--- Log opened Mon Jun 11 00:00:53 2018
00:15 < spaces> Apachez split up ?
00:15 < spaces> didn't they merge some years ago ?
00:20 < Apachez> mmm poooorn.... http://blog.thelifeofkenneth.com/2013/02/tear-down-of-hp-procurve-2824-ethernet.html
00:27 < spaces> Apachez don't fap on your hardware ;)
01:44 < Perme8> That told me to look for a help desk job, with a ccna and a networking admin degree, i already have 4+ years helpdesk experience
02:11 < m0rd3cai> So i go to looking at all traffic at home out of boredom and stumbled across a packet my tv was sending out every so often. I'm not 100% sure what tv is trying to do. the ST is schemas-upnp-org:device:MediaServer:1\r\n is the tv attempting to open a connection?
02:11 < m0rd3cai> http://pasteall.org/pic/show.php?id=6e79ec6cff9b1a0c9c16dea36d1211d6
02:13 < smallville> i just terminated my first ethernet cable
02:13 < smallville> cat 6 solid copper is easy
02:14 < scientes> how can i get iftop to support ipv6 ipv4 tunnels?
02:14 < scientes> v4tunnel
02:14 < smallville> i tried to crimp cat 5 stranded but it's a pain
02:14 < smallville> wires too loose
02:20 < smallville> impossible to work with
02:21 < smallville> i line up the wires in proper order, slide them in the plug, but they get scrambled
02:21 < scientes> thats why I use those wall thingies
02:22 < scientes> instead of crimping
02:22 < scientes> then you don't need an expensive crimper
02:22 < smallville> i crimp cat 6 just fine
02:23 < smallville> i have 50 feet of cat 5 laying around that i wanna reuse
02:23 < smallville> but i can't cause it's a nightmare to crimp it
02:24 < smallville> scientes: what wall things?
02:24 < smallville> ethernet wall socket?
02:25 < scientes> yeah
02:25 < smallville> is it easier than crimping?
02:25 < scientes> i've never crimped, but all you need is a screwdriver
02:26 < scientes> https://www.youtube.com/watch?v=vQ4V6_TuiU4
02:27 < scientes> thats actually a crappy one, most don't need a screwdriver
02:27 < scientes> https://www.youtube.com/watch?v=0gxNZoPcnP4
02:27 < smallville> when you have 500 feet of cable, its better to crimp 5 foot patch cables for outlet-to-PC, than buying premade
02:27 < Perme8> I was gonna say a flat head, line up the copper, keep it flat in the rj-45 and you in there like swimwear
02:27 < scientes> you can get premade from goodwill for $1
02:27 < scientes> the long stuff is for long runs
02:28 < smallville> i'm talking commercial grade
02:28 < smallville> for offices
02:28 < scientes> short runs it doesn't matter
02:28 < scientes> just make sure it isn't a 4-wire cable
02:29 < scientes> but if you need tons of it sure.....
02:38 < spaces> I'm sexy as linux_probe wants to know it!
02:44 < dw1> i blocked a baidu IP on both input and output with iptables yet it's still showing a fair amount of traffic in nethogs. what's up with that
02:45 < dw1> ? root x.x.x.x:443-180.76.15.30:42283 44.638 3.963 MB
02:47 < dw1> DROP all -- 180.76.15.143 0.0.0.0/0 /* baidu */ DROP all -- 0.0.0.0/0 180.76.15.143 /* baidu */
02:47 < dw1> that's not the IP. :/
02:48 < dw1> also blocking 180.76.15.0/24
02:50 < dw1> and 180.76.0.0/16
02:52 < dw1> maybe nethogs comes before the firewall :S
02:52 < dw1> would really like to save the transmit bandwidth though
02:53 < dw1> maybe firewall blocks it from going out...
03:04 < dw1> it's not hitting web server logs, just nethogs
03:06 < scampbell> dw1: just scanning by but is it possible you're seeing the rejected packets?
03:13 < petemc> any reason a vrrpe master would refuse to talk to a host?
03:21 < dw1> scampbell: that's all i can figure yea
03:21 < dw1> though i'm DROPing not rejecting so not sure why tx
03:21 < scampbell> dw1: Isn't it the browser attempting to reach out to them?
03:22 < dw1> they aren't reaching the web server
03:22 < scampbell> dw1: a better question is it outbound traffic or inbound traffic?
03:23 < dw1> posted above shows 44.6MB tx 3.9 rx
03:23 < dw1> more tx than rx
03:23 < dw1> and it just keeps trickling up on both
03:24 < scampbell> um not sure if tx is outbound or inbound really. The fact that there is both is interesting.
03:24 < dw1> i used to have a huge site with millions of pages, so that's why probably, but not sure why bandwidth is showing
03:25 < dw1> nethogs says SENT and RECEIVED
03:25 < scampbell> the 3.9 rx is inbound I'm thinking? You blocked this a while ago but it could have just been connections in time_wait death throes after you blocked them.
03:26 < scampbell> are both numbers still rising?
03:26 < dw1> yeah
03:27 < scampbell> hmm.
03:27 < dw1> http://paste.ubuntu.com/p/F9GnJ4bQRh/
03:28 < dw1> ¯\_(ツ)_/¯
03:28 < scampbell> you blocked them with iptables. You could tcpdump on that interface and see what the heck they are.
03:28 < dw1> good idea
03:39 < dw1> http://paste.ubuntu.com/p/mtsXbrkw5Z/
03:40 < dw1> keeps going up even when no tcpdump traffic on ip.. weird
03:40 < dw1> that's the new persistent ip
03:41 < scampbell> If the traffic isn't on the nic, we must suspect nethog. I have no experience with it however.
03:41 < dw1> i guess it's not using real bandwidth.. not sure it's seen in vnstat
03:41 < scampbell> yeah, I love a good puzzle unless I can't solve it....
03:41 < dw1> hehe
03:42 < dw1> ah one clue.. in nethogs it doesn't say eth0 for dev
03:43 < dw1> all other traffic shows eth0 dev
03:43 < dw1> so must be some internal thing
03:43 < scampbell> I picture this lost packet with infinite ttl bouncing about inside nethog :) (not possible of course)
04:46 < scientes> if my comcast router supports moca does that mean i only need one moca box to connect to the internet somewhere else with coax?
https://www.actiontec.com/products/home-networking/ecb6200/
04:46 < fryguy> yes
04:47 < scientes> and how do i know its moca 2?
04:49 < fryguy> search the model number, i'm sure there's tons of technical information
04:49 < scientes> should i replace my splitters with moca splitters?
04:50 < fryguy> probably not
04:50 < scientes> i'm using powerline right now, and the performance keeps cutting off, probably cause they are on differn't power meters
04:51 < scientes> is there a way i can follow a coax line without running a line from each end to check with a multimeter?
04:51 < fryguy> ?
04:52 < scientes> this place was wired for satellite dishes, not cable tv
04:52 < scientes> so i don't know what cables connect to what
04:52 < scientes> if I had credit i could probably fake that i was signing up for comcast and they would do the work for me.....
05:18 < linux_probe> scientes~ needs something like.. https://www.amazon.com/slp/wire-tracer-electrical/ezzhfrwssr8x535
05:19 <+pppingme> scientes outlets in your apartment/house are on different meters?
05:22 < rewt> no, he said "differn't", short for "differ not", which means same
05:24 < linux_probe> lol
05:24 < Capprentice> HI! On my PPPOE Server a number of home grade Wifi Routers are not able to connect whereas other routers work well. Is it the MTU which is causing the issue or the Authentication protocol which is not properly supported by the router manufacturer? The routers are from DLINK, Tenda etc. PPPOE server is hosted on CCR 1009. Should I lower the Interface MTU to something like 1300 or increase the MTU to
05:24 < Capprentice> 1580?
05:25 <+pppingme> Capprentice how are these "home grade" routers reaching this pppoe server? are they on the same l2 network or what?
05:26 < Capprentice> On the same L2 Network.
05:26 <+pppingme> what kind of l2 network?
05:27 < Capprentice> Ethernet network.
05:27 <+pppingme> what do logs say?
05:28 <+pppingme> and why are you trying to do pppoe?
05:28 <+pppingme> is this like an apartment building isp or something?
05:28 < Capprentice> Routers dont have the logging system. I only can see the status and it shows 'disconnected'
05:28 < Capprentice> Yes. ISP
05:29 <+pppingme> what do server logs say? does it look like connection is completing then doesn't pass traffic or what?
05:29 < Capprentice> hmm. Have to enable PPPOE debugging. Haven't checked.
05:33 < Capprentice> what are the most basic reasons for this?
05:34 <+pppingme> if everything is on the same ethernet segment, its not likely to be a frame size issue unless you have something real wacky on the switch
05:35 < Capprentice> Okay.
05:36 <+pppingme> what are clients reporting?
05:36 <+pppingme> even without logging, they are surely giving at least some simple error message
06:11 < Capprentice> pppingme: When dialing from Windows 10 USERS are getting connected, when using router they never connect. Router debugging shows - 'Iniatilizing connection' and then 'aborted' !
07:47 < nobrain> will I notice any improvement in my LAN if I replace CAT5e with CAT6 cables? devices are 1Gbps and they are all in the same room
07:48 < detha> no
07:48 < nobrain> alright ty
08:44 < scientes> does the in/out of a coax splitter matter to MoCA?
12:33 < TandyUK2> FFS BT, why am I looking at a central london location that cant get FTTC
12:34 < TandyUK2> adsl+annex M, or leased line, those are my options lol
12:34 < TandyUK> its not even that the cab is full and theres a waiting list either, the cab simply has never been enabled for fttc
12:45 < paul424> Hello, hello, I am on new ethernet network and would like to connect windows10 machine to it ...
12:45 < paul424> problem is the panel settings does not make any sense ..... it does not display any ethernet network nor ....
12:46 < TandyUK> plug in cable, done
12:46 < TandyUK> unless youve previously fiddled with settings
12:46 < TandyUK> or you have a dodgy cable, or perhaps the network is well secured
12:47 < paul424> heh that's good advice ...
12:47 < paul424> what do I do after that ?
12:48 < light> whose network is it?
12:48 < TandyUK> after that? Talk to the network administrator
12:51 < paul424> sorry the plug was wrongly inserted ....
12:51 < paul424> I have another problem ,.... with installing the original Bioshock 1 game
12:51 < paul424> well it started to download or rather search for an online patch before I correctly plugged in
12:52 < paul424> the network and now there is no progress in downloading
12:52 < paul424> what should I do .... reinstall the game ?
12:52 < light> have you tried turning it off and on again? ._.
12:52 < paul424> the last stage is installing the patch ....
12:53 < paul424> light yes I might start to install that game but that would be a pity ...
12:53 < paul424> to install that game once again ... hmm
13:06 < TandyUK> reboot and try again
13:08 < phinxy> With IPv6 every square cm of the earth can have a unique address? How many bytes is an IPv6 address?
13:08 < Dagger> 16 bytes
13:10 < Dagger> you can feed "surface area of the earth / 2^128" into google (or wolfram alpha if google isn't having it) to get the answer to the first part; I have a feeling it's more than one address per square cm
13:11 < TandyUK> 1 address per atom is more like it
13:11 < TandyUK> 2^128 is an insanely high number
13:14 < TandyUK> there are roughly 667220327295957771496812955748 ipv6 addresses per square km of the earths surface
13:14 < TandyUK> (340 undecillion / 510000000)
13:17 < TandyUK> "So we could assign an IPV6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths. It isn't remotely likely that we'll run out of IPV6 addresses at any time in the future."
13:17 < TandyUK> https://skeptics.stackexchange.com/questions/22501/are-there-enough-ipv6-addresses-for-every-atom-on-the-surface-of-the-earth
13:18 < TandyUK> "On the surface of" is the key phrase here, there are NOT enough ipv6 addresses for every atom that makes up the earth, by a factor of about 10^12
13:19 < djph> TandyUK: so, we don't have enough ipv6 addresses "for the earth"
13:20 < TandyUK> no, but there are plenty for the surface of the earth
13:20 < djph> we should scrap ipv6, go straight to v8, 256-bit addresses
13:20 < djph> that oughta solve the problem.
13:20 < djph> :D
13:20 < TandyUK> nah we need to maintain the jump
13:21 < TandyUK> v4 (32bit) > v6 (128bit) means > v8 (512bit)
13:21 < djph> so 512?
13:21 < djph> bahhahah
13:21 < TandyUK> and i think we'd need like base64 or something to help note them down in any sensible length :P
13:22 < djph> probably
13:22 < djph> I mean, v6 addresses are just silly as it is
13:22 < avu> Every atom needs its own 64bit address space at least so it can run its own ethernet with SLAAC
13:22 < TandyUK> well obviously, it needs to be able to allocate a subnet per sub-atomic particle
13:23 < TandyUK> each netron gets its own /32 or something lol
13:23 < TandyUK> neutron*
13:23 < djph> I think that's a bit silly
13:23 < TandyUK> oh _THAT_ is silly :P
13:23 < djph> I mean, if /512 is a single address, A neutron shouldn't ever need more than a /128
13:24 < TandyUK> but an address per atom, thats ok :P
13:24 < djph> TandyUK: given that the Earth is a supercomputer designed to calculate the ultimate question to life, the universe, and everything ... it probably is already addressed like that.
13:25 < TandyUK> this is very true
13:25 < TandyUK> https://xkcd.com/865/
13:25 < TandyUK> just reminds me of that :P
13:26 < djph> hahaha
13:51 < tcpdump> morning all
13:51 < tcpdump> Im in wireshark and my preview pane at the bottom is hex encoded for the preview. Any idea how to change that to ascii?
13:56 < Roq> tcpdump: ascii is next to it, or you can right click on your packet do "follow" "tcp stream" and you can dump that output in ascii
14:13 < obsrwr> hello #networking
14:14 < obsrwr> is there a way I can send a packet on an ethernet link, without an ethernet header?
14:14 < obsrwr> but a custom header
14:14 < obsrwr> that is, without using DPDK and putting custom packets in the TX/RX rings of the NIC directly, is there a way to do this using standard Linux driver
14:15 < djph> sure, but then it's not *ethernet*
14:16 < jelly> y tho
14:16 < djph> (note that there may be hardware issues)
14:16 < obsrwr> jelly: because i have a custom piece of hw that expects a certain header type
14:16 < djph> obsrwr: so, you need something that doesn't talk ethernet (e.g. IPX, AppleTalk, something else)?
14:17 < obsrwr> i just want to send a packet to a NIC's tx buffer without going through the linux network stack
14:17 < obsrwr> the other end will decide what to do with the packet
14:17 < djph> well, the kernel interfaces with the hardware ...
14:17 < obsrwr> yes, that's ok
14:18 < obsrwr> i just wondered if there's a "raw" socket type that lets me avoid the L2 layer in the kernel
14:18 < djph> so you have to work within the confines of the kernel (i.e. likely write a new module) -- BUT, if you're talking a modern NIC, it may only talk ethernet, end of story.
14:18 < obsrwr> so new driver, ok
14:18 < jelly> but ipx is still ethernet when it goes over ethernet, isn't it
14:19 < djph> ... it's been far too long since I've studied it
14:19 < jelly> merely a different layer 3 payload
14:20 < djph> jelly: yeah, IPX/AppleTalk are L3 protocols, it's too early in the morning :(
14:20 < obsrwr> i could also create fake dest/src addresses in such a way that the bits look like the headers the other end expects
14:20 < djph> L2 would be like ATM, FDDI, Ethernet, etc.
14:21 < djph> what (L2?) protocol does this device talk?
14:21 < obsrwr> a proprietary one
14:22 < jelly> but phy bits are ethernet compliant?
14:22 < obsrwr> but theoretically if i set the fake src/dst in the packets and set the static ARP entries, the packets should get on the wire and get to the other end
14:22 < obsrwr> yes
14:22 < jelly> yay for vendor lockin
14:23 < obsrwr> yes
14:23 < djph> you're fucked. A generic ETHERNET NIC, is quite likely NOT going to talk "whatever proprietary protocol"
14:23 < jelly> depends on how able you are to rewrite its firmware I guess
14:24 < obsrwr> the NIC is fine talking it, it doesn't care about the contents of the frame
14:24 < obsrwr> i just wondered if i can somehow send one just from userspace
14:24 < djph> That's not necessarily a bad thing -- I mean, you don't *need* a generic network card to talk FDDI or ATM (or ...), so meh.
14:25 < jelly> probably just fakethernet with evil bit set in the wrong place
14:25 < obsrwr> i mean when a linux NIC driver gets an SKB, it doesn't care what's in the buffer the SKB points to, it just places it in the TX ring
14:25 < obsrwr> yeah
14:26 < obsrwr> it's just that i have to go through the linux ethernet layer in the network stack before i reach the NIC, but yeah evil bits should go fine if the ARP entries are there
14:38 < hfp> Hi, I have two domain names. One has a website (A record on domain.com pointing to an IPv4 address) and a mailserver (mail.domain.com pointing to another IP with A record, MX record pointing to mail.example.com). I also have another domain, otherdom.org where I have no A record for otherdom.org, and an MX record for mail.otherdom.org pointing to mail.domain.com. Furthermore, I have SRV records like
14:38 < hfp> _carddavs._tcp TXT records on both domains, both with the values "1 443 mail.domain.com". I also have mail.otherdom.org as a CNAME to mail.domain.com, but when I dig or ping mail.otherdom.org, it never resolves. What am I doing wrong?
14:39 < hfp> and when I try to use a calDAV app on otherdom.org, it tries to lookup _caldavs._tcp.otherdom.org and fails (according to logs)
14:43 < djph> hfp: seems your MX record or CNAME is wrong. But I can't really follow what you did.
14:44 < hfp> what's even weirder is that everything works fine on some networks but not on others
14:45 < hfp> so I have domain.com that hosts the email server. And I have otherdom.org that I want to use domain.com's email server but with its own domain (i.e. mail for @otherdom.org is handled by domain.com's mailserver)
14:46 < hfp> I have set the MX for otherdom.org with the value "mail.domain.com" with priority 10. I have set the _caldavs._tcp.otherdom.org SRV record to "1 443 mail.domain.org". Those settings work with domain.org, but not with otherdom.com (depending on which network I'm on apparently? works on my cell network but not on my wifi, and linkedin says they have trouble sending me email but I can send an email to
14:47 < hfp> myself fine from a gmail account)
14:47 < hfp> I can't understand if the problem is my DNS configuration or if it's something else, and I don't know how to tell
14:52 < djph> if it's "where you're connected" based, then the nameserver on the one network is fucked.
14:52 < djph> e.g. domain.com has a split-horizon DNS setup ... and you didn't do that for domain.org
15:07 < Donjuanal> Anyone in here have experience with HSRP being used over an MPLS Pseudowire?
15:18 < Roq> Donjuanal: Ive used in a lab before, works fine
15:20 < Donjuanal> Roq: thanks, thats what I needed to know. I was pretty sure it'd work but the confirmation is helpful.
15:20 < Roq> Donjuanal: I used port-to-port xconnect and that worked. Not sure if your setup might be different
15:23 < Donjuanal> Roq: I won't be doing the pseudowire config, so I'm not sure but i'll keep that in mind.
the HSRP will be running on 6807XL's, the pseudowire on ASR's between the two sites
15:52 < e^1> networking guys, i got 2 vm's running same VM's how is that even possible ? just want to understand
15:53 < Apachez> 2 vm's running the same vm ?
15:53 < djph> e^1: what?
15:53 < Apachez> isnt that how fault tolerance works in vmware?
15:53 < Apachez> you have a hidden shadow/mirrored vm running in parallel with the current one
15:53 < shtrb> different instances of the same file ? where is the problem ?
15:53 < e^1> djph: i create a VM using virt-manager then cloned it, now both have same IP addrs and they both are able to connect to the internet.
15:54 < Apachez> if/when the current one goes poff the shadow one becomes current and continues execution since all its ram and cpu state was already in sync
15:54 < shtrb> e^1, they both have a private ip which is behind the "vm" NAT ? no problem there
15:54 < e^1> this is the first time this happened, on my other servers when i clone a VM, the newly created VM always gets a new ip address
15:55 < e^1> shtrb: yesh same private ip
15:55 < e^1> shtrb: using bridge connection btw
15:55 < e^1> the problem is when i try to change hostname, it fails no matter what i do, it defaults to the hostname of the original VM
15:56 < tds> if this is with libvirt's built in nat setup (which is a bridge between all vms and then nating on the host from the bridge interface), I wouldn't expect two VMs with the same IP on the same host to work
15:57 < shtrb> tds, don't you need to request the bridge to be built (not default on ) ?
15:57 < e^1> tds exactly
15:58 < e^1> whatever i try to do the new ip address is not getting applied
15:58 < e^1> so i have like 4 cloned vm's with the same ip's and all of them working fine
15:58 < tds> shtrb; I thought the bridge with nat setup was default after installing libvirt, I may be getting mixed up though
15:59 < shtrb> tds, I'm not sure either but I think I needed to enable it
15:59 < tds> what does the neighbour table on the host look like? I'd expect it to only have one entry per IP, so multiple VMs having the same IP wouldn't really work
15:59 < tds> ...unless you also managed to duplicate mac addresses I guess
15:59 < e^1> cross checked, mac addresses are different
16:00 < e^1> this is really a strange thing and I'm really not a networking expert
16:00 < tds> are all the VMs doing dhcp?
16:00 < tds> I'd expect dnsmasq to hand out different IPs for each, you may need to release+renew the dhcp lease in the vms after cloning them though
16:00 < shtrb> Are you using dhcp by hostname ?
16:02 < e^1> here is the pic
16:02 < e^1> https://imgur.com/a/ijRlJjR
16:02 < e^1> yes they are all doing dhcp
16:02 < e^1> the same thing on my other servers works out of the box, this is the first time i ever experienced such issues.
16:03 < tds> if you manually delete the lease and reboot (or ifdown then ifup the interface), does that sort it?
16:04 < tds> leases are in /var/lib/dhcp/something iirc
16:04 < e^1> tds: nope tried that too
16:05 < e^1> tried sudo ifdown wlan0; dhclient then dhcpcd all of them... is there any other method that i am missing ?
16:05 < e^1> instead of wlan0 it's ensp3
16:07 < tds> might be worth doing captures of the vm starting and looking at the dhcp traffic, could check logs of dnsmasq on the host as well
16:08 < e^1> let me know the commands that i should try ?
16:08 < tds> also, what are the VMs using for network management - I was assuming plain ifupdown/whatever with dhclient, is it network-manager or systemd-networkd or something instead?
16:09 < shtrb> e^1 can you check if you can kill avahi (if running )
16:09 < shtrb> also try getting rid of network-manager
16:09 < e^1> on the host machine ?
16:09 < shtrb> gues
16:09 < e^1> tds: its systemd ubuntu 18.04
16:10 < e^1> okay let me check
16:14 < e^0> Oh it seems like i found the fix
16:15 < tds> ah, was there some trick with systemd-networkd?
16:15 < shtrb> e^0, what is the fix ?
16:16 < e^0> no none of those networking related tricks
16:16 < shtrb> so ...
16:17 < e^0> went to router, reserved that ip with a distinct MAC and restarted other VM's boom..!! It got new ip addresses
16:17 < e^0> weird but it worked
16:17 < compdoc> boom!!
16:18 < e^0> hehe :D
16:18 < e^0> sometimes networking is such a bitch, it becomes difficult to understand what goes where..
16:19 < e^0> is there a guide or cheat-sheet kind of stuff where most of the necessary commands for linux networking are documented ?
16:19 < e^0> let me search on github
16:19 < djph> the manual.
16:20 < shtrb> tldp ?
16:22 < e^0> looks like still the hostname is not changing... :/
16:23 < djph> shtrb: probably the best.
16:23 < shtrb> or source code ...
16:27 < djph> that'd work too
16:37 < mcdnl> networking is layered, it's pretty easy, but there's a lot of layers
16:38 < shtrb> and that is why they are killing ifconfig and netstat and bringing in ss and ip
16:39 < mcdnl> makes sense, both are pretty much easier to use than their legacy counterparts
16:40 < regdude> "TE on international links" (no context) - any ideas what does it mean?
16:41 < mcdnl> terabit ethernet?
16:42 < mcdnl> 1000Gbit links? that sounds good
16:42 < shtrb> Telecom Egypt ?
16:42 < regdude> might be
16:47 < Langley> Hello, I'm trying to solve some certificate trouble, when running 'openssl verify -verbose -purpose any -CAfile $rootca $intermediate $site', I get the error "error 20 at 0 depth lookup:unable to get local issuer certificate" ... what does that mean?
I've manually checked that issuer and subject match in all three files
16:51 < mcdnl> i think youre missing
16:51 < mcdnl> a switch, like -untrusted or smth like that iirc
16:52 < Langley> Why? They're not self-signed, they're from RapidSSL
16:53 < mcdnl> -untrusted for the intermediate
16:53 < mcdnl> i dont recall why
16:53 < mcdnl> had to do that with comodo rsa domain validation certificates
16:55 < mcdnl> Langley: https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify
16:55 < mcdnl> either you stack root and intermediate and pass both together to -CAfile
16:56 < mcdnl> or you specify intermediate with -untrusted
16:56 < Langley> That seems to work.... I don't understand it though
16:56 < mcdnl> read the stackoverflow post
16:56 < mcdnl> i've had this problem before :)
17:01 < Langley> I still don't get it... those guys seem to be using self signed, or self signed intermediate certificates
17:03 < Fieldy> morons will be morons
17:15 < WeirdTolkienishF> I've had it explained to me that CA authorities are "corporate" (and therefore not trustworthy, although let's encrypt does exist)
17:16 < Langley> In any case I'm no closer to my actual issue, which is Roundcube fails to verify the certificate when connecting to Dovecot
17:16 < Langley> Despite all other clients working fine
17:30 < mcdnl> Langley: thats because the cacerts.jks doesnt include the root ca for your certificates
17:30 < mcdnl> also, all CA certificates are self signed
17:31 < mcdnl> they're trustworthy because they're well known AND placed in the "trust store"
17:31 < Langley> the what? cacerts?
17:32 < mcdnl> oops
17:32 < mcdnl> dovecot has nothing to do with java sorry
17:32 < mcdnl> nor roundcube i guess
17:32 < Fieldy> if java is the answer, the question is wrong
17:33 < mcdnl> thats because either dovecot isnt sending the full certificate chain or roundcube doesnt has the root ca of your certificate issuer in their trust store
17:33 < mcdnl> doesnt have* omg
17:33 < mcdnl> need more coffee
17:35 < mcdnl> Langley: see this
17:35 < mcdnl> https://wiki.dovecot.org/SSL/DovecotConfiguration
17:35 < mcdnl> "Chained SSL certificates"
17:35 < mcdnl> make sure your ssl_cert is built that way
17:36 < mcdnl> in fact, you can test your dovecot server with openssl s_client
17:37 < Langley> It tests fine
17:40 < Langley> All tests are fine, other clients are fine.... it's driving me crazy
17:40 < mcdnl> then roundcube might be using a ca store that doesnt have your CA root certificate
17:41 < mcdnl> i had this kind of problem with a glassfish server
17:41 < mcdnl> it has its own ca trust store (thats why i said cacerts.jks before)
17:41 < mcdnl> that didnt contain the certificate of the root CA that signs my certificates
17:42 < Langley> They're both running Opensuse, both have the same files
17:43 < Langley> They both have the Digivert Global Root CA
17:45 < mcdnl> when using s_client you get a "Verify return code: 0 (ok)" ?
17:45 < Langley> Yep
17:45 < mcdnl> that's odd
17:46 < mcdnl> but i havent used roundcube nor dovecot so i can't think of anything else
17:47 < Langley> Me neither, except one of them not looking in the system's ca store.... but thanks
17:48 < djph> are you serving multiple vmail hosts with the same dovecot installation?
17:48 < mcdnl> i guess you've tried the s_client from the roundcube server to the dovecot server
17:48 < mcdnl> oh that
17:49 < Langley> djph, perhaps
17:50 < djph> Langley: if you are, you'll have to set TLS "by host" keys
17:50 < djph> ... oh whatsitcalled ...
17:50 < mcdnl> SNI?
17:51 < mcdnl> yes
17:51 < mcdnl> local_name foo.bar.baz { ssl_cert =.... }
17:55 < Langley> Where are those set?
17:55 < mcdnl> found it here
17:55 < mcdnl> https://wiki.dovecot.org/SSL/DovecotConfiguration
18:03 < Langley> Hmm I'm not sure if this is the problem here... we only have one set of certificates
18:12 < acos> Howdy
18:15 < acos> Is smime broken yet?
18:15 < Langley> Enough of that for today, but thanks for the help
18:48 < djph> acos: depends on what you mean by "smime"
18:50 < acos> That email tech djph
18:56 < djph> acos: S/MIME is simply "Secure MIME"
18:57 < djph> acos: so ... it really depends on what you're using to "secure" the message
18:57 < acos> Ah thanks
18:59 < djph> I mean, something batshit insane like a caesar cipher ... not so secure.
19:17 <+pppingme> /join ##english
19:19 < djph> pppingme: I don't want to.
19:19 <+pppingme> ha ha
19:20 <+pppingme> not sure how to pronounce something..
19:20 < Zedax> hello there, is anyone used to handling ipv6 on mikrotik ap? i can't manage to make it get an address with radvd or dhcp, and my router is working fine for all kinds of other devices
19:25 < Zedax> my isp just gives me a /128 (i know....) so to be able to have ipv6 on the home devices i have to nat it to another interface in the router, fdc1:: /64, from there with radvd all the other devices can get the address and exit through the nat, now this mikrotik is connected to that interface (to a switch connected to it..), and neither with nd discovery or dhcp6 client is it getting anything, it just has its own link-local address but
19:27 < koala_man> gotta avoid the mistakes of the past and not overallocate IPv6!
19:33 < Onionnion> Any advice for what to look for or try to be familiar with for someone who wants to get into public and private cloud implementations?
19:33 < Onionnion> I have a CCNA but I'm not entirely sure what to try for next or even what job titles to look for in this.
19:34 < Onionnion> I so far only work on my own private cloud on and off, currently proxmox, but just a single host
19:34 < Onionnion> not really enough of anything I think to land me a job easily for that kind of work right away
19:34 < Onionnion> unless I got lucky
19:36 < Onionnion> Just not sure where to go from here for wanting to work in that area
19:38 < Onionnion> Might be "cloud engineer"?
19:39 < Onionnion> I just don't want to be the guy who's just running prewritten scripts
20:33 < sruli> in netplan i want to make 2 bonds. bond0= nic2/3/4 as 802.3ad. bond1= bond0/nic1 as active-backup with bond0 as primary, can i do that, if yes does this config file look right? https://paste.fedoraproject.org/paste/QvpQ2OI7dEQ1LB-HV6fk4Q
20:41 < Kingrat> afaik you ideally would have to bridge nic1 and bond0, i dont think you can/want to bond bond0 to bond1
20:41 < Kingrat> dunno why you are even doing it that way
20:42 < Kingrat> just bond0 to all 4 nics and if you are using lacp let it handle failure
20:52 < sruli> Kingrat: i want to set it up that way in case switch fails and needs to use non 802.3ad switch temporarily
20:53 < sruli> Kingrat: if i use a bridge i would get a different ip on each right?
20:55 <+pppingme> no, bridge implies a singularly controlled collection of interfaces
20:56 < sruli> pppingme: ok, will try bridge
20:56 < sruli> i am new to netplan, if i lose connectivity (remove cable) how can i get ip lease from dhcp server? netplan apply does not do it, dhclient connects first nic (ignoring bond) so far the only way i was able to get ip renewed is a reboot
20:56 <+pppingme> that go to different l2 segments (no loops) that can now talk to each other through this singular bridge
21:02 < mgolisch> no idea, never touched 18.04
21:05 < skizzy> I have a question. Ok Here is the scenario. I have a custom firmware router(linux based) wirelessly hooked by wifi to my cellphone and then ethernet wired into 2 computers.
Ok I also have 1 computer hooked directly to the wifi on the phone. How can i communicate with the computer on the phone's wifi? I can ping its ip which is weird
21:06 < fryguy> draw this out, I think you are specifying everything backwards
21:07 < mgolisch> i think he means the stuff is connected to the phone's hotspot
21:07 < fryguy> short answer, maybe: add a static route for the computer that's connected via the phone
21:07 < skizzy> The phone is my internet connection
21:07 < mgolisch> you probably can't
21:07 < mgolisch> i think it usually doesn't allow communication between the connected devices
21:07 < skizzy> it's weird cause i can see the ip on other computers i just can't ssh into it
21:07 < skizzy> I was thinking iptables rules would fix it?
21:08 < skizzy> maybe...
21:09 < skizzy2> if anyone answered me i lost power for a sec on that machine
21:10 < skizzy2> storming
21:14 < skizzy2> I think someone said static route? I'll look into that. i don't have irc log on that machine
22:27 < warrshrike> does anybody here know about RFC6238 TOTP
22:28 < warrshrike> i.e. time based otp's
22:30 < DarkestTwilight> Would anyone be willing to look at a Proxmox OVS config for me?
22:33 < tds> DarkestTwilight: just state the actual issue you're having rather than posting in multiple channels, you'll have a much better time :)
22:34 < Apachez> tds: did you answer him this in multiple channels as well?
22:34 < tds> someone else did in ##proxmox
22:34 < Apachez> I have nothing against cross channel posting because people in channel1 are often different from people in channel2
22:34 < Apachez> even if tds seems to be lurking in both
22:35 < tds> normally I'm not that bothered, but if I could think of one person who I'd expect to be able to help with that question, they were the person who answered in ##proxmox :P
22:36 < SovietBeer> i want to discover hosts on a lan. do i have to send an ARP request to every ip on the subnet?
22:37 < SovietBeer> or is there a way to send a broadcast ARP request that all hosts will respond to?
22:40 < degantyll> Hi guys, I see some mDNS queries to denadbyqbk.local, kjawpsewebovmx.local, qzuugfsfzkykxe.local from some computers, should I worry? I can't find any information about it
22:41 < ||cw> SovietBeer: you could ping the broadcast IP and watch the arp table
22:42 < SovietBeer> ||cw: so i should wait some time after pinging it, before reading the arp table? to give hosts time to respond?
22:43 < ||cw> SovietBeer: i guess? what do you need the macs for?
22:43 < SovietBeer> ||cw: i need the IPs
22:43 < ||cw> so just nmap
22:43 < ||cw> arp is for macs
22:44 < SovietBeer> but i need the results as an array in my program..
22:44 < SovietBeer> with nmap i'd have to parse the text output..
22:45 < SovietBeer> my rpi client has to discover industrial scales on the lan
22:45 < SovietBeer> for auto config
22:45 < ||cw> oN/-oX/-oS/-oG : Output scan in normal, XML, s|
< SovietBeer> ||cw: is it also possible to output xml to stdout?
22:47 < ||cw> check man page, but usually, yeah
22:47 < SovietBeer> ||cw: does nmap also just ping the broadcast address and then read the arp table?
22:48 < SovietBeer> or does it send an arp request to every IP on the subnet like the arp-scan tool
22:48 < ||cw> arp and ping are not the same thing
22:49 < SovietBeer> ||cw: but shouldn't a broadcast ping populate the arp table with the hosts that are online?
22:50 < ||cw> technically. unless there's more than fits in the allotted cache
22:51 < ||cw> nmap can also tell if a host appears up but just isn't talking due to firewall or whatever
22:53 < SovietBeer> ||cw: this seems to be sufficient to find the hosts that are relevant: `nmap myip/24 -p -oX -`, is that the best way?
22:54 < ||cw> it's probably the most reliable way
22:54 < SovietBeer> ||cw: ok. but what exactly does this send out? arp or ping?
22:55 < SovietBeer> if possible i want to do this myself without depending on nmap being installed on the pi
22:55 < gallax> greets
22:55 < SovietBeer> (currently i'm doing it like this: https://github.com/gavynriebau/arp-scanner )
22:55 < gallax> SovietBeer: I just read something
22:56 < SovietBeer> but it takes 17 seconds on my /24 lan whereas nmap only takes like 5 secs
22:56 < gallax> going live within two years
22:57 < ||cw> SovietBeer: IIRC it starts with a ping and then tries other things. I'm sure the nmap does have a nice walk-through
22:57 < ||cw> does/docs/
22:57 < gallax> Russia creating its own DNS root servers --> "The data centers working with this cloud are all made with 'Russian components,"
22:58 < SovietBeer> ||cw: ok. but is there such a thing as a broadcast arp request, that only requires sending 1 packet, and all hosts on the subnet will respond?
22:58 < SovietBeer> someone was saying i should do that, but i can't find anything about that online
23:00 < gallax> I wonder if the internal protocols are made public
23:01 < ||cw> arp broadcast is normally for "hey who has this IP?" I have no idea if there's a common "hey everyone tell me your ip"
23:02 < gallax> ||cw: aren't arp tables mac address tables?
23:02 < zamba> hi guys.. we have the strangest problem.. i'm trying to figure out why i'm not able to query one ntp server..
23:02 < zamba> i can see the ntp 123 client call using tcpdump
23:02 < zamba> does that mean it has left the network driver and is onto the physical layer?
23:03 < zamba> can i be absolutely sure it has left the server?
23:03 < scientes> no
23:04 < TandyUK> SovietBeer: https://wiki.wireshark.org/Gratuitous_ARP Combined with Wireshark, you can find quite a lot of things this way
23:04 < scientes> not without putting a box between your box and the destination
23:05 < TandyUK> and if you know the local subnet, a ping to the broadcast address can get a few responses
23:05 < zamba> scientes: what can help me figure out what's going on
23:05 < zamba> ?
23:05 < zamba> scientes: i tried running 'strace' on the ntpclient command
23:12 < SovietBeer> TandyUK: i don't want wireshark as a dependency of my rpi client either..
23:14 < nojeffrey> Why would MST (on 3750x) change a port from blocking to forwarding and back again every ~3 minutes?
23:18 < mgolisch> what is mst?
23:26 < zamba> scientes: any idea how i debug this?
23:38 < mgolisch> run tcpdump on the destination server?
--- Log closed Tue Jun 12 00:00:54 2018