--- Log opened Wed May 23 00:00:29 2018
00:09 < BrandonM> Is it possible to have a separate vlan and tag specific ports just for pxe booting? (Already have pxe on the current network for sccm07, want this vlan specific for sccm 1802)
00:12 < xamithan> sure why not?
00:12 < Apachez> you can tag shit too if you want if you use ipxe
00:19 < BrandonM> xamithan I just want some clarification if its possible without the need of taking ccm 07 offline, heh.
00:23 < xamithan> If ccm07 can't see the separate vlan there is no need
00:27 < xirg> hello, i'm looking into a san or nas for shared storage on a home network as well as a host for a virtual machine running ubuntu desktop
00:27 < xirg> any recommendations?
00:28 < Apachez> synology?
00:28 < Apachez> hp virtual storage
00:28 < Apachez> depends on the size of your wallet
00:29 < kiokoman> readynas ?
00:30 < xirg> hello if anyone answered my question plz repeat it, I just moved to my laptop
00:30 < xirg> if not disregard
00:33 <+catphish> synology are good, for nas not sure i can recommend them for a VM host though
00:34 < xamithan> grab a synology or qnap and a intel nuc
00:35 < xamithan> Assuming cost isn't a factor
00:37 < xirg> is the intel nuc power efficient?
00:38 < petemc> yes
00:45 < drac_boy> hi
01:15 < star> Is it worth using OpenWRT/LEDE over TP-Link's probably proprietary firmware? (other than ease of mind)
01:17 < xamithan> I don't because I wouldn't get the full wifi AC speed
01:18 < xamithan> Otherwise openwrt is much more stable and robust
01:25 < RoadRunner> is this an apropriate place to ask about "how to" ssh connectivity?
01:25 < DoctorDick> ?ask
01:25 < RoadRunner> (under linux)
01:25 < DoctorDick> Just ask
01:27 < RoadRunner> if I am trying to help a friend with minimal linux knowledge to remotely repair his comp, is ssh the best way to go about it?
01:27 < xamithan> Depends on what is broken
01:28 < xamithan> If grub is broken or something in the DE,  ssh isn't going to help much
01:29 < RoadRunner> DE?
01:29 < xamithan> desktop environment
01:29 < dijksterhuis> Desktop environment
01:30 < RoadRunner> let's say it's routing maintenace, where I'd have to log in, open a terminal and clean out old kernels or remove or install some apps?
01:31 < dijksterhuis> Should be fine. Just make sure you don’t do anything that bricks the system, else you won’t be able to get back in to fix it
01:32 < RoadRunner> rebuilding grub can only be done in person?
01:34 < dijksterhuis> Anything outside of the os would need to yes
01:34 < xamithan> If that was true we'd need a whole lot more people in the datacenter
01:35 < xamithan> That isn't true either,  there is OOB management
01:35 < xamithan> Probably not on a consumer system though
01:36 < RoadRunner> OOB?
01:36 < xamithan> out of bounds,  like IPMI, iDrac, IP-KVM,  etc.
01:40 < RoadRunner> so far, I've heard advice like ssh, teamviewer,  chrome and remote desktop extension; I am new to this so what's the best way to proceed?
01:40 < xamithan> Like we said,  depends on what is broken.  ssh is fine for what you said so far
01:40 < dijksterhuis> Use a google hangout or something to get them to show out the problem first
01:41 < dijksterhuis> ^ top tip
01:41 < xamithan> I don't see why the friend is incapable of typing "apt install"  or "apt autoremove" theirself though
01:41 < dijksterhuis> If it’s a DE thing you can guide them from there, or work out next steps as you go
01:42 < dijksterhuis> Ssh should be fine for most of what you need
01:42 < RoadRunner> dijksterhuis: please explain "google hangout"
01:43 < RoadRunner> xamithan: my friend is over 80 and doesn't want to learn unix or deal with cli...
01:43 < dijksterhuis> Video call session. Like Skype. But via the web browser
01:43 < xamithan> Why isn't he using windows then?
01:43 < linux_probe> put him on ubuntu?
01:44 < RoadRunner> xamithan: I am trying to get him to transition :) (to ubuntu)
01:44 < linux_probe> only thing i've seen sticky is upgrades
01:44 < linux_probe> distro version upgrades rather
01:45 < linux_probe> at most you'll have to remove plugings from browser and creset home page lol
01:47 < xamithan> You put them on 18.04 they'll be dead by the time it is end of life
01:47 < xamithan> (sorry if that was a bad joke)
01:47 < dijksterhuis> RoadRunner: You can get him to share his screen on a google hangout FYI.
01:47 < RoadRunner> xamithan: ...
01:47  * drac_boy thankfully doesn't even support linux personally anyway ;)
01:48 < dijksterhuis> So he can show you the actual problem then
01:48 < linux_probe> maybe setup a vpn lol
01:48 < RoadRunner> dijksterhuis: is google hangout the only such service (where screens can be shared)? I thought Firefox, had something like that?
01:50 < dijksterhuis> Possibly services more out there. It’s just the one I use as it’s relatively simple to set up.
01:50 < RoadRunner> ok, that's certainly one way worth noting
01:50 < dijksterhuis> Sign in, start a session, email the link, they join... done.
01:50 < xamithan> anything that uses webRTC will work
01:51 < RoadRunner> webRTC?
01:51 < xamithan> the framework that most all those services are based on
01:51 < buscado> yes hello, I have not been able to access my home server since my ISP sent me a bonded adsl modem, i have turned off both ipv4 and ipv6 firewall, turn on DMZ for the server and also set up port forwarding but still nothing anyone have an idea why this is happening?
01:51 < buscado> is there something about a bonded pair connection that keeps it from being accessed from the wan?
01:52 < RoadRunner> does anyone have a good alternative for google's offering?
02:01 < RoadRunner> assuming ssh-server is installed on the remote comp and given that my friend is on a dynamic ip where his linux comp is one of seferal on a lan with a router set to auto dhcp; I got to call him and explain how to open terminal, enter "inxi -i" and tell me the ip (which can be diff every time he boots), do his router settings need to be changed to let me in?
02:03 < xamithan> goodluck with that,  he'll need to port forward and set a static ip
02:03 < xamithan> teamviewer or hangouts might be easier to deal with
02:05 < RoadRunner> to finish off with ssh, if he gives me both his wan and lan ip's would he still need to port forward or change anything else on his router?
02:08 < djph> just use a reverse ssh tunnel if you want to ssh that bad
02:09 < RoadRunner> since its all new to me, the same question - how?
02:10 < spaces> I have the perfect hotdog!
02:11 < RoadRunner> the amount of stuff in man on ssh is intimidating so I am looking for a way to start "slow"...
02:13 < ALowther_> Idk how you'd get through properly with NAT
02:13 < ALowther_> You can try this, as suggested by djph, I've never done a reverse SSH tunnel myself.
02:13 < ALowther_> https://www.howtoforge.com/reverse-ssh-tunneling
02:13 < ALowther_> Roadrunner
02:13 < RoadRunner> xamithan: if I set him up on a router with a static ip, would the task become more doable?
02:14 < tds> -R is the option you want for reverse tunneling (look at the man page for more details), if you want to keep it running you probably want to look into autossh
02:14 < xamithan> If the comp has a static lan IP and has a proper port forward in place then you won't need a reverse ssh tunnel
02:14 < tds> I guess these days you could also write a systemd service to run ssh
02:15 < xamithan> Honestly though,  programs like teamviewer connect to a central server so they traverse NAT.  It is the easier option
02:15 < ALowther_> Roadrunner, the key, I believe, is the port forwarding. You can ssh to the public IP, but it has no idea where to route that information, unless you are trying to SSH into his router....You could try SSHing into his router, set up port forwarding on his router to the LAN ip, then SSH in. The port forward tells the router which computer you are trying to contact via the IP address.
02:17 < met-denise-milan> hi
02:18 < RoadRunner> xamithan: I'll certainly look into teamviewer
02:21 < RoadRunner> ALowther_: I understand the concept but it certainly doesn't sound quick or easy...  So there is no way to input both the wan and lan ip's in one go during login without port forwarding on the router?
02:21 < xamithan> Nah that isn't how networking works
02:21 < ALowther_> RoadRunner. In my experience, especially with a standard consumer router with a web interface, configuring port forwarding is easy and straightforward
02:22 < ALowther_> But as xamithan said, no...At least with IPv4. You might be able to do something with IPv6, Idk, but I doubt that is configured anyhow.
02:24 < xamithan> NAT lets the router share the WAN IP.  It doesn't know which lan IP is running what services on what ports so it only allows through connections that are already existing unless you forward the ports
02:26 < xamithan> The only way a round that is using UPnP (universal plug and play) which is mostly limited to IoT devices or gaming consoles and a huge security hole
02:26 < RoadRunner> his router belongs to his ip provider and you can't change nothing there; so, if port forwarding is a must which can only work predictably on a static ip, I'd have to give him one of my custom built routers built on smallWall but then he would have to learn still more stuff to use it...
02:27 < ALowther_> RoadRunner. If you can't configure port forwarding, it doesn't matter if the LAN IP is static.
02:28 < xamithan> teamviewer or google remote desktop or something else that traverse NAT sounds like your only option then
02:29 < RoadRunner> ALowther_: I get that :) - on the router I could give him I could configure everything
02:29 < RoadRunner> I guess, I'll just have to ask him to choose
02:30 < xamithan> Yeah but more than likely he has a modem|router combo that you can't bypass
02:30 < xamithan> Very few ISPs give you separate router
02:30 < RoadRunner> I can ask his provider to exchange his current router for another in bridge mode
02:30 < xamithan> You could
02:30 < ALowther_> xamithan: Is that a thing, where you can't bypass it? I guess I have been blessed with my ISP's. I have always been able to use my own router, if I wanted.
02:31 < xamithan> I've never had one that you couldn't get into the settings,  but I've heard of it happening
02:34 < RoadRunner> if he is going to be willing to learn, would you recommend I give him a gateway built on SmallWall or OpenSense? SmallWall is much easier to learn, but I believe OpenSense gives better vpn options?
02:39 < RoadRunner> xamithan: ALowther_: any opinion?
02:40 < xamithan> I've never used those two, so no opinion here =o
02:40 < ALowther_> RoadRunner: No, I've never heard of either of those. I am certainly no expert, so that doesn't mean they aren't any good.
02:40 < xamithan> I'm a pfsense fan myself
02:40 < ALowther_> I personally use MicroTik with OpenVPN
02:41 < ALowther_> RoadRunner: I am just a hobbyist for networking, so I have lots to learn myself.
02:41 < RoadRunner> ok, so, I've used openWall for like a decade, smallWall is its direct decendent and OPNsense is simmilar to pfsense only, from what I understand - now more open
02:42 < xamithan> I'm sure either will work just fine,  mostly stuff like that is just preference
02:43 < RoadRunner> I have not used OPNsense myself (just installed it on one gateway) but it seems WAY more complex than small/mono wall; was just wondering if it does in fact give supperior options for vpn and would my friend really be likely to benefit from that?
02:49 < birkoff> what are strings like \005\036\0141\000in ?
02:52 < S_SubZero> context?
03:00 < RoadRunner> ALowther_: xamithan: btw, even if I give him a configurable router, set his comp to a static ip on his lan and port forward the router, I am not on a static ip with my isp so what incoming ip would I be setting up in his port forwarding?
03:01 < xamithan> source ip can be set to any
03:02 < ALowther_> RoadRunner: You don't. Your IP can change and it will be on a per connection basis. You tell it to "pass along" connections on a specific port to a specific computer & that's what it does.
03:02 < ALowther_> That is why some people will tell you not to use port forwarding as it could be a security issue. Personally, if it's just a home LAN and you use basic security measures with passwords and a non-standard port I don't think it should be too big of a concern.
03:04 < RoadRunner> recommendations for a "non-standard" port number?
03:04 < xamithan> Any good vpn will have functionality similar to fail2ban
03:04 < xamithan> Anything above 1024 is good
03:05 < xamithan> I wouldn't choose something similar though,  like 222,  or 2222
03:05 < RoadRunner> just don't like the idea that any source could get through...
03:05 < ALowther_> RoadRunner: Just remember it, you will need to explicitly define it when you try to SSH in.
03:06 < xamithan> security through obscurity is just stupid IMO.  using a certificate + a password is much better
03:06 < tds> the only real reason to change the ssh port is to drop the amount of noise in the logs, otherwise it's pointless
03:06 < xamithan> Yeah it'll stop those chinese bots
03:06 < ALowther_> RoadRunner: They can get to the computer, but they still need a password to get in. Unless a guest account or some other thing is enabled to let people in without a password.
03:07 < RoadRunner> xamithan: certificate?
03:07 < tds> just disable password authentication on everything, leave ssh on the default port, and you should be fine
03:08 < xamithan> A good vpn will run on SSL with certificates for each user
03:08 < ALowther_> RoadRunner: There may be some routers that allow you to only accept connections from certain IPs for port forwarding. That certainly would be a good tool. I don't think I've ever done that.
03:08 < xamithan> a worse vpn will user something like pptp and just a user|password to get in
03:08 < RoadRunner> xamithan: vpn recommendations?
03:08 < ALowther_> Wait, you're doing all of this over a VPN? Just have them connection directly to the VPN & they will be on your "local" network. You can SSH directly.
03:09 < xamithan> Whatever you want,  they are mostly all the same
03:09 < xamithan> I think most people use IKE nowadays though
03:10 < RoadRunner> where is it based?
03:10 < ALowther_> I believe he is talking about a protocol for setting up your own VPN network, not using a 3rd party one.
03:11 < xamithan> Yeah the protocol,  most all support IKE unless it is a really really old device
03:11 < RoadRunner> ok xamithan, where could I learn how to do that?
03:12 < ALowther_> https://openvpn.net
03:12 < ALowther_> This is what I use for my VPN network
03:13 < ALowther_> But you will need to make sure you configure everything properly, otherwise if the routing tables are messed up yourself/your friend may not be able to access the internet
03:15 < RoadRunner> I got much to learn about vpn's; best place to start?
03:15 < ALowther_> RoadRunner: For a more streamlined solution, turn off Password authentication on the sshd config file on your friend's computer, generate an ssh key with ssh-keygen, add your .pub to your friend's ~/.ssh/authorized_keys file and only you will be able to get in
03:17 < ALowther_> To clarify. Generate an ssh key with ssh-keygen on YOUR local computer. Then take that key, ONLY the public key, there is also a private key generated, ONLY FOR YOU. Put the public key in their authorized_keys file and you should be able to get in. The file/directories could be elsewhere. What I named is just a common configuration.
03:19 < RoadRunner> I am getting confused btw ssh and vpn solutions here...
03:20 < ALowther_> A VPN connection, is essentially, just a wrapper. It encrypts all of the data you are sending.
03:23 < RoadRunner> but you still need to port forward, right?
03:23 < ALowther_> Not if you have the VPN connection set up.
03:24 < RoadRunner> is there a place with a comprehensive right up on all of this; ie: a step by step cook book?
03:24 < RoadRunner> *write-up
03:25 < ALowther_> Which thing? VPN connections or SSH?
03:25 < RoadRunner> I guess both wouldn't hurt
03:27 < ALowther_> http://www.steves-internet-guide.com/understanding-port-forwarding/
03:27 < ALowther_> This isn't SSH centric, but it covers port forwarding, which is really the question at hand
03:32 < RoadRunner> I was actually hoping for something  specializing in vpn and ssh :)
03:33 < SporkWitch> RoadRunner: broad questions get broad, unfocused answers
03:33 < SporkWitch> RoadRunner: if you want something more specific, you need to ask for something more specific.
03:34 < ALowther_> RoadRunner: If you read up on a VPN and really start to understand it, it will answer your SSH question. Using a VPN allows you to access any other computer also connected to the network with a LAN address.
03:35 < SporkWitch> depending on configuration, anyway
03:35 < RoadRunner> SporkWitch: alright, how about this: would really apreciate links to manuals specializing in vpn and ssh
03:36 < SporkWitch> RoadRunner: man ssh :)
03:36 < RoadRunner> did that first thing and was overwhelmed by details yet still am shy of concepts...
03:36 < SporkWitch> RoadRunner: snark aside, you have to understand that these are very high-level questions; most of the people here are working at a much lower level.  What you want is going to take a google search, which means you should google it
03:37 < ALowther_> RoadRunner: VPN's and SSH don't necessary go hand-in-hand like that.
03:37 < SporkWitch> RoadRunner: i'd suggest search strings along the lines of "what is / how does ssh / vpn work"
03:37 < ALowther_> Your question really seems to have a lot less to do with SSH and more to do with general networking and understanding how to contact other computers.
03:38 < ALowther_> I have found ssh.com to be a wonderful resource. It is maintained by the inventor of SSH
03:38 < xamithan> Might as well just go read some CCNA and CCNP books first
03:38 < SporkWitch> ^
03:39 < xamithan> Any guide you going to find is going to be specific to whatever piece of software you are working with.  Any guide like say,  man ssh.  Is going to be too broad to understand
03:42 < RoadRunner> considering I've been building lan's on gateways built by myself for a while, I don't think a basic lesson in networking or portforwarding is needed; I asked specifically about what I haven't used before which is ssh and vpn's.  Have started today with ssh.com but perhaps I can do more research still.
03:42 < ALowther_> The solution to your question is to set up port forwarding. You then became concerned with security which got your interested in VPN. As I continue to learn, I keep coming to the same answer for myself. Everything is actually built of really small, really simple pieces. It's the combination of those tens or hundreds or thousands of simple pieces that give the perception of complexity. If you are willing to take the time to dig into ea
03:42 < ALowther_> ch small, simple, piece it all starts to come together.
03:44 < ALowther_> RoadRunner: Yes, I would read SSH.com it will state things more explicitly than "man ssh".
03:44 < xamithan> At a basic level ssh is simple though,  ssh user@host,  put in your password.  You are done.  Things get more complicated if you want to start doing reverse tunneling or setting up key pairs
03:44 < SporkWitch> eh, keypairs aren't that complicated
03:45 < ALowther_> Unless you decide you want to research the maths behind the algorithms :p
03:45 < xamithan> I don't know his knowledge level but I agree it isn't complicated.  You could still get lost in pages and pages of documents explaining how crypto and PGP work though
03:45 < SporkWitch> sure, but even just the concepts of HOW it works aren't that crazy; don't necessarily need the maths directly
03:46 < SporkWitch> i was mostly just talking in terms of use, though
03:46 < tds> it gets a bit more complex if you want to use a gpg smartcard or an ssh ca or something, but yeah, it's not too bad
03:46  * SporkWitch hugs his yubikey :P
03:46 < ALowther_> RoadRunner: https://www.ssh.com/ssh/keygen/
03:46  * tds should really get another one after losing his
03:47 < SporkWitch> smartcard isn't too bad; there's easily found articles that'll hand you the settings and step-by-steps.  CA does get a bit complicated, have done that one before too
03:47 < SporkWitch> and if you're on windows, well, just don't even bother; windows is shit >_<
03:48 < tds> I'm still slightly uncomfortable with storing my gpg keys on smartcards though - afaik most of them don't actually encrypt the key data with the passphrase, the chip just checks that the passphrase is correct?
03:48 < SporkWitch> (WSL could almost be viable, but it is deliberately prevented from using USB devices; gpg4win can let putty and tunnelier use yubikeys though)
03:48 < tds> it's fine for ssh since that's relatively simple to revoke/swap, but pgp is more of a pain
03:48 < ALowther_> There is a command that generates it for you. If you are able to connect to your friend's computer, you can then use ssh-copy-id, https://www.ssh.com/ssh/copy-id, to handle everything for you. Then go into sshd config and turn off password authentication, https://www.ssh.com/ssh/sshd_config/. You should be fine.ss
03:49 < SporkWitch> tds: i don't know about that one way or the other, but if they do what they're _supposed_ to, they're physically incapable of revealing the privkey programmatically.  The only way to extract it is destructive, requires a _very_ expensive lab, and even then has a low chance of success
03:49 < SporkWitch> tds: this obviously falls apart if there's a flaw in the firmware, but as with anything, trust has to be placed at some level of the system
03:50 < tds> ah yeah, I certainly don't think extracting data off a microcontroller's flash is easy, I'm just uncomfortable with the idea of it
03:50 < SporkWitch> tds: and i'm saying you shouldn't be; this isn't something that even the government can do easily or consistently, even if they have the motivation for it (AFAIK)
03:51 < RoadRunner> a question about another solution offered earlier: teamviewer isn't in ubuntu software, or in synaptic- just on their web page. Probably a private repository, it's not open source, is it ?
03:51 < SporkWitch> very no
03:51 < tds> iirc teamviewer on linux is just wine and their windows application bundled into a deb?
03:51 < SporkWitch> don't know, just know you shouldn't use it lol
03:52 < RoadRunner> SporkWitch: why?
03:52 < tds> SporkWitch: there's also the usability side of it, having to revoke subkeys and all that when I lose the smartcard is a pain :P
03:52 < SporkWitch> RoadRunner: huge, gaping security issues lol
03:53 < SporkWitch> tds: that's a flaw in key-based access regardless.  the nice thing about smartcards and yubikeys is that most people tend to be good about positive control over their keychains and wallets
03:54 < RoadRunner> thank you for all the help :)
03:54 < SporkWitch> i strongly prefer smartcards over USB tokens for that reason: easier storage, cheap replacement, and it has the added bonus of requiring a reader, which is a barrier to casual use by unauthorized parties
03:55 < SporkWitch> i have a really nice card reader, folds up to the size of your average USB flash drive.  keep that on my keychain and the smartcard in my wallet; i wasn't able to find enough information on the sigilance card though to get me to buy it.  There's jsut no real documentation, while yubikey is VERY well documented and supported, so i ended up going with those
03:56 < tds> ah yeah, by "smartcard" I just meant a usb gpg smartcard (eg yubikey), I may try real physical cards at some point though
03:57 < SporkWitch> my certifying key, unique auth subkey, and shared encryption key sits on a NEO in my safe.  Another NEO with the shared encryption and unique auth and signing keys for use on phone and desktop (it supports NFC).  A Nano with the shared encryption, unique auth and signing, for use on laptops (I don't like the NEO sticking out of a laptop's ports, i always worry about damage; nano is perfect since
03:57 < SporkWitch> it just barely juts out enough to activate it)
03:58 < SporkWitch> i actually did cards first, because i was active duty military, so i had a reason to buy a reader so i could access some work stuff from home (DOD CAC is a smartcard, not just a photo id)
03:58 < SporkWitch> even ported a tool for feeding system entropy with entropy from a card's TRNG
03:59 < SporkWitch> (significantly reduces the time to generate random data, and as far as all testing i did, the feitian card i bought produced wonderfully random data)
04:55 < light> sublime
05:55 < toastedbread> does anyone know about shoutcast servers?
05:57 < linux_probe> just how loud do they shout?
05:59 < toastedbread> How does a shoutcast work with posting a current song playing in a channel
06:04 < toastedbread> !commands
06:43 < Al_nz1> I am trying to identify the IP address and subnet of a camera up a pole. I plug into the plain ethernet side of the injector and open up wireshark. I can see
06:44 < Al_nz1> microchi_66:99:fd broadcast ARP who was 192.168.137.22 Tell 192.168.137.1
06:44 < Al_nz1> there is a bit of other traffic, but this appears to tell me that the camera is on 192.168.137.1 ?
06:44 < Al_nz1> or am I reading this wrong?
06:48 < linux_probe> kind of sounds that way, unless there's other stuff running off that injector/line
06:49 < Al_nz1> linux_probe: just me and the camera - injector in the middle
06:49 < Al_nz1> when i put my PC on 192.168.137.50 and try to ping 192.168.137.1 I get Ping Transmit failed General Failure (Im on a windows PC)
06:50 < linux_probe> maybe your machine had that ip before on other network
06:50 < Al_nz1> my laptop had which IP?
06:51 < linux_probe> x.x.137.1
06:53 < Al_nz1> linux_probe: why would the camera want 137.1 to be told who has 137.22?
06:53 < linux_probe> are you sure that's the camera?
06:55 < Al_nz1> https://imgur.com/a/mekUr82
06:56 < Al_nz1> linux_probe: the source for that broadcast line is definitley matching the last few digits of the camera mac address
06:56 < Al_nz1> what if the camera is still on DHCP? but was last on a subnet different to the current one
06:58 < linux_probe> it could be some sort of auto-ip if DHCP went away
06:59 < linux_probe> what does your laptop get if you plug into the network there
06:59 < Al_nz1> dunno - I would have to go backonsite but they are 192.168.1.x
07:02 < linux_probe> unless the cameras are on a vlan or other network. who knows, camera may simply be firewalled except other ports, port scan it?
07:02 < Al_nz1> yeah, just got zenmap -thats my next attempt
07:02 < Al_nz1> I have used these cameras before......
07:03 < linux_probe> binoculars?
07:03 < linux_probe> maybe you can read the label lol
07:03 < Al_nz1> nah the IP wont be labelled
07:03 < Al_nz1> lol
07:03 < Al_nz1> but I know that Mac
07:03 < linux_probe> then lookup the camera directions
07:04 < linux_probe> likely says how to connect without dhcp and what not
07:06 < linux_probe> https://www.microchip.com/
07:06 < linux_probe> is who the mac range goes to
07:10 < Al_nz1> yeah I might try to call them tonight
07:10 < Al_nz1> thanks
07:10 < linux_probe> dont know if they make cameras though, probably just the chip manufacture
07:14 < linux_probe> may help...
07:14 < linux_probe> https://www.microchip.com/design-centers/ethernet/ethernet-devices/applications/automation-access-security/ip-camera
07:15 < linux_probe> it looks like they're firewalled and only allow specific selected tiings through
07:24 < liveuser11> A_D you were compromised?
07:24 < A_D> ...no? not that I know of
07:25 < liveuser11> StevenR hello
07:25 < liveuser11> A_D it is well that you respond.
07:26 < liveuser11> Do you recall what went on these past say 10 years?
07:26 < liveuser11> In turn it is quite a new retrospection.
07:26 < A_D> k
07:27 < liveuser11> Staying awake?
07:28 < liveuser11> A_D: shying away now?
07:28 < A_D> Sure, why not.
07:29 < liveuser11> You are Christian?
07:30 < A_D> Sure, lemme answer random questions from a random unknown user
07:30 < liveuser11> Such a primary "why not" I can go on.
07:32 < liveuser11> Have you ever met somebody who complains of repeatedly having nonsense things stolen from it?
07:34 < liveuser11> Network, what can cause somebody to become a target for such nonsense theft and what can be a motive of such seemingly unconnected thieves?
07:35 < liveuser11> I start with things almost mundane, because I have much deeper things in mind and if somebody cannot carry on simple logic somebody leaves me lonely.
07:37 < liveuser11> There are times when justice is barricaded by the some scenario.
07:38 < liveuser11> If I walk away is it just?
07:39 < liveuser11> If I hunt how shall I fall on so many?
07:40 < liveuser11> It went deeper A_D
07:41 < liveuser11> We gave the prosody context for balm.
07:41 < linux_probe> deeper than a creeper on reaper
08:07 < Bugz_> Hello
08:11 < liveuser11> Bugz_: did you really download a game of shank
08:20 < michagogo> SporkWitch: re: requiring a reader, I guess that depends on what your environment is, what country you’re in, etc.
08:21 < michagogo> Some places have national ID cards that are smartcards and are useful online
08:22 < knocksee> Super noob question: If i use a USB 4g stick in my asus rt-ac87u, does it use the antenna in the asus for the 4g or the sticks antenna? I assume the sticks?
08:22 < michagogo> Or places with public transportation smartcard systems that encode data on the card itself (e.g. Calypso-based systems), so to reload from home you either need a phone with NFC or a card reader l
08:22 < michagogo> knocksee: rt-ac87u being a router or access point or something?
08:23 < michagogo> Yeah, pretty sure it’ll use the stick
08:23 < knocksee> yeh thats what im thinking
08:24 < michagogo> Afaik WiFi and cellular connections use different antennae
08:24 < michagogo> If the router were using its own antenna, it would probably just have a SIM slot
08:24 < knocksee> we have a huawei E5180 and it only gets around 7mbit, we use our phones and we get around 22mbit, all to the same test server
08:25 < michagogo> 🤷🏼‍♂️
08:25 < knocksee> i assume its the shitty antenna in the modem
08:26 < michagogo> Maybe
08:26 < michagogo> Or it could be the router
08:26 < michagogo> Or maybe for some reason you’re on 3G?
08:26 < michagogo> Or it could be something else about the modem, firmware or cpu or something
08:27 < michagogo> Lots of potential factors, most of them tough or impossible to isolate
08:27 < knocksee> hmm
08:27 < knocksee> true - i should take the router out of the equation and test
08:27 < michagogo> For example, I might try the modem on a computer directly
08:28 < michagogo> Now that I think about it, I don’t know what USB 2 throughput is.
08:30 < michagogo> Never mind, looks like it’s a few hundred Mbps
08:32 < linux_probe> usb 2.0 was 480Mbps or 60MBps
08:35 < linux_probe> real world is more like 20 to 40MB/s
09:07 < regdude> In Cisco world, the SVI (Switched Virtual Interface or something like that) is simply a configuration option that allows you to route traffic between VLANs or does it do something else?
10:15 < Apachez> its the vlan interface with ip address configured (ipv4, ipv6 or both)
10:16 < Apachez> once it got that packets who arrives to this (virtual) interface can be routed through other vlan-interfaces (who got ip configured)
10:16 < Apachez> thats a common mistake when people enable routing in l3 switches
10:16 < Apachez> through the "ip routing" command (or similar)
10:16 < Apachez> because now client vlan can reach mgmt vlan
10:16 < Apachez> and stuff in mgmt vlan can reach outside mgmt vlan etc
10:19 < regdude> but there is no other function that this Cisco SVI is doing other than allowing routing between VLANs on the the device, right?
10:23 < Apachez> well its a way to access the device itself
10:24 < Apachez> if you dont put up any acl's and you enabled telnet/ssh/http/https then this ip can be used to login to your switch too
10:24 < Apachez> and it will use this ip for dynamic routing protocols as source interface
10:24 < Apachez> same with syslog
10:24 < Apachez> and ntp etc
10:24 < Apachez> your switch cannot sync its time to a ntp server unless your switch have one ip configured and the ntp is reachable through this ip
10:42 < regdude> so it is simply an interface that is allowed to access the CPU
10:42 < Apachez> cpu and routing
11:04 < yumbox> is there a way I can test if DNS over HTTPS is working?
11:04 < yumbox> I have it setup on my pc, and want to know if it's setup correctly.
11:07 < grawity> make a DNS request, and use Wireshark to see where it goes
11:35 < easy_ref123> any help identifying the syntax of this route?
11:35 < easy_ref123> 0.0.0.0 0.0.0.0 192.168.1.2
11:36 <+xand> default gateway?
11:36 < djph> gateway of last resort
11:36 < djph> mornin' xand
11:36 <+xand> hi
11:37 < grawity> easy_ref123: when written like that, it's almost always "<destination> <netmask> <gateway>"
11:38 < easy_ref123> thanks guys
11:40 < DK2> whats the best way to prevent synflood on a linuxbox?
11:40 < DK2> iptables?
11:41 < grawity> I've *heard* that iptables' SYNPROXY is good
11:41 < Apachez> "prevent"?
11:41 < Apachez> nullroute the offending srcip
11:42 < Apachez> so the packets never reaches your linuxbox
11:43 < DK2> Apachez: hard if theres a big amount of spoofed ips
11:43 < DK2> i had ~120 IPs in the attack not counting the false positives i would also nullroute
11:43 < Apachez> so pick those out with grep and whatelse
11:43 < Apachez> do a script to create the ip route to null for these ip's
11:43 < Apachez> and then push it into your edge
11:43 < Apachez> done!
11:44 < DK2> but how i can i tell the diffrence between godo an dbad i
11:48 < dionysus69> what is the benefit of digital ocean private networking?
11:49 < dionysus69> so you can close down access to the internet while still be able to connect to other nodes in the same region? or it has other implications too
11:50 < Apachez> no idea, what does their buzzword marketing papers tells you?
11:51 < Apachez> DK2: well put up a baseline of what is the expected rate of incoming syn's per ip in your solution
11:51 < Apachez> and then you like double that number to pick out prime suspects who are synflooding you
11:52 < ShapeShifter499> hi
11:53 < ShapeShifter499> I would like to limit a single program from uploading and downloading to much at once, limiting the bandwidth.   What should I use for this on Linux?
11:53 < ShapeShifter499> The program in question is duplicity
11:54 < Apachez> start by checking if this program have a setting for this
11:54 < ShapeShifter499> it doesn't
11:54 < dionysus69> you need a shaping tool, google shape a single linux process or something
11:54 < Apachez> next, can you configure this software to use a particular interface?
11:58 < ShapeShifter499> dionysus69: Apachez I came across trickle but I got a error trying to compile it on my Raspberry Pi
12:08 < skyroveRR> ShapeShifter499: well, what error?
12:08 < ShapeShifter499> skyroveRR: this one https://github.com/mariusae/trickle/issues/22
12:10 < kbaegis> Hey all. Upgrade from 4.15 to 4.16 completely broke my networking stack
12:11 < kbaegis> Anyone know why a kernel (same modules) running ovs/lacp in 4.15 would work fine, but a 4.16 version would fail to receive traffic?
12:11 < bingojingo2> ji
12:12 < ShapeShifter499> skyroveRR: seems exactly like what I wanted too
12:12 < kbaegis1> Could use some help here
12:13 < bingojingo2> can anyone here with a GOOGLE account please tell me how far back you can view your timeline's history on google maps? Please check this on your account, thanks
12:13 < skyroveRR> ShapeShifter499: what's your cross compile triplet called?
12:14 < ShapeShifter499> skyroveRR: I'm building directly on my Raspberry Pi
12:14 < skyroveRR> Like, arm-linux-gnueaabihf?
12:14 < grawity> bingojingo2: the year dropdown goes all the way back to 2009, but I only got an Android phone in 2013 so that's where the actual data starts
12:14 < skyroveRR> ShapeShifter499: what does gcc --version give you?
12:15 < ShapeShifter499> skyroveRR: gcc (GCC) 8.1.0
12:15 < bingojingo2> gravity:  thanks
12:15 < grawity> actually hmm
12:15 < skyroveRR> ShapeShifter499: err sorry, gcc -v?
12:16 < ShapeShifter499> skyroveRR: this https://gist.github.com/ShapeShifter499/37af46ec37442619d6b05ed619589c0f
12:17 < bingojingo2> gravity:  so you can view your timeline's data starting from 2013 up until now?
12:17 < grawity> yes
12:17 < skyroveRR> ShapeShifter499: what configure command are you passing?
12:17 < grawity> I don't remember when I bought the phone though, but sounds about right for its model
12:18 < bingojingo2> so thats 5 years of data]
12:19 < bingojingo2> my computer was seized and my data has suspiciously been deleted by the police.  Seems lke some corruption has occurred now i can make acomplaint
12:19 < ShapeShifter499> skyroveRR: I was using the PKGBUILD here from the AUR for Arch Linux    https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=trickle      I passed "-A" flag to makepkg to ignore architecture and build anyways.       "./configure --prefix=/usr \ --mandir=/usr/share/man"   is what I see.
12:20 < kbaegis1> Same freaking kernel config
12:20 < kbaegis1> :/
12:21 < skyroveRR> ShapeShifter499: try putting in --build=aarch64-unknown-linux at the end of the configure command
12:22 < ShapeShifter499> skyroveRR: it's building now
12:23 < skyroveRR> ShapeShifter499: :)
12:23 < ShapeShifter499> so what should I tell the developer?
12:23 < skyroveRR> To put in the --build option, duh.
12:24 < Apachez> ShapeShifter499: if the software can lock to srcip then I would setup a virtual interface and then use tc qdisc to shape that into whatever speed you like
12:24 < Apachez> the software locks to this virtual interface and tada!
12:27 < ShapeShifter499> skyroveRR: the PKGBUILD is maintained by a different person then trickle.
12:27 < ShapeShifter499> so tell whoever uploaded the PKGBUILD?
12:42 < ShapeShifter499> skyroveRR: I don't know where that ./config.guess file is coming from
12:49 < phre4k> docker isn't answering, so maybe you have a clue: this is my docker-compose.yml: https://paste.linux.community/view/raw/0df89428 and when I do docker network inspect it shows me "Subnet": "172.22.0.0/16" → why did this happen and why is it so huuuuge?
12:49 < phre4k> s/docker/#docker/, s/you/you guys/
12:49  * phre4k injects coffee
12:57 < mosulica> https://i.redditmedia.com/RGhKvft_3RGTLB2SbCjtvWzMWlYpseyDe2dL1Wh5D_U.jpg?w=600&s=3639a00a20556e4339fcba25a0feecdc
12:57 < mosulica> https://www.ejobs.ro/user/locuri-de-munca/iron-hostel-cj-angajeaza-om-care-sa-nu-faca-nimic-de-la-12/1053588
13:25 < liveuser11> doot doot doot
13:25 < liveuser11> does dat be a good thing?
13:27 < liveuser11> smoove?
13:30 < rendar> can i ping an host let's say 20 times every 2 seconds, and wait like 5 minutes (so if the network is lagged i'm ok) and if i get nothing in 5 minutes, ping rertuens error?
13:31 < djph> ping should get a response nearly instantly ...
13:32 < rendar> djph: not if network is lagged, i would to wait at least 1 minute
13:32 < djph> although, if you're using a network monitor, you can usually configure something like that (although it's X pings, not X minutes, usually)
13:33 < rendar> i'm in a bash script, and the machine must check if another machine in the local lan is still up or not
13:34 < djph> have fun
13:34 < rendar> djph: ping has -W timeout option
13:35 < tpr> install nagios they said, it's fun they said
13:38 < djph> tpr: "fun(tm)"
13:38 < djph> get it right
13:44 < tpr> :P I tried but got frustrated with it (for my home network)
13:45 < tpr> but it has a ping plugin! which works at least sometimes on some platforms, maybe ;)
13:45 < djph> tpr: no, I was saying you misspelt 'fun(tm)'
13:45 < tpr> unfortunately either free disk space or memory piece didn't
13:45 < tpr> ohhHH
13:45 < djph> yeah, it's a bit of a bear to get working
13:45 < djph> especially the bits that rely on SNMP
13:51 < v0Lk> Anyone ever use the Cisco IXM LPWA 800 LoRa gateway? I have a few questions
13:56 < eschmidbauer> hello-- newb question here... we want to be able to use ecmp/ospf to distribute ingress traffic (hashed based on client (src) -> srv (dst)) out egress to a private subnet
13:56 < eschmidbauer> is this possible?
13:57 < eschmidbauer> like basically packet A comes from internet and hashed so the client traffic is consistently sent egress to subnet
14:08 < eschmidbauer> basically need stickiness... but the packets get modified on the server before getting sent out egress
14:14 <+catphish> eschmidbauer: you want NAT, not just plain routing?
14:15 <+catphish> eschmidbauer: i suppose the first question is: why do you want to modify the packets?
14:17 <+catphish> if you didn't want to modify the packets, iBGP + ECMP would do this out of the box, no need for the private IPs
14:21 < skyroveRR> ShapeShifter499: perhaps contact that dude maintaining it?
14:40 <+catphish> eschmidbauer: ?
14:40 < skyroveRR> Hey catphish
14:40 <+catphish> hi
14:42 < xirg> Hello, out of these supported options: [3.5" or 2.5" SATA 6Gb/s, 3Gb/s HDD or SSD, hot swappable]
14:42 < xirg> What is the best type of drive for a home QNAP
14:43 < djph> the one with the best features at a pricepoint you can easily swallow
14:43 < xirg> SSD or HDD?
14:44 <+catphish> well SSD is going to be faster and more expensive for the same capacity
14:44 < xirg> I know ssd is faster but isn't hdd better sometimes
14:44 <+catphish> afaik no
14:44 < djph> well, cheaper for the same capacity (or more capacity for the same price)
14:44 <+catphish> cheap SSD might be less reliable then a good spinning disk
14:45 <+catphish> but overall SSD is better
14:45 <+xand> HDD is only better for cost/GB
14:45 < skyroveRR> And for consistent writes of data.
14:46 <+catphish> skyroveRR: citation needed
14:46 < xirg> xand, yea i was just reading that.  For massive amounts of data HDD is a better option, i think i'll go with ssd
14:47 < skyroveRR> catphish: database writes?
14:50 <+catphish> skyroveRR: i think modern SSDs do indeed still have write limits, perhaps 5,000 writes for a good quality one
14:51 <+catphish> but that means replacing all your data once a day for 10 years
14:51 <+catphish> so i suppose one must consider the use case
14:59 < Apachez> yes they do but they also have better whats it called underprovisioned areas
14:59 < Apachez> like your 512GB SSD is actually 600GB or something
14:59 <+catphish> yes, they have spare replacement sectors
14:59 < Apachez> so even if you write like 1TB/day you can do so sustained rate for the next 20 years or so
15:00 < Apachez> na its not spare repleacement
15:00 <+catphish> but those are more for random premature failures than the ones that will happen in bulk when you've written too much
15:00 < Apachez> they are used daily
15:00 < Apachez> since the ssd constantly remaps physical location of each LBA
15:00 <+catphish> well yes, some extra is needed to do wear leveling of course
15:01 <+catphish> but some are spare too
15:01 < Apachez> dunno if spare is used anylonger the way they used to
15:01 <+catphish> (possibly all the same, i'm sure the conteroller manages it all magically)
15:01 <+catphish> tbh the spares may all get used
15:02 <+catphish> but there's enough capacity for both wear levelling and for some to fail
15:02 <+catphish> in any case, with 2000-5000 writes, you can write your 1TB a day for several years
15:05 < Apachez> back in the days if you wrote to LBA12345 then you wrote to that physical position (unless it was marked as damaged and a spare sector was used)
15:06 < Apachez> today with SSD when you write to LBA12345 you actually write to LBA88373 and next write to LBA12345 becomes a physical write to LBA43039
15:06 < Apachez> and so on
15:06 < Apachez> and the firmware will keep track of this mapping
15:06 < Apachez> so that from the os point of view you read and write from LBA12345
15:07 < compdoc> thats too complicated. Im going back to floppy discs
15:07 < Apachez> funny note, most SSD's have their own operating system running
15:07 < Apachez> and malware have started to come this way too :)
15:07 < Apachez> which will be fun
15:07 < Apachez> when your antivirus reads the file its perfectly fine
15:07 < Apachez> but if some other process reads the same file all hell breaks lose :P
15:27 < eschmidb_> hey catphish- we are dealing with SIP so we need to modify packets
15:28 < eschmidb_> and also, the purpose of iBGP/ECMP is to do anycast on private subnet
15:28 < eschmidb_> but we need client to also get distributed to same node in subnet unless that node goes down (and another takes over)
15:29 < eschmidb_> im thinking maybe just use multiple interfaces on source egress
15:29 < eschmidb_> and use anycast IP as dest-- i thnk ECMP should distribute consistently this way ( could be wrong)
16:17 < stubbyroot> Hoping someone can help me out with this. I'm on an old 6500 series trying to sort the cam table for specific manufacturer but having issues. Right now I'm using include with 0005\.[a-z0-9]{4}\.[a-z0-9]{4} but that's not working. Any ideas? Where am I going wrong?
16:19 < stubbyroot> The regex should match but isn't at least not on ios.
16:19 < stubbyroot> The MACs Im trying match all start with 0005
16:29 < kilmanio> Hey people, I've been using my ISP's modem/router since forever and it seems like a good time to switch. Where do I start?
16:29 < Epic|> Decide on a budget
16:29 <+catphish> the first question is why
16:29 < Epic|> Look at supported hardware from your ISP
16:30 <+catphish> make sure to start by checking 1) whether the ISP allows you to use your own hardware, or 2) if they will provide a bare modem, to which you can add your own router
16:30 < regdude> is there a name for a MPLS setup where CE-PE-P-P-P-PE-CE ? Or should it just be called PE-P-PE?
16:31 < Emperorpenguin> yes
16:31 < Emperorpenguin> :D
16:31 < Emperorpenguin> it's just PE-P-PE
16:31 < Emperorpenguin> it doesn't matter how many P you have inbetween
16:31 < regdude> thanks!
16:31 < regdude> just checking if there is a nice name for it
16:31 < Emperorpenguin> I mean you shouldn't even care how many hops you pass
16:31 < Emperorpenguin> as long as it works right?
16:32 < regdude> thought there might be a difference since explicit null is not possible between Ps
16:32 < kilmanio> catphish, I can just put it in bridge mode, right?
16:33 < rendar> if some host ping me, what actually the system replies in the icmp packet? can i fill the icmp packet with some extra info that ping can grasp?
16:33 <+catphish> kilmanio: if the existing device has a real bridge mode that disables the router entirely, yes
16:33 <+catphish> kilmanio: what technology is this? cable? vdsl? satellite? avian carrier?
16:34 < kilmanio> I have a coaxcable
16:34 <+catphish> ok, cable, then hopefully you can put your existing device into a bridge mode than will disable its router, and use your own ethernet router instead
16:34 <+catphish> *that
16:35 < xirg> I'm excited i just ordered this: https://www.amazon.com/gp/product/B075N1BYWX/ref=oh_aui_detailpage_o02_s00?ie=UTF8&psc=1
16:36 <+catphish> cool, those are nice
16:38 < kilmanio> If I get something like an ubiquiti edgerouterX and an AP I should be fine, right?
16:39 <+catphish> as long as your modem will work as a pure modem, yes, and that's a good choice :)
16:43 < rendar> when someone ping me in linux, what is the facility that actually replies to the pings? where i can configure it?
16:43 <+catphish> rendar: it's the linux kernel
16:43 < rendar> catphish: as i thought
16:43 <+catphish> rendar: you can configure it through "sysctl" options
16:43 < rendar> catphish: can i say to the kernel that i want to insert some data into the ping packet?
16:43 <+catphish> there's not much to configure about ping responses, except to rate limit them
16:44 < rendar> what about data like ping -p ?
16:44 <+catphish> no, i'm pretty sure it has to respond with the same data it was sent
16:44 < rendar> i see
16:45 < rendar> i wish to check from my raspberry, with a simple ping or something simple like that if something is on or off in my local desktop machine
16:45 < rendar> can i do this with icmp? without installing servers or something
16:45 <+catphish> no
16:46 < rendar> ok, any ideas?
16:46 <+catphish> write a server to do it
16:46 < rendar> maybe i can do that with nc
16:46 < hmig> anyone know if this STP topology is actually viable? https://imgur.com/a/qPqx3HL
16:47 < hmig> i plan to stack the two core switches ordered DAC cables but they may not arrive in time
16:47 < turtle> I have a lot of ideas. a buffet style mexican restaurant where everyone eats out of a trough. a realdoll time sharing venture.
16:47 <+catphish> hmig: i don't see why not, isn't that a pretty standard setup?
16:48 <+catphish> stacking the core and using LACP for everything would be beter, but that setup should work
16:49 < hmig> thats the goal
16:50 < hmig> im my topology i have a priamry root and and secondary root, thats better than just having a single root bridge right
16:51 < hmig> i know it sounds like a dumb question
16:51 < hmig> lol
16:52 < Roq> hmig: Check if your switches supportd 'distributed trunking' this allows for an interswitch link connection between the two core switches. stack functionality without actually stacking
16:52 < hmig> they support IRF
16:53 < Roq> http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8160_ssw_mcg/content/ch04s14.html
16:53 < hmig> HPE's stacking technology
16:53 < hmig> they dont support an actual module on the back for stcking tho
16:54 < Roq> I'm not sure if IRF is the same as Distributed trunking
17:04 < fishar> hi does anyone here use Cisco ASR 903?
17:08 < Epic|> Catphish, ISPs tend to provide shit tier hardware
17:14 < eto> hello
17:15 < eto> i would like to know if there exist something like echo packet at ethernet layer level
17:15 <+catphish> yes, come on in, we have cookies
17:15 <+catphish> no
17:16 <+catphish> there is no such frame
17:16 < eto> i know there are several arp ping tools but i am mostly interested in something get get filled source and target mac and gets reflected back
17:16 < UncleDrax> OAM-EFM/CFM can do some layer-2 type stuff, but if you're tyring to do it over a WAN/Internet, it won't do that
17:17 < eto> catphish: that's a pity, so how does for example switch know link is active? it relies on what physical layer reprts?
17:17 < UncleDrax> but it also requires devices to support it
17:17 <+catphish> eto: yes that, switches don't even have a MAC address to send frames from
17:18 < eto> UncleDrax: this for use on local and "virtual networks"
17:18 <+catphish> a switch only cares that the physical link is up
17:19 < eto> catphish: wait, i understand it as switch having some switching processor inside - which learns the source and target macs to route packets - this unit doesn't have mac address itself?
17:19 < eto> UncleDrax: thanks will look into those acronyms
17:20 < UncleDrax> eto: ya see if your HW supports OAM-EFM (802.3ah-2004).
17:20 < UncleDrax> Would you like to know more? https://en.wikipedia.org/wiki/Ethernet_in_the_first_mile
17:20 < pekster> It's just associating discovered (seen) MACs to ports; a pure Layer-2 switch doesn't have or need its own MAC. A "managed" switch will have its own MAC, but that's just used for traffic being sent to the administrative address on the switch (and only for VLANs/ports the managed switch is configured to do so on)
17:21 < kilmanio> Should I use dns over https
17:21 < eto> so for example when switch actually has mac, it is "managed" interface that is inside attached to swithing core, switching core itself has no mac
17:21 < pekster> eto: Exactly!
17:21 < my_mind> place i work at has voip phones and computers connected to same router and switch,
17:21 < UncleDrax> eto: OAM-CFM (Connectiby Fault Management) can be used like a layer-2 BFD over an Ethernet link where you might not have visibility into the middle. again requires device endpoints to support it.
17:22 < eto> UncleDrax: thank you very much !
17:22 < my_mind> I want to seperate them.
17:22 < my_mind> is this switch good for use only for the phones? https://amzn.to/2ILeori
17:22 < my_mind> TPlink 24 port unmanaged
17:23 < UncleDrax> (having not touched an unmanaged switch in forever, it correct to say an unmanaged switch still likely wouldn't be VLAN aware?)
17:23 < eto> okay because i am playing with software switches too, and both i have experience with seem to have mac attached to interface representing software(!) switching core itself
17:24 < eto> is this os architecture limitation ? (each device, even if virtual, requiring mac address)
17:24 <+catphish> eto: a simple switch indeed has no MAC itself, it doesn't need one
17:25 < eto> for example both linux and freebsd software bridges get their own mac addresses on creation
17:25 < Reventlov> Searching for a way to force mcs change on Linux (iwlwifi), any idea?
17:25 <+catphish> eto: it only needs a MAC if it's managed and things need to talk to it
17:25 < Reventlov> using iw to change bitrate / mcs works, but only temporarily (seconds)
17:25 <+catphish> eto: a linux bridge has a MAC because it has an extra port hat goes to the host itself, that's the MAC of the host
17:25 < my_mind> catphish: i need to seperate the computers and the phones.
17:26 <+catphish> my_mind: why?
17:26 < my_mind> phones are not getting calls
17:26 < my_mind> *most phones
17:26 < my_mind> bad connection
17:26 < UncleDrax> my_mind: in most 'Phone' cases, you'd want: a VLAN aware switch that does PoE. which usually means managed. TP-Link makes things that fit that bill.
17:26 <+catphish> my_mind: i don't think separating them is gong to help with that
17:26 <+catphish> as UncleDrax says, you would normally use a VLAN + PoE switch for phones
17:27 <+catphish> but that's not going to help with connectivity issues
17:27 < eto> catphish: ah i think i get it - so macs in software bridges (aka switches) actually represent host's port plugged into that switching core
17:28 < eto> and theoretically if no host conenctivity was required software switch would not need mac address - same way like real switching core
17:29 < eto> correct?
17:29 < my_mind> catphish: why wouldn't it help? the voip service company told me the network we're using is overloaded
17:29 < my_mind> we're using 2 ISPs connected to a dual wan router
17:30 < my_mind> dual wan router is connected to switch
17:30 < my_mind> and the phones and computers are connected to that switch
17:30 < my_mind> So I was thinking I need to get a seperate router and switch for the phones
17:31 < eto> it's still surprising that ethernet protocl doesn't provide a way to reflect packet from other mac in the core spec
17:32 < eto> my_mind: btw how does the voip company know that?
17:33 < my_mind> they're a small company, they are familiar with our network
17:45 <+catphish> my_mind: well they may well be right then, usually it's the WAN that gets overloaded long before LAN
17:46 <+catphish> but by having separate LANs you can route then to separate WAN connections, which will help a lot
17:50 < tds> eto: on linux the bridge interface should use the mac address of one of the member interfaces iirc (possibly the smallest/largest?)
17:52 < fnDross> catphish: see thats what i did, but i got flack
17:54 < fnDross> https://ibin.co/3wZx0gWjNDUu.jpg  << wan3 & AP to wan2 is on its own, leaving the local lan i/o alone
17:59 < kbaegis> Hey guys. I'm having issues with my kernel upgrade
17:59 < SporkWitch> If you have a question, just ask! For example: "I have a problem with ___; I'm running Debian version ___. When I try to do ___ I get the following output ___. I expected it to do ___." Don't ask if you can ask, if anyone uses it, or pick one person to ask. We're all volunteers; make it easy for us to help you. If you don't get an answer try a few hours later.
17:59 < kbaegis> 4.15.14->4.16.10
17:59 < SporkWitch> that said, this is ##networking, not #whateverOSyou'reon, ask your OS's support channel
17:59 < kbaegis> OVS isn't seeing packets anymore
18:00 < kbaegis> Reverting the kernel version
18:00 < tds> now that's more like ##networking ;)
18:00 < SporkWitch> tds: i'm still waiting for a coherent question, even if it's offtopic lol
18:01 < kbaegis> So I have two lacp interfaces in a bond under ovs
18:01 < kbaegis> And everything works perfectly under 4.15.14
18:02 < kbaegis> Upgrading to 4.16, I get no network connectivity from the host and I have to access it SoL/OOB
18:02 < kbaegis> Mods are all consistent, kernel config is the same
18:02 < SporkWitch> kbaegis: ask your OS support channel
18:02 < kbaegis> And all the interfaces are detected
18:02 < SporkWitch> newlines
18:02 < SporkWitch> are
18:02 < SporkWitch> not
18:02 < SporkWitch> a
18:02 < kbaegis> SporkWitch: I roll my own.
18:02 < SporkWitch> substitute
18:02 < SporkWitch> for
18:02 < SporkWitch> punctuation
18:03 < kbaegis> SporkWitch: I'll check with my "distro support", but that's not going to be helpful.
18:03 < SporkWitch> kbaegis: so you're asking ##networking to help you fix your homemade linux distro's non-networking problem? lol
18:03 < SporkWitch> go use a real distro
18:04 < qoxncyha> corporate LAN unblocked 1.1.1.1 DNS-over-TLS \o/
18:04 < kbaegis> SporkWitch: It is a networking problem. It's best not to speak if you have no valuable contribution. You don't have to help me if you don't want to.
18:05 < kbaegis> Can anyone help me figure out how to trace these packets? I was attempting to insert a trace rule for the raw table, and I was getting errors: iptables -t raw -I PREROUTING
18:06 < kbaegis> Thanks for the dm with offensive language, SporkWitch
18:07 <@catphish> kbaegis: if the kernel version is the only thing that's changed, it seems reasonable to assume it may be a bug, maybe worth a quick descriptive email to the appropriate mailing list
18:08 <@catphish> i've always found tracing packets through the kernel to be tricky, not sure how best to do that i'm afraid
18:09 < fnDross> ever run into clients failing >> "WPA: group key handshake"?
18:10 < tds> for ovs, I guess you could initially try tcpdump on the individual physical interfaces, then on the bond, then the bridge, and see where the issue is
18:10 <+catphish> kbaegis: have you done pcaps on the interfaces to see if anything is being phsically sent / received at all?
18:10 <+catphish> oh, what tds said
18:10 < kbaegis> tds: Did that already- I only see LACP/CDP traffic
18:12 <+catphish> it seems somewhat implausible that networking could be *that* broken
18:13 < kbaegis> Well I just checked my switch config to ensure that it's still trunking the appropriate vlans
18:13 <+catphish> also, it's worth considering that in linux, LACP is software, so it LACP frames are being exchanged, the NIC is working fine, meaning that i can't see how you could *not* be receiving other types of frame :(
18:13 <+catphish> unless LACP is what's broken and the switch is cutting you off
18:13 < kbaegis> Could it be receiving those only and not replying?
18:14 <+catphish> kbaegis: tcpdump will tell you
18:14 <+catphish> oh, well not really, it won't tell you if they physically leave
18:15 <+catphish> it could be that you're simply physically transmitting nothing, see if you can see LACP status on thw switch
18:15 < kbaegis> It's a netgear. I'll check the web interface since I don't know the command to monitor lacp from the cli
18:16 <+catphish> it might be there in the web ui, i'm not sure
18:17 <+catphish> can you plug it into another linux box and see?
18:18 <+catphish> if you can see a frame in tcpdump but confirm it's not physically leaving the interface then you have a bug you can report
18:20 < fnDross> when i'm able to dump all my consumer hw, what should i buy?
18:20 <+catphish> a log cabin by a lake
18:20 <+catphish> and a fishing rod
18:21 < kbaegis> catphish: I had been trying to trace ping packets with iptables -t raw -I PREROUTING -p icmp -j TRACE
18:21 < kbaegis> I was getting errors on that command
18:21 <+catphish> ping packets form where to where?
18:21 <+catphish> *from
18:22 <+catphish> my advice: choose one direction to attack the problem from and stick with it
18:22 <+catphish> choose *one* frame that you think is getting lost
18:22 < Windy> is there any kind of wayback machine for SSL certs?  some way to see what cert was presented by a particular site on a particular date
18:23 < kbaegis1> If I had to guess, lacp. Is there a way to look for those? I've never used tcpdump/bpf to look at lacp
18:23 <+catphish> Windy: moderately unlikely, never heard of such a thing, but can't say it doesn't exist
18:23 <+catphish> well you can see them on the port with tcpdump right?
18:24 <+catphish> so see if they're physically leaving
18:24 < Windy> we started having issues with ssl decryption for two sites yesterday that both have ECC certs.  i'm wondering if they changed them recently hrm
18:24 <+catphish> you'll want to look up how to display MACs in tcpdump to make sure you know which way they're going
18:24 < fnDross> heh, thats on the list catphish, and the person that gets me from A to B
18:25 < tds> Windy: you can see previous certificates issued with certain CAs through the certificate transparency logs (web ui at crt.sh), that won't tell you what cert the site was actually using though
18:25 < Windy> tds, interesting, thanks!
18:29 <+catphish> kbaegis1: good luck
18:31 < Windy> hrm, i misunderstood.  it wasn't the certs in question but rather the TLS cipher suites that were EC based and causing this error
18:34 < kbaegis> catphish: Ty
18:40 < lupine> I don't suppose anyone knows if azure network security group rules are stateful or not, do they?
18:42 < lupine> https://docs.microsoft.com/en-us/azure/virtual-network/security-overview talks about flow records...
18:43 < lupine> got it: > https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
18:43 < lupine> um
18:43 < lupine> "An existing connections may not be interrupted when you remove a security rule that enabled the flow"
20:45 < _AxS_> hey all -- anybody know what's going on with the internet in north america?  seems there's a fairly sinificant split that isn't resolving/re-routing...
20:47 < _AxS_> (i can't reach google in cali from my rogers/comcast/whatever ISP, but i can reach a DC in kitchener and -it- can reach google but can't reach my ISP..  and there are some sites neither can reach..)..  I assume there are pages where the status of such things can be looked up but i've no idea what search terms to even use to find them; anybody know of any?
20:47 < UncleDrax> well.. neither the Outages mail list, nor the NANOG mailing list seems to be freaking out today, so I would say this is far less then 'The Internet in North America'.
20:47 < UncleDrax> oh you provided details
20:48 < Dalton> traceroute is your friend
20:49 < _AxS_> Dalton: been doing that, but its not helping so much other than to confirm its not just my ISP..
20:50 < Dalton> where in Ontario are you?
20:50 < _AxS_> Ottawa
20:50 < Dalton> and what are you tracing to?
20:50 < Dalton> and define "reach"
20:50 < Dalton> ping/www/etc
20:51 < _AxS_> various things; 8.8.8.8, google.ca (172.217.x), yahoo.ca , rogers.com , etc..
20:52 < UncleDrax> as to the question of 'how can one see a high-level 'health' of the Internet. the Internet Traffic report, downdetector (or for .ca, http://canadianoutages.com/ ), etc aim to provide that
20:53 < _AxS_> UncleDrax: yeha i found that with searches, do they cover outages that are downstream though or just those at the ISP level?  I thought it was the latter
20:53 < UncleDrax> at the Service Provider / Network Engineer level, there are some mailing lists for Serious type discussion on events.. that woudl be stuff like 'Cogent and Hurricane Electric are in a pissing match today so a buncha routes are down'
20:54 < Dalton> it's Cogent, what do you expect ;)
20:54 < UncleDrax> Dalton: hence why I picked them :]
20:54 < Dalton> i know that was hypothetical but hehe
20:55 < Dalton> _AxS_: are you on Rogers?
20:56 < Dalton> I would assume they have their own google cache for that kind of stuff
20:57 < _AxS_> Dalton: well you'd think, but that doesn't help mail services and others.
20:57 < Dalton> okay, that's why I asked how you were testing
20:57 < _AxS_> Dalton: and yeah, Rogers.  I hacked a route through a VPN tunnel to my kitchener DC to get around the issue for now (i don't know what they're doing multi-homing on but at least that's an option)
20:58 < Dalton> probably Cogeco?
20:58 < Dalton> my Ontario-net is only presumptious
20:58 < Dalton> but easy enough to find out who they're peering with
20:59 < UncleDrax> Rogers maintain a looking glass? (idle curiousity.. not interested enough to google it myself..)
21:00 < Dalton> i doubt it
21:00 < _AxS_> i doubt it too..
21:00 < UncleDrax> ya i wouldn't expect it.. none listed in peeringdb for as812
21:02 < _AxS_> UncleDrax: thx, that's the sort of thing i was wondering about..  given its more out of curiosity than anything it'll likely not be relevant for me to subscribe to those MLs, but good to know they exist.
21:03 < _AxS_> and yeah, given you guys haven't heard of anything I assume its some sort of minor intermittent event; not some sort of big issue that'll take days to resolve..
21:03 < UncleDrax> ya I check them out in a R/O (archives) format
21:03 < UncleDrax> NANOG talks much more then just outages and a broader topic list
21:05 < _AxS_> UncleDrax: nanog-annouce generally cover outage discussions or just the main discussion list that you check?
21:11 < UncleDrax> NANOG annouce covers annoucements about NANOG itself (the organization, ie: meetings, voting member changes, etc..). NANOG list archive is a general discussion list for Network Operators (presumably of North America, but it's wider) to discuss.. Networking things. of which major outages is sometimes a topic of
21:13 < UncleDrax> Outages.org maintains a list as well, plus a wiki with more "general high level" health sites and a swath of major Network 'Network Status' pages. ( https://wiki.outages.org/index.php/Dashboard )
21:14 < UncleDrax> in both cases, please familarize yourself with the guidelines for posting if you choose to post to those lists. having a good SNR is what keeps those lists useful
21:15 < _AxS_> Oh gawd, there's no way I'd post to a list like that unless I got a job in network ops... and even then, likely only if i was responsible for a large segment of a customer base or something.
21:16 < UncleDrax> fair enough, hard to know where pepole come from, so figure I'd say it just to say it
21:16 < _AxS_> yep, appreciated. :)
21:16 < UncleDrax> also for any idlers ;]
21:25 < hehehe> when accessing site I get 504 gateway error
21:25 < hehehe> how to overcome it?
21:26 < grawity> call the site's sysadmin and tell them to fix their cra
21:27 < hehehe> cra?
21:28 < hehehe> its lycamobile its giant site
21:28 < hehehe> crap
21:28 < hehehe> well I need to access it
21:29 < hehehe> In other words, 504 errors usually indicate that a different computer, one that the website you're getting the 504 message on doesn't control but relies on, isn't communicating with it quickly enough.
21:29 < hehehe> wtf is that
21:29 < Carll> Any ideas on which device I could use to replace a CD Changer? Really tight budget as it's out of my own money for works music
21:30 < hehehe> some computer in between?
21:30 < grawity> well you cannot
21:30 < hehehe> grawity: what if I use vpn
21:30 < hehehe> that will re route traffic
21:30 < hehehe> what does 504 means?
21:30 < grawity> you're still accessing the same site
21:30 < hehehe> so 504 means site is down?
21:30 < hehehe> or
21:30 < grawity> well, the backend is down
21:31 < grawity> you're connecting to a "reverse proxy", and it connects to the real servers
21:31 < grawity> maybe for load balancing, maybe for security, maybe for cgi
21:31 < hehehe> mm
21:31 < hehehe> http://www.lycamobile.co.uk/
21:31 < hehehe> can you access it?
21:31 < hehehe> how dare they to go offline
21:51 < hehehe> https://downforeveryoneorjustme.com/lycamobile.co.uk
21:51 < hehehe> fck u guys lol
22:09 < tds> lycamobile.co.uk looks like an ubuntu box at ovh that just serves redirects to www.lycamobile.co.uk, try putting in the latter domain and you'll get the right result
22:23 < kbaegis> Could use help with my packet dump: https://hastebin.com/obiquhuzay.sql
22:23 < kbaegis> LACP/CDP are coming in from the switch, but my 4.16.10 kernel host isn't responding via lacp it looks like
22:27 < kbaegis> Anyone know if there's a sysfs toggle for lacp "active mode"?
22:33 < kbaegis> Anyone here used lacp_rate before?
22:37 < UncleDrax> i've never changed the default setting, no
22:37 < UncleDrax> but sounds like it's just the keep-alive/control pkt frequency
22:38 < kbaegis> UncleDrax: Well, the switch is doing its job sending the LACP information. My upgraded host doesn't appear to be.
22:38 < UncleDrax> fast = 1 per sec, normal (or 'slow?') 1 per 30s (per cisco docco)
22:39 < tds> kbaegis: out of interest, do you get anywhere if you move to plain linux bonding rather than OVS?
22:39 < UncleDrax> linux/bsd bond interface? you have it set for the correct 'mode' which I think is how they make it be LACP vs RR or something
22:40 < kbaegis> tds: let me check :)
22:41 < _AxS_> kbaegis: lacp_rate , ive used it with linux bonding and a cisco switch
22:41 < tds> also, I assume you're running the latest version of ovs and rebuilt it when you upgraded the kernel?
22:41 < _AxS_> (sorry, dell switch; my cisco was too old and/or didn't have a high enough license or something)
22:43 < kbaegis> I did get "bridge|WARN|port bond_iso: Using the default bond_mode active-backup. Note that in previous versions, the default bond_mode was balance-slb", however that's not enabled since I ran ovs-vsctl set port bond_internal boond_mode=balance-slb
22:43 < kbaegis> ^bond_mode*
22:44 < _AxS_> kbaegis: you don't want either of those you need bond_mode to be 802.3ad
22:44 < UncleDrax> iirc, 'mode=4' for linux kernel
22:45 < _AxS_> (or mode=4)
22:45 < kbaegis> "ovs-vsctl: constraint violation: "802.3ad" is not one of the allowed values ([active-backup, balance-slb, balance-tcp])"
22:45 < _AxS_> kbaegis: apparently (and oddly) it doesn't support an LACP based bonding auto-negotiation.
22:46 < UncleDrax> https://blog.scottlowe.org/2012/10/19/link-aggregation-and-lacp-with-open-vswitch/  ? old but maybe still relevant? (I've never touched OpenvSwitch)
22:46 < kbaegis> That would explain why my outward facing interfaces work and my inward facing ones don't
22:49 < kbaegis> Here's the output from ovs on the bond. https://hastebin.com/gudifumana.go
22:50 < kbaegis> idk/understand if lacp:active is interferring with bond_mode: balance-slb
22:51 < _AxS_> kbaegis: other way around if anything.  balance-slb could be making the host system (which i assume is a linux kernel?  I don't know anything about OVS either) ignore the LACP negotiation.  can you unset bond_mode ?
22:52 < _AxS_> kbaegis: also, if the other side is active, you can make OVS passive and it'll negotiate to whatever the other side has.
22:52 < _AxS_> (again, assuming an 802.3ad mode)
22:54 < kbaegis> I just tried that
22:54 < kbaegis> so bond_mode is unset, lacp=passive
22:54 < kbaegis> Testing now
22:55 < _AxS_> kbaegis: does the command from UncleDrax's link work:  ovs-appctl bond/show bond_internal   ?
22:55 < Apachez> when doing lacp one end must be active
22:55 < Apachez> so best is if both are active
22:56 < Apachez> and dont forget to configure short update timer
22:56 < Apachez> otherwise it will take like 30 seconds to form the bond instead of 1 second
22:56 < _AxS_> (as long as all devices support lacp_rate=fast)
23:01 < kbaegis> Well, here's the verbose tcpdump from active->passive and an admin down/up https://hastebin.com/emalizigoh.pl
23:02 < kbaegis> huh _AxS_: https://hastebin.com/uletapoked.sql
23:03 < _AxS_> ok well that's part of your issue, the slave devices aren't up (or allowed to come up)
23:09 < spaces> guys is Whois really going to vanish for domains because of GDPR ?
23:10 < tds> how are you setting the interfaces and bonds up - ifupdown, or custom scripts or something? can you post the config for that somewhere?
23:13 < kbaegis> inquired on #openvswitch as well. This dmesg output is telling: https://hastebin.com/tonemezoxu.scala
23:14 < kbaegis> tds: I'm a gentoo user, so it's netifrc/openrc
23:14 < _AxS_> kbaegis: well i can read it fine then.  you've just got config_[device]="null" essentially right?
23:15 < kbaegis> Correct
23:15 < _AxS_> tds: that's the equivalent of a bare 'ip link set dev [device] up'
23:15 < tds> thanks :)
23:15 < kbaegis> raw interfaces are configured "null !dhcp"
23:16 < _AxS_> kbaegis: !dhcp is redundant, fyi
23:16 < kbaegis> probably :)
23:17 < kbaegis> Yeah, I remember that from previous troubleshooting. OVS does. not. like. trunk interfaces with an assigned IP
23:17 < _AxS_> kbaegis: curious, is OVS installed from a package in the gentoo repo?
23:17 < kbaegis> Yeah. I don't think I enabled ~amd64
23:17  * _AxS_ should check that out later...
23:18 < kbaegis> Didn't. Just verified
23:21 < kbaegis> Just made a logging file for ovs. Let's see what we can see
--- Log closed Thu May 24 00:00:30 2018