--- Log opened Fri May 25 00:00:31 2018
00:04 < horse> are the phones pingable hmig?
00:07 < hmig> they are pingable
02:17 < banisterfiend> hi, i am messing with iptables. I hvae two custom chains -- how do i get the rules in chain A to always override the rules in chain B ?
02:20 < tds> banisterfiend: what do you mean by override? if you jump to an action (eg accept/reject/drop), at that point the rest of the chain won't be traversed
02:21 < banisterfiend> tds both chains are added as a `jump` target of `OUTPUT`, i guess i want to ensure that chain A is always the one that's jumped to first
02:22 < banisterfiend> rather than chain B, regardless of when A is added, it could be added either before or after B
02:22 < tds> can you upload the output of "iptables-save"?
02:22 < tds> either way, if you insert the rules in the right order, it should traverse the chains in the right order
02:26 < banisterfiend> tds thanks: https://www.dropbox.com/s/yzl7o70pxzjxroo/Screenshot%202018-05-25%2002.24.44.png?dl=0
02:26 < banisterfiend> has to be a screenshot sorry cos it's in a VM, and copy/apste isn't workign in that vm atm
02:27 < tds> hmm, is there any reason for jumping to a return, rather than having the drop at the end of the chain and jumping to the allow_lan...?
02:28 < tds> either way, assuming you're using a tool like iptables-restore to add the rules for you, they should always get added in the correct order
02:28 < banisterfiend> tds so i basically want it so that no matter what happens, teh ALLOW_LAN chain rules have higher precdence -- the issue is that ALLOW_LAN may or may not exist, and both ALLO_LAN and KILLSWITCH can be toggled off and on indepeddently
02:28 < banisterfiend> but in any case, if ALLOW_LAN exists it should have higher precedence than KILLSWITCH
02:31 < tds> hmm, how are you enabling/disabling the chains? might it make more sense to add a -j RETURN at the start of each chain (based on if you want to disable it), then you can modify them individually rather than worrying about the order the jumps in the output chain are added?
02:33 < banisterfiend> tds hmm what if i always got CHAIN A to append to OUTPUT but always got CHAIN B to insert to OUTPUT
02:33 < banisterfiend> then chain B would always have precedence over CHAIN A right?
02:34 < tds> yeah, that would work as well, though that may change behaviour if other rules get added to the output chain as well
02:35 < tds> that was why I suggested the -j return rule, then the modification for enabling/disabling one of those chain is easily contained within the chain itself
02:36 < ac_slater> guys I know this is networking 101, but I have eth0 with 192.168.10.x and it goes to my WAN/internet, I also have eth1 that is 192.168.20.x that goes to my lan (with default gateway 192.168.20.2 to my VPN server). How can I route ONLY 192.168.20.0/24 to eth1 ?
02:36 < ac_slater> ie - multi default gw ?
02:36 < sawgood> why is the Ubiquiti channel invite only?
02:38 < ac_slater> oh I guess I just want to specify gateway, not default gw for my second interface
02:39 < tds> ac_slater: so do you want to route traffic from a certain source subnet out via a different default gateway?
02:39 < tds> if so, you want to look into policy routing
02:40 < ac_slater> yea I do want that, thanks mate!
02:40 < ac_slater> any recommended readings?
02:41 < tds> what kind of router are you doing this on; something linuxy based off those interface names?
02:41 < redrabbit> #ubnt is an open chan
02:43 < ac_slater> sadly it's a DSR-250
02:43 < ac_slater> tds: ^
02:43 < ac_slater> (dlink)
02:44 < tds> ah, not a clue in that case, sorry
02:44 < redrabbit> My condolences
02:45 < banisterfiend> tds i dont quite understand this: "might it make more sense to add a -j RETURN at the start of each chain (based on if you want to disable it), then you can modify them individually" what do you mean exactly? apologize for my ignorance
02:46 < ac_slater> thanks guys
02:46 < tds> banisterfiend: my thought was that you could add a rule like -I KILLSWITCH_OUTPUT_RULES -j RETURN at the start of the chain in order to disable it, that way you can easily add/remove that single rule in the chain rather than having to worry about the order in the output chain
02:47 < tds> also, out of interest, is there any reason you're filtering on the output chain? normally I'd say to just leave that as accept, since you typically trust traffic originating from the host itself (there are of course reasons not to eg on shared boxes, just thought I'd check)
02:48 < banisterfiend> tds it's for a VPN, i'm hiding the host ip
02:50 < banisterfiend> tds ah i understand
02:50 < banisterfiend> that's a cool idea, but i think i want to remove the chain altogether to levae teh user's system as i found it
02:52 < tds> ah right, just removing the entire chain and your output rules makes sense then
02:54 < ac_slater> tds: I figured it out
02:54 < ac_slater> I just needed a static route
05:19 < ASmith> Hi, can someone help me spot the error and suggest the correct syntax in this Nginx default file for a Reverse SSL Forwarding Proxy for Multiple http Servers, Domains and Ports https://pastebin.com/5g9AJ1K6
05:22 < light> nginx -t -c nginx.conf
05:22 < ASmith> that pulls up the test which is going to state it fails?
05:24 < ASmith> its not locating it light!
05:24 < ASmith> looks like a bad install perhaps light...
05:43 < ASmith> I went into /var/lib/dpkg/ingo and removed all the crap nginx listings then was able to upgrade and update the files
05:44 < ASmith> I'll start over and then return if there's still a issue with the default site server blocks light, thanks
05:44 < ASmith> * /var/lib/dpkg/info
06:30 < sarthak> Hello. I wanted to learn networking so I set up GNS3 on linux mint but then I have no idea on how to start. I want thoery and practical(tinkering around with GNS3 maybe?) to go side by side while I learn. Also, I cannot buy any hardware atm. Can anyone provide any resources to help me get started? Thanks.
06:32 < light> you need images to use GNS3
06:32 < sarthak> I've downloaded the default GNS3 image
06:33 < light> I don't think GNS3 is the right place to start for someone that knows nothing about networking
06:34 < sarthak> okay
06:34 < sarthak> light: what do you recommend?
06:35 < light> get a CCNA or something
06:35 < light> or start by learning how your home network is setup and why
06:35 < sarthak> okay
06:35 < sarthak> but I can't buy any equipments rn
06:36 < sarthak> can I do CCNA without any equipments?
06:36 < light> yes
06:36 < sarthak> thanks
07:15 < amosbird> Hi, which should I use for proxy?  socks or tunnel ?
07:15 < light> An actual proxy.
07:16 < amosbird> I mean the implementation of the proxy
07:16 < light> The question is a little vague.
08:50 < orlock> Anybody know what might listen on UDP 52554?
08:56 < longxia> orlock: which operating system?
08:56 < orlock> Any of them
08:57 < longxia> on windows you could use netstat -anb to see the executable using it. May not be of much help though. On linux you can use lsof.
08:58 < orlock> Yes, i'm aware
08:58 < orlock> I'm just wondering why some random hosts on the internet are sending UDP packets to that port
08:59 < orlock> On non-existent ports
08:59 < orlock> on empty netblocks
08:59 < longxia> ah, i see. No idea. Nothing on google?
09:00 < orlock> Not that i can see
09:00 < orlock> didnt check services.. but nothing there either
09:00 < orlock> i can only assume its some botnet C&C trigger/callback packet?
09:16 < tpr> are the incoming datagrams similar from all the sources?
09:17 < tpr> are they coming regularly from same networks/addresses?
10:51 < Alexander-47u> hi
10:52 < Alexander-47u> i have two network interfaces one 192.168.1.1, eth0, a huawei 3g dongle in my raspberry pi to be exact, and wlan0, connected to my local area network
10:52 < Alexander-47u> 192.168.2.1
10:53 < Alexander-47u> i want to be able to access the 192.168.1.1 from the 192.168.2.0 network, with my laptop that is also conncted to my local area network
10:53 < Alexander-47u> any quick methods? :p
10:54 < Alexander-47u> i need to tunnel out a single port, 80, i could use ssh tunneling i guess
10:54 < Alexander-47u> but are there other 'good' ways?
10:54 < bezaban> ip forwarding and routing
10:57 < Alexander-47u> :p
10:58 < Alexander-47u> thats not really clear bezaban
10:59 < bezaban> enable ip forwarding on the pi and set the clients to route via it :)
10:59 < bezaban> for the subnets in question
11:00 < bezaban> need routes both ways so you don't get in an assymmetric situation
11:00 < Alexander-47u> iptables -A FORWARD -i eth0 -o wlan1 -j ACCEPT && iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT ?
11:00 < bezaban> you can ssh tunnel, but that requires some daemon tweaks to be able to expose it on a public interface unless you want two tunnels
11:01 < bezaban> sysctl -w net.ipv4.ip_forward=1
11:02 < Alexander-47u> are these commands good that i wrote?
11:05 < Alexander-47u> https://gist.github.com/tzermias/5408466
11:05 < Alexander-47u> this will be good right?
11:06 < bezaban> don't need those, I'd get the forwarding and routing in place first and then look at iptables
11:06 < bezaban> you just want to route to directly connected networks
11:07 < bezaban> oh, you want to nat it too?
11:07 < v0Lk> Is there a way to completely backup a semtech packet forwarder container (and the host OS) within a Cisco IXM-LPWA-800 LoRa gateway? I was considering using DD as I always have but if I'm backing it up it'll eat any space left on the flash
11:08 < Alexander-47u> i want to access 192.168.1.1:80 from 192.168.2.1
11:08 < Alexander-47u> thats all
11:11 < Alexander-47u> the pi is dual homed
11:11 < bezaban> then all you need to do is enable ip forwarding and put routes on device on each side via pi
11:12 < Alexander-47u> iptables -A FORWARD -i eth0 -o wlan1 -j ACCEPT && iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT ? should be enough then right?
11:13 <+catphish> Alexander-47u: what sounds like just accepting everything, no?
11:13 <+catphish> Alexander-47u: why bother to have a firewall at all
11:13 < bezaban> Alexander-47u: ignore iptables.
11:14 <+catphish> oh, you also want NAT, fun :(
11:15 < bezaban> I'm not sure, he said no to that
11:15 < bezaban> sounds like just routing two connected networks
11:16 < Alexander-47u> i want to access 192.168.1.1:80 from 192.168.2.1 :P
11:17 < Alexander-47u> so net.ipv4.ip_forward = 1 would be sufficient i think?
11:18 < djph> and a routing entry on the 1.0/24 gateway.  Unless the 2.0/24 gateway is doing NAT
11:19 <+xand> gross
11:19 <+xand> don't NAT between internal networks
11:19 < djph> xand: you know that, I know that ... everyone who uses two linksys routers thinks it's the only way ...
11:21 < bezaban> Alexander-47u: yes, and routes
11:21 < bezaban> and then add packet filtering if you so desire
11:22 < bezaban> going to lunch in the sun today methinks
11:30 < Alexander-47u> thanks :)
11:30 < Alexander-47u> it is clear now
11:54 < mnaumann> hi there. would someone offer their help indiagnosing why my iodine tunnel doesn't seem to forward packets?
12:00 < mnaumann> i have the latest version of iodined running on a kvm instance, and am using the andiodine android client (on two devices in different networks / behind the internet) as well as an older iodine version (the one in ubuntu 16.04) to connect to it. the connection + tunnel is always established fine, but traffic doesn't seem to flow properly.
12:09 < mnaumann> herre's what the server logs (and how i run it): https://paste.debian.net/1026544/
12:10 < mnaumann> MYDOMAINWAS.HE.RE and MYPASSWORDWASHERE are obviously fake, i replaced the original values in all occasions.
12:30 < TandyUK> have you got relevant iptables rules to allow and/or forward/nat/etc traffic?
12:31 < TandyUK> also what ip are your clients using?
12:31 < TandyUK> it shoudl be a 10.10.1.x ip, with 10.10.1.1 as gateway
12:32 < TandyUK> I also dont see a subnet mask being set anywhere, so this could also be wrong
12:32 < TandyUK> "Add more -D switches to set higher debug level."   also share your config, and the config/logs from one of the clients
12:38 <+catphish> did you get a GDPR cake? because we did! https://i.imgur.com/hvEh0V6.jpg
12:40 < Phil-Work> Gdpaaaaaaargh
12:41 < Phil-Work> I'm pleased to see 3 e-mails today asking for my consent to contact me
12:41 < Phil-Work> pretty sure they just did that
12:41 <+catphish> lol
12:42 <+catphish> i'm gonna contact you with or without your permission, mwahahahaahaha
12:42 < mast> :P
12:42 < mast> I swear if I get one more email...
12:42 <+catphish> it's just a friendly reminder of how many companies you gave your details to :|
12:43 < Phil-Work> it's a friendly reminder of how many companies stole my details from somewhere
13:15 < plitter> is there a way of displaying the data packets without the hex in tcpdump?
13:20 < mAniAk-_-> in ascii?
13:22 <+xand> -A ?
13:23 <+xand> or save to file and use wireshark to open it
13:23 < NeilHanlon> Anyone have any recommendation for reading material on SDN, OpenFlow, OpenCompute, etc?
13:23 < NeilHanlon> We're implementing BigSwitch's Big Cloud Fabric and I want to learn more about the underlying tech
13:30 < mnaumann> TandyUK: thanks again, but i need to run, i'll come back with these details later
13:30 < mnaumann> (and sorry about th edisconnect, still experimenting here)
13:41 < regdude> does anyone know why in MPLS when you do a  traceroute, then the second hop in the MPLS "cloud" times out with TTL propagation? Without TTL propagation MPLS is hidden
14:02 < linuxconformer> guys how does cloudflare SSL work?
14:35 < AlVal> I installed a pi-hole on my home network. router/gateway (netgear nighthawk r7000) is 192.168.0.254, pi-hole acts as dns server and lives at 192.168.0.29. samsung tv lives at 192.168.0.1
14:35 < AlVal> so i think all is good, the pi-hole will block all the dodgy traffic that the samsung tv tries to initiate without you realising
14:36 < AlVal> tv has its dns server set to the pi-hole of course. but wait... get this... after it realises that it can't resolve any of the domains it wants to get to
14:36 < AlVal> the TV overriides the dns settings you told it to use, and has a hard coded fallback to 8.8.8.8 if it cant get to where it wants to by your dns server
14:37 < Kingrat> sounds like you need to block all dns traffic outbound except from your pihole
14:37 < AlVal> I find that very offensive
14:37 < AlVal> Kingrat: you're talking my language now
14:37 < AlVal> Kingrat: but i dont understand static routes
14:37 < AlVal> Kingrat: not confident in how to set up that block effectively on the netgear nighthawk
14:38 < Kingrat> nothing to do with routing, its should be a simple firewall rule
14:38 < Kingrat> block all outgoing to port 53 udp except from pihole, or if you have to allow pihole to 53 udp outgoing before a deny by default to 53 udp
14:40 < AlVal> Kingrat: the netgear doesnt give me an interface that a technical person would expect. its all more english language style which leaves it a bit unclear technically what its gonna do
14:41 < Kingrat> maybe they have some docs showing how to create firewall rules on their interface *shrug*
14:41 < AlVal> Kingrat: there's "security - block services" and i can choose dns as a service, port 53 tcp, and select the ip or ip range to apply that rule to, but should i assume that means it will block port 53 traffic outbound to the internet from the selected ip
14:42 < AlVal> Kingrat: or would it completely block that ip from dns service even across the interneal network
14:42 < Kingrat> i have some pretty ugly interfaces but ive never messed with the nighthawk, the higher performance home router/ap in a single box didnt become a thing until after i already started using pfsense/dedicated aps
14:43 < Kingrat> can you allow it from your pihole to 0.0.0.0, and then block from 0.0.0.0 to 0.0.0.0
14:43 < at0m> AlVal: my TV is MAC-blocked for that reason. if it had an option to use a proxy, i just might allow it access to some sites, but it doesnt. at least i could manage its access permissions via the proxy then
14:46 < AlVal> at0m: if it had a proxy, given how it chooses to ignore the dns server you tell it to use at-will, i wouldnt even trust that its using the proxy always
14:46 < AlVal> at0m: although the block to traffic outside proxy could fix that i guess
14:46 < at0m> AlVal: hence my mac-blocking the TV alltogether
14:48 < AlVal> at0m: yeah i just wanted youtube to still work on the tv, and some sip channels. i like not having extra boxes outside the tv and the software in there, i just wish there were trustworthy custom open source operating systems you could replace your tvs os with
14:49 < at0m> there is one for my TV, but it's quite a hack and i don't feel for bricking my tv =)
14:49 < AlVal> kind of like putting cyanogenmod on your phone etc
14:50 < at0m> #lineageOS nowadays, but yea. if i don't have root, it doesnt get to my network.
14:51 < at0m> i've stuck a media center micro-ATX PC to the back of my TV some years ago, and made the TV stupid again.
14:52 < AlVal> at0m: yeah i guess i should re-look at what mini computers can do these days, can probably get a lot of power in a small form factor now
14:52 < AlVal> and would probably have a better plex client than the native tv anyway
14:54 < AlVal> 4 amazon echos in the house, good god they go crazy for ntp servers, why the hell do they need to talk to an ntp server so often
14:54 < at0m> AlVal: one of my rpi's would do, too, but it's pretty slow. gave that to the kids. anyhow, better than a chromecast on my LAN.
14:54 < AlVal> isnt an ntp just something you would check like once a week to ensure your clock is good
14:55 < at0m> maybe they boot often? i can imagine they don't have onboard RTC so don't keep clock on their own over reboots
14:55 < dogbert2> well, a better method is to have a master NTP device in your network (which does the polling) and everyone else grabs their NTP update from it
14:55 < AlVal> dogbert2: you can't even tell an amazon echo to use a static ip
14:55 < AlVal> dogbert2: never mind which ntp server to use
14:55 < at0m> kill it
14:56 < at0m> Does It Blend?
14:56 < AlVal> hahaha
14:56 < dogbert2> well, I have no use for an amazon echo, so I don't own one :)
14:57 < AlVal> dogbert2: the only thing we seem to consistently use them for is setting a cooker timer for 10 mins or something or asking the time
14:57 < AlVal> so youre not really missing out
14:59 < AlVal> being able to say set timer for 20 mins while hands are full putting food in the oven is helpful, nothing else has much value. i turn a light on or off with it sometimes. but now i heard that even the light bulbs are talking to the internet behind your back haha
15:01 < at0m> why else would they be online
15:02 < at0m> it's not that they're hiding it from you. it's why you bought them.
15:03 < adrian_1908> Quote: "Each Class A network can have up to 16.7 million unique hosts on its network. The range of host address is from 1.0.0.0 to 127.255.255.255."
15:03 < adrian_1908> I thought each Class A network would have a unique first octet. Shouldn't the possible range of host addresses go from (fixed).0.0.0. to (fixed).255.255.255 then?
15:03 < adrian_1908> (per class A I mean)
15:03 < AlVal> the other thing that really annoyed me was that i saw that the samsung tv was consistently talking to an israeli company called giraffic, and when i looked into it
15:03 < AlVal> it looks like your tv becomes a cdn network peer
15:04 <+catphish> adrian_1908: first of all, lets get this over with: there's no such thing as a class A network
15:04 < AlVal> helping their cdn stream video to others using your bandwidth
15:04 <+catphish> adrian_1908: they have been deprectaed for 20+ years
15:04 <+catphish> adrian_1908: secondly, this is 2 totally separate facts
15:05 <+catphish> adrian_1908: 1) a class A network was a /8, with 16,777,216 IPs
15:05 < at0m> AlVal: yes, that's all in documents you've agreed to.
15:05 <+catphish> adrian_1908: 2) a class A address is defined as being in the range 0.0.0.0 - 127.255.255.255
15:05 <+catphish> adrian_1908: these are 2 separate facts, so you're correct, each network has its own leading octet, and are 128 such networks
15:06 < at0m> AlVal: my LG falls back to stupid TV for my not agreeing with their terms.
15:06 < adrian_1908> catphish: Ah I see, the second statement wasn't linked to the first, but talked about the "global" range so to speak. Thanks.
15:06 <+catphish> adrian_1908: correct
15:07 <+catphish> adrian_1908: in modern terms, a class A would be defined as any /8 subnet inside 0.0.0.0/1
15:08 <+catphish> similarly, a class B network would be any /16 inside 128.0.0.0/2
15:08 <+catphish> but we don't use these classful definitions any more
15:09 <+catphish> the original intention was that a router could look at the first octet to determine the size of the network (anything starting with 0-127 was class A), but in modern networks, the size of the network is defined separately
15:34 < AlexPortable> SOHO router is set to static LAN DNS server, yet the computers somehow forget(?) after some time that they should use those, and they just use the ISP ones, how can i diagnose/fix ?
15:35 < dan01> if the command route -n, what does the ip 0.0.0.0 mean in the destination column?
15:35 < dan01> in the command*
15:35 <+xand> dan01: what oS is that? if it's linux use "ip route" instead and provide the output
15:35 <+xand> could be IP address or netmask
15:36 <+xand> AlexPortable: umm the PCs can't just magically get the ISP DNS servers from somewhere, maybe you have two DHCP servers
15:36 < AlexPortable> pretty sure i dont
15:36 < AlexPortable> i presume the router just tells me the ISP's DNS servers, but i dont know why
15:36 < regdude> unless there are two DNS Servers listed
15:37 < dan01> xand: default via 192.168.0.1 dev wlp2s0 proto dhcp metric 600
15:37 < dan01> 192.168.0.0/24 dev wlp2s0 proto kernel scope link src 192.168.0.104 metric 600
15:37 < dan01> 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
15:37 < dan01> that's it
15:37 <+xand> OK, what's the line from "route -n"?
15:38 <+xand> AlexPortable: tell the router to give out your desired DNS servers?
15:38 < AlexPortable> well i have
15:38 < AlexPortable> but sometimes it stops working
15:38 < AlexPortable> i check the computers dns entries and the isp ones show up
15:38 < dan01> xand: 0.0.0.0         192.168.0.1     0.0.0.0         UG    600    0        0 wlp2s0
15:38 <+xand> I believe that is the default
15:39 < dan01> xand: I guess my question is what does the first column "destination" mean, the destination where the packet is heading to?
15:39 <+xand> yes
15:40 < dan01> xand: So 0.0.0.0.is there for packets that come from outside? Because why would I send packets to myself?
15:41 <+xand> no... 0.0.0.0 IP address with 0.0.0.0 netmask (first and third columns) means the default route
16:01 < linuxconformer> is nobody here?
16:01 < skyroveRR> yup
16:02 < linuxconformer> ok cool, just wondering if it's possible to trace a browser request
16:02 < skyroveRR> yup
16:02 < linuxconformer> e.g. to trace the whole path http://google.com takes
16:02 < linuxconformer> how can i do this?
16:02 < skyroveRR> Which OS are you on?
16:02 < linuxconformer> linux
16:02 < skyroveRR> curl -v http://google.com
16:02 < turtle> first thing you have to do is yell ENHANCE
16:02 < linuxconformer> but is there no website that does this?
16:03 < skyroveRR> linuxconformer: linux already has the tools. Why do you need a website?
16:03 < skyroveRR> linuxconformer: run that command, see whether that's what you want.
16:03 < linuxconformer> skyroveRR: thought there might be a website with a nice UI, but it's not so important
16:03 < qman__> The information is only visible client side, a website cannot do that for you
16:04 < qman__> The chrome debug tools aare useful for this as well
16:04 < qman__> ctrl+shift+i, network tab
16:05 < linuxconformer> skyroveRR: i have another question, if im using cloudflare for SSL, does my app need to be served on :443?
16:17 < skyroveRR> linuxconformer: yup.
16:17 < linuxconformer> skyroveRR: for is that?
16:17 < linuxconformer> *why is that
16:19 < skyroveRR> Not really a cloudflare user, but from what I've gathered, people usually do SSL on their end, too, linuxconformer
16:19 < linuxconformer> skyroveRR: it's not *required* though is it?
16:20 < linuxconformer> i.e. if i'm serving an application from mywebsite.com:80, and i point cloudflare to it, then accessing https://mywebsite.com should work, no?
16:20 <+xand> linuxconformer: I don't think it is required
16:20 <+xand> but it's a good idea.
16:21 < linuxconformer> xand: agreed, just wanted to make sure though, because i'm using cloudflare and when i try to access my website over https, it's failing
16:21 <+xand> umm I think they have some different settings for that in the config
16:22 < ahyu84> anyone here using PIA VPN?
16:22 < fattredd> I am
16:22 < ahyu84> cool~
16:22 < ahyu84> any feedback on their VPN?
16:22 < ahyu84> is it reliable + trustable?
16:22 <+xand> linuxconformer: see "Flexible SSL" on https://support.cloudflare.com/hc/en-us/articles/204144518-SSL-FAQ
16:22 < fattredd> Great speeds. Super reliable. Lots of endpoints. Great price
16:23 < ahyu84> okay
16:23 < ahyu84> thx
16:23 <+xand> not sure how you can tell how trustworthy such a service is
16:23 < fattredd> 10/10 do recommend
16:23 < ahyu84> ok
16:23 <+xand> unless you personally know the owners or something
16:23 < fattredd> That's fair I guess
16:23 < ahyu84> as long as there is no log should be ok
16:23 < ahyu84> I don like record our activity
16:23 < fattredd> They claim the don't log anyway
16:24 < fattredd> They also aren't US based
16:24 < fattredd> so that's good
16:24 < ahyu84> ^_^
16:25 <+xand> ahyu84: you can't know if there's a log.
16:26 < ahyu84> hmm
16:26 < skyroveRR> And never trust any VPN provider..
16:26 < fattredd> https://www.privateinternetaccess.com/pages/privacy-policy/
16:27 < linuxconformer> skyroveRR: does it usually take a while for the https to start working?
16:27 < skyroveRR> linuxconformer: not used them, so can't say.
16:28 < tda> use cryptostorm. i never got on pia because they wouldnt take me money. it's probably a honey pot
16:29 < fattredd> Lol what?
16:30 < tda> try paying with a gift card over tor or another vpn. you'll see
16:30 < fattredd> Damn you're paranoid AF
16:31 < tda> they say they take anonymity and privacy seriously
16:31 < fattredd> Also you don't trust a VPN, but you trust tor?
16:31 < ahyu84> lol guy calm down..
16:31 < ahyu84> chill
16:32 < tda> i didn't say i trust tor. i didn't want pia to get my ip until i could be sure they were legit
16:33 < fattredd> Interesting. I never thought about that. What are you worried they could do?
16:33 < EmberCrest> Hey everyone. I'm looking into my office's network problems. People's connections keep dropping. I checked on Wireshark, and when the problems start, our computers start sending out ARP requests to identify 192.168.0.1 (gateway)
16:34 < EmberCrest> Then the gateway starts sending out ARP requests for the individual IPs
16:34 < EmberCrest> There seems to be about a 20 second delay between disconnection and connectivity restoration.
16:34 < grawity> but not ARP responses to the requests it received?
16:35 < ahyu84> @EmberCrest might be switch issue, or same cable connected to same switch
16:35 < grawity> what devices do you have between your computer and the gateway?
16:35 < grawity> including switches, access points, etc.
16:36 < EmberCrest> grawity: exactly. it doesn't respond to requests and then I see it make a bunch of requests itself.
16:36 < EmberCrest> So this is on a Wireless network too
16:36 < EmberCrest> I DO have an ethernet switch connected to one of the ports on the network
16:37 < EmberCrest> on the router*
16:37 < EmberCrest> Weirdly, the one computer plugged into the switch never loses connectivity.
16:37 < grawity> is the AP integrated into the router, or separate?
16:37 < EmberCrest> Sorry, what's an AP?
16:37 < EmberCrest> oh access point
16:37 < grawity> Wi-Fi access point, yes
16:37 < EmberCrest> Not entirely sure. It's an all-in-one router+modem from the ISP.
16:37 < EmberCrest> I'm guessing yes.
16:38 < grawity> in general if you don't have a separate device for Wi-Fi, and especially if the router has antennas sticking out...
16:39 < EmberCrest> Got it.
16:39 < grawity> anyway way, I'd guess either some part of its wifi radio is dying, or there's some *serious* radio interference coming from somewhere
16:40 < grawity> just a wild guess though
16:40 < EmberCrest> Hmmm.. it's possible. We're on a 5G network.
16:40 < grawity> but if it has moments where it's able to send packets over wi-fi, but not receive them over wi-fi
16:40 < grawity> as in 5 GHz?
16:40 < EmberCrest> Yeah
16:41 < EmberCrest> Which supposedly has smaller interference susceptibility
16:45 < linuxconformer> how do i check which DNS my website is on?
16:46 < skyroveRR> linuxconformer: whois <domain_name/website_name>
16:46 < skyroveRR> Again, on your linux machine.
16:46 < linuxconformer> thanks
16:49 < linuxconformer> skyroveRR: is it possible that a previous attempt at using LetsEncrypt skrewed up cloudflare ssl?
16:50 < skyroveRR> IDK..
16:51 < linuxconformer> ok man no problem
16:51 < skyroveRR> :)
16:54 < fattredd> Hey so I've got a question about an openVPN server that I've set up on my Ubiquity Edge Router.
16:55 < fattredd> The goal is to be able to access devices on my home network from afar, but it looks like OpenVPN wants to have it's own subnet. How can I connect to 192.168.1.0/24 from 191.168.2.0/24? How do I forward all traffic to the vpn?
16:55 <+xand> it has its own subnet but the router routes between them
16:55 < Barones> ^
16:55 < skyroveRR> ^^
16:55 <+catphish> ^^^
16:55 < Emperorpenguin> fattredd: depends how you do it
16:56 < Emperorpenguin> with a "dev tun" you need a separate subnet
16:56 < Emperorpenguin> with a"dev tap" connected to a bridge interface that's also connected to your ethernet network, you can use the same addressing
16:56 <+catphish> fattredd: the router will route between the 2 subnets, you may need to push a route to the LAN out to VPN clients
16:56 <+catphish> once you do that, it should just work
16:57 < fattredd> Do I need to explicitly create a route for the two subnets?
16:58 < grawity> not that you should use the same addressing though...
17:02 < Windy> !#$@$ Palo Alto
17:03 < SoniEx2> I think this router is broken
17:07 < fattredd> Hold on I'm confused. Should I have to tell the router to route between the subnets?
17:08 < fattredd> Or should that just magically happen?
17:10 < grawity> you do need to tell it the route towards the VPN subnet
17:12 <+catphish> fattredd: no, because the router is connected to both subnets, it already has routes to them
17:12 <+catphish> fattredd: you just need to make sure that the clients have routes to them
17:13 <+catphish> or if their default route is the router, that's good enough
17:13 < fattredd> So when I connect to my VPN right now, I get the IP 192.168.2.24
17:14 <+catphish> ok
17:14 < fattredd> I cannot ping 192.168.1.1
17:14 < turtle> how are those two things related?
17:14 <+catphish> fattredd: and what routes do you have?
17:14 <+catphish> fattredd: my immediate guess would be you have no route to 192.168.1.1
17:14 < fattredd> I would agree haha. How do I do that though?
17:15 <+catphish> you need to push that route from the openvpn server
17:16 <+catphish> i think the syntax you want is: push "route 192.168.1.0 255.255.255.0 192.168.2.1 1"
17:16 <+catphish> assuming 192.168.2.1 is the vpn server
17:16 < fattredd> In the server config?
17:16 <+catphish> yes
17:16 < fattredd> Okay gotcha
17:16 < fattredd> What's that trailing "1" doing?
17:17 <+catphish> that will then push that config to the client, which will install that route (a roure to 192.168.1.0/24 via the vpn server)
17:17 <+catphish> metric
17:17 <+catphish> it really doesn't matter what you specify there, examples seem to use 1
17:17 < fattredd> Mmm okay. I gotcha
17:18 < fattredd> Thanks +catphish
17:42 < fnDross> anyone know any _good_ android apps that help troubleshoot networks?
17:42 < fnDross> only using Fing right now :/
17:43 < tds> https://networktools.he.net/ is nice
17:44 <+catphish> obvious tool: wifi analyzer
17:45 <+catphish> i use this often: https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=en_GB
17:50 < redrabbit> the open source one is better and ad free
17:53 < heller_> what do you guys suggest, if i need a quick way to deploy VPN clients as gateway with minimal effort
17:54 < Apachez> which one?
17:55 < Apachez> landroid is nice for trace, dns, ssl etc
17:55 < heller_> maybe openvpn or something
17:59 < Apachez> "VPN clients as gateway"?
17:59 < Apachez> http://www.consilium.europa.eu/sv/general-secretariat/corporate-policies/classified-information/information-assurance/eu-restricted/  pick one ;)
18:00 < Apachez> I like these as vpn clients http://www.consilium.europa.eu/sv/general-secretariat/corporate-policies/classified-information/information-assurance/eu-restricted/vpn-encryptor/pgai-9421/
18:02 < heller_> i mean so i can have LAN devices behind it and access them without caring what connection theyh have
18:02 < detha> heller_: zerotier
18:11 < heller_> but zerotier clients needs an app?
18:11 < heller_> i cant install an app to a router :L)
18:19 < fnDross> heh wishin i had an extra pc w/ wifi to test this setup :/
18:20 < fnDross> 533mhz desktop w/ NT doesnt count
18:29 < tds> heller_: a little openwrt router + openvpn could work
19:17 <+catphish> He's making a list, He's checking it twice, He's gonna find out who's naughty or nice
19:17 <+catphish> Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679
19:18 < UncleDrax> I should self-comply with that. like anytime I meet someone I'll ask thier name again.. since I won't be storing it, or anything about them.
19:19 < fnDross> we could probably class action him
19:19 < fnDross> get the things we never got from our lists growing up
19:20 < UncleDrax> would you really want a bunch of Ponies/Horses/Firetrucks showing up on your lawn like.. right now?
19:20 <+catphish> UncleDrax: it doesn't apply to natural persons engaged in non-business activities, you're lucky
19:20 < fnDross> maybe
19:20 < UncleDrax> catphish: doesn't mean I can't comply with it anyway.. just means the EU won't try to enforce compliance.
19:20 < fnDross> im legal to drink now and those items would be entertaining
19:27 < AlexPortable> SOHO router is set to static LAN DNS server, yet the computers somehow forget(?) after some time that they should use those, and they just use the ISP ones, how can i diagnose/fix ? i check the computers dns entries and the isp ones show up
19:28 < ouemt> I've got an ubnt er-4 that I barely know how to use, and DNS lookups on all my devices take forever and/or fail, can someone suggest some troubleshooting?
19:31 < djph> AlexPortable: double-check the router's DHCP server that it's providing the right thing
19:31 < AlexPortable> yep it is
19:31 < AlexPortable> after rebooting it it works fine again
19:34 <+catphish> i'm legal to drink now too
19:34 <+catphish> i was legal to drink from my 5th birthday until the first time i drove a car :)
19:35 < djph> sounds like the router's misbehaving; or perhaps there's another DHCP server somewhere on your network providing the wrong info.
19:35 < AlexPortable> nope there is not
20:04 < spaces> catphish I think you are not allowed to drink from your 5th, so as little boy
20:04 < squealingcode> I've just set up two SFP+ network cards, given each an IP, but there's no connection. Systems at both ends run Ubuntu/Debian. Any idea where to start? lol
20:04 < squealingcode> No connection = cannot ping eachother.
20:04 < ouemt> squealingcode: have you defined a route?
20:04 < Apachez> so how did you set them up?
20:04 < squealingcode> They're on the same subnet.
20:04 < Apachez> 2 nics
20:04 < Apachez> one sfp+ in each
20:05 < Apachez> what kind of sfp+?
20:05 < Apachez> what kind of cable?
20:05 < Apachez> try to switch rx/tx at one end?
20:05 < Apachez> still no link?
20:05 < squealingcode> Fiber optic cable
20:05 < Apachez> suuuuuure
20:05 < Apachez> singlemode, multimode?
20:05 < Apachez> its like "I got a car"
20:05 < spaces> Apachez maybe wrong type of cable
20:05 < Apachez> its a difference of trabant vs ferrari on how you start them up
20:05 < ouemt> still looking for help with DNS troubleshooting if anyone has time, my google-fu is failing at this
20:05 < Apachez> so again
20:05 < Apachez> answer each question
20:05 < Apachez> which nics?
20:05 < spaces> Apachez no you start them the same way
20:06 < squealingcode> I know, I am sorry. This is the first time I set up this kind of equipment, but I was sure that everything was compatible.
20:06 < Apachez> yet you fail to answer simple questions
20:07 < squealingcode> OK, give me a sec and I'll see if I can answer your questions
20:07 < spaces> Apachez life is difficult so are your questions :P
20:08 < squealingcode> Yes, there's one SFP+ card in each machine. The cable is "SFP/SFP+ compatible". I have no idea how to switch "rx/tx" at one end, the cable is already terminated and "ready to go", so I guess everything should be in order inside.
20:09 < squealingcode> The cards have different vendors, idk if that means anything? One is Chelsio, the other is Mellanox
20:10 < djph> what's the cable, SM/MM patch.  Is is straight-through, or crossover (if crossover, one end will have the fibres flipped around - you'll be able to see that)
20:10 < squealingcode> This is the cable: https://www.ebay.com/itm/15m-Extreme-Networks-10GB-F15-SFPP-Compatible-10G-SFP-Active-Optical-Cable/192477763064?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649
20:11 < djph> oh, it's a DAC?
20:12 < squealingcode> I guess? The cable itself is fiber optic and the ends are the typi
20:12 < Apachez> "SFP/SFP+ compatible cable" WHAT THE FUCK IS THAT!?
20:12 < squealingcode> look like the typical SFP transceiver ends
20:12 < Apachez> djph: AOC
20:13 < Apachez> according to that link
20:13 < djph> yeah, looked at the pic, didn't read the desc
20:13 < djph> lalalala
20:15 <+catphish> squealingcode: sorry if i'm late to this conversation, but 1) if it has a link it *should* work 2) check the link 3) use tcpdump at each end to see what happens
20:18 < squealingcode> Thank you, catphish. Afaik there is link up on both cards (constant green light)
20:19 <+catphish> squealingcode: run ping on one, run tcpdump on the other, see what arrives
20:19 <+catphish> wow, is that a fibre cable and 2 optics all hardwired together?
20:20 <+catphish> if so, what a terrible way to buy those things
20:20 < Apachez> thats why I dont like AOC nor DAC cables
20:20 <+catphish> i've never seen an AOC before
20:20 < Apachez> if/when one end breaks for whatever reason the whole thing must be replaced
20:20 < Apachez> and they often cost $130 and upwards
20:20 <+catphish> i like DAC cables, because they're cheaper than 2 optics and a fibre
20:20 <+catphish> but AOC just seems mad
20:21 < Apachez> while a fibermodule on its own goes for 16-32 USD (dependingg on multimode vs singlemode 10G)
20:21 < Apachez> catphish: no they are not
20:21 < Apachez> another downside is that they are often "branded"
20:21 < squealingcode> Nothing shows up in tcpdump:(
20:21 < Apachez> so a cisco dac doesnt work in a juniper device
20:21 < squealingcode> I'll check some things later, thank you for all your suggestions tho:)
20:21 <+catphish> 1m DAC is $10
20:22 < squealingcode> btw is it normal for the cards to get like super hot? It does not have a fan, and I can barely touch the heatsink after 10 min.
20:22 <+catphish> there's no way you can beat that with 2 optics
20:22 < Apachez> the SFP+ interface on its own have a power budget of 2.5W
20:22 < Apachez> and then the phy or whatever will use some watts
20:22 < Apachez> so you might end up with like 10W or so per nic in a computer
20:22 < Apachez> and 10W on small area = hot hot hot
20:22 <+catphish> 10G optics are more than $10 on their own
20:23 < Apachez> where do you see a dac cable for $10 ?
20:23 <+catphish> https://www.fs.com/c/generic-10g-sfp-dac-1115
20:23 <+catphish> fs.com 1m 10G DAC is $10
20:24 < Apachez> ahh right https://www.fs.com/c/10g-sfp-dac-1114
20:24 < Apachez> I would still prefer fiberoptics over dacs :)
20:24 < Apachez> some vendors put some magic id code for stacking
20:24 <+catphish> depends on the requirement, but personally i find DAC to be more reliable, more robust, and cheaper for a very short run
20:25 <+catphish> obviously for more than 3m, i'd always go proper optics + SM
20:26 <+catphish> with that said, my routers are connected with fibre patch cables, because they happened to come with the modules :)
20:26 <+catphish> but it seems kinda fragile
20:26 <+catphish> my SAN is all DAC
20:29 <+catphish> i'm 100km behind my year running target :(
20:43 < AlexPortable> Is it expensive to install fiber in a home network / house ?
20:43 < AlexPortable> Looking at around 20 meter per cable
20:52 < TandyUK> why do you think you need fiber inside your house?
20:52 < TandyUK> do you have any cable runs over 100M?
20:58 < S_SubZero> sounds like quite a house if it can go that far in all directions
20:59 <+catphish> AlexPortable: it's generally unnecessary, but assuming you want it, i'd imagine the difficulty is terminating the fiber, or getting it pre-terminated in the exact right length
20:59 < AlexPortable> they aren't easy to buy like cat6a cables?
20:59 <+catphish> yes, but you can terminate cat6a cable
21:00 <+catphish> terminating fiber is hard
21:00 <+catphish> the fiber and media converters aren't too expensive, but installing it is hard i believe
21:01 < TandyUK> tbh if you used multimode, considering the short distances, its not too hard with the shitty 'diy' connectors
21:01 < TandyUK> but personally Id want it done properly
21:02 < S_SubZero> my buddy did a stint in an Amazon data center, they taught him how to terminate fiber and he says that's the only appreciable job skill he learned there
21:02 <+catphish> i don't know much about multimode, can you just cut it cleanly and push it into a plug?
21:03 <+catphish> my only experience of terminating fibre is splicing single mode to a pre-made pigtail
21:03 <+catphish> that process was difficult and the equipment is expensive, but i believe the results are excellent
21:04 <+catphish> that's how my FTTH was done, but i guess for short runs, you can do it more easily with MM, not ideal though
21:05 < S_SubZero> At MS they just threw money at the problem.  They just bought infinite numbers of fiber cable in one foot increments, so we could always do a run with their extremely rigid and precise length cables.
21:06 < Apachez> https://www.youtube.com/watch?v=VcZD9kR19a4  wonder what the geigercounters said?
21:08 < yuppie> hello all
21:08 < yuppie> anyone familiar with UBNT USG Pro?
21:08 < yuppie> im trying to create two isolated networks
21:09 < yuppie> using two different WAN connections
21:09 <+catphish> S_SubZero: that sounds man
21:09 <+catphish> *mad
21:11 < S_SubZero> Apachez: there was a rumor, which I can't confirm, that the last test they did messed the site up in some bad way and they used all of this pomp and circumstance to hide the fact that they needed to blow up the place anyway
21:25 < jvwjgames> Hello everyone i am trying to reach 162.220.209.51 but can't
21:25 < jvwjgames> i can reach 162.220.209.37 but not .51
21:29 < electricbear> jvwjgames, either the IP is offline or it is not accepting ICMP
21:29 < jvwjgames> it is online but like i siad i can't get to it
21:29 < electricbear> what does "get to it" mean
21:29 < electricbear> is it a VPS?
21:29 < jvwjgames> it is a cpanel server and i need ti get it back online ASAP
21:30 < electricbear> how do you normally access it? SSH?
21:30 < jvwjgames> i can't login to the cpanel server or ping or traceroute to it
21:30 < jvwjgames> and i cna't ssh either
21:30 < jvwjgames> .48/28 network is being routed through .37
21:31 < electricbear> who is the host
21:31 < jvwjgames> witch is the master VM Server where the cpanel server is hosted
21:31 < jvwjgames> Me
21:31 < jvwjgames> i am hosting my physical servers at a local DC here in Utah
21:32 < electricbear> perhaps the VM is down?
21:32 < electricbear> I'm really not sure. not an expert
21:32 < electricbear> but good luck
21:33 < jvwjgames> no vm is up
21:33 < jvwjgames> it can ping out but i can 't access it
21:33 < electricbear> it's a routing issue then
21:33 < electricbear> someone will help you
21:33 < tds> if it can ping out routing is likely fine, sounds more like firewalling to me
21:34 < tds> (assuming "ping out" = send out ping requests and get replies back)
21:34 < electricbear> ah good point tds
21:34 < jvwjgames> yes
21:35 < tds> if it's a web server, check that the web sever is actually running and listening
21:35 < jvwjgames> it is
21:36 < tds> in that case I'd confirm you can poke the web server eg with curl/telnet on the vm itself, then check firewall rules, do a packet capture to confirm it actually sees incoming connections
21:41 < spaces> https://www.youtube.com/watch?v=63Ja39PJdrU Wheeehoooooeee!!
21:48 < seekr> I've begun experiencing the inability to connect to a win7 machine using ssh, which uses port 22.  The machine uses a combo cable modem / router provided as part of AT&T Uverse service.  I configured that router several years ago to permit connections on port 22, and all has been working fine until just recently, despite the fact, that I haven't changed anything on the machine.  I'm using Bitvise SSH server software, and have checked via a Putty
21:48 < seekr> connection from the machine itself that that server is responding to connection requests and working well.  The firewall is being handled by the AT&T branded version of McAfee Internet Security Suite, which also appears to be configured correctly to permit connections on port 22 (though that port is not mentioned as such).  Again, that software was not changed prior to the problem manifesting, so I doubt that it's involved.  I attempted connecting
21:48 < seekr> on port 122, which I also opened on the router for test purposes, but I find myself unable to connect on that port also (though in that case, McAfee could be blocking the port).  I used nmap on my own machine to see if I could determine what ports are open.  It reported a couple of ports I use for VNC communication, but nothing else - though it indicated there are a truckload of "filtered" ports.  I don't know how to unfilter such ports or whether
21:48 < seekr> such a thing even makes any sense.  Ideas?
21:48 < jvwjgames> there is no firewall active
21:48 < jvwjgames> ok seekr don't paste multiple lines like that
21:49 < seekr> I pasted nothing - typed all those characters with my own fingertips.  :)
21:49 < tds> jvwjgames: what about those other two parts - can you make http requests to the vm from itself, does it see incoming connections?
21:49 < electricbear> long messages are automatically spliced jvwjgames
21:49 < jvwjgames> oh ok sorry my bad seekr
21:49 < djph> seekr: so connecting from another machine *INTERNALLY* works, but connecting from a *REMOTE* location does not?
21:50 < seekr> I don't see the problem - I just provided a complete description of the problem, to save having to answer questions.
21:50 < seekr> djph: hi there - I think I recognise you from #linuxmint.* channels - you the same person?
21:51 < djph> maybe
21:51 < electricbear> seekr, its no biggie. some channels prefer pastebin, etc, but it doesnt matter i dont think
21:51 < seekr> djph: I have no other machines handy on the LAN to try connecting - so I just used Putty on that machine itself.
21:51 < seekr> Thanks for the moral support, electricbear!
21:51 < djph> you'll need something (anything) that's not "that machine" -- even an android phone running the "connectbot" app will suffice.
21:52 < djph> because testing from localhost vs. a different host would be key if the mcafee firewall went full-stupid
21:53 < seekr> Well, I don't have ready access to the machine (it belongs to my aged uncle on the other side of a vast continent), but if you can give me the name of an ssh client for an iPad, I could see if I can get him to help me test from another machine on the LAN.
21:53 < djph> ask google.  iDevices and Windows are two things I don't do.
21:53 < seekr> djph: yes - I understand - the reason I mentioned that factoid is that I wanted to establish that the ssh server software is working just fine
21:54 < djph> I've yet to call the ssh server into question.
21:54 < seekr> google is evil - but I could do a search for an app using something other than evilGoogle
21:55 < djph> I don't care what you use to search the fucking web ... just go look it up already.
21:55 < seekr> djph: understood - but I think it's relevant nonetheless - I wanted to establish that I've done as much as I can to try to eliminate possible sources of the problem
21:55 < djph> you have not.  You've so far only confirmed the machine lets itself talk to itself.
21:56 < seekr> yes - I have not established that a local connection is possible - so you are right that I haven't done everything - I've done as much as I could under present circumstances - that's all
21:58 < djph> go find yourself that idevice program, and check.  Once you've done that, then you've (mostly) ruled out the firewall on the machine.  Once you've done that, you can take a look at the AT&T modem, and make sure it's doing everything properly -- e.g. forwarding to the right IP address / firewall's properly opened / etc.
22:00 < djph> ... I mean, I guess you could triple-check nothing stupid happened like the winbox has a different IP address than you expect right now ...
22:01 < seekr> djph: It's nearly impossible that the router is to blame, unless it's maybe gone at least semi-stupid, since I've been connecting successfully for æons, having configured the router to open that port when we first got the Internet service
22:03 < djph> I'm sorry, I thought you were asking for help troubleshooting.  I'll just go back to enjoying my well-deserved beer.
22:03 < djph> good luck
22:03 < seekr> djph: Ein Prosit!
22:16 < jvwjgames> sorry fro long delay no tcpdumnp dosen't see connections comming in
22:16 < jvwjgames> and there a re no firewalls on the system
22:24 < tds> I'd check on whatever router is upstream of it in that case
22:26 < Mughal56>  /join #offsec
22:41 < jvwjgames> can some help me further on my issue
22:44 < ouemt> having super long DNS lookup times and some failures, how do I narrow down where the problem is? I've got an edgerouter that's doing caching and forwarding with it NATing requests to any DNS server besides my router
22:45 < djph> what DNS servers are you using?
22:45 < djph> also, it could be the router itself
22:45 < ouemt> djph: 1.1.1.1
22:45 < djph> try skipping the router, see if lookups suck less.
22:46 < djph> (i.e. point the pc directly to it)
22:47 < Poster> dig +trace may also be helpful
22:48 < ouemt> djph: will try that in a bit, requires a little rewiring
22:48 < ouemt> Poster: how's that
22:49 < Poster> https://ns1.com/articles/using-dig-trace
22:50 < ouemt> Poster: will look, thanks
22:51 < tds> jvwjgames: did you try packet captures on whatever router is upstream of that VM?
22:52 < jvwjgames> 'ya nothing also i think i found the issue the vm server uses a bridged system by default i need to switcxh it to a routed system
22:52 < tds> bridging should work fine as long as the provider has all your IP space presented as on-link; if it's routed to an IP on another subnet then you'll need to change that design
22:54 < spaces> lol facebook is down ?
22:59 < tds> jvwjgames: just to confirm about what you said earlier with it being able to "ping out" - what were you testing there?
22:59 < tds> if you're able to send echo requests to a certain address and get replies, but not do the same thing in reverse, that sounds very much like a firewall issue
23:04 < Apachez> GDPR in a nutshell https://i.imgur.com/Yj7wsHD.jpg
23:04 < spaces> Apachez eh ?
23:11 < danieli> Apachez: I've seen a lot of memes that fit well for it
23:12 < spaces> Apachez is it, like... you cannot tell my penis size now as it's private ?
23:13 < danieli> you did not understand the point of that meme whatsoever
23:14 < spaces> danieli smart one mate, that is why I ask
23:14 < linux_probe> lawl, avoid camera 101 accomplished
23:14 < Apachez> american choppers goes GDPR https://twitter.com/wbm312/status/1000040692037533696
23:15 < linux_probe> they didnt get my ugly mug on the shows
23:15 < spaces> Apachez I still wonder how much chairs they ordered each week
23:24 < Apachez> probably sposnored
23:25 < spaces> Apachez yeah and Sr. went bankrupt almost because everyone stopped sponsoring :P
23:26 < inky> is there a way to hide from my ISP my DNS lookups?
23:27 < spaces> use opendns
23:27 < spaces> oh!
23:27 < spaces> no use a HE tunnel
23:27 < tds> you can use dns over tls to hide them if you want (that relies on you trusting the remote server though)
23:27 < linux_probe> uhhhh
23:27 < spaces> for wat reason actually ?
23:27 < linux_probe> he tunnel sint hiding anything
23:28 < tds> ^ it's still a plaintext udp packet inside a 6in4 packet
23:28 < linux_probe> no a VPN on the otherhand ;)
23:28 < linux_probe> now**
23:28 < inky> spaces: whats a HE tunnel? what does HE stand for?
23:28 < tds> I suspect spaces means he.net, they run a service for 6in4 tunnels (tunnelbroker.net)
23:29 < spaces> yes if it's for hosting your small website you can use he.net
23:29 < spaces> then on IPv6
23:29 < inky> i see thanks. is there no "direct" (without vpn) solution??
23:29 < spaces> otherwise do a VPN
23:30 < tds> inky: as I mentioned, if you have a remote dns resolver that you trust (and which supports it), you can use dns over tls
23:30 < ouemt> ok, I disabled NAT on DNS requests (I had been forcing everything to talk to my router), and it just took 15 seconds to query 1.1.1.1 for a major website using dig
23:31 < ouemt> it was like this with NAT on too, which I take to mean, it probably isn't the DNS on the router that's messing up
23:31 < inky> tds: oh i see now. thanks!
23:32 < inky> oh cool, says on wiki that android P will support dns over tls
23:32 < ouemt> inky: maybe dnscrypt?
23:34 < ouemt> djph: skipped the router as suggested, with NAT off `dig @1.1.1.1 cox.com` took 15 sec
23:35 < tds> ouemt: if you try and ping/traceroute to 1.1.1.1, do you see similar latency?
23:35 < tds> 15s response to dns requests sounds rather odd to me
23:35 < ouemt> tds: ping is ~10-12 ms
23:36 < tds> interesting - do you have mtr installed?
23:36 < tds> it might be worth trying it in both tcp mode and udp mode, with dest port 53
23:37 < ouemt> tds, I do have it but I've not used it before
23:37 < ouemt> gimme a min to sort it out
23:37 < tds> you'll want something like mtr -P 53 1.1.1.1, add --tcp and then try with --udp
23:40 < hmig> is it normal for voip phones to send multicast to 239.0.0.1
23:40 < hmig> ?
23:40 < hmig> i knwo its a multicast address
23:40 < ouemt> tds, mk, it's running, max ping to one of those steps is like 80ms, and rarely higher than 25
23:40 < ouemt> I'm thinking this is something with my router I don't understand
23:40 < ouemt> it might still be trying to handle it locally
23:41 < hmig> but ive been having weired issues with voip and I think that the access switces are not forwarding multicast packets to the correct place....possibly
--- Log closed Sat May 26 00:00:33 2018