--- Log opened Mon May 28 00:00:35 2018 00:00 < i8igmac> i have my home network setup. my router runs dnsmasq, i have a few file server in my home that might change ip address. i would like to give it a name instead of ip 00:01 < ryao> i8igmac: Why not just give them static IPs? 00:01 < ryao> i8igmac: You can give them hostnames too and put those hostnames into DNS, but I haven't heard of someone doing a hostname that changed based on DHCP's lease. Usually, people do a static IP and then assign the hostname to that in the DNS server. 00:02 < i8igmac> i have done the static ip, but something went messy. it didnt auto authenticate with wifi. 00:02 < i8igmac> yes my file server is on wifi 00:02 < jurislav> i8igmac: you can configure dnsmasq to resolve DNS queries from the lease file 00:03 < i8igmac> is there maybe a auto-magicly dns querie from the lease file? 00:03 < ryao> i8igmac: There should be no reason why you cannot use a static IP on wifi. Just don't use an IP from the DHCP pool. Either that or use static DHCP so that DHCP will always assign the same IP to your machine's mac address. 00:04 < djph> fileservers on wifi .... ouch ... 00:04 < i8igmac> its on 5.8ghz at least 00:05 < ryao> djph: It seems less painful than you make it sound, but I am spoiled by a Ruckus AP. 00:05 < djph> so instead of 1/10 the throughput of copper, you're 1/5 ... 00:05 < ryao> djph: You might be able to get 1Gbps over WiFi if you use 4x4 and have a Ruckus Zoneflex R720. 00:05 < ryao> Actually, 3x3 might be all that is needed with that. 00:05 < djph> but anyway; static IP (or even DHCP reservation) is what you need. 00:06 < i8igmac> ill give the static ip a try. it might have went uggly when i swapped out the wifi card. maybe just a dumb mistake 00:07 < i8igmac> i just like the idea of auto resolve DNS queries from the lease file 00:07 < djph> ryao: nope. 750-800 mbps "1300mbps" 802.11ac. 
And that's ofc with the server being the only device on that AP, and not accounting for bidirectional traffic. 00:07 < djph> dynamic DNS is pretty easy as well, isc-dhcp-server coupled with bind would do it. 00:08 < djph> or I think dnsmasq can - but that depends on the setup 00:08 < ScriptGeek> Hey peoples, have you used HTTrack before to download websites for offline viewing? 00:08 < i8igmac> its a debian based router mini-itx 00:09 < djph> so it should work then 00:09 < ryao> djph: That isn't the case for the chip used in the R720. It is used in the Unifi AC HD. It gets much higher throughput. 00:09 < ryao> djph: I think measurements had it at like 80% of the link speed. Why they didn't do this sooner, I don't know. 00:09 < djph> ryao: there are physical limits to throughput; not to mention that it's half-duplex. 00:10 < djph> and yeah, you can get 75-80% of the PHY in a lab. But out here in the real world, it's a bit less 00:10 < ryao> djph: I know and I have seen benchmarks showing that the specific radio chip in the Unifi AC HD and in the Zoneflex R720 is capable of doing 1GbE at 3x3. 00:10 < ryao> In the real world. 00:10 < ryao> It is a wonder chip. I don't know how it does it. 00:11 < ryao> djph: Although if he has a server, he might as well go for 4x4 so that he leaves airtime for others. 00:11 < djph> if you're using wave2 / 4x4, it's trivial. If you're not ... 00:11 < ryao> djph: I am talking about 3x3. I have seen benchmarks where a client got like 935Mbps from a Unifi AC HD. 00:12 < ryao> djph: That is line rate. 00:12 < djph> but then again, the counter to that is you're eating half of the available spectrum 00:12 < ryao> djph: Supposedly, it does something like 730Mbps with 2x2. 00:12 < ryao> Again, I have seen benchmarks where it did that. As I said, it is a wonder chip. 00:12 < djph> sure, if you're eating 80 MHz of spectrum 00:12 < djph> and "benchmarks" are hardly the real world. 00:14 < ryao> djph: It is the QCA9994. 
00:14 < ryao> djph: The benchmarks were from a guy testing it in his house. 00:15 < nbro> Does anyone know what the problem could be if I am not able to connect to the router’s web interface? 00:15 < ryao> djph: Look at benchmarks people post of the Unifi AC HD. The QCA9994 chip in it is amazing. 00:16 < ryao> djph: That is unless you mean "just 1 client". Performance does drop when doing things with multiple clients, but 1 busy client being able to transfer data so quickly is amazing. 00:17 < djph> ryao: "benchmarks" are still tests. Throw it in a building with 47 clients attached to it, and THEN look at how well it holds up. 00:17 < ryao> djph: It likely won't do 940Mbps aggregate then. 00:17 < ryao> djph: But it does do well. 00:17 < lupine> plus, it's ubnt, so injurious to you 00:18 < varesa> not everyone has 47 clients though :) 00:18 < ryao> djph: https://community.spiceworks.com/topic/2014496-uap-ac-hd-confirmed-performance-leader-w-results-matching-3rd-party-lab-tests 00:18 < ryao> A better link: https://community.ubnt.com/t5/UniFi-Wireless/Benchmark-results-and-ACI-test-Aerohive-vs-UniFi-vs-Ruckus/m-p/1984439#M236727 00:18 < djph> exactly. It's a wonderful AP; but "I tested with a half dozen clients in my basement" is wildly different than "we installed it in the lobby of our hotel" 00:18 < ryao> 340 Mbit/s with 100 clients. 00:19 < ryao> The Ruckus version might do better. They tested again the R710, which is using an older radio chip. 00:22 < ryao> s/again/&st/ 00:23 < ryao> djph: Is 340Mb/sec better than what you expected it to do? 00:23 < Apachez> here is your problem https://twitter.com/ABC/status/1000856893450047493 00:24 < redrabbit> Would you recommend Eaton ups products? 00:27 < Apachez> sure 00:27 < djph> ryao: it's in range that I'd figure it'd handle, maybe the upper end of it ... notepad with the estimates is at work. 
00:27 < Apachez> we use eaton ups pro 1600VA around here 00:27 < Apachez> you got a nice stats on the display so no need for external snmp polling 00:27 < redrabbit> Sounds good 00:27 < djph> ryao: that being said, the stuff you linked was 240 mbps with ONE (1) macbook using a 3x3 802.11ac card. 40 MHz channel 116 00:28 < djph> *340 00:29 < Maarten> Wifi is high subjectable to all sorts of things... the chip in the AP, the chip in the client, inteference from neighbors and/or other equipment such as bluetooth, etc, etc.... with a good .ac setup you probably will get 400-600 max or so in any practical situation.... which should be more than plenty for any use case. If you need that extra bit of speed, go wired. 00:29 < Apachez> the antenna at the ap 00:30 < Apachez> the antenna at the client 00:30 < Apachez> nearby antennas to the ap 00:30 < ryao> djph: I misread, but that was on 2.4GHz if I read correctly now. 00:30 < Apachez> nearby antennas to the client 00:30 < Maarten> etc, etc ;) 00:30 < Apachez> anything in between 00:30 < djph> ryao: 802.11ac is 5GHz only 00:30 < Apachez> neighbours browsing pornhub searching for gayporn using the same channel as your ap 00:30 < Apachez> etc 00:30 < Apachez> :) 00:30 < ryao> djph: They claimed that the PHY was 600Mbps. 00:30 < ryao> djph: This one is 5GHz with 100 clients. https://community.ubnt.com/t5/image/serverpage/image-id/115095iB6137E313656A867/image-size/large?v=1.0&px=900 00:31 < ryao> 265.4Mbps. 00:31 < djph> Maarten: yeah, the discussion between ryao and myself started with me being against using wifi for a server.. 00:31 < nbro> Does anyone know how to fix the problem of connecting to IPv4 addresses??? 00:31 < Apachez> which channel ryao ? 00:31 < Apachez> and channelwidth etc 00:31 < ryao> Apachez: I am not the guy doing it. 
00:31 < Apachez> well those graphs are just bogus marketing material 00:31 < ryao> i8igmac is 00:31 < redrabbit> nbro: duct tape 00:31 < ryao> Apachez: You don't think it can do that in aggregate? 00:31 < Apachez> like selecting best channel and 80MHz width for your test and 20MHz for the competitors and let them use a crowded channel 00:31 < Apachez> etc 00:32 < Maarten> I have 1 Gbps AT&T internet, I have 2 x Unifi AC Pro access points. I get 400-ish on most clients in the same room, 200-300 ish if there is a wall in between, and 100-200 ish when I am sitting out in the yard.... and that suits me just fine. If I get 100 Mbps+ anywhere in the house, I am set. All other devices I need the speed and latency that fiber brings don't belong on wifi, and are wired. 00:32 < nbro> redrabbit: ? 00:32 < Apachez> and then "omg look at how bad competitor X is" 00:32 < djph> ryao: which is perfectly normal for 802.11ac MCS9 utilizing 3x3 radios. 00:32 < djph> on a 40 MHz channel 00:32 < Maarten> djph, "wifi" and "server" should never be used in the same sentence ;) 00:32 < djph> Maarten: IKR :). 00:32 < ryao> djph: Or it is 2.4GHz with the MCS9 extension. 00:32 < ryao> On a 40MHz channel. 00:32 < djph> Maarten: well, "wifi" and "RADIUS server" is fine 00:33 < varesa> how about the server running the Wifi controller application? 00:33 < djph> ryao: here's the thing. 802.11ac *does not* operate on 2.4 GHz, flat out. 802.11n MCS9 is 60 mbit/sec. 00:33 < ryao> djph: I know. 00:34 < Maarten> djph, sure. But the actual server running the wifi controller should be wired to your network. Any server should have a wired connection, not a wireless one. 00:34 < ryao> djph: Okay. I am using the wrong terminology. let me just say QAM256. 00:34 < ryao> I think that is the one that gives 200Mbps per stream on 2.4GHz. The newer qualcomm stuff will do it despite it being nonstandard. 
00:34 < djph> ryao: which would be MCS9 for 802.11ac (regardless of chains in play) 00:34 < ryao> Apachez: Anyway, I took the position that Wi-Fi is not as terrible as he suggests because I use an enterprise AP and my WiFi is fairly good. 00:35 < ryao> djph: It got backported to 2.4GHz as a proprietary vendor extension. 00:35 < Apachez> well generally speaking wifi is terrible 00:35 < ryao> Apachez: Not at my house. :P 00:35 < Apachez> specially when you live in suburban areas 00:35 < ryao> I do. 00:35 < Apachez> perhaps its fine in your case where you have 10km to next neightbour 00:35 < ryao> Apachez: I have an AP whose MSRP is $1295. 00:35 < Apachez> and not 2 meters to next neighbour 00:35 < Apachez> and there are like 100 neighbours within a 20 meter radius 00:35 < ryao> Apachez: I take it that you are not familiar with Ruckus. 00:35 < Apachez> and they all got at least one AP 00:35 < Apachez> and at least 3 wifi clients 00:35 < Apachez> so you do the math :P 00:36 < ryao> Anyway, I do think having a fileserver on a wifi is a bad idea, but I don't think it is as terrible as djph suggested. 00:36 < Apachez> and all got microwave owens too 00:36 < ryao> Apachez: I am aware. I have almost everything on 5GHz. 00:36 < Apachez> and some zigbee lamps etc 00:36 < ryao> Apachez: Also, microwave ovens don't affect things connected to the Ruckus very much. I tested. 00:36 < Apachez> and conrete walls with metal framing so your AP who normally can operate for 100 meters only works just about 5 meters 00:36 < ryao> The microwave ovens have improved their shielding and the ruckus is really good at handling interference. 00:36 < Apachez> when you sit on the toilet and keep your smartphone in your right arm it works 00:37 < Apachez> when you move it to your left arm it doesnt :) 00:37 < ryao> Apachez: I have also tested the ruckus through a concrete wall. 00:37 < ryao> It works. :P 00:37 < ryao> Although not well enough for my cellphone. 
00:37 < Apachez> ryao: perhaps it was without that metal skeleton? :) 00:37 < djph> Anyway, back to *why* I said it was bad --- ignoring all the fun problems that you get on wifi, you're realistically going to have about 1/5 the throughput of UTP. 00:37 < ryao> Apachez: If it has one, it is so huge that it doesn't affect anything. 00:38 < ryao> djph: That isn't too terrible. Also, what if your UTP is using Fast Ethernet? :P 00:38 < Disconsented> Im looking into network equipment (managed switch) for connecting to a WAN(Internet), what do I need to make sure is supported? Connection will likley come through passive optical fibre to RJ45 00:38 < Apachez> so having tp cables or fiber (preferred) I get the full 10Gbps without any issues and without having to care about what my neighbours does or dont do :P 00:38 < djph> and that's before we even consider fun things like LAG/LACP 00:38 < ryao> djph: Anyway, it is bad, but it isn't terribly bad. 00:38 < ryao> Provided that you have a sane AP. 00:38 < djph> ... or 10g 00:38 < Apachez> I only use wifi for stuff where I dont care about quality 00:38 < ryao> Disconsented: VLAN support. 00:38 < Apachez> like for smartphones and for my laptop 00:38 < Apachez> other than that wired ftw 00:38 < djph> Disconsented: a switch on your WAN link... ? 00:39 < nbro> Does anyone know why I would not be able to connect to my router’s web interface? 00:39 < djph> End of the day - wireless is convenient; but it's not a replacement for a cable in demanding applications 00:39 < djph> nbro: it died? 00:39 < Disconsented> Ah so each LAN is really a VLAN 00:39 < Disconsented> Interesting 00:39 < nbro> It’s still working, at least the lights are on 00:39 < nbro> … 00:40 < tds> nbro: did you resolve your issues earlier? 00:40 < nbro> No! 
00:40 < Disconsented> Alright good to know, didnt think it was that simple ryao 00:40 < nbro> I didn’t 00:40 < nbro> It’s so annoying 00:40 < Disconsented> cheers 00:40 < tds> I wouldn't be surprised if the web ui only listens on ipv4, and that isn't going to help :P 00:40 < nbro> I have work to do… 00:40 < ryao> djph: I used to use a switch on my WAN link so that I could have my LAN and WAN share a port on my router, but when I get 1Gbps internet, it ended up limiting bidirectional throughput to 1Gbps, so I stopped doing that. 00:40 < Maarten> djph, there are use cases for that. To bypass and AT&T gateway you don't want to use but still needs to send out authentications every so often... solution: small managed switch, 1 port with vlan to at&t gateway, 1 to the at&t ONT, and 1 to the router you WANT to use. :P 00:41 < djph> nbro: "the lights are on" and "it died" are not mutually exclusive. 00:41 < Disconsented> djph> Moving into my own place and I don't want to use the ISP's equipment if I can avoid it 00:41 < tds> nbro: how are you attempting to connect, what address/dns name are you using? 00:41 < nbro> I realize now that I have almost no understanding of networking... 00:41 < nbro> I am trying to connect to 192.168.0.1, which is the adress written on a paper which came with the router... 00:41 < djph> Maarten: honestly, their gateway isn't too crap in dmz+ mode. 00:41 < tds> well that isn't going to work if you don't have working ipv4 00:42 < djph> I mean, it's still crap, but ... 00:42 < djph> nbro: and your PC has an IP address in the range 192.168.0.2-254, right? 00:42 < djph> Disconsented: what ISP? 00:42 < Disconsented> My Republic NZ likley 00:43 < tds> djph: earlier the computer didn't have a default v4 route, idk if it had an address on the local network though 00:43 < tds> (that's about nbro) 00:43 < djph> Disconsented: most have a list of supported modems / all-in-one gateways. 
Others force you to use their gateway, but you can stick it into "modem-only" mode, then use your own router behind it. 00:43 < nbro> djph: no, my current ip is in the range 169.254.232… 00:44 < nbro> Why would my IP be in this range? 00:44 < djph> nbro: sounds like the router bit it, if it's not even handing out DHCP addresses properly. Set yourself with a static IP (e.g. 192.168.0.2 / netmask 255.255.255.0 / gateway 192.168.0.1 / dns 8.8.8.8) 00:45 < djph> and then try connecting to it ... but "the router's not giving out addresses" is generally a pretty good tell it's dead. 00:45 < tds> I guess it's possible it's exhausted its dhcp pool, though I'd hope it would handle that better than just not handing out IPs 00:45 < tds> if you have working v6, it sounds like the router is still sorta working at least 00:45 < djph> tds: "not handing out IPs" is exactly the defined behavior for "exhausted DHCP pool" 00:46 < tds> ah, I wasn't sure if consumer routers would tend to just remove old leases under the assumption that it would be more useful than not giving a new one 00:46 < nbro> djph: I am using a Mac. Right now, I am just able to set these configurations if I got to the System Preferences and use that interface. But under "Network , I can only set IPv4, Subnet Mask and "Router" 00:46 < nbro> But you’re suggesting to set Gateway and DNS 00:46 < djph> "router" is the gateway 00:46 < tds> router = gateway, ignore the dns for now 00:47 < djph> DNS usually is required when setting static (although, maybe macs are different) 00:47 < tds> it sounded like you had working dns anyway 00:48 < nbro> tds: Why does it sound like I have working DNS? 00:49 < tds> weren't you able to access some sites (eg ipv6.google.com) earlier? 00:49 < tds> if so, dns must be working, unless you've cached records from before it broke (which sounds unlikely) 00:50 < nbro> I did you said. I am now trying to connect… 00:51 < nbro> What’s the expected output of ping, if I can reach a certain server? 
I don’t remember anymore 00:52 < tds> I'd expect "connect: Network is unreachable" on linux if you're missing a route, osx is probably similar 00:53 < nbro> If I do "ping www.google.com -c 2", I get "2 packets transmitted, 0 packets received, 100.0% packet loss", but I can access Google and search on Google … 00:53 < nbro> (This affter having done what you suggested, i.e. manually setting the IP address, Subnet mask and router) 00:53 < tds> what about ping6? 00:54 < nbro> tds: I obtain: "2 packets transmitted, 2 packets received, 0.0% packet loss 00:54 < nbro> round-trip min/avg/max/std-dev = 27.828/30.556/33.284/2.728 ms" 00:54 < tds> are you able to ping the router and/or get to the web ui? 00:56 < nbro> tds: I am not able to ping the router (with "ping 192.168.0.1 -c 2") 00:57 < nbro> The browser is still trying to load 192.168.0.1, but it won’t load anything: it does this with all other websites before saying "I can’t connect to… " 00:57 < tds> are you able to get to the web ui over v6 by any chance? 00:58 < nbro> tds: How would I do that? I don’t know the IPv6 of the router 00:58 < nbro> If it has got one 00:58 < tds> if you do a traceroute6 to google.com you should see it 00:58 < tds> it'll be the first hop 01:00 < nbro> I should be doing something more important now than solving this issue :( 01:01 < tds> keep in mind you'll need to wrap the v6 address in square brackets to use it in a url, eg http://[2001:db8::1] 01:03 < raj> why can't SCP resume file transfers? 01:04 < nbro> tds: you said that the first hop of " traceroute6 to google.com" is what? The IPv6 of my router? 
01:04 < tds> nbro: yes, it should respond from its global address on the lan interface, assuming it's got one 01:05 < nbro> tds: Yes, I was able to connect to the router’s web interface using that IPv6 01:05 < tds> cool, I guess it's worth confirming that it's got a v4 address on wan, lan, dhcp is enabled and set correctly, etc 01:07 < nbro> tds: In my "DHCP settings", I have the sentence "This sections allows you to configure how the Wireless Gateway assigns IPv4 addresses. It is configured to be a DHCP (Dynamic Host Configuration Protocol) server by default. This provides the TCP/IP configuration for all connected devices." 01:07 < nbro> Then, below, I have "Starting local address: 192.168.0.10" 01:07 < tds> what's the end address of the pool? 01:09 < nbro> I have only "Number of CPEs" and "Lease time" 01:09 < tds> ah, what's the number? I guess it'll calculate the end address from there 01:10 < tds> either way, increasing the number and decreasing the lease time will likely help you 01:11 < nbro> tds: What are CPEs? 01:11 < tds> nbro: in this context that'll just mean the number of devices on your lan 01:11 < nbro> Anyway, it tells me that the max number for CPEs is 245 01:12 < tds> hmm, that's fine, if it's a /24 you won't be able to go higher than that 01:12 < nbro> Anyway, I only have 2 devices connected. It’s written on this web interface 01:13 < tds> does it give you a list of active leases, even if the devices are disconnected? 01:13 < nbro> In this web interface, I also have a "ping tool". I can ping google, but not "skype.com": it tells me "bad address" 01:13 < tds> also, stupid question, I assume you've rebooted this unit? 01:14 < tds> interesting, it sounds like the router itself might not have picked up a v4 address on wan in that case, disabling the dhcp server at that point would make sense I guess 01:15 < nbro> It seems that it only recognizes and pings IPv6 addresses 01:16 < nbro> tds: Why would you disable the DHCP server? 
01:16 < tds> what isp is this? is it possible they provide a v6 only service with v4-6 translation (eg nat64+464xlat, or ds-lite) which has broken/been disabled? 01:17 < tds> I wouldn't, I was saying the router may if it hasn't got a v4 address on wan 01:17 < tds> sorta like you have conditional RAs with v6 01:18 < tds> if the router doesn't have a v4 address on its lan or wan interface though, it sounds very broken, so I'd certainly start with rebooting it if you haven't already 01:19 < nbro> tds: I have turned it off more than once. I also clicked the little button to reset it 01:19 < nbro> It didn’t solve the problem 01:19 < djph> raj: because it doesn't. 01:20 < tds> nbro: does that do a complete reset of the router, or just restart it? 01:20 < tds> since I'd be tempted to reset the whole thing that this point, assuming you haven't modified the configuration 01:21 < nbro> tds: I did both. In one case, I just restarted it (after waiting a few seconds). In the other case, I reset it 01:22 < nbro> I ran the Network Diagnostic Tool and I obtained a message "Your Broadband connection is working."" 01:24 < tds> well technically it is, it's just legacy ip that's broken ;) 01:25 < tds> v4 breaking completely does seem like an odd failure mode for a router, but assuming it's an isp supplied one it might be worth contacting them to obtain a replacement, assuming you haven't touched the config at all when it broke 01:26 < nbro_> tds: This is actually my second router. I can actually contact them to obtain a new router. But it’s quite annoying. I had stuff to do… 01:27 < tds> did the one before have the same issue? 01:28 < nbro> No, I never had this issue before 01:29 < nbro> I had issues of not being able to connect to the internet, but being able to connect to certain websites but not others, I never did 01:31 < tds> is your isp cablecom? 
if so, it sounds like they're using ds-lite, but I'd expect that to just work out of the box - I guess it might be worth contacting them to confirm that there aren't any issues with the ds-lite servers 01:35 < nbro> tds: How did you guess my ISP is cablecom? 01:35 < tds> irc shows the ip you're connected from 01:36 < nbro> Yes, but how can you retrieve this info from my IP? 01:36 < ScriptGeek> tracert? 01:37 < tds> whois 01:37 < djph> ask ARIN / RIPE / APNIC / LACNIC / AFRINIC 01:37 < tds> ^ ripe in this case 01:37 < nbro> djph: those acronyms are familiar to me… I have seen them in the past… 01:38 < tds> they're different RIRs 01:38 < djph> they're the network registrars (i.e. handle the leasing of IP addresses out to people who want them) 01:38 < tpr> rir: https://en.wikipedia.org/wiki/Regional_Internet_registry 01:38 < djph> ... not to be confused with teh domain registrars, of course. 01:39 < ScriptGeek> neato 01:39 < tds> and also not to be confused with LIRs, who are members of the RIR (for ripe at least, not sure about others) 01:41 < nbro> I remember that these were mentioned in one of the lessons of my computer networking course, but it was a couple of years ago, so I forgot the details... 01:43 < nbro> I didn’t know you could gather so much info about the users of IRC channels and I have been using these channels for a couple of months/years 01:43 < nbro> ... 01:43 < nbro> I think this is not a good thing... 01:44 < nbro> I never cared about it 01:44 < nbro> But, well, these chats, in terms of privacy, are quite bad 01:46 < nbro> Why do you keep using these channels? Don’t you care about your privacy? 01:47 < nbro> I mean, there are people who complain about Facebook, which uses data about us to improve ads, but, in theory, only for that, but there are people who do not care about sharing their own location… 01:49 < nbro> Anyway, thank for trying to help me and for all the info! 
01:50 < nbro> *thank you 01:51 < tds> good luck with sorting it - it sounds like the translation side of ds-lite has broken, but since I don't know anything about your ISP's setup there's not much I can suggest, so contacting them is probably your best bet 01:52 < tpr> nbro: have you a proposal for a better communication method then? 01:52 < tds> if you're very bored you might be able to do a packet capture on wan and look to see if the aftr's ip/dns name is listed in the dhcpv6 response, and try sending it some 4in6 packets, but contacting them is probably easier ;) 01:53 < tpr> in these "chats" you do not need to register with all your personal details 01:55 < nbro> tpr: I am not sure which chat system would be better, but there may be one. I used to like Telgram until I recently discovered that it has few flaws in terms of privacy… 01:55 < nbro> There’s Slack, Skype, Stack Exchange chats 01:55 < tds> if you're concerned about leaking your ip, connecting over a bouncer/tor/whatever is always an option 01:55 < nbro> I don’t know which one would be better 01:56 < tpr> nbro: so how does telegram work without having a phone number? 01:56 < tpr> nbro: and how does the protocol work, irc being quite simple to implement ? I've never seen some 3rd party implementations, although tbh I haven't looked after one 01:57 < tpr> slack is a company, skype is a company, stack exchange is also probably a company 01:57 < nbro> tds: Yes, I guess it’s probably easier, but I will have to do it later (in a few hours) 01:57 < nbro> How would you perform the packet capture, btw? 01:57 < tpr> slack doesn't have an open protocol spec, skype didn't use to have at least, no clue about stack exchange 01:58 < tds> all my routers run linux, which makes it rather easier with tcpdump on the router ;) 01:58 < raj> djph, why not just check up to what byte has been transferred and then continue? 01:58 < nbro> tds: Yes, I am aware of Tor, maybe I will start to use it. 
But you can also retrieve more info about me, not just my IP address and my username.. 01:58 < tds> for a router like that, if the wan connection is just ethernet you can stick a switch in between the ont/whatever and the router, then connect a laptop and make the switch mirror the ports, do a packet capture on the laptop's ethernet interface 01:59 < nbro> tpr: Yes, these chat systems are associated with companies, but it’s a little intimidating to have to chat and you know my location, etc, etc. You know too much about me without me wanting to share it, by default 02:00 < nbro> Maybe "intimidating" is not the most appropriate adjective 02:00 < nbro> I start to be a little tired... 02:03 < nbro> This area (i.e. computer networking) is fascinating, but I guess I never dedicated to it the appropriate amount of time to understand and know about it a little more 02:06 < nbro> Which client do you use to connect to these channels, btw? 02:07 < cmj> netcat? 02:12 < tpr> nbro: well, in that case it's easier just to keep off from the internet :P 02:13 < tpr> nbro: but I can see your point in a sense, the thing is, you are leaking that information to someone (at least to the receiver of your comm) every time you do an ip connection 02:14 < tpr> nbro: besides, freenode allows you to register your handle & hide your address 02:16 < tpr> a lot of people around in irc have been using irc before stackoverflow's and twitters existed, so it has kinda stayed that way. up to this point there has been no real challenger on it, in a sense 02:20 < spaces> is there love around here ? 02:29 < nbro> tpr: My point was more that, by default, all this info about addresses should be hidden 02:30 < nbro> I pretty sure that almost no one would want to share this info 03:01 < Jonno_FTW> hello 03:02 < Jonno_FTW> anyone familiar with ip6? I have 2 devices, A has internet from wifi on wlan0 and ethernet on eth0, B has ip6 connection to A through eth0, how do I get B to have internet access? 
03:06 < tds> Jonno_FTW: that's actually a fairly complex one to solve, ideally you want to do prefix delegation from the router to get a routed prefix to your device, then you can have that on-link on the link to B, or route some to B, or whatever 03:07 < tds> prefix delegation support as a DHCPv6 server isn't included in most routers though, so you'll probably end up having to use proxy ndp or something similar :/ 03:11 < djph> raj: because it doesn't work that way. 03:12 < Jonno_FTW> tds: ok 03:12 < Jonno_FTW> tds: they are connected via switch, not a router 03:12 < djph> raj: there's nothing stopping you from say, writing a newer version of scp that does restart partial copies; but as it stands it's not written that way. 03:12 < djph> turn A into a router. 03:13 < djph> although, that assumes you have a large enough prefix being handed to you to actually set A up to route a new prefix to B 03:14 < Jonno_FTW> tds: I have this: http://pastebin.ws/b4buez 03:15 < tds> is there meant to be a GUA address on wlan0 on device A? 03:15 < Jonno_FTW> a what? 03:15 < tds> a v6 global address 03:15 < Jonno_FTW> yes 03:15 < Jonno_FTW> A and B can talk over ip6 03:15 < djph> they're talking over link-local 03:16 < tds> is that just ifconfig not showing it, or am I being stupid? 03:16 < djph> and A is only showing a link-local for wlan0 as well ... 03:16 < tds> ^ 03:17 < Jonno_FTW> ok 03:17 < z3t0> is there a channel where I can ask about windows server? 03:17 < djph> Your ISP will minimally hand you a /64 (where they assume you have one flat network). 03:17 < djph> z3t0: #windows? 03:17 < Jonno_FTW> this is on a local network at a university 03:17 < z3t0> djph, I'll try that 03:18 < Jonno_FTW> the only external connection is via wifi 03:18 < djph> doubt the uni will be handing you anything larger than a single host address then 03:18 < Jonno_FTW> so I need a proxy on A? 
03:19 < djph> you need to not use ipv6
03:19 < Jonno_FTW> ok
03:19 < Jonno_FTW> I'll try setting B up for ip4
03:51 < ahyu84> how to convert ipv6 to ipv4?
03:51 < ahyu84> anyone can help
03:51 < ahyu84> fe80:1e7d:22ff:fe1c:2c71
03:52 < wxza> You mean ipv6 address to ipv4? If so, it doesn't work that way
03:52 < ahyu84> ok
03:52 < spaces> ahyu84 he.net
03:52 < spaces> get an IPv6 tunnel
03:53 < spaces> wxza if we find a way to do it we will be richt :D
03:53 < spaces> rich
03:53 < wxza> let's do it
03:53 < spaces> :D
03:53 < spaces> it's odd to have a lot of money
03:54 < spaces> I can guarantee you
03:54 < wxza> i wouldn't know
03:55 < spaces> keep it that way ;)
04:08 < spaces> oh git can mess up your life when you committed wrong :p
04:13 < luxio> how does google docs collaborative editing work?
04:14 < rewt> works pretty well
04:20 < ahyu84> hey guy
04:20 < ahyu84> I know MS released latest security regarding smb 1 2 3 something
04:20 < ahyu84> previously I could use shared folder in server
04:20 < ahyu84> now cannot access anymore
04:20 < ahyu84> for XP system
04:20 < ahyu84> so is there any update for XP regarding smb?
04:21 < luxio> don't use xp
04:21 < varesa> any update for XP regarding SMB? Yeah, it's called Windows 10
04:22 < ahyu84> serious guy
04:22 < ahyu84> so that means there is no way to use XP now?
04:22 < phocking> hahahaha
04:22 < phocking> lulz
04:22 < ahyu84> its because the pc is too old, hardly supports windows 7
04:22 < phocking> anything that can run xp can run 7
04:22 < ahyu84> i know
04:22 < phocking> xp has been eol forever
04:23 < ahyu84> but RAM is not enough
04:23 < luxio> running xp is extremely dangerous
04:23 < ahyu84> its like 256MB ram only
04:23 < phocking> ....
04:23 < phocking> upgrade the ram?
04:23 < phocking> what are you doing with this computer? haha
04:23 < phocking> get rid of it
04:23 < ahyu84> haha not possible to upgrade RAM
04:23 < ahyu84> as the market has EOL'd DDR2
04:23 < phocking> i just threw twenty core2 duos in a dumpster
04:23 < ahyu84> u should give me Core 2 Duo
04:23 < phocking> because that's old useless shit
04:23 < ahyu84> >.<
04:24 < ahyu84> here a lot of ppl still use core 2 duo processors
04:24 < phocking> ahyu84: i know a dumpster in spokane washington where you can find plenty :p
04:24 < ahyu84> even core 2 quad
04:24 < ahyu84> ok
04:25 < phocking> i just bought 50 i5 lenovos with 8GiB ram monitor and mouse/keyboard for $50 a pop
04:27 < ahyu84> w0w
04:27 < ahyu84> so cheap?
04:28 < ahyu84> its second hand units?
04:28 < phocking> yes these were refurbished units from a school
04:28 < ahyu84> ok better
04:28 < ahyu84> practice recycling
04:30 < ahyu84> KO
04:30 < ahyu84> just checked windows update for XP
04:30 < ahyu84> there are no more new updates
04:30 < ahyu84> OMG....
04:31 < luxio> probably because it's EOL
04:32 < phocking> luxio: lolz
04:34 < ahyu84> I just checked custom, there are still a few updates not installed yet
04:34 < ahyu84> so now installing and later I will report again :)
04:34 < ahyu84> got 14 updates ongoing
04:35 < phocking> good luck bruh
04:37 < ahyu84> hope the luck comes to me
04:52 < orlock> ahyu84: there is
04:53 < orlock> ahyu84: google XP POSReady
04:53 < ahyu84> @orlock
04:53 < ahyu84> thx
04:53 < orlock> but still
04:53 < orlock> just don't
04:53 < ahyu84> what is XP POSReady?
04:54 < orlock> .. is your google broken?
04:54 < ahyu84> nope
04:54 < ahyu84> I see it's a registry hack
04:54 < ahyu84> are u sure its working?
04:55 < orlock> No, because i burnt all mine in a goddamn fire.
04:55 < orlock> then i took off and nuked the site from orbit
04:55 < ahyu84> then why are u asking me to search for it
04:55 < ahyu84> =_=
04:56 < orlock> i thought you were asking for ways to still get updates for Windows XP
04:57 < ahyu84> I mean an SMB related update
04:57 < ahyu84> as for now my XP is not able to access the shared folder on my server
04:57 < ahyu84> its an SMB related issue, M$ patched a security hole
04:58 < orlock> CVE-2017-0144, CVE-2017-0146?
04:58 < orlock> Ok, so
04:58 < orlock> ask whoever runs the server?
04:59 < ahyu84> I'm
05:13 < Jonno_FTW> ok
05:13 < Jonno_FTW> I have 2 devices connected on ipv4 both on eth0, with A having net access on wlan0, how do I get net access to B?
05:14 < Jonno_FTW> or do I need to put a proxy on A?
05:14 < ahyu84> B is???
05:14 < Jonno_FTW> B only has eth0, A has wlan0 and eth0
05:14 < Jonno_FTW> both are connected via eth0
05:15 < ahyu84> use switch?
05:15 < Jonno_FTW> they are connected via switch
05:17 < Jonno_FTW> tds: I have this now: http://pastebin.ws/gdcb6z
05:17 < Jonno_FTW> A and B can talk over ip4
05:17 < Jonno_FTW> but B has no internet access
05:18 < ahyu84> that's weird
05:18 < Jonno_FTW> i think B gateway might be wrong
05:18 < ahyu84> u disable A wifi
05:18 < ahyu84> then try to see if there's internet access or not
05:18 < Jonno_FTW> wifi is the only internet access
05:19 < ahyu84> if no internet access then its something wrong with the switch itself
05:19 < ahyu84> I see, then its not possible to have internet access via switch
05:19 < Jonno_FTW> I'll just use an http proxy
05:19 < ahyu84> u need to have internet from router, connected to switch then it will work
05:21 < Jonno_FTW> I'm certain I can get the internet from wifi to forward to eth0 with routing
05:21 < ahyu84> then I think u are able to find info from google
05:21 < ahyu84> try to look into it
05:30 < soulisson> Hi. In snort, does the keyword offset apply to the start of the packet or the start of the whole stream?
05:41 < orlock> soulisson: maybe go to efnet and ask in #snort ?
05:42 < soulisson> orlock, thanks
05:46 < orlock> .. you may have to wait a bit...
05:53 < spaces> orlock don't we all wait ?
06:23 < raj> on an LSF system is it better to ask for more time with fewer cores or vice versa?
06:37 <+pppingme> raj depends on your needs
06:38 < blocky> is there a reason not to have two hosts on a network doing nat? one normal gateway router and also a vpn server that's inside the router nat? i'm just setting up wireguard for the first time and wondering what is the best way to access multiple hosts
06:38 <+pppingme> cores are good when you're running a bunch of small individual tasks, often many at a time, cpu time/speed is better when you're running single long running tasks
06:38 <+pppingme> blocky there's no reason your vpn box should be doing nat
06:38 < raj> pppingme, I submitted a job with 2 cores, 64GB RAM each, and it hasn't run my job for 3 hours still
06:39 < blocky> pppingme: how does the routing generally work if i want to access a different server inside the nat via the vpn connection?
06:40 <+pppingme> there should be NO NAT involved with the vpn, if there is, your implementation is broken
06:40 < grawity> blocky: kinda the same way as it works between two subnets in general
06:40 < blocky> i mean the normal router nat
06:40 < blocky> assuming my vpn box does no nat, as you say
06:41 <+pppingme> once the packet is "unwrapped" by the vpn, it shouldn't be any different than a 2nd subnet
06:41 < grawity> ideally your normal router nat should only take effect on packets going towards the WAN, nothing else
06:41 <+pppingme> vpn users aren't affected by nat
06:44 < blocky> i think wireguard might work differently than some other vpns
06:45 < blocky> encrypted udp packets come into the router on the regular wan interface on a specific port and get forwarded to the "vpn" box via nat on the vpn's lan interface
06:46 < blocky> they get decrypted and passed onto a tunnel interface on that box, which has an ip on an unrelated subnet
06:47 < blocky> that box has forwarding enabled so they can go _back_ onto the regular nat subnet, now decrypted
06:47 < grawity> it doesn't sound very different to me
06:47 < blocky> ok good :)
06:47 < blocky> i am just not setting it up correctly then
06:47 < grawity> I think you just described practically all VPNs except for IPsec
06:51 < blocky> so lets say i want to access a different host inside the nat from the external machine, do i just add a route on that external machine for the nat subnet to the vpn?
06:52 < grawity> on your LAN router would be a better place
06:53 < blocky> but then how do i specify what host i want to connect to on the vpn client box?
06:54 < grawity> by its IP address...
06:54 <+pppingme> blocky form your sentences without the word nat and it will allow you to think about this, both differently, and properly..
06:54 < blocky> ok sorry still new to this
06:55 < blocky> would it help if i used actual subnets?
06:55 <+pppingme> probably, it might identify any conflicts or issues you may have created
06:57 < blocky> there are 4 subnets here, the client box has a regular internet ip, right now it's 35.x.x.x, the router at the server site has 172.x.x.x on wan, and 10.0.0.1 on lan, the vpn box has a lan ip on its physical interface 10.0.0.15, and the vpn client has 192.168.254.2 on its virtual iface, and the vpn server has 192.168.254.1 on its virtual iface
06:59 < grawity> and you want the vpn client to access 10.0.something.something?
06:59 < blocky> yes
07:00 < grawity> well, no problems then
07:01 < blocky> so lets say i'm on the client box and i want to ssh to 10.0.0.2, how does that box know what to do with that packet?
07:02 < grawity> it receives a list of routes from the VPN server, if the protocol is capable of that
07:02 < grawity> if the protocol isn't, then you statically configure the routes while setting up the VPN
07:02 < grawity> e.g. you route 10.0.0.0/xx through wg0
07:03 < grawity> (openvpn and openconnect are examples where the vpn-server can automatically provide these)
07:04 < blocky> ok i think a route is being added for 10.0.0.0/24 to the virtual iface
07:05 < grawity> so the vpn-client sends packets to 10.0.0.2; they match the route "10.0.0.0/24 dev wg0" and are sent through wireguard
07:05 < blocky> and i see the packets on the vpn box, on the wg interface, 192.168.254.2.36548 > 10.0.0.170.ssh
07:06 < grawity> the vpn-server receives them from wg0; since it has another interface directly in the same subnet (10.0.0.15/24), the packets match the "10.0.0.0/24 dev eth0" route and are sent directly to the destination host over eth0
07:09 < grawity> in the reverse direction, there needs to be a "192.168.254.0/24 via 10.0.0.15" route *somewhere*
07:09 < grawity> it could be in your internal-host itself, or it could be in the LAN's main router
07:09 < grawity> and everything delivers packets pretty much the same way
07:10 < orlock> main router's a good place, setting routes like that per-host is a good way to madness
07:10 < blocky> i think the route back may be the problem
07:10 < blocky> i can see bidirectional traffic on the destination host
07:11 < orlock> blocky: but the responses will go to its default gateway, not the vpn host
07:11 < blocky> but then it doesn't know how to reply to 192.168, so it sends it to 10.0.0.1, which is also confused
07:11 < blocky> cool i think i see the problem
07:14 < grawity> putting the route directly on the host is easier to understand, but will result in more work (configuring many hosts manually)
07:14 < grawity> (...well, it *could* be done via DHCP classless-static-routes...)
07:14 < blocky> ill just add it statically to the router, seems simplest
07:15 < grawity> putting the route on the LAN router results in slightly asymmetric paths (and more load on the router), but is the easier method and doesn't really have any significant problems
07:16 < orlock> grawity: Not even really asymmetric paths assuming that icmp next-hop redirects are functioning
07:16 <+pppingme> grawity first packet should initiate an icmp redirect, so load is negligible compared to any other method of sharing the route
07:17 < grawity> and I had the impression it wasn't safe to honor icmp redirects
07:17 < grawity> if you do accept them, then yes
07:17 <+pppingme> you probably shouldn't trust them from an unknown network
07:17 <+pppingme> like the coffee shop
07:17 < orlock> dont trust anything from the internet
07:17 < orlock> ever
07:17 < grawity> well I guess Linux's "secure redirects" option is fine (only accept from an existing gateway)
07:17 < orlock> actually, just dont trust anything
07:18 * orlock watches 1.1.1.1 attempt a portscan
07:19 < blocky> traceroute on 10.0.0.2 is showing two hops on 10.0.0.15, and tcpdump on 10.0.0.15 is still only showing unidirectional traffic
07:19 < grawity> tcpdump on which interface of 10.0.0.15?
07:20 < blocky> either actually
07:20 < grawity> so, the traffic *is* visible going out through wg0?
07:21 < grawity> is it visible coming in on the VPN client, too?
07:21 < grawity> if not, then it's a wireguard problem
07:21 < grawity> missing AllowedIPs or something
07:21 < blocky> hmm hang on, not sure why i'm seeing unencrypted traffic on wg iface
07:21 < grawity> uh, *because* it's the wg iface
07:22 < blocky> oh right
07:22 < grawity> it's where the unencrypted traffic gets accepted into the vpn
07:23 < blocky> ok yeah that makes sense, sorry getting late i'm getting tired ha
07:24 < blocky> seeing 192.168.254.2.40914 > 10.0.0.170.12345 on both ifaces on 10.0.0.15
07:24 < blocky> which is ingress, but no egress
07:25 < grawity> so are you seeing reply traffic *from* the internal host, or not?
07:27 < blocky> tcpdump on the dest host shows it replying to 192.168.254.2 but 10.0.0.15 never sees that arriving
07:29 < blocky> i added this to my router add dst-address=192.168.254.0/24 gateway=10.0.0.15
07:29 < grawity> looks okay
07:30 < grawity> does the router receive packets? do its firewall rules accept them?
07:30 < grawity> (that's RouterOS, isn't it?)
07:30 < blocky> yeah
07:30 < blocky> i'll have to play with it tomorrow
07:30 < blocky> thanks very much for the help, it cleared up a lot for me
07:31 < orlock> RouterOS from Mikrotik?
07:31 < blocky> yep
07:31 < orlock> Hope you have been upgrading
07:31 < blocky> i rebooted it the other day, it was up for 25wks
07:31 < orlock> what version though?
07:32 < orlock> they had an RCE
07:32 < orlock> i keep seeing compromised mikrotik boxes probing
07:34 < blocky> hmm
07:34 < blocky> can i check the version from the terminal?
07:34 < grawity> /system package update check
07:34 < blocky> oh nvm 6.40.3
07:34 < grawity> tbh RCEs generally only work if someone is able to connect to the router in the first place
07:37 < blocky> am i connected?
07:39 < blocky> okay all secure now :-P
07:47 < grawity> hmm, speaking of RouterOS...
07:48 < grawity> older versions used MD5 challenge/response for API auth; the latest rc version uses plain password via TLS (because it no longer *stores* plaintext password on disk)
07:48 < grawity> so I'm updating the python API client for that
07:48 < grawity> do you think I should add an allow_plaintext_without_tls=False parameter to login() as a safeguard of sorts
07:50 < truthr> yes
07:51 < truthr> or you could give the users the maximum amount of control over their own hardware
07:52 < grawity> what?
07:54 < truthr> yes
09:03 < Orbixx> I've experienced no audio on VoIP calls before and they've been relatively easy to figure out the cause of. I'm stumped by the current problem though... Does anybody have any ideas what might cause lack of audio both ways, but only at the start of a call for a few seconds?
09:04 < linux_probe> packet loss from wrong MTU?
09:14 < Orbixx> Hmm, that could be it...
09:14 < mAniAk-_-> would have to be a really low mtu then :p
09:32 < Orbixx> Would a 1500 MTU be a possible cause in some cases?
09:33 < Orbixx> If clients are sending at 1500 and it's too big and retransmitting smaller...
09:37 < mAniAk-_-> sure, but not for voip
09:40 < Mikato> hi
09:40 < Mikato> can't synchronize two linux pcs by PTP
09:40 < Mikato> would someone help me/
09:40 < Mikato> ?
09:42 < linux_probe> only reason I could think of @ Orbixx. unless some oddball issue of not having static ports
09:42 < afidegnum> hello, reading about DNS, what's the difference between @ and CNAME ?
09:43 < bezaban> @ denotes current origin
09:43 < linux_probe> or the line is jammed solid and it takes a bit for packet/traffic shaping to catch up?
09:43 < bezaban> a cname is a domain name pointing to another
09:44 < afidegnum> mostly, A can point to @, cname can point to a name which in turn can point to @ or an IP address, right ?
09:45 < bezaban> a cname can point to @, but cannot point to ip addresses
09:45 < bezaban> you define $origin, for which hostnames without a terminating dot or @ will apply for in that section
09:46 < bezaban> if it points to an ip address it should be an A record or some other type
09:47 < bezaban> oh right, I see what you're saying, yes in turn the cname hostnames can point to other stuff
09:47 < bezaban> or you'd never be able to resolve it :)
09:48 < afidegnum> thanks, :)
09:51 < linux_probe> what about pnames =p
10:02 < afidegnum> linux_probe: pname?
10:03 < afidegnum> pname as pathname, i believe is not dns related
10:05 < afidegnum> bezaban: you there?
10:06 < bezaban> afidegnum: I am
10:07 < afidegnum> i have just read, i must have 2 name servers in each zonefile otherwise, it will be an invalid zonefile, but i only have 1 IP address for the server i m using,
10:07 < afidegnum> should i use ns1 and ns2 pointing to the same IP address?
10:07 < bezaban> afidegnum: no you really should have one master and one slave. A lot of registrars offer free slave dns
10:08 < bezaban> so you allow transfer to their ns, but you manage all changes on the master side
10:09 < bezaban> and watch your dns serial, it's tempting to just add a digit to increase it, but it will hit the max length and it can get a bit tricky to resolve
10:10 < afidegnum> wow, thanks for the reminder, whats the maximum length of the serial ?
10:11 < grawity> either 31 or 32 bits, can't remember
10:11 < bezaban> unsigned 32bit
10:11 < grawity> but in decimal it fits YYYYMMDDxx
10:11 < bezaban> aye
10:11 < bezaban> soo... 4294967295
10:11 < grawity> (though I don't bother with daily serials, since DNSSEC inline-signing keeps incrementing them weekly anyway)
10:12 < bezaban> and YYYYMMDDxx is common to use for human consumption
10:13 < afidegnum> ah, ok, i will still be in the limit
10:13 < afidegnum> ok, here is my situation
10:13 < afidegnum> i have a dedi server using bind9, where im issued only 1 ip address,
10:13 < afidegnum> so i want to set up my own DNS system
10:14 < afidegnum> which will manage different domains and mail accounts
10:14 < linux_probe> lol, I was being an arse
10:14 < afidegnum> so does it mean i will need to request another ip address?
10:15 < afidegnum> in tune with the ns thing
10:15 < grawity> why would you need that?
10:15 < grawity> to bypass the two-NS requirement?
10:15 < bezaban> afidegnum: running them on the same machine is a bad idea too, use your registrar's secondary dns or ask someone you know
10:15 < grawity> putting both on the same machine kind of defeats the point
10:15 < grawity> plenty of places, such as dns.he.net, will act as secondaries for free
10:15 < grawity> many server hosting companies offer DNS
10:16 < bezaban> I don't think I've ever seen a registrar that *doesn't* have a free slave dns service
10:16 < bezaban> well, maybe a registrar, but the companies who also act as registrars usually do
10:16 < afidegnum> ok, i m hosted at hetzner, i will check from them
10:16 < afidegnum> i have domains from godaddy, hosted at hetzner
10:17 < afidegnum> i will check godaddy and hetzner dns
10:17 < grawity> https://wiki.hetzner.de/index.php/DNS_Robot/en#Option_.22Slave_DNS_entry.22
10:17 < afidegnum> ah, thanks, you are there on time :)
10:17 < grawity> godaddy would work too, doesn't matter really
10:21 < afidegnum> do i need a PTR record as well?
10:30 < grawity> only for a mailserver
10:34 < bezaban> afidegnum: you generally don't manage your own ptr
10:34 < bezaban> afidegnum: at least with a single address. Hetzner lets you update their zone via robot
10:35 < bezaban> and I would run it for a while until putting critical email on there, lotsa pitfalls with mail and dns
10:40 < afidegnum> ok
10:59 < Orbixx> linux_probe: Unfortunately a lower MTU did not fix it
10:59 < Orbixx> It's a 500Mbit line that gets less than 10% utilisation :(
11:02 < linux_probe> ahh, I thought maybe dsl/pppoe or something not with 1500 byte packets
11:10 < potatoe> can I ask an ipfw question here if someone familiar with it is present?
11:10 < potatoe> or is that out of scope for the channel
11:11 < bezaban> it's on topic, anything remotely related to computer networking is :)
11:11 < bezaban> don't know if there are many freebsd people, but I guess we'll find out
11:19 < CryptoSiD> Hi, i got a noob question, why am i not getting the nameserver when doing: dig -x NS X.X.X.X ?
11:19 < CryptoSiD> with an actual ip
11:20 < TotallyNotKim> CryptoSiD: you want to throw in an ip address and get back something like ns1.foo.bar?
11:20 < detha> potatoe: ehm, does dig/drill using TCP work?
11:20 < CryptoSiD> I want to know what is the nameserver of an ip address yes
11:20 < CryptoSiD> or even a /24
11:21 < CryptoSiD> im having an rDNS issue, im trying to find out why
11:21 < TotallyNotKim> CryptoSiD: there is no nameserver for an ip address. Nameservers are for domain names. To get the hostname of an ip, you use rdns
11:21 < TotallyNotKim> if it's set up that is
11:22 < CryptoSiD> well when i do an nslookup of an IP?
11:22 < CryptoSiD> how does this work?
11:22 < CryptoSiD> a nameserver has to answer somewhere?
11:22 < SwedeMike> CryptoSiD: it uses the name in .in-addr.arpa. to find reverse DNS names.
11:23 < SwedeMike> CryptoSiD: https://www.the.net/tools/docs/reverse.php
11:24 < TotallyNotKim> CryptoSiD: well the command "nslookup 8.8.8.8" or "dig -x 8.8.8.8" does the reverse dns lookup for you
11:24 < potatoe> detha nope, that doesnt work either
11:24 < CryptoSiD> 8.8.8.in-addr.arpa. 3600 IN NS ns1.google.com.
11:25 < potatoe> resolv.conf is present though
11:25 < potatoe> https://gist.github.com/spaghetti-/1c082e5457aaf8fca793095d164b2be4
11:25 < CryptoSiD> that is what i want but for a different ip
11:25 < potatoe> my ruleset ^
11:25 < linux_probe> lol
11:25 < detha> potatoe: and 300/310 show up correctly in ipfw list ?
11:25 < linux_probe> not every ip is going to have an rdns entry
11:25 < CryptoSiD> when i dig 8.8.8.8 im getting 4 NS
11:25 < CryptoSiD> when i dig the ip im having issues with, i get no NS at all.
11:26 < CryptoSiD> only an SOA
11:26 < potatoe> detha yeah, https://bpaste.net/show/b30ce41dba7f
11:26 < potatoe> im running natd with -m -dynamic, can drill from outside the jail
11:26 < potatoe> just not from inside the jail
11:27 < potatoe> lo1 is cloned from lo0 and the jail is running on it
11:27 < djph> then you messed up your SOA
11:27 < CryptoSiD> "your" but yeah looks like this will be a case for the network engineer
11:27 < CryptoSiD> im too noob for this :)
11:27 < CryptoSiD> thanks for help tho :)
11:28 < djph> I mean, the other side is if it was messed up, and the SOA is cached for 24 hours or something ...
11:28 < TotallyNotKim> CryptoSiD: dont know what you do, but im getting "8.8.8.8.in-addr.arpa. 86309 IN PTR google-public-dns-a.google.com."
11:28 < CryptoSiD> sec
11:29 < potatoe> detha is there a way to enable logging for allowed packets so that I can debug this? the conf really looks OK unless i messed up something pretty basic
11:29 < CryptoSiD> TotallyNotKim: https://paste.debian.net/1026875/
11:29 < linux_probe> lol @ TotallyNotKimjongun?
11:30 < detha> potatoe: don't see anything obvious, I think you can 'allow log any to any'
11:33 < potatoe> detha from the log I can see that the DNS request is going out but it cant recv
11:33 < potatoe> kernel: ipfw: 801 Accept UDP 10.0.2.15:47118 1.1.1.1:53 out via em0
11:34 < detha> potatoe: can you see the reply coming back with tcpdump?
11:35 < potatoe> detha tcpdump is pretty noisy on em0
11:35 < potatoe> is there a way to make it less verbose
11:35 < potatoe> or filter on 53
11:36 < potatoe> nvm found that
11:36 < detha> tcpdump port 53
11:37 < potatoe> detha the reply is coming back to em0
11:37 < potatoe> just not getting natted into the jail
11:38 < potatoe> thats pretty strange i was thinking its a send error all along
11:38 < djph> tcpdump blahblah and port 53 (IIRC, although that may be ... not bsd syntax)
11:39 < potatoe> djph yeah I used tcpdump -i em0 host 1.1.1.1 (my resolver)
11:39 < potatoe> pot is also valid
11:39 < potatoe> port but heh
11:39 < djph> yup, that'd work too
11:44 < detha> potatoe: only thing I can think of is that 200 should be before 50 to pick up the established state
11:45 < potatoe> detha but the handbook explicitly states that 50 should be before check-state
11:45 < detha> so not that
11:45 < potatoe> https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
11:45 < potatoe> $cmd 100 divert natd ip from any to any in via $pif # NAT any inbound packets
11:45 < potatoe> # Allow the packet through if it has an existing entry in the dynamic rules table
11:45 < potatoe> $cmd 101 check-state
11:53 < detha> potatoe: and doing http requests from the jail? does that work?
11:53 < potatoe> detha no i tried telnet ip 80 doesnt work either
11:54 < detha> ok, so it is somewhere in the natd logic. dunno then
11:55 < afidegnum> bezaban: so what type of DNS server would you recommend setting on my dedi server? based on this read up? https://www.digitalocean.com/community/tutorial_series/an-introduction-to-managing-dns
12:11 < nbro> Hi
12:11 < nbro> I was not resetting the modem correctly yesterday
12:11 < nbro> Apparently, I had to do it for about 20 seconds, while I thought that about 5 seconds were more than enough…
12:16 < djph> oops :)
12:20 < afidegnum> what dns server would you suggest for me to set up? i have 1 dedi server hosted at hetzner where i want to host multiple domains. Authoritative-Only/Caching/Forwarding?
12:20 < mAniAk-_-> why do you need a dns server
12:21 < mAniAk-_-> if you need to ask that question you probably do not need to run one
12:22 < TotallyNotKim> thehehe
12:24 < afidegnum> because i m managing a mail server as well
12:24 < mAniAk-_-> still not a reason
12:24 < light> you can often get free dns hosting at your registrar
12:24 < mAniAk-_-> just park your domains somewhere like cloudflare and let them take care of dns
12:25 < avu> afidegnum: Hetzner can do DNS hosting for you just fine, including all those fancy TXT records you need for fancy mail servers these days
12:25 < grawity> >fancy
12:25 < grawity> next you'll be telling me they support AAAA
12:25 < avu> they do! it's, like, the future!
12:25 < test1337> oi
12:26 < avu> (in fact, you just supply them with a bind style zone file)
12:28 < nbro> djph: I would need to read the instructions more carefully next time, provided that this is written in the instructions. Do you know why one would need to click a button for about 20 seconds (instead of 5)? I mean, it’s a little button, but it’s still a button. I don’t get why the time I spend on clicking it makes a difference
12:29 < grawity> nbro: possibly two different modes
12:29 < grawity> the minimum time, in general, is just to avoid accidental resetting
12:29 < grawity> but different times can be used to get different results – like data reset vs firmware update vs unbrick mode
12:29 < afidegnum> so far i have installed bind9 and bindutils,
12:30 < djph> nbro: it's a safety catch - "yes, the person pressing it *really* means reset to factory settings)
12:30 < nbro> grawity: Your arguments make sense…
12:30 < test1337> hi nelson
12:30 < djph> and yeah, what grawity said too - dual-mode switch is pretty common
12:31 < grawity> e.g. I think ubiquiti devices have it as 'plain reboot -> tftp/unbricking -> settings erase' depending on how long you hold, with the most destructive one at the end
12:35 < nbro> Who’s this test1337?
12:36 < linux_probe> testicles
12:37 < nbro> WTF does he/she want from me?! :D
13:11 < afidegnum> hello, can anyone give a hand, i m still confused
13:13 < afidegnum> i have a dedi server (on debian) at hetzner and installed bind9, with 1 ip address... i want to host multiple domains and mail accounts, how do i configure the hostname and nameserver based on this ? https://wiki.hetzner.de/index.php/DNS_Robot/en
13:24 < djph> hosting multiple domains would be apache virtual servers triggering on the actual URL
13:24 < djph> probably the same for virtual mailservers
13:25 < afidegnum> i m looking at the fqdn, how many fqdn is a server allowed to have ?
13:26 < djph> *the server* will have one. However, all the other virtual servers will have ... well, however many you need
13:27 < afidegnum> ok
13:27 < afidegnum> i m setting up for the hosting of domains and mail servers
13:27 <+xand> "hosting of domains"... DNS?
13:28 < djph> e.g. your SERVER is named afidegnum.whateverdomain.tld. You also have the apache-virtual servers "customer1.tld" and "goatse.net"; and the virtual email servers ... mail.customer1.tld and whatever else
13:29 < linux_probe> lawl, goatse.net
13:29 < djph> granted, you also have told the registrars of all domains to point the relevant A(AAA) records to your server's IP address.
13:31 < afidegnum> well apparently, i need to set up a DNS i believe to be able to host email accounts,
13:32 < afidegnum> and also in case of custom web hosting, i.e sub domains etc..
13:32 < afidegnum> that's why i am struggling to configure the dns server
13:33 < afidegnum> meanwhile DNS providers provide their own DNS addresses, so i am wondering how will it pair with my server IP address?
13:33 < djph> you don't have to run your own DNS server for that
13:33 < afidegnum> so what are the config stages
13:33 < afidegnum> ok
13:34 < djph> I mean, when you register afidegnumsdonkeyporn.com, you just tell the registrar to point the URL to 192.0.2.100
13:39 < afidegnum> djph: this is the situation, i have DEDi IP: 192.x.x.x, i want to add domains i.e *.afidegnum.com, *another.com, * * *
13:39 < afidegnum> as well as mx.afidegnum.com, mx.another.com,
13:40 < djph> so then when you register afidegnum.com, and "another.com", you point the A records to 192.whatever
13:40 < djph> and set up apache to load the right directory based on what URL the other party asked for.
13:41 < djph> it'll be quite similar for your mailserver as well
13:42 < afidegnum> ok, let me check and see
13:44 < djph> although, setting up the virtual mailhosts varies somewhat by MTA in play (e.g. postfix vs. exim vs. whatever)
13:55 < dogbert2> hey djph
13:58 < spaces> dogbert2 :D
13:58 < dogbert2> yawn...
14:00 < spaces> oh you naughty boy don't try to dare me ;)
14:06 < djph> 'sup dogbert2
14:08 < spaces> djph it's all down with him...
14:13 < dogbert2> not much...how about u
14:14 < djph> dealing with stupids, who are at least thankfully several hours ahead of me, so I can get gone soon
14:45 < cousteau> hi. My university provides a VPN service, but it requires using a program called FortiClient. Does this typically mean that someone has reinvented the wheel and implemented their own VPN protocol, signatures, or whatever; or is that probably just a helper GUI for people who have no idea how to set up a VPN?
14:46 < grawity> generally the former
14:46 < cousteau> ouch
14:46 < cousteau> (this client is available for Linux so I don't have a reason to not use it other than convenience)
14:46 < grawity> if you're lucky, it'll be built around common protocols, such as AnyConnect using HTTPS and DTLS
14:47 < grawity> because... honestly, the selection of freely available VPN protocols isn't that great.
14:47 < cousteau> oh, so there's no single specification
14:47 < cousteau> weird; Ubuntu has this "set up VPN" thing
14:47 < grawity> no, there's no single specification of how to implement a VPN
14:47 < grawity> Ubuntu's thing is probably regular NetworkManager, which comes with plugins
14:48 < grawity> it has an OpenVPN plugin, an OpenConnect plugin for newer Cisco, a vpnc plugin for older Cisco...
14:48 < cousteau> oh I see
14:48 < cousteau> (yes, NetworkManager)
14:48 < djph> isn't "FortiClient" for dealing with Fortigate VPN concentrators?
14:48 < grawity> djph: yes it is, what's your point
14:49 < cousteau> grawity, so I either use a program that deals with one specific protocol, or use a centralized one that will search for the adequate plugin after identifying the network?
14:49 < cousteau> is that it?
14:49 < grawity> no
14:49 < djph> questioning the comment about "freely available" protocols
14:50 < detha> That, like all vendor-locked VPNs, it's just ipsec or ssl with enough extra bits added to make it incompatible with standard clients....
14:50 < djph> I probably just misunderstood what you were trying to convey.
14:50 < grawity> cousteau: well.... there are so many protocols that "identifying the network" would be a bit hard to do properly
14:50 < grawity> cousteau: (especially if the same host happens to serve multiple)
14:50 < cousteau> oh look, latest Ubuntu has a network-manager-fortisslvpn plugin, nice
14:50 < cousteau> (for people using the latestest Ubuntu)
14:51 < grawity> what NetworkManager has is a single place to start/stop those connections (and a graphical interface to manage them)
14:51 < royal_screwup21> I don't quite understand "access control allow origin". Say I own site A and I want site B to be able to access my resources. From what I gather, I can put site B inside my access control header to make that happen. My question: I have a chrome plugin https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkilj
14:51 < royal_screwup21> bi?hl=en that essentially would allow site B to visit my site, even if it isn't listed in my header. I don't understand how that happens
14:51 < grawity> but that's all it is; it only knows what you tell it
14:52 < cousteau> ok so I'm pretty much stuck with using their client
14:52 < grawity> tbh a vendor's choices re protocol selection are basically a) IKEv2, probably with userspace IPSec because OS native implementations are ass; b) idk, OpenVPN? c) invent their own protocol
14:52 < cousteau> *sigh* I wish they'd give me back the proxy server for web stuff
14:52 < grawity> cousteau: if I were to guess from https://github.com/adrienverge/openfortivpn
14:52 < grawity> fortivpn is essentially PPP inside TLS
14:53 < grawity> (almost like Microsoft's SSTP, but not)
14:53 < cousteau> well, you need the client for Windows, Linux, and Mac, so it can't use anything builtin
14:55 < grawity> sure it can, it just means 5x the code to be written
14:55 < cousteau> I mean in this case
14:56 < cousteau> the Forti thing must be using its own thing and not builtin things
14:56 < cousteau> "can't" meaning "must not"
15:00 < djph> probably more "SHOULD NOT" use builtins; but ...
15:01 < cousteau> djph, I meant "is likely not"
15:02 < cousteau> now, I wonder how hard it'd be to set up a web proxy with a remote computer, so that I can get my good old proxy behavior back
15:03 < cousteau> ...or try to convince the maintainers of the old proxy-cache thing to bring it back
15:11 < djph> why do you want a proxy?
15:12 < cousteau> to browse the internet like I'm at university
15:12 < djph> er ... what?
15:12 < cousteau> so that I can read papers that are only available to universities 15:13 < grawity> then you'd need a special client for proxying all that over TLS, and back to square one 15:13 < djph> usually connecting via a VPN to your uni, then connecting to the journal's site is how you accomplish that... 15:13 < cousteau> (or rather, to *my* university, because it pays a subscription or something) 15:14 < cousteau> djph, the problem is that if I use a VPN then ALL my traffic will be routed through the VPN, and that's somewhat inconvenient 15:14 < grawity> but isn't it the same with proxies? 15:14 < grawity> (read that as: no, that's just what you assume.) 15:14 < cousteau> no, because I can configure Firefox to use a proxy, and only Firefox 15:15 < grawity> and you can configure VPNs to add routes for sites X and Y, and only sites X and Y 15:15 < cousteau> whereas setting a VPN would be a system-wide thing 15:15 < djph> nah 15:15 < djph> you just set the routes (if you need to) 15:15 < cousteau> I see 15:15 < grawity> though admittedly CDNs kinda throw a wrench in those plans 15:15 < cousteau> but... that's definitely not done with the GUI this program has, right? 15:15 < cousteau> (maybe this program has advanced options I need to read about) 15:16 < djph> no idea, never used the fortiwhatever 15:16 < cousteau> djph, but it'd be a unique way for any other VPN that is not directly supported by your OS/distro, right? 15:17 < djph> not really, routing is routing ... 
15:17 < cousteau> oh 15:18 < cousteau> so in principle I could start this VPN thing, but NOT make it replace my regular ethernet connection, and then decide myself what goes on each connection 15:18 < cousteau> I'll try that later 15:18 < djph> well, you'd have to take a look at what insanity they're doing with routing 15:19 < djph> although, rarely have I seen sites that trigger "allowed login(tm)" based on where you're coming from 15:19 < djph> I mean, especially for a journal, researchers may not be on campus when they need something 15:19 < grawity> it's more about *bypassing* login based on where you're coming from 15:20 < tds> it might also be worth checking if the uni provide servers you can ssh to, since then you may be able to socks proxy via those 15:20 * tds does that to get to uni stuff, it's much easier than doing namespaces/policy routing/whatever, and vpnc also doesn't seem to want to connect to a v6 address 15:21 < grawity> tbh I should ask the librarians here how to get access to the "organizational login" feature in those sites, for web SSO 15:21 < djph> grawity: ah, yeah, didn't think of that. 15:21 < grawity> since apparently being in eduGAIN is not enough, no, they have their own thing that's almost the same only different 15:23 < cousteau> I think I'll ssh to my remote machine and use its firefox remotely 15:23 < cousteau> what's eduGAIN? like eduroam? 15:24 < cousteau> tds, well, I could setup one; I have a remote computer there 15:24 < grawity> kinda, only for websites 15:24 < cousteau> grawity, oh I see 15:25 < grawity> or in other words: it's "Log in via Google" but for academic orgs 15:27 < cousteau> grawity, oh, reminds me of how I need to do this weird thing to get to Thomson Reuter's JCR 15:27 < cousteau> I need to "log in" each time, but I do that by clicking on a page that ...does some magic with my national universities and eventually I'm logged in 15:27 < cousteau> I think it's magic 15:45 < freakynl> Hi, I'm a bit stumped. 
If I look-up f4.shared.global.fastly.net. through my local DNS / recursors, it always returns 4 addresses. If I query one of the nameservers for fastly.net directly, I only get 1. Any idea what might cause that? Pretty weird imho 15:48 < Roq> I only get one address, tried from 3 different sources 15:52 < djph> I see one, with a 30 second TTL o_O 15:55 < BenderRodriguez> freakynl: http://termbin.com/3ivj 15:55 < BenderRodriguez> I see the same 15:56 < tds> yeah, I see 4 records from google's resolvers, I've only get 1 from others I've tested 15:56 < BenderRodriguez> what's the other one you tried 15:57 < tds> my own internal resolvers, querying the nameservers directly from a few places, cloudflare's resolvers as well 15:58 < freakynl> Hmm I think it does something 'intelligent' based on the number of queries from an IP or something. All 4 IP's I got here internally host the file at least. 16:04 < minasota> Trying to learn more about my internal network/router. Noticed that all devices connected start with 104 and not 192. Is this normal? 16:04 < Atro> no 16:04 < minasota> I didn't think so. What could be the cause of this? 16:04 < freakynl> Thanks for the checks :) 16:04 < Atro> I have a stupid question, in the ARP packet, is the L2 Sender address mandatorily identical to the sender mac address? 16:10 < freakynl> Atro: well not doing that is called spoofing. Not sure if it's mandatory however, also don't know your definition of 'sender'. In virtualisation land it's very common for a NIC with MAC address xx:xx:xx:xx:xx:xx to send packets with a different source MAC, as each VM will get at least 1 MAC address of it's own 16:12 < djph> minasota: not at all. 104.x is public IP space 16:14 <+xand> well 16:15 <+xand> if 104.whatever is allocated to you then it's fine 16:15 < djph> AT&T owns 104/12; cloudflare is 104.16/12; TWC is 104.32/12 ... 16:15 < djph> and I'm bored now. 
16:15 < djph> take that back, TWC is only 32/14 17:25 < roadhog863> hey xand ;) 17:54 < Pomidora_> Those abuse phonelines and email addresses you see in ICMP Whois responses... are those ever used? What kind of things are ever phoned in or emailed? 17:55 <+pppingme> whats an icmp whois response? 17:56 < Peng_> Sure, people report spam and stuff 17:56 < Peng_> Or assholes who don't understand their IDS logs make things up and [goes off on rant] 17:58 < Pomidora_> pppingme: let's say you `dig` some domain with an A-record and run `whois THATIP` 17:59 <+pppingme> that has nothing to do with icmp 18:04 < Pomidora_> pppingme: Right i might be conflating MTR's (or other modern traceroute programs) method of using ICMP with whois 18:07 <+pppingme> whois and icmp have NOTHING to do with each other 18:08 < Pomidora_> yes 18:11 < drac_boy> hi 18:12 < Pomidora_> so does anyone know what stuff actually goes through those Abuse phone numbers and emails? 18:13 < Peng_> People report spam and stuff 18:13 < drac_boy> pomidora dunno..I've never found anything to report in the first place 18:16 < Pomidora_> Peng_: what kind of spam can be classified directly as network abuse? I.e. "This spam is directly coming from / affecting your network" 18:16 < djph> done that with universities before (well, at least ones in western countries. 18:17 * drac_boy on the other hand is happy that a judge officially ruled in my favour on friday! 18:17 < Aleksandar86> is management IP adress on Dlink switches untagged vlan 1 18:17 < Aleksandar86> ? 18:17 < Aleksandar86> I can't access to management from ACCESS switches 18:17 < djph> what, that porn is legal even if you don't pay the hush money? 18:18 < djph> Aleksandar86: by default, usually that's what everyone uses. 18:19 < drac_boy> djph very funny .. no .. 
just that the long-dragged monopolistic charge has been blocked and that I can't be accused anymore for good as of friday 18:19 < Aleksandar86> I have two stacked CORE switches, and 8 ACCESS switches connected with CORES 18:19 < Aleksandar86> connection is TRUNK with Allow all VLAND ID 18:19 < Aleksandar86> on ACCESS switches I set only VLANs who must have comunication 18:20 < Aleksandar86> but when I set tagged 18:20 < Aleksandar86> I dont have access on another switches management 18:20 < djph> the...what? 18:21 < Aleksandar86> djph 18:21 < Aleksandar86> I have mikrotik who have 5 VLANs 18:22 < Aleksandar86> tagged ofc 18:22 < Aleksandar86> and this mikrotik is connected via trunk on core 1 18:22 < djph> well, then unfuck the dlink ones 18:22 < regdude> what kind of switch and what kind of configuration you are using? 18:22 < Aleksandar86> Core 1 have TRUNK access with all access switches 18:22 < regdude> sounds like the VLAN table is not configured properly 18:23 < Aleksandar86> maybe when port on access switch i Tagged I dont have access default untagged ports 18:24 < Aleksandar86> here is schematic 18:24 < Aleksandar86> https://i.imgur.com/tsqD7ZT.jpg 18:25 < ^7heo> I was like "who the fuck plugged the microturd back in the network" 18:25 < ^7heo> but then I realize it was a different channel. 18:26 < Aleksandar86> Mikrotik is DHCP 18:26 < Aleksandar86> any VLAN have DHCP 18:26 < Aleksandar86> VLAN9 192.168.0.0/21 18:26 < Aleksandar86> VLAN10 192.168.8.0/21 18:26 < drac_boy> djph I've probably mentioned it a few times before but anyhow theres no non-mikrotik option that can even do connection failover and apparently the federal business board was starting to get grumpy about me not offering at least one alternative sale choice 18:26 < Aleksandar86> VLAN30 192.168.16.0/21 18:26 < drac_boy> 7heo heh :) 18:26 < regdude> Aleksandar86: is the CPU port added to the VLAN table? 
18:27 < Aleksandar86> I have internet on ACCESS PC 18:27 < djph> connection failover, like the UBNT ER's "loadbalance [interface] failover-only" option? 18:27 < ^7heo> drac_boy: yeah the joys of having coworkers sending pics online for documentation purposes 18:27 < djph> drac_boy: or something else? 18:27 < Aleksandar86> I have comunication from VLAN10 to VLAN9 PC to SERVER 18:27 < drac_boy> 7heo no further comment :) 18:27 < Aleksandar86> CPU port of switch? 18:27 < drac_boy> djph no .. either uart or rj14 as the fialover 18:27 < drac_boy> failover* 18:28 < djph> OH, yeah, not gonna ge... waitwhat? 18:28 < Aleksandar86> Mikrotik have backup link if eth3 down ethr4 is UP 18:28 < djph> uart as in serial!? wtf kind of networking you running where you can failover to *serial*?! 18:28 < Aleksandar86> All access switches have LACP with core1 and core2 18:29 < Aleksandar86> and before Mikrotik I have 2 Optic internet with failover 18:29 < Aleksandar86> in this case there i no options be without network and internet 18:30 < Aleksandar86> if CORE2 down 18:30 < Aleksandar86> or CORE1 18:30 < Aleksandar86> s/networking/network/ 18:31 < regdude> ehh just send me the configuration, you have not set up management properly 18:34 < Korisnik_> here i am 18:34 < Korisnik_> Aleksandar 18:34 < Korisnik_> regdude 18:35 < regdude> ok... 18:35 < djph> good luck regdude ... 
you're gonna need some booze for this one 18:36 < Aleksandar86> I change every default IP from 10.90.90.90 to 192.168.5.1 - 192.168.5.10 18:36 < Aleksandar86> this is subnet of VLAN9 18:36 < Aleksandar86> from core I have access on every sweetches 18:37 < regdude> just send me the configuration 18:37 < Aleksandar86> but from Access switch 192.168.5.4 I dont have 18:37 < Aleksandar86> look image 18:37 < Aleksandar86> I dont have config here 18:37 < drac_boy> image != configuration 18:37 < drac_boy> :) 18:37 < Aleksandar86> https://i.imgur.com/tsqD7ZT.jpg 18:37 < Aleksandar86> You can see where is ACCESS, TRUNK, etc 18:38 < drac_boy> aleksan and what dns? what port to what ip? etc 18:38 < drac_boy> that's why the image is useless tbh 18:38 < Aleksandar86> from CORE to ACCESS switch I have TRUNK allow anay VLAN 18:38 < djph> ... we're probably all gonna need booze by the end of this ... 18:38 < drac_boy> djph thankfully I don't drink sorry :P 18:38 < Aleksandar86> Mikrotik have DHCP for every VLAN 18:38 < regdude> djph: sorry to say, but Im here for 5minutes, then my day is done 18:38 < Aleksandar86> VLAN9 is 192.168.0.0/21 18:38 < djph> you're a sad, strange little man drac_boy 18:38 < Aleksandar86> VLAN10 is 192.168.8.0/21 18:39 < Aleksandar86> VLAN20 is 192.168.16.0/21 18:39 < drac_boy> djph nope..I'm someone who just drinks non-wheat things daily ;) 18:39 < Aleksandar86> on Access switch I have internet from VLAN 10 18:39 < Aleksandar86> PID is vlan 10 18:39 < djph> me too 18:39 < Aleksandar86> also I have access to VLAN9 server who is connected on CORE 18:39 < djph> corn and barley are my go-to 18:40 < regdude> Aleksandar86: what model switches are you using? 18:40 < Aleksandar86> 2 core stacked is DGS-3630-28TC 18:40 < drac_boy> milk and natural water for me djph .. with occasional fruit juices :) 18:40 < Aleksandar86> Access switches is 1210-28 and also 1210 with more ports 18:41 < regdude> Aleksandar86: so where is the MikroTik? 
18:42 < Aleksandar86> Mikrotik CCR1009-7G-1C-1S+ 18:42 < regdude> are you using bridge filtering? 18:42 < Aleksandar86> ether3 and ether4 is Bonding with backup 18:42 < Aleksandar86> ether3 is primari 18:42 < djph> drac_boy: that sounds boring. 18:42 < Aleksandar86> and on this working perfect 18:42 < drac_boy> well its healthy for me so :P 18:42 < djph> drac_boy: but anyway, back to your interesting networking-over-uart approach ... 18:43 < Aleksandar86> guys only regdude understund this network 18:43 < regdude> oh god 18:43 < djph> not arguing it's not healthy ... 18:43 < Aleksandar86> regdude 18:43 < drac_boy> regdude I could say the same thing you just said :-s 18:43 < djph> nah, regdude is the only one of us dumb enough to try helping you out. 18:43 < Aleksandar86> you can see wehere is pc connected 18:43 < Aleksandar86> ? 18:43 < Aleksandar86> on access switch 192.168.5.4 18:44 < Aleksandar86> I have comunication with server who is on VLAN9 18:44 < drac_boy> djph ah you probably got the wrong picture .. its either rj14 for direct modem or uart to add external one in .. same endresult tho :) 18:44 < Aleksandar86> i got IP from VLAN10 18:44 < regdude> Aleksandar86: the problem might be related to STP, check if none ports get blocked at some point. Sorry, I have to go 18:44 < Aleksandar86> :( 18:44 < djph> drac_boy: oh, I figured on it being serial-to-something. just kind of "holy hell, that's still a thing!?" 18:45 < Aleksandar86> djph help me to fix problem 18:45 < Aleksandar86> this network works good 18:45 < Aleksandar86> but only problem is with Accessing from ACCESS switch 18:45 < Aleksandar86> to another switches 18:45 < djph> I mean, most secondaries I see these days are via a different ISP entering the other side of the building (so, ultimately ethernet); or using a 3/4g modem (which again, is ethernet) 18:46 < djph> it's either (a) your firewalls, or (b) you fucked up your configs. Read the manuals. 18:50 < drac_boy> djph yeah I know what you mean .. 
dual-wan and that sort of typical crap :) 18:51 < djph> yup 18:51 < djph> haven't seen "we need actual, honest-to-cthulhu dialup" in ages 18:56 < drac_boy> djph well its a necessarity due to websites and especially emails these years .. the only alternatives usually are actually worser and yet charges more than $40/monthly (meanwhile modem connection is only $0-20/yr depending on which carrier user want to retain) 18:56 < drac_boy> but what am I to say .. the funny thing is many of these users "technically" should have gprs per commercial coverage map....except they don't by a long shot 19:00 < djph> ouch 19:01 < ct_jack> I'm a bit confused about bandwidth-delay product. When is it calculated using RTT and when is it calculated using end-to-end delay? 19:03 < drac_boy> most users are only paying like about $25-70/mth average for to have adsl+56 all the times and I've never ever found anyone who has actually been down at all (excluding rare 150km-wide power outages etc tho) 19:07 < djph> ct_jack: huh? 19:10 < ct_jack> djph: Hope this is the right channel. Bandwidth delay product I'm talking about is this (https://en.wikipedia.org/wiki/Bandwidth-delay_product) 19:10 < ct_jack> djph: Every resource I've found tells me it's calculated using RTT, but my lecturer says it can be either RTT or end-to-end delay 19:11 < ct_jack> Even though RTT should be approx 2x end-to-end delay AFAIK 19:12 < djph> it's RTT * bitrate 19:12 < djph> that's its definition 19:13 < djph> like saying the product of 2*2 = 4 ... it never won't be 4 19:14 < djph> the whole reason you have to use RTT is noted in the first paragraph -- "transmitted, yet not yet ack'd data" 19:14 < djph> s/yet not/though not/ 19:15 < djph> I suppose if you're talking UDP (which doesn't do ACKs), you can do just the end-to-end delay (i.e. 0.5 * RTT) 19:18 < ct_jack> djph: That makes sense to me. Would it also make sense to use end-to-end if the data transfer is unidirectional? 19:18 < djph> is the data transfer TCP? 
19:18 < ct_jack> Either, I suppose. The slides I'm looking at don't specify, they're just talking generally 19:19 < djph> well, if the xfer is TCP (e.g. sftp, http, etc.) it's not "unidirectional" - it falls right back into that "not yet ack'd" part of the statement 19:21 < ct_jack> djph: Right okay, that makes sense. Thank you 19:34 < Aleksandar86> djph 19:34 < Apachez> in short 19:34 < Apachez> tcp is session based and awaits ack from opposite side before sending next packet 19:34 < Aleksandar86> maybe is problem because IP of Access switch is 192.168.5.4 255.255.248.0 19:35 < Apachez> this is tweaked into windowsizes (recveive / send buffers) 19:35 < Aleksandar86> and when I set PID 10 I got IP from VLAN10 192.168.8.0/21 19:35 < Apachez> so you can have x number of bytes on the wire which isnt been acked yet 19:36 < Apachez> so the BDP tells you how large sendbuffer do you need to have in order to fully fill that link between you and host B 19:36 < Apachez> the tricky part with BDP is that it doesnt count on selective acks and further optimizations 20:24 < spaces> Apachez ready for bitchslapping ? 20:36 < sammyg> is it possible to do wildcard whois query? 20:55 < detha> sammyg: short answer: no. long answer: if you have EPP access, you can at least emulate it 20:58 < sammyg> epp? 20:58 < detha> when you are a registrar 20:59 < sammyg> extensible provisioning protocol 20:59 < sammyg> right 21:00 < sammyg> detha, so the zone root trick won't work? 21:01 < detha> sammyg: that would be rather unlikely. what are you trying to do? 21:03 < sammyg> right im trying to figure out what this one domain name is 21:03 < sammyg> but i only have a partial name 21:08 < detha> sammyg: google for site:partialname, or maybe see if one of the SSL certificate transparancy sites has search 21:12 < sammyg> right 21:13 < sammyg> there appear to be paid services that can do this 22:50 <+catphish> catf 22:51 <+catphish> err, yeah, ignore me 22:56 < luxio> what modem should I get? 
22:57 < luxio> preferably one with a router 23:00 < BenderRodriguez> luxio: don't buy a modem/router combo 23:00 < luxio> why's that? 23:00 < Epic|> They're generally shit 23:00 < BenderRodriguez> and major security risk 23:00 < Epic|> Buy a real router and a real access point 23:00 < BenderRodriguez> have you not been listening to the FBI announcements? 23:00 < luxio> oh. what modem should i get and what router should i get then? 23:01 < BenderRodriguez> buy a modem, and for a router, I would either recommend EdgeRouter series or Mikrotik -- or perhaps anything that's able to be reflashed with DD-WRT 23:04 < luxio> i can't find a modem that supports gigabit upload and download 23:04 < pekster> dd-wrt, the distro that helpfully and "accidentally" included private customer firewall blanket exceptions into their firmware? ;) 23:04 < vanuatu> tell me more about this dd-wrt thing? got a link? 23:05 < BenderRodriguez> edgerouter I believe can do gigabit forwarding 23:05 < luxio> BenderRodriguez: need a modem though 23:05 < BenderRodriguez> oh 23:05 < BenderRodriguez> maybe your ISP provides one for free? 23:06 < luxio> yeah but i think its a modem router combo 23:06 < luxio> and it's a rental 23:06 < pekster> vanuatu: I used to, but it's on their forums (and my older bookmarks are't accessible.) Suffice to say the buildsystem in dd-wrt is NOT designed for community involvement and as a result gets poor auditing. I'd suggest a more community-driven framework, better yet one you can actually build. OpenWRT is one such example 23:06 < lord|> anyone have some budget open source home router recommendations 23:06 < lord|> I just need at least 2 ethernet ports, wifi, and compatibility with pfSense or VyOS 23:06 < luxio> BenderRodriguez: I need a modem and wireless router that both support gigabit 23:06 < pekster> No one bothers to check that dd-wrt is actually doing the right thing, but people like that it "runs on more hardware" (thanks to blind inclusion of binary blobs.) 
Caveat Emptor 23:06 < vanuatu> pekster: thanks for the info. 23:07 < BenderRodriguez> lord|: any x86 computer 23:07 < lord|> BenderRodriguez: that's the thing, I'm on amazon and I see a bunch of mini PCs with multiple ethernet ports 23:07 < BenderRodriguez> are you want to buy a pre-built or build your own? 23:08 < lord|> I just need a really minimal setup 23:08 < BenderRodriguez> wanting* 23:08 < lord|> pre-built then load my own choice of software onto it 23:08 < BenderRodriguez> well if the small form factor is a must then there are HP thinclients that could fit the bill 23:09 < BenderRodriguez> or microatx barebone PCs 23:09 < LewsThanThree> Anyone here use Unifi on OVH? 23:09 < lord|> size isn't an issue 23:09 < BenderRodriguez> lord|: oh, then just buy some junk parts from ebay and build your own 23:09 < lord|> (I just don't want it to be taking up as much energy as a gaming computer so these mini PCs look like what I want) 23:10 < LewsThanThree> Also, DD-WRT (to jump into the convo) does some stupid stuff. 23:11 < LewsThanThree> Like encrypting page views, so even if it's open source (hasn't been updated in a long time, btw), it's hard to look into what it does. 23:12 < LewsThanThree> Hm, I appear to be wrong on the updated in a long time, the svn was updated by brainslayer today. 23:13 < pekster> But how well are the component parts kept up to date? :). Regardless, big projects benefit from community involvement, support of general developers reviewing and submitting patches. That largely doesn't happen in that project, while it does in others 23:13 < LewsThanThree> Agreed. 23:14 < LewsThanThree> Plus, commit messages like "add some stupid comments regardings ubnt gpl philosophy", "update", "ignore intel shit, since amd does support it as well" 23:14 < LewsThanThree> Lol. 23:14 < BenderRodriguez> pekster: are you referring to dd-wrt? 23:15 < pekster> BenderRodriguez: Yes. 
My older bookmarks aren't available to me now, but I had several "wtf" links demonstrating poor project management/design. Plus their buildsystem (at least used to) include such wonderful language like "some of this you have to figure out yourself" -- I assure you they have their own buildscripts they're not sharing, which is arguably a GPL violation in itself 23:16 < pekster> That project literally does not want people to be building and tweaking the project, by design. Poor philosophy, and it's seen in the types of bugs and security issues they have 23:16 < LewsThanThree> There was mention of GPL issues on the wikipedia, but looks like it got removed at some point. 23:16 < LewsThanThree> The guy is a real asshat. 23:16 < pekster> "if we make it hard to build, no one will see all the flaws we have" 23:16 < lord|> hmm, any cheap single-board computers with wifi and multiple ethernet ports 23:17 < lord|> also, is anything special required to connect to WAN? 23:17 < LewsThanThree> lord|, rasp-pi with USB->Ethernet? 23:17 < LewsThanThree> :P 23:17 < lord|> LewsThanThree: sounds slow 23:18 < LewsThanThree> Depends what you want to do with it. 23:18 < luxio> what do I need to buy to get wifi from this, and to get an ethernet connection to my computer? https://www.verizon.com/home/fios-gigabit-connection 23:19 < LewsThanThree> luxio, that doesn't already provide ethernet? 23:19 < luxio> i dunno 23:19 < luxio> i think you have to rent a modem router combo or something 23:19 < BenderRodriguez> pekster: well let me put it this way 23:20 < BenderRodriguez> it's either dd-wrt or some closed off proprietary firmware which will never ever see an update after a year 23:20 < BenderRodriguez> take any mainstream consumer router and you'll find support sharply drops after a few months 23:20 < lord|> hmm http://www.orangepi.org/OrangePiR1/ 23:20 * pekster doesn't buy hardware that won't run openwrt 23:20 < LewsThanThree> Or tomato! 
23:20 < pekster> Can't beat jffs2 and UCI, IMO 23:21 < BenderRodriguez> I think, at this point, the only decent consumer/enterprise router that I've seen thus far is from Ubiquiti 23:21 < BenderRodriguez> mainly their Edgerouter series 23:21 < LewsThanThree> Agreed. 23:21 < LewsThanThree> We use Unifi for internal networking, and AirGrid for outside networking. 23:21 < LewsThanThree> Excellent devices. 23:22 < luxio> is it really bad to buy a modem router combo? 23:22 < luxio> it is just a home internet connection 23:22 < pekster> Open-firmware support on those tends to be lacking; you're often better off keeping them separate, and makes it easier to upgrade just one component (moden vs router) later 23:22 < LewsThanThree> Not bad, just hard to do advanced stuff with. 23:23 < luxio> what advanced stuff 23:23 < LewsThanThree> Like, I can't bridge my network with my combo here. 23:23 < pekster> If your ISP only offers a combo, you can often put it into "bridged" or "pass-through" mode where your own router still holds the public IP, giving you more control over firewalling, routing, NAT, VLANs, and so on 23:23 < LewsThanThree> ^ 23:23 < LewsThanThree> A combo by itself will just do basic switching and NAT. 23:24 < pekster> And often poorly at that, though it varies a bit 23:24 < LewsThanThree> If you have deeper needs, you'll have to bridge it, if your combo supports it. 23:24 < LewsThanThree> Yep 23:24 < LewsThanThree> I unfortunately have a HG532e, with a bastardized mexican firmware. 23:25 < LewsThanThree> Doesn't even support loopback, where it's american brothers do. 23:25 < LewsThanThree> I can hack it in, using CLI, but it doesn't survive a reboot. 23:28 < luxio> this good? https://www.amazon.com/NETGEAR-Certified-Xfinity-Spectrum-C6220-100NAS/dp/B01N7L06CF/ 23:28 < luxio> just for a home connection 23:28 < luxio> streaming video, downloading files 23:29 < LewsThanThree> Thats a combo. 
23:29 < LewsThanThree> "Modem Router" 23:30 < pekster> I'd check the manual/specs; if it at least supported a bridged setup, you can always opt to supply your own router later 23:31 < pekster> Note that a "DMZ" feature is usually NOT the same as a true bridged configuration 23:31 < pekster> That's more of a marketing buzz-word for default NAT target 23:31 < LewsThanThree> Ive never gotten DMZ working correctly :/ 23:32 < pekster> My DMZ is a separate VLAN on the inside of my border router/firewall ;) 23:33 < LewsThanThree> For a lab setup> 23:33 < LewsThanThree> ? 23:35 < pekster> I have a lab environment too, but no, my DMZ is reserved for more public-facing hardware and VMs, as opposed to internal-only systems like my network-storage, switch management, and so on 23:36 < pekster> Usually in managed networks (my home qualifies here) you split out networks by function so you can filter traffic in meaningful ways between them 23:37 < pekster> My wifi guests can't reach much of anything but the public Internet, so even if I someday buy an IP-thermostat or whatever, it's somewhat protected from any security bugs for example 23:37 < LewsThanThree> Aw ffs. 23:38 < LewsThanThree> Just tried bringing up shell on my router again, looks like they patched it out. 23:38 < varesa> I wouldn't let an IoT thermostat connect to the internet either... 23:38 < pekster> Right, the one I was looking at last year (didn't buy it) had an API so you could control it without it "phoning home" to the company for management 23:38 < pekster> You could _also_ opt in to their managed solution, but it wasn't required 23:39 < LewsThanThree> Gotcha. 23:40 < varesa> IoT! https://twitter.com/internetofshit/status/999619364541394944 23:40 <+catphish> BenderRodriguez: dd-wrt is a proprietary firmware, i don't know why you'd normally use it over openwrt 23:41 <+catphish> dd-wrt doesn't even appear to have had any love for years 23:41 < pekster> varesa: Yup. 
Also related: https://www.reddit.com/r/Iota/comments/6axglx/how_does_iota_help_with_the_huge_iot_security/ 23:43 < varesa> yeah... 23:44 < pekster> I want to see a more federated IoT landscape where users who want can run their own (personal) C&C server internally. Unlikely to happen universally, but maybe higher-end hardware can support that if there's enough market/demand 23:45 < varesa> I tried to make my echo dot control my Hue lights once but couldn't get them to pair 23:45 < varesa> read somewhere that the Hue bridge wants upnp or something like 8080 (or similar) port forwarded to it from the internet. Hell no 23:46 <+catphish> i've often wondered if there was a market for an open source local IOT server 23:46 <+catphish> something compatible with as many devices as possible 23:46 < varesa> aren't there some already? 23:46 <+catphish> but not had time to build it 23:46 <+catphish> there may be, i hope so 23:46 < pekster> Inbound is spooky, but frankly so is phone-home style outbound because without firmware updates (and who knows how long you'll get them, and how well the company supports their "last-gen" stuff) it can still potentially be exploited with remote attacks, MITM, etc 23:46 < varesa> iirc something like openhab and home assistant 23:47 < pekster> I'd be much more OK with possibly-insecure internal devices/firmware if they all spoke through a gateway that was open-source, updated, and I could control, and _that_ acted as a relay to some service that connect to an app on my phone. 
Extra bonus if the crypto from my home gateway box was end-to-end encrypted with a keypair on my phone's app too 23:48 <+catphish> i once wrote an iot phone home protocol, i'm pretty confident it won't get hacked :) 23:48 <+catphish> lets hope not :) 23:48 < varesa> oh no, it seems that the port that the Hue lights want is actually 80 (*and* 3000) 23:51 < detha> catphish: chances of being able to write something 'compatible' are slim - the whole premise of iot things is brand lock-in 23:51 <+catphish> detha: there are definitely some standards and compatible products 23:52 <+catphish> the main one i know about is hue, and that's standrd i believe 23:52 < detha> q the xckd about standards, and 'let's make one encompassing one' 23:52 <+catphish> there's zwave/zigby 23:53 <+catphish> maybe others, some documented, some maybe reverse engineerable / could ask the manufacturer 23:53 < varesa> there are two zigbee standards, ZLL and HA iirc 23:53 <+catphish> they care about selling products, i doubt a compatible base station will lose them many sales 23:54 < varesa> at least one of them is encrypted with some industry secret keys, though I think they leaked at some point 23:54 <+catphish> the big players are already interoperable anyway 23:54 < detha> a lot of them care about 'steady revenue stream' 23:54 < varesa> but generally the way these manufacturers seem to go is that they have to make their own hub that connects to the end devices over whatever protocol and then you interface with the hub 23:55 <+catphish> varesa: yes, but those protocols are (usually) not secret 23:56 < tds> there are a few open source projects that attempt to incorporate lots of different protocols for various vendors and then tie them up into a single api/ui, openhab and home assistant come to mind 23:56 < varesa> still in my limited experience it seems that those protocols are more often than not at least in some way custom 23:56 <+catphish> well glad to hear someone's working on it, i might 
build one :) 23:56 < varesa> so you basically have to support that specific device family/manufacturer, instead of just a device type 23:57 <+catphish> varesa: yeah that seems likely, though i know many bulbs for example are designed to be compatible with hue, so you may be able to target lots of things at once 23:58 < varesa> catphish: that sounds already pretty nice if it's true 23:58 < tds> I started on a similar project a while ago with some ESP8266s, I'm not using that anymore though 23:59 < tds> The sonoff products look very appealing, you can easily flash your own firmware to them, and you don't have to deal with all the 240v level stuff yourself :) 23:59 < varesa> I also had a project with ESP8266s communicating over MQTT with a "hub" that had various applications that received data and left commands --- Log closed Tue May 29 00:00:31 2018