--- Log opened Mon Jun 04 00:00:44 2018
00:10 < spaces> linux_probe how is your IRC life ?
00:11 * spaces waves @ Apachez
00:12 < alabaster> does anyone know now-a-day if GNS3 is better than VIRL
00:18 < spaces> alabaster never heard of VIRL, is it nice ?
00:18 < alabaster> I guess they are both routing and switching emulators
00:19 < spaces> heh you ask something about you don't know what it does ?
00:21 < alabaster> huh? I am starting out yes. But I'm trying to figure out if it is worth spending 200 on a VIRL subscription. Even watching vids I see that they both emulate IOS and equipment
00:21 < alabaster> and other manufacturers' systems
00:22 < alabaster> And spaces have you ever been called obnoxious before or at the very least very ununderstanding??
00:24 <+catphish> alabaster: not used VIRL but personally i wouldn't spend that money without seeing if GNS3 meets your needs first, as it's excellent and free
00:25 < alabaster> Yeah. As spaces just called me out. They all basically do the same thing. You drag and drop hardware and learn the Operating systems and more to learn and manipulate routing and switching correct?
00:25 <+catphish> when i used GNS3 it emulated real cisco router hardware, allowing you to run real IOS, but not switches, it just provided dumb virtual switches to connect the routers together
00:25 < tds> if you don't specifically want to learn about one vendor's stuff, testing in a bunch of linux vms can work nicely as well, just depends on what you want to learn really
00:26 <+catphish> one nice thing is i think GNS3 lets you make linux VMs too and put them in a network with the virtual cisco routers
00:27 < tds> ah, I wasn't aware of that, neat
00:30 <+catphish> wow gns3 has advanced a LOT since i used it, now you can download all sorts of appliances
00:30 < alabaster> so you can do decent switches?
00:30 <+catphish> https://docs.gns3.com/1aQSkL4KyIh-3j-UCeuukj4Wg1VJ7uI-vwcewaUHbjbU/index.html
00:32 <+catphish> also https://docs.gns3.com/1MAdxz0BSEAfGM7tA-w-o3TMmf8XOx7nBf0z6d9nRz_c/index.html
00:32 < alabaster> Dammmmmn. Thanks for those links catphish
00:34 < alabaster> Thanks again catphish. Imma take a break because my head is spinning since I spent all day reading about this stuff.
00:34 <+catphish> good luck :)
00:35 < alabaster> Thanks
00:39 < Apachez> w
01:03 < Pimpernel_> what sort of open source projects do networkers have their eye on?
01:09 < Apachez> pornhub
01:15 < Pimpernel_> god dammit
01:18 < lupine> lispmob
03:01 < gde33> I don't think pornhub counts as networking, dating maybe
03:02 < dogbert_2> bwhahaha
03:45 < spaces> damn why is my shirt not sexy enough for me, God seems to be a DJ and I can't get no sleep because of all these damn issues!
03:46 < spaces> dogbert_2 gimme the medicine for it!
03:53 * dogbert_2 rocks spaces to sleep (with a real rock)
04:04 < spaces> dogbert_2 yeay let's rock 'n roll :D
05:05 < blocky> on linux I have two interfaces, lo, which has 127.0.0.1 bound, and eth0 (enp10s0) which has 10.0.0.170. if i run tcpdump -i lo and ping 127.0.0.1, i see the packets, which makes sense. but i also see the packets if i ping 10.0.0.170. can anyone explain that?
05:12 < VincentHoshino> yep everything you write to the send buffer gets put right back in the receive buffer when the NIC realizes it is addressed to itself
05:15 < VincentHoshino> ohh you are saying you see the packets on lo .. well then the OS figured it out before the NIC :P
05:27 < rewt> kernel does routing before the packets are sent to the nic; any packets destined to self go through lo
05:31 < blocky> cool
05:31 < blocky> i wonder if there are hidden entries in the routing table or if it's something totally separate
05:34 < rewt> there are no 'hidden' entries... you can see everything
05:38 < gentoo> that explains the connection interrupt
05:39 < gentoo> apparently an over the air reroute
05:40 < gentoo> hostile environment with no trust
05:40 < gentoo> not much to do but sit
05:41 < gentoo> marlinc pam doin well?
05:42 < gentoo> the thought is at minimum a tether can be disconnected
05:42 < gentoo> the bios is not trusted
05:42 < gentoo> SMBIOS
05:42 < gentoo> yeah Android
05:43 < Drakonan> anybody use a free dynamic dns service that doesn't nag you each month to make sure your name doesn't expire
05:43 < gentoo> with the wifi chip and it has been apparent something brings it up and down without my command
05:43 < Drakonan> if i'm actively notifying of ip changes there should be no reason to require a human clicking a button
05:44 < gentoo> Drakonan: is this a setup for an advertisement plug?
05:44 < Drakonan> the one i'm using? definitely...
05:44 < gentoo> routers have drop down lists for providers
05:45 < Drakonan> you get nagged to the point that you want to pay the money to make the nag go away
05:46 < Drakonan> mine only has dyndns that costs money now
05:46 < Drakonan> but i have a pi i can install something else on
05:46 < Drakonan> i just need to know a name for a service that just works
05:46 < Drakonan> no-ip is free but nags
05:47 < Drakonan> nevermind you have failed i may have found one
05:50 < varesa> I just use Route53, costs the $6/year. Doesn't nag
05:50 < gentoo> Drakonan: the router isn't going to work with anything else if it isn't built in
05:50 < gentoo> yeah it is more trustworthy to use a paid service
05:50 < gentoo> the credit lines leave a virtual paper trail
05:50 < gentoo> given the scenario there is no trust
05:50 < gentoo> no-ip might steal your wife's liver
05:50 < Drakonan> gentoo, i have a pi i can install anything on
05:51 < Drakonan> it is just vpn and pihole at the moment
05:51 < gentoo> then come and threaten you because you know about the organ harvesting
05:51 < Drakonan> yeah i don't like no-ip
05:51 < Drakonan> it's been working but every time i see the nag i want to spend money
05:51 < Drakonan> and i must stop this before i do
05:51 < Drakonan> this seems interesting
05:51 < Drakonan> http://www.duckdns.org/spec.jsp
05:52 < Drakonan> only thing i don't like is it wants you to sign in with a non-email service provider
05:52 < brianx> dnsexit seems pretty good about not nagging when giving a free subdomain with ddns. most router software has a url option and if dnsexit doesn't have its own entry, the url only is easy enough to use.
05:53 < tds> afraid.org also comes to mind
05:53 < Drakonan> going to try that one i can find how to set it up
05:54 < Drakonan> gives you 5 for free
05:54 < Drakonan> can't think of a reason i'd need more than 1 but
05:54 < gentoo_> Hear anything from vialgent?
05:55 < c50a326> what other than skype gives you a phone number over the internet and is accessible from any country?
05:55 < brianx> dnsexit allows sub sub domains, so effectively no limit to the number of hosts or networks you can configure
05:56 < Drakonan> i should be able to do this with bash pretty easily
05:56 < brianx> i also handle most hosts via a bash script and netcat.
05:57 < gentoo_> c50a326: google and various sip providers
05:58 < Drakonan> oh this is awesome i just need to "get" a page periodically
05:59 < brianx> i was happy enough with their service that i moved several domains there about 10 years back. never looked back. about $2 higher than the cheapest per domain and well worth that.
06:00 < gentoo_> did cogent settle with H.E.?
06:01 < brianx> slow to support new features, they have a focus on reliable.
06:01 < gentoo_> heh moldtelecom
06:01 < gentoo_> seems more like an inverse structure a so called "analogue"
06:01 < gentoo_> such as spirulina
06:02 < gentoo_> the shape fits but it isn't the same thing
06:04 < Drakonan> cool as heck that was super easy
06:06 < gentoo_> Drakonan: dyndns worked looks like dyn now
06:06 < gentoo_> or go with boston
06:07 < Drakonan> just tried that duckdns we'll see how it works but they had a bash script you could do and a howto on how to do it in cron so
06:07 < Drakonan> looks like it updates now i just need to figure out how i was updating the other and stop it
06:07 < gentoo_> yeah it hurts, if anybody wonders
06:08 < gentoo_> divide the nerves into three lines
06:09 < Drakonan> you know funny enough maybe it was complaining because i wasn't updating it... i can't find where i was doing that
06:09 < gentoo_> yeah Jo-Anna crucifixion hurts
06:11 < gentoo_> anybody do any business
06:11 < gentoo_> anything productive?
06:12 < gentoo_> not so likely, most entrepreneur endeavours as of now need to speculate against fraud
06:13 < gentoo_> cobracommand! surprises let me know she cares
06:14 < cobracommand> https://www.bloomberg.com/news/articles/2018-06-03/microsoft-is-said-to-have-agreed-to-acquire-coding-site-github?
06:14 < cobracommand> as a fan of msft, I approve
06:14 < gentoo_> and any president gets excited about nuclear detonations
06:14 < cobracommand> gentoo_ what?
06:14 < gentoo_> how about intermittent tracepathing on biodegenic weapons
06:15 < cobracommand> gentoo_ what are you talking about?
06:16 < cobracommand> star trek?
06:17 < gentoo_> cobracommand: specify
06:17 < cobracommand> and any president gets excited about nuclear detonations???
06:17 < cobracommand> how about intermittent tracepathing on biodegenic weapons???
06:17 < gentoo_> mold telecom
06:17 < cobracommand> what?
06:17 < gentoo_> operation Vialgent Guardian
06:18 < cobracommand> are you just typing random shit?
06:19 < gentoo_> cobracommand: are you baiting or really ignorant?
06:19 < cobracommand> What are you talking about?
06:19 < gentoo_> moldtelecom
06:20 < cobracommand> what does moldtelecom have anything to do with what you said before?
06:21 < gentoo_> the mold is identifiable for tracing biodegenic weapons pathways
06:22 < cobracommand> think I came to freenode at a bad time
06:23 < gentoo_> did you deliver the chip engram?
06:25 < gentoo_> If he be the commander I met.
06:29 < gentoo_> jameser_: do you care to undergo clinical trials for resistant protein builds?
06:30 < gentoo_> I have seen you as kind.
06:32 < gentoo_> Why worry about goo?
06:36 < kbaegis> Did the grey goo apocalypse already happen?
06:36 < gentoo_> Any word from G.E.?
06:38 < gentoo_> kbaegis: If everybody truly knows my name. 'tis so
06:40 < gentoo_> Isn't that paradisical?
06:44 < gentoo_> Where do I find details about my new version of reiser3?
06:47 < gentoo_> /dev/null from the first detonation
06:47 < gentoo_> picking up a cold thread
06:49 < gentoo_> was ManhattanProject the first detonation from Elohiem Genesis
06:49 < gentoo_> this thread wasn't finished
06:54 < gentoo_> Assign Trump a SpecialOperations team to examine the isotopes and theorize.
06:56 < gentoo_> send cobracommand a memo not to be discouraged a laborer is worth his wages
06:56 < gentoo_> SwiftMatt: disconnect ETA 3 min
07:02 < BillyZane> hi
07:03 < BillyZane> my linksys wrt 1900ac v2 keeps having issues with the firmware
07:03 < BillyZane> it works normally for a little while
07:03 < BillyZane> then after 25 minutes, the power light blinks, indicating it is rebooting
07:04 < BillyZane> and then it never gets past post it seems. ethernet connection won't obtain ip, wifi down, i can't access the web server
07:04 < BillyZane> i was originally running dd-wrt on it
07:04 < BillyZane> but after a few reboots, the system went back to the default OS
07:05 < BillyZane> i did a hard factory reset, and the problem still continues
07:05 < BillyZane> now i'm wondering if it's an overheating issue, so i turned it off for a few minutes
07:45 < nojeffrey> We are getting a 50/50 fiber internet upgrade, Telstra installed the NTU, and our ISP has supplied a Cisco 4300, is this 4300 needed if we have Fortigates already?
07:57 < dminuoso> nojeffrey: What does having a router have to do with having a firewall?
08:06 < nojeffrey> dminuoso The fortigates can do routing, no?
08:07 < nojeffrey> I want to know if I need the 4300, or can I bypass directly and go NTU > Fortigates
08:07 < dminuoso> nojeffrey: What kind of network is this? An internet connection? Some point-to-point connection? Some other bizarre thing?
08:07 < dminuoso> nojeffrey: Maybe ask the ISP? Without knowing what this 4300 is configured to do, it's *really* hard to say
08:08 < dminuoso> Who has control over that thing?
08:08 < nojeffrey> I tried to get in over console, but I don't know the pass
08:09 < nojeffrey> to the 4300
08:11 < detha> nojeffrey: find out from the ISP what it does, sometimes ISPs supply gear under their control to chop things into vlans for QoS or similar, if it is doing nothing like that no reason you shouldn't throw it out (or throw the fortigates out)
08:13 < dminuoso> We supply routers to control QoS.
08:14 < dminuoso> Also, who cares that there's a 4300 in the way. As long as it's the ISP's and they maintain it..
08:14 < nojeffrey> It's a fiber internet connection, our last XHDSL connection only had one port out, so we had to install a switch between the router and fortigates last time to properly split and get HA working on Fortigates
08:14 < dminuoso> In a way you could say that the 4300 is the ISP's demarcation point.
08:15 < nojeffrey> So we asked when we went to upgrade can we have something that has more than 3 ports
08:15 < nojeffrey> i see
08:15 < azonenberg> Soooo
08:15 < azonenberg> i'm trying to do some simulation on layer-2 switch queue sizes
08:15 < azonenberg> Trying to think if there's any point in modeling the queue as being bytes/words
08:16 < azonenberg> Or if it makes more sense to pretend that the queue is actually just X packets in size
08:16 < azonenberg> and a smaller packet wastes space
08:19 < detha> That would depend on how queuing is done I guess, there are 3 basic ways: full dynamic allocator, packet takes exactly as many bytes as needed; fully static, every packet takes one slot of max size; buckets, packets 0-64 take 64, 65-128 take 128, etc.
08:19 < azonenberg> detha: This is the design phase for a future switch fabric
08:19 < azonenberg> so i guess i should probably make it more detailed
08:20 < azonenberg> and model word-wide
08:20 < detha> I wouldn't want to implement malloc() in an asic. So buckets, or static. If you want to support jumbo, static becomes ridiculously wasteful......
08:20 < azonenberg> detha: so, the way i was planning to build it (on an fpga)
08:21 < azonenberg> was to have a separate chunk of ram dedicated to each port's queue
08:21 < azonenberg> And then have that ram be a packetized FIFO
08:21 < azonenberg> basically you have 3 operations... push, pop, and commit
08:22 < azonenberg> When you push the data isn't readable by the pop end until you commit (i.e. checksum is valid)
08:22 < azonenberg> Then either in- or out-of-band you store the length of each packet
08:22 < detha> single queue per port, or multiple queues so you can do QoS ?
08:22 < azonenberg> This is an FPGA so i can tweak over time
08:22 < azonenberg> But the initial plan is a single queue
08:23 < azonenberg> The use case of this switch is mostly a personal learning/fun project, as well as to replace the aging EOL'd ciscos i currently have in production in my home office/lab
08:23 < azonenberg> I will be moving lots of data (potentially a couple of 10G or, in the next hardware rev, 40G flows going on at a time)
08:23 < azonenberg> But it will mostly be a small number of flows with very high bandwidth
08:23 < azonenberg> We're talking one TCP stream pushing 10-40 Gbps
08:24 < azonenberg> between various lab instrumentation and my workstation mostly
08:24 < azonenberg> So i don't really see a benefit to QoS there
08:25 < azonenberg> there will be the usual low bandwidth internet stuff but all of the performance-critical stuff is also massive bandwidth and most of the data is going to one of two desktop PCs
08:25 < detha> To make it extensible, maybe implement it as 'a queue is a list of begin/end addresses in memory'. Then you can decide how to allocate those addresses, maybe starting from just 'one size fits all' with a bitmask free list, later something fancy where you can use up to 80% of mem for one port
08:26 < azonenberg> that would be a lot more work and probably be delayed until i implemented layer-3 capability
08:26 < azonenberg> To start i'm just gonna have a single circular fifo per port
08:26 < azonenberg> The big question is how big to make it?
08:26 < azonenberg> Which is why i'm doing some modeling
08:26 < detha> big enough to handle a microburst...
08:27 < azonenberg> So, the current plan is to have the fabric be a 28-port crossbar, 64 bits wide @ 156.25 MHs
08:27 < azonenberg> MHz*
08:27 < azonenberg> Which is 10G line rate
08:27 < Apachez> all your opensource is belong to microsoft https://www.bloomberg.com/news/articles/2018-06-03/microsoft-is-said-to-have-agreed-to-acquire-coding-site-github
08:27 < azonenberg> 1G ports will have tiny input queues since the fabric will eat data up as fast as you can supply it
08:28 < azonenberg> 10G ports might need larger since the fabric can potentially stall for a packet or two handling a broadcast from another interface or something
08:28 < Apachez> only time you need larger buffers is if you try to push more hosts than the uplink can deal with
08:28 < azonenberg> Then 10G output ports will have tiny exit queues because they pop as fast as you push
08:29 < azonenberg> might just be a few words of data, enough to compensate for latency in the datapath
08:29 < Apachez> 10x1G clients over 10G uplink needs 0 bytes in buffers (or well a single packet then if you do store-and-forward)
08:29 < detha> difficult to say. it depends on what flows go through it. 20 1G flows will still saturate a 10G uplink
08:29 < azonenberg> 1G output ports will need larger exit queues to handle bursts of packets coming in on the 10G ports
08:29 < Apachez> 11x1G clients over a single 10G uplink, now your buffers will start to kick in but only if all 11 clients start to push traffic
08:29 < azonenberg> Apachez: you're looking at this model a bit wrong
08:29 < azonenberg> So, the eventual plan for my network is a 2-tiered tree
08:29 < Apachez> nope
08:30 < azonenberg> how do you handle 10G clients? :0
08:30 < Apachez> again look at what I said
08:30 < azonenberg> At the root there's a core switch with a bunch of 10G and 40G interfaces
08:30 < azonenberg> 1-2 40G to my workstation, the rest of the 40G ports to lab instrumentation
08:30 < azonenberg> Then a couple of 10G pipes to the edge switches
08:31 < azonenberg> The edge switches (what i'm designing now) have four 10G optic and 24 1G copper ports
08:31 < azonenberg> The 10G will be a mix of uplinks and connections to high-bandwidth hosts
08:31 < azonenberg> (my workstation before i get the core switch, the file server, etc)
08:32 < azonenberg> The majority of traffic will be from my workstation to everything else and back
08:32 < azonenberg> There will be some between lab instrumentation
08:32 < azonenberg> some to the internet from various hosts
08:32 < azonenberg> and some from various other things like the wifi or my wife's pc
08:33 < azonenberg> Most high-bandwidth flows should be TCP which will self-regulate if links go over capacity
08:36 < azonenberg> So IMO the big concern is a couple of different endpoints sending to the same host at the same time
08:37 < detha> in that scenario, I would probably put most buffers on the 1G ports, you will have multiple flows coming in from the 10G uplink to one workstation
08:39 < detha> each flow may regulate itself, but you will still need at least one frame per flow worth of buffer
08:40 < azonenberg> Yes, that was my thought
08:41 < azonenberg> The 1G output queues need to be large
08:41 < azonenberg> My workstation is going to be on a 10 or 40G port so that link should not bottleneck
08:41 < azonenberg> i'm more worried about what i'm talking to :p
08:41 < azonenberg> This is also a fairly low latency LAN without too many hops
08:42 < azonenberg> I have sub 50 us round trip time to a lot of stuff right now and sub 250us to almost everything
08:43 < azonenberg> My tentative thought for the moment is to have maybe 2 KB of buffer (one packet) on the 10G ports, i may make that down to a few hundred bytes depending on how much pipeline delay etc i have (there needs to be some buffer to do rate matching)
08:43 < azonenberg> And then somewhere around 16-32 KB on the 1G ports
08:44 < detha> that sounds like sane numbers. still, you gain a lot of flexibility if you don't assign memory per-port, but only queue headers
08:45 < azonenberg> The memory is spatially distributed throughout the chip
08:45 < detha> ah, ok
08:45 < azonenberg> performance would severely suffer if i shoved it down to a single bus
08:45 < azonenberg> The FPGA i'm using has a total of 650 SRAM blocks each 2KB in size
08:45 < azonenberg> Each with separate address/data ports (they're actually dual port so i can read and write simultaneously)
08:45 < azonenberg> So 1300 KB available for buffers, mac address table, and other miscellaneous stuff
08:46 < azonenberg> I'm also going to have, tentatively, a single 36-bit QDR-II+ hanging off it
08:46 < azonenberg> That does not have the bandwidth to do queues for all ports but if i needed to enlarge queue size on, say, the 1G exit queues only i could shove it in there i think
08:46 < azonenberg> the external ram is kinda insurance in case i need more capacity for something, it's cheaper to put the footprint on there than respin the board
08:46 < azonenberg> I don't currently plan to use it
08:47 < azonenberg> But it's early enough in the design process that may change
08:47 < azonenberg> Most of my work to date has been on the line card PCB because that's pretty well defined, it's just eight SGMII PHYs, an 8-port RJ45, and support parts
08:47 < azonenberg> http://thanatos.virtual.antikernel.net/unlisted/latentred-27.png
08:48 < azonenberg> Three of those will connect via a backplane to a "brain" board with an arm soc for the CLI, the FPGA, and the SFP+s
08:49 < azonenberg> what i might do is have an "overflow" queue in the QDR-II+
08:49 < azonenberg> that can be used by any port on a best-effort basis if the hardware-dedicated queue is full
08:49 < azonenberg> But it can't keep up with all ports at once
08:50 < azonenberg> Thoughts on that?
08:51 < azonenberg> This would allow a single microburst up to 36 Mbit before i have to drop packets
08:51 < detha> it complicates things, but yeah, one could.
08:52 < azonenberg> Basically you'd have some kind of metadata queue in on-chip memory that lets you know that there's a packet waiting for you in the overflow buffer
08:52 < azonenberg> then you'd pop from that instead of the hardware queue
08:52 < detha> I can see that going to reorder packets
08:53 < azonenberg> I think that could be easily mitigated by having a timestamp in the metadata
08:53 < azonenberg> the fabric runs in a single clock domain
08:53 < azonenberg> There will be small clock domain crossing fifos at the inputs to the fabric
08:53 < azonenberg> then larger cross-clock fifos for the exit queues
08:54 < detha> that would work. I think.
08:54 < azonenberg> But the fabric itself is a single clock so i can put a cycle-accurate timestamp in the queue header
08:54 < azonenberg> And always pop the oldest packet
08:54 < azonenberg> i.e. either the one in the hardware fifo or the overflow
08:54 < azonenberg> The RAM i'm throwing on now is 36 Mbit of QDR-II+, 36 bits wide @ 550 MHz DDR so 39.6 Gbps each way of raw bandwidth
08:54 < azonenberg> Not enough to match the 64 Gbps of total interface bandwidth, so i can't replace the internal queues
08:55 < azonenberg> (I don't have enough pins on the chip to throw a second bus on)
09:31 < AlVal> I have a netgear r7000 as my home router. I want to be able to block ads and exercise tight control over the 3x chatty samsung tvs in the house. Stock firmware offers poor options (can't natively add block lists). I've given up on advancedtomato (port forwarding simply didn't work, firewall insisted on dropping all incoming requests), tried freshtomato firmware also (wan interface refused to recognise the isp PPPoE connection)
09:32 < AlVal> so went back to stock now on that router. tried pi-hole on raspberry pi, finding it quite buggy from the outset, and not overly enamoured at needing the extra device.
09:32 < AlVal> so there always seems to be a new trend on home routing OS/firmware - what are the current opinions?
09:34 < mrtnt> I have an application which creates a lot of network interfaces under Linux. Some of those are bridges. I can find those with brctl or with "sudo grep -r bridge /sys/class/net/* 2>/dev/null". However, how can I see the type of those other network interfaces? According to "ip l add help" there are 19 possibilities.
09:35 < AlVal> what do people think about the broadcom chipset and the fact that either the lack of FLOSS support means slow speeds on open-source, or using some blob binary driver which ddwrt got under an nda or something - does that feel shady? (not sure whether this screams some sort of security concern, or whether they may have good reason for their approach)
10:27 < hunderto> hi
10:27 < Atro> hi
10:27 < nobody_404> hi
10:28 < hunderto> do i need to filter my bridge if no interface on it has an ip address?
10:30 < hunderto> i mean to prevent the bridge device itself from being hacked
10:31 < detha> only if you want to prevent anybody from selling the bridge when you are not looking.
10:31 < nobody404> hmm
10:31 < Atro> lol
10:33 < Krisostoomus> https://imgur.com/a/kMTEtfm
10:34 < hunderto> sorry, did not get the joke
10:34 < hunderto> so the answer is yes, no, maybe?
10:34 < nobody404> yes
10:34 < nobody404> of course you need to filter your bridge
10:34 < hunderto> ok
10:35 < detha> default deny says 'if you are not interested in any traffic on the bridge, drop it'
10:36 < detha> that said, that is a rather high paranoia level
10:39 < hunderto> well yes probably
10:41 < hunderto> i'm asking because i accidentally used "ebtables -I INPUT -p IPV4 -j ACCEPT" when i wanted to use it on the FORWARD chain
10:41 < nobody404> iptables?
10:41 < hunderto> no ebtables
10:42 < hunderto> it's iptables for bridges on layer 2
10:42 < jarlopez> I've got a multithreaded server/client where the client spins up a few TCP connections to the server, who starts streaming fixed-size data buffers to the client. I expected each connection to transmit data at the same rate (1Gbps/num_conns), but the clients are showing that some connections dominate. Does anyone have any insights about this behavior?
10:43 < TotallyNotKim> jarlopez: hard to say without seeing how the clients are programmed
10:43 < TotallyNotKim> could be any number of reasons
10:45 < Apachez> aliens
10:45 < Apachez> ghosts
10:45 < TotallyNotKim> Apachez: weissbrot
10:46 < hunderto> maybe packets are dropped when a buffer is full or something like this
10:46 < Apachez> jarlopez: congestion protocols fighting each other?
10:46 < Apachez> jarlopez: look at how cubic behaves when others start to use the bandwidth https://blog.apnic.net/2017/05/09/bbr-new-kid-tcp-block/
10:47 < Apachez> but yeah dropped packets can cause all sorts of bad behaviour
10:47 < Apachez> so verify that your app really is polling the queues fast enough
10:47 < detha> maybe something CPU-bound, maybe too small buffers, maybe earthrays
10:48 <+pppingme> don't forget gremlins
10:48 < hunderto> have you tried running clients and server of the same host?
10:48 < hunderto> *on
10:49 < jarlopez> The connections have streams multiplexed over them driven by credit-based flow control, so the producing server is only producing when there is available credit
10:49 < jarlopez> hunderto: Only to verify correctness, not for throughput metrics
10:50 < detha> ah. now you have two interacting mechanisms, TCP flow control and the credit mechanism
10:50 < detha> See what happens if you tune the credit mechanism to load the link at, say, 800Mb/s
10:51 < Apachez> probably missed overhead or such?
10:51 < Apachez> 1Gbps doesn't mean you can push 1Gbps of payload
10:51 < Apachez> it means 1Gbps onto the wire
10:51 < Apachez> where you then have l2 header, l3 header, l4 header etc
10:52 < detha> Different control mechanisms can interact in weird and wonderful ways. See also the TCP-over-TCP document
10:52 < Apachez> I didn't count the l1 header since that 1Gbps link is actually 1.25 (or so) Gbps if you look at the wavedistribution
10:53 < hunderto> mostly weird ways i would assume
10:55 < jarlopez> I initially assumed that it was the green-thread executor (Rust's tokio) that was letting certain connections win races more often, but the dominance is consistent for the 60s runs I was doing
10:55 < Apachez> 20 bytes (minimum) for v4
10:56 < Apachez> + 20 bytes (minimum) for tcp incl port
10:56 < Apachez> and 18 bytes for l2
10:56 < Apachez> and 4 bytes for vlantagging (802.1q)
10:57 < Apachez> so 1522 maxsize (without jumbos) on a regular packet
10:57 < Apachez> 1522*8 = 12176 bits
10:57 < Apachez> 1 000 000 000 / 12176 = 82128 pps
10:58 < Apachez> so we had 20+20+18+4 bytes waste, that equals 62 bytes or 496 bits for every packet sent
10:58 < Apachez> 40 735 488 bps is just headers for your 1Gbps link
10:59 < AlVal> I have a netgear r7000 as my home router. I want to be able to block ads and exercise tight control over the 3x chatty samsung tvs in the house. Stock firmware offers poor options (can't natively add block lists). I've given up on advancedtomato (port forwarding simply didn't work, firewall insisted on dropping all incoming requests), tried freshtomato firmware also (wan interface refused to recognise the isp PPPoE connection)
10:59 < AlVal> so went back to stock now on that router. tried pi-hole on raspberry pi, finding it quite buggy from the outset, and not overly enamoured at needing the extra device.
10:59 < AlVal> so there always seems to be a new trend on home routing OS/firmware - what are the current opinions?
10:59 < Apachez> so payload wise you can max send 959 Mbps on a 1Gbps link
10:59 < Apachez> so if your buffersystem assumes it can send 1Gbps over this 1Gbps link (which actually can push max 959 Mbps of payload) you will get dropped packets
11:00 < AlVal> pfsense? try another firmware on the r7000 like ddwrt or something, i hear edgerouter x or something mentioned a lot also.
11:00 < Apachez> 4% packetdrop
11:00 < Apachez> AlVal: I would go for edgerouter X or similar
11:00 < hunderto> LEDE (new openwrt) could also be an option
11:01 < Apachez> there are newer models edgerouter 4 and edgerouter 6 which might be an option depending on the throughput you need
11:01 < Apachez> dunno if the ER4 and ER6 are fanless
11:01 < AlVal> hunderto: I'm not sure if LEDE has the broadcom dodgy driver
11:01 < Apachez> and then use a dedicated ap if you need wifi
11:01 < jarlopez> Apachez: Hm I see. Is it not safe to assume TCP's flow control would work to prevent that sort of consistent packet drop?
11:02 < Apachez> regarding microsoft acquiring github: https://scontent-otp1-1.xx.fbcdn.net/v/t1.0-9/34346961_2114024378610929_6879179831590780928_n.jpg?_nc_cat=0&oh=e8d1dc04d14e775aaa1af1b6ab303156&oe=5B821D5B
11:02 < AlVal> I also have a raspberry pi latest model 3b+ lying around since abandoning pi-hole, but don't suppose it would be much use as a router
11:02 < AlVal> as I'd be reliant on usb for the second network port
11:02 < Apachez> jarlopez: sure that's what the congestion method you selected will deal with
11:02 < Apachez> but if you look at my link
11:03 < Apachez> https://blog.apnic.net/2017/05/09/bbr-new-kid-tcp-block/
11:03 < Apachez> various congestion protocols behave differently when packets are being dropped
11:04 < Apachez> look at figure 8 for example how cubic shit itself when there was competition
11:04 < Apachez> so in your case you need to figure out what's really happening
11:04 < Apachez> are you missing packets?
11:04 < Apachez> and because of that congestion control kicks in and everything goes south since you have your buffersystem which just ignores this and continues to push traffic?
11:05 < Apachez> if its the case as you described earlier that the first streams go full speed but the others die out then its most likely some timing error in your software 11:05 < AlVal> I need 1x wan port, and 9 lan ports. I have a beast of a big media server in the loft, but the throughput limiting factor will probably be the ability of the network card/interface on the samsung tvs it streams to in the house 11:05 < Apachez> like it deals with the first packets but then it like fades out to correctly take care of all packets, so the packet becomes dropped 11:05 < Apachez> and tcp resend kicks in 11:06 < Apachez> AlVal: so sound is not an issue? 11:07 < AlVal> Apachez: I doubt there's a router that could drown out the 2x dell md1000 disk trays at full whine up there hahaha 11:07 < AlVal> I know I should put it all in one of those expensive climacab air conditioned and hepa 12 air filtered cabinets, but it has a surprising ability to withstand serious summer heat up there 11:08 < Apachez> https://www.ubnt.com/edgemax/edgerouter-4/ 11:08 < Apachez> https://www.ubnt.com/edgemax/edgerouter-6p/ 11:08 < jarlopez> Apachez: Thanks for the detailed responses. The writer only buffers its next frame when the connection's epoll readiness indicates ready to write, and even so the connection writer only proceeds to do so when woken up by the readiness event 11:08 < Apachez> and then the 24 int lite switch which is also fanless https://www.ubnt.com/edgemax/edgeswitch-lite/ 11:08 < AlVal> Apachez: then I end up with 3 devices. 
separate router, switch and wireless ap 11:08 < Apachez> yup 11:09 < Apachez> the thing is that you place the ap where its needed 11:10 < AlVal> Apachez: hmm well that's a fair point, I should learn how to conduct a wireless survey 11:10 < Apachez> I prefer the tplink 810 models but your mileage may vary: https://www.tp-link.com/se/products/details/cat-9_TL-WR810N.html 11:10 < Apachez> https://www.tp-link.com/se/products/details/cat-9_TL-WR902AC.html 11:10 < Apachez> or go with the ubiquiti ap's if you need more wireless performance 11:11 < Apachez> and then you needed 9 interfaces and edgerouter only has 8 max 11:11 < Apachez> so get a 24 int switch 11:11 < Apachez> and then the edgerouter itself, its the same hardware in the 4 and 6P model 11:11 < Apachez> so unless you need more routed interfaces I would go for the 4 model 11:11 < Apachez> but ER-X is most likely good enough for your needs anyhow 11:12 < Apachez> so the edgerouter becomes router/firewall (fanless) 11:12 < Apachez> switch becomes, well, switch (fanless) 11:12 < Apachez> and the ap (how many you might need) becomes AP's 11:14 < AlVal> hmm I can live with 8, or is that 8 including the wan port 11:20 < refeaime> Hello 11:20 < Apachez> its including the wan port 11:21 < Apachez> so if you are fine with that and noise is not an issue then go for the edgerouter pro 11:21 < Apachez> or the edgerouter infinity if you need 10G interfaces :) 11:21 < refeaime> Can someone help me with raspberry pi? I have 3 AP in one domain, with all roaming features setup. But... Raspberry does not switch to new AP AT ALL. 11:21 < Apachez> ERPRO goes for $600 or so 11:21 < Apachez> the infinity goes for $1500 I think 11:22 < refeaime> I can see that with iperf3. I run the test and just waiting till rPi3 will switch AP. 11:22 < refeaime> And it does not. 11:22 < cnf> Apachez:i need 10G but NOT at that price... 11:22 < cnf> so "need" i guess :P 11:22 < refeaime> wtf? What am i doing wrong? 
wpa_supplicant config is most simple. There are only 2 lines. SSID and key. 11:23 < Apachez> cnf: that is fairly cheap compared to some other vendors 11:23 < cnf> sure 11:23 < Apachez> also taking into account that edgerouter series can deal with full internet bgp tables 11:23 < Apachez> multiple at once 11:23 < Apachez> and loads them faster than juniper MX boxes :D 11:23 < cnf> my ERL needs replacing, though 11:24 < cnf> it can't handle my loads, and it crashes due to overheating regularly 11:24 < Apachez> whats your need then? 11:24 < Apachez> go for the ER4 ? :) 11:24 < Apachez> 3.4 Mpps 11:24 < Apachez> 4Gbps throughput 11:24 < cnf> eh, it does allright, as long as I don't have the packet classifier turned on 11:24 < cnf> turn that on, and i get maybe 50mbps throughput 11:25 < cnf> Apachez: yeah, been considering the 4 or 6 11:25 < cnf> i do wonder how it'll do with the packet classifier turned on 11:37 < Reventlov> Oh hi. 11:38 < Reventlov> https://ptpb.pw/Dxl7.pcap, I'm trying to understand this pcap log. It's obtained through the use of a RTL8812AU usb adapter, in monitor mode. I'm running an experiment on an open network between a computer and an access point, running Iperf 11:39 < Reventlov> Everything is fine, until packet 329: it seems I lose all the « Non-ack » packets 11:39 < Reventlov> I still get the block ack, and I do not know why; any idea? 11:39 < Reventlov> (packets are truncated, actual content is not useful) 11:47 < fluctuation> Hello 11:48 < fluctuation> Anyone who could help with wireshark? 11:56 < Reventlov> fluctuation: yeah, ask 12:01 < fluctuation> Reventlov 12:01 < fluctuation> I'm doing an experiment to show how packet sniffing is done for school 12:02 < fluctuation> Do you know an easy example I could do 12:02 < Reventlov> Well, does your school have open (as in « no encryption ») networks ? 12:02 < fluctuation> yes 12:02 < Reventlov> Also, do you have hardware that supports monitoring mode? 12:02 < fluctuation> promiscuous mode? 
12:02 < Reventlov> Also, do you use Linux? 12:03 < Reventlov> Yeah, same 12:03 < fluctuation> no 12:03 < fluctuation> windows 10 wireshark only 12:04 < Reventlov> hm. Well, then, what you could do is simply launch wireshark and show how many times Windows 10 « calls home » by counting packets 12:04 < fluctuation> Reventlov okay 12:04 < fluctuation> Any example where I could decrypt messages? 12:04 < Reventlov> Or what you could do is show how to debug some client implementation that is buggy (some http client, for example) 12:05 < dminuoso> fluctuation: decryption is usually not possible or rather complicated. pick a scenario without TLS. 12:05 < Reventlov> If you want to decrypt messages, then you'll need something to decrypt. So either TLS/SSL ( https://wiki.wireshark.org/SSL ) 12:05 < dminuoso> In case of TLS its usually impossible. 12:05 < fluctuation> uhm 12:05 < fluctuation> what about HTTP? 12:05 < fluctuation> Any HTTP messaging? 12:05 < Reventlov> well, http is not encrypted 12:05 < Reventlov> (https is) 12:06 < fluctuation> okay then no decryption 12:06 < fluctuation> A way to capture messaging of someone 12:06 < Reventlov> with Windows 10, I don't know. With Linux and a promiscuous supporting adapter, it's easy. 12:09 < fluctuation> hmm 12:09 < fluctuation> okay 12:09 < fluctuation> But do you know of any HTTP email apps? 12:09 < fluctuation> Reventlov 12:29 < djph> fluctuation: "HTTP email..." what? 12:30 < djph> fluctuation: http and email are two separate protocols ... 12:34 < TandyUK2> dminuoso: TLS is easy to decrypt with the proper pre-requisites (Ie your own CA, trusted by the target machine, and a complete log of the TLS handshake) 12:34 < TandyUK2> and ofc a MITM proxy to do the actual capturing 12:35 < djph> TandyUK2: oh come on now, that's not a point-and-drool setup. 
No one's ever gonna do that 12:36 < TandyUK2> TLS session Proxy then terminates the session, and re-encrypts as TLS using a cert issued by your CA, and sends it on to the target machine, who trusts your CA 12:36 < fluctuation> djph sorry 12:36 < fluctuation> I'm doing an experiment with wireshark 12:36 < fluctuation> my friend is sending unencrypted IRC messages 12:36 < djph> fluctuation: ah; I obviously missed some setup :) 12:36 < fluctuation> but i can only see the ones he's sending to me. 12:36 < TandyUK2> where are you logging this data from? 12:37 < dminuoso> TandyUK2: Im fully aware of this. 12:37 < TandyUK2> from the switch port his pc is connected to hopefully 12:37 < dminuoso> TandyUK2: And thats a mighty amount of requirements. 12:37 < fluctuation> From public school wifi 12:37 < TandyUK2> not really, its about an hours work to set it all up 12:37 < fluctuation> I set wireshark to promiscuous mode 12:37 < fluctuation> does that mean I get all networking in my school wifi? 12:37 < dminuoso> TandyUK2: *shrugs* I cant sniff any traffic 12:37 < TandyUK2> on wifi youll still only see your machines traffic 12:38 < dminuoso> because Im forced to use Fortishit VPN 12:38 < TandyUK2> unless its incredibly badly configured 12:38 < djph> ^ 12:38 < fluctuation> What should I use to do the experiment? 12:38 < TandyUK2> i would seriously hope a school has 'client isolation' enabled 12:38 < fluctuation> I need promiscuous 12:38 < TandyUK2> fluctuation: a cable, and a proper managed switch would be ideal 12:39 < djph> TandyUK2: we didn't. But then again, it was college; and there was a semi-good reason for it at the time 12:39 < fluctuation> you cant get networking from wifi? 12:39 < djph> wifi doesn't operate the same way that wired does 12:40 < fluctuation> true 12:40 < fluctuation> So I cant do this stuff via WiFi? 12:40 < fluctuation> you can't packet sniff wifi? 
12:41 < TandyUK2> you can, but only YOUR packets 12:42 < fluctuation> how can I sniff my friends packets 12:42 < fluctuation> in my own mobile hotspot for example 12:45 < TandyUK2> using a cable and a switch, and monitor/mirror your friends port 12:45 < TandyUK2> how exactly depends on the switch 12:45 < TandyUK2> same goes for wifi, monitor/mirror the port the AP is attached to 12:46 < TandyUK2> NFI how youd do it with a hotspot 12:48 < fluctuation> I really need WiFi 12:49 < fluctuation> TandyUK2 12:51 < nobody404> then goto starbucks if you need wifi 12:52 < fluctuation> no i dont 12:52 < fluctuation> i need to monitor all packets in an open wifi 12:53 < nobody404> maybe u can use ettercap tool 12:55 < OliverUK> In IPSec, do you need phase 2 to be encrypted seeing as it is within the phase 1 tunnel anyway? 13:04 < plasmoduck> I stay in a share house where I don't have admin access to the router, I have to give the owner the IP of any device I wish to access the internet which is a pain in the ass and he is going to start asking why I need so many devices connected, So my question is, is it possible to have multiple devices connected under 1 ip on his router? like have a box connected to the router via wifi, then have a switch connected to that box with ethernet 13:04 < plasmoduck> and connect all my other devices to the ethernet switch and tell the box/switch to assign the ips to my devices. That way he only sees 1 ip device connected to his router. Is this possible? Or am I dreaming? 
13:09 < light> plasmoduck: tell him about dhcp 13:09 < light> you don't want double nat 13:10 < nobody404> yes thats possible 13:11 < hugge> asd 13:13 < nobody404> of course you can configure dhcp-server in that router if you have admin access 13:14 < Reventlov> plasmoduck: yeah, it's totally possible 13:15 < Reventlov> and doable, and done multiple times, let me find you some doc 13:16 < light> sounds like an xy problem though 13:16 < light> just fix your room mate 13:17 < Reventlov> What you want is this: https://openwrt.org/docs/guide-user/network/routedclient 13:17 < TandyUK2> double nat is evil, avoid it at all costs (or get your admin to route a single PUBLIC ip to you, for your router to use) 13:17 < Reventlov> light: the owner might do mac whitelist 13:17 < Reventlov> that's why he is asking for the IP address of every single device, to then look which mac the device has, and white list it. 13:18 < plasmoduck> Reventlov, thanks 13:19 < Reventlov> plasmoduck: if you buy a tp link to put openwrt on it 13:19 < Reventlov> it's easy using the LuCi web interface 13:19 < light> or just use your words and ask him to cut out this nonsense 13:19 < nobody404> yeah, well documented in openwrt.org 13:19 < Reventlov> light: whitelist of mac address is not really nonsense 13:19 < light> it's retarded for a share house 13:20 < Reventlov> it's a security measure. 13:20 < light> it's daft 13:20 < djph> ^ 13:20 < Reventlov> Well, think what you want, but having a list of authorized devices, that you can revoke when you want, it's pretty nice. 13:20 < djph> unless, ofc, the "whitelist" is some kind of "oh, just skip the need for a new voucher" type system 13:20 < Reventlov> Of course, you can still change mac addresses and so on, 13:21 < djph> I've seen places with "shared" wifi do that. Tenants mac addresses were known, and did radius-assigned VLANs to get them off the "public limited-access" wifi 13:22 < Maarten> lol white listing mac addresses is not a security measure. 
Mac addresses are easily sniffed over wifi and can be spoofed. If you want to be somewhat secure, ditch WPA2 and get a radius server. Radius authentication is still encrypted and at this moment still considered secure. 13:22 < Reventlov> also helps with static dhcp leases, and the day Police ask to know who did what at which point 13:22 < Reventlov> Maarten: yeah, and how many percent of people know how to change mac addresses ? 13:23 < djph> enough :) 13:23 < Maarten> Reventlov, the percentage that wants to get in your network.... 13:23 < Reventlov> yeah, enough, but each security measure is associated with a threat model 13:23 < Reventlov> you saying « lol no it's not a security measure » because it does not stop everyone is dumb. 13:23 < Reventlov> !bailout 13:23 < fluctuation_> hi 13:23 < light> hi 13:24 < cnf> counting on clingfilm to stop people entering your house is dumb 13:24 < fluctuation_> I have tried installing npcap in wireshark to monitor all data in wifi 13:24 < cnf> sure, it'll stop casual people wandering in 13:24 < fluctuation_> but monitor tab says "----" 13:24 < djph> no, it's at best security-by-obscurity. 13:24 < cnf> but it does NOTHING to stop anyone that wants to 13:24 < fluctuation_> anyone who could help? 13:24 < Reventlov> (and btw, most of the people that think wpa2 and radius are secured are wrong, not with the one that works on Linux/Mac/Windows) 13:24 < djph> fluctuation_: what'd you break now? 13:24 < djph> Reventlov: if you're talking about krack, that was sorted months ago 13:24 < fluctuation_> Nothing it's just an experiment 13:24 < Reventlov> not about that 13:25 < Reventlov> I'm talking about real world people connecting to real world radius, with username and passwords 13:25 < Maarten> Reventlov, someone that is smart enough to know how to get around the WPA2 flaws can also spoof your mac address. 13:25 < fluctuation_> djph can you follow what I'm doing ? 
13:25 < Reventlov> mschapv2, ntlm hashes, people not checking the ca certificate 13:25 < Reventlov> people not checking the domain 13:25 < Reventlov> Maarten: yeah, indeed! 13:25 < djph> fluctuation_: sorry, I had a phone call, and missed a bit of the conversation 13:25 < Reventlov> My point is: associate each security with a threat model. It's not because it doesn't stop everyone it's not a security measure. 13:25 < fluctuation_> djph I wish to read unencrypted IRC messages of my friend 13:26 < fluctuation_> as an experiment 13:26 < Reventlov> « lol white listing mac addresses is not a security measure » is just wrong. 13:26 < fluctuation_> But I can't monitor all packets in the WiFi 13:26 < cnf> and some are just stupid 13:26 < djph> fluctuation_: exactly 13:26 < fluctuation_> how do I monitor all packets 13:26 < Reventlov> fluctuation_: step 1: get linux 13:26 < Reventlov> step 2: get a promisc ready adapter 13:26 < fluctuation_> it's a school wifi, is this a problem? 13:26 < fluctuation_> do I need access to their machines? 13:26 < djph> fluctuation_: probably :) 13:27 < fluctuation_> But I really need to do stuff in their machines? 13:27 < fluctuation_> I thought passive packet sniffing was easy 13:27 < Reventlov> step 3: iw set monitor control 13:27 < Reventlov> step 4: ??? 13:27 < djph> fluctuation_: not on wifi :) 13:27 < Reventlov> step 5: profit 13:27 < Maarten> fluctuation_, it depends. If you are a student at said school, and the sysadmins find out its you..... no idea whether they consider that an offense to get expelled for. :P 13:28 < fluctuation_> so the school adapter or my adapter needs to be promisc? 13:28 < Reventlov> your one. 13:28 < Reventlov> Probably already is, if you have an intel one. 13:28 < fluctuation_> So why would I need to access my schools machines 13:28 < fluctuation_> if I only need my own 13:28 < Reventlov> you do not need access to your school machines. Just use your own computer. 
13:28 < fluctuation_> ok thanks reventlov 13:29 < OliverUK> In IPSec, do you need phase 2 to be encrypted seeing as it is within the phase 1 tunnel anyway? 13:29 < Reventlov> But using Linux would make everything easier; even a live system if you want. 13:29 < fluctuation_> Yeah 13:29 < fluctuation_> So is getting adapter promisc hard? 13:29 < light> ._. 13:29 < Reventlov> nope, just buy one. You have to check that it supports it beforehand. 13:30 < fluctuation_> oh 13:30 < fluctuation_> so this packet sniffing stuff isn't as easy as it seems 13:30 < fluctuation_> ? 13:30 < light> it's very easy 13:31 < Reventlov> Well, if spending 15€ is hard, then yes, it's hard. 13:31 < Reventlov> I use this one : https://www.amazon.fr/CSL-AC1200-double-Protected-dinfrastructure/dp/B06XDQWTBK/ref=sr_1_4?ie=UTF8&qid=1528111843&sr=8-4&keywords=csl+wifi 13:31 < fluctuation_> can I do it without money? 13:31 < Reventlov> >Probably already is, if you have an intel one. 13:31 < fluctuation_> with just my own laptop 13:31 < fluctuation_> yes 13:31 < fluctuation_> intel hp laptop 13:31 < Reventlov> check the model of your wireless adapter 13:32 < djph> depends on whether the admins at your school are good. if they are, they've likely enabled client-isolation on the wifi 13:32 < Reventlov> djph: which changes basically nothing when you're sniffing the medium. 13:32 < OliverUK> Also, why is double NAT so bad? 13:32 < djph> OliverUK: NAT itself is bad. double is doubly so :) 13:32 < fluctuation_> I see a lot of data 13:33 < fluctuation_> which one of them is the model 13:33 < djph> OliverUK: I mean, it's a necessary evil, but ... 
13:33 < fluctuation_> microsoft kernel debug adapter 13:33 < Maarten> Yeah you don't always have a choice with residential internet and forwarding a port or two :P 13:33 < OliverUK> djph: So it could be doubly necessary :-P 13:34 < fluctuation_> Where do I see the model sir 13:34 < fluctuation_> Reventlov 13:34 < djph> OliverUK: pretty much, it's just another hoop to jump through ... and if you don't control the upstream; it doesn't matter anyway. 13:34 < Maarten> but there shouldn't be any reason to have more than one NAT to traverse in most situations.... 13:34 < Reventlov> fluctuation_: I'm out, I have work to do. 13:34 < fluctuation_> ok thank you 13:35 < djph> Maarten: do "most situations" also include friends who run servers? 13:36 < Maarten> djph, said friends will likely have some sort of NAT going on to make those servers available to the net.... 13:37 < Maarten> but I see where you are going: you have no idea whether your destination is behind a NAT or not :P 13:39 < djph> Maarten: yep ;). But since "I" don't have any clue whether "you" have NAT going on, saying "no more than one" makes perfect sense 13:39 < Maarten> I hear ya. 13:41 < djph> OliverUK: pretty much it comes down to "Keep It Simple, Stupid" :) 13:42 < OliverUK> djph: Sure 13:43 < OliverUK> djph: I was thinking that for the above question about having all of the connections come from one IP address, doing NAT would have worked is all, I was wondering why it was a bad idea, thanks 13:43 < djph> OliverUK: I think I missed some piece of your questioning then 13:44 < djph> OliverUK: I mean, you had something about IPSec, which honestly I don't know ... 
and then the thing about double-NAT 13:44 < OliverUK> djph: It wasn't my question but one from plasmoduck 13:45 < OliverUK> djph: Yeah sorry, full of questions today 13:45 < djph> OliverUK: ahh, that would explain it :) 13:46 < djph> OliverUK: also, bear in mind that some of the guys in here are "professionals", so their answers will be given from that point-of-view 13:46 < djph> (I'm not, they just haven't caught on yet ;) ) 13:48 < OliverUK> djph: Networking is not what I do for a profession, I am just interested and trying to learn as much as I can :-P 13:50 < djph> OliverUK: me neither. i can hold my own most of the time, but if tandy or catphish start talking bgp or something ... 13:51 < dogbert_2> yawn 13:52 < AlexPortable> Is WPA3 hardware, or software based? As in can a firmware update bring WPA3, or does that require me to buy a new router? 13:53 < dogbert_2> well, any decent brand router in the last 5 years should just need a firmware update to enable WPA3, IMO 13:54 < snpresent> what is https://www.anscorporate.com/ and what do they do...??? 13:55 < AlexPortable> snpresent: Telecommunications Solutions 13:55 < djph> dogbert_2: I wouldn't be that optimistic. I mean, "decent brands" have their "shit line" too 13:55 < snpresent> AlexPortable, belong to us nation??? 13:56 < jadesoturi> oki. day 3 of my struggles with the bloody hotel hotspot. this morning i discovered that they seem to have fixed the hotspot auth/cert issues, as i now can get online without getting the pesky "connection not secure" errors from Chrome where the certificate is "replaced" by the domain controller here, but, when connecting the VPN(openvpn through networkmanager by NordVPN) i still get the problem that i lose connection every 5 min and either 13:56 < snpresent> owned by usa nation? 13:56 < jadesoturi> have to reconnect or just wait for 5-10 min for it to resume again. could this have been an openvpn issue all along? 
13:56 < djph> dogbert_2: although, I'd agree that most (upper-)midrange or better routers should be a firmware update and done. 13:56 < dogbert_2> djph...well, true...but as a rule, anything bought since 2016 should get an update to enable WPA3 13:57 < dogbert_2> I bought a motorola moto g5 plus in December 2017...that should be GTG with firmware update 13:57 < djph> dogbert_2: thereabouts, sure (I've not followed consumer stuff since, er ... 2013...14... crap when did I get this UBNT stuff?) 13:59 < dogbert_2> what kind of UBNT stuff..edgerouter? 13:59 < snpresent> AlexPortable, i mean owned by us gov? 14:00 < djph> dogbert_2: first kit was an ERL and UAP-PRO 14:00 < djph> still have the ERL, but running UAP-AC-LITEs now 14:01 < dogbert_2> ERL doesn't do wireless, sooooo 14:01 < dogbert_2> but I'd imagine the UAP's can get firmware updates 14:04 < cnf> i need to replace my ERL 14:05 < AlexPortable> snpresent: no idea 14:05 < dogbert_2> cnf...what's wrong with it? 14:06 < dogbert_2> I just wish UBNT made a wireless router in their brand line is all (oh well) :P 14:07 < snpresent> is QUIC enabled by default in chrome 67? 14:08 < djph> dogbert_2: yeah, I mean, the ER is just a router :) but I got it all at the same time 14:09 < dogbert_2> nodz... 14:09 < djph> dogbert_2: honestly, I'm glad they *don't* (well, they do have the airmax crap one I think ... unless they killed that off too) 14:10 < cnf> dogbert_2: it crashes from overheating, and it can't pull the loads i want 14:10 < djph> oops, no, the AirGateway 14:10 < dogbert_2> heh...watching the best low tech car chase scene in any Bond movie...For Your Eyes Only - Citroen 2CV vs Peugeot 504 14:11 < djph> cnf: well, that's not good. Upgrade to an ER-4? 14:11 < dogbert_2> sheesh, cnf...what are you doing to that thing 14:11 < cnf> djph: yeah a 4 or a 6 14:11 < cnf> dogbert_2: packet classification 14:11 < dogbert_2> hmmmph! 14:11 < dogbert_2> ballsy for home use 14:12 < cnf> what? 
14:13 < dogbert_2> packet classification for home use :) 14:13 < cnf> why? 14:15 < dogbert_2> at most, I have 4 things using my internet connection (desktop, smart phone, Libre Computer - Pi Clone, and the TV)...TV doesn't get used enuf for traffic shaping, etc 14:16 < dogbert_2> and occasionally a laptop 14:16 < cnf> traffic shaping is stupid 14:16 < dogbert_2> and don't do enuf for packet classification either 14:16 < cnf> i don't trust IoT shit 14:16 < dogbert_2> they should have equipped the ERL with a heat sink 14:17 < dogbert_2> and some arctic silver 5 14:17 < cnf> so the TV alone is enough cause to use packet classification 14:17 < dogbert_2> not the way I watch TV :P 14:17 < cnf> if it is on the network, it is plenty reason for it 14:17 < dogbert_2> and most of my media (DVD's, etc) are on the NAS 14:18 < cnf> it should not even be on your LAN 14:18 < dogbert_2> well, I like ripping DVD's when I buy 'em, so I can always watch stuff when I want to 14:18 < WizJin> 2 14:19 < cnf> you buy DVD's ? o,O 14:19 < cnf> also, that does not impact anything i said :P 14:20 < cnf> my TV is on a separate IoT vlan 14:20 < cnf> which is very restricted 14:20 < dogbert_2> cnf...of course...I usually go to a discount music shop if I'm looking for something specific, but I can also get stuff from the local library... 14:20 < cnf> but... DVDs... 14:20 < cnf> next you are going to tell us you still watch that stuff on a cathode tube... 14:21 < dogbert_2> no...I have a nice ASUS PV247 monitor 14:21 < cnf> oh my... 
14:21 < cnf> my condolences :P 14:21 < dogbert_2> my mom still uses an old cathode tube style TV which is about 12.5 years old 14:21 < cnf> o,O 14:22 < cnf> well, if it makes you happy :P 14:25 < dogbert_2> most of the stuff on TV today simply sucks 14:25 < cnf> well, don't watch MOST, watch the stuff that is good 14:25 < cnf> and "today", nothing has changed 14:26 < cnf> i'd say the quality of content has gone up 14:26 < djph> if you want "good TV", get Netflix 14:26 < djph> although the reboot of Roseanne was funny, too bad twitter and all 14:26 < Apachez> https://www.youtube.com/watch?v=L-7tu40PNAY CEO creates ‘snowflake test’ for job applicants :D 14:28 < dminuoso> Im on macOS and Im using forticlient. What options do I have to sniff traffic that has to go through my VPN tunnel? 14:29 < dogbert_2> Apachez...looked at 30 candidates on Saturday...24 didn't meet the qualifications issue, another 4 bombed the technical interview, and the remaining two had poor soft skills... 14:30 < djph> "What does America mean to you?" "Reigning two-time World War champs." 14:32 < compdoc> means home 14:33 < AlexeyX> Hi there! 14:33 < AlexeyX> Does anybody use Forticlient in Linux? 14:33 < compdoc> Ive heard of Fortinet. 14:34 < AlexeyX> yes, it is their vpn client 14:34 < djph> compdoc: IKR. 14:34 < dogbert_2> welp, let me start getting ready to head into /proc/w3rk... 14:35 < djph> the questions were funny, and good on him for trying to keep the reporter away from politicizing it. She would've failed it hardcore. 14:37 < dogbert_2> LOLZ - Ohio (Akron’s) graduation rate will soar to 93 percent this year. It’s not progress, writes Fordham’s Chad Aldis. The district lowered the bar dramatically to make its numbers look good 14:37 < dogbert_2> yeah, it's amazing how many you can hand a high school diploma when you keep lowering the bar for getting one :P 14:37 < dogbert_2> s/hand/give/ 14:39 < djph> dogbert_2: brilliant. 
14:39 < djph> honestly, I would love if "teaching the test" were banned outright. 14:43 < dogbert_2> djph...you go sit for an IT cert exam, you either pass or fail... 14:44 < dogbert_2> I love watching the Green "You Passed" come up at the end of the exam :P 14:44 < dogbert_2> and I've gotten the opposite as well :) 14:44 < djph> dogbert_2: better yet, when they give "the test", it's not "the test" they told the teachers. I mean, it's close, and if the students were taught *the concepts* they'd still pass; but ... 14:45 < dogbert_2> teaching to the test never works, esp. if you want to expand your knowledge in the future 14:46 < djph> yup 14:46 < djph> but hey, common core! 14:46 < djph> although I hear that someone finally killed that shit 14:47 < dogbert_2> yeah...welp, I'm off...l8r 14:47 < djph> take care 15:06 < grawity> so how well do UniFi APs handle VRRP from the main router? will they filter out the VRRP advertisements, or will they spam all wifi clients to hell? 15:07 < cnf> where it is nice and warm 15:10 < phre4k> when I have an A record for a subdomain already and a wildcard AAAA record, do I have to set up the subdomain's AAAA record, too? Because when I dig -t AAAA subdomain.example.com I don't get any address, but when I dig -t AAAA random.example.com I get the wildcard AAAA address 15:11 < phre4k> …s 15:11 < grawity> well yes 15:11 < grawity> it's not per-record 15:12 < obcecado> why that concern grawity ? 
15:12 < grawity> as long as the specific subdomain exists *at all*, you'll be getting responses based on that subdomain, and the wildcard will be inactive 15:12 < grawity> obcecado: battery usage 15:12 < obcecado> regarding the vrrp/multicast traffic 15:12 < obcecado> ah 15:13 < grawity> and general congestion of course (not that I'm smart enough to know what it really means) 15:13 < obcecado> my guess is the aps will ignore that traffic 15:13 < phre4k> grawity: aaaah, so when I have ANY record for a subdomain, I have to set all previously "wildcarded" records because the DNS server answers based on domains, not separated by records? Got it. 15:14 < obcecado> i got a similar setup, using carp and a few cisco aps 15:14 < grawity> I mean, the same router – same vrrp mac address – also originates multicast traffic I *do* want clients to receive (namely, IPv6 Router Advertisements) 15:14 < grawity> so I can't just tick "Block LAN to WLAN multicast", I have to allow the MAC 15:15 < phre4k> is it viable to have a server.example.com subdomain which has an A/AAAA record and then just CNAME all subdomains to that server so I can set both IPv4 and IPv6 records "simultaneously"? 15:15 < lupine> yup, even quite normal 15:15 < grawity> phre4k: if they're all identical, sure 15:15 < lupine> just note that you can't have an MX record alongside a CNAME 15:15 < obcecado> iirc, vrrp uses a 'special' mac address 15:15 < grawity> pretty much how most vhosts work 15:15 < obcecado> not the regular port 15:16 < phre4k> lupine: what do you mean by that? 15:16 < lupine> I'm not sure how else I can say it 15:17 < lupine> if you have foo.example.com CNAME server.example.com you cannot have foo.example.com MX anything 15:17 < grawity> phre4k: if you CNAME all your subdomains to one server, you can't add other record types individually for each subdomain 15:17 < phre4k> lupine: that I can't set the MX and CNAME for example.com, but have to set MX and A record? 
15:17 < grawity> it's all or nothing 15:18 < grawity> so – assuming your subdomains actually want to receive email – they will all need to use the same MX server 15:18 < grawity> not really a problem in practice, imho 15:18 < obcecado> https://tools.ietf.org/html/rfc5798 - Virtual_Router_MAC_Address 15:18 < phre4k> but I could have server.example.com have an A/AAAA record, then point mail.example.com MX server.example.com 15:18 < obcecado> grawity: ^ 15:18 < grawity> obcecado: yes, but what does that tell me about how the APs handle it? 15:18 < grawity> phre4k: so far, yes 15:19 < obcecado> that i do not know, but you're able to filter traffic if you wish so 15:19 < snpresent> i am curious about tcpros protocol... 15:19 < phre4k> is a CNAME record to a CNAME record a bad idea when it's a low traffic protocol? 15:20 < grawity> depends 15:21 < grawity> if they're all under the same zone / domain, you'll get the whole chain in a single response, no problems AFAIK 15:21 < phre4k> on what? It's just for autodiscovering mail 15:21 < grawity> obcecado: but the problem is that the same MAC originates both the wanted multicasts (ICMPv6) and unwanted ones (VRRP) 15:21 < phre4k> grawity: ah, yes. And when I have mail.example.org CNAME mail.example.com CNAME server.example.com A 192.168.0.1? 15:22 < grawity> might mean more lookups, *IMHO* still not a problem 15:23 < drzacek> Hello 15:23 < Peng_> phre4k: It's fine. Don't get infinitely carried away, but that's fine. 15:24 < Peng_> grawity: Recursive DNS servers might send a query for each name anyway though 15:25 < Peng_> phre4k: If you look at popular CDNs and stuff, 2 or 3 CNAMEs is pretty common. 15:25 < djph> Peng_: phre4k well, except for the RFC1918 IP Address :) 15:25 < Peng_> Haha, good point :D 15:26 < obcecado> grawity: but is any device subscribing the multicast group behind the ap? 15:26 < obcecado> i mean, the gateways using vrrp are wired, right? 
15:26 < phre4k> djph: yeah, that was just for documentation purposes because I keep forgetting the IP range for documentation purposes :D 15:26 < djph> 192.0.2.0/24 is one of ther three 15:26 < grawity> obcecado: nope, no subscribers, but at least the IPv4 group is in the 224.0.0.x range which is defined as "spam everyone even if there are no subscribers" 15:27 < Peng_> (Popular CDNs also benefit from fast-ish anycast DNS servers and extremely high cache hit rates, though.) 15:27 < phre4k> weird, I set a wildcard AAAA record for *.example.com to fe90::1 but when I do dig -t AAAA server.example.com I don't get an address?!? 15:28 < xylaoo> https://tinyurl.com/ya79dnx5 15:28 < grawity> phre4k: you said you have server.example.com/A 15:28 < djph> lessee... RFC5737 -> 192.0.2.0/24 -> TEST-NET-1; 198.51.0.0/24 -> TEST-NET-2 ; 203.0.113.0/24 -> TEST-NET-3 15:28 < grawity> it covers the wildcard, for *all* records 15:28 < phre4k> ah, got it. 15:31 < phre4k> how can I do dyndns with my own domains? Is there a hosted service for that (point subdomain home.example.com to service, get URL) or should I install a name server? 15:32 < Peng_> phre4k: You can usually use any DNS service and set a CNAME record to a different dyn DNS service. 15:33 < Peng_> But also any DNS service that lets you change A and AAAA records programmatically could in theory have a dynamic DNS client created for it. 15:34 < dogbert_2> if it's 224.0.0.5-6 and you've got OSPF on your network, just don't filter those out :P 15:35 < E1ephant> /buffer 18 15:35 < grawity> phre4k: some authoritative nameservers, such as BIND 9 or Windows Server, support dynamic zones via DNS UPDATE (nsupdate) 15:35 < grawity> phre4k: others might support e.g. 
loading zones from a database, which your custom HTTP script can update 15:35 < phre4k> Peng_: so when I have dynamic.example.com and just set the CNAME to server.example.com, then run ddns on my server, will something.dynamic.example.com be resolved by my server or the NS which also provides DNS for example.com? 15:36 < phre4k> because something tells me that's what NS records are for? 15:36 < grawity> CNAME does not cover subdomains, only the domain itself 15:36 < Peng_> phre4k: That is what NS records are for 15:36 < nikio_> hey 15:36 < grawity> NS would work 15:37 < nikio_> is it true that with an email address foo@foodomain.com the foo part is not relevant 15:37 < nikio_> to anything but the email server 15:37 < grawity> yes 15:37 < phre4k> my registrar doesn't support NS records for subdomains, wtf. 15:37 < lupine> time to run your own dns 15:37 < grawity> nikio_: well, in the sense that it doesn't play any part in the main delivery 15:37 < nikio_> so when you send an emal to foo@foodomain.com a dns look up just looks for the mx record 15:38 < nikio_> and then sends it to that ip 15:38 < phre4k> lupine: do I really want to set up a separate server for this? Probably not. :D 15:38 < lupine> *shrug* 15:38 < nikio_> the foo@ then gets resolved by the email server 15:38 < phre4k> time to switch to a registrar which supports NS records :D 15:38 < djph> nikio_: yeah, looks for the Mail Exchange for 'foodomain.com' 15:38 < Peng_> phre4k: Or keep the registrar but switch to a different DNS service. 15:39 < phre4k> Peng_: good idea, know a good DNS service in DE/EU? 15:39 < grawity> djph: I wonder what's the last MTA which supported MR/MG records 15:39 < Peng_> phre4k: Not particularly. There's https://www.rcodezero.at/ 15:40 < Peng_> I'm American :( 15:40 < grawity> phre4k: with servers located in DE/EU, or by companies run from DE/EU? 
15:40 < phre4k> Peng_: phew, 2 IP addresses cost 49€/month 15:40 < grawity> like, latency question or 15:41 < phre4k> grawity: both at the same time 15:41 < obcecado> grawity: https://community.ubnt.com/t5/UniFi-Wireless/UniFi-ebtables-rules/m-p/765572/highlight/true#M59084 15:41 < obcecado> seems like filtering using ebtables is the way to go 15:42 < Peng_> phre4k: Do you need IP addresses? 15:42 < grawity> phre4k: tbh you only need to run your own primary/master DNS 15:43 < grawity> many server hosts and registrars provide secondary servers 15:43 < Exagone313> Hi, I have a question regarding the HTTP protocol (HTTP/1.1) (if it's on topic here?). How can a client stop receiving a response without closing the socket, and then send a new request? 15:43 < phre4k> Peng_: I need at least one failover DNS 15:43 < djph> Exagone313: I don't think it does 15:44 < Peng_> phre4k: You don't need unique IPs 15:44 < Exagone313> VLC somehow does it, but I didn't know it was possible. 15:44 < Exagone313> I'm positive it's the same connection 15:45 < Exagone313> but it requests a very large file, so it manages to stop receiving the response 15:45 < phre4k> does a client ask another nameserver of the domain when it couldn't find the record with the first one? Then I could just run a secondary DNS and only propagate the subdomain? 15:46 < Peng_> phre4k: Oh, weird. I take that back. They really only offer you one nameserver on the cheapest plan? It's highly redundant, but still. 15:46 < Peng_> phre4k: No, resolvers don't retry when they receive a valid negative response. 15:46 < phre4k> Peng_: yeah that was my concern exactly :D 15:46 < phre4k> hm ok, seems I have to run my own NS probably 15:46 < Exagone313> unless there is a way to restart an HTTP connection inside a TLS tunnel, without closing the socket? 15:47 < phre4k> I'd use Namecheap FreeDNS but their servers are mostly in America 15:49 < phre4k> any opinions regarding https://dns.he.net/? 
15:49 < phre4k> Peng_, grawity ^ 15:50 < E1ephant> works a treat as backup/secondary/tretiary dns for me 15:50 < phre4k> ah, now the AAAA record suddenly worked, maybe it just took a bit to resolve correctly 15:50 < E1ephant> slaving some zones 15:50 < Peng_> phre4k: It's good. It's not German. :P 15:50 < phre4k> E1ephant: nice 15:50 < phre4k> Peng_: well, they seem to have servers in DE? 15:50 < Peng_> phre4k: Probably. I haven't checked. 15:50 < Peng_> But it's a US-owned company, if that's a problem 15:51 < phre4k> hmmmmmmm 15:51 < E1ephant> yeah mark welch owned company as well 15:51 < E1ephant> if that's a problem 15:51 < E1ephant> is he here? 15:51 < E1ephant> that would be nifty 15:53 < phre4k> I found desec.io but they say their DNS hosting is in beta, that doesn't sound trustworthy 15:53 < phre4k> E1ephant: what's wrong with Mark Welch? 15:54 < Apachez> so its official microsoft just aquired github for $7.5 billion... 15:54 < E1ephant> nothing 15:54 < Apachez> phre4k: they work great 15:54 < E1ephant> maybe some poor choices in BGP hygine, but I think it's a good company/guy 15:54 < Apachez> dns.he.net that is 15:54 < phre4k> Apachez: you use desec.io? 15:54 < Apachez> nope 15:54 < Apachez> I use dns.he.net 15:54 < Apachez> as slaves 15:54 < phre4k> ah ok 15:55 < phre4k> isn't slavery illegal? 15:55 < E1ephant> not in the DNS sense 15:55 < obcecado> lol 15:55 < E1ephant> it's alive and well 15:55 < E1ephant> or legal rather 15:56 * E1ephant cracks whip 15:56 < Exagone313> I used dns.he.net but the question I had in mind was: how do they pay their bills? 
15:56 < lupine> running dns is super-easy and cheap 15:56 < lupine> they sell peering and whatnot 15:56 < lupine> transit* 15:56 < E1ephant> they're a global value priced ISP 15:56 < phre4k> Exagone313: that's what I ask myself too, I use their DynDNS servers for _some_ of my domains 15:56 < Exagone313> yeah I know they do that but still 15:57 < E1ephant> this and their other features are marketing tools 15:57 < lupine> you might as well ask how a supermarket manages to survive when it gives away free bags 15:57 < E1ephant> (tunnelbroker/v6 cert) 15:57 < djph> lupine: "gives away", "free" 15:57 < Exagone313> free bags do not exist anymore, these are sold too 15:59 < djph> they technically never did - you were just paying for them as part of the cost of your stuff 16:00 < Exagone313> their dynamic dns service is really easy to use, compared to my registrar's dns server that requires to use an api that can manage all the domains with the same token --' 16:03 < phre4k> Exagone313: you should vote with your feet and choose a better registrar 16:03 < Peng_> Good luck finding a better registrar 16:03 < Exagone313> at least they are nice people, I've met some at meetups 16:05 <+catphish> HE are a large ISP, they give a lot away, but they also have paying customers :) 16:05 <+catphish> i just sponge off them 16:05 < phre4k> outlook.com says I'm on their mail blacklist but can I find out why? 16:05 < djph> catphish: hey how'd that router you were writing ever go? 16:06 < phre4k> I have SPF, DKIM, DMARC and even DANE set up 16:06 < djph> phre4k: their response didn't tell you why? 16:06 <+catphish> phre4k: google for email blacklist checkers, some blacklists will allow you to remove yourself, outlook likely operate their own though, may be nothing you can do but wait 16:07 < bezaban> phre4k: I had to do some unblocking dance for my ip address for hotmail and friends blacklists. 
Looked like they'd blocked a whole range of addresses belonging to my provider, probably blocking entire ranges 16:07 <+catphish> you really shouldn't be on a blacklist unless you were sending spam :( 16:07 < djph> mxtoolbox may show you 16:08 < Peng_> catphish: They give so much away for free, like hijacked routes. . . :D 16:08 < phre4k> catphish: I'm not on any blacklist I had checked (>200 of them) 16:08 < phre4k> bezaban: that sounds likely to me. 16:08 <+catphish> phre4k: well clearly you are on their blacklist if they say you are :( 16:08 < bezaban> as opposed to single hosts when they misbehave 16:08 <+catphish> Peng_: they do enjoy the occasional leaked route :) 16:08 < bezaban> but I never found anything in public blacklists 16:10 < phre4k> catphish: yeah… 16:11 < bgsteiner> For outlook and AOL Make sure you ahve an account and register your domains with their Post Master system otherwise you will be blocked 16:12 < bgsteiner> Its a good idea to register with all major mail services eg: Google, Yahoo, AOL, Microsoft 16:12 < bgsteiner> As they all have a Post master system to manage domains and handle spam and abuse reports 16:15 < phre4k> the response from outlook.com: Please contact your Internet service provider since part of their network is on our block list (S3150). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [HE1EUR01FT049.eop-EUR01.prod.protection.outlook.com] 16:15 < bgsteiner> Is this from a hosted service or server provider? 16:16 < phre4k> bgsteiner: server from a server provider / DC 16:16 < bgsteiner> OVH? 16:17 < phre4k> netcup 16:22 < bgsteiner> I took a look at it since they are have their own data centers contact them they should be able to help. Worst case they may have to change your I block if they cant work out something with Microsoft. I still recommend that commend registering your domain(s) with their postmaster. 
https://sendersupport.olc.protection.outlook.com/snds/ 16:23 < phre4k> found their unblock form: https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3 16:23 < bgsteiner> There is also information under https://sendersupport.olc.protection.outlook.com/pm/ 16:23 < phre4k> thanks bgsteiner 16:24 < phre4k> are there similar "SNDS" things for other providers? I registered with Google's webmaster tools which also tell me stuff about my mail servers 16:25 < bgsteiner> Yes just google "*service provider* postmaster" 16:26 < phre4k> oh, ok :D thanks 16:26 < bgsteiner> almost every major provider will have something simmilar 16:26 < phre4k> I usually just do LANs and set up regular servers, the whole mail setup process did change a lot the last 10 years :D 16:26 < bgsteiner> google does have seperate "postmaster tools" as well 16:27 < phre4k> last time I set up a mail server properly was in 2005 or so, idk if SPF and DKIM already existed but I never had to deal with any of it 16:27 < phre4k> bgsteiner: er, I meant postmaster tools, not webmaster tools 16:28 < phre4k> what the fuuuuuck, I just found out this: http://rfc-clueless.org/lookup/crunchweb.eu 16:28 < phre4k> 2014? Really? 16:29 < phre4k> oh wait what, that is a list which includes the whole EU domain? o_O 16:29 < j-fish> I have a tp link WiFi extender with Ethernet port. Can I make it to work as an access point ? 
(Connecting it via Ethernet cable to the main router ) 16:29 < phre4k> TIL I shouldn't use an EU domain 16:30 < phre4k> j-fish: depends on the model, see its manual 16:32 <+catphish> the only things you actually have to do are 1) be patient and 2) don't send spam 16:33 <+catphish> oh and 3) don't send grossly badly formatted messages that look like spam 16:33 < phre4k> catphish: I don't really do that 16:33 <+catphish> i've never had a problem with blacklists except where i've accidentally sent spam 16:34 <+catphish> j-fish: probably, you'd have to check the specs though, or look in the web interface for AP mode 16:37 <+catphish> phre4k: it may be that you just need to be patient, wait a bit send a few emails, nothing important, wait and see if it fixes itself 16:37 < qoxncyha> my client is missing our SSL certificate's parent, Let's Encrypt. why would that happen, and how do i get him to fix it? 16:38 <+catphish> that seems kinda unlikely :| 16:38 < qoxncyha> i didn't have to do anything to get Let's Encrypt certificates being signed on my of my machines 16:38 <+catphish> qoxncyha: are you sure you're not just forgetting to send the intermediate certificate? 
16:38 < qoxncyha> catphish: my client is German 16:39 <+catphish> every client should trust LE 16:39 <+catphish> even if they're German 16:39 < phre4k> qoxncyha: maybe use the full chain certificate 16:39 <+catphish> you *must* use that, without the intermediate certs, it will often fail 16:39 < compdoc> LE is great 16:39 < phre4k> qoxncyha: and tell them to update their OS and browsers 16:40 < lupine> you can (and arguably should) exclude the root certificate from the chain 16:40 < lupine> but yeah, include intermediates 16:40 <+catphish> as lupine says 16:40 <+catphish> normally your certificate issuer will give you a "full chain" anyway, which includes everything you need 16:40 <+catphish> LE certianly do 16:40 < lupine> (any client worth its salt will discard the root anyway, but it'l reduce TLS setup time fractionally to exclude it) 16:41 <+catphish> i've known clients to fail if they were sent a root cert, as they'd try and fail to verify it 16:41 < Peng_> qoxncyha: What client and OS are your client using. What's the site. 16:41 < phre4k> isn't the fullchain.pem provided by certbot already without the root cert? 16:41 <+catphish> phre4k: yes 16:42 < jvdmr> letsencrypt was actually not trusted in a lot of software until about a year ago 16:42 < qoxncyha> jvdmr: how is the trust update propagated? 16:42 <+catphish> jvdmr: i disagree 16:42 < Peng_> jvdmr: DST Root CA X3 has been trusted by most platforms for years 16:42 < jvdmr> qoxncyha: through software updates 16:42 <+catphish> LE were cross-signed by a major CA long before that 16:43 < qoxncyha> jvdmr: what software? would it be web browsers or the operating system, or both? 
16:43 <+catphish> i've been using LE in production way longer than a year 16:44 < jvdmr> I'm just speaking from my own experience, a year ago I still had people on older browsers that got security notices about LE certificates 16:44 < Peng_> qoxncyha: Either or both 16:44 <+catphish> qoxncyha: hard to say, ideally update both 16:44 < Peng_> jvdmr: Appllingly old 16:44 <+catphish> but sometimes just one or the other 16:44 < jvdmr> sure 16:44 < qoxncyha> there's no way that the problem is outside the user's computer, correct? the network administrator has nothing to do with this? 16:44 < Peng_> I mean if someone hasn't updated Firefox in 10 years they're gonna have problems 16:44 < qoxncyha> (i.e. should i tell the user to speak to IT?) 16:45 < Peng_> qoxncyha: Maybe 16:45 <+catphish> jvdmr: well sure, but those browsers would still reject those certs now, so it's not really a fair point 16:45 < qoxncyha> maybe what? 16:45 < Peng_> qoxncyha: All 3 questions 16:45 < qoxncyha> the problem is definitely on the user's computer directly, right? it's not on the network? 16:45 < Peng_> qoxncyha: Maybe 16:46 < qoxncyha> i can confirm via local chrome that the certificate is valid 16:46 < jvdmr> although if you go look outside of browsers, the latest Oracle JVM version 1.5 years ago (october 2016) didn't support LetsEncrypt either 16:46 < qoxncyha> i can see the trust chain all the way to DST Root CA X3 16:46 < Peng_> qoxncyha: The server could be misconfigured with the wrong chain. You could be connecting to a different server. 16:46 < qoxncyha> no, the certificate is valid 16:46 < Peng_> qoxncyha: The server could be misconfigured with the wrong chain. You could be connecting to a different server. 16:46 < Peng_> qoxncyha: I didn't say the certificate was invalid 16:47 < Peng_> https://letsencrypt.org/docs/certificate-compatibility/ FYI 16:48 <+catphish> qoxncyha: just because your browser has the intermediates doesn't mean you're sending them, check! 
16:48 < Peng_> jvdmr: Yeah, Java and BlackBerry were the big problems 16:48 <+catphish> oh yeah, blackberry / java / windows xp were problems for both LE and SNI for a long time 16:48 < Peng_> XP also because XP's certificate code couldn't handle Let's Encrypt's intermediates! 16:48 < qoxncyha> i would like to solve this in a minimally intrusive way 16:49 <+catphish> when MS dropped XP support, we figured it would be ok to do the same :) 16:49 < Peng_> qoxncyha: You need to figure out what's wrong 16:49 < Peng_> qoxncyha: Before solving it 16:49 < qoxncyha> Peng_: absolutely 16:50 < qoxncyha> my client is using Google Chrome as that is the only client we support 16:50 < qoxncyha> so it's "Known Compatible" 16:50 <+catphish> qoxncyha: did you check the intermediates? 16:50 < Peng_> What version of Google Chrome. What OS. What is the error message? What is the website. 16:50 <+catphish> i know i've said it like 4 times 16:51 < qoxncyha> catphish: we are only sending the leaf certificate, not the full chain 16:51 < qoxncyha> Peng_: i will find out 16:51 <+catphish> qoxncyha: that's your problem then 16:51 < phre4k> Peng_: I don't think qoxncyha is going to provide this information at this point, he ignored your requests 10 min ago 16:51 < Peng_> qoxncyha: You have to send the leaf and the intermediate. 
16:51 <+catphish> qoxncyha: you MUST send the intermediates 16:51 <+catphish> it's easy, and it should fix this 16:51 < phre4k> I bet it's the intermediates 16:52 < qoxncyha> i will be back with more information when i get it 16:52 < qman__> qoxncyha: https://www.ssllabs.com/ssltest/ 16:53 <+catphish> the problem appears to already have been confirmed :) 16:54 < qman__> yeah, it's just a good tool 16:54 <+catphish> i agree, i use it for pretty much all SSL debugigng, much easier than remembering how to use the openssl CLI :) 16:54 < qman__> So is https://testssl.sh/ but that's nore advanced 16:54 < Peng_> Sucks for services that aren't public port 443 though 16:54 <+catphish> not seen that 16:55 < qman__> It's basically a really advanced openssl test script, they use a cusom compiled version of openssl that supports all the weak cipers to test them 16:56 < qman__> It works for non-internet facing stuff 16:56 <+catphish> seems implausible 16:58 < qman__> You just download their script and openssl binaries, tgen run it agaibst anything feom anywhere yourself 16:59 < qman__> Sorry, touch screen keyboards are the worst 17:05 < phre4k> when I set up a CNAME for mail.example.org pointing to server.example.org and the MX is mail.example.org, the certificate should be valid for mail.example.org, right? 17:06 <+catphish> what certificate? 17:07 < ||cw> phre4k: cname and cert are unrelated. the cert needs to be fore mail.example.org, or a wildcard, to be valid for it 17:07 <+catphish> phre4k: why would you do that? why not point MX to server.example.org and remove the extra work? 
17:07 < qman__> Certificates are valid for whatever name is on the certificate, has nothing to do with the dns configuration 17:07 <+catphish> cert has nothing to do with CNAME anyway, the cert needs to be valid for the name the client is trying to connect to 17:08 <+catphish> i hate unnecessary CNAMEs 17:10 < phre4k> catphish: I have other domains (example.com) with a MX record to mail.example.org; if I ever change the IP of the server I want to just change a single record and not all of them but while I type this I notice this is stupid and I should really just run my own DNS so I can update multiple records without a cumbersome web interface 17:11 < E1ephant> or yeah just find a dns host with api 17:11 < E1ephant> and write your automation for that 17:12 < phre4k> I had this super cool website where you could just send an email to asd8asgd8g@example.com and they tell you what's wrong with your server yesterday, I can't seem to find it – any ideas? 17:13 <+catphish> phre4k: i don't understand your answer, it doesn't explain why the "mail" name even needs to exist, but i do agree that you should just update all the IPs at once where possible rather than using a CNAME and causing an extra lookup step 17:13 < Rayben> Chaos (Greek χάος, khaos) refers to the void state preceding the creation of the universe or cosmos in the Greek creation myths, or to the initial "gap" created by the original separation of heaven and earth.[1][2][3] In Hesiod's Theogony (c. 700 BC), Chaos was the first of the primordial deities, followed by Gaia (Earth), Tartarus (the nether abyss), and Eros (Love).[4] From Chaos came Erebus (Darkness) and Nyx (Night).[5] 17:14 <+catphish> phre4k: there are a few of those email test service, i just google for them every time though 17:21 < Edane> my port 80 and 443 showed as closed on the GRC Shields up test, is this secure? 17:22 < ryao> Edane: Yes. There are some paranoid people who think that is not good enough, but it really doesn't matter. 
17:23 < Edane> ryao, can you recommend some other tests I can perform on my network or are the GRC Shields up good enough? 17:24 < ryao> Edane: They are usually fine, although they don't test every port. Get nmap and run it from another external IP and you'll get a complete picture. 17:25 < Edane> ryao, ok thanks. How important is it to pass the ICMP Echo Request? 17:25 < ryao> Edane: To block it or reply to it? Blocking it would break uptime monitors if you set any up. On my router, I allow it. 17:26 < Edane> ryao, I blocked it on mine. What services use uptime monitors? 17:26 < Edane> i mean how important is it to block it? 17:27 < Aeso> Blocking ICMP Echo Requests is nothing more than security through obscurity, imo. Very little value add. 17:27 < Aeso> Rate-limiting ICMP Echo Requests on the other hand is quite valuable. 17:27 < Edane> Aeso, how do I see if I am blocking that? I am using a EdgeRouter Lite 17:27 < ryao> Edane: DSL reports's uptime monitor. Anyway, blocking these things isn't really very helpful. See what Aeso said. 17:28 < Edane> ryao, im using fibre 17:28 < ryao> Edane: That doesn't matter. 17:29 < Edane> ryao, how do I see if im rate limiting echo requests? I have EdgeRouter Lite 17:29 < Aeso> It sounds like you'd be better off spending some time learning about what it is you're trying to secure than blindly running security scanners against your edge and hoping for the best. 17:29 < ryao> Edane: You aren't. 17:29 * ryao doesn't know how to do rate limiting of such things. 17:30 * ryao hasn't seen that feature on the edgerouter either. 17:30 < Edane> ok thanks 17:30 < ryao> Edane: Just do what Ubiquiti says to do firewall wise and you will be fine. 17:31 < ryao> The only real security issue would be if you find open ports. Usually, that is a bad thing. 17:31 < ryao> Unless it is for a VPN server or something like that. 
17:38 < Edane> ryao, ok thanks 18:11 < sadtaco> https://paste.debian.net/1027933/ I got a massive spike in DHCP traffic, and DHCPDECLINE. Is there some what I could throttle these in Debian so it won't become a problem again? I have no idea what caused it unless it's related to running out of disk space somehow. 18:11 < shtrb> did you ask in #debian ? 18:12 < shtrb> do you have network-manager and uppowerd running (maybe an interface is in a loop up/down) ? 18:16 < sadtaco> I did and they said it's not a debian question. Yes, network-manager and uppowerd are running. 18:17 < sadtaco> I do not understand what you mean about an interface being in a loop, though. But my interfaces config is the default of an Amazon EC2 image config. 18:17 < shtrb> sadtaco, sometimes when you are on battery power it will bring the device up and down (cycle it) , which will cause it to request network interfaces 18:17 < shtrb> sadtaco, oh , I thought you are on a laptop 18:17 < sadtaco> Ah. Huh. Well it's an AWS EC2 node. Nope. 18:17 < sadtaco> I guess that's an issue you more commonly see on a laptop? 18:17 < shtrb> check /var/log/syslog if you can see some odd interface behavour 18:18 < shtrb> sadtaco, power managment is a laptop issue 18:18 < sadtaco> The only thing that comes to mind is that I ran out of disk space. Maybe that led to such an error. 18:18 < sadtaco> Yeah that's where I pasted the log from. 18:18 < shtrb> and dmesg , do you see anything about network interface go up/down ? or restart in avahi/dhclient etc 18:19 < shtrb> *I mean messages about avahi/dhclient restart not to restart the node 18:19 < sadtaco> I don't think interface was going down, since this is a webserver and I could access it from the outside. And well I'm ssh'd in. Unless this is something about just the dhcp interface going down. 
But hold on 18:20 < shtrb> and if you have several dhclient / dhcpc clients running on the same time for the same interfaces 18:21 < sadtaco> Well if I tail syslog it's just tons of the same thing I pasted. 18:21 < sadtaco> "[ 5.136290] piix4_smbus 0000:00:01.3: SMBus base address uninitialized - upgrade BIOS or use force_addr=0xaddr" is one thing in dmesg that sort of stands out. 18:22 < sadtaco> "[ 5.227052] xen_netfront: Initialising Xen virtual ethernet driver 18:22 < sadtaco> " is the only thing when I grep 'eth', which seems fine. 18:22 < shtrb> do you get many or just one line ? 18:23 < shtrb> for the ethernet 18:23 < sadtaco> Just that one line. 18:23 < sadtaco> I finally see something a little different in syslog.. https://paste.debian.net/1027941/ 18:24 < sadtaco> And it looks like the spam has stopped. 18:51 < phre4k> ok someone just asked me why you can't buy domains, only rent them. I want to give them a foundated answer, is the answer that registrys require monthly payment and being a registrar costs a lot of money? 18:51 < phre4k> s/registrys/NICs/ 18:53 < dminuoso> phre4k: Because they are a license to print money. 18:54 < dminuoso> phre4k: It also decreases the chance of names being bought and forgotten (=wasted) 18:54 < phre4k> well… 18:54 < phre4k> domain parking exists 18:55 < phre4k> also I don't think TLDs are a license to print money, after all you have to have the infrastructure to sell subdomains of TLDs, right? 18:55 < dminuoso> phre4k: You misunderstand. Say I buy microsense, microsoft, microthing, microlens, micro* - and I leave them unused. 18:55 < shtrb> phre4k, you could actually buy domain (in some time in the past) - but that was before the there had been privatly held registers 18:55 < dminuoso> Now the entire domain space lacks a ton of "micro*" names 18:55 < dminuoso> (under some TLD of course) 18:56 < dminuoso> phre4k: So the rental model increases the chance that domains go back if they are unused. 
18:56 < phre4k> can't you still buy "newTLD"s for 210k$? 18:56 < shtrb> phre4k, you might "buy" a domain from the tld operator 18:57 < dminuoso> phre4k: Just consider the case that you create a website, and then you shut it down a year later for some reason. 18:57 < phre4k> shtrb: I'm not aware of any TLD operator who allows this 18:57 < dminuoso> If the domain was bought, it might be left around a zombie 18:57 < shtrb> phre4k, that is normaly "state owned" 18:57 < shtrb> *country tld not just a tld 18:58 < phre4k> I guess the real question is why you can't just pay once and have a domain forever. My answer would be "because NICs and the ICANN don't allow it", right? 18:58 < djph> pretty much 18:58 < shtrb> I don't think ICANN give a rat tail about what happen inside a ccTLD 18:59 < phre4k> I wonder what happens when Germany is divided after WW3 again… will .DE cease to exist? :D 19:00 < phre4k> just like it happened to .YU and .CS :D 19:01 < djph> phre4k: .de.west / .de.east 19:02 < phre4k> djph: .de.oldworld .de.newworldorder 19:02 < djph> ha 19:02 < phre4k> inb4 Germany just gets wiped 19:03 < shtrb> so I asked the people I knew, they didn't bought it, they got a long term lease (did not get an end term ) 19:04 < shtrb> *one person I know first hand that did it 19:04 < shtrb> I wonder if I could register sudo.su 19:05 < phre4k> I wonder if there's a philosophical write-up about that topic already or nobody really bothers 19:05 < phre4k> my client who asked doesn't understand why 19:06 < phre4k> how the f… is it so hard that there are companies running the internet name resolution you have to pay regularly that your domain is translated into an IP 19:06 < shtrb> you should find some corrupt ccTLD and let them sell you the address 19:07 < phre4k> shtrb: I'm glad my client doesn't know this channel or they'd think they can just go somewhere and buy a ccTLD 19:07 < djph> phre4k: "but everything on the internet is free! see, google and dropbox and ..." 
19:08 < shtrb> phre4k, you can buy a citizenship , why not buy a ccTLD ? 19:08 < shtrb> "investor visa" 19:09 < phre4k> jesus christ guys 19:09 < shtrb> what ? 19:11 < djph> what'd I do? 19:19 < shtrb> Are consumer routers usually give an option to use LAN as second wan (or come with dual wan) ? or it's uncommon ? 19:20 < skyroveRR> shtrb: uncommon. 19:20 < shtrb> at first I thought the service person was bullshiting me:-( 19:20 < skyroveRR> Happens. 19:20 * skyroveRR pats sh 19:20 < skyroveRR> * shtrb 19:21 * shtrb purrs and reboots 19:22 < grawity> so I was told once, "Thou shalt not mix authoritative and recursive DNS services, and thou shalt take example from Unbound and NSD which keep them wholly separate" 19:22 < grawity> >fast forward to 2018 19:22 < grawity> >Unbound adds authoritative DNS service 19:22 < skyroveRR> grawity: it's more of a "who gives a damn if I run both" stuff. 19:23 < shtrb> in 2018 , Microsoft own github, had GNU/winnt so who care about mixing stuff 19:43 * spaces saw his first snake here today! 19:43 < bob91> hi there 19:43 < bob91> i have a question about networking 19:44 < tds> you've come to the right place then :) 19:44 < bob91> thanks man ! 19:44 < bob91> so 19:44 < bob91> I have to set up a connection with 2 pcs 19:45 < bob91> which is the best protocol with a special regard to the security ? 19:45 < shtrb> null modem ? 19:45 < E1ephant> internet protocol is pretty dope 19:46 < E1ephant> not sure about secure though 19:46 < E1ephant> what kinda sec reqs? 19:46 < bob91> like ssh but it not so secure 19:46 < shtrb> bob91, ssh not secure ?! 19:46 < spaces> tds I thought we only were negative about otherones network here 19:46 < spaces> bob91 back the days, 3com had 3XP nics which could encrypt data 19:46 < bob91> sorry @shtrb, i mean that it is hackerable 19:46 < tds> but then it's just... sh! 
19:47 < shtrb> bob91, everything is hackable
19:47 < shtrb> hence the null modem
19:48 < shtrb> it can be passively tapped, but who are you hiding from? (if they can break into ssh)
19:48 < bob91> sensitive data
19:51 < likcoras> bob91: just use TLS, unless your needs are not met by TLS, in which case you would need to specify what your requirements are.
19:51 < shtrb> if you are afraid of someone powerful enough to break your 4K ssh keys there is not much we can suggest, maybe a steganographic version of IPoAC?
19:52 < shtrb> maybe data bursts?
19:52 < bob91> shtrb: sorry, what is IPoAC?
19:53 < shtrb> RFC 1149
19:53 < likcoras> Internet Protocol over Avian Carriers, it's a joke.
19:54 < shtrb> likcoras, his ssh can be broken, he needs something that will be both secure and hidden (some kind of low-probability-of-interception protocol), I don't think data bursts over radio have an RFC
19:55 < shtrb> bob91, srsly ssh is normally secure enough (with 4K keys at least)
19:56 < bob91> i have to setup a secure connection over two pc for a job
19:56 < bob91> and the requisite is a secure connection
19:57 < bob91> how does rfc work?
19:57 < E1ephant> what operating systems
19:57 < bob91> ubuntu server of course
19:57 < shtrb> ipsec and ssh do the job in most cases, are they in close proximity or are they very far? can you afford a non-internet connection (dial in / line of sight etc)
19:57 < E1ephant> I would use opensshd then
19:57 < shtrb> what is your adversary?
19:59 < qman__> ssh is probably the highest security protocol in common use
19:59 < bob91> shtrb: what is the measure to determine if the distance is far or not?
20:00 < bob91> however it is far
20:00 < bob91> in another country
20:01 < shtrb> you have so many levels of attack ..., but ssh with a big enough key, with expiring passwords might do the job (select 4K keys)
20:02 < shtrb> if you are afraid of someone hacking SSH keys, you assume they have either a wrench or some kind of quantum computer, in both cases there isn't much you can do
20:02 < tds> and make sure you actually validate the fingerprint of the host's key when connecting/setting it up, don't blindly accept it
20:02 < E1ephant> how do I hack a gibson
20:04 < shtrb> but a dial in option normally reduces attack vectors
20:04 < shtrb> I mean ssh over a dialin system
20:07 < shtrb> E1ephant, with the right tool :)
20:07 < shtrb> an axe is an option
20:07 < E1ephant> RISC system? 256MB DRAM?!
20:08 < shtrb> E1ephant, I thought you meant The Gibson ... (guitar)
20:09 < shtrb> You can even use a two-factor ssh: SMS will cause the ssh service to start and then you could log in (just setup a good smsd service)
20:09 < shtrb> and kill the service when you log out
20:10 < E1ephant> oh sorry a terrible movie quote from "Hackers"
20:10 < shtrb> Sorry, I messed with the best :
20:10 < tds> there are some much nicer two factor solutions as well (eg pam modules for totp auth)
20:10 < shtrb> :)
20:11 < shtrb> tbh, I'm talking about the service being selectively enabled
20:14 < qman__> SMS to start the service seems particularly error prone
20:15 < qman__> port knocking or standard two factor solutions would be better
20:15 < shtrb> qman__ if you only accept SMS with specific content (even signed) it could be managed nicely
20:16 < qman__> I mean the service starting part
20:16 < qman__> If your config breaks or you start having other system issues, you'll be locked out
20:16 < shtrb> my point was for it to be not running most of the time
20:16 < shtrb> qman__, that is part of the idea
20:17 < shtrb> if you can login others can try
20:17 < qman__> Yes, that's the problem - if it's not running and something breaks, you have zero chance to fix
20:17 < qman__> If it is running and something breaks, you might be able to get in and fix it
20:18 < shtrb> qman__ maybe add a "smart" power breaker that could cut the power on a call
20:18 < shtrb> and by smart I mean hire a student :)
20:19 < qman__> My point is, use a different solution that keeps the daemon running, better odds of surviving issues
20:20 < shtrb> We have different views on that subject, I say if it breaks burn it with fire, you say fix it
20:21 < blinkey> Can port forwarding work if i don't have a static ip?
20:21 < shtrb> blinkey, yes
20:21 < shtrb> but not always with Carrier grade nat
20:22 < blinkey> Won't the connection drop after some time?
20:22 < shtrb> why should it?
20:22 < blinkey> Do dynamic IPs change after a restart?
20:23 < shtrb> if the ip itself is stable (does not change) the connection should be alive (depending on the protocol)
20:23 < tds> if the ip changes regularly, there are various systems for dynamically updating dns records to always point to the new ip
20:23 < shtrb> blinkey, not always (but the norm is yes)
20:23 < tds> pretty much every router I've ever seen also loses its state table on restart though, so existing connections would be killed anyway
20:24 < shtrb> your best bet is some kind of dynamic dns updater
20:24 < shtrb> tds, I was under the impression that he understood that if he restarts the router the connection will drop
20:24 < blinkey> No no. i meant after the IP changes
20:24 < tds> sure, if you have a tcp connection and restart the router, it sounds likely to me that the connection will drop
20:25 < blinkey> I sould've worded it better
20:25 < ryao> For NAT only.
20:25 < blinkey> *should
20:25 < qman__> in order for your ip to change, all the connections have to drop
20:25 < tds> yeah, seeing as port forwarding was being discussed, I was assuming the router is nating
20:25 < ryao> I misunderstood. I thought it was just a router reboot. I didn't see all of the backlog.
20:26 < blinkey> I have been practicing on metasploitable but now i want to test on a dummy machine over WAN
20:26 < ryao> There are exceptions though. tmate is fairly nice in that you can change the client IP and still have it work. ^_^
20:27 < tds> ah yeah, mosh does that as well iirc
20:27 < ryao> I meant to say mosh.
20:27 < tds> :)
20:28 < blinkey> Btw, why is it so damn hard to set up vmware on linux?
20:28 < ryao> It is proprietary software. ^_^;;
20:28 < blinkey> i keep getting a kernel module error that I can't fix (same with virtualbox)
20:28 < qman__> Use KVM
20:28 < ryao> Ask for help in your distribution's support channel.
20:28 < qman__> It's the native option
20:29 < ryao> Or vmware's support channel.
20:29 < shtrb> blinkey, it's that hard honestly
20:29 < ryao> qman__: VMWare is native too if I recall how it integrates.
20:29 < ryao> He is using VMWare player or VMWare Workstation, not ESXi.
20:29 < shtrb> and use a saner vm (vbox and qemu give nice results)
20:29 < ryao> ESXi doesn't require loading modules like virtualbox.
20:30 < shtrb> it also doesn't crash like it, and has good audio transfer
20:30 < qman__> completely different situation
20:30 < ryao> The last I heard, plenty of people did not consider virtualbox to be sane. Maybe it has changed.
20:30 < blinkey> Just what i needed :-D
20:30 < shtrb> ryao, can we agree that both vmware and vbox have issues?
20:30 < qman__> ESXi is a linux-based system but does not run on common linux distributions, it's a proprietary stack
20:31 < TandyUK2> blinkey: setting up virtualisation isn't hard. do you actually have the virt features of your cpu turned on?
20:31 < qman__> KVM is in the mainline linux kernel
20:31 < qman__> It's as native as it gets
20:31 < TandyUK2> and virtualbox is perfectly sane imho, although i would recommend it for dev/home use, not anything production/serious
20:31 < compdoc> I tried to mainline KVM, but it hurt
20:32 * shtrb waiting for someone to say chroot and docker
20:32 < TandyUK2> shtrb: stop swearing!
20:32 < blinkey> Virtualisation isn't hard. I just can't get it to work on a specific distro
20:32 < TandyUK2> use a different distro then lol
20:32 < ryao> blinkey: Not that I have time to help, but I am just curious, which distribution?
20:32 < ryao> shtrb: Probably.
20:32 < shtrb> blinkey, #yourdist
20:32 < blinkey> Kali
20:32 < ryao> qman__: I thought VMWare stopped using Linux in ESXi.
20:33 * shtrb facepalm
20:33 < blinkey> relatable
20:33 < ryao> blinkey: May I suggest #pentoo? :P
20:33 < shtrb> at least it's not win10
20:33 < TandyUK2> again back to my previous question
20:33 < TandyUK2> do you actually have the virt features of your cpu turned on?
20:33 < qman__> ESXi is a lot like android, they use a linux kernel but that's about it, everything else is proprietary
20:33 < shtrb> is it kali on bare metal or in lxss or something like that?
20:34 < ryao> qman__: I thought that they moved away from using the Linux kernel as a driver donor.
20:34 < TandyUK2> maybe in 6.5, but all the working versions of esxi are linux based
20:34 < TandyUK2> esxi post 6.0 might as well not exist, as they retired vsphere client
20:35 < TandyUK2> and that web thing just sucks ass
20:35 < E1ephant> is it that bad?
20:35 < TandyUK2> yes
20:35 < TandyUK2> it's not even html5 (without manually replacing parts yourself)
20:36 < qman__> They have a really awful broken html5 based interface
20:36 < qman__> You pretty much have to use the flash one
20:36 < TandyUK2> i notice how they eventually shipped a vsphere client for 6.0 (that originally deprecated it)
20:36 < E1ephant> I was using openstack, I want to give joyent/trident a try though
20:36 < TandyUK2> no, just stick with esxi 5.5, or if you really must, 6.0
20:36 < E1ephant> bryan cantrill makes a very compelling case for containers over vm
20:36 < TandyUK2> but 5.5 is the main one used in production still
20:36 < E1ephant> I am still on 5.5 here
20:37 < TandyUK2> everyone who runs esxi seriously in prod is on 5.5 still
20:37 < E1ephant> running kvm/openstack in guests
20:37 < E1ephant> it is good for lab, but a gross use of resources
20:38 < TandyUK2> vm versions past 8 might as well not exist either, as they can only be modified using the gash web interface
20:38 < TandyUK2> someone at vmware needs beating around the head with the reason vsphere existed in the first place
20:38 < TandyUK2> vsphere client*
20:38 < qman__> we have over 3500 VMs and run 6.5/latest
20:39 < TandyUK2> i assume you have replaced the entire web shite then
20:39 < TandyUK2> or use exclusively scripts to do everything
20:39 < qman__> No, we recently added morpheus for self service provisioning but everything else is in the web client
20:39 < TandyUK2> I refuse to deploy it to a single server until there is a vsphere client for it
20:41 < tds> TandyUK2: are you just running individual hosts, or vcenter?
20:41 < TandyUK2> clusters with vcenter
20:41 < tds> I don't use vmware stuff, but iirc they have/had a beta/temporary web ui for individual hosts, but vcenter still has a full web ui?
20:41 < vectr0n> the html5 client in 6.7 is almost fully functioning
20:41 < TandyUK2> "almost" lol
20:41 < qman__> The flash based web UI works
20:41 < vectr0n> it's better than "not" "never"
20:42 < TandyUK2> it's still web based, I'll have something actually installed on my workstation thanks
20:42 < qman__> It requires flash, obviously, but it works
20:42 < vectr0n> you will keep on waiting, the vsphere client won't be coming back lol
20:42 < TandyUK2> indeed, and vmware will start to lose massive clients who will just keep on isolated 5.5 clusters
20:43 < vectr0n> everyone's perspective is different
20:43 < TandyUK2> no vsphere client is a blocker to us upgrading, or recommending any of our clients upgrade
20:43 < qman__> Security requirements dictate otherwise
20:43 < vectr0n> ok dinosaur ;p
20:45 < TandyUK2> isolate the hosts, job done
20:45 < TandyUK2> tbfh if anyone can get anywhere near your hosts while not plugged into your mgmt lan, there's something already very wrong
20:45 < qman__> Yes, isolate the system that runs everything
20:45 < qman__> great idea
20:46 < TandyUK2> better than being forced to run some bullshit web gui that requires me to infrect my workstation with flash tbfh
20:46 < TandyUK2> infect*
20:46 < qman__> There have been major CVEs relating to VMs escaping into the host and other VMs
20:47 < TandyUK2> as long as you're up to date it's fine
20:47 < TandyUK2> 5.5 isn't EOL until next year anyway
21:38 < jennie> how to find if an ip address is in use or not on the network? I have tried pinging it, no response and I have tried opening it in a web browser, no response. What else is left to check before I assign it to a new device?? Is there any way to check from the DHCP server?
21:40 < vavkamil> jennie, are you using any switch?
21:40 <+catphish> jennie: the best check is to send an arp request and see if there is a reply
21:40 < Poster> You can also look at the arp cache from any system within the same logical VLAN or network segment
21:41 <+catphish> jennie: the easiest way to do that on any OS is to do a normal ping, then look at the arp cache, to see if there's an entry
21:41 <+catphish> if it says "incomplete" then nothing responded and the IP is free
21:41 < Poster> just be sure to try and initiate traffic to it first, such as a ping, etc
21:49 < jennie> catphish: thx, how to check arp cache?
21:49 <+catphish> depends on the os
21:49 < jennie> vavkamil: Yes, there are 1 or 2 switches in between the devices and the ip i want to check (if it's in use)
21:49 <+catphish> on linux, "arp -n"
21:50 < jennie> catphish: should I run this on the DHCP server?
21:50 < jennie> arp cache?
21:50 < jennie> or any pc will do
21:50 <+catphish> no, just on your PC
21:50 <+catphish> you need to do it immediately after trying to ping it
21:50 < jennie> all pcs are connected in a domain
21:51 < jennie> ok catphish doing it now
21:51 <+catphish> "arp -a" on windows
21:52 <+catphish> on linux: https://paste.ubuntu.com/p/czPx7vSG8X/
21:52 < jennie> https://i.imgur.com/DA7HseZ.png Please check
21:52 < vavkamil> jennie, so you are on a network with DHCP enabled and you want to randomly select one ip and give it to one device?
21:53 < jennie> vavkamil: no, I want to assign an unused IP address to a Printer
21:53 < tds> is the arp command on linux deprecated now (vs ip n)?
21:53 < jennie> but I do not want to use an ip which is already in use
21:53 <+catphish> jennie: your PC is 10.10.13.8?
21:53 <+catphish> if so, you're fine, this IP isn't in use
21:53 <+catphish> oh yeah, it is
21:53 < jennie> yes, my pc is 10.10.14.8
21:53 <+catphish> it's not on use
21:53 <+catphish> *in
21:53 < vavkamil> it might be, but the device is off
21:54 <+catphish> if it was, it would either respond to ping, or show up in that list
21:54 < vavkamil> this is not the right approach to do this
21:54 <+catphish> jennie: it's also worth noting that you should *never* manually use an IP that's in a DHCP range
21:54 <+catphish> even if it's not in use now, it might be tomorrow
21:56 < jennie> ok, and is there anything i can check from the DHCP server inside windows server running the domain controller for the network?
21:56 <+catphish> yes
21:57 <+catphish> you can 1) see if that IP is in the DHCP range and 2) see if any leases or reservations exist for that IP
21:58 < vavkamil> you can check the DHCP server or logs from switches
22:02 < Vigosky> Hello people
22:03 < RoadRunner> hi
22:04 < Vigosky> hi
22:05 < Vigosky> 5
22:05 < Vigosky> +
22:05 < Vigosky> 2
22:05 < Vigosky> 2
22:05 < Vigosky> 2
22:06 < Vigosky> 2
22:06 < Vigosky> 2
22:06 < Vigosky> 2
22:06 < Vigosky> 2
22:06 < Vigosky> 2
22:06 < Vigosky> 2
22:06 < Vigosky> 2
22:06 < Vigosky> 2
22:06 < Vigosky> 2
22:06 < Vigosky> 1
22:06 < Vigosky> 1
22:06 < endre> rly
22:06 < Vigosky> 1
22:06 < Vigosky> 1
22:06 < Vigosky> 1
22:06 < Vigosky> 1
22:06 < Vigosky> 1
22:06 < Vigosky> 3
22:06 < RoadRunner> besides smb based apps, what specific apps can be recommended for Windows shares?
22:06 < Vigosky> 3
22:06 < Vigosky> 3
22:06 < Vigosky> 3
22:06 < Vigosky> 3
22:06 < Vigosky> nobody is talking
22:06 < TandyUK2> catphish around?
22:06 < TandyUK2> no shit because you are spamming, fuck off
22:07 < TandyUK2> ty :)
22:07 <+catphish> i only looked away for 2 seconds :)
22:07 < TandyUK> it's all it takes lmao
22:07 < TandyUK> tbh im surprised there isn't a bot in here for floods like that
22:08 <+catphish> i thought there was
22:08 < TandyUK> well if there is, it's broken :P
22:08 < RoadRunner> I wasn't spamming :)
22:08 <+catphish> that's ok then
22:08 <+catphish> me neither
22:10 < RoadRunner> so, I am trying to share windows shares with xubuntu (and possibly other distros)
22:10 < qman__> RoadRunner: windows file sharing is smb
22:10 <+catphish> you want samba
22:10 <+catphish> though most distros have support for connecting to windows shares built in ready to go
22:11 < RoadRunner> hmm, samba was my first stop, but guys at #ubuntu told me to steer clear of all smb apps...; I got xub 18.04 and it doesn't see my win shares as is
22:12 < RudyValencia> So I have an IPsec VPN between me and a colleague in Florida, and when I access an SMB share on his network (or vice versa) there is a ~10 second delay before I can work with the file; any suggestions why this might be happening?
22:13 <+catphish> TandyUK: Sigyn wasn't in here for some reason, i invited it
22:13 < xdroop> RudyValencia: how is the share mounted
22:13 < xdroop> by name or IP?
22:13 < RudyValencia> xdroop: by name; the DNS is local to me
22:13 <+catphish> that should work :(
22:14 < xdroop> try mounting by IP instead
22:14 < xdroop> most of the time when I see SMB delays like this it's naming related
22:15 < RoadRunner> catphish: as far as you know, ubuntu 18.04 should be able to see win shares without samba?
22:16 <+catphish> i thought it used samba, but in any case, it should work out of the box
22:16 < qman__> It already has the necessary samba components installed by default
22:16 <+catphish> i just use it by typing smb://x.x.x.x in the top of a file browser box
22:16 < qman__> For e.g. nautilus to browse shares
22:16 <+catphish> ^ this
22:18 < jennie> catphish: I just checked and the DHCP is at 10.10.13.xxx so static is all the 10.10.14.xxx network
22:18 < qman__> I haven't tried 18.04 but it's been that way for the last decade, I doubt they've removed it
22:18 <+catphish> jennie: great
22:19 < jennie> catphish: I guess now, there is no point checking DHCP now, only arp and ping will do the wor?
22:19 < jennie> work*
22:19 <+catphish> correct
22:19 < Aeso> actually, 18.04 is using NetPlan to control NetworkManager
22:19 < RudyValencia> xdroop: the same thing happens when I have the share mounted by IP
22:19 <+catphish> Aeso: i don't think that has anything to do with the smb client
22:20 < Aeso> catphish, probably not. Sorry, I didn't read back far enough.
22:24 < xdroop> RudyValencia: at this point i'd get out tcpdump and see what your local system is doing, what it is waiting for when starting up a connection
22:24 < RudyValencia> Is there a Windows app that I can use to see what is happening?
22:24 < xdroop> wireshark?
22:25 < RudyValencia> I have Wireshark installed, what do I put in the filters?
22:25 < xdroop> I'd just grab everything for the 10-15 seconds you are trying to initialize the connection
22:25 < xdroop> your end is waiting on something
22:25 < xdroop> might be waiting on his end to finish waiting on something
22:25 < xdroop> but looking at the packets should tell you what state the connection is in during the wait.
22:26 < RudyValencia> OK now how do I filter this?
22:26 < xdroop> my money is still on a weird naming resolver problem.
22:26 < xdroop> I'm used to looking at everything
22:27 < RudyValencia> I can't read this
22:27 < RudyValencia> I see a bunch of Dup ACKs and Retransmissions
22:28 < RudyValencia> also we're on TeamViewer at the moment
22:29 < RoadRunner> catphish: just tried your suggestion "smb://x.x.x.x in the top of a file browser" and it worked fine; so does installing Samba give some kind of gui to handle this more conveniently?
22:29 <+catphish> RoadRunner: no, samba is the backend that makes it work
22:29 < RudyValencia> between 5938 and 58905
22:30 <+catphish> RoadRunner: so what's not working? seeing the server in some kind of browser?
22:30 <+catphish> RoadRunner: i've never relied on that, i just type in the ip / hostname manually (both should work)
22:30 < RoadRunner> catphish: yes, (Thunar in my case)
22:30 <+catphish> well i'm afraid i don't know much about the browsing :(
22:31 <+catphish> but that's your problem (the browsing), the client itself is obviously working fine
22:31 < RudyValencia> xdroop: I'm seeing a number of Dup ACKs and Retransmissions between me and the other party from port 5938->58905 and vice versa
22:33 < RudyValencia> xdroop: if I close TeamViewer the delay is under two seconds
22:34 < RoadRunner> catphish: if connecting with "hostname", it is not case sensitive is it?
22:34 <+catphish> nope
22:35 < RoadRunner> I guess nothing under win is case sensitive...
22:35 <+catphish> dns isn't :)
22:36 < qman__> netbios is not case sensitive
22:37 < RoadRunner> any advantage to installing Smb4K?
22:37 < qman__> Never heard of it
22:39 < RoadRunner> https://sourceforge.net/p/smb4k/home/Home/
22:44 < jennie> thank catphish i put the ips and it worked
22:44 < jennie> thank you vavkamil as well
22:44 < jennie> :* see you guys later
22:44 <+catphish> cool
22:50 < RoadRunner> catphish: actually, want to back track to my earlier question: connecting to shares: connected to a desktop running winxp ok, but can't connect to laptop running win7
22:52 < RoadRunner> are there more problems connecting to laptops or to win7?
23:00 < RudyValencia> So I think I found one issue: our encryption algorithms may have been too intense to handle the traffic between us.
23:01 < RudyValencia> What are the best IPsec encryption parameters to use over 250/25 DOCSIS cable connections?
23:02 < qman__> daemonkeeper:
23:02 < qman__> Oops
23:03 < qman__> RudyValencia: all available options are usable on that speed of a connection
23:03 < RoadRunner> after inputting: smb://x.x.x.x to get to the laptop am getting an error: Filed to open file system. Failed to retrieve share list from server: Invalid argument.
23:05 < qman__> RudyValencia: encryption adds CPU overhead, not much in the way of bandwidth consumption
23:06 <+xand> less CPU overhead if you have a CPU or ASIC for hardware support
23:08 < RoadRunner> *Failed to open "File System".
23:09 < qman__> the extra bandwidth needed isn't a concern unless you're talking about connections measured in kilobits, like dialup, 64k isdn, or serial connections
23:12 < RoadRunner> laptop is connecting wirelessly, if it's any help...
23:28 < Danskmand1> Aloha :-) - Anyone that runs "Telekom Speedport smart" with an "exposed host" or port forwarding to my servers behind that?
23:38 < Maarten> Danskmand1, nope.. looks like you may want to find some Deutsche Telekom customers.
23:54 < BenderRodriguez> for a given IPv4 address, it has a network and a broadcast address
23:54 < BenderRodriguez> the broadcast address would allow a packet to be sent to every address in that subnet
23:54 < BenderRodriguez> but what is the network address used for
23:54 < BenderRodriguez> ?
23:58 < Aeso> BenderRodriguez, afaik there's not really a good reason for this, except that it was chosen as an identifier for the subnet and everyone agreed to not use it.
23:58 < DoYouKnow> BenderRodriguez: The network address addresses the network so that routing tables and other intranetwork devices can understand. Broadcast addresses (IP-layer) allow packets to be sent to every node on a network, if directed-broadcast is allowed
23:58 < DoYouKnow> I would recommend reading the Cisco Network Academy training material
23:59 < BenderRodriguez> DoYouKnow: but only the broadcast address is necessary for that though
23:59 < DoYouKnow> or a look on google/websites for more information
23:59 < DoYouKnow> The network address is different. For example, if netmasking is done
23:59 < BenderRodriguez> you could build logic into the standard to say + 1 bit = the next network
--- Log closed Tue Jun 05 00:00:45 2018