--- Log opened Thu May 17 00:00:22 2018
00:00 < mnemon> catphish: naw, that's just the different waveforms for different symbols
00:01 <+catphish> sure, but it's not a sine wave right, so there must be other frequencies mixed in there somehow?
00:01 < mnemon> hmm, sorry, there's two different
00:02 < mnemon> which modulation is that?
00:05 < mnemon> nvm, one frequency just shifted ... long time since I looked into the basic keying stuff
00:15 < HEROnymous> another day, a little more ibgp, a little less ospf/static routes
00:35 < zeldafan78> How the fuck can they know if the people I'm e-mailing really have (previously) signed up to receive my newsletter if I just somehow grab a ton of random e-mail addresses?
00:35 < zeldafan78> (They do detect this and don't make them actually go out)
00:36 < Apachez> who are "they"?
00:39 < S_SubZero> it's me.  I'm 'they'
00:49 <+catphish> who?
00:51 <+catphish> afaik every email sending tool just trusts you to provide legitimate lists
00:51 <+catphish> though they will monitor spam complaints and quickly ban you
00:52 <+catphish> plus you have to pay, it's not cost effective to send unsolicited spam with a professional paid email service
01:17 < sleepy6> poll: should i watch the sunset this friday at the beach?
01:37 < sla3k> Hi guys, I am going for a new 10G swtich, from a point of view of an SMB, what would you suggest, D-link or Netgear?
01:38 < sla3k> It will be hammered with traffic (basically it will connect 8 10G ethernet links on 8 servers to a centralized NAS box over 10GBe link)
01:38 < HEROnymous> sla3k, neither.  those are both garbage brands.
01:38 < sla3k> Bummer! What would you suggest then, apart from Cisco, that's way above what our pockets allow
01:39 < HEROnymous> will 48x SFP+ (10gig) ports and 4x QSFP (40gig) ports do?  if so, check out Nexus 3064's on ebay.
01:39 < HEROnymous> how many ports do you need?
01:39 < HEROnymous> ubiquiti makes a 16x SFP+ switch.
01:39 < sla3k> minimum 16 for now, right now we have 8 servers, but I want to keep some room for growth.
01:39 < HEROnymous> but you can get older cisco gear for cheap on ebay a lot of the time
01:40 < sla3k> RJ45 would be more preferable, otherwise I would need to buy ether SFP+ enabled network cards, or the convertors.
01:40 < HEROnymous> that's gonna get more expensive, but you can find nexus 3064TQ or 3172TQ switches on ebay.
01:48 < sla3k> Damn, they are expensive, cisco nexus ones. I don't think we can afford that at this moment. So no other brand would do any good apart from Cisco?
01:48 < HEROnymous> what's your budget look like?
01:49 < HEROnymous> part of it is just the copper thing - SFP+ is a fair bit less expensive and like I mentioned, ubiquiti has a 16port offering...
01:49 < sla3k> Budget wise I'd say below $2k or max $2.5k
01:49 < sla3k> I'll look at Ubuqiuty..
01:49 < sla3k> Ubiquity
01:50 < HEROnymous> you can't find a 3064TQ for under $2k on ebay?  used to be they were around $1700
01:52 < sla3k> Maybe a used one, but that too minimum I could find on ebay was $2600
02:11 < VincentHoshino> hmmm downstream -4.9 dBmv avg and fluctuates upstream 57.3 dBmv and stuck .. packet loss comes and goes
02:12 < VincentHoshino> Comcastic!
02:21 < spaces> anyone having a bitchy network at the moment ?
02:22 < xamithan> Nah my network is male
02:22 < spaces> xamithan following the transgender hype it might be the biggest bitch around then ;)
02:26 < spaces> xamithan ask if it wants children
02:26 < xamithan> It is getting too fat,  need to remove the children and find homes for them
02:28 < spaces> xamithan what about the alimony ?
02:28 < spaces> you will lose it
02:29 < xamithan> child trafficking has no alimony.  They just give me a few bucks and take them away
02:29 < xamithan> Then I shift the work to one of the other siblings that has too light a load =)
02:30 < spaces> xamithan you reinvented slavery ?
02:30 < xamithan> Machines have no soul
02:33 < spaces> xamithan heh so you are a machine ?
02:58 < arooni> anyway to find given an ip address; any urls taht are hosted on it?
03:00 < xamithan> You mean like this?: https://reverseip.domaintools.com/
03:01 < xamithan> Only shows you three results but I'm sure there are better lookup tools
04:14 < patientplatypus> i have a server i can ssh into but i cant make any curl requests out of
04:14 < patientplatypus> does anyone know whats going on?
04:23 < linux_probe> jailed/sandboxed?
04:23 < xamithan> Check the firewalls
04:24 < linux_probe> failwalls =p
04:24 < xamithan> It'll be a firewall after proper configuration though O.o
04:25 < linux_probe> maybe i is proper, keepign them from curling junk in
04:25 < xamithan> Might be if he isn't the admin
04:27  * linux_probe random guesses further, no dns address, no route lol
04:29 < patientplatypus> hi
04:29 < patientplatypus> i have a server that just decided not to respect any curl commands curl: (6) Could not resolve host: google.com
04:30 < xamithan> DNS issue
04:30 < light> check your resolv.conf
04:30 < patientplatypus> does anyone know how i could go about debugging this? this is a new one on  me
04:30 < light> run an nslookup
04:30 < linux_probe> lol
04:30 < light> could not resolve host is pretty clear
04:31 < patientplatypus> you mean like this https://hastebin.com/ahoxahedoh.rb
04:31 < light> well that's a problem isn't it
04:31 < light> you'll need at least one nameserver
04:31 < patientplatypus> it is? treat me like an idiot - what should i do?
04:32 < light> turn your computer off and on again
04:32 < patientplatypus> lets say that's not possible
04:33 < light> then I question how you've been updating your system
04:33 < linux_probe> updates, bah, who needs'em
04:33 < xamithan> First you should google "could not resolve host $yourOSandversionhere" then follow some steps
04:34 < patientplatypus> look - my environment admin is at home for the night and i cant get a hold of them and they have the log in for the server restart - but i need to get this project done. so i cant restart. is there another way to fix this?
04:34 < xamithan> There is an easy temporary fix
04:34 < patientplatypus> sure whats that
04:34 < light> if you don't have permission to restart, what makes you think you can modify system files to add a nameserver?
04:34 < xamithan> sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
04:35 < xamithan> If you don't have sudo or root access though...
04:36 < patientplatypus> @light - man come on. i have root, i dont have gui cloud access. start from the assumption that i know *maybe a little* about the environment. i dont want to argue about what is and isnt possible to do. i just can't restart the box ok?
04:36 < light> if you have root you can reboot the box
04:37 < patientplatypus> *possible* or i could nuke the environment entirely.
04:37 < patientplatypus> but this temp solution worked.
04:38 < patientplatypus> but weird ... i have no idea why that file was deleted.
04:38 < patientplatypus> hmmmm
04:38 < patientplatypus> docker apparently fucks it sometimes
04:39 < xamithan> I'm not even sure how the normal services like that work in docker,  dnsmasq or systemd-resolve services takes care of that file
04:50 < BeastyBSD> hi people i need help with a allied telesis at9924t l3 switch
04:53 < BeastyBSD> my problem it's that i need to make that five vlans with different subnets /28 on network 192.168.10.0/24 use one ip addr inside switch as gateway
04:54 < BeastyBSD> i mean every subnets will use the switch ip as gw, that's could be possible to do?
09:35 < regdude> Does anyone know if by standard (R/M/PV)STP should work in QinQ (802.1ad) setups? Can't find anything why it shouldn't work
09:39 < Gollee> it should work
09:44 < regdude> Gollee: have you used a similar setups anywhere?
10:08 < Apachez> how many of you are utilizing per-packet loadbalancing over ECMP/LAG links?
10:11 < regdude> LACP
10:12 < Phil-Work> Apachez, yes
10:18 < Gollee> Apachez: I haven't heard anything good about it, usually per flow or based on ip/mac hash is more consistent
10:29 < Apachez> Gollee: Im not after rumours but rather reallife experience :)
10:29 < Apachez> like a regular file transfer you have buffers on receiving end so packets arriving out of order shouldnt be too much of a problem
10:29 < Apachez> unless they arrive with like seconds out of order
10:30 < Apachez> looking at some ix stats many seem to already utilizing per-packet loadbalancing
10:37 < mAniAk-_-> doubt it
10:37 < Gollee> running voip and per-packet loadbalancing is asking for trouble, I don't know what network you run though. I just don't see any good coming from possibly causing out-of-order packet delivery, what do you gain from per-packet loadbalancing really?
10:37 < mAniAk-_-> you think you can tell that from an ix graph?
10:38 < regdude> TCP
10:39 < mAniAk-_-> not like its hard to test this either if you want to
11:07 < Tazmain> wow, I really hate cisco umbrella, it blocks 1.1.1.1 dns queries and proxies. Unless that is just how it was setup here
11:07 < Gollee> 1.1.1.1 proxies? what's that?
11:07 < Tazmain> 1.1.1.1 dns
11:07 < Gollee> you said 1111 dns and proxies
11:08 < Gollee> 1.1.1.1 only does dns, not proxies afaik
11:08 < Tazmain> yes dns , and proxy
11:08 < Tazmain> so query to 1.1.1.1 and any access to a proxy
11:11 < Tazmain> what kind of internal dns had 40 open ports
11:11 < Tazmain> with 88 as kerberos-sec
11:19 < Apachez> Gollee: the gain from per-packet is to better utilize available links
11:19 < Apachez> imagine you got 8x1G and per-packet enabled
11:19 < Apachez> this way a single flow/session can push 8G
11:19 < Apachez> with per-flow a single flow can only do 1G
11:20 < Apachez> and if you are unlucky two flows are hashed into the same physical link so now you are down to 0.5G
11:20 < Apachez> while the other physical links remains unused
11:20 < Apachez> it seems like vyos/vyatta/edgeos defaults to per-packet for ecmp
11:20 < Apachez> same goes for some other vendors
11:21 < Apachez> so other than VoIP who wants pakcets within 10-30ms (depending on codec) are there any other reallife scenarios where this really matters?
11:21 < Apachez> I mean a modern box today have plenty of receive window buffer
11:21 < Apachez> so if the packets arrived 1, 2, 3 or 1, 3, 2 shouldnt really matter since packet no2 is in the RX buffer in both cases
11:25 < Gollee> "If too many packets are received out of order, TCP will cause a retransmission of packets similar to what happens with dropped packets."
11:25 < Gollee> how is that ever a good thing?
11:28 < jurislav> anyone experienced issues with consumer skype accounts, when more than 2 people join a call, the audio quality decreases rapidly? i mean, can that be a network issue at any of the 3 places?
11:28 < jurislav> esp. if the side that was heard OK, was suddenly heard very bad, once 3rd participant joined..
11:32 < veegee> Hey guys, what's the special name (if any) for ethernet cable whose outer insulation is more tightly wrapped around the twisted pairs?
11:33 < Gollee> shielded maybe?
11:33 <+xand> more tightly than what
11:33 < Phil-Work> veegee, you mean the thin stuff?
11:33 < veegee> such that you can see the  bumps of the twisted pairs over the insulation
11:33 < veegee> I'm not sure that it's thin, I just like that kind of cable
11:33 < veegee> the opposite would be having too much space between the insulation and the wires inside and therefore too much play
11:34 < veegee> it's not wrapped tightly enough around the twisted pairs so it looks like smooth insulation
11:36 < veegee> Let me give you an example. Here's a pic of the smooth one whose insulation is loose: http://www.pccableworld.com/images/cat6_1.png
11:38 < veegee> And here's an example of a cable whose insulation is tight: http://www.webro.com/wp-content/uploads/2014/02/Webro-U.UTP-Cat6-Cable-1024x275.png
11:39 < veegee> You can see the bumps from the twisted pairs inside on the cable insulation itself
11:43 < Apachez> Gollee: define "too many"?
11:43 < Apachez> is it when packet no2 arrives 2 hours later?
11:43 < Apachez> then yeah I get the point
11:44 < Gollee> Apachez: http://www.jacn.net/vol3/170-E012.pdf I found that
11:44 < Apachez> but if packet no2 arrived 0.001ms after packet no3, how is that an issue since packet no2 will be in the RX buffer once the stack wants to process it?
11:45 < Gollee> unfortunately, I don't know. I tried reading the PDF I sent you but I kept losing interest
11:45 < Apachez> veegee: the standard defines how many twins per inch you are supposed to have
11:45 < Apachez> I have never seen any tp cable with less twinning (or more) than what the standard defines
11:45 < Apachez> what you do have is various shielding
11:45 < Apachez> where either the full cable can be shielded or a single pair
11:45 < Apachez> or both
11:45 < Apachez> and the method to shield either foil or a meshed net
11:46 < Apachez> S = meshed net, F = foil
11:46 < Apachez> so S/FTP means (if I recall it correctly) each pair is shielded with a meshed net and then the whole cable is shielded with foil
11:46 < Apachez> there is also S/STP, F/FTP and F/STP
11:51 < veegee> I'm talking about purely UTP
11:52 < veegee> one of my cat 6 cables seems to hug the twisted pairs inside harde
11:52 < veegee> I like that because it feels a bit more stiff
11:53 < Apachez> ?
11:53 < Apachez> perhaps that vendor used the same machine as for the cat7 cable?
11:53 < Apachez> but then later only verified it for cat6 and stamped a cat6 mark on the cable?
11:53 < Apachez> usually the higher cat's have more twists and more distance between the pairs etc
12:17 < zamanf> hello
12:17 < zamanf> I would like to find a firewall for windows that can be equivalent to iptables
12:18 < zamanf> iptables -A INPUT -p udp -s 1.2.3.4 -m length --length 100:1000 -j DROP for example set rules in this art
12:18 <+xand> good luck with that.
12:28 < Reventlov> Does linux subsystem for windows can run iptables? :D
12:41 < easy_ref123> is there a command I can run to see which interface packets for IP N.N.N.N are sent through?
12:43 < Kryczek> easy_ref123: route
12:54 < MarkusDBX> I've used authssh and reverse tunnels to for have various servers out on the open internet contact a central hub of mine, and I then use that hub to connect to the various ssh, since then no server needs to expose their ssh ports. Is this a good approach?
12:55 < MarkusDBX> I contact the servers having auto-ssh'ed and forwarded their ports, by using just local host on the "hub"
12:55 < light> And when that single point of failure goes down?
12:56 < Kryczek> MarkusDBX: the hub has the SSH port open?
12:59 < MarkusDBX> Kryczek: yes, but not the standard port, and also each of the "nodes out in the open" contacting it, has their IP whitelisted.
13:00 < MarkusDBX> light: currently it's single point of failure, but I can just shell into the various nodes through their various vps providers also. But two hubs, wouldn't hurt, yes.
13:01 < Kryczek> MarkusDBX: it is not a bad approach but may I suggest one that I believe is even better: OpenVPN (to the central hub and/or not) since it does not have to run as root like OpenSSH but you can reduce its privileges to the minimum with the user/group/chroot/setcon options, and to solve the single point of failure I add a Tor hidden service protected by the HidServAuth option
13:02 < MarkusDBX> Kryczek: thanks for the feedback
13:02 < Kryczek> and for machines that require me getting on a plane to go fix in case SSH dies or something, I add telnet-ssl :P
13:03 < Kryczek> ...with both client & server certificate authentication
13:03 < MarkusDBX> Kryczek: I got all these on various vps providers, so I can always shell that way
13:04 < Kryczek> nice
13:05 < MarkusDBX> Kryczek: I mainly use ssh, since it's often not as filtered as openVPN, think traffic filters from 4g rate limit and such.
13:05 < MarkusDBX> mobile providers limiting vpn
13:05 < Kryczek> really?
13:05 < MarkusDBX> it happens
13:05 < Kryczek> I believe you, just hadn't heard of it
13:05 < Kryczek> VPNs on phones are common for business use
13:05 < MarkusDBX> vpn is promoted and common
13:05 < MarkusDBX> also advertized to gamers and what not
13:06 < MarkusDBX> ssh is more rare
13:06 < MarkusDBX> so rarely filtered or limited
13:06 < Kryczek> is it that they block port 1194 for example, or they actually have heuristics detecting OpenVPN traffic?
13:06 < MarkusDBX> depends on provider
13:07 < MarkusDBX> thats my reason anyways =)
13:07 < Kryczek> I have my OpenVPN accessible on all UDP and all TCP ports, then I connect with whatever works / whatever I feel like using (e.g. UDP port 4500 to make people think it's IPsec :P )
13:07 < Kryczek> but having it at least on TCP 443 should be enough
13:10 < MarkusDBX> Kryczek: good advice
13:10 < MarkusDBX> I might consider open vpn.
13:11 < MarkusDBX> the tor advice was also solid
13:11 < MarkusDBX> thanks
13:12 < Kryczek> :)
13:13 < Kryczek> MarkusDBX: is there a vps provider your would particularly recommend? I don't really need one, but I've been curious about using one if it's really cheep
13:13 < Kryczek> cheap*
14:20 < regdude> Anyone knows a popular protocol that uses 01:80:C2, I know LLDP, 802.1x, STP, but there must be other widely used ones
15:05 < peter111111> hello folks
15:05 < peter111111> anybody familiar with skolelinux (debian)
15:05 < peter111111> ?
15:06 < shtrb> DebianEdu and #debian might have some users
15:34 < foo_> When I'm capturing packets in Wireshark, how do I find all ICMP requests with certain source and destination IPs? When I enter just "icmp" I get all of them. How to specify src? Typing "icmp src host ..." etc. doesn't work.
15:35 < kottt> i think you want icmp && src host
15:35 < kottt> you're combining two filters
15:37 < Sout> icmp && ip.src_host == 192.168.1.1 and nice connec foo____
15:39 < foo_____> Sout: Thanks, and thanks, lol.
15:40 < Sout> tobe fair kottt answered it first but you dced :D
15:41 < kottt> =(
16:26 < hiya> There is email server running on a Windows PC with static IP, when I setup VPN client on it. My friend wishes to exclude email server from VPN
16:26 < hiya> How is that possible?
16:28 < tds> hiya: you likely want to do policy routing; have two routing tables with one having a default gateway over the vpn and one over the local gateway, add marks to smtp connections (could just do it based on port), and have traffic with the mark use the second routing table
16:28 < hiya> tds, all this on windows is possible?
16:28 < Phil-Work> hiya, what type of VPN?
16:28 < tds> ah oops, sorry, I was assuming linux
16:29 <+xand> > email server
16:29 <+xand> > windows PC
16:29 <+xand> oh boy
16:29 < tds> ah, I'm an idiot, completely missed in the first message that it's "running on a windows pc"
16:29 < tds> but yeah, email server = linux in my mind ;)
16:29 <+xand> that's a sane mind tho
16:32 < Smallville> hello folks
16:40 < paradis> Is there any free secure VPN for me?
16:40 < paradis> is hola safe?
16:41 < Thebe> Hola allows others to user your system as a gateway. Definetly not ideal.
16:41 < Thebe> Secure and free are a difficult combination, imho
16:41 < paradis> imho?
16:41 < Thebe> In my humble opinion
16:41 < paradis> lol
16:44 < Smallville> paradis: watch this video about free VPNs it's really informative https://www.youtube.com/watch?v=vDbPjgXstHg
16:45 < regdude> nothing is free, just the payment is in different form
16:46 < Smallville> regdude: yes, usually it's in the form of personal info
16:46 < Smallville> like facebook
16:46 < paradis> what about opera vpn browser?
16:46 < Smallville> paradis: please stay away from VPNs, they're more trouble than they're worth
16:47 < paradis> okey
16:47 < Smallville> from "free" vpns
16:47 < regdude> if you do need to protect your traffic or access blocked content, then use a paid VPN, they are so cheap these days or hack a server and use it as a VPN
16:47 < regdude> though you will be in for a surprise
16:48 < Smallville> Use PIA
16:48 < Smallville> wait for a deal, when the prices drop
16:48 < Smallville> it happens every few months
16:48 < Smallville> they also don't keep logs and have decent speed
16:51 < Smallville> can you guys help me figure out an alternative for the IP phone service I have? I work for a company that pays a local voip phone service monthly, but we're having issues with the phones disconnecting
16:58 < Smallville> What’s the best voip service to have?
16:59 < hiya> Phil-Work, OpenVPN but built-in L2TP or IKEv2 is also an option
16:59 < hiya> Sorry for late
16:59 < hiya> tds, no problem
17:00 < regdude> your own VoIP...idk, I set up one here for LAN use
17:01 < qman__> I've had good luck with vitelity in the past, but if you'e getting poor service it's most likely your local internet loop
17:01 < qman__> Which won't be fixed by changing voip providers
17:56 < jarlopez> Is there a tool for measuring baseline TCP throughput on loopback with fixed buffer sizes?
17:57 < jarlopez> (currently on Debian)
17:59 < Poster|n> iperf?
18:02 < jarlopez> Poster|n: Aha, that is perfect. Thanks :)
18:12 < Poster|n> =D
18:24 < Smallville> qman__: hmm
18:26 < Smallville> regedit: i'm not too familiar with voip, how do you assign a phone number to the voip network? You still have to pay a service provider for a phone number, right?
18:27 < Phil-Work> Smallville, depends which country you're in
18:28 < Smallville> USA
18:29 < Smallville> pretty sure you have to pay for a phone number anyway
18:29 < Phil-Work> so yes, you take a "SIP trunk" or similar from a telco and they provide numbers on that
18:29 < Smallville> might as well let that service provider manage the voip
18:29 < Smallville> pbx
18:29 < Phil-Work> usually best
18:29 < Phil-Work> (says the guy who works for a VoIP telco)
18:30 < Smallville> you do?
18:30 < Phil-Work> I do
18:30 < Smallville> cool. you like it?
18:30 < Phil-Work> it's alright, as IT goes
18:30 < Phil-Work> pretty diverse in terms of techologies - better than, for example, the web hosting stuff I was doing prior to this
18:31 < Smallville> I prefer to work with domains and computer networks. it's more fun for me
18:31 < Phil-Work> we have networks ;)
18:31 < regedit> Smallville: you probably meant another re<tab> here in the channel?
18:32 < Smallville> ?
18:32 < regedit> "12:26 PM <Smallville> regedit: i'm not too familiar with voip...."
18:32 < hiya> Phil-Work, any suggestions?
18:32 < Phil-Work> I believe it was for regdude
18:33 < Phil-Work> hiya, oh - sorry. Got distracted
18:33 < regedit> 👌
18:33 < Smallville> probably was
18:33 < Phil-Work> if the OpenVPN server pushes routes to the clients, it can also push route exclusions
18:33 < Phil-Work> e.g. route 1.2.3.0/24 except 1.2.3.4/32
18:33 < Phil-Work> (that's not the right syntax)
18:35 < Sarah8086> Hello
18:37 < Sarah8086> I have two questions: 1) Is the WPA 4-way handshake same as WPA2 4-way handshake? 2) In the 3rd step of the 4-way handshake, how is the GTK protected against being sniffed by an attacker?
18:38 < cthulchu> guys, what VNC do you use to connect from Windows to MAc?
18:38 < mAniAk-_-> Phil-Work: a route exclusion?
18:39 < Phil-Work> uhu
18:40 < mAniAk-_-> that would just be another route
18:40 < hiya> Phil-Work, Yes, I will try it
18:40 < Phil-Work> mAniAk-_-, that's what the client does with it, yes
18:42 < mAniAk-_-> weird terminology, but whatever
18:42 < Phil-Work> yes, that was my terminology rather than OpenVPNs
18:42 < Phil-Work> push "route 1.2.3.0 255.255.255.0"
18:42 < Phil-Work> push "route 1.2.3.4 255.255.255.255 net_gateway"
18:42 < Phil-Work> that's the syntax
18:43 < mAniAk-_-> it's just a more specific route
18:43 < Phil-Work> indeed
19:07 < LiquidatorBrunt> sup networks
19:07 < test1337> soup
19:07 < chrustler> sup bru
19:09 < LiquidatorBrunt> how does Lets Encrypt verify you own a domain?
19:09 < DoctorDick> DNS
19:09 < DoctorDick> You can use a txt record too
19:09 < LiquidatorBrunt> so the DNS record needs to be configured before you try and get a cert?
19:09 < tds> ^ they can do dns-01 where they confirm a txt record is in place, or http-01 where they make a http request to a specific url and confirm the get the right reply
19:10 < electricmilk> Whats the best free network monitoring software that has SNMP v3 capability?  I'm using Spiceworks and quite disappointed.
19:10 < LiquidatorBrunt> and they are trusting that, if the A record matches the IP address from where you are running the client, it's you?
19:13 < tds> LiquidatorBrunt: no, they make a http connection to that IP and verify that you return the right file (for http-01)
19:14 < Phil-Work> electricmilk, Zabbix is alright
19:14 < electricmilk> Phil-Work,  I don't need anything fancy.  Only need to monitor like 12 devices
19:14 < electricmilk> if that
19:15 < Phil-Work> Zabbix isn't particularly fancy
19:16 < electricmilk> awesome thanks
19:18 < electricmilk> Phil-Work,  Is it a terrible idea to run Zabbix from a fairly decent workstation that is always left on?
19:19 < electricmilk> Our server is old as hell but about to upgrade.  Was thinking I just run it on my workstation for the time being
19:19 < d3r3k> Does macOS have a built in IPv4 tunnel thing or something? I'm on a IPv6 only network, and for some reason macOS claims that it's possible to connect to my IPv4 VPNs... (it doesn't work though.)
19:25 < electricmilk> Ah crap it looks like Zabbix is Linux only
19:26 < DoctorDick> Put it in a VM
19:26 < d3r3k> Anyone have suggestions for a tool to NAT a IPv6 subnet to a IPv4 subnet?
19:27 < d3r3k> Guess it's NAT46 I'm trying to do?
19:27 < Dagger> most v6 subnets are far too big to NAT into a v4 subnet of any size
19:29 < d3r3k> Dagger: I could map a /96 into a /0, no?
19:30 < electricmilk> DoctorDick,  Wont that eat up a lot more processing, disk space, and memory than just using a Windows based Network Monitoring Tool?
19:30 < Dagger> I guess, but what are you trying to do?
19:30 < Dagger> connecting to v4 hosts from a v6-only network would be done by mapping the v4 space into a /96, not the other way around
19:31 < d3r3k> Dagger: i'm at a CTF event where they only provide a IPv6 network; a lot of pentesting tools only support IPv4.
19:32 < d3r3k> I was going to use socat for each individual host to provide IPv4 to each IPv6 host, but that's a lot of manual work.
19:32 < DoctorDick> electricmilk, No?
19:32 < d3r3k> Dagger: Is there such a thing as like NAT46?
19:32 < Dagger> oh... well. time to start hacking on the tools then, or getting better ones :)
19:33 < Dagger> tayga can do NAT46 for individually-configured IPs
19:33 < Apachez> or look how the other scriptkiddies does it at this CTF event =)
19:33 < d3r3k> Apachez: socat :)
19:33 < d3r3k> Dagger: orly? :D Thanks, lemme look into tayga again. Is nat-pt similar?
19:36 < DoctorDick> electricmilk, my debian container only uses 45 mb
19:36 < d3r3k> my DOS uses less.
19:36 < electricmilk> ah ok
19:36 < Dagger> I guess it must be similar. but that's a Cisco thing, isn't it? so meh
19:37 < sla3k> I have a weird situation here, there are 4 machines on the same network, and h1, h2, h3, h4; h4 has a static IP set, h1 and h3 can ping it and access h4 but h2 cannot, they are on the same network though, makes no sense
19:37 < Dagger> (also RFC 4966)
19:37 < SporkWitch> TFW your ISP's website 404's on "/"
19:37 < d3r3k> Dagger: where do you see TAYGA supporting NAT46?
19:39 < Dagger> "map" directive, IIRC
19:39 < d3r3k> Dagger: would I have to restart the service every time I need to add a new host?
19:39 < djph> sla3k: firewall in teh way?
19:40 < d3r3k> Dagger: hmm, is it DNS46 that I'm probably looking for?
19:40 < Dagger> it probably needs a restart. like I said, individually-configured IPs
19:45 < d3r3k> Dagger: hmmmmm.... I'm debating if I should try to write my own DNS46 server tonight/tomorrow morning.
19:46 < Dagger> https://packages.debian.org/jessie/net/tnat64 <-- there is also this thing
19:47 < d3r3k> Dagger: how is that NAT64? Isn't that NAT46?
19:49 < Dagger> it's bump-in-the-API, to allow accessing v4 hosts via a NAT64 with AF_INET sockets
19:49 < Dagger> maybe not the best name they could've picked, but still
19:50 < d3r3k> Dagger: it's providing IPv4 access to IPv6 servers, isn't that "46"?
19:51 < Dagger> there are no v4 packets being generated though, so not really NAT46
19:52 < d3r3k> oooh. So it's not really NAT64 either, since there's no "4" involved :p
19:52 < d3r3k> okay, so I think it's going to be the most fun to implement a DNS46 and NAT46 server quickly :p
19:52 < Dagger> but there is a NAT64 service involved somewhere in the background :p
19:53 < Dagger> just not implemented by that particular bit of software
19:55 < d3r3k> so I need two little services: one that's a DNS server for A->AAAA, and then that needs to inform another service about the 4->6 mapping.
19:58 < d3r3k> Dagger: heh, just found out about 464XLAT..
19:59 < zeldafan78> Lately, both YouTube and Twitch have been buffering and buffering constantly. My own connection is 100/100 fiber, but I use a VPN. Could this be related to "net neutrality" somehow and how my video streams don't get prioritized because they go through the "dirty" VPN?
20:00 < Dagger> ...right, that's also a thing. apparently it's also a thing that I have a hard time remembering exists :/
20:00 < zeldafan78> Fucking unwatchable. :/
20:00 < zeldafan78> It seemed to start just after I paid for a full year in advance.
20:00 < d3r3k> Dagger: I'd only want half of it though, not sure how trivial it would be to the 4XLAT part...
20:01 < d3r3k> *to remove the 4XLAT part
20:06 < sla3k> djph: not really, I've checked that already.
20:07 < dionysus69> hey all
20:07 < dionysus69> can't nmap -p somePort hostIP a guest VM from my host
20:08 < dionysus69> I am using a bridged adapter for connection, I can ping the guest, but cannot access the port
20:08 < dionysus69> guestIP I meant
20:13 < d3r3k> Dagger: oh nice, there's a golang project for OVS! https://github.com/digitalocean/go-openvswitch/tree/master/ovs <- I'm thinking I can make a DNS46 server that simply adds a new route for each DNS request.
20:14 < shtrb> is it normal to employ "connection has timeout" on forbiden sites ? (couldn't understand why I can see anything with fb/twitter .. on a corporate net only later to be told there is a new anti social rule that interrupt traffic )
20:15 < Sout> my work firewall, inserts a warning page saying this paged is blocked for reason xyz
20:16 < shtrb> That it was like before, but that slow approach is just amazing
20:17 < Sout> hmm we must have the same firewall. As know im just getting time outs shtrb
20:17 < shtrb> lol
20:17 < shtrb> fortigate ?
20:17 < Sout> I think so.
20:17 < shtrb> it did start this morning
20:17 < shtrb> :D
20:18 < Sout> know i have to ask do you happen to work in ottawa canada?
20:18 < shtrb> no
20:18 < Sout> ah k. I would have laughed really funny if we were on the same network :D but yeah i know the vpn i connect to is a fotigate.
20:20 < WishBoy> what channel can i ask about ransomware?
20:20 < shtrb> victim or developer ?
20:20 < WishBoy> victim
20:21 < WishBoy> my customer
20:21 < shtrb> assume all lost, restore from backups, assume any "smart applience" had been hacked
20:21 < WishBoy> shabius some ransomware can be decrypted
20:21 < d3r3k> Sout: do you have the WPA2 enterprise stuff deployed yet?
20:21 < chrustler> they can all be, isn't that the point?
20:22 < chrustler> if it's really ransomware that is
20:22 < shtrb> WishBoy, forget decrypt , if you pay / decrypt it does not mean it will not hit you again and this time worse
20:22 < Sout> I'm just an end user of this system. d3r3k.
20:22 < d3r3k> Sout: the fortigate stuff is so useless, Windows itself can do IPSec... nobody in the city seems to know what group policies are.
20:23 < d3r3k> Sout: well, do you have wireless as an end user yet? :p
20:23 < shtrb> d3r3k, fortigate make it look intellectually chalenged  easy
20:23 < Sout> the vpn, is interesting. woot not letting user save there passwrods.
20:23 < d3r3k> Sout: probably cached on disk somewhere knowing them.
20:23 < shtrb> miraculous auto replace , removed the word `stupid
20:24 < d3r3k> Sout: e.g. crash dumps with memory to extract from
20:24 < shtrb> Sout, why are using fortinet vpn and not some foss client ?
20:24 < d3r3k> shtrb: because his employer doesn't know IPSec is already included in Windows.
20:25 < d3r3k> and wants to pay a vendor to provide a worse solution but say they "support" it.
20:25 < d3r3k> oh and it needs to be in French.
20:25 < shtrb> vu application merde ?
20:25 < shtrb> 'applicasion
20:25 < tuppabox> hey i would need help with apache anyone here?
20:27 < Sout> shtrb, because good luck finding one on linux.
20:27 < shtrb> Sout, shrew ? racoon ?
20:27 < shtrb> openswan ?
20:28 < Sout> and d3r3k I work at a small start up and technially our IT is done thew the people we rent the space from. ie we have next to 0 control over it
20:28 < Sout> those work with fortinet?
20:29 < d3r3k> Sout: oh. Thought you were working for the large employer.
20:29 < d3r3k> Sout: you kanata or downtown?
20:29 < shtrb> depending on the config, but yes, Fortinate even give you  explanation how to use openswan
20:29 < Sout> kanata :D
20:33 < kottt> client wants to 'block all vpns' on our simple stateful firewall. no DPI, nothing fancy, just wants to shut down the ports. sigh...
20:34 < d3r3k> inb4 they want to block all UDP.
20:35 < shtrb> Sout, http://kb.fortinet.com/kb/documentLink.do?externalID=11835 http://kb.fortinet.com/kb/documentLink.do?externalID=FD33774
20:35 < shtrb> kottt, can you afford to block access to cloudflare and amazon (because of domain fronting)  , UDP and  ICMP ?
20:36 < HEROnymous> kottt, I hear lots of vpns run on port 443/tcp.  I recommend blocking that first.
20:36 < shtrb> also have a script that will try to connect to any server someone try to connect to 80 , 443 and check if there is sslh running
20:36 < shtrb> 443 will do a lot of harm (no https)
20:37 < HEROnymous> clearly they don't care - they just want to block "all vpns" by closing ports.
20:37 < shtrb> checking for sslh and domain fronting (blocking)  is a good way
20:37 < Sout> thanks shtrb will take a look.
20:37 < detha> HEROnymous: easy. block all ports, both tcp and udp, and you have blocked all vpns
20:37 < shtrb> Sout, that are just two options , I do not know your config but fortinet are good with complaince in their docs
20:38 < shtrb> detha, and then someone uses ICMP tunnel
20:38 < shtrb> !whitelist
20:38 < shtrb> no factoid for whitelist ?
20:38 < detha> shtrb: don't tell them, in case I need to work from there
20:39 < HEROnymous> detha, there ya go, now you're thinking
20:39 < detha> besides, they said 'block ports'. ICMP no can haz ports
20:39 < HEROnymous> right?
20:39 < Sout> it's easy to block all vpns. just cut the ethernet line </trollface>
20:39 < shtrb> lol , let's hope they do not don't use fortigates new and amazing feature , we don't block stuff we make it SO slow that your browser go to lunch
20:40 < shtrb> and then someone uses his phone line as a dialup servoce
20:40 < shtrb> *service
20:40 < HEROnymous> I've gotta write an email response to someone who thinks all vpn protocols are compromised and that changing his system's mac address every time he reboots improves his privacy, and that we blocked him because of his changing mac address (which we'd never see because internet.)
20:41 < shtrb> HEROnymous, I do not know where your client lives , but MAC address and IMEI are begining to be registered ... so he does have a point if hes from Turkey or far east
20:42 < HEROnymous> still doesn't cross layer3 boundaries
20:43 < HEROnymous> and if someone is "registering it" then changing it once when you buy the system should be sufficient
20:43 < turtle> he's got a point of view from the jive turkey
20:43 < turtle> all my vpns are hacked so i deleted all my routes and you guys broke my internet help
20:43 < shtrb> He does not know that ... (also ipv6 can be constructed using a MAC , so are some ISP providered routeres leak macs back to the provider )
20:44 < shtrb> :D
20:44 < shtrb> forget the IPV6 comment , I need coffee
20:48 < eahm> it will be logged for your grand children to see
20:48 < shtrb> Grandma I have found your old address ...
21:00 < biax_> anyconnect ocserv complains: main: TCP wrappers rejected the connection (see /etc/hosts->[allow|deny])
21:00 < biax_> i suppose i need to add something to hosts.allow
21:01 < biax_> any idea how to add it? i suppose 443 : something.... but im not very sure how. i havent found much google results
21:01 < BenediktXVII> Hello everybody. Is there a tool in Linux to mask my public IP when connecting to a remote server through the command line ?
21:03 < Aeso> BenediktXVII, what you're asking for is a VPN, not a tool.
21:04 < shtrb> BenediktXVII, vpn/proxy/socks/ssh etc
21:04 < Aeso> Consider: If you spoof your source IP address, how would the remote server know where to pass your traffic back to?
21:05 < BenediktXVII> Aeso: I will go through VPN then. It's for a stress test on a server I am maintaining.
21:06 < Aeso> BenediktXVII, you'll want to choose your VPN provider carefully. A lot of them rate limit common DDoS attack vectors for obvious reasons.
21:07 < BenediktXVII> Aeso: I suppose so indeed.
21:07 < biax_> tcp wrappers is so damn annoying
21:07 < BenediktXVII> Aeso: TOR ?
21:08 < shtrb> BenediktXVII, you could find some skiddies to ask for a DDOS to do a stress test
21:08 < BenediktXVII> shtrb: skiddies ? :p
21:09 < shtrb> think of brats, but with enough time to run some scripts
21:10 < BenediktXVII> Just need to find them skiddies now ... :)
21:10 < shtrb> just post , I built an amazing system you will never be able to hack it :D
21:10 < shtrb> or DDOS it
21:11  * shtrb plays die hard music and imagine an old cop with a card board get's into the right hood
21:13 < BenediktXVII> shtrb: any idea for a channel or forum ?
21:13 < shtrb> no
21:14 < shtrb> BenediktXVII, but if you will post stuff like that , expect to get hit by a crowd of packets that will come as a hail storm from all directions, and when you think it ends it will start again
21:16 < BenediktXVII> nice
21:16 < BenediktXVII> the server sits behind a dmz, a hard firewall and a soft firewall
21:31 < zeldafan78> Do you never get tired of perpetuating this bullshit lie about "script kiddies" who supposedly can launch DDoS attack to the left and right?
21:31 < zeldafan78> No such thing exists.
21:32 < shtrb> ha ?
21:32 < turtle> there are definitely a couple of them
21:33 < shtrb> You know what is the best way to get the correct answer on stackoverflow ? Write a wrong one . which to get a free DDOS boast about your unbrakable system
21:34 < joro_> hi guys, how can i check what version of Apache a web uses ?
21:34 < shtrb> joro_, HEAD to the server
21:34 < joro_> it gives just the Apache
21:34 < joro_> nothing more
21:34 < shtrb> I meant HEAD http command
21:35 < Aeso> zeldafan78, skiddies don't build botnets, they buy time on other people's botnets to DDoS with mommy's credit card
21:35 < joro_> shtrb, i do that with telnet to port 80
21:35 < shtrb> ah ok
21:35 < Aeso> not all DDoS attacks are launched by skiddies, but certainly some of them are
21:35 < Apachez> Gollee: http://www.cl.cam.ac.uk/~as2330/docs/reorder.pdf   https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt   tcp_reordering   tcp_max_reordering
21:37 < shtrb> joro_ , try to access a forbiden oage (it might have the version there
21:38 < joro_> sorry, what do you mean by forbiden page ?
21:39 < shtrb> forbidden anything that will give you a 403 result
21:41 < joro_> name or service not known
21:42 < Llama052> alright guise, whats a free serial client that can space out large pastes so it doesn't fuck the output? Putty aint cutting it
21:43 < shtrb> Llama052, nc ?
21:43 < shtrb> ssh
21:43 < joro_> minicom
21:43 < Llama052> shtrb: serial
21:43 < shtrb> oh feces , you need "serial"
21:43 < joro_> Llama052, minicom
21:44 < shtrb> minicom or socat
21:47 < joro_> how noisy is sU in nmap guys ?
21:47 <+catphish> i need to have a little chat with my neighbour about bandwidth: https://i.imgur.com/HkItoQa.png
21:47 <+catphish> also, sky, this is quite an antisocial default configuration
21:47 < shtrb> catphish, the shared single account ?
21:48 <+catphish> shtrb: no, look at the image
21:48 < shtrb> I have seen , who needs their own wifi range anyway
21:48 <+catphish> they have somehow managed to consume the entire 5GHz spectrum with one SSID
21:49 < shtrb> The fun part would be if that it's a faulty router that does not work anymore
21:49 <+catphish> 2.4GHz is fine: https://i.imgur.com/HiopWn8.png
21:49 <+catphish> and weirdly a BT and Sky are different ISPs, i have no idea why he'd have CPEs from both
21:54 < shtrb> MOFO , I was able to log in blindly #@%@ (some genious manged to disable the screen and I remember where on screen should be the user / pwd input menus )
21:55 < shtrb> sorry , had to choose a better place to share
22:05 < HEROnymous> I'm becoming an msp for msp's
22:05 < HEROnymous> little msp's without their own infrastructure are leasing infrastructure from me and it's awesome.
22:08 < drathir> mornin/evenin...
22:09 < drathir> catphish: lol nice graph ^^
22:10 <+catphish> HEROnymous: sounds like a special kind of hell
22:10 <+catphish> i did that very briefly, then threw my toys out of the pram because i got fed up of spam and fraud
22:10 < HEROnymous> catphish, actually not bad for the most part
22:11 < HEROnymous> oh yeah we're pretty exclusive to where we don't really attract that sort of stuff, and the msp's we work with are the sort who deal with small local businesses
22:11 < HEROnymous> so I enforce some sane security rules on them and things run pretty smoothly
22:11 <+catphish> that's not too bad then
22:12 <+catphish> we just accepted signups from the world because we had no particular funnel of trusted customers
22:12 < HEROnymous> we've tried mass marketing to the mass market... got nothing out of it, waste of money
22:13 < HEROnymous> so instead we've been focusing on developing local relationships and stuff
22:13 < HEROnymous> which has worked out very well, along with throwing more and more value adds at customers as they come to trust us
22:14 < drathir> btw 4x4 mu-mimo looks nice...
22:18 < ironpillow> hi all, noob question: what do you call when ipaddress+prefixlen are together: 192.168.0.1/24. thanks!
22:20 < grawity> the /prefixlen notation is called "CIDR notation", but I'm not sure if the whole combination has a specific name
22:21 < ironpillow> cool. the reason I am asking is because I am trying to name a variable which is a string "192.168.0.1/24"
22:23 < HEROnymous> I'd just call it the cidr
22:23 < HEROnymous> kind of a shorthand thing, but common
22:23 < ironpillow> got it. makes sense :)
22:23 < grawity> or just "address" tbh
22:24 < ironpillow> I want indicate that the string not only contains an address but also prefix
22:24 < ironpillow> length
22:25 < spaces> is there a network my are allowed to messup ?
22:41 < Gambit15> Hey guys
22:42 < Gambit15> With regards to LACP/Link-Aggregation & load-balancing, is the ingress port defined as the individual physical port, or the aggregated VIF?
22:43 < Aeso> Gambit15, depends on your vendor
22:43 < Aeso> and what context
22:43 < patientplatypus> hi guys
22:43 <+catphish> from what i've seen, the aggregated vif
22:43 <+catphish> once ports are bonded, i've never seen the raw ports used for anything
22:44 < Gambit15> For example, traffic going from LAGG 1 to LAGG 2, would the ingress hash count just the VIF, or the LAGG member it was transmitted from?
22:44 <+catphish> but technically it may be vendor dependent
22:44 < spaces> Gambit15 what do you need ?
22:44 < Gambit15> Just trying to work something out
22:44 < spaces> tell us what
22:44 < patientplatypus> im using a ravello instance and im finding that i'm getting 502 Bad Gateway request every time i try and either http in or out of the collection of Ravello instances
22:44 <+catphish> my money'd on VIF, but you should test or RTM to be sure
22:44 < spaces> or is it a secret ?
22:44 < Gambit15> This particular stack is HP 5130s
22:44 < grawity> in some switches the VLANs get configured on the raw ports
22:45 <+catphish> spaces: what are you talking about? his question was quite clear
22:45 < spaces> catphish depends on vendor but I think both can be possible
22:45 < grawity> always fun to find out that *half* the LAGG ports are missing a vlan
22:45 < spaces> catphish we don't have any good info
22:45 <+catphish> spaces: sure, but your reply was "odd"
22:45 < spaces> grawity depends on vendor as well
22:45 < spaces> catphish you know we share love ;)
22:46 < spaces> I'm not that bad
22:47 < Gambit15> On the note of VLANs, I read today that VLANs (other than the default) are only supported in static mode or with a certain function enabled/disabled
22:47 <+catphish> yeah, it's messy if things are configured on the raw ports :(
22:47 <+catphish> i always configure vlans the same on both to be extra sure
22:48 < spaces> indeed
22:48 < spaces> and is also nicer when you make it a single one later on
22:48 < spaces> but some vendors remote the tag when it's a lag
22:48 < spaces> lagg
22:48 < Gambit15> IIRC, when I configure VLANs on the LAGG, the switch configures the members
22:49 < Gambit15> Not sure what happens if you add a member after that though
22:50 < Gambit15> Come to think of it, I don't know what that doc was talking about. My LAGGs are all a mix of tagged, untagged, & hybrid
22:53 < Gambit15> Anyway, re the original question, "the ingress port is *probably* the VIF, but it's worth checking".
22:53 < Gambit15> Cheers chaps!
23:06 <+catphish> Gambit15: you're welcome, good luck
23:15 < Apachez> Gambit15: hashalgo is performed before physical interface is selected for the particular frame
23:16 < Apachez> usually it takes available physical links and use that as divider
23:16 < Apachez> so if you got like 4x10G and link no2 goes poff (and you are left with 3x10G) then the loadsharing will be on the remaining 3 links
23:25 < Gambit15> Apachez, I was referring to the load-sharing algorithms
23:26 < Apachez> Gambit15: what about them?
23:27 < Apachez> in comware5 there two settings
23:27 < Apachez> one for L2 links and one for L3 links
23:27 < Gambit15> These switches only support XORs for the src-dst MACs & IPs, which is a problem between my streaming server & reverse proxy, all connections are sent over a single link
23:27 < Apachez> I use this for my comware boxes:    link-aggregation load-sharing mode destination-ip source-ip destination-port source-port
23:28 < Leonarbro> hey networking guys, any of you have a favorite cloud storage provider?
23:28 < Apachez> that was for 5820
23:28 < Apachez> the command for 5120EI goes: link-aggregation load-sharing mode destination-ip source-ip destination-port source-port
23:28 < Apachez> so I dunno why comware7 on 5130 should have changed that
23:28 < Gambit15> Apachez, in my case, all of the packets are between the same two servers, as everything is routed through my proxy
23:29 < Apachez> you do this in the global system-view
23:29 < zeldafan78> Hmm...
23:29 < Gambit15> I'm trying to see if I can configure the proxy to round-robin outbound IPs
23:29 < Gambit15> (nginx)
23:30 < zeldafan78> The only possible way that any e-mails are gonna get delivered seems to be to do a "double opt-in" mechanism, where SOMEHOW, people "express their interest" in my e-mail list and then get a verification e-mail that they need to click on some link or reply to it in order for the subscription to be complete, but how in the hell do you get people to do that?! Back to square one...
23:31 < Gambit15> It's interesting, the switch shows source-port as an option in the global load-sharing config, but it says the hardware isn't supported when I try to use it
23:31 < Gambit15> source-port would be perfect
23:31 < zeldafan78> And don't tell me "by offering something for free if they subscribe to the mailing list", because I've given away stuff forever without anyone wanting it.
23:32 < zeldafan78> (Or knowing it exist in the first place.)
23:32 < zeldafan78> *exists
23:33 < Gambit15> zeldafan78, did you harvest these recipients from some marketing list, or did they activley register with you?
23:34 < Apachez> Gambit15: which hardware?
23:34 < Apachez> like that productid JD938 or whatver its named
23:34 < Gambit15> HP 5130
23:34 < Apachez> and which firmware?
23:34 < Apachez> no
23:34 < Apachez> thats the family name
23:34 < cthulchu> dudes, MAC is not propagated outside, right?
23:34 < Apachez> if you look at the front there is small tag saying something like JE884  or JC123   or whatever
23:35 < cthulchu> it gets overwritten every time for a TCP/IP packet
23:35 < Gambit15> 5130-24G-PoE+-4S        5130-3207-US
23:35 < cthulchu> so, like, if I'm a website, I can't get a user's mac
23:35 < Gambit15> cthulchu no
23:35 < cthulchu> unless it's deliberately collected and put in tcp packet
23:35 < Gambit15> Not from the network at least
23:36 < cthulchu> okay, thanks, thought so
23:36 < cthulchu> people claim to be banned by mac on the web
23:36 < cthulchu> weird
23:36 < Gambit15> Probably more like some sort of OS/browser "fingerprint"
23:36 < Apachez> Gambit15: HPE 5130-24G-PoE+-4SFP+ EI ?
23:36 < Apachez> so JG936A
23:37 < cthulchu> yes
23:37 < Gambit15> Apachez that's the one
23:37 < Apachez> https://h10145.www1.hpe.com/downloads/SoftwareReleases.aspx?ProductNumber=JG936A
23:37 < Apachez> latest firmware is 5130_EI_7.10.R3208P03-US
23:38 < Apachez> so not much of a difference but I would still recommend installing the latest
23:42 < Apachez> http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c04771730-4.pdf
23:44 < Apachez> link-aggregation global load-sharing
23:44 < Apachez> mode { destination-ip | destination-mac
23:44 < Apachez> | destination-port | ingress-port |
23:44 < Apachez> source-ip | source-mac | source-port } *
23:45 < Apachez> so you should be able to type (while in system-view with enough of previleges):
23:45 < Apachez> link-aggregation global load-sharing mode destination-ip destination-port source-ip source-port
23:46 < Apachez> and do NOT set this on a particullar BAGG
23:46 < Apachez> because if you do then you can only choose from destination-ip, destination-mac, source-ip, source-mac
23:46 < Apachez> so leave this empty on the BAGG
23:46 < Apachez> and the BAGG will use the global setting
23:46 < Apachez> and tada!
23:47 < Apachez> now your lacp/bagg will loadbalance on the combo of srcip+dstip+srcport+dstport
23:53 < Gambit15> Indeed, source-port specifically would be the perfect solution, however whilst available, it's apparently not supported
23:53 < Gambit15> "The load sharing mode is not supported because of hardware limitations."
23:53 < Gambit15> ^^ anything including port based filtering
23:54 < Apachez> are you sure you are in global mode (system-view) when you type this?
23:54 < Apachez> and not on the bagg interface itself?
23:55 < Gambit15> The default is "packet-type", however I've not been able to find any details on that is exactly. Regardless, it doesn't seem to be balancing things evenly very well
23:56 < Gambit15> Yes, that's in global mode. In interface mode, it only gives the options for IP & MAC based filtering
23:56 < Apachez> file a complain with the support :)
23:56 < Gambit15> global mode show port & ingress, although I've not tried ingress yet
23:56 < Apachez> according to the manual there is no word of that that port wouldnt be supported
23:57 < Gambit15> Yeah, I know, I've been through it a couple of times now :/
--- Log closed Fri May 18 00:00:24 2018