no WiFi (like scanning networks)
21:20 < batch> i gave up on it, it's out of my timelimit
21:21 <+catphish> qoxncyha: can you ping it?
21:21 < batch> you can use airodump or airmon iirc Project86__
21:21 < qoxncyha> catphish: yes
21:21 < qoxncyha> stubby is giving me errors though
21:21 <+catphish> qoxncyha: dunno then :( guess their tls is broken
21:24 < Project86__> batch: exactly. Don't need WiFi to use those tools. So why connect to a WiFi and go through covering tracks if I can just do it offline? ;)
21:24 < qoxncyha> it's working with raw :53 DNS
21:25 <+catphish> this is starting to sound a tad illegal
21:25 < batch> Project86__ aye :p
21:25 < batch> sniffing isn't illegal catphish :p, only when other disobey :p
21:26 < bn_work> does iptables by default log drops? or does one need to explicitly add commands to do so?
21:26 < batch> most places don't know if they're being sniffed or scanned for just one time
21:26 < SporkWitch> batch: actually, sniffing open traffic IS illegal in the US under the wiretap laws, thanks to a totally braindead judge
21:26 <+catphish> intercepting communications is definitely illegal where i live
21:26 < batch> ow hmm really
21:26 < batch> damn
21:27 <+catphish> although, if you're sending cleartext over radio, it's kinda assumed it's going to be listened to, so probably not so much
21:27 < SporkWitch> not sure about where catphish is, but in the US non-secure 802.11 traffic is NOT considered radio anymore and is afforded the same protection as cordless phones, without having a sane law written to add the exception
21:27 <+catphish> sniffing someone's phone line definitely would be, just sniffing cleartext out of the air, probably not
21:28 < batch> yeah, depending on the strength of the signal iirc
21:28 < SporkWitch> catphish: that's the big thing about that bullshit ruling, it effectively defines wifi as != radio
21:28 < WeirdTolkienishF> 802.11 transmits on the ism band
21:28 <+catphish> SporkWitch: that's interesting, i don't know for sure here, i think it would be purely a matter of intent and what a jury thinks
21:28 < Project86__> catphish: purely educational purposes sir. Testing against my own network at home. I simply want to understand and explore different ways my system could be attacked.
21:28 < batch> i think here it's illegal if you go over 5ghz or something
21:28 <+catphish> SporkWitch: well IMO that's a good ruling, provides a way to prosecute people intercepting wifi for evil
21:29 < SporkWitch> catphish: it was big news and a big deal, because the laws are very clear that a radio broadcast without any attempt to conceal the contents is NOT private and anyone with a receiver is welcome to listen and record
21:29 <+catphish> i think there's a big difference between a voice radio transmission sent over distance, and someone using wifi to send a private email to their local router
21:29 < SporkWitch> catphish: these same existing laws would make attempts to decode encrypted wifi traffic a violation of the wiretapping laws, because the attempt to conceal the traffic establishes a presumption of privacy
21:30 < Project86__> batch: ya, me and SporkWitch had the convo about that law. And how they aren't "radio" anymore. So how can you get charged wiretap for sniffing an open radiowave that isn't even a radiowave any longer?
21:30 < Project86__> Lulz
21:30 <+catphish> it would likely be an extremely gray area here, you could likely be prosecuted if you used it for evil, probably not if you were just curious
21:30 < batch> yeah
21:30 < qoxncyha> can anyone curl https://1.1.1.1?
21:30 <+catphish> qoxncyha: works in my browser
21:30 < SporkWitch> it is an objectively horrific ruling; if they wanted non-secure wifi to be protected like a phone call (which is, itself, absurd) they should have passed an explicit exception, rather than making a ruling that contradicts the law outright
21:30 < fnDross> Project86__ Q: how are vcr's/pvr's legal?
21:30 < qoxncyha> catphish: it's timing out for me
21:31 < qoxncyha> can anyone else repro?
21:31 < fnDross> im going somewhere with this
21:31 < batch> but if it's really about a single braindead judge
21:31 < batch> yeah
21:31 < xingu> SporkWitch: doesn't the same principle mean that anything obtained via stingray can be thrown out?
21:31 < Phil-Work> SporkWitch, what about VoIP over unprotected wifi?
21:31 < Phil-Work> is that not exactly the same as a phone call?
21:31 < batch> you maybe saw zuckerberg in court
21:31 <+catphish> qoxncyha: in my experience, when ping works, but https doesn't, you have a MSS issue
21:31 < batch> perfect example :p
21:31 < qoxncyha> catphish: it was working 15 minutes ago
21:32 <+catphish> IMO any communication which a reasonable person thinks is private should be protected
21:32 <+catphish> if i send an email over wifi, any normal person would consider that a private communication, so it's illegal to intercept it here
21:33 < koala_man> I'm glad that's the case these days
21:33 <+catphish> on the other hand, if i am using PMR to have a voice conversation, i think most reasonable people would understand they were broadcasting and hence not private
21:33 < SporkWitch> xingu: something like stingray likely violates quite a few laws already, since it's an impersonation of a legitimate, secure station
21:35 < SporkWitch> catphish: no reasonable person thinks a non-secure access point is in any way private, it's called "open" in every user-facing tool for a reason. ANY attempt to protect the contents is sufficient to receive protection from the law (that means WEP with key 12345678 is sufficient; even PL codes on walkie-talkies are arguably sufficient)
21:36 <+catphish> SporkWitch: obviously if it's encrypted then it's considered private, but just because it's "insecure" doesn't mean it's not private
21:36 < SporkWitch> catphish: in order to establish protection for cordless landline telephones, which transmitted non-secure, they explicitly added an exception in the law, on the grounds that phone traffic is, by its nature, presumed to be private between the known parties on the call. What it _didn't_ do was rule that it's no longer a non-secure radio broadcast
21:36 < Phil-Work> realistically, protecting wifi shouldn't actually be required as the underlying communication should be encrypted
21:36 <+catphish> if i leave my front door open, i know my house it's secure, but that doesn't mean it's legal to take my stuff
21:36 <+catphish> *isn't
21:36 < SporkWitch> that's the important distinction. One is an exception to the prior law, the other objectively contradicts reality
21:36 < Phil-Work> if you're happy to sniff unencrypted comms on wifi, is it OK to splice into fibre and tap it off there?
21:37 < batch> but what about if you are learning for IT security and pentesting, it's still illegal to do such education practices?
21:37 < batch> you'll really need it for ur job later right
21:37 <+catphish> the context matters in sane criminal laws
21:37 < batch> right
21:37 < Project86__> xingu: great point. But like SporkWitch said, already illegal. They're just allowed to get away with it because "terrorists" *in my redneck "Murica" voice*
21:37 <+catphish> batch: that's an easy one, it's perfectly legal to attack your own stuff, not other people's
21:37 < SporkWitch> catphish: absolutely abysmal example, nothing is being stolen. If you shout in the language of the land at the top of your lungs, you have no expectation of privacy.
21:37 < batch> here ya go Project86__
21:37 < batch> :p
21:38 <+catphish> SporkWitch: it's about context, people aren't expecting their local wifi to be being sniffed, you need special tools (by normal person standards) to do this
21:38 <+catphish> i compare it to PMR446, where anyone with an off the shelf radio can just listen
21:38 < SporkWitch> catphish: and that is what an open radio broadcast is and always will be. Everyone KNOWS anyone can connect and listen, there is no presumption of privacy. Connecting without authorization would violate existing laws on unauthorized access, but passively listening to a radio broadcast is not that.
21:39 <+catphish> whereas wifi, you'd have to install special "hacking software" and go out of your way to intercept someone else's traffic
21:39 < SporkWitch> catphish: context is irrelevant, what matters is the presumption of privacy, and there is none
21:39 <+catphish> that's how a court would look at it
21:39 < SporkWitch> catphish: no, you wouldn't, again, that's the point
21:39 < Phil-Work> SporkWitch, is there a presumption of privacy on fibre?
21:39 < Phil-Work> what is the difference between deliberately sniffing wifi and deliberately tapping fibre?
21:39 < precise> Fiber is more difficult to tap vs copper vs listening to wifi broadcasts
21:39 < SporkWitch> Phil-Work: fibre isn't broadcast for anyone to hear
21:40 < SporkWitch> Phil-Work: it's the difference between handing someone a post card and shouting at the top of your lungs.
21:40 < batch> i think scanning wifi devices and wiretapping a phone is very different for example as well
21:40 < Phil-Work> nor is wifi
21:40 <+catphish> SporkWitch: the point is, you can't accidentally intercept someone's wifi traffic
21:40 < Phil-Work> it's only those who listen, that hear
21:40 < SporkWitch> Phil-Work: NON SECURE wifi is the radio equivalent of shouting at the top of your lungs
21:41 < SporkWitch> catphish: yes you can, because anyone with a receiver can receive the plaintext
21:41 <+catphish> you'd have to go out of your way to do it, it's not like just turning on a radio and turning the dial, i believe (and ianal) that a court would consider that something only a hacker would do
21:41 <+catphish> hence the context is relevant
21:41 < Demos[m]> even with secure wifi it's easy to find out that you are communicating
21:41 < SporkWitch> catphish: that's WHY non-secure radio broadcasts are not considered private
21:41 < winsoff_> SporkWitch: speaking of, i'm on unsecured wifi and i can't see dick for packets
21:41 < SporkWitch> catphish: the context is that you're a retard shouting at the top of your lungs and think people shouldn't listen to you
21:42 <+catphish> SporkWitch: no, you're not transmitting in a manner people could hear by accident
21:42 <+catphish> it's not like shouting
21:42 < SporkWitch> catphish: if you want a protect-the-retards law, by all means, pass a law making an explicit exception. DO NOT make rulings that contradict reality and completely fuck everything else to do with radio up
21:42 < Project86__> 2:36:37 PM if i leave my front door open, i know my house it's secure, but that doesn't mean it's legal to take my stuff. You make some good points tbh. But this reminded me of that case where the guy left his car running on the curb or driveway, it got stolen, and police or anyone wouldn't do anything, because it was his fault for leaving it running and unlocked. Yet your
21:42 < Project86__> aforementioned point is still law. Smh. They make no sense
21:42 <+catphish> no consumer tools will listen and show you that data
21:42 < SporkWitch> catphish: it is 100% exactly like shouting, and any rational person knows it.
21:43 < SporkWitch> catphish: 1) wrong, 2) not a requirement.
21:43 <+catphish> Project86__: the police would not be justified in that afaik
21:43 <+catphish> SporkWitch: i'm just saying how i believe a court would interpret it in my country
21:43 < xingu> in a world where children can buy thermal cameras that see through worlds, and machines can lipread, is any conversation protected? :)
21:44 < SporkWitch> catphish: and i'm saying that your country is also retarded, like anyone else trying to argue that shouting isn't shouting.
21:44 < xingu> s/worlds/walls/
21:44 < SporkWitch> catphish: again, the issue isn't making it illegal, it's HOW. You make an exception in the law, you don't redefine reality so it contradicts itself
21:44 < Project86__> xingu: lol
21:44 <+catphish> courts are far more interested in taking down bad people, than in technicalities
21:45 <+catphish> (fortunately)
21:45 < SporkWitch> yeah, "technicalities" like THE LAW and REALITY
21:45 < fnDross> kinda like with the downloading music one
21:46 <+catphish> that's why in england, all evidence is admissible in court, they're more interested in the truth
21:46 < Project86__> I didn't mean to make a debate guys, albeit a good one. I was just curious on abilities and such.
21:46 < Project86__> Lol
21:46 < Project86__> My b
21:46 < fnDross> vcr's /pvrs arent illegal
21:46 < batch> useful info Project86__ :p
21:46 < xingu> Project86__: privacy is one of those irregular verbs; I have no expectation of privacy, you are a state actor, they are above the law
21:46 < fnDross> how many people have a music channel you get for PAYING
21:46 <+catphish> fnDross: they're legal here for the specific purpose of "time shifting" only
21:46 < fnDross> or multiple
21:47 < Project86__> xingu: agreed
21:47 < fnDross> so any music played is paid for
21:47 <+catphish> you can't legally use a VCR to make copies of a video for example
21:47 <+catphish> although this strays into civil law which is much less simple :)
21:47 < SporkWitch> xingu: presumption of privacy in this context is actually well-defined; the reason that protections were extended to cordless phones is that the way phones work provides an assumption of privacy, and no one thought about the implications of a "cordless" phone. The same doesn't hold for wifi, because the very nature of it DEMONSTRATES that anyone can connect and listen
21:48 < SporkWitch> catphish: in the US, you can. What you're not allowed to do is 1) attempt to defeat DRM, 2) distribute your archival backup
21:48 < fnDross> so pretty much anyone who pays a cable bill can download music
21:48 <+catphish> SporkWitch: yeah, that DRM thing is really stupid IMO
21:49 < Capprentice> Ahem, what can I use to simulate qinq on GNS3? Which virtual platform supports all switching capabilities mainly qinq?
21:49 <+catphish> SporkWitch: in the UK it's a purely civil matter, so it only matters if the copyright holder minds, but there's no exemption for personal backups
21:49 < SporkWitch> catphish: copyright law in the US does allow you to make an archival backup under fair use; the DMCA provides no exception to the DRM rule for this purpose (this is intentional, as the DMCA, like nearly all copyright and patent law in the US, is actively malicious and arguably unconstitutional)
21:49 < S_SubZero> it's always stupid to people who aren't having their stuff copied willy-nilly
21:49 < SporkWitch> catphish: it's a civil issue in the US as well, though there's certain levels that reach criminal status (I do not know where that line is)
21:50 <+catphish> SporkWitch: here the physical media is considered sacred, technically the idea of copyright is that only the copyright owner can make physical copies, when they wear out, you buy a new one, it's an unpopular concept, but it's how copyright law was designed
21:50 < fnDross> its the same as hitting record on your pvr
21:50 < SporkWitch> S_SubZero: stupid is thinking it affects anyone but legitimate customers
21:50 <+catphish> SporkWitch: so there's no concept that you "bought the rights to the media" and are allowed to make your own copies for backups
21:51 < xingu> I wonder if you can sue the contractors the no such agencies employ for unauthorised public broadcast of copyright material
21:51 <+catphish> technically ripping a CD to listen on your ipod is illegal here, it was specifically ruled as such, but no copyright holder is going to sue you
21:51 < SporkWitch> catphish: copyright law in the US has a very different purpose, as defined in the constitution. Congress _only_ has the power to make copyright and patent laws, and _only_ if it promotes the sciences and useful arts. That's why the fair use rules provide an exception for a backup: it's the CONTENT, not the medium, that is protected
21:52 < S_SubZero> SporkWitch: that's awful, but a small indie game company only needs to watch their make-or-break title show up on TPB two days before launch to think DRM may have merit.
21:52 <+catphish> of course ultimately the purpose is the same
21:52 < SporkWitch> catphish: this is also why it's not at all difficult to argue the unconstitutionality of current laws, because we can objectively show a decrease in the pace and breadth of innovation and progress.
21:52 < SporkWitch> S_SubZero: they may think that, though they'd still be wrong
21:52 <+catphish> to ensure that people who create content can make money from its reproduction
21:53 < SporkWitch> catphish: no, that's not the purpose. In fact, in the US, that argument was ruled AGAINST. Compensation for creators is NOT the goal. Encouraging creators to create IS.
21:54 <+catphish> we don't believe we have that absurd "breaking encryption" law here, but we also have no fair use for personal backups, though everyone ignores it
21:54 <+catphish> SporkWitch: how is that different?
21:54 <+catphish> SporkWitch: the reason they're encouraged is because they can make money
21:55 < SporkWitch> catphish: again, it's the end goal. Compensation is ONE way you can try to encourage them, but compensation itself is not a legal justification for laws regarding copyright in the US.
21:55 <+catphish> seems like a strange argument
21:57 <+catphish> we have no written constitution, so fortunately, debates here focus on the situation right now, rather than trying to guess historical intent, which is probably better
21:58 <+catphish> we could have a referendum tomorrow and totally replace our entire system of government with direct rule by barack obama if we wanted
21:59 <+catphish> but it probably won't happen :)
22:00 <+catphish> on the other hand, english constitution is unwritten, though probably very complicated, and involves the monarchy in ways i couldn't begin to understand
22:00 < SporkWitch> catphish: it's a very important distinction. The purpose is to promote the sciences and useful arts, it is not to make creators money. Literally ANYTHING that does that can be tried (as long as it doesn't break other laws). But if the GOAL is COMPENSATION for creators, there's a WHOLE lot more you can do that's actively detrimental to the promotion of sciences and useful arts
22:01 <+catphish> SporkWitch: i see, well that's quite sensible then
22:01 < SporkWitch> (classic example is buying up a patent to PREVENT that thing from being released into the world; no one is allowed to do it, even if they come up with it independently)
22:01 < SporkWitch> catphish: again, don't know about the UK, but this is explicit in the US constitution, article 1, §8 (IIRC)
22:02 < xingu> I thought publishing a patent inherently released it into the world
22:02 < fnDross> it does
22:02 <+catphish> afaik we have nothing like that here, copyright just is what it is, and is the result of international treaties anyway
22:02 < SporkWitch> xingu: the INFORMATION is out there, but it can't be USED without license by the creator
22:03 < SporkWitch> need to relocate; i'll be back on in half an hour probably
22:03 < fnDross> like microsoft did with its XP sounds
22:03 < xingu> used, or used as part of a value chain?
22:03 < SporkWitch> will catch up on the convo then
22:03 < SporkWitch> xingu: used, full-stop
22:03 <+catphish> xingu: yeah, it's public, but can't be used without permission of the owner, so they could in theory unreasonably withhold that permission
22:03 < SporkWitch> xingu: a patent means "whatever this is describing, you can't do it without my permission"
22:04 <+catphish> what SporkWitch said
22:04 < fnDross> ...in that country
22:04 <+catphish> it's designed to allow a temporary monopoly to compensate inventors
22:04 <+catphish> again, they're subject to international treaties
22:04 < fnDross> which are ignored
22:04 <+catphish> though less so than copyright
22:05 < SporkWitch> (it's also one of the reasons you can't patent software without immense corruption and stupidity, like the US; look up Diamond v Diehr for another example of legal fictions actively contradicting reality and fucking everything up as a result)
22:05 < SporkWitch> back in a bit
22:05 <+catphish> personally i hate patents, they're so prone to abuse, because it's so difficult to prove that other people wouldn't have come up with your idea
22:05 < apathor> hi. could someone explain to me in the context of linux IPv6 what 'preferred_lft 0sec' means?
22:06 <+catphish> it means "Preferred Lifetime"
22:06 <+catphish> but i don't know what it does
22:07 < apathor> thanks catphish. i have a v6 address tagged 'preferred_lft 0sec' that keeps getting marked 'deprecated' then fails to route
22:09 < arooni> if i want to whitelist my ISP's ip addresses when i connect to my VPS; and right now my ip address is 24.124.xx.xx ; is whitelisting them like 24.124.0.0/16 ; good enough? too broad? too small?
22:12 < fnDross> is /etc/dnsmasq.conf>>/except-interface=0.4/ the same as /etc/config/dhcp>>/config dhcp guestlan option ignore=1?
22:13 < fnDross> gettin " DHCP packet received on br-guestlan which has no address" errors
22:13 < Apachez> arooni: depends on which ip you expect to receive from your isp
22:13 < Apachez> arooni: and if you got some other backdoor into managing this vps
22:13 < Apachez> if you got some other backdoor then I would select a much smaller window
22:16 <+pppingme> fnDross does the dhcp server have an interface into that vlan? does that interface have an IP?
22:22 < fnDross> pppingme: https://ibin.co/3wZx0gWjNDUu.jpg << its the dir-601
22:23 < fnDross> the 601 wifi is bridged to vlan4 protocol:unmanaged
22:25 < fnDross> theres a dhcp server running on that IP.3.1 uplink
22:28 < fnDross> https://pastebin.com/Yd32V9ZF <--601 was replaced with 615
22:29 < fnDross> pppingme ^^
22:30 < fnDross> i get it on the dir-835 as well just not nearly as much.... it also has a similar wifi/vlan4 sent to the dva
22:46 <+pppingme> fnDross read my question carefully in the context of your network, from what I'm gathering, the answer is NO, it needs to be YES
22:56 < nikivi> can someone help with an OAuth question, I hope this is the right place to ask this
22:56 < nikivi> I created a personal token to use from GitHub and now want to make HTTP request using OAuth
22:56 < nikivi> However all I got was the token but to make request it seems I need some key AND token
22:56 < nikivi> Where do I get this key?
22:57 < nikivi> https://i.imgur.com/9Lbvg0L.png
22:59 < rhineheart_m> Thank you catphish
22:59 <+catphish> arooni: you can't really guess what IPs your ISP might give you, but you can look up all their IPs
23:00 <+catphish> rhineheart_m: did i do something?
23:01 < rhineheart_m> Yes. I threw a question here last time regarding FOC deployment.
23:01 <+catphish> ah :)
23:01 <+catphish> sometimes i'm helpful
23:02 < rhineheart_m> Yes it is. :)
23:02 < rhineheart_m> Can I ask further, tho? :)
23:02 <+catphish> normally i'm just a sarcastic asshat
23:02 < rhineheart_m> You are not. You are in fact helpful.
23:02 <+catphish> ask the channel, i might help, someone else might too :)
23:03 < rhineheart_m> Great! Call.
23:04 < rhineheart_m> In a fiber run with like 4 cores...I want to drop 2 cores of it in a building..what will happen to the other 2 cores?
23:06 < Apachez> how do you mean?
23:06 < rhineheart_m> And what if I want to bring again back the 2 cores to the fiber run for the next building...my understanding is I just need to insert both to the network switch just like we usually do with the copper. Am I right?
23:06 < Apachez> normally you dont drop just a subset of the strands
23:06 < Apachez> you drop the full cable
23:06 < Apachez> and then continue your run to the next place
23:07 < Apachez> this way you can choose to just patch all pairs or "tap" in whatever direction you wish
23:07 < Apachez> so if you got 3 buildings (as an example) and a 8 pair fibercable
23:07 < fnDross> pppingme on that device, yes: but its not for it, the one its warning about is the unmanaged [vlan4&wifi] bridge: which is handled by the dva
23:07 < rhineheart_m> Do you have a picture illustration of that to help me more understand? But that's helpful. Thank you.
23:07 < Apachez> you normally do that as build1 <-> 8 pair cable <-> build2 build2 <-> 8 pair cable <-> build3 build3 <-> 8 pair cable <-> build1 23:08 < Apachez> this way if build1 needs to reach build3 you just patch at build2 site so this pair goes straight through 23:09 < Apachez> so the cabling becomes build1 <-> cable <-> build2 <-> patchpanel <-> patchpanel -> build2 <-> cable <-> build3 23:10 < Apachez> this way at lets say building1 you have 2 patchpanels 23:10 < Apachez> one for a cable to building2 and one for building3 23:11 < Apachez> and while you are at it put up a 48 pair singlemode cable while you are at it 23:11 < Apachez> normally its the labour that costs and not the cable itself 23:11 < Apachez> so you get (at building1) one 48 pair LC patchpanel to building2 and one 48 pair LC patchpanel to building3 23:11 < Apachez> at building2 you have one 48 pair LC patchpanel towards buildnig1 and one towards building3 23:11 < fnDross> pppingme: that dhcp for the 3.0/ should be ignoring it, but its not.. from what im guessing 23:12 < Apachez> and at building3 you got one towards building1 and one towards building2 23:12 < Apachez> so you end up in total with 3 cables and 6 patchpanels 23:12 < Apachez> patchpanel buildingX <-> cable <-> patchpanel buildingY 23:14 <+catphish> rhineheart_m: you can join 2 pieces of fiber together 23:15 < Apachez> or just use a patchcable 23:15 < Apachez> much more freedom that way 23:15 <+catphish> so you bring 4 cores into one building, you can connect 2 of them to that building's network, then you can join (splice) the other 2 cores to another fiber cable that goes to the next building 23:15 < rhineheart_m> I see, catphish. I need to watch more videos on this at youtube. 23:15 <+catphish> or as Apachez says, you can use a patch panel to plug them together rather than splicing 23:16 <+catphish> my house has this 23:16 < rhineheart_m> Thank yoh Apachez 23:16 < Johnjay_> does anybody have super saiyan linux knowledge? 
23:16 < Johnjay_> i'm trying to get networking under a VM to work atm 23:16 < Apachez> if the distance is fairly short and you can drag the cable on your own you can order all you need from fs.com and do this yourself 23:17 < fnDross> pppingme: bringing me to confirm with the gurus if im on the right path of it being either /etc/dnsmasq.conf>>/except-interface=0.4/ OR /etc/config/dhcp>>/config dhcp guestlan option ignore=1? 23:17 < Apachez> if you choose to use professionals then make sure you get a OTDR report of each pair before payment 23:18 < rhineheart_m> The longest run I think is like 400 meters. I will be using multimode coz it is cheaper. I hope my concept is right. 23:18 < Apachez> dont use multimode 23:18 < Apachez> use singlemode 23:18 < Apachez> not much pricedifference 23:18 < Apachez> but you will end up with all sort of problems in the long run with multimode 23:19 < rhineheart_m> Even at 400 meters? 23:19 < Apachez> yes 23:19 < Apachez> https://en.wikipedia.org/wiki/Multi-mode_optical_fiber 23:19 < Apachez> the table is for a perfect cable 23:19 < Apachez> so you cant do 40G when you have 400 meter multimode cable 23:20 < Apachez> also in your case you need to patch it at both ends so the total length device to device will be a bit more than 400 meters 23:20 < Apachez> and since your cable isnt "perfect" thats equal to lets say 450m 23:20 < rhineheart_m> So all I need is a patch panel. Does it require a power source just like a normal switch? 
23:20 < Apachez> while if you use singlemode you dont have to care about length 23:20 <+catphish> Johnjay_: you'll need to get started yourself and ask when you have specific questions 23:20 < Apachez> you can use 100G optics for a 30 year old singlemode installation 23:20 < Apachez> while 100G optics doesnt work in a multimode installation you do today 23:21 < Apachez> for the length of 400-450 meters 23:21 <+catphish> rhineheart_m: it seems that nobody likes MM fiber, i see no benefit to it 23:21 < Apachez> a patchpanel is just a physical device where you can connect the cables 23:21 < Apachez> there is no power involved here 23:21 < Johnjay_> catphish: my specific question is why does the netctl start profile command fail after copying the ethernet-dhcp example file from /etc/netctl/examples directory 23:21 <+catphish> i don't know netctl 23:21 < Johnjay_> but that seems a bit devoid of context so I asked something more general first 23:22 < Apachez> the good thing with singlemode cabling is that length isnt an issue and you can easily multiplex if you run out of pairs and cannot install more cabling 23:22 < Johnjay_> probably a better question would be if ppl know about networking under arch since that's what i'm on 23:22 < Apachez> multiplexing is when you multiplex by wavelengths different connections over a single singlemode pair 23:22 <+catphish> Johnjay_: you may want to ask an arch specific channel too 23:23 <+catphish> i only really know debian networking 23:23 < rhineheart_m> Nice. I will go for singlemode then. This channel is helpful. 23:23 < Johnjay_> yes apparently there are some subtle differences between them as i'm finding out 23:24 < Johnjay_> e.g. you don't have ifup instead you type ip link set eth0 up 23:24 <+catphish> Johnjay_: the kernel and actual networking work the same, but how you configure it is totally different :( 23:24 < Johnjay_> i see 23:24 < Johnjay_> so it could be different under gentoo, fedora, suse, etc as well? 
23:24 <+catphish> Johnjay_: "ifup" is a command in many dustros that tells the distro to use its scripts to configure the interface 23:25 < Johnjay_> ah ok. i thought it just turned it on in debian 23:25 <+catphish> Johnjay_: "ip link set eth0 up" is part of "iproute2" which almost all distros have, it's a specific command that brings up the physical interface, but won't configure any IPs of anything else 23:26 < Johnjay_> ok yeah it did mention iproute2 23:26 < Johnjay_> i didnt' know what that was though 23:26 < Johnjay_> arch has it by default 23:26 <+catphish> iproute2 (ip) is basically the backend command that all distros use to do the actual work 23:26 <+catphish> their scripts sit on top 23:27 <+catphish> for example "ip addr add 10.0.0.1/24 dev eth0" will add that ip to that interface and will work on pretty much any linux system 23:27 <+catphish> but it's instant / won't survive a reboot 23:27 <+catphish> the distros have their own scripts that call commands such as this at boot 23:27 < Johnjay_> ah ok. would explain why arch has it then 23:28 <+catphish> everything has it, but you normally don't use it directly to configure things, you use the scripts 23:28 < Johnjay_> by the way once i asked it to install a proper network manager that would persist it also wanted to install like 20 other prerequisitc packages 23:28 < Johnjay_> like libdaemon, libndp, libnewt, and libsodium 23:28 <+catphish> depends on the network manager, but some do a lot of things 23:29 < Johnjay_> bluez-libs, that's bluetooth i think 23:29 < Johnjay_> so yeah, lot of things apparently 23:29 < Johnjay_> the weird thing is that the installation procedure explicitly calls for the network connection to automatically happen and then you download a bunch of things 23:29 < Johnjay_> yet a network manager isn't part of that... 
o_0 23:30 <+catphish> "network manager" usually refers to a gui 23:30 <+catphish> but there'll normally be scripts anyway with manual config files 23:30 < Johnjay_> i think not because it's not pulling in xorg 23:30 < Johnjay_> in fact that is the next post install task, to install xorg 23:30 < kuahara> On a lot of our customer sites, we have a two server setup for our records management software. The linux server is where the data processing happens and where the database lives. When it is done it sends the document to the image server (windows) via FTP. Since these two live in the same subnet, usually right next to each other, this is almost never an issue. 23:31 < djph> kuahara: ...but...? 23:31 < kuahara> In a few cases, we've had to move a linux server offsite and setup outside to inside FTP (calm down). 23:31 <+catphish> Johnjay_: don't know then :) 23:31 < SporkWitch> kuahara: scp is your friend 23:31 < djph> kuahara: and you still use FTP? are you mad!> 23:31 < djph> '? 23:32 < djph> fuck this keyboard 23:32 < SporkWitch> lol 23:32 < kuahara> I know FTP is ancient and a lot of people hate it, but try to stay focused here for a sec. We have one client that had a server crash and we quickly resurrected their server, but in one of our datacenters. 23:32 < djph> we are focused -> ftp is shit 23:33 < SporkWitch> if ftp is somehow relevant, replace it with scp 23:33 < kuahara> Which calls for an outside to inside FTP setup again. Only this time, two of their offices are in two different buildings, but same public IP, same subnet. 23:33 < kuahara> and they have two gateways. 192.168.88.10 is the edge and has routes to 10.1.6.1 for one office and 10.10.10.1 for the other 23:33 < kuahara> Our offsite linux server needs to store records on servers in each of those inside subnets 23:34 < kuahara> that sound pretty impossible in that scenario? 
23:34 < SporkWitch> kuahara: vpn or port forwarding; i recommend vpn because it addresses the security issue with ftp 23:34 < SporkWitch> (partially, anyway) 23:34 < djph> (1) don't use FTP. (2) sftp to two different target ports, and set up NAT 23:34 < SporkWitch> or that ^ 23:35 < kuahara> Sporkswitch, I prefer VPN as well, but unfortunately, it's not an option. The server software is only designed to FTP out (our parent company wrote it). 23:35 < SporkWitch> if your company wrote it, your company can unfuck it lol 23:35 < djph> tell your parent company they're bad and should feel bad. 23:36 < kuahara> Our devs can change some things, but they are limited to what is produced by the "toolkit group". They write the tools the devs can use. 23:36 < djph> tell the toolkit group to stop fucking using FTP 23:36 < SporkWitch> ^ 23:36 < kuahara> We can have tkt make changes, but it'll be a long time before that happens. 23:37 < djph> should've been making those "long time" changes 10 years ago 23:37 < kuahara> anyway, getting back to the issue. Does outside to inside FTP going through two gateways sound like something that will ever work? 23:37 < SporkWitch> no one competent is going to help you run plain old FTP over a public network 23:37 < kuahara> SporkWitch, you'd be surprised what people are interested in trying to make happen. 23:37 < djph> SporkWitch: then again, anonymous FTP does make for great backups 23:37 < SporkWitch> no, i wouldn't; i never underestimate stupid 23:37 < kuahara> Sometimes I do things just to see if I can. 23:38 < djph> ^ that 'splains the new goatse images 23:39 <+catphish> FTP doen't really work with port forwarding because of the port allocation 23:39 < djph> anyway, back on topic, FTP is bad. nothing will change that. 
VPN may help mitigate the complete lack of security 23:40 <+catphish> best option if you must use ftp is VPN as mentioned 23:40 < djph> catphish: hence "(1) don't use FTP" 23:40 < djph> ohhh, right 23:41 < kuahara> catphish, yea, that's where outside to inside FTP usually breaks down. That said, I have a forward setup on my sonicwall and it works fine. 23:41 < kuahara> TZ600 23:41 <+catphish> kuahara: some firewalls have an FTP ALG that understands FTP and adds rules dynamically 23:41 <+catphish> it's a terrible mess, but it can work 23:42 < kuahara> I don't have it opened up to the world though. Only our telx facility can ftp from wan to lan. The rest of the world is cut off 23:42 < redrabbit> whitelist --- Log closed Wed May 16 00:00:21 2018