--- Log opened Sun May 27 00:00:34 2018
01:30 < Apachez> "Airmen responsible for guarding nuclear missiles caught using LSD"  only in murica...
01:34 < spaces> eh ?
01:37 < Apachez> cbs reported yesterday
02:39 < spaces> Apachez ok
02:40 < spaces> this channel is really dead lately
02:41 < linux_probe> life, life life
02:41 < linux_probe> better?
02:41 < agent_white> Only on weekends.
02:42 < Whiskey`> my toxicity has killed them all
02:44 < ouemt> anyone have any experience with ubiquiti equipment? I've got a strange issue with my edgerouter and DNS that I can't figure out
02:46 < precise> ouemt: ##ubnt ?
02:46 < ouemt> precise: dead when I've tried
02:46 < precise> ouemt: It's relatively active
02:46 < precise> But it is Memorial Day weekend stateside, so it's quiet online overall
02:47 < ouemt> hmm... must have been bad luck, I posted in there a few weeks ago and saw no traffic after several hours, so I never went back
02:47 < precise> ouemt: It's quite active at times, but it can look dead. IDK about you, but once I join a chan I idle in there permanently
02:47 < precise> Cuz, ya know, logs, n shit
02:48 < ouemt> yeah, I do on some, but other's I just leave
02:48 < ouemt> I might be misremembering, isn't there a ##ubiquiti or something?
02:48  * ouemt gets the channel list out
02:49 < precise> I think ##ubnt is the only IRC chan on freenode for such topics
02:49 < ouemt> there is ##ubiquiti, and it has 13 users
02:49 < ouemt> I bet that's where I tried
02:50 < ouemt> so thanks for the heads up on ##ubnt!
02:50 < precise> np :)
02:51 < spaces> linux_probe got yourself an AED ?
02:51 < spaces> Whiskey` heh lol are you also still drunk in here ?
02:52 < Whiskey`> spaces: I do not know what you are talking about
02:53 < spaces> Whiskey` you don't know what your names says ?
02:53 < Whiskey`> I know what my name says
02:54 < Whiskey`> stop assuming my sobriety!!
02:55 < spaces> Whiskey` are you afraid people find out you are lying ?
02:55 < Whiskey`> What am I purportedly telling lies about ?
02:57 < Whiskey`> what has me confused is the 'still drunk' part. i do not remember the last time i talked to you, drunk or not.
02:57 < Whiskey`> im very sure ive been sober at least once since then, if not more then once.
02:57 < Whiskey`> now, how sober, or not, that i am right now has not beens stated in here, so, meh
02:58 < spaces> Whiskey` prove it, you name shows us you are alcholic :P We don't know the percentage yet :D
02:58 < Whiskey`> ah well I wont tell
02:58 < spaces> at least you are flamable it seems :P
02:58 < Whiskey`> (cause im not going to go do a blood test to check my B.A.C)
02:59 < spaces> heh
02:59 < spaces> it's mostly written on your label
02:59 < spaces> ir did they took it off after your birth ?
03:00 < Whiskey`> frain I am old school hooch son
03:00 < Whiskey`> fraid*
03:00 < Whiskey`> I didnt get no makers mark
03:02 < Seraxis> !ns info sera
03:10  * linux_probe joins ##ubnt just because
03:15 < spaces> linux_probe what is ubnt ?
03:16 < light> a fork of dbn
03:16 < spaces> dbn ?
03:16 < Whiskey`> lel
03:16 < spaces> not ubuntu ?
03:16 < spaces> eh ? there is ##ubuntu
03:16 < spaces> or #ubuntu
03:17 < Whiskey`> #ubnt
03:17 < Whiskey`> ##ubnt
03:17 < spaces> Whiskey`we cannot trust you, we don't know your % yet
03:17 < spaces> or are you moonshined ?
03:18 < Whiskey`> I AM MOONSHINE BOI
03:18 < Whiskey`> 100%
03:18 < spaces> :|
03:18 < Whiskey`> they made a song about me
03:19 < spaces> even worse
03:19 < spaces> that is how druk they got
03:19 < spaces> drunk
03:19 < errst> spaces, the %, it's about 40%–68% (usually 40%, 43% or 46%)
03:20 < errst> https://www.wikiwand.com/en/Alcohol_by_volume#/Typical_levels
03:25 < spaces> errst I know but Whiskey` is some special type of creature ;)
03:25 < errst> lol
03:31 < Whiskey`> I am. I am lab grade 200proof alc!
03:32 < Whiskey`> gotta keep my ass in a slealed glass container else i start drinking water (bleh)
03:32 < linux_probe> lol
03:32 < linux_probe> there is no 200 proof =p
03:32 < linux_probe> 199.xxxxxxxx
03:33 < spaces> ok, it seems everyone is etting drunk now
03:33 < spaces> getting
03:34 < linux_probe> spaces is always so drunk he's in spaces
03:34 < linux_probe> way into the outer spaces thatr is
03:34 < precise> I should get drunk
03:34 < precise> But I cant
03:35 < Whiskey`> linux_probe: hush your filthy mouth!
03:36 < Whiskey`> spaces: have you found my song? a clue is jerry reed
03:37 < linux_probe> heh
03:38  * linux_probe thinsk either the bird or she got the gold mine :))
03:39 < Whiskey`> linux_probe: you made me cry! now im only 193proof!!
03:40 < linux_probe> haha
03:40 < Whiskey`> barely even dollar store iso now =(
03:40 < Whiskey`> (na that crap is like 50% water)
03:40 < linux_probe> lol
03:41 < linux_probe> I usually start with 90% then I fail to close the damned lid >_<
03:42 < Whiskey`> thats alcohol abouse right there
03:51 < Whiskey`> https://www.youtube.com/watch?v=MZ35SOU9HTM was also wrote aobut me
03:52 < Whiskey`> spaces: ^
04:14 < spaces> Whiskey` yo must be rich and famous!
05:03 < agent_white> Whiskey`: I'm not an alchoholic, just a liquor enthusiast. ;)
05:04 < Whiskey`> spaces: I am!
05:05 < Whiskey`> agent_white: Arent we all?
05:05 < agent_white> Amen.
05:12 < spaces> Whiskey` be fair and share :P
05:29 < spaces> so it seems to be happening... Orcale is going to ask money for Java!
05:35 < Epic|> haha
05:35 < Epic|> sucks dick when its 'free'
05:36 < Epic|> will probably be awesome as a pay product
05:37 < linux_probe> java needs to die
05:37 < linux_probe> they whined until microsloth no longer had it, then didnt maintain it for shart
05:41 < adamz> Hi everyone. I have a host (an IP camera connected via wifi) that I can ping reliably from a freebsd host (wired) and a macOS host (wireless). Yet from Windows and Linux hosts (wired and wifi), i'll get a reply for about 5 seconds, then "Destination Host Unreachable" for about 20 seconds.
05:41 < adamz> I can ping all other hosts, wired and wireless, from all other hosts without issue.
05:43 < adamz> I does look like the ARP entry on the linux hosts is becoming INCOMPLETE, then switches to PROBE -> STALE -> FAILED -> INCOMPLETE
05:44 < linux_probe> wifi, yup
05:46 < adamz> i know, wifi
05:46 < adamz> but still, every other wifi device works
05:46 < adamz> i eve put the camera next to the access point
05:46 < adamz> the AP is a UniFI AP-HD
05:51 < linux_probe> probably the camera
05:52 < linux_probe> or known bug with camera/ap firmware
05:52 < linux_probe> is the ap updated, is the camera updated
05:55 < linux_probe> if it's all updated, try the camera on other ap and see if the same occurs  ;)
05:56 < linux_probe> if it's an older camera perhaps power supply is weak and it keeps rebooting
05:57 < adamz> yeah, its probably the camera. It has a ethernet port too, which works fine. Just on wifi
05:57 < adamz> Latest firmware for both the AP and camera.
05:57 < Whiskey`> adamz: sounds like the camera is disconecting or ip conflict
05:58 < linux_probe> ^ yeah good one also, maybe mac address conflict even
05:58 < Whiskey`> thats rate but ya
05:58 < Whiskey`> rare
05:58 < Whiskey`> i am now 500 proof!
05:58 < linux_probe> he didnt say if it was total chinesium camera or not lol
05:58 < Whiskey`> my typing shows it
05:59 < linux_probe> id still eyeball the camera powersupply or watch and see if it keeps reseting, the wifi would use more power than wired eth
06:00 < Whiskey`> ^
06:00 < Whiskey`> yup make sure its not dropping off
06:00 < adamz> its chinesium
06:01 < linux_probe> watching DHCP requests is likely a good idea also, assuming you didnt set it static
06:01 < adamz> not a MAC conflict, as far as I can tell
06:01 < Whiskey`> in fact can you login to the router nad see the wifi uptime
06:01 < adamz> it makes one DHCP request when it powers on
06:02 < adamz> on the access point admin page (Unifi controler) it has an uptime of hours (since I last power cycled it) and a signal stength of  99% (-16 dBm), which makes sense since the camera is practically on-top of the AP.
06:02 < Whiskey`> ok THAT can be  issue
06:02 < Whiskey`> move it away
06:02 < Whiskey`> hot wifi is as bad as cold wifi
06:02 < adamz> if it was dropping off the wifi network, why are the pings from the macos and freebsd hosts 100% reliable, yet from linux they arent?
06:02 < Whiskey`> it needs to be juuuust right
06:03 < Whiskey`> adamz: you said they were NOT
06:03 < Whiskey`> [20:42:54] <adamz> I does look like the ARP entry on the linux hosts is becoming INCOMPLETE, then switches to PROBE -> STALE -> FAILED -> INCOMPLETE
06:03 < Whiskey`> that should not happen while pinging
06:03 < linux_probe> half are good, half are bad he said, and showing some funky "MAC" arp entries
06:03 < Whiskey`> oh i missed that
06:03 < adamz> on macos i see every reply from the ping sequence
06:04 < adamz> ie, 0% packet loss, and every ping gets a reply
06:04 < linux_probe> what about the ping responce times though
06:04 < adamz> ~1ms
06:04 < Whiskey`> ok on the mac is the mac correct
06:04 < adamz> reliably 1ms
06:04 < linux_probe> so no lag hmm
06:05 < adamz> i was thinking maybe something different with how ARP entries are cached/purged between macos/freebsd and linux?
06:06 < Whiskey`> not likely
06:06 < Whiskey`> make sure the MAC is the sme on all hosts that ping it
06:08 < adamz> yep, looks like the cam has the same MAC on both the freebsd and linux ARP entries
06:08 < adamz> which is the same MAC that requested the DHCP lease, and thats connected to the AP
06:10 < Whiskey`> ok power it down and do pings
06:10 < Whiskey`> there isnt antoher switch in the middle someplce is there
06:12 < adamz> network setup is:   PFsense box -> EdgeSwitch -> UniFi AP -> Camera.       PFsense box is the DHCP server. Unifi AP is a pure wifi access point. The edgeswitch configured as a layer 2 switch.
06:13 < adamz> the freebsd box is wired into the edgeswitch
06:13 < adamz> my macos laptop is connected to the same wifi AP as the camera
06:13 < adamz> the freebsd and macos boxes can ping the camera 100% reliably
06:14 < adamz> multiple linux boxes wired into the switch can't ping the camera reliably
06:14 < adamz> nor can my linux laptop connected via wifi
06:15 < adamz> with the wired freebsd box pinging the camera (on wifi), i pulled the power on the camera. The pings stopped as soon as i pulled the plug. No "Destination Host Unreachable" messages.
06:15 < linux_probe> if you keep refreshing the pfsense "ststus>dhcp lease page, the camera or any of the clients are changing to offline status are they
06:17 < adamz> with the power pulled on the cam, the PFsense DHCP leases page still shows it as "online".  The other hosts (macos box, freebsd box, linux boxen, etc) are all "online" too
06:17 < linux_probe> and maybe check and refresh the switch ma/arp list to see if there's an issue there
06:25 < adamz> the switches ARP table is empty since it's only in l2 mode
06:26  * linux_probe faceplams,
06:27 < linux_probe> well, hit console on pfsense and do arp -a and keep watching it
06:27 < linux_probe> i guess other than that, make sure all the packet sizes are 1500 lol
06:29 < adamz> the cam is plugged back in. the output of `arp -a` on the pfsense box shows the cam: ? (192.168.1.164) at 9c:8e:cd:12:a7:28 on igb1 expires in 1099 seconds [ethernet]
06:29 < adamz> which is the right MAC
06:30 < Whiskey`> adamz: how long did you leave the cam off while pinging
06:30 < adamz> about 5 mins or so there
06:31 < Whiskey`> ok so more thne long enough for a alt ip to pop up
06:31 < Whiskey`> well im going to blame the pfsense and call it good
06:31 < linux_probe> or some switch bug
06:32 < linux_probe> check the switch for firmware updates/bugs?
06:32 < adamz> i have. its on the latest too
06:33 < Whiskey`> its the pf...
06:33 < Whiskey`> always is
06:34 < adamz> this issue occured even when pfsense wasn't involved. Origianlly I had everything on a separate VLAN that didn't even trunk to the PF box and one of the other linux boxes (and even at one point the switch) was offering DHCP leases. Saw the same problems.
06:35 < adamz> i spent most of today reconfiguing everything to disable vlans, etc so that the network is as "simple" as can be.
06:37 < dogbert2> gah - National Australia Bank on Saturday suffered what it described as a "nationwide outage" to some of its technology systems, leaving customers unable to access banking services or withdraw money. Customers took to social media to vent their frustrations, with some saying they were left unable to pay for groceries or refuel their cars...
06:40 < superkuh> So use cash.
06:41 < superkuh> Relying on some third party service to make all your purchases is stupid.
06:41 < jessica523> or loot stores
06:44 < local_host> Can an individual or institution buy ads to target your specific ip address/computer?
06:48 < local_host> Does one have to buy the ad or can your local isp just inject ads into YouTube videos?
06:49 < adamz> im going to blame the IP camera. I was haing issues with it even respecing DHCP leases before. If i was offering an address without a gateway, it'd accept the offer, but then assign 192.168.1.108 statically to its interface anyway. Yahoo
06:50 < adamz> piece of crap chineseum
06:50 < Whiskey`> local_host: no only google can inject ads to youtube
06:51 < linux_probe> lol adamz
06:51 < Whiskey`> what brand of chineseum
06:51 < local_host> Whiskey:Can an individual or institution pay Google to target my address specifically? Is there some pay to harass a specific person just because you don't like them form.
06:52 < Whiskey`> local_host: not at all
06:53 < local_host> Whiskey:What about SEO don't they have it for direct ad targeting. Someone in power is abusing their authority then.
06:53 < Whiskey`> uhm
06:53 < Whiskey`> im not up on exactly how the back end works, but ive never heard of google serving abusing ads
06:54 < Whiskey`> if you are getting suspect ads i would think you are infected with some malware
06:57 < adamz> Whiskey`: Amcrest
06:58  * linux_probe suggests adblocking
06:58 < adamz> i've used other cameras with veeeeery similar web interfaces before. So similar I think they might have just modified the CSS and replaced a few brand logo images.
06:58 < linux_probe> if you cannot use adblocking, then dont use the web/ga,mes on said dummy devices
06:58 < linux_probe> :) solved
06:58 < Whiskey`> thats odd arcrest is pretty good
06:58  * linux_probe prefers not paying to see bullshit spammed at me
06:59 < linux_probe> and they want to charge more for intertubes? and still spam the fuck out of me?
06:59 < Whiskey`> well in fairness google doesnt charge you for intertubez
06:59 < linux_probe> no, they just track and spam the fuck out of everything
06:59 < linux_probe> :))
07:00 < linux_probe> slowing the intertubes for all
07:00 < Whiskey`> yea well thats how they charge you for the intertubez
07:00 < Whiskey`> ....=)
07:00 < linux_probe> slowing and infecting machines
07:00 < RudyValencia> OK so I currently use two Mikrotik routers to do an IPsec tunnel between me and a colleague in Florida. I want to switch to something a bit more modern that can do the same tunneling between our sites, any suggestions for prosumer gear that can?
07:00 < Whiskey`> uhm, no google doesnt do shit to slow the tubez for anyone
07:00 < Whiskey`> they build more backbone then any ISP does
07:00 < linux_probe> all the ads = slowing and browser lagging
07:01 < Whiskey`> google ads are some of the lightest resource wise there is
07:01 < linux_probe> burn it all with fire
07:02 < Whiskey`> so how would you support google searvice that you use for free?
07:02 < linux_probe> what google services
07:02 < linux_probe> other than chrome lol
07:02 < Whiskey`> if you dont use thier stuff, stfu about them
07:02 < Whiskey`> damn probe you on troll mode tonight
07:02 < linux_probe> becauswe they are the #1 biggest adware, malware and spyware corp lol
07:03 < linux_probe> troll mode? I'm being serious
07:03 < Whiskey`> and i still trust them more then facebook, yahoo and the us gov combined
07:03 < linux_probe> the rest got the idea from google
07:04 < Whiskey`> na others did it, google just did it better first
07:04 < linux_probe> well, that and stupidity of sheeple not knowing they have no privacy =p
07:04 < Whiskey`> yea well you cant do anything online with privacy
07:04 < Whiskey`> not anymore
07:05 < linux_probe> I mean it's one thing knowing about the provacy loss and still using it, fact is most do not have a clue
07:05 < Whiskey`> yea most dont
07:05 < Whiskey`> the facebook stuff slapped a lot of ppl tho
07:05 < Whiskey`> dammit where is my kindle, fkn kids ran off with it
07:09 < linux_probe> kindle lol
07:19 < local_host> So who has control the isp or YouTube because somebody rich people related to AT&T and the universities in my area are definitely paying for this crap. Are they directly contacting the company or are they going through the isp?
07:20 < local_host> Also could someone tell me how this works on the backend or send me a link to some uncensored code?
07:22 < local_host> You are fucking children...if I had access to the code I wouldn't act like a little entitled shit.
07:23 < tohsa> why cant I access old.reddit.com with the ip address from nslookup? 151.101.21.140? Trying to redirect reddit.com to go to old.reddit.com
07:23 < linux_probe> o_O
07:23 < tohsa> with the hosts file
07:25 < DSee> can someone give me some ideas to transform my SOHO/home network into a low enterprise or mid-grade business thing? firewalls, VPN, etc, anti-penetration
07:33 < local_host> You're heads of international companies and you're over 60 with insider information and you're using it to fucking insult me? Now I have a goddamn filter are you people tired or jacking off?
07:33 < local_host> You're heads of international companies and you're over 60 with insider information and you're using it to fucking insult me? Now I have a goddamn filter are you people tired of jacking off?
07:35 < tohsa> lolwhat
07:35 < linux_probe> what kind of drugs is that fella/bot on
07:39 < local_host> Wait I forgot you can't you need a penile stint to even function.
07:39 < linux_probe> local_host~ has peniles in his arse and mouth
07:40 < local_host> I'm serious they are reading my packets and I don't even have access to the code or knowledge to see who is doing this.
07:40 < The_Shadows> 30min of troubleshooting why connection between firewall and switch was only 100M..., Changed 10 cabels and switch but real problem was between firewall and router :D. Intel nic green light 100MB and i was so sure that green meant 100 that didn't even check anything :D
07:42 < The_Shadows> I mean green = GBe and amber = 100Mb
09:09 < pabed__> hi guys , is there anyone who implementes failover with "opnsense" I follow this manual "https://wiki.opnsense.org/manual/how-tos/multiwan.html" but it doesn't work . any idea?
09:10 < sql00_> Hello
09:40 < sql00_> I want to configure Port Mirroring for outgoing traffic on my home network, but how outgoing ssl traffic will be decrypted on monitoring port ?
09:43 < skyroveRR> sql00_: you'll have to take a packet dump on some machine, and most of it will be garbage.
09:43 < skyroveRR> Without a proper decryption key.
09:45 < sql00_> Where should I connect switch to analyze traffic from VLAN and Wireless Clients ?
09:46 < skyroveRR> You have to set a mirroring port on a manageable switch.
09:46 < Aleksandar86> I have Ubiquiti UAP AC PRO, I set VLANs on him. On Mikrotik I have DHCP for VLANs but not working good. I connect to UAP via Wifi and I got IP from Mikrotik, but after 5 secunds all  wifi networks going down...
09:47 < Aleksandar86> Anybody here had same problem?
09:49 < sql00_> Yes, I have to set a mirror port on managaeble network switch, but where exactly switch needs to be placed ? Between Router and ISP Cable ?
09:51 < sql00_> At the moment ISP cable is connected directly to my Linksys router, but I am going to buy network switch which supports port mirroring and need to know where I should to place the network swtich
09:51 < sql00_> because I want to monitor not only Vlan users but wireless users.
09:56 < iPaq> Hey lads. I've got a setup at home involving all linux hosts (and the router), VLANs 10, 20 and 30 for servers, mystuff, and 'guest', the guest wifi also being forced into Vlan30. It's all very nice and all. But some of my servers are (CentOS)KVM Hypervisors. And I'm wondering, should I be setting them up as trunks and passing eth0.10,20 and 30 through to VM's as per the vlan they need to be in? or should I be handling this more sec
09:58 < iPaq> Like I don't use eth0 on either hypervisor, only eth0.10 has IP's assigned for both box, being servers, therefore in VLAN10. But this way new VMs could be bridged onto eth0.30 if they're to be untrusted. Instead of eth0 itself. Does.. this all sound like the right thinking? Or is this pretty stupid.
10:15 < detha> iPaq: I generally run a trunk to the hypervisor, then bridge each VM to the appropriate vlan on the trunk
10:16 < detha> If a VM needs to be in more than one vlan, give it two virtual interfaces, one bridged to the one vlan, one to the other vlan
10:17 < iPaq> Thanks @detha that's exactly what I wanted to hear <3
10:17 < iPaq> Welp, I'm off to push that setup. Have great nights
10:28 < sql00_> Can anyone suggest me network switch with port mirroring support for home network monitoring?
10:29 < skyroveRR> sql00_: most manageables can do that..
10:42 < Korisnik_> is posible use Ubiquiti UAP AC PRO VLANs with Mikrotik DHCP?
10:42 < Korisnik_> in my case not working
10:47 < sql00_> ISP CABLE --> Router(DHCP) --> SWITCH(Port Mirroring) --> On one of the Switch source ports I will connect router2 with WAP enabled. On other ports on switch I will connect PC's and on destination port I will plug Monitoring PC. What do you think ? The idea is to fully monitor home network traffic + wireless
12:29 < luc4> Hello! I'm trying to configure a router as a switch to connect to my network and extend it with new eth ports and wifi signal. What I see is that any system which connects via wifi to it cannot get an address via DHCP 90% of the times. Static IPs work properly instead. Any idea of a possible explaination?
13:28 < luc4> Anyone who knows if a wifi router should be able to act as a switch with wifi AP?
13:31 < detha> "it depends". crappy all-in-one things often have the option to disable parts of the firmware, but not always. Proper way: use a device that knows what it is, i.e. separate switch, and separate access point.
13:40 < longxia> luc4s: yes, i have one running (Mikrotik RB951G), although RouterOS now treats it as a bridge with "hardware offloading".
13:41 < longxia> luc4, did you just gain an 's' in your nick?
14:16 < grawity> oddly, it doesn't offload VLAN filtering on the RB951G, even though the switch chip seems capable of it
14:19 < grawity> I wonder why my iperf3 tests between two servers start at 200 Mbps but then slowly drop to just 100 Mbps within 10 seconds
14:20 < grawity> is that some QoS stuff or
14:23 < dostoyevsky> I have very unreliable internet at this hotel here... so I keep ping running all the time to see when it goes down again.  One odd thing: Sometimes I always see "Request timeout" but then I just press CTRL-C restart ping and I get pings again
14:24 < dostoyevsky> it's like I restart the network by pressing CTRL-C
14:36 < spaces> so life sucks as we need to work again tomorrow
14:36 < batch> anyone here got some script to join a sambaserver to activedirectory?
14:37 < grawity> `realm join` if you have realmd installed
14:38 < batch> oke wow thx let me check it out
14:41 < spaces> grawity we don't mix I think
14:41 < grawity> yes I prefer tabs
14:41 < dogbert2> yeah...I werk tomorrow, but at double time and a half :)
14:42 < Apachez> grawity: how fast does it drop?
14:42 < Apachez> grawity: tried differnt settings?
14:42 < spaces> dogbert2 I just hobby all day long :P
14:42 < Apachez> get the same drop with lets say 2 concurrent transfers?
14:42 < Apachez> normally qos allows a small burst and then it throttles down to whatever speed is configured
14:43 < grawity> Apachez: approx 10 seconds
14:43 < Apachez> sounds too large
14:44 < Apachez> the burst is more like max 1-2 seconds
14:44 < grawity> kinda like this https://ptpb.pw/496g.txt – same with SSH file transfers, not iperf-specific
14:44 < Apachez> sounds more like some other thing is kicking in
14:44 < Apachez> like congestion control or such
14:44 < Apachez> whats the latency between the endnodes?
14:45 < grawity> ~40 ms, it's over WAN from my VPS (from two different VPSes at different locations) to my server at $WORK
14:45 < grawity> I mean, I don't really mind it but a bit curious if it's intentional or something else
15:12 < realbadhorse> i dont know if its relevant here but i want to proxy everything through burpsuite which i already know how to but now i also need to connect to a proxy server while being connected to burp
15:12 < realbadhorse> how do i do that?
15:13 < Apachez> grawity: unless you have really small send/receive buffers 40ms shouldnt be a problem
15:13 < Apachez> you can do the maths with bandwidth product delay
15:13 < Apachez> bandwidth delay product
15:14 < Apachez> delay bandwdith product
15:14 < Apachez> ehh whatever that formula is called :)
15:15 < Apachez> https://en.wikipedia.org/wiki/Bandwidth-delay_product
15:15 < Apachez> so with 40ms delay
15:15 < Apachez> and lets say 200Mbps
15:15 < grawity> realbadhorse: https://i.imgur.com/4bDSejS.png
15:16 < Apachez> 200M * 0.040 = 8000000 / 8 = 1 000 000 bytes buffer
15:16 < Apachez> so you need in theory 1Mbyte send/receive buffer at each end
15:17 < Apachez> but thats somewhat flawed
15:17 < Apachez> I can get 1G with less than that
15:42 < Apachez> not even animals like snowballs =) https://imgur.com/zxWvLYS
15:43 < shtrb|laptop> Where is the snow there ?
15:47 < mnemon> Apachez: https://www.youtube.com/watch?v=kT8sTEDtUAI nah, horses are just evil.
15:49 < quarterback> Can anybody tell how much bandwidth and speed is required for setting up a dedciated dns server like 8.8.8.8 ? Are two dns servers needed to setup root dns?
15:50 < mnemon> quarterback: you cannot setup a root dns for other people, the bandwidth depends solely on the number of clients.
15:50 < moosebumps> hey i have a question
15:50 < moosebumps> can i ask it
15:50 < shtrb|laptop> !ask
15:51 < moosebumps> its about politics and horses
15:51 < mnemon> moosebumps: read the topic.
15:51 < quarterback> mnemon, What do you mean by "cannot setup root dns for other people"? Can a dns server be setup for many countries?
15:51 < mnemon> quarterback: what do you mean with "root dns"?
15:51 < shtrb|laptop> quarterback, you are using root dns, I don't think you mean what we mean by that
15:52 < shtrb|laptop> quarterback, you can force english epaking countries to add a new character and open yourself a possition for a new root tomain
15:52 < shtrb|laptop> *domain
15:52 < moosebumps> dont talk back to the quarterback
15:52 < quarterback> shtrb|laptop, I am also new to dns, I just know some basics of networking. I have a high speed lan internet and hoped to setup some server. Be it dns, ftp or ircd.
15:53 < shtrb|laptop> I think you just wish to setup a DNS server (not root dns )
15:53 < quarterback> shtrb|laptop, No, I dont mean to open a new language to the dns system. I intend to setup a english dns server. Bare with me as this is somewhat new to me.
15:54 < tds> in general I'd avoid running a public dns resolver, since it's relatively likely it'll be abused for reflection attacks
15:54 < quarterback> mnemon, By root dns , I mean a core dns server of the internet which resolves Ip addresses into TLD's.
15:54 < tds> if you just want to run your own dns resolver for internal use, sure, go for it
15:54 < quarterback> Tds, a firewall can be setup and if you add ddos protection, its not that hard I believe.
15:55 < quarterback> tds, No, its for personal use. I mean it for public use. For corporations and public, academia in India.
15:55 < quarterback> tds, And also for other nations.
15:55 < tds> well the ideal solution for reflection attacks is for everyone to start filtering source addresses (see bcp38), but it'll be a while off before that's implemented everywhere
15:55 < quarterback> tds, Its not for personal use only *
15:56 < quarterback> tds, Those kind of attacks are rare in India I believe.
15:56 < tds> if you want to run a service for use in multiple locations, you probably want to look into anycast, otherwise latency will be terrible compared to other public resolvers
15:56 < mnemon> quarterback: I'd suggest you read up on how the DNS infrastructure works. short answer is that you cannot set up a root dns server. You can set up a DNS server for your domain or a resolver/cache for client devices. https://en.wikipedia.org/wiki/Root_name_server
15:57 < shtrb|laptop> quarterback, you wish to create just a DNS server, the new letter was to express to you that root dns server (are one of the 13 letters used to create TLDs) , there are alternative options to ICANN mandated(?) , you just need to check about "normal" DNS servers
15:57 < quarterback> mnemon, The internet in India is a different network. Can't I own a chunk of it in Asia? I dont have to bother about other nations in western world.
15:58 < shtrb|laptop> quarterback, google ICANN
15:59 < shtrb|laptop> or you could take over some ISPs and just push your own service only for Indian customers (inventing your own tlds)
15:59 < mnemon> quarterback: it is not separate as far as the whole dns system is concerned, specifics such as subdomains under the national TLD's are usually controlled by countries or the control is delegated by them.
16:00 < tds> if you actually want to run a public dns resolver and have random people using it though, you'll need to give them a compelling reason to do so, which I suspect you don't compared to the other big public ones
16:00 < quarterback> shtrb|laptop, There is a .in domain which comes from India. I see that many .in domains are hosted in usa or elsewhere. I want to change that. Let indian domains be in India and their names be resolved from a dns server in India.
16:01 < mnemon> you just need a normal dns server for that.
16:02 < quarterback> mnemon, So is it possible that I start a dns service and tell ISPs in India.. they are free to use it or for some yearly charge. Would it work?
16:03 < mnemon> you need to tell whoever owns the domain, but yes in principle it is possible.
16:03 < quarterback> mnemon, Where does domain comes here? do you mean any .in domain ?
16:03 < shtrb|laptop> quarterback, If you wish to take over .in tld you need to a permission from ICANN and from National Internet Exchange of India, but in reallity you can start a register , interact with some officalls to get things done and in time you could start register stuff under .in
16:04 < quarterback> shtrb|laptop, I am not solely interested in web hosting or being a reseller of .in domains. I am interested in setting up some infrastructure which is hardware and a few servers which could be greatly put to use or be exploited.
16:05 < shtrb|laptop> nixi is friend, but first you would need to prepare good sums of money to pay for the infra and legalization
16:05 < Apachez> tds: also tier1's and 2's could start filtering which ranges they see based on bgp AS info
16:06 < quarterback> shtrb|laptop, well I've got a ISP who agreed to give me fixed IP addresses. What else do I need?
16:06 < shtrb|laptop> lol
16:06 < shtrb|laptop> not sure if trolling or serius
16:06 < tds> Apachez: out of interest, do you know if any of them do at the moment?
16:06 < quarterback> Apachez, I think its a tier 3 ISP which is offering me ip addresses. Do I need to approach a tier 1 or internet backbone provider for the bandwidth?
16:07 < quarterback> mnemon, I am curious if there any legal matters with ICANN which need to be addressed first for setting up a dns server, I mean a normal dns server in your terms.
16:08 < tds> quarterback: if you want to run a public dns service, you'll likely want to run multiple servers in different locations with anycast (announcing the same prefix in all these locations), and ideally multiple transit providers and local peering (especially if you plan on pushing lots of bandwidth)
16:10 < mnemon> quarterback: you can run dns server for individual domains as long as the owners point to your service without any extra hassle usually, some registrars might have special rules.
16:10 < quarterback> tds, Yes, I intend to go in that direction. It seems setting up a dns is easy with ready to use software. Maintenance can be a bit of work which many people can learn. First I start in one location and scale it into three or four cities where there are international submarine cables.
16:10 < Apachez> tds: dunno, its been spoken about at NANOG and the other conferences for some time
16:11 < Apachez> there is a ASDB or whatever its called that could be used to lookup ipranges per AS
16:11 < Apachez> and get answer which ranges should be seen through each AS (even if that AS is uplink to others)
16:12 < quarterback> tds, I also live in a country which is geographically and demographically very big, its about 3000km from one end to another with a population density of over 500/ sq mile. So there would be need for servers as this.
16:12 < shtrb|laptop> Apachez, bgp.he.net/AS714#prefix
16:12 < shtrb|laptop> is one way
16:13 < tds> lots of providers are using the data already to generate prefix filters on sessions, use of the same data for source address filtering seems to be much less common though
16:13 < Apachez> shtrb|laptop: the thing is that the prefixes listed are the ones you "own"
16:13 < Apachez> the problem is that you as an upstream ISP will provide other prefixes
16:14 < Apachez> like lets say Telai have prefix X
16:14 < Apachez> and telenor have prefix Y
16:14 < Apachez> if you are connected to telenor and telia do have a routing through telenor then you will see from telenor both prefix X and Y
16:14 < tds> tools like bgpq3 can work on as-sets, so that'll cover downstreams and downstreams of downstreams and so on with no issues
16:14 < Apachez> and thats the tricky part
16:15 < Apachez> because which prefix is seen by whom may differ
16:15 < tds> (that does rely on everyone keeping as-sets up to date though, which likely isn't the case :/ )
16:15 < quarterback> What are the prefixes you are talking about?
16:15 < Apachez> just because telia uses telenor as uplink in sweden doesnt mean that they will do that in lets say usa
16:15 < Apachez> so if you are connected to telenor in usa you shouldnt see prefix X at all
16:16 < Apachez> quarterback: prefix is the iprange assigned to a specific AS
16:16 < Apachez> iprange(s)
16:16 < Apachez> well as-sets are up2date through RIR's
16:16 < Apachez> at least about who owns which range
16:17 < Apachez> but its not updated who uplinks through who and where
16:17 < Apachez> and for such acl to have some kind of meaning you need a way to figure this out in an easy and fast way
16:17 < Apachez> preferly if bgp itself could be extended to do this
16:17 < mnemon> quarterback: a fix already exists for the "large amount of people connecting", it's the ISP resolvers/cache.
16:18 < Apachez> mnemon: resolers have nothing to do with bgp
16:19 < mnemon> Apachez: I was commenting on the earlier DNS discussion
16:21 < quarterback> mnemon, Does every ISP have dns servers of its own? I see many companies in India use google'
16:22 < quarterback> mnemon, use google's dns server 8.8.8.8 and 8.8.4.4
16:22 < shtrb|laptop> Many ISP have their own (all?), many use Google's as the forwarded to (secondary) and some have signed an edge agrement
16:22 < quarterback> mnemon, What could be the meaning of that? Don't they have dns servers of their own?
16:47 < spaces> I need to whine
16:48 < spaces> Apachez let me borrow your lap
16:52 < pk2010> hello
16:53 < pk2010> suppose i buy a server from a host and there is lots of traffic on it...then i cancel the server subscription..now if that traffic keeps coming on that IP address
16:53 < pk2010> how hosts give this IP to new users
16:54 < pk2010> i mean this excess traffic will be useless for new customer..no?
17:10 < Apachez> spaces: here here, sit in my lap and Ill sing soft kitty for ya ;)
17:12 < Apachez> Soft kitty, Warm kitty, Little ball of fur, happy kitty, sleepy kitty, purr purr purr...
17:24 < spaces> Apachez oh I love you :D
17:24 < spaces> but don't touch my kitty!
17:25 < Epic|> ...
17:26 < superkuh> https://juliareda.eu/2018/05/censorship-machines-link-tax-finish-line/ - the next step in the Euro attack on the internet after GDPR.
17:27 <+catphish> superkuh: time to leave i guess :)
17:28 < spaces> Epic| you might don't know Santa Claus in person...
17:28 < superkuh> US is already copying GDPR with some bills. Once they show the gov can use these types of excuses to grab more power it'll happen here too.
17:28 < superkuh> Think of the communists/terrorists/children/privacy.
17:28 <+catphish> i mostly like GDPR, as far as i can tell, it achieves what it sets out to achieve
17:28 <+catphish> the only downside is the administrative costs
17:29 < superkuh> It has the implicit premise that people are too stupid to make the right choices and not use shit services so the government must do it instead with the monopoly on violence.
17:30 < superkuh> s/with the/with their/
17:30 <+catphish> i don't think a user can be expected to know what what will be done with their data
17:30 < superkuh> And the other premise that it's "their data" even when it's not their service.
17:31 < superkuh> It's only your data if you aren't using third party.
17:31 <+catphish> wha?
17:31 < superkuh> Like making it illegal to take a photo of someone who came over to your BBQ.
17:31 <+catphish> well that's not covered by GDPR
17:32 < superkuh> Yes. It's an analogy.
17:32 < detha> I'll stick to the original 'Click here to confirm you are not a citizen of the EU to enter this site'
17:32 <+catphish> detha: i've never understood that, if it's a non-eu company, they can just tell users they don't comply with EU law
17:33 <+catphish> they aren't even obliged to do that, but seems polite
17:34 < detha> EU seems to intend to make their law reach outside the EU; and even if that doesn't hold up, lawyers costs to prove it will be too high
17:34 <+catphish> whose lawyer costs?
17:34 < detha> Mine, should someone ever try to slap GDPR charges on me
17:35 < detha> s/charges/fines/
17:35 <+catphish> detha: you'd travel all the way to europe, to answer the complaint? :|
17:35 < superkuh> Anyway, the newly proposed regulations are fairly clear cut in their shit-ness.
17:35 < superkuh> (ie, what's in the linked article, not gdpr)
17:35 < detha> No. But they seem to want to make various treaties work for them
17:35 <+catphish> detha: if someone tried to serve me a DMCA notice for example, i'd just politely tell them it doesn't apply to me
17:36 < detha> That you can do. The whole intent of this GDPR mess is to make that difficult/expensive to do even for people outside the EU
17:36 <+catphish> of course, there's the argument that if you're supplying services in the EU, you must follow laws there, but that really only matters if you have some kind of presence there
17:37 < detha> Exactly. Which is why I don't want to provide services to the EU under these terms
17:37 <+catphish> detha: why not anyway?
17:37 <+catphish> as a consumer, i'd be pretty unhappy if you weren't complying with it :(
17:38 <+catphish> detha: if for example you won't delete my data on request, i don't want to give it to you :(
17:39 < detha> As a consumer, I expect companies to take whatever I give them, and regulators to stay well out of the way
17:39 <+catphish> detha: well then i'm glad with people like you around, the laws are coming
17:40 <+catphish> fuck having my data that i give compnies for one purpose being sold off
17:40 < spaces> catphish get a profit from it!
17:40 <+catphish> not my cup of tea
17:40 < detha> You didn't see that coming? There is a reason I never had any facebook/twitter/... account
17:42 <+catphish> well for things like facebook, you essentially sell them your data in exchange for their service, i guess that's fine as long as everyone involved understands / accepts it
17:43 <+catphish> anyway, it's mostly working for me
17:43 < BT709> Hi All, anyone got any experience with packetfence? Looking at this compared to just freeradius for a wired 802.1x project to handle around 110 switches with 3000 linux/windows clients.
17:43 < detha> And therein lies the problem. Most people don't. And this is why the regulators now put all this ridiculousness in place, to protect the people against themselves
17:44 <+catphish> the only problem i've had with GDPR so far is one person who has set up about 10 free accounts with my service with different email addresses, total mess (and clearly against our terms), is now attempting to use the regulations to ask for a copy of all the data held about him, admin nightmare
17:44 <+catphish> detha: that much i agree with
17:44 <+catphish> detha: but we don't really like letting people who *are* stupid get abused here
17:45 < ryao> Why is it that DECT phones always have the base station integrated with a phone charger and sometimes also an answering machine. It seems to me like it would make things much easier if it were just a base station that could be powered using PoE with the handsets placed around the house. :/
17:46 < tds> catphish: aren't you at least allowed to charge an admin fee for requests like that?
17:46 < ryao> BT709: I don't use packetfence, but I use freeRADIUS through pfSense. I'd be comfortable using freeRADIUS for what you are doing if I were you.
17:46 <+catphish> tds: no
17:47 <+catphish> tds: you're only allowed to charge a fee if the requests are excessive, but a single request has to be free
17:47 < ryao> catphish: I assume that you are referring to GDPR. I suspect that anyone without a presence in the EU can ignore it, although the way people are acting is as if they expect the EU to try to get them extradited if they don't comply, even if they don't do anything with the EU.
17:47 < detha> I would call 10 identities on one service excessive
17:48 <+catphish> ryao: i agree, i'd expect non-eu companies to ignore it, as long as they don't have a significant presence in the EU, i don't see what anyone could do about it
17:48 < tds> catphish: ah, has that changed with gdpr from the original data protection legislation?
17:48 <+catphish> tds: yes
17:48 < tds> for some reason I thought you could charge a small admin fee by default, I think the only source for that might have been ICT GCSE though :P
17:48 < ryao> catphish: It annoyed me though. The iOS speedtest app has a GDPR privacy notice that is on an infinite loop. You accept it and then it shows up again. It makes the app unusable. :/
17:49 <+catphish> tds: yeah, with the old DPA you could charge a free, with 2018 DPA it has to be free
17:49 < spaces> catphish I like a cup of tea!
17:49 < tds> catphish: now that whole gcse was useless, I think that's the only thing I remember and it's wrong now ;)
17:50 <+catphish> i wouldn't mind if this guy had one account, but 1) he has like 6 accounts across various of our apps with different email address 2) he's asked a bunch of other pointless questions that he could easily find the answers to in our (very nicely written) privacy policy
17:50 <+catphish> it's my opinion that he's got a standard letter from somewhere, and sent it to every company he's ever dealt with
17:50 < ryao> catphish: lol
17:51 < BT709> ryao: I have been told this too, but haven't found much online regarding building this out
17:52 <+catphish> a quick google search says yes, this is the letter he's sent us: https://m.forums.theregister.co.uk/post/reply/3285234?
17:53 < ryao> BT709: I haven't deployed 802.1x for wired stuff in part because it is broken unless you use the macsec extensions that almost nobody supports, but setting it up for wireless was basically something I had to figure out on my own. pfSense made it somewhat easy to do though.
17:54 < ryao> BT709: If you setup pfSense, you can use it to make an internal CA. Then you can use it to generate certificates, setup freeRADIUS, etcetera. There is a nasty bug where revocation lists break things if you use them, but I get around this by just never reusing usernames and putting them into the certificates. If the username isn't in freeRADIUS database, then it won't authenticate it.
17:55 < ryao> BT709: https://en.wikipedia.org/wiki/IEEE_802.1X#Vulnerabilities_in_802.1X-2001_and_802.1X-2004
17:56 < ryao> BT709: You need this to make it secure: https://en.wikipedia.org/wiki/IEEE_802.1AE
17:57 < ryao> BT709: By the way, are these L2 or L3 switches? ^_^;;
17:57  * ryao prefers to use router to describe a L3 switch.
17:57 < ryao> BT709: If you have a broadcast domain with 3000 clients... ouch.
17:57 < spaces> indeed BUT if it can only do static routes it's kinda sucky
17:58 < BT709> ryao: Yeah this is what im finding, there is not much out there regarding wired deployments. This is for an enterprise environment, I would aim to attach onto the existing CA infra and machine based certs for TLS auth. MACSEC is not what i am looking for, that is L2 encryption
17:58 < ryao> spaces: If what can?
17:58 < ryao> BT709: 802.1x has a vulnerability where you can attach a switch in between it and a machine and then get free reign to do whatever you want.
17:58 < BT709> ryao: I hope no one here has a broadcast domain with 3000 clients tbh :P
17:58 < ryao> BT709: I do too.
17:59 < ryao> BT709: I need to get ready for Sunday Mass. I'll be back in 90 minutes.
17:59 < BT709> These are multilayer switches, but for the purpose of 802.1x it is purely layer2 which controls vlan assignments and MAC bypass.
18:01 < ryao> BT709: You could just require all clients to use IPSec and be done with it. Not that I want to discourage you, but the fact that 802.1x is easy to circumvent kind of makes it pointless. :/
18:01 < ryao> At least on wired.
18:01 < ryao> BT709: Also, I suspect that there is little information on how to do it on wired because this is part of the material needed to get various certifications.
18:02 < ryao> Which switches are these and who made them? Maybe the vendor has some documentation avaliable.
18:02 < BT709> ryao: No preventative security is 100% secure, this is why you must employ defense in depth.
18:02  * ryao really must step out now.
18:02 < Apachez> but relying only on 1x is bad
18:02 < Apachez> since it has designflaws
18:02 < Apachez> but its great as part of layered security
18:02 < BT709> Apachez: totally agree
18:02 < Apachez> it protects from accidently connected unwanted devices or networks
18:03 < Apachez> but it doesnt protect from somebody who knows what they are doing
18:03 < Apachez> setting your own switch in between is an easy bypass
18:03 < Apachez> instead of 1x device connected to 1x switch
18:03 < Apachez> you connect your own switch in between so it becomes 1x device <-> your switch <-> 1x switch
18:03 < Apachez> and then connet the evil box to your switch
18:04 < Apachez> this way you not only find out the mac of the 1x device but once 1x device opens up the interface at 1x switch its open until reauth
18:04 < Apachez> so you shutdown the interface in your switch that goes to 1x device
18:04 < BT709> Apachez: how would that work, if the mac addresses over the line would be unique? Only the switch in that case would be authed.
18:04 < Apachez> and put 1x device mac on your evil device connected to your switch
18:04 < Apachez> and tada
18:04 < Apachez> the 1x switch will never notice wtf happend
18:04 < Apachez> and you as evil user will have full access to the 1x protected network until reauth occurs
18:04 < Apachez> which by default they occurs like once an hour or so
18:04 < BT709> If you spoof the mac you mean
18:05 < BT709> yes that is a vulnerability
18:05 < Apachez> you want me to explain this once more?
18:05 < BT709> Nope, got it
18:05 < Apachez> the thing is that from the 1x switch point of view the interface never goes down
18:05 < Apachez> and it will never receive any EAPOL-logoff frame
18:06 < Apachez> since evil switch (who sits in between 1x device and 1x switch) just shutdown the interface towards the 1x device
18:06 < Apachez> and then enable the interface towards evil host
18:06 < Apachez> evil host now use the same mac as 1x device (who is disconneted)
18:06 < Apachez> so if you want to protect against that you should use vpn at your clients
18:07 < detha> Apachez: your scenario assumes you have a 'good' and an 'evil' device to begin with. What if you don't have a 'good' device ?
18:10 < Apachez> detha: at most places there are a "good" device
18:10 < Apachez> otherwise you wouldnt have an 1x enabled interface running there
18:11 < BT709> I was lead to believe that there are newer versions of the 802.1x standard which allow mapping vlans to mac addresses, and therefore different devices can be on the same int with access control. You are talking about 802.1x only being able to up or down a port once authed. Correct me if im wrong obviously
18:12 < Apachez> well thats the basic of 1x
18:12 < Apachez> doesnt matter if you then put the device in various vlans
18:12 < BT709> VPN is unfortuntely not an option due to requiring as close to wirespeed as we can for users work
18:12 < Apachez> the evil device will look like the good device from the 1x switch point of view
18:13 < Apachez> there are 10G vpns :)
18:13 < Apachez> so anyway, 1x is often a good choice but dont rely on it
18:14 < Apachez> we use it as countermeasure against people connecting the wrong cable in the wrong interface and creating a loop
18:14 < Apachez> since we got multiple physical networks in the same area
18:14 < BT709> yeah i get what youre saying, its totally not the only security method we have but it addresses the issue of ports not being shut on the corporate vlans in meeting rooms for example :P
18:14 < BT709> at least as a first method of prevention
18:15 < BT709> multiple physical networks? Wow interesting, due to security or performance?
18:15 < Apachez> you should check the secured enduser connection guidelines
18:15 < Apachez> other methods is to limit to max 1 mac address per interface
18:15 < Apachez> etc
18:15 < Apachez> logging all mac addresses and which physical itnerface they connect to
18:15 < Apachez> logging mac overflows
18:15 < Apachez> etc
18:16 < Apachez> well both
18:17 < Apachez> like only voip devices on the voip network
18:17 < Apachez> this way we dont need poe switches where we dont have any voip devices
18:17 < Apachez> and no need to qos either since there are only voip devices on the voip network
18:17 < Apachez> and then some other networks
18:17 < Apachez> so with 1x you got a first line of defence where somebody connects unwanted device or loop networks
18:18 < Apachez> its not foolproofed against somebody who have intentions to fuck things up as I described but it protects from the "oops"
18:18 < BT709> Are your IDFs not a bit messy then?
18:18 < Apachez> IDFs?
18:19 < BT709> patch closets/rooms
18:19 < Apachez> nope
18:19 < Apachez> you can colorcode things :)
18:19 < Apachez> black = encrypted traffic
18:19 < Apachez> red= cleartext sensitive traffic
18:19 < Apachez> grey = regular prod (client/server)
18:19 < Apachez> green = mgmt network
18:19 < Apachez> and so on :)
18:20 < BT709> But it requires physically going to a site and patching new connections, we have all pre patched. Anyone call can from a site and we can remotely enable and provision from our desks
18:20 < Apachez> well you dont patch things where you dont expect to have anything
18:20 < spaces> Apachez are still holding whiel I'm sitting on your lap ?
18:20 < spaces> are you..
18:20 < Apachez> so a new site gets fully patched for the purpose it will be used for
18:21 < Apachez> like if there will be no sensitive network at site X then you dont have any red cables and red switches there
18:21 < Apachez> spaces: whiel?
18:21 < spaces> while
18:21 < spaces> I'm whining you know... I cannot type straight
18:21 < Apachez> dont get horny...
18:22 < spaces> how can I ? I'm full of emotions
18:22 < BT709> True, if its a quite static setup then I see that working. My place scales up and down quite a lot so we just have to be prepared for any port on any network.
18:22 < spaces> are you trying to get an advantage out of it Mr Whinefield ?
18:22 < Apachez> well then you reallyu should consider vpn
18:22 < Apachez> because its those kind of arguments who fucks things up
18:23 < Apachez> and suddently unwanted client sits on sensitive network doing bad things
18:23 < Apachez> because you were lazy
18:23 < Apachez> I have seen many bad implementations during the years
18:23 < Apachez> where the main argument was that "its so hard to make it secure and it takes time"
18:23 < BT709> I still dont see VPN as solving what im trying to do tbh, I see where it may fit for low performance situations but not for users that need fast disk access
18:24 < Apachez> while implementations who did stuff properly had far less downtime and troubleshooting time
18:24 < spaces> Apachez is now known as Mr. Whinefield
18:24 < BT709> Its nothing about being hard or slow, its just about implementing the correct technology where its required.
18:24 < Apachez> sure an dyou are doing it wrong ;)
18:26 < BT709> So you implement machine based vpn on all your systems?
18:26 < BT709> Sounds great in terms of a purely L3 infra too, I can see the appeal
18:29 < raefe> hey guys can someone help me connect to //server?
18:29 < spaces> try to make it \\server
18:31 < transhuman> hi! I its been a while since I have done this sort of thing. Can't remember on a 10.0.0.0/8 network is the default broadcast address 10.255.255.255 or is it 10.0.0.255?
18:31 < transhuman> I think its the first but just want to be sure
18:31 < raefe> sorry i did mean \\server
18:31 < raefe> no connection
18:33 < zamanf> hello
18:34 < transhuman> never mind I was right thanks
18:34 < zamanf> I am trying to do this: iptables -t nat -A PREROUTING -p tcp --dport 110 -j REDIRECT --to-port 8080 but unfortunately it doesn't show on iptables -L
18:34 < raefe> i can connect to the server via the standard "remote desktop connection"
18:34 < zamanf> I get no error also
18:34 < raefe> so there is an internet connection between both pc and server
18:36 < detha> zamanf: iptables -t nat -L
18:36 < raefe> @spaces ...
18:36 < zamanf> ty
18:37 < raefe> detha can you advise pls?
18:37 < detha> raefe: that sounds like it is windows
18:39 < raefe> correct
18:39 < detha> in that case, all I can say is 'No Idea, haven't used it for years'
18:40 < raefe> maybe someone else could help?
18:52 < raefe> anyone with windows knowledge for my question?
18:52 < spaces> windows sucks and we all know it :P
18:53 < spaces> still I like windows 10
18:53 < raefe> so how to approach?
18:54 < spaces> raefe tias while you are waiting for an aswer
18:55 < raefe> tias?
18:55 < Apachez> raefe: spaces is drunk
18:55 < spaces> do you actually use google for your problem ?
18:55 < Apachez> raefe: we told him several times before "dont drink and irc" but nooo
18:55 < spaces> Apachez no, you didn't feed me Whiskey`
18:55 < skyroveRR> :D
18:56 < rewt> tias = try it and see
18:56 < raefe> no i use irc chat relay
18:56 < raefe> thx rewt
18:58 < raefe> so how do i check this valid //server path?
18:58 < raefe> \\server
18:59 < raefe> i cant call it up in windows explorer
19:00 < rewt> does it work with the ip address?  like \\192.168.x.y
19:01 < raefe> in windows explorer or cmd?
19:01 < raefe> the “remote desktop connection” works, so the ip address will be fine too
19:03 < rewt> there is no "1 solution for everything"... you have to troubleshoot problems, which involves trying things to figure out what the problem actually is before you can fix it
19:04 < rewt> saying "oh that will work because some other thing works" is just an assumption that has to be validated
19:04 < raefe> i think it may have something to do with the windows-share filename
19:04 < raefe> how can i check what \\server is related to?
19:05 < rewt> you have to try things to figure out what the problem is
19:05 < raefe> ok
19:05 < rewt> see if \\ip works
19:05 < rewt> then see if \\ip\share works
19:10 < yawkat> is there a way to configure port security for one vlan only?
19:10 < yawkat> i want port security on the untagged vlan (which will be tagged by the switch) but not on the other vlans
19:13 < raefe> @rewt i tried the //192.168.0.250 but no connection in windows explorer
19:14 < raefe> i mean \\192....
19:14 < rewt> and with the share name on the end?
19:15 < raefe> windows cannot access \\192.168.0.250\\server
19:15 < rewt> the share name is "server"?
19:15 < rewt> why do you have \\ between the ip and the share name?
19:16 < rewt> should be just a single \
19:16 < rewt> by share name, i don't mean server name; i mean share name as in what you shared the folder as
19:16 < raefe> still no connection
19:17 < rewt> have you checked the firewall on that server?
19:18 < raefe> there used to be a connection months ago when i last used it and didnt change the firewall
19:19 < raefe> the name of the remote computer in remote desktop connection is server
19:21 < raefe> there is a subnet mask but no standard gateway on the server ipconfig
19:21 < raefe> its empty
19:28 < raefe> @rewt should there be a standard gateway?
19:29 < skunkz> Hello, what do I need to do so that clients connected to my vpn are able to access other vpn users by their hostname ? Isn't setting up a DNS server a bit overkill for that since I'm the only user of the vpn ? I know Avahi but the version installed on some of my devices is broken and not fixed in debian packages yet (well actually it's nss-mdns which seems to be broken) so I'm open to new suggestions
19:30 < rewt> only if it needs to connect to hosts outside its local network
19:33 < Whiskey`> spaces: i dont think your my type, so need you aint getting fed
19:34 < spaces> Whiskey`don't think, let it happen...
19:35 < Whiskey`> spaces: uh huh i bet to say that to everyone your try to roofie. wont work here.
19:36 < spaces> Whiskey` everyone his own choice... if you don't provide people an option they will never chose ;)
19:58 < raefe> i see the microsoft windows network “workgroup” and shared ‘Server’ on the server, but not on the windows 10 laptop
19:59 < raefe> how do i connect to same workgroup in win10?
20:00 < raefe> @rewt
20:25 < Laki> I have a server on my LAN running VNC software , and it's also connected to a VPN, how can I connect to the VNC service? port the vnc service forward to the VPN or how?
20:27 < rewt> you should still be able to access it from the LAN
20:28 < Laki> rewt: so I thought, it doesn't say connection refused, but it does time out after not connecting for a while
20:29 < rewt> then the server's routing tables are not set up right
20:31 < Laki> rewt: ive not touched any routing tables, is that iptables?
20:32 < tds> no, iptables is for firewalling (and mangling packets in various other ways)
20:32 < tds> what's the output of "ip route" on the server?
20:33 < crng_init> are you connecting with the right port and ip?
20:35 < Laki> rewt: https://bpaste.net/show/ef18efa05467 now is also a good time to mention I'm running it inside of a docker container
20:35 < tds> ifconfig is deprecated, you should be using ip a these days ;)
20:35 < rewt> ^
20:35 < Laki> oh really? I must be oldschool ;)
20:35 < rewt> and where's the vpn?  i don't see it there
20:35 < tds> is the docker host NATing the container and also running the VPN client or something?
20:36 < Laki> rewt: hmm i just ran ip route for you at the bottom there
20:36 < tds> as rewt said, there's no interface or routes that you'd expect from a vpn client (ie a tun device)
20:36 < Laki> ah, sorry hang on, that's all before the vpn connects, one moment lol
20:40 < Laki> rewt: https://bpaste.net/show/eab1d6eeec10 sorry i took a while there :-)
20:41 < tds> what ip are you connecting to with your VNC client; is docker doing some NAT horribleness for you?
20:42 < Laki> im using 192.168.1.113 (the machine running docker) to connect to the vnc, here's the host machine ifconfig if it helps https://bpaste.net/show/1fc2b1f559e2
20:42 < Laki> tds: ^ :)
20:42 < Laki> it ofcourse works fine with the vpn turned off
20:42 < tds> is that 192.168... network a plain flat network with a single /24?
20:43 < Laki> yes I think so
20:43 < tds> if so, does "ip route add 192.168.1.0/24 via 172.17.0.1" sort it?
20:43 < Laki> on the host machine yea?
20:43 < tds> no, in the container
20:44 < Laki> 192.168.1.0 should be the gateway right? (actually 192.168.1.1)
20:44 < tds> since the destination of the packets to 192.168.1.113 will be switched with DNAT, but the source address will still be on the 192.168.1.0/24 network, so the container will try to route back out over its new default route rather than via the host
20:44 < tds> the gateway for what?
20:44 < Laki> the network/router
20:45 < tds> anything on that 192.168.1.0/24 network probably wants a default route via the router on that network (could be 192.168.1.1)
20:45 < tds> you shouldn't need to change that to sort routing in the container though
20:45 < Laki> alright, i'll try having the container route 192.168.1.0/24 to 172... :-) one moment
20:46 < Laki> should this be done before connecting to the vpn or after tds ?
20:46 < Laki> i suppose it doesnt matter
20:46 < tds> after
20:46 < Laki> ok
20:46 < tds> but yeah, it probably doesn't matter
20:50 < Laki> tds: okay, that seemed to of sorted everything out! :D
20:50 < Laki> tds: thank you very much for your help! :-) fantastic, you too rewt!
20:51 < tds> docker likely has some way to automatically add the route for you, I'm not familiar with it though, so google that :)
20:51 < Laki> tds: havent a clue, I've only just started playing with docker today, it's pretty darn nice! :-)
21:32 < skunkz> Hi, how can I make it so that when users connect to my vpn server they are able to access other vpn users by their hostname ?
21:38 < nbro> Hi
21:39 < nbro> I am facing a network issue. Right now, I am able to connect to certain websites, but I am not able to connect to most of them.
21:39 < Kingrat> by any chance are you getting ipv6 only? have you checked that ipv4 is working for you?
21:41 < nbro_> If I used ping to connect to the Skype website, I get: "ping: cannot resolve https://www.skype.com/en/: Unknown host"
21:41 < tds> nbro_: you want to ping just the domain, not the full url
21:41 < tds> ie ping www.skype.com, rather than ping https://www.skype.com/...
21:42 < nbro_> Anyway, I get "ping: sendto: No route to host"
21:42 < tds> what's the output of ip route and ip -6 route?
21:42 < tds> (and ip addr and ip -6 addr)
21:43 < nbro_> tds: How do I get that output?
21:43 < tds> run those commands
21:43 < tds> stick the output on paste.debian.net or a similar site
21:43 < tds> that'll output the state of your interfaces and their addresses, as well as your routing table, for both ipv4 and ipv6
21:44 < nbro> I am on a Mac, btw
21:44 < tds> oh, oops, I just assumed a linux box
21:44 < tds> if those ip commands don't work, I guess you could try ifconfig and route
21:46 < skunkz> No idea how to do what I want ? DNS seems to be what I need but I'm not sure, can anyone confirm?
21:46 < nbro> tds: I have this ifconfig command
21:46 < nbro> And I used it in the past
21:46 < nbro> The output looks stranger than usual
21:47 < tds> skunkz: yes, plain dns with openvpn hook scripts to update records is probably the best solution, it's likely that your devices won't all have decent support for mdns/similar
21:48 < nbro> I can access https://www.experts-exchange.com/questions/28929489/ifconfig-output-on-OS-X.html…
21:48 < nbro> WTF!
21:49 < skunkz> thanks tds, I was afraid of this because I know nothing about DNS but I guess it's time to learn
21:49 < tds> nbro: that sounds a lot like working ipv6 but broken ipv4 as Kingrat suggested
21:49 < tds> can you get to ipv6.google.com but not ipv4.google.com?
21:51 < nbro> tds: exactly!
21:51 < nbro> I can connect to ipv6.google.com but not ipv4.google.com
21:52 < nbro> Who is Kingrat?
21:52 < tds> I'm not familiar enough with osx to help, but I'd suggest to check that you have a working dhcp server on the network and that it's handing out addresses
21:52 < tds> he replied to you earlier and suggested that v4 might be broken (but v6 working)
21:52 < nbro> I was probably disconnected in the meantime, because I don’t see his/her message
21:53 < nbro> But I can’t even search on the web
21:54 < compdoc> dont you know Kingrat? hes married to Queenrat
21:54 < nbro> So, does anyone know how to solve this problem?
21:54 < nbro> I mean, I can’t even search for a solution
21:58 < nbro> So, do certain websites have a IPv6 but not all of them? Is this the probable reason why I can connect to certain but not all websites?
21:58 < nbro> *I can’t connect
21:58 < nbro> It’s been a while I have studied computer networking
21:58 < nbro> But I am aware of the transition from IPv4 to IPv6 that people is doing...
21:58 < tds> yes, sadly lots of sites still don't have ipv6
21:59 < nbro> But where do you think is the problem? In my router?
21:59 < tds> are there other devices on the same network that have working ipv4 connectivity? (ie they can get to ipv4.google.com in a browser)
22:00 < nbro> I can’t connect to ipv4.google.com using my phone
22:01 < ryao> BT709: Usually defense in depth requires each layer to be solid. If each one can be circumvented, it is just annoying the attacker, but not stopping him. :/
22:01 < nbro> Kingrat: what does it even mean for "v4" to be broken? What did you mean?
22:01 < ryao> BT709: Of course, adding 802.1x so that an attacker gets annoyed before seeing that you have a solid VPN setup is sadistic in a very satisfying way.
22:02 < Kingrat> nbro, can you ping 8.8.8.8?
22:02 < ryao> BT709: Anyway, you can get close to wirespeed with a VPN if the CPU has AES acceleration.
22:02 < nbro> No, I get "ping: sendto: No route to host"
22:02 < nbro> What does this address represent?
22:03 < nbro> https://en.wikipedia.org/wiki/Google_Public_DNS
22:03 < Kingrat> sounds like you have no ipv4 gateway, can you pastebin the output from ifconfig and route -n
22:03 < ryao> BT709: You also need your VPN gateway to be able to handle it.
22:03 < nbro> I can access Wiki...
22:03  * ryao is responding to a conversation from earlier where he had to step out.
22:03 < tds> you can only access the superior parts of the internet ;)
22:04 < Kingrat> pastebin should support ipv6 i hope ;)
22:04 < Kingrat> pastebin.ca is ipv6 at least
22:04 < tds> pastebin doesn't, https://paste.debian.net/ does :)
22:04 < Kingrat> or that
22:08 < nbro> How exactly should I use "route -n"? "-n" is an argument, but if I use just "route -n", I get "usage: route [-dnqtv] command [[modifiers] args]", so I suppose this command is to be used with another command as argument
22:09 < tds> does netstat -rn get you anything useful?
22:10 < nbro> tds: I get some output...
22:11 < tds> stick that on https://paste.debian.net/ then :)
22:12 < crng_init> I'm trying to connect to my global ipv6 address on port 80. I can connect from inside my LAN, but not from the outside. Why is that? Is my router blocking traffic or my ISP?
22:12 < nbro> Can I share this output with you? lol, I mean, does this output contain any condifidential info that would break my security?
22:13 < nbro> I have a few IP addresses
22:13 < nbro> -n should show the network addresses
22:13 < nbro> Which ones?
22:13 < nbro> -r should show the routing tables
22:14 < linux_probe> you have to open the port in the firewall/s crng_init
22:14 < linux_probe> on isp modem/router and your machine
22:14 < crng_init> I assume it's open on my machine since I can reach it from other machines on my LAN
22:16 < linux_probe> then open/allow the port on router/modem
22:18 < crng_init> Well I succesfully port forwarded other ports with ipv4 already. How do I do that with ipv6 though?
22:20 < linux_probe> similar but it's not forwarding, it's allowing the traffic to pass
22:21 < crng_init> so disabling a firewall?
22:22 < crng_init> Is it correct that ipv6 doesn't use NAT?
22:22 < linux_probe> dont disable the whole firewall, just allow that port and ipv6 address to pass through
22:27 < memelover> I want to connect a cell phone to the internet with a router that sends all traffic through tor. With that, I'm a little limited in hardware. Would it be possible to bridge the wireless connection on a laptop to the wired connection, but to make the traffic from the wireless go though tor somehow?
22:27 < Epic|> Looking for some presumption of guilt eh,
22:27 < Epic|> ?
22:27 < crng_init> I can only connect to my router over an http interface, which limits my options. I cannot set specific firewall rules, I can only set it to "low,medium,high". And setting it to low does not work.
22:29 < linux_probe> dont know what to tell you crng_init, but there should be a page similar to the port forward one that allowyou to "open" pass through ipv6 traffic
22:29 < linux_probe> if not, maybe ipv6 was an afterthought on the device and time for an upgrade
22:39 < djph> replace it with something that'll let you do what you want?
22:39 < jurislav> any idea what could cause _very_random_ wifi connectivity issues? majority of the users are fine, but _some_ of them _sometimes_ report DNS resolution issues (the browser message). if they wait a couple minutes, or reconnect to a network, issue disappears :/
22:39 < djph> gremlins
22:39 < jurislav> it sure looks like that :/
22:40 < djph> distance from the AP, you forgot to make a sacrifice to the radio gods, etc.
22:40 < jurislav> they have APs right above their heads..
22:40 < jurislav> or in the next room. coverage and signal are good, as I was. also the APs are not overloaded
22:41 < djph> could be too close as well...
22:43 < crng_init> linux_probe: Well I think I'm out of luck with this router. Thanks for your help!
22:44 <+pppingme> jurislav how many ap's? how many wifi users? when they are in this "dns blackout" can they ping anything on the lan by ip?
23:01 < jurislav> pppingme: 28APs, ~150 clients (varies). haven't asked them to troubleshoot this particular thing (the lan access)
23:03 < spaces> bedtime!
23:03 < spaces> (with dog :))
23:05 <+pppingme> jurislav thats a few ap's, I'd start to question if they are interfering with each other..  how big of an area are these covering?
23:05 < djph> ^
23:07 < jurislav> 2 floors in a hotel, 2 halls each, one obove the other. every 3rd room there is an AP. the aim was to cover 3 rooms with 1 AP so that the clients don't need to reach further than behind 1 wall.
23:10 <+pppingme> how are you setting channels?  are the ap's between floors directly above one another or are they offset?
23:15 < jurislav> pppingme: they're offset. channel setting is set to auto, and in monitoring, I see evenly distributed 1,6,11 for 2,4GHz, and random higher channel numbers for 5GHz
23:16 <+pppingme> are these individual ap's, or part of a larger centrally controlled and configured system?
23:16 < jurislav> ruckus zonedirector
23:20 < nbro> OMG!!
23:27 <+pppingme> are they running full power or reduced power?
23:31 < jurislav> pppingme: we wanted to give a try the Ruckus' Self Healing feature, which requires pwoer setting at automatic as well. it's supposed to "inteligently" help with exactly these issues, but perhaps there is some space for improvement.. :/ anyway, I don't know if that's what *causes* the issue. i sure can reconfigure everything to manual. I just wanted to ask first, whether there could be another issue, say,
23:31 < jurislav> with mikrotik being a router, or just some 3rd party method of monitoring the radio for exactly these kinds of issues. but I guess there are not tools for this, and all we can do is try various settings..?
23:36 < djph> there are loads of tools - you jsut have to be there *when* things are acting up
23:42 < jurislav> yeah, thats the tricky part :/
23:42 < jurislav> i cant really be there all the time
23:43 < jurislav> thats why i was hoping for another way
--- Log closed Mon May 28 00:00:35 2018