--- Log opened Fri May 18 00:00:24 2018
00:06 < spaces> Apachez is your network still gay ?
00:11 < electricmilk> Jeez. I apologize for keep disconnecting
00:11 < electricmilk> If it happens again I'll stop reconnecting
00:16 < Apachez> spaces: my packets are always gay
00:22 < cthulchu> do you guys think IP is a personally identifiable information?
00:22 < varesa> sounds like GDPR :p
00:22 < cthulchu> yeah
00:23 < cthulchu> I'm in a meeting. we're deciding what to do with the data
00:23 < cthulchu> more like what to hide
00:24 < cthulchu> I mean, GDPR is ridiculous
00:24 < cthulchu> but it's in Europe.
00:24 < cthulchu> North America is smart enough to watch and learn first
00:24 < varesa> I mean from the perspective of the end user it is a good thing but from the admin side it can be a pain
00:25 < cthulchu> I don't think if it's good
00:25 < cthulchu> it seems good from an uneducated perspective
00:28 < Gambit15> Going from piracy court cases, I'm not sure it's entirely agreed. I've seen outcomes both where the IP has been accepted as an ID of the user, other times when it hasn't
00:28 < varesa> I mean I might not agree with all the fine details but the basic principles are good if you ask me
00:28 < Gambit15> I don't think keeping IPs for logging purposes would run afoul though
00:30 < varesa> https://eugdprcompliant.com/personal-data/
00:30 < varesa> according to that page: "The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant."
00:31 < cthulchu> we decided just to encrypt all names, addresses and phones
00:31 < varesa> so unless you can explain the logging with something like security logs / audit trail then you probably shouldn't collect them without permissions
00:32 < djph> That's entirely contradictory to the two immidately previous sentences
00:32 < varesa> them = IPs
00:32 < djph> great logic there
00:32 < cthulchu> ahahah
00:32 < cthulchu> we don't even consider IP to be PII
00:32 < djph> ^
00:32 < cthulchu> to the hell with GDPR.
00:32 < cthulchu> let it boil
00:33 < djph> I mean "it's personal information so long as the ISP was subpoena'd"
00:33 < cthulchu> right!
00:33 < cthulchu> good point
00:33 < djph> well, given that *they have to be subpoena'd* in order to make it "personally identifiable" (and even there, llolololol NAT)
00:33 < cthulchu> ahahahahah
00:34 < varesa> exactly this is the part that makes GDPR a mess, nobody knows what is the correct interpretation of this stuff
00:34 < cthulchu> I wish they thought about a subject before judging
00:34 < cthulchu> and deciding
00:34 < cthulchu> it's more politics and less service to the public
00:34 < electricmilk> Ah much better.  Darn Opera's built-in VPN kept disconnecting me from Freenode
00:35 < electricmilk> Should I add a dmarc setting if using O365?
00:35 < djph> I mean, okay, so the ISP finds out that 192.0.2.127 (some mall) downloaded $bad_stuff on $date ... and then they have to go and ... it was uh, uhmmm, uhh, the MAC address 09:F9:11:02:9D:74
00:36 < electricmilk> mail-tester.com is saying I should add a txt record for v=DMARC1; p=none
00:36 < varesa> https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
00:38 < djph> GDPR in short -> "We have no fucking clue how to behave 'on the internet'"
00:39 < electricmilk> Also what are optimal RDNS settings to try and make an IP as transparent as possible?
00:39 < electricmilk> Does an IP even need to have an RDNS setting?
00:40 < djph> Seriously, I don't get it.  We get brought up our entire lives "don't talk to strangers", "don't take candy from the creeper in the van", "watch out for your friends so they don't get roofie'd" ... and we can't fucking apply the same goddamn though-processes to "on the internet".  I don't want to live on this planet anymore.
00:42 < electricmilk> Is it simply best practice to  have no RDNS entry? Wonder if the ISP will allow that
00:46 < Gambit15> electricmilk for email, yes, PTR helps
00:46 < electricmilk> No email
00:46 < electricmilk> Not anymore
00:46 < electricmilk> Switched to O365
00:47 < Gambit15> Well the DMARC stuff is also only relevant for email
00:47 < Gambit15> Probably just recommended settings for using exchange
00:48 < electricmilk> Gambit15,  I have SPF and DKIM set...Microsoft never recommended a DMARC change.
00:48 < varesa> DMARC seems like it would be still relevant with O365, no?
00:48 < electricmilk> I suppose it would hurt to add v=DMARC1; p=none
00:48 < electricmilk> That I don't know
00:48 < electricmilk> I did a mail-tester.com with another O365 server and they have identical settings.
00:49 < electricmilk> Also the RDNS settings don't resolve correctly..for both O365 instances
00:49 < varesa> irrelevant of what is handling the mail some recipients will want to see SPF, DKIM and DMARC
00:50 < electricmilk> Ah okay. Thank you.  I'll add v=DMARC1; p=none
00:55 < electricmilk> Seems useless to use p=none though
00:55 < electricmilk> Perhaps I should implement p=quarantine
01:05 < Gambit15> Apachez: So just for a test, I enabled src-dst IP based balancing & set off 6 servers to grab a 4GB file from my proxy. It still only maxed out a single member of the BAGG
01:07 < Gambit15> I'm actually impressed, it got to 993Mbps on a Gbit interface! But still, not the desired outcome :/
01:35 < likcoras> I have a setup that routes all traffic through an openvpn server. From the looks of it, when I try to do too many connections through the vpn, it dies on me, no errors anywhere (that I could find at least).
01:36 < likcoras> What should my next steps be to verify exactly what causes my connection problems and start trying to address it?
01:36 < likcoras> For one, trying to torrent eg. linux ISOs will immediately just kill my connection unless I severely limit the download speed.
01:36 < HEROnymous> by "dies" do you mean the vpn session dies, or the openvpn process?
01:37 < HEROnymous> openvpn can be configured to log problems.  I'd say figure out the config you need to log what you want, then watch the logs that it generates.
01:37 < dw1> weak DNS server?
01:37 < dw1> try 1.1.1.1
01:38 < likcoras> Dies, as in no errors absolutely anywhere, the connection just comes back on after ~30 seconds (and dies again if the torrent is still running)
01:38 < dw1> i had similar issues with my crappy ISP DNS
01:38 < likcoras> It's not the DNS, I get packet drops.
01:39 < likcoras> and torrenting should not trigger DNS lookups, anyway. I do have an unbound server forwarding to 1.1.1.1 and co., has not given me trouble ever, at least from what I can notice.
01:39 < likcoras> HEROnymous: I guess higher verbose?
01:44 < HEROnymous> likcoras, yeah I generally use pfsense to manage openvpn configs for me so I don't know the specifics off the top of my head, but I know you can get it logging more.
01:44 < HEROnymous> are you connecting to openvpn from behind a nat ?
01:44 < HEROnymous> could be that whatever's doing the nat is taking a dump with all that udp traffic or something.
01:48 < likcoras> Just did some rudimentary testing before restarting with verbose, as low as 4 tcp connections  (curl speedtest.server...) disconnects me after ~30 seconds.
01:57 < likcoras> Hrm.
01:57 < likcoras> Server side: Fri May 18 08:56:06 2018 us=404618 ram/$client-public-ip MULTI: bad source address from client [192.168.0.2], packet dropped
01:58 < likcoras> client: Fri May 18 08:56:09 2018 us=359791 PID_ERR replay-window backtrack occurred [42] [SSL-0] [000000000000000000000000000000000__________000000000000000000000] 0:26706 0:26664 t=1526601369[0] r=[-4,64,15,42,1] sl=[5,64,64,528]
01:58 < likcoras> No idea how to interpret this.
02:00 < likcoras> Ah, I'll try tuning --replay-window. Fingers crossed...
02:00 < chendricks> hi guys - is it possible to see what connects to the vpn I use? for example, when I use a vpn I don't see any track of udp connections as when I dont use it
02:30 < likcoras> HEROnymous: it got fixed! I think. I still see some occasional errors, but packets are no longer dropping. ... and my connection dropped just as I was writing this.
04:35 < Peng_> Is it possible to contact AWS's NOC? Without a $xxxx support contract?
04:36 < Peng_> If so how? :D
04:46 < tds> Peng_: if you run your own network, they have contact details available on peeringdb
04:47 < Peng_> I don't. :<
04:48 < Peng_> It would be easy to contact either of the ISPs affected, but I don't want to give up :P
04:48 < Peng_> easy to contact the ISPs and ask them to contact Amazon*
05:42 < BeastyBSD> hi team i need help with layer3 switch allied telesis
06:43 < ibn-batot> hi
07:17 < zrx> eyo's
07:25 < WizJin> 12
07:25 < GenteelBen> WizJin: you take that back.
07:26 < WizJin> haha
08:50 < GenteelBen> I really wish my router's web login page didn't 1) list the router company name, and 2) list the router OS version
08:51 < GenteelBen> :|
08:53 < Roq> You can probably configure an accesslist on the specific webinterface port
09:01 < GenteelBen> This is for home use, Roq. I'm only concerned with access over the WAN port.
09:01 < GenteelBen> Good news: it has 2FA
09:01 < GenteelBen> Bad news: 2FA applies to both LAN and WAN logon attempts (I'd only want 2FA for WAN connections).
09:02 < mAniAk-_-> why would you wan to expose it on wan
09:02 < Roq> Can you close access to the webinterface on the wan port and connect via VPN or something?
09:02 < Roq> You dont want it publicly open
09:02 < GenteelBen> I'm just playing around with it, until I decide which VPN service to pay for.
09:03 < GenteelBen> Web interface is disabled already over the WAN - I think it's disabled by default anyway.
09:03 < GenteelBen> I guess I'm complaining about nothing. There is an option to strip all branding from the router logon page, but IMO it should be debranded by default.
09:13 < Atro> its funny that "cur" means ass in romanian, and hp switches  have  "display cur"
09:13 < Atro> hehehehehehehehehehehehe
09:17 < Apachez> Gambit15: contact support, according to the manual it should work and no hardware limitations
09:45 < easy_ref123> Hi. Trying to understand basic switch configuration.
09:45 < easy_ref123> http://termbin.com/peqo
09:45 < easy_ref123> Do the configuration snippets in the link above align with the descriptions I've given of them?
09:45 < Phil-Work> easy_ref123, no
09:46 < Phil-Work> an access port (0/1) doesn't accept tagged traffic
09:46 < Phil-Work> it simply puts all traffic it receives on vlan 123
09:46 < Phil-Work> it also doesn't tag traffic that it sends
09:46 < Phil-Work> what you say about the trunk port (0/2) is fine
09:48 < easy_ref123> Phil-Work, thanks.
09:49 < easy_ref123> Couldn't all the traffic that port (0/1) receives, be put onto the LAN rather than the VLAN, to achieve the same thing?
09:50 < Atro> into the what now
09:50 < Atro> easy_ref123: there's Access and Trunk, Access does not encapsulate VLAN ID, Trunk Does
09:51 < Atro> So switchport access vlan 123, means all untagged traffic coming through that port, gets tossed into vlanid 123
09:51 < Atro> switchport trunk allowed vlan 123, means all TAGGED traffic with vlanid 123, gets tossed into vlanid 123
09:52 < easy_ref123> thanks
09:54 < Phil-Work> easy_ref123, everything is a VLAN on a managed Cisco switch - if you don't set a VLAN specifically on a port, it goes into the default VLAN (1 I think??)
09:54 < Atro> ye its 1
09:54 < Atro> 0 for for juniper
09:56 < regdude> and juniper forwards everything across the network with VLAN 0 or does it only keep this VLAN ID internally?
09:58 < Atro> regdude: only internally
09:58 < ibn-batot> what is the easist simulator for learning networks ?
09:58 < Atro> ibn-batot: you can use packet tracer
09:59 < ibn-batot> it is not generic in addition it cannt simulate manet
09:59 < regdude> ok, then all good
09:59 < regdude> GNS3 seems to be the most popular "simulator"
10:00 < easy_ref123> So switchport access vlan 123, for port (0,1), would drop frames that arrived tagged with vlan id 123
10:01 < easy_ref123> (because it's Access and only accepts untagged)
10:01 < Atro> easy_ref123: drop frames that arrive with ANY tag
10:02 < Atro> be 1-4096
10:03 < regdude> internally all switches should look for 0x8100 tag after SRC-MAC address in a packet. If it is anything else, it is untagged
10:03 < regdude> except, of course, if you switch to 802.1ad
10:05 < ibn-batot> does any1 have the tetcoss network simulator "netsim"?
10:34 < r0n0x> heyo
10:35 < r0n0x> i have a question, i wanna get an Asus AC87A
10:35 < r0n0x> do fakes exist and how do i verify if what i buy is a fake?
10:36 < r0n0x> AC87U*
10:36 < Phil-Work> buy it from a reputable retailer and you'll be fine
10:37 < ibn-batot> does any1 have the tetcoss network simulator "netsim"?
10:38 < r0n0x> reputable retailers sell it for heaps
10:38 < r0n0x> im buying one off ebay second hand
10:39 < r0n0x> possibly considering from china
10:39 < hyperair> if you can't tell the difference, does it matter? :)
10:39 < hyperair> </westworld-reference>
10:39 < r0n0x> this is in case i can tell the difference
10:39 < r0n0x> but need to prove it
10:39 < ibn-batot> does any1 have the tetcoss network simulator "netsim"?
10:39 < ibn-batot> plz help me guys
10:39 < ibn-batot> i need that sim urgently
10:39 < hyperair> r0n0x: can't you just open a dispute with ebay?
10:39 < mardraum> hyperair: that doesn't look like anything to me.
10:40 < r0n0x> yes, but not unless i can prove anything
10:40 < ibn-batot> hyperair mardraum r0n0x
10:40 < hyperair> ibn-batot: no
10:41 < hyperair> r0n0x: well some considerations are the first three octets of the mac address, which are specific to vendor
10:41 < hyperair> r0n0x: apart from that i don't think there's a reliable way of telling the difference. just play spot the difference with it and just look for discrepancies
10:42 < hyperair> r0n0x: i would think that the webui would be the most likely bet -- cheap chinese clones are likely going to have shitty english
10:42 < hyperair> r0n0x: and at the end of the day, if you can't tell the difference, then it doesn't matter so just enjoy your cheap but good router :)
10:43 < r0n0x> well, i wanna install openwrt on it too
10:43 < hyperair> ah
10:43 < hyperair> does openwrt support it?
10:43 < r0n0x> i guess if it cant that might be a giveaway
10:43 < r0n0x> yes
10:43 < r0n0x> very well so
10:43 < hyperair> interesting, i didn't think that there were any asus routers supported by openwrt
10:43 < hyperair> afaik you needed asuswrt
10:43 < r0n0x> eh, same thing isnt it?
10:43 < hyperair> which was a modified version of the stock asus firmware
10:43 < hyperair> no
10:43 < hyperair> asuswrt is based on the stock asus firmware. it's got no relation to openwrt
10:44 < r0n0x> oh
10:44 < r0n0x> well, for this one it has support
10:45 < r0n0x> ah shit
10:45 < r0n0x> theres some issues it seems
10:46 < r0n0x> ah well, its still a kickass router
10:47 < r0n0x> what features might asuswrt and openwrt not share?
10:47 < hyperair> r0n0x: everything
10:47 < hyperair> the whole config mechanism is different
10:47 < hyperair> the webui is different
10:47 < hyperair> every feature that's of a higher level than the linux kernel is different
10:47 < r0n0x> so, i cant use password protection?
10:47 < hyperair> what's password protection?
10:47 < r0n0x> or  change my ssid name?
10:47 < r0n0x> lol
10:47 < hyperair> lol
10:48 < hyperair> you mean wpa passwords?
10:48 < r0n0x> when you put a password on your wifi
10:48 < hyperair> you can do that in stock
10:48 < r0n0x> you said they dont share functions
10:48 < hyperair> everything you can do in stock firmware you can do in asuswrt too
10:48 < r0n0x> ok, so, what else then can asuswrt do that stock cant?
10:48 < hyperair> okay more specifically, they don't share the same implementation of functions
10:48 < hyperair> i forgot
10:49 < hyperair> i wasn't too happy with asuswrt so i largely ignored it and turned it into a dumb accesspoint
10:51 < zrx> Got a pfsense question. I am not able to connect to https sites. Is this because of my certificate authority?
10:51 < r0n0x> im just curious about what i could do with asuswrt that stock firmware doesnt support, or, is asus stock firmware pretty full of features?
10:51 < hyperair> stock has quite a number of features
10:51 < r0n0x> one thing specifically i want to do is ban access to a certain IP address
10:51 < hyperair> oh whoops asuswrt is stock
10:52 < hyperair> https://www.asus.com/ASUSWRT/
10:52 < r0n0x> my current shitbox router seems to support it but doesnt enforce it
10:52 < hyperair> asuswrt-merlin is the one i was talking about: https://asuswrt.lostrealm.ca/
10:52 < hyperair> https://asuswrt.lostrealm.ca/features <-- features page is here. see for yourself
10:52 < r0n0x> also theres IP logging, i was hoping for, to aquire said IP
10:52 < r0n0x> ty
10:53 < hyperair> i'm pretty partial to tp-link routers, personally
10:53 < hyperair> they tend to run really well with openwrt
10:53 < hyperair> cheap and good chinesium equipment
10:54 < linux_probe> tp-stink =p
10:54 < r0n0x> i rather like asus
10:54 < r0n0x> havent been let down so far in mid range but good value for money
10:55 < r0n0x> dd-wrt is supported too, but maybe i wont have to use anything
10:56 < hyperair> pfft dd-wrt
10:56 < r0n0x> is it not good? or probably worse?
11:04 < zrx> I've been looking all around. Can't seem to connect to an https website cleanly since installing PFSense. Is concentrating on the SSL cert what I should be doing? Or is there something else that could cause issues with connecting to https sites?
11:05 < djph> MTU is the usual culprit
11:06 < djph> at least for me (lotta DSL people around here)
11:06 < zrx> i'm using coax
11:06 < zrx> let me try forcing to 1500
11:07 < easy_ref123> VLAN question. Is untagged traffic actually tagged with VLAN ID 1?
11:08 < zrx> ha aha ha!!!
11:08 < detha> easy_ref123: no. it has no tag
11:08 < zrx> I've been on this all later half of the day. Didn't know MTU could have been the issue
11:08 < TotallyNotKim> zrx: it worked I suppose? Get djph a cookie
11:08 < zrx> thanks. much graz from here
11:09 < zrx> testing my other machine...
11:13 < djph> odd that forcing 1500 is the fix, usually here (for DSL) it's 1492 MTU / 1450-something MSS
11:16 < easy_ref123> detha, thanks
11:17 < easy_ref123> is vlan 1 significant in any way?
11:17 < Phil-Work> easy_ref123, depends on the vendor
11:17 < detha> protocol-wise, no. vendor-wise, some vendors will not let you delete vlan 1
11:18 < djph> yeah, it's the one you should never fucking use, because that one vendor does things funny-like, and it WILL bring your network down.
11:18 < easy_ref123> Cisco? I'm looking in a config with the line, "switchport trunk allowed vlan 1, 5, 6, 7"
11:18 < easy_ref123> 5, 6 and 7 are used for application traffic. I'm not sure why 1 is allowed.
11:19 < easy_ref123> The config is autogenerated so it may just be an "artifact"
11:19 < detha> some people put management on 1
11:20 < zrx> back
11:21 < detha> (because there are some stupid vendors that hardcode management to vlan 1, or can only handle vlan1 as default for untagged traffic, or some such nonsense)
12:29 < leafwiz> Hey. I'm sitting here pondering what people use for generating network configs. Do people make their own tool or is there a tool people use more often? I have been googeling a bit, but it seems there is no good answer excpet for the solarwind Network Config Manager
12:30 < chrustler> A horde of higly trained monkeys
12:30 < Roq> I use ansible sometimes
12:31 < Roq> puppet and chef are other alternatives
12:31 < leafwiz> it is kinda simple problem, but when you start to think about variable contraints (eg. vlan ids are integers between 0-4096 ) and stuff like that
12:32 < leafwiz> And how to organize the snippets, how to edit the snippets and stuff around that (eg edit from CLI, or a web gui)
12:32 < leafwiz> yeah, I have been looking into ansible
12:34 < chrustler> OpenDaylight?
12:39 < mAniAk-_-> leothrix: ansible with dynamic inventory and jinja templates maybe?
12:40 <+daemonkeeper> leafwiz: A lot of people built their automation around pyeznc or ansible/salt.
12:43 < leafwiz_> daemonkeeper: cool. oki. I can google that then.
12:44 <+daemonkeeper> If you have a heterogenous environment, or an environment where you also cover serevers the latter two might be better. pyeznc is for Junos only, the more agnostic framework for network devices is NAPALM
12:45 <+daemonkeeper> yada yada: if you care only about network devices use NAPALM, if you have servers or funny stuff salt/ansible. Which is is a matter of preference.
12:45 < mAniAk-_-> you can run napalm through ansible as well
12:46 <+daemonkeeper> But then you still have ansible :p
12:46 < leafwiz_> daemonkeeper: sure. I'm kinda into how people organize their global variables. Do they use a db, or yaml files, do they use some form of constraints on their vars and so on
12:46 <+daemonkeeper> We have a git repo with tons of semistructured textr
12:47 < leafwiz_> Because making the templates seems fine. Its just all of the vars , and the work flow around those
12:47 < leafwiz_> because my team kinda wants it presented in a web-form
12:47 <+daemonkeeper> Both, salt and ansible have that
12:47 <+daemonkeeper> Alreeady included I mean
12:48 <+daemonkeeper> Personally I'd hate that
12:50 < winsoff> Does anyone know of any decent traceroute utils (even browser-based) that will give me at least a geolocation for each hop?
12:50 < winsoff> Also, I just tried the "modern tcp method" given in linux for traceroute, and it still gets filtered by level3's firewall back to my home network. Any tips?
12:50 <+daemonkeeper> A browser based traceroute would be super useless
12:51 < winsoff> daemonkeeper, webrtc?
12:51 < mAniAk-_-> leothrix: should be easy enough to create some django page that can modify yaml files that ansible uses for vars
12:51 < winsoff> I don't see how it couldn't work.
12:52 <+daemonkeeper> It's either server based, which makes it useless or client based which makes it very limited as a lot of traceroute methodologies need privileged operations
12:54 < leafwiz> but yeah, its just how to organize the variable files for ansible I have to figure out I think
12:56 < mAniAk-_-> leothrix: we have platform vars, group/function vars and device specific vars
12:56 <+daemonkeeper> And mAniAk-_- just disclosed why I hate ansible :p
12:56 < mAniAk-_-> :)
12:56 < mAniAk-_-> what choice do we have
12:56 <+daemonkeeper> salt :p
12:56 <+daemonkeeper> ansible's scoping terribly sucks
12:58 < leafwiz> My other thoughts is to just use plain python with jinja for the templates and yaml files for the vars
12:58 < mAniAk-_-> never had a good look at salt
12:58 < leafwiz> To generate the configs
12:58 < leafwiz> and then to use eg ansible or something like that to push them
12:58 <+daemonkeeper> It's the sane version of ansible also based on Python, mAniAk-_- :p
12:58 < mAniAk-_-> daemonkeeper: im sure it has its own insanities :p
12:59 <+daemonkeeper> It definitely has, but these do never ever counter for loops in a yaml dictionary as syntax.
12:59 < mAniAk-_-> maybe next time i start over from zero
13:00 <+daemonkeeper> As soon as you read http://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html your thinking should be ABORT ABORT EJECT
13:03 < mAniAk-_-> nooo, they are "fun"
13:04 <+daemonkeeper> Was it Telia that caused your brainsickness? :p
13:04 < regdude> Anyone is familiar with EtherType 0x9100? Does any switch even support this "compatibility 802.1ad mode"?
13:04 < dionysus69> is it good idea to use https over ssh ?
13:05 < dionysus69> or it doesn't add ANY security over http over ssh
13:05 <+daemonkeeper> It won't hurt at least.
13:05 <+daemonkeeper> Sure it does, you probably mean a SSH tunne
13:05 <+daemonkeeper> tunnel
13:05 <+daemonkeeper> Which means everything behind would be unencryted to the final destination
13:05 < dionysus69> yea, doing a ssh port forwarding
13:05 <+daemonkeeper> Unless you use HTTPS
13:05 < dionysus69> ssh tunnel is encrypting
13:06 < dionysus69> you said unencrepted
13:06 <+daemonkeeper> The SSH tunnel endpoint is not the final destination. It will forward the packet to the actual destination.
13:06 <+daemonkeeper> That part would be unencrypeted.
13:06 < Kryczek> dionysus69: it would be better to use it over a datagram-based tunnel like IPsec or a UDP configuration of OpenVPN, otherwise you have the TCP-over-TCP problem: http://sites.inka.de/bigred/devel/tcp-tcp.html
13:06 < dionysus69> daemonkeeper: the actual destination is also on the same machine
13:06 < dionysus69> you are assuming machine could be compromised?
13:06 <+daemonkeeper> In that case it won't make a difference.
13:07 < easy_ref123> hi, still trying to understand this Cisco config file :)
13:07 < easy_ref123> it has statements, "interface Vlan123", but I can't see the name Vlan123 defined anywhere else in the config
13:07 < dionysus69> ok thanks daemonkeeper Kryczek
13:08 < easy_ref123> I have "vlan 123", followed by "name APPLICATION_DATA", but that's not important as I can tell
13:09 < easy_ref123> I can guess - when I allow a vlan on a trunk, an "interface" is created with name VlanXXX?
13:09 < mAniAk-_-> daemonkeeper: it was tele2
13:09 < mAniAk-_-> daemonkeeper: they didnt use ansible, salt or anything like it :p
13:10 < mAniAk-_-> daemonkeeper: they did buy tailf, but wasnt in production then
13:10 < Phil-Work> easy_ref123, not inherently
13:10 < Phil-Work> the VlanXXX interface is an internal interface on the switch and allows you to give that switch an IP in that VLAN
13:11 < Phil-Work> ordinarily this is used for managing the switch, so you'd only have an IP in 1 VLAN... however layer 3 switches may have an IP in multiple VLANs
13:11 < chendricks> hi guys - is it possible to see what connects to the vpn I use? for example, when I use a vpn I don't see any track of udp connections as when I dont use it
13:11 < easy_ref123> I have something like this
13:11 < easy_ref123> http://termbin.com/nfhj
13:11 <+daemonkeeper> mAniAk-_-: Not sure if that was good or bad news now :D
13:11 < skyroveRR> Hi daemonkeeper :)
13:11 < skyroveRR> daemonkeeper: haven't been seeing you around these days.
13:11 < easy_ref123> Phil-Work, thanks
13:12 <+daemonkeeper> I am 24/7 here.
13:13 < mAniAk-_-> daemonkeeper: hah
13:13 < purpleunicorn> Hey
13:14 < purpleunicorn> Has anyone used cryptocat
13:14 < at0m> nope
13:41 < easy_ref123> can somebody shine some light on what these statements might be for
13:41 < easy_ref123> http://termbin.com/fhaq
13:41 < easy_ref123> ctrl-f "redistribute" in the switch docs yields nothing
13:42 < mAniAk-_-> annonounces static routes and connected networks in bgp
13:42 < mAniAk-_-> in ospf*
13:43 < easy_ref123> thanks
13:43 < easy_ref123> how about the network statement?
13:46 < Roq> The area commands looks a little weird
13:46 < Sepultura> HAlloa
13:46 < skyroveRR> HELLO
13:46 < Roq> easy_ref123: what vendor is that?
13:47 < Sepultura> are ipv6 beginning with fe80 private IP ranges like 192 and 10 in ipv4?
13:47 < Dagger2> Sepultura: no. they're mostly like 169.254/16
13:47 < Roq> the network command tells the device to send hello's out of the interface within the subnet, and places it in an area X. Your area looks like a wildcard mask
13:48 < Sepultura> Dagger2 aren't 169 local?
13:48 < Dagger2> 169.254/16 is link-local, yes. as is fe80::/10
13:51 < Sepultura> Dagger2 I am wondering why my router is not assigning the router a normal IPv6 from my ISP
13:52 < Sepultura> the other devices have a IPv6 :O
13:53 < easy_ref123> Roq, cisco
13:53 < Dagger> that's a bit more of an involved question... but it might be relevant to note that Linux ignores RAs on an interface if forwarding=1 for that interface, unless accept_ra is set to 2
13:55 < easy_ref123> Roq, thanks. It's saying "send hellos out of the interface with IP 10.123.2.1"?
13:56 < easy_ref123> how does the "area 0.0.0.123" effect this?
13:56 < mAniAk-_-> easy_ref123: its just the area id
13:57 < easy_ref123> Why is the ID in dotted quad form, I wonder
13:58 < mAniAk-_-> the area id is a 32bit value, just like an ip is and can be represented in that way
13:59 < easy_ref123> thanks
14:51 < chendricks> have you guys tried using vpn only for 1 specific destination IP?
14:52 < skyroveRR> chendricks: a VPN typically only connects to 1 destination IP/host..
14:52 < chendricks> I am not sure if you understood my question, I will explain better
14:53 <+xand> chendricks: yes you could do that by just routing one IP via it
14:53 < chendricks> xand, preroute it?
14:55 < mAniAk-_-> just a /32 route over the vpn?
15:16 < lavenders> hello, i 'dig' it
15:27 < aruns> Hi, anyone got a good way of identifying the hosting provider for a site? I have been checking the response headers for a few sites I'm testing against, and have been able to identify a few sites' hosting providers that way
15:27 < aruns> But not all hosting providers send a header in the response.
15:28 < aruns> And lookup tools such as dig don't tell me much.
15:28 < flying_sausages> hey guys did anyone ever run into a problem where udhcpd is straight up not printing anything into the standard output?
15:28 < lavenders> with $ dig www.yahoo.com // i get two ips, is this normal, do you know another host?
15:28 < flying_sausages> when using it with -f it just ends immediately, no errors, no logs, no messages, nothing
15:28 < lavenders> 87.248.98.8 and 87.248.98.7
15:32 < detha> lavenders: that is a perfectly normal beast^Wbehavior
15:33 < lavenders> do you have another example hostname?
15:33 < lavenders> noteven dig http//google.com does that
15:34 < detha> pool.ntp.org normally gives a few addresses
15:35 < lavenders> wow thanks 4 even
15:36 < detha> aruns: do reverse lookups in the site's IP address, sometimes that shows it, otherwise check which AS the IP belongs to
15:40 < likcoras> aruns: also whois lookups on the IP addresses.
15:43 < loganrun> I am trying to program a server in python. The server will start a new thread for each connection. The server will mainly send data but will be able to received commands to stop the flow of data or whatever. I am not sure what the best approach is. It seems like setblocking and select apply only at the server level not for each connection.
15:48 < djph> probably best to ask in #python ...
16:17 < rcvu> Hey I am trying to use the ignore.auto-dns option with NetworkManager to simulate offline situation
16:18 < rcvu> but it isn't working as expected
16:18 < djph> in what way?
16:18 < rcvu> It will work when I apply the setting to the device but this is only temporary so best practice is to change the connection
16:18 < rcvu> but this isn't working at all
16:19 < rcvu> Anyone have any experience with this?
16:19 < rcvu> I've tried reloading the connection after making the change and bringing it up and down but no dice
16:22 < lavenders> how do you use wireshark in linux/debian
16:23 < rcvu> Maybe I am not understanding the change *ignore-auto-dns* is supposed to make, but in the docs it says "automatically configured nameservers and search domains are ignore"
16:23 < kuahara> A user in network A is trying to VPN into network B.  The edge router in network A is a Cisco RV320.  The edge router in network B is a SonicWALL TZ600.  The sonicwall is also the VPN endpoint in network B.  The world outside of network A can connect to network B just fine.  No users in network B can connect to network A.
16:23 < kuahara> Anyone familiar enough with the RV320 to know what we might need to be looking at to find out why those users can't connect?
16:24 < djph> first choice would be a firewall rule (Tunnel's up, right?).  Possibly also routing tables.
16:25 < kuahara> I should probably also mention that we are not using any 3rd party software to connect.  Just the built in Windows VPN client.  The windows firewall is turned off and there's no hardware firewall aside from whatever is on by default on the RV320.
16:26 < kuahara> Windows firewall is off just for testing.
16:26 < kuahara> The offices that can VPN in without trouble have their Windows firewalls turned on and I think most even have hardware firewalls like the sonicwall in place.
16:26 < kuahara> And they have no trouble connecting.  Network B is using L2TP/IPSec.
16:27 < kuahara> I can connect to it fine from my work PC and home PC.  It's just these network A users that can't get in.
16:27 < djph> so again, check firewalls and routing at network A.
16:28 < djph> e.g. the cisco is misrouting traffic, or it's blocking VPN, or ...
16:31 < SoniEx2> anyone knows how LTE redirection is supposed to work?
16:35 < marin__> my router firewalll blocks vpn connection,IPsec passthrough and PPPTP passthrough are both checked and it still doesnt work, turning off router firewall seems to enable me to use VPN
16:35 < marin__> please help
16:36 < marin__> i am using openvpn
16:38 < mnemon> marin__: openvpn doesn't need those passthroughs, it should work as long as you can establish a TLS connection to the port
16:38 < mnemon> so probably the firewall is just blocking the destination port?
16:38 < pekster> mnemon: openvpn uses a single UDP port for all traffic, so there's not usually anything special you need to do when making an outbound connection to a server. Are you using the "multi-client" mode, or the stateless PSK (pre-shared-secret) mode for openvpn?
16:39 < pekster> Or are you acting as the server here?
16:39 < kiokoman> marin__: default port for openvpn is 1194 , u probably need to open it on the firewall
16:40 < pekster> For inbound yes, but if this is an outbound connection there should be no need to open anything on properly configured stateful firewalls
16:40 < marin__> I am using it as aclient
16:40 < pekster> Is your egress (outbound) firewall policy permissive of both TCP and UDP traffic, and configured to "keep state" to accept return traffic that your internal clients initiated?
16:41 < pekster> Also, make sure your VPN server pushes (or your client sets) a --keepalive or --ping value in order to keep the UDP state open
16:42 < pekster> If the server is yours, seeing your server config might help (the full config, but redact any inline private keys you may be using)
16:42 < kiokoman> idk, my default firewall policy is to block all out/in if not specified
16:42 < pekster> That's not usually a good design unless you _really_ know what you're doing
16:43 < marin__> wait i need to reconnect
16:43 < marin__> i am currently connected to it
16:43 < marin__> *without firewall
16:44 < marin__> i have software firewall but iam not sure if it helps mutch
16:44 < patarok> hi
16:45 < patarok> what does a "search www.somedomain.com" do in resolv.conf
16:45 < pekster> Often client-side firewalls, either from the OS or a 3rd party vendor, need to be told to permit client applications to make (or accept) connections. Depends on the firewall settings really
16:45 < patarok> ?
16:45 < marin__> strange, it seems to work now
16:45 < pekster> patarok: Sets that as a search domain suffix for unqualified host names, like "somehost" would try to look up "somehost.www.somedomain.com" before asking for the more unlikqly FQDN of "somehost."
16:47 < pekster> Often the search suffix list is supplied by DHCP, but there's usually a way to tell your DHCP client to ignore it if you don't want that
16:49 < patarok> thank you guys...
17:04 < c_cinap> laptop repair
17:05 < marin_> ok it seems that irc is using a port that my firewall blocks
17:06 < marin_> so my router firewall basiccly blocks irc and vpn
17:06 < marin_> https://www.manualslib.com/manual/1176643/Technicolor-Tc7200-20.html?page=48#manual
17:07 < djph> if your router is blocking on inbound connections that're related to something else, the router's screwey (NOTE though that if you turn on the firewall, it won't necessarily have conntrack entries; so you have to reconnect)
17:07 < kuahara> djph, so I got on and completely turned off the RV320 firewall.  Still no dice.
17:08 < djph> kuahara: o_O
17:08 < djph> routing?
17:08 < LegalDrokz|PI> several switches are logging frequent (every 20 - 40 sec) STP topology changes, what could be causing that?
17:09 < djph> STP topology changes
17:09 < kuahara> There are no additional rules setup under advanced routing.
17:09 < Phil-Work> lol
17:09 < djph> probably one of the ports is flapping
17:09 < marin_> So what should i do, foward 1194 port so ican use vpn and foward other port for irc chat?
17:10 < djph> no
17:10 < LegalDrokz|PI> djph yes that is also being logged
17:10 < LegalDrokz|PI> genious
17:10 < marin_> or i can just turn it off and use software firewall?
17:11 < LegalDrokz|PI> there is a Cisco AP on that port
17:13 < Aeso> LegalDrokz|PI, so there's either a problem with the cable or the AP. Test each individually.
17:13 < LegalDrokz|PI> ive disabled bdpuguard and portfast on the AP port
17:16 < marin_> Does router firewall block irc and vpn ports. Is this normal or is it just my router?
17:16 < LegalDrokz|PI> its probably the AP thats going bad, Cisco WAP 321 crap
17:22 < SoniEx2> nvm I think I figured it out
17:25 < LegalDrokz|PI> it was a newer AP actually
17:25 < LegalDrokz|PI> an HPE Aruba IAP305
17:26 < LegalDrokz|PI> it's probably the patch connection
17:34 < kuahara> Is there another, easy-to-setup and run with VPN option I can use instead of this L2TP connection that seems to get stopped at the door by the RV320?  On network B's end, I have the sonicwall TZ600 and a Windows server at my disposal.
17:34 < jim> is there a way I could get a true/false (or something) where I get true if my host is running ipv6 addresses on the interface with the default route, or false if it's running ipv4?
17:34 < kuahara> That easy to setup bit is critical as it'll be for a customer and I won't be maintaining it.
17:36 < Dagger> jim: that's an underspecified question -- there's no such thing as "the default route"
17:36 < skyroveRR> Dagger: o.O
17:36 < batch> default via 192.168.1.1 dev enp0s25 proto static
17:36 < batch> isn't that the default route
17:36 < Dagger> you can have zero or more default routes for v4, and the same for v6
17:36 < batch> xD
17:37 < skyroveRR> Dagger: that's something new for me, care to enlighten a bit? :)
17:37 < Dagger> no, that's *a* default route for v4. you might have more of them, and you made no mention of any v6 default routes
17:38 < djph> Dagger: explain how "zero" default routes is going to work
17:38 < tds> you just need two /1 routes ;)
17:39 < Dagger> it doesn't affect the basic packet routing algorithm. if there's no matching route then the packet is presumably dropped
17:39 < jim> I'm expanding an existing program that generates iptables rules which taken together form a masqing firewall... and I need a way to know whether I should be generating iptables of ip6tables rules
17:40 < batch> jim what program is it to generate iptables?
17:40 < jim> it's an old package that used to be in debian called ipmasq
17:41 < jim> it's a bunch of scripts
17:42 < jim> batch, I put my copy on github if you want to see it
17:42 < batch> yes plz j
17:42 < batch> yes plz jim
17:42 < jim> ok
17:43 < jim> let me find it :)
17:43 < batch> allrighty
17:44 < jim> it includes everything you need to build the debian package
17:44 < Dagger> you'd need to generate both if both are in use (is there even much of a reason not to just generate both all the time?)
17:45 < Dagger> but remember it's also possible to have default routes pointing out of different interfaces, e.g. on a system where v6 is provided via a tunnel
17:45 < jim> Dagger, probably not... and, I'm just starting on this, and I don'[t know much about ipv6 yet
17:45 < Dagger> or v4, for that matter (hello DS-lite)
17:46 < jim> let me find the git repo
17:47 < jim> found it, now let me see if the remote is set up properly, or if I have to look somewhere else
17:48 < jim> hmm, I see one at gitlab, but I don't think that's the latest code
17:49 < batch> what project is it?
17:49 < batch> or is it own code?
17:49 < jim> no, someone else wrote it then abandoned it
17:50 < jim> I grabbed it from an old version of debian and I've been keeping it running at home
17:50 < kiokoman> marin_: home router with firewall usually don't block outgoing traffic by default
17:50 < batch> oh ok nice jim
17:50 < batch> tell me when you have it
17:51 < jim> I found one from 2016 at gitlab, but that's not the latest code... you see, it has helper scripts that used to parse ifconfig, and I wrote versions of them that parse ip instead
17:52 < jim> so I didn't find the right repo yet, it must be on my gateway box
17:52 < batch> i could really use some iptables generator lol
17:54 < Dagger> ferm is nice, however it has some minor annoyances that make dual stack firewalls more of a pain than they should be
17:54 < jim> ok, I found it, let me get the public repo clone address
17:55 < Dagger> or there's nftables, which seems to have a pretty similar syntax to ferm
17:55 < jim> what's nice about nftables is they made an iptables conversion layer :)
17:56 < jim> so I didn't have to write whole new sections for nftables (and, I was going to until I found out about the conversion layer)
17:56  * batch not impressed
17:56 < batch> xD
17:57 < batch> i mean about nftables then
17:57 < jim> in later kernels, iptables is actually -gone- and just nftables and the conversion layer remains
17:59 < jim>  go to this url and see if you see the github page: https://github.com/jwlynch/ipmasq
18:01 < batch> allright looks nice jim thx!
18:01 < jim> welcome
18:02 < jim> if you're interested in how the helper scripts changed from ifconfig to ip, look in the helper-scripts dir, also it's the latest work, clone it and look at git log
18:04 < jim> if you want to build a debian package, look in debian/control and install the build depends, then...
18:04 < jim> fakeroot debian/rules clean
18:04 < jim> fakeroot debian/rules build
18:04 < jim> fakeroot debian/rules binary
18:04 < jim> look in ..
18:05 < jim> you have to be in the top level dir when you do that, you'll see a dir debian with the rules and control files there
18:05 < batch> oke nice
18:06 < batch> it'll make rules into a file?
18:06 < batch> or just directly run the command?
18:06 < jim> the rules file is actually an executable make file
18:06 < batch> cause i kinda want to make it and transport the rules in a file via scp to another distro maybe
18:07 < jim> which one?
18:07 < batch> ah hmmm
18:07 < batch> ubuntu but hmm
18:07 < batch> maybe that'll be no issue idk?
18:07 < batch> and maybe centos aswell
18:08 < jim> it will build on ubuntu just fine :) just install the build depends and you'll be fine
18:08 < batch> but centos using firewall-cmd aswell bleh
18:08 < batch> ah nice
18:08 < jim> (because: ubuntu is a debian deriv)
18:08 < batch> sweet thx
18:08 < electricmilk> When hosts are behind NAT using port address translation it uses unregistered TCP ports.  How come a port scan never shows these ports as open.
18:08 < jim> but centos is not, you'd have your work cut out for you
18:08 < batch> electricmilk maybe because icmp is disabled?
18:09 < batch> via iptable rules then or so
18:09 < electricmilk> It is but why would that mater?
18:09 < batch> icmp is ping
18:09 < electricmilk> sure but...
18:09 < batch> yeah hmm idk
18:09 < likcoras> Is there some service similar to canyouseeme that works for ipv6?
18:09 < electricmilk> If I scan my WAN IP I see the open ports I've forwarded
18:10 < electricmilk> But I don't see the port address translation ports even though I'm scanning all 65,535
18:10 < batch> ooh
18:10 < electricmilk> Not sure why denying pings would matter
18:10 < batch> damn i rememberd that some time ago
18:10 < tds> electricmilk: only established connections will be allowed
18:10 < batch> to change from filtered to open
18:10 < electricmilk> They don't even show as filtered in nmap
18:10 < tds> so random new tcp connections from other IPs and source ports will just be rejected/dropped
18:10 < electricmilk> ah I see
18:11 < electricmilk> Anyway to tell if my PAT ports are close to being exhausted?
18:11 < tds> what kind of router is this? linux?
18:11 < electricmilk> SonicWALL TZ500
18:11 < tds> ah, not a clue in that case
18:11 < electricmilk> I have a block of IP's and want to see if its worth my time to setup a NAT pool
18:12 < electricmilk> I know how to do this on Cisco but on SonicWALL...not so much
18:12 < electricmilk> Perhaps I'll just call them
18:12 < electricmilk> You'd think the logs would tell you if the ports are exhausted
18:12 < batch> how would you fix it on cisco electricmilk
18:13 < electricmilk> I'd implement a NAT pool so hosts would use multiple WAN IP's
18:13 < electricmilk> The commands are fairly simple
18:13 < batch> oh right hmm wait
18:13 < batch> i have some NAT settings in my tplink
18:13 < batch> but to use NAT it requiers something
18:13 < batch> forgot what, let me see
18:15 < pekster> You can often lower the TTL on established connections to something on the order of an hour or serval; that breaks applications that actually want to keep a long-lived but idle TCP socket, but IMO if they can't send 1 keepalive per hour minimum, they can just re-connect, in most cases
18:15 < batch> in my tplink i can enable NAT and hardwareNAT
18:15 < batch> probably not what you are looking for i guess hmm
18:15 < pekster> That combined with a sufficiently large port-range for ephemeral outbound connections tends to be sufficient unless you have a LOT of sessions going on
18:16 < cowsay> Hey this is related to Azure virtual networks, but I assume the same applies to standard networks.  When this virtual network was set up, the primary subnet was set to 10.0.0.0/24.  I need to open up the address space so I can create other subnets, so I need to change primary to, say, 10.0.0.0/8.  How will windows servers react to this change?
18:17 < pekster> A /8? You want up to 256^3 or 1.7 _million_ hosts on a single network?
18:17 < pekster> I suspect that will end badly for you
18:18 < pekster> If by "other subnets" you mean discrete networks you plan to route between, you wouldn't set the /8 as all on-link. Maybe you'd be happier with a /20 (up to 4k hosts, which is still a LOT for a single subnet in most cases)
18:19 < cowsay> pekster, or /16, whatever.. just an example.  I need to create a 2nd subnet on the same network, but only 255 addresses were reserved on the primary subnet.  I need a secondary subnet on the same interface in order to connect azure AD to an existing VM
18:19 < cowsay> I'm not a network guy
18:19 < pekster> A single NIC can have multiple networks, but unless you're doing VLANS (802.1q tagging) they'll all be sharing the same Ethernet broadcast domain
18:20 < cowsay> there are already servers in the 10.0.0.4-7 range, and i don't want to have any impact on them
18:20 < batch> cowsay google vlsm
18:20 < cowsay> ok thanks guys.. will explore other things
18:24 < cowsay> gah, this is confusing.  I admire you network people lol
18:27 < batch> there's an online calculator for vlsm cowsay
18:27 < batch> http://www.vlsm-calc.net/
18:28 < batch> how many total networks do you actually need in future?
18:28 < cowsay> I am going to try to better explain where I'm at here. Maybe my thinking is just off, I'm not big on networking.
18:29 < cowsay> I'm setting up Azure AD.  It is recommended to set AD up on its own subnet.  There is a caveat on the instructions: "must exist in the same virtual network as the one that contains the network interface currently attached to the VM".  The virtual network attached to the VM is currently the one with a primary subnet of 10.0.0.0/24  .. I need to add a secondary subnet to that network and this is where I'm stuck
18:30 < batch> oh i see
18:31 < cowsay> there are live machines on 10.0.0.5 thru 10.0.0.7 and I don't want any impact on them
18:31 < shibumi> basic questions: When I want to connect two bgp peers that are in a seperate LAN, which options do I need to set in FRR or Quagga for bgpd? I tried it with the same settings as the others but doesn't seemt to work :S
18:31 < batch> yeah like what pekster said last cowsay
18:32 < batch> virtual ethernet adapters would be best
18:32 < batch> vlans or virtual ethernet adapters
18:32 < acoctres> Think they gonna make vnex4 anytime soon?
18:33 < cowsay> hmm, ok.. I'll look into that.. thanks
18:36 < jim> batch, if you build the package on the ubuntu box and it has a few interfaces, it will arrange to start it on boot, at which time it will find the default route and the appropriate ip addresses, and spit out the iptables rules to make ipmasqed (NATed) networks out of the non-default interfaces, and route machines on them through the default route
18:36 < jim> works great :)
18:37 < batch> yeah i hope to get it done once soon :p
18:37 < jim> there's a couple things I didn't finish yet, like the point to point thing, if you have point to point
18:38 < acoctres> What's the point? LOL I will see myself out.
18:44 < batch> jim no sorry hmm
18:50 < CounterPillow> Hi, apparently my distro's default ufw config does not play nice with Hetzner's ipv6. I lose ipv6 connectivity after a few minutes, and I can see the dropped counter in the INPUT chain increase when I try to ping -6 something.
18:51 < CounterPillow> Here's ip6tables: https://0x0.st/seWx.txt here's some ip -6 stuff https://0x0.st/seW3.txt
18:51 < CounterPillow> I've basically spent all afternoon trying to chase down what causes it
18:52 < CounterPillow> and now my shoulders ache, my cat is about to start a hunger-induced mutiny, and I'm about to disable IPv6 and try again in a decade
18:54 < acoctres> Good luck amigo
18:54 < CounterPillow> t-thanks
18:54 < cowsay> Ok, so I think the only reason Azure recommends setting up a separate subnet for Azure AD Domain Services is to keep the resources separate for administrator use (just to keep things organized). Can anyone see a reason why not to just stick it on the default 10.0.0.0/24 subnet?
18:54 < jim> if your networking doesn't do point to point on any of your interfaces, that's good... I just haven't finished that part yet
18:54 < cowsay> It's a small organization, the grouping doesn't matter really
18:56 < jim> anyone know where the git repo of iproute2 is stored?
18:56 < Dagger> CounterPillow: have you tried disabling the firewall?
18:57 < Dagger> CounterPillow: those packet counters are kinda weird. it looks like you have no outbound ICMPv6, but you would surely expect `ping` to generate some of that
19:01 < CounterPillow> may have been due to a ufw reload, here's ip6tables after sending 11 unsuccessful pings to google https://0x0.st/seW0.txt
19:02 < CounterPillow> but yeah, hmmm, still 0
19:02 < Dagger> I see this:   13  1352 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere             ipv6-icmp echo-request
19:02 < CounterPillow> I just tried a ufw disable, and ping -6 still doesn't work, hmmm
19:03 < CounterPillow> $ ip -6 neigh
19:03 < CounterPillow> fe80::1 dev eno1 lladdr cc:e1:7f:ac:7f:17 router REACHABLE
19:03 < Dagger> can you at least `ping fe80::1%eno1`?
19:09 < CounterPillow> Dagger: will try after dinner, currently numbing the pain with beer and tortelloni
19:18 < CounterPillow> Dagger: yep, I can ping that
19:20 < Demos[m]> Why are techs always totally unable to use google while looking for parking?
19:22 < CounterPillow> https://0x0.st/seWn.jpg let's do this!
19:22 <+xand> Demos[m]: driving and using the internet together aren't very wise
19:23 < Dagger> CounterPillow: at least something works... can you try pinging 2001:19f0:7000:8005:1234:1234:1e42:cbe4?
19:24 < zenix_2k2> guys, how can i get the maximum amount of backlogs in python ?
19:24 < CounterPillow> that doesn't work :(
19:24 < zenix_2k2> sock.<some sort of variable> i think but don't really remember
19:24 < zenix_2k2> socket*
19:24 < Dagger> 21:24:01.372915 IP6 2a01:4f8:202:6310::2 > 2001:19f0:7000:8005:1234:1234:1e42:cbe4: ICMP6, echo request, seq 3, length 64
19:24 < Dagger> I'm getting it
19:25 < CounterPillow> interesting
19:25 < Dagger> do you see anything relevant in `tcpdump -ni eno1`?
19:25 < Dagger> either incoming pings, or maybe ICMPv6 from the router
19:26 < CounterPillow> can I filter that to v6 only?
19:26 < Apachez> CounterPillow: dont drink and ping
19:27 < Dagger> `tcpdump -ni eno1 ip6`
19:27 < CounterPillow> hmmm, not seeing anything there
19:27 < Dagger> while you're pinging, I should say
19:28 < CounterPillow> oh, sec
19:29 < CounterPillow> seeing some stuff https://0x0.st/seWF.txt
19:29 < zenix_2k2> uhm... hello ?
19:29 < CounterPillow> (that's ping -6ing google)
19:31 < Dagger> it looks kinda like the problem is somewhere upstream then. outbound packets make it out to the internet, but there's no sign of even an attempt to deliver the return packets to you
19:32 < CounterPillow> welp
19:32 < CounterPillow> weird that it worked for a tiny bit after a reboot then
19:32 < Dagger> you'd expect to see either the reply packets themselves or a neighbor solicitation from the router. since there's neither, I don't think it's even trying to deliver them to you
19:32 < Dagger> yeah, that's weird :/
19:34 < CounterPillow> Maybe I should ask Hetzner and hope they don't answer with "is it okay if we try rebooting your server?" again
19:38 < jason85> Can iptables detect and block SSH traffic by inspecting the TCP packets, so that it could detect SSH traffic on ports other than 22, too?
19:38 < Dagger> https://lists.debian.org/debian-ipv6/2016/09/msg00006.html this seems vaguely related, but doesn't really have an answer... except that their server has two network interfaces, and disabling v6 on one makes the other one work fine
19:38 < zenix_2k2> Uhm, hello ?
19:40 < tds> jason85: https://github.com/betolj/ndpi-netfilter
19:43 < zenix_2k2> guys, how can i get the maximum amount of backlogs in python ?
19:43 < zenix_2k2> with the socket module
19:44 < CounterPillow> Dagger: hmmmm, "net.ipv6.conf.all.use_tempaddr = 2" on my system
19:44 < CounterPillow> but "net.ipv6.conf.eno1.use_tempaddr = 0"
19:44 < Dagger> they'll be in `ifconfig` if they're being used
19:45 < jason85> tds: Thanks
19:47 < CounterPillow> I don't see anything suspicious in ifconfig
19:50 < CounterPillow> well, sysctl.d/10-ipv6-privacy.conf did have the tempaddr stuff set to 2
19:50 < CounterPillow> I changed that and also ran sysctl on the values
19:50 < CounterPillow> Should that be enough to theoretically make it give me my packets again if that was it?
19:51 < CounterPillow> or do I need to reset the ipv6 stuff somehow
19:52 < Dagger> they weren't being used anyway, so it seems like it shouldn't make a difference
19:52 < Dagger> unless maybe it changes something in early boot, but if so then you'd need to reboot to see a change
19:53 < CounterPillow> https://0x0.st/se4X.png there's also this fun file
19:55 < CounterPillow> which may be conflicting with ufw's sysctl stuff, which has this (hopefully inversely labelled?) section https://0x0.st/se4K.png
20:04 < CounterPillow> okay, rebooted and I have ipv6, for now. let's see if it goes away again
20:06 < electricmilk> omg TPx support is embarrassingly bad.
20:19 < CounterPillow> for future reference, here's some output of ipv6 working https://0x0.st/se4m.txt
21:14 < Atro> Guys, how do I networking
21:14 < Atro> These people are ignoring me
21:16 < turtle> Start with a "Hello" finish with a happy ending
21:16 < xamithan> What doing networking?
21:18 < detha> Atro: you take some data. you strap a header to it, and call it a packet.
21:19 <+catphish> Atro: basically you working, but you get first
21:19 < Atro> xamithan: but what about the MTU?
21:20 < Atro> Errr detha^
21:20 < Atro> catphish: wot
21:21 <+catphish> Atro: *net first
21:22 < detha> MTU only applies to unionized packets
21:23 < Atro> catphish: do i need a PSK to understand you?
21:23 <+catphish> Atro: take the red pill and all will be clear
21:23 < pekster> Only if cätphish is using Phase Shifted Keying to talk to you
21:23 < Atro> catphish: you mean the PFS?
21:24 <+catphish> yes http://www.thepfs.org/
21:24 < tyzoid> PSK is mostly useful for low-bandwidth ota communication
21:25 <+catphish> perhaps we should simplify and use CW
21:25 < detha> IP-over-Morse?
21:26 < tyzoid> problem with cw is it's not exactly the most reliable of communication protocols, especially when it's entered by hand a lot
21:26 < tyzoid> the SNR needs to be sufficiently high with cw
21:26 < tyzoid> where afaik, psk can be a bit lower with SNR
21:26 <+catphish> i disagree
21:26 < tyzoid> been a while since I've worked with them, though
21:27 <+catphish> i'd say CW requires by far the least SNR of any protocol
21:27 < tyzoid> I wouldn't say that, given that there are other encoding schemes that can work below the noise floor
21:27 <+catphish> it's so easy to detect
21:28 < detha> And every operator has a distinct 'key' that other operators can pick up. Authentication taken care of
21:28 < tyzoid> lol
21:28 <+catphish> i've only ever done CW once, required to get my radio licence lol
21:29 < tyzoid> no longer required for ham radio in the states, which imo is pretty cool, but also somewhat sad
21:29 <+catphish> shame, it's kinda fun
21:29 <+catphish> you don't have to learn it here, or use it with any skill
21:29 < tyzoid> yeah, I've been meaning to learn it, but haven't had time to practice
21:30 <+catphish> you just have to send and receive one message at any speed you like with a cheat sheet for the test
21:30 <+catphish> to deminstrate that you understand the concept
21:30 < tyzoid> Well, I've already got my license, so I don't need to do it for a test
21:31 <+catphish> i have a 10W licence, one day i should actually get a radio and see how far i can get with that power
21:31 <+catphish> probably a decent distance with the right antenna
21:31 < tyzoid> catphish: What country?
21:31 <+catphish> tyzoid: UK
21:32 < tyzoid> ah
21:32 < tyzoid> catphish: With the amateur radio licenses we have here, I can broadcast at an insanely high power if I needed to
21:32 < tyzoid> up to 1.5kw, depending on intended communication
21:34 <+catphish> tyzoid: in the UK there are 3 licences, with different powers, 10W, 50W and 400W, i know some places allow 1kW+, but we don't
21:34 < detha> "intended communication: CW to neighbour. Receiving device: one fluorescent tube"
21:34 <+catphish> tyzoid: on the other hand, they're not frequency-restricted, so unlike some places, i can do 10W on *any* band
21:34 <+catphish> detha: lol
21:35 < tyzoid> Yeah, ours are differentiated by frequency, so I can only operate VHF/UHF, with a little HF
21:35 <+catphish> so i can do 10W HF, which is actually kind of a cool challenge to see how far you can get with so little power
21:36 < detha> that will need a rather large antenna
21:36 <+catphish> yep :)
21:37 < tyzoid> Yeah, I should really study up for the next class of license
21:37 < tyzoid> the Technician/beginner license is really easy to get
21:37 <+catphish> actually, not totally true about bands
21:37 < tyzoid> but anything more requires a lot more knowledge
21:37 <+catphish> i'm not allowed to use 2.4GHz
21:37 < tyzoid> ah
21:37 < tyzoid> shame
21:37 <+catphish> but if i had a 50W licence i could do 50W on 2.4GHz
21:37 < detha> and on 10GHz ?
21:38 <+catphish> yes
21:38 <+catphish> 10000-10125 - 50W
21:38 < tyzoid> Not sure if it's the same where you are, but here in the States, Amateur / Licensed operation is prioritized over ISM use, which means if a neighbor is interfering with my 2.4ghz operations, they'd legally be required to change frequencies / shut down their router
21:38 < tyzoid> I've got a funny anecdote about that
21:39 <+catphish> not here, 2400-2450 - Secondary. Users must accept interference from ISM users
21:39 < tyzoid> Where I went to college, there was a policy against students running wireless networks in the dorms, as they interfered with the campus wifi
21:39 < tyzoid> but one student was a licensed user
21:39 < tyzoid> which means he has priority
21:39 <+catphish> lol
21:39 < tyzoid> so the college's IT staff used to go around and essentially dos the student's networks
21:39 < tyzoid> trying to take them offline
21:40 < tyzoid> so he went to the FCC and claimed purposeful interference
21:40 <+catphish> that is illegal in most places
21:40 < tyzoid> and long story short, they got told to quit it
21:40 <+catphish> here pretty much all radio users much tolerate each other, deliberate interference is always illegal
21:41 <+catphish> although many bands are secondary to the military
21:41 < tyzoid> I think it's the same, but I'm sure there are details I'm missing, since this is a story I've heard second (third?) hand.
21:42 <+catphish> your story is only semi-plausible
21:42 <+catphish> to be an amateur radio user, you have to follow some conventions, no encryption, you must prefix communications with your cllsign
21:43 <+catphish> so using wifi as-is wouldn't really qualify
21:43 < detha> set SSID to call-sign ?
21:43 < tyzoid> There's multiple different interpretations of that - encryption can't be used for the purposes of obfuscating the data
21:43 <+catphish> also, while interfering with someone's wifi signal is illegal, the college could probably just expell you if you didn't follow their rules
21:43 < tyzoid> but it could possibly depending on the interpretation be used to enforce authentication
21:44 < tyzoid> detha: That's what most people do, set ssid to call sign, then set network open
21:44 <+catphish> tyzoid: well here you can't use encryption, full stop, the data must be readable
21:44 <+catphish> setting SSID to the callsign might be considered OK
21:45 <+catphish> but you also couldn't use TLS
21:45 < tyzoid> catphish: That's actually standard practice, though usually it's a microwave link, and not normal wifi
21:45 <+catphish> the internet would be pretty useless
21:46 <+catphish> on the plus side, you can so it at 100W and cook your food on the antenna :)
21:46 <+catphish> i don't own a radio :( really should get one
21:47 <+catphish> wonder how much a HF and VHF radio costs
21:48 < tyzoid> catphish: http://www.broadband-hamnet.org/images/stories/DataEncryptionIsLegal.pdf
21:49 < tyzoid> This applies in the US, but essentially the argument is that some encryption is required to ensure only hams can connect
21:51 < siix> hey folks - what's the best way to track down which device on a LAN is using up the internet bandwidth?
21:52 < tyzoid> siix: do you have the ability to capture the packets on that segment?
21:52 < tyzoid> if so, it should be pretty easy to measure relative packet count
21:52 < tyzoid> otherwise, you'll need access to the router
21:52 < tyzoid> iptables has a feature where you can count packets of traffic
21:52 <+catphish> tyzoid: just read that, i'm really not convinced
21:53 <+catphish> tyzoid: i guess it holds up where it was written, but it has the side effect of making the connunications themselves unreadable to other licenced users
21:53 <+catphish> which IMO is unacceptable under the rules here
21:53 < tyzoid> The rules here make no mention of needing to be able to intercept traffic
21:54 < siix> tyzoid: i have access to the router, yes, so i should be able to grab packets. router has several wired clients but i believe the majority of the traffic is coming from one of the wireless clients
21:54 <+catphish> tyzoid: the actual rule in the UK is: "Messages sent from the station shall not be encrypted for the purposes of rendering the Message unintelligible to other radio spectrum users."
21:55 < Alina-malina> https://pastebin.com/raw/Za6iyAWM   someone ban this idiot from here please....or at least dont provide any help, hes harasing in PMs to people for many years, and using different nicknames like Neo4, just sayin...
21:55 < tyzoid> Then this argument might still apply
21:55 <+catphish> now, you could try to argue you were encrypting for some other purpose
21:55 <+catphish> but IMO if you wanted *authentication* you can do this without encrypting the payload
21:56 < siix> tyzoid: ideally something like a real-time bar graph of traffic load by client on an interface would be great
21:56 < tyzoid> not with 802.11, though
21:56 <+catphish> tyzoid: that's correct, and IMO that makes encrypted 802.11 unsuitable for amateur radio usage
21:56 < tyzoid> siix: there is custom router firmware for that, ubiquity makes some great stuff for the edgerouter
21:56 < siix> tyzoid: i'm limited there. the router is an asus
21:57 < tyzoid> catphish: No, any 802.11 authentication scheme uses encryption, which means it's impossible to 802.11 and have auth
21:57 <+catphish> tyzoid: well i agree
21:57 <+catphish> hence you would need to make a new protocol
21:58 <+catphish> however it's also clear that unencrypted 802.11 also fails to meet the requirements
21:58 < CounterPillow> Dagger: looks like you pointed me to the right direction. IPv6 hasn't died yet.
21:58 <+catphish> because it can communicate with non-licenced users
21:58 < CounterPillow> Dagger: <3
21:58 <+catphish> so basically, in my opinion (which doesn't count for much), 802.11 can never be used as-is for amateur communications
21:59 <+catphish> tyzoid: the argument in that article is interesting, but i would not be happy about it
21:59 < Dagger> CounterPillow: note that I'm pinging you every 15s, that might potentially have something to do with it
21:59 < Dagger> CounterPillow: I'll stop that now
21:59 < CounterPillow> oh D:
22:00 <+catphish> the UK rules also say " The Licensee may use codes and abbreviations for communications as long as they do not obscure or confuse the meaning of the Message."
22:00 < CounterPillow> If you're the only one keeping me alive then that would be hilarious
22:00 <+catphish> it's pretty clear they don't want encryption at all
22:06 < detha> the entire 'no encryption' thing is to make it easy to check if someone violates some of the other conditions, like 'Not carrying commercial traffic'
22:12 <+catphish> detha: not entirely
22:12 <+catphish> although i'm sure that's one reason
22:12 <+catphish> but the whole point of amateur radio is that people can enjoy both transmitting and listening
22:13 < detha> I'm pretty sure it's the main reason. There are others, but those serve to prop that one up
22:25 <+catphish> since it's quiet here, i'd like to express 2 controversial opinions 1) the USA should ban guns 2) the UK royal family need to go away
22:28 < tyzoid> catphish: But what about all the people who participate in Hunting?
22:29 < tyzoid> Game hunting is a huge thing here
22:29 <+catphish> i don't know much about that
22:30 <+catphish> but here guns can be licenced for hunting, there are lots of conditions, they have to be stored securely, and it's not a problem, so as long as it's properly controlled, i see no problem
22:30 < tds> I don't care that much about the royal family still being around, bbc news sending out push notifications every 5 mins about it is getting annoying though
22:31 < tyzoid> Also, you don't have a right to a gun put into your country's founding documents
22:31 <+catphish> i used to be ok with the royal family, figured if they mind their own business, they're not harming anyone
22:31 < tyzoid> plus, the context in which that exists makes it very difficult to push any legislation through that limits it
22:31 < petemc> they mostly do, apart from Charles
22:32 <+catphish> but today i read about homeless people having their belongings confiscated by anti-terror police just because some rich folk want to get married nearby
22:32 < Dagger> I have to go into London tomorrow
22:32 <+catphish> and i think "fuck them"
22:32 < Dagger> it shouldn't be too busy, right...?
22:33 <+catphish> tyzoid: honestly, the USA has way too much time for those old documents, they need to start making laws for today
22:33 < petemc> might be a few around windsor area
22:33 < tyzoid> catphish: That old document is the rules by which our country operates and is what gives power to all of our institutions
22:33 <+catphish> tyzoid: it's not that hard to amend the US constitution, you just need a large majority, but instead they treat it like some kind of holy document that must never be questioned
22:34 < tyzoid> "not that hard," - it is that hard to get people to agree
22:34 < tyzoid> esp. when there's major financial incentives to keeping it as is
22:34 <+catphish> tyzoid: in fact, the right to bear arms is itself an emendment!
22:34 < petemc> if a load of you children being shot in their school doesnt change peoples minds, nothing will
22:34 < tyzoid> ^
22:34 < steevo> catphish, not really, only kind of.
22:34 <+catphish> so IMO treating is as gospel is bullshit
22:34 < petemc> s/you/young/
22:35 < steevo> the bill of rights just defines natural rights, it doesn't actually _give_ rights
22:35 < tyzoid> steevo: Incorrect
22:36 < tyzoid> it actually does
22:36 < steevo> tyzoid, no, it actually doesn't
22:36 <+catphish> tyzoid: and yes, i realise it's hard to get people to agree, and it's right that it requires a huge majority to change these things
22:36 < tyzoid> steevo: it does so by limiting what congress, and the states have a right to regulate and restrict
22:36 < tyzoid> it gives that power to the people
22:37 < steevo> tyzoid,  you are correct, before you explained I thought you meant something different
22:37 < tyzoid> and there has only ever been one time where an amendment to the constitution has been repealed, and that was when rights/abilities were being taken away
22:37 < tyzoid> (a la prohibition)
22:37 < tyzoid> steevo: I see
22:38 <+catphish> tyzoid: sadly a lot of (arguably more important) rights have been taken away, because they happened not to be relevant when those old documents were written :(
22:38 < tyzoid> catphish: I agree wholeheartedly with that
22:39 < steevo> catphish, can you give an example?
22:39 < tyzoid> steevo: The "right" to privacy?
22:39 <+catphish> steevo: privacy is the obvious one
22:39 < steevo> catphish, tyzoid, I agree with that. Makes sense why they didn't think of it though
22:39 < tyzoid> exactly
22:40 < tyzoid> because people weren't in the habit of carrying around magical devices that could report precise position at any moment
22:40 <+catphish> tyzoid: and lets not forget the really obvious one - freedon
22:40 < tyzoid> nor were communicating via electromagnetic signals that could be intercepted without either party noticing
22:40 < tyzoid> catphish: freedom, how so?
22:40 <+catphish> the USA had quite a long period where they thought enslaving  humans was ok
22:40 < tyzoid> (not disagreeing with you, just curious)
22:41 <+catphish> because there was nothing in the original constitution prohibiting it
22:41 < steevo> catphish, the humans were actually enslaved elswhere, just after they got to the USA, they weren't freed
22:41 <+catphish> steevo: technically true
22:41 <+catphish> but i'm not sure the black people would say that was an important distinction :)
22:41 < tyzoid> steevo: You could also argue the other way, by the fact that people could be born into slavery on US soil
22:42 < steevo> tyzoid, true
22:43 <+catphish> i actually genuinely can't comprehend how "We hold these truths to be self-evident, that all men are created equal" was so ignored
22:43 <+catphish> "that they are endowed by their Creator with certain unalienable Rights, that among these are Life, ***Liberty***"...
22:43 <+catphish> bafflng
22:43 < steevo> catphish, aye
22:45 <+catphish> the only conclusion i can arrive at is that the constitution is interpreted to convenience the rich
22:45 <+catphish> and this remains the case
22:46 < steevo> catphish, I don't know. Sometimes it does seem that way
22:48 <+catphish> i believe that in most developed countries, rule is bought with cash
22:48 < steevo> catphish, I am sure that's true in some cases. I know for a fact the 'little guy' wins on occasion though.
22:49 <+catphish> i mean, do we really believe that people like donald trump just happened to be the best person for the job, or maybe there might be some element of being able to buy your way to the top
22:49 <+catphish> steevo: fortunately, the judiciary in most countries seem to provide some balance
22:49 < steevo> catphish, he did have to posess the resources required to campaign, which most people don't have
22:50 < UncleDrax> "8-Port Gagabit w/POE".. is a Gagabit more, less, or equal to a Gigabit?
22:50 <+catphish> UncleDrax: lol, i'd say it was the same, but more musically talented
22:50 < S_SubZero> LadyGagaBit (caught in sad packet loss)
22:50 <+catphish> :)
22:51 <+catphish> steevo: this is the problem, the pool is really rather reduced to those people that have already flourished under the existing regime
22:52 < steevo> catphish, or those who can convince the conventions and such that they are worth supporting
22:53 <+catphish> steevo: well sure, but i fear that rarely includes anyone who isn't either extremely rich, or already part of the family
22:53 < steevo> catphish, in national governments that is very true. More localised governments are much easier to "break into" though
22:54 <+catphish> consider that the USA escaped monarchy, only to end up with a new kind of inherited power
22:54 <+catphish> steevo: yes, that is certainly true, i always advocate moving as much power as possible to local government
22:54 < steevo> catphish, which is why states rights should be a much bigger deal in the US
22:55 <+catphish> steevo: i agree entirely
22:55 <+catphish> i think there's a good balance to be had between areas of control (state vs national vs international treaties)
22:56 < steevo> catphish, that is actually what the confederacy wanted when they seceded from the union
22:56 < UncleDrax> so Gagabit aside, anyone have suggestions for a 3-4port GigaBit PoE/PoE+ VLAN capable switch with an SFP+ uplink. Looking for something that's easy to keep managed for ~100 units without much fuss/fiddly-bits
22:57 <+catphish> steevo: consider that in the UK, it was deemed too much control was being given to the EU, so we're leaving
22:57 < UncleDrax> MTs seem to fiddy to me for this.. but if someone does em at that (or larger) deploy, i'd be curious to know
22:57 < steevo> catphish, my understanding of the situation is limited, but it seemed to me that brexit was a good idea
22:57 <+catphish> steevo: personally i like the EU, i wish more control could have stayed where it belonged
22:58 <+catphish> i wish we have delegated to the EU where it was a good ideal but kept control nationally where it was a good idea, but even more so, i think a lot more control in the UK should go to even smaller regional government
22:58 < tds> UncleDrax: any reason for wanting so few gbit ports, but with a 10gb uplink?
22:58 <+catphish> because i believe in retaining control, but not being isolationish
22:59 < tds> I'd have thought a bonded pair of 1g links might work better for that
22:59 <+catphish> *isolationist
22:59 <+catphish> UncleDrax: you really need 10G uplink?
23:00 < UncleDrax> tds: catphish: sorry.. just regular SFP.. i got carried away with the + signs.. stupid PoE
23:01 <+catphish> UncleDrax: well, mikrotik definitely make such a device
23:01 <+catphish> UncleDrax: you need managed?
23:01 < detha> UncleDrax: '3-4 port' and 'sensibly managed' narrows the options somewhat.
23:02 <+catphish> i'd say mikrotik may be the only such device
23:02 <+catphish> https://mikrotik.com/product/RB260GS
23:02 < detha> There's industrial stuff that fits that bill, but I don't think you want to pay for 100 of those
23:02 <+catphish> The RB260GS is a small SOHO switch. It has five Gigabit Ethernet ports and one SFP cage powered by an Atheros Switch Chip.
23:03 < UncleDrax> detha: $100? not out of the budget. whatchagot?
23:03 < HJJHJH> pictures my sister in bikini -  https://volafile.org/r/jt77w9w8
23:04 < detha> UncleDrax: don't think $100 will do that, but lemme look
23:04 <+catphish> somehow i doubt that link is what it claims to be
23:04 < UncleDrax> these will live in an levinton box in a garage in a subtropical climate.. if there's a sub$200 industrial-grade box that fits thebill, i'm definately all ears
23:04 <+catphish> UncleDrax: did you see my suggestion?
23:05 < UncleDrax> ya, I got a HEX POE at home actually.. do those boot faster and more rugged? size wise they are awesome, but I worry about the fiddly-bit nature of MTs a lot for rolling out to remote locations
23:06 <+catphish> UncleDrax: maybe https://www.tp-link.com/uk/products/details/cat-39_T2500G-10TS.html
23:06 < UncleDrax> are those passive PoE only? def will need 802.3af/at though.. going to hang APs off them
23:07 <+catphish> twice the price of the mikrotik
23:07 < UncleDrax> catphish: ya I was looking at the TP link options.. might just have to pick up a couple just to test em
23:08 <+catphish> personally i'd go with the tp-link, i have a weird inexplicable personal dislike of mikrotik's software
23:08 <+catphish> the tp-link just seems more rugged too
23:08 < UncleDrax> ya I don't dislike it, but it's definately what i'd call 'fiddly'.. sometimes too many knobs is A Bad Thing
23:08 < detha> UncleDrax: https://www.moxa.com/product/EDS-P506A-4PoE.htm
23:08 < UncleDrax> the MTs
23:09 <+catphish> also, plastic case is never a winner for me on anything serious
23:09 <+catphish> detha: those looks great
23:09 <+catphish> ...Starting From $1,490.00
23:09 <+catphish> no
23:09 < UncleDrax> detha: need Gig (and I'll poke at their other offerings)
23:09 < detha> catphish: those things are quite nice. $$$ though.
23:09 < UncleDrax> ya..
23:10 < UncleDrax> but that's like certified rugged stuff, you'd put that in a metal traffic control box type thing
23:10 < UncleDrax> or in the middle of a steel mill
23:11 < detha> yup. they can handle that. cisco-like CLI, nice and easy.
23:12 < UncleDrax> and they do modbus.. *vomits a little*
23:12 < UncleDrax> but ya if I was running a factory, i'd be all over that
23:13 < UncleDrax> was just curious what else might be in teh space I was missing.. hard to keep from getting blinders
23:15 < detha> The 'sensibly managed' part is the difficult one here, plenty Netgear and similar stuff that fits, but either unmanaged or GUI only
23:15 < UncleDrax> appriciate the input, please resume your regularly scheduled political conversation
23:15 < UncleDrax> ya unmanaged irks me as thing. pure CLI isn't a big deal, but i'd have to write some glue to expose stuff to our HellDesk
23:15 <+catphish> the tp-link i linked was managed
23:16 <+catphish> seems idea if you want reasonable quality but not enterprise
23:16 < UncleDrax> well, I want enterprise/SP quality, but not enterprise/SP price.. like most people :]
23:16 <+catphish> of course :)
23:17 < UncleDrax> putting questions out to a few VARs too.. we'll see
23:17 <+catphish> i still believe netgear provide that when it comes to switches
23:17 < UncleDrax> speaking of which, found one of those old 4-port Netgear 10base-T HUBs at our CO the other day.. classic stuff that
23:17 <+catphish> they have some crappy devices, but most are seriously reliable, and because of lifetime warranty, they replace the crappy ones
23:18 < detha> Let us know if you find anything, always interested in more cost-effective things that still do the job
23:18 < UncleDrax> the kind with the 'uplink' mode button. ahh memories
23:18 <+catphish> those hubs are iconic
23:18 <+catphish> this one? https://images-na.ssl-images-amazon.com/images/I/715NRWW6N0L._SX355_.gif
23:18 < UncleDrax> that's the one
23:18 <+catphish> :)
23:19 < detha> memories....
23:19 < UncleDrax> we used them for ethernet drops on our Nortel JungleMUXs I think.. .. homie don't do TDM
23:20 < UncleDrax> had to be a hub because of how they did the SONET fast ring or some such.. I am not a SONET tech (IANAST?)
23:20 < UncleDrax> anywho
23:20 < UncleDrax> ya appriciate the input, i'll poke at it and if I find some amazing box, i'll report back
--- Log closed Sat May 19 00:00:25 2018