--- Log opened Thu Jun 14 00:00:11 2018
--- Day changed Thu Jun 14 2018
00:00 < ||cw> we're specifically talking about Dot1q.  I'm aware there are other things called vlan
00:00 < alesan> OK I guess one can use a linuc host with multiple interfaces to do that...
00:00 < alesan> linux
00:00 <+catphish> not necessarily even .1q, you can implement port-vlan in a totally proprietary way
00:00 < alesan> well I believe most routers that have a hardware swtich also do HW VLAN
00:01 <+catphish> almost any hardware switch will do vlan processing in hardware, yes
00:01 < ||cw> many consumer/openwrt routers that have vlan support do not use hardware
00:02 <+catphish> if they're doing vlan switching, they're probably doing it in hardware
00:02 <+catphish> but they can also do vlan processing at the linux level for routing purposes which is kinda different
00:03 <+catphish> my earliest attempt at this was i tried to make an open source firmware for the mikrotik CRS125G based on openwrt
00:03 <+catphish> but i never got permission to release the open source switch drivers from qualcomm, so tht failed
00:04 <+catphish> this is why i'm interested in a truly open source switch
00:05 < ||cw> were yours based on something you got from then under NDA?
00:05 <+catphish> ||cw: yes
00:05 <+catphish> i got it working, but could never release it, shame really
00:06 <+catphish> i've been impressed with azonenberg's efforts, but there's a lot still to do, and i don't think many people have the skills required to help
00:06 < ||cw> how much would be left if you took out the bits that are NDA affected and let someone else try to fill in the blanks?
00:07 < ||cw> or even make it plugable on top of their binary blobs?  possible?
00:07 <+catphish> ||cw: essentially you'd be left with what is already open source for similar switch ICs, i mostly took the existing ones and filled in the magic addresses and values from the datasheets :(
00:08 <+catphish> there are open source drivers for other more primative qualcomm switches
00:08 <+catphish> it wasnt a huge leap, just needs the proprietary data
00:08 <+catphish> you could maybe sniff it from the wire and piece it together, but i guess nobody cares to bother
00:09 <+catphish> the thing is, the switch is awsome, you can do so much more functionality if you have the datasheet
00:09 <+catphish> i only did the basics to begin with (implementing the most basic vlan functionality)
00:12 < ||cw> I never understood that.  seems like it would increase sales.  I guess it might leak some clue to competitors, but they'll get it eventually anyway
00:13 < johnpringa> Hi everyone - I would like to deliver Fiber to some of our clients in USA but want it to be under a reseller program. I don't mind if the fiber is using our backbone ip transit or if it is from a big ISP. Do you know of any reseller programs I can use?
00:14 <+catphish> ||cw: it's not clear to me either why it's secret, but i assume there's a reason
00:17 < ryao> I noticed that manufacturers of garbage consumer grade gear are now demanding enterprise level pricing for them. Is it just me or do others find that situation perverse?
00:17 <+catphish> johnpringa: i don't know the USA but it makes sense to ask major carriers, zayo comes to mind
00:17 <+catphish> ryao: like what?
00:18 < ryao> I sent messages to a few publications asking them to do a comparison of Ruckus' APs with mesh and gaming wifi solutions to bring the matter to light. So far, everyone has told me to talk to SNB. ^_^;;
00:18 < ryao> catphish: The latest Asus ROG Wireless Router costs $480 off Amazon. A Ruckus R510 can be purchased for $307 off eBay and it will mop the floor with the Asus in just about every metric that matters.
00:19 < ryao> s/Ruckus R510/Ruckus Zoneflex R510/
00:19 <+catphish> oh you mean things like asus supermegasamingXstation16000ROG type products
00:19 < ryao> That and also the mesh stuff.
00:19 <+catphish> the mesh stuff is IMO a bit more involved and worthwhile, they run dedicated backhaul networks
00:20 < djph> how about "product state: New in box"
00:20 < ryao> Even the Zoneflex R310 would mop the floor with the Asus. Few clients support more than 2 streams and the Zoneflex does a better job of handling multiple clients than just about anything consumer grade. The test results whenever anyone checks to see how the consumer grade stuff does are embarassing.
00:20 <+catphish> definitely worth more than a standard AP because they likely have 3 radios and some clever software
00:20 < ryao> catphish: Well, only the Netgear Orbi.
00:20 <+catphish> but i think we can all agree those "gaming" routers are like gold plated hdmi cables
00:21 < djph> catphish: _Monster_ gold-plated HDMI cables
00:21 <+catphish> maybe they're reasonable quality build, but they have no technical merit and likely use the same soho chipsets
00:21 < ryao> catphish: However, here is the thing. The Ruckus APs basically have dozens, hundreds or even thousands of emulated low gain directional antennas inside them (called antenna patterns). Versus 2 or 3 directional APs, the Ruckus should match or exceed the coverage and be a better deal price wise, while having fewer problems and in general handling multiple clients more gracefully.
00:21 <+catphish> ryao: i assumed that's what you meant by mesh
00:22 < ryao> catphish: Also, the Ruckus APs are able to operate in a mesh. :)
00:22 < ryao> I have never met anyone who needed 2 ruckus APs in their house though.
00:22 <+catphish> oh yeah i remember they can do that
00:22 <+catphish> you haven't been to my house :)
00:22 < ryao> The range is just that amazing. Professional installations of Ruckus APs use 2 to 3 times fewer APs than installations of other vendors' solutions.
00:22 <+catphish> i do wonder how a ruckus would do actually, i have 2 unifi pros atm
00:23 < ryao> catphish: I replaced my 2 unifi AC Lite APs with a single ruckus 7982 and got better coverage.
00:23 <+catphish> yeah, i covered a major uk city with ruckus, they're sexy
00:23 < ryao> That is a 802.11n model. I later upgraded to the 802.11ac wave 2 R710 in anticipation of gigabit fiber.
00:24 <+catphish> "covered" may be an overstatement, but it didnt take many to cover a wide area
00:24 < ryao> catphish: The Unifi AC Lite APs and Unifi AC Pro APs have the same coverage on paper, so I expect a single Ruckus to do a better job.
00:24 < ryao> catphish: I am able to get coverage outside from my indoor AP at 100m on my cellphone, although it is slow.
00:24 <+catphish> ryao: actually what i have are the unifi-ac-lr (not pro at all)
00:24 < MarkusDBX> Putting swap on a remote machine over rdma, useful or stupid?
00:24 <+catphish> i hope the lr has slightly better antennas than the regular ones
00:24 < johnpringa> catphish: thanks - zayo has their own fiber or broker from other providers?
00:24 <+catphish> but i don't know the details
00:25 < ryao> catphish: This might be the case where the ruckus is only able to match 2 competiting APs in coverage.
00:25 <+catphish> johnpringa: zayo have their own fiber, but really you need to take advice from someone who really knows the US market, i don't
00:25 < djph> catphish: it does
00:25 < ryao> I think zayo has a map somewhere showing where their network end points are.
00:26 < ryao> Google can find it. It is in a PDF. It was either zayo or lightower...
00:26 <+catphish> in any case, it would be cool to try a ruckus, might be neater for my house, and we have problems in the office with unifi and apple products
00:26 <+catphish> the apple users blame unifi, i blame apple ;)
00:26 < djph> UBNT agrees with you
00:26 <+catphish> they would
00:26 <+catphish> lol
00:26 <+catphish> apple does have a pretty bad history with wifi anyway
00:26 < djph> They've been trying to work with apple for ages, IIRC ... but Apple keeps saying they're not giving enough info or something
00:27 < ryao> catphish: That is funny. A previous employer had the same issues. I had a Ruckus AP and said "I have no clue what you mean". I do recall UBNT having a bug report saying that they disabled TxBF because of compatibility issues with Apple. Also, Apple uses broadcom. ^_^;;
00:27 < ryao> djph: I am confused. Wouldn't they say that Apple isn't giving enough information?
00:27 <+catphish> anyway, maybe i'll try ruckus and see how it compares
00:27 < djph> ryao: no, they're giving apple anything and everythign they can to be like "unfuck your stuff"
00:27 <+catphish> what's their current entry level ac device?
00:28 < ryao> catphish: Anyway, the Ruckus APs do fine with all of the Apple equipment that I have tried using with it. Mostly iOS devices, but I did connect a Mac Mini to it before running wired ethernet and I did try out a MacBook Pro (that I returned). They had no problems.
00:28 < ryao> djph: lol - I think this is broadcom's fault.
00:28 <+catphish> R310 maybe?
00:29 < ryao> Speaking of which, I do remember 1 problem that I have had with Apple. Every few months, I encounter an iOS device that behaves like its radio's microprocessor hung.
00:29 < ryao> catphish: Well, if you want 802.11ac with full bells and whistles at the lowest price possible, then that is a good choice, although the prices on eBay are $30 higher than they were yesterday.
00:30 <+catphish> ryao: i'm more interested in stability than bells
00:30 < ryao> catphish: If you don't need alot of throughput and are okay with a bare bones AP, then the zoneflex 7982 can be purchased for $45.
00:30 < ryao> catphish: I haven't had stability problems with 1 exception. Some clients don't like it when the AP changes channels dynamically. You should turn off channelfly to avoid issues.
00:31 <+catphish> i don't need serious throughput, ideally something that can sustain 80MBit with half a dozen users lightly active
00:31 <+catphish> yeah i always use static settings
00:31 < ryao> catphish: My two uncles are using zoneflex 7982 models at each of their homes with the standalone firmware. They love them. The only real issue that happened was due to a buggy PoE injector that wouldn't provide power after a power cut if the network cable was plugged into it first. It was weird.
00:31 <+catphish> can always reconfigure manually if interference changes
00:32 < ryao> catphish: You should love the 7982. If you don't need 3 streams, you can go with the 7962 to save money. That is the 2 stream version.
00:32 < ryao> The 7962 costs between $25 and $30. You might need to flash the standalone firmware. You can download it from ruckus after signing up for a free account on their website.
00:32 <+catphish> is zoneflex 7982 an old model?
00:32 <+catphish> i don't see *any* zoneflex on their site
00:32 < ryao> catphish: Yes. 802.11n. They declared all 802.11n models EoL.
00:33 < ryao> catphish: Zoneflex is their wi-fi AP brand... they should be there.
00:33 <+catphish> oh ok, i was kinda hoping for ac
00:33 <+catphish> but if n is a lot cheaper i'd be happy to try it first
00:33 <+catphish> it may be fast enough, and more stable
00:34 < ryao> catphish: It looks like they dropped the zoneflex brand. They had a change of ownership recently.
00:35 < ryao> catphish: The 802.11n stuff is much cheaper. They are equally stable in my experience. The bells and whistles are missing from the 802.11n stuff without the expensive dedicated controller, but you still get all of the basics like multiple SSIDs, radio settings, WPA2 encryption setup (including RADIUS support), network configuration, etcetera.
00:35 <+catphish> wow i can get Zoneflex 7025 for £5 each, guessing they're only good for very small installs
00:36 <+catphish> or ZoneFlex 7341, where do i find the specs for these old devices
00:37 < ryao> catphish: Well, the 7962 and 7982 were their top of the line models that cost $995 if I recall. Those other ones were lesser models. Googling for a specification sheed should bring it up.
00:37 < ryao> catphish: https://a030f85c1e25003d7609-b98377aee968aad08453374eb1df3398.ssl.cf2.rackcdn.com/datasheets/ds-zoneflex-7300-series.pdf
00:37 <+catphish> thanks
00:38 < ryao> Ugh.. while that came up, it isn't for the 7341. One moment.
00:38 <+catphish> remind me, does 11n run on 5GHz?
00:38 < ryao> catphish: You need to be careful with some of the lower end 802.11n stuff. I recall hearing that it didn't have standalone support.
00:38 < ryao> catphish: Yes.
00:39 < ryao> The datasheet says: "Offered in single and dual band models, the ZoneFlex 7300 series can be deployed as a standalone access point or as part of the centrally-controlled Smart Wireless LAN with the Ruckus ZoneDirector."
00:39 <+catphish> i'll make sure there's a standalone firmware, unless the controller is free? in which case thats fine
00:39 < ryao> The controller is a 1U and is not free unfortunately.
00:39 <+catphish> right now we use the unifi software controller which is fine
00:40 <+catphish> ah, don't want that
00:40 <+catphish> i'm wondering if 11n ruckus might be a cool thing to try
00:40 <+catphish> at work nobody cares much about speed, they just want it to work
00:41 <+catphish> at home, i only use 2.4GHz because of range issues
00:41 < djph> well, if you didn't live in a place with meter-thick stone walls ...
00:41 <+catphish> lol
00:41 <+catphish> my home is my castle
00:41 < ryao> catphish: The 5Ghz range on the APs that I tried is equal to the 2.4GHz range on the Unifi AC Lite in my informal tests.
00:41 < ryao> catphish: https://support.ruckuswireless.com/products/30-zoneflex-7341#documents
00:41 < zOthix>  nslookup
00:41 < zOthix> > help
00:41 < zOthix> The 'help' command is not yet implemented.
00:41 < zOthix> >
00:41 < zOthix> can anyone help me with this ^ ?
00:42 <+catphish> yeah but with 11n, i see no benefit to 5GHz anyway
00:42 <+catphish> since there's no ac with more speed :)
00:42 <+catphish> zOthix: try just typing a hostname :)
00:42 <+catphish> or reading its manual
00:43 < S_SubZero> zOthix: hang on let me implement the 'help' command
00:43 < S_SubZero> *patches nslookup*
00:44 < ryao> catphish: Less congestion. Anyway, this model seems somewhat cut down, but it looks like it would be roughly equivalent to the modern R510, except it is a 802.11n model.
00:44 <+catphish> well that seems like a reasonable midrange device
00:45 <+catphish> i can get 7341 for £10 each!
00:46 <+catphish> if they meshed, that would be a dream
00:46 < zOthix> S_SubZero,  how can i impliment the help comand
00:46 <+catphish> could just put one in every room and lol
00:46 < ryao> catphish: The 7025 that you mentioned earlier looks super entry level. It is 2.4Ghz only, it lacks beamflex+ and maximum power output is cut. I wouldn't recommend it: https://c541678.ssl.cf2.rackcdn.com/datasheets/ds-zoneflex-7025.pdf
00:46 < ryao> catphish: Well, they actually are able to do that, but not without a zonedirector.
00:46 <+catphish> zOthix: why would you want to do that? if you did want to you'd just find the source code and write it
00:46 < S_SubZero> zOthix: well, you need to 1) write ALL of the help material.  Then 2) submit that to the people who maintain nslookup
00:47 < zOthix> right xD thanks!
00:47 <+catphish> maybe i could buy an old zonedirector
00:48 < ryao> catphish: You'd want a ZD1000. I am looking it up to double check.
00:48 < djph> it's pretty simple -> nslookup domain.tld <-
00:48 <+catphish> ryao: but they're practially giving away 7341 and other n models
00:49 < ryao> catphish: https://support.ruckuswireless.com/answers/000002018
00:49 < ryao> catphish: True.
00:49 <+catphish> found some 7962 - £17 each
00:49 < ryao> catphish: I think that the zonedirector 1000 has per AP licenses that come in 6 packs. I never really looked.
00:50 < ryao> catphish: That is less than they cost here.
00:50 <+catphish> i think it's just luck, when someone strips some out of a corp who upgraded
00:50 < ryao> catphish: Here is their smart mesh datasheet by the way: https://ruckus-www.s3.amazonaws.com/pdf/feature-sheets/fs-smartmesh.pdf
00:51 < ryao> catphish: It has been like this for years. Prices keep dropping.
00:51 <+catphish> i'd love to put them in every room of my house and try the mesh
00:51 < ryao> catphish: Businesses don't want these because they are EoL, even though they are still good. They want to upgrade to 802.11ac.
00:51 <+catphish> i only have one ethernet per floor, so could benefit form some mesh
00:52 < ellyacht> can you remove busybox from an Asus router using telnet?
00:52 < ryao> catphish: This is the lowest price that I can find: https://www.ebay.com/itm/Ruckus-ZoneDirector-1012-1000-ZD1000-Wireless-Controller-12-APs/142750840724
00:52 <+catphish> ellyacht: why? that sounds like a really bad idea
00:52 < ryao> ellyacht: Why would you want to do that? It probably would break the router by the way.
00:52 < ryao> You would need to do far more than just remove busybox.
00:53 < djph> ellyacht: given that busybox is what's running the show ...
00:53 < ryao> You would need to download the sources and heavily modify the userspace.
00:53 < ellyacht> catphish: ryao: no reason was just curious, so in theory could someone remove busybox and replace it with their own "version"
00:53 <+catphish> ellyacht: it would be as simple as replacing the binary in the image
00:53 < ellyacht> let me rephrase that
00:53 < ryao> ellyacht: In theory, you can put your own custom OS onto it. In practice, it is not so easy.
00:53 < djph> ellyacht: sure, but given it's an embedded device, busybox is probably the best option there
00:54 < ellyacht> could someone remotely flash a router? Whether it was with firmware, WRT, etc...?
00:54 <+catphish> you'd usually compile a whole new image rather than trying to patch it in, but it might be possible just to cp it into place
00:54 <+catphish> ellyacht: yes
00:54 < ryao> ellyacht: The way you would do things (assuming that the router is not locked against firmware updates requiring the bootloader recovery be used) is to build a new image and update it to that.
00:54 <+catphish> all routers can be remotely flashed
00:55 < ellyacht> catphish: seriouisly?
00:55 <+catphish> so yes, you could install a replacement remotely, this is done all the time for both good and evil reasons
00:55 < ellyacht> seriously*
00:55 < ryao> Well, US models now are locked down due to the FCC's order.
00:55 <+catphish> ellyacht: look in your router's gui, you'll find an "upgrade firmware" option
00:55 < ryao> For the most part.
00:55 < ryao> You need to use the a bootloader to flash it.
00:56 < ryao> catphish: Supposedly, they do code signing now.
00:56 <+catphish> there you can replace the firmware, in some cases it must be signed by the manufacturer as ryao says
00:56  * ryao never really checked to be certain.
00:56 <+catphish> i've never had one that needed signing, but maybe some do now
00:56 < ryao> catphish: Only on US models and only on most of them.
00:56 <+catphish> i've never been to the US for more than an afternoon so meh
00:56 < ellyacht> catphish: ryao: yes there is a firmware upgrade option. I usually upgrade my Routers firmware via the recovery mode GUI
00:57 < ellyacht> interesting
00:57 < ryao> catphish: There was a wave of firmware updates sent out implementing firmware signing to comply with a FCC order meant to prevent people from using OSS firmware.
00:57 <+catphish> ellyacht: same thing :)
00:57 <+catphish> ryao: that was very silly, but i heard that too
00:57 < ryao> catphish: And I know for a fact that Asus was one of them. I have an affected model. I dodged the bullet by never getting that update.
00:57  * ryao ran asuswrt-merlin instead.
00:58 <+catphish> well if its only a softare protection you can always jtag openwrt on there :)
00:58 <+catphish> but much more annoying
00:58 < ryao> catphish: Now they need to be flashed this way: https://www.reddit.com/r/HomeNetworking/comments/4q09b9/guide_to_downgrading_from_the_asuswrt_380_version/
00:58 < ryao> catphish: At least the FCC was stupid and didn't think to order them to lock down the bootloader too.
00:59 < ellyacht> ok heres a even better question. What command could I use in telnet (terminal) that would indicate to either you guys or myself, whether or not my router had been compromised or "attacked" having had malware installed?
00:59 <+catphish> unless the fcc were retarded their regulations wouldn't be that specifically worded
00:59 <+catphish> they'd just say that the mfgr must prevent custom software to be run
00:59 <+catphish> this would mean at all relevent levels
01:00 < ryao> ellyacht: Oh, I see why you are interested in that now. No idea. It depends on the attack.
01:00 <+catphish> i found a 6-AP zonedirector here, £125
01:00 < ryao> catphish: Is that enough for you?
01:01 < ryao> ellyacht: It is funny though. I said years before the malware was discovered that the router firmware was incredibly insecure. The engineering is shoddy.
01:01 <+catphish> ellyacht: you'd cat the flash and run it through an md5 hash
01:01 < ellyacht> by the way, is it just me or have Router manufacturers become a little like cell phone manufacturers? Where there is only really two major brands to choose from? Asus and Netgear?
01:01 < ryao> When I heard about the FBI's warning, I was surprised it didn't happen sooner.
01:01 <+catphish> then you could compare it to a known good device
01:01 < ellyacht> where would I find a known good device?
01:01 <+catphish> ellyacht: no, there are loads
01:02 <+catphish> ellyacht: no idea
01:02 < ryao> catphish: That might not work out well. There is NVRAM storage in the flash for settings.
01:02 < ryao> catphish: I guarantee you that every single device is going to have a different hash.
01:02 <+catphish> ryao: then i guess you'd neeed the flash map and do the relevent partss
01:02 < ryao> Also, good malware is able to fake a signature of not being present.
01:02 < ellyacht> ryao: I usually clear NVRAM before flashing new firmware.
01:02 <+catphish> that seems dumb
01:02 < ryao> catphish: What?
01:03 < ellyacht> catphish: ok good to know
01:03 <+catphish> clearing the nvram
01:03 < ryao> catphish: The flash map is easy to get, but it is easier to just reflash it.
01:03 <+catphish> seems a bad idea, it would contain macs
01:03 < ryao> catphish: Ah, yeah. If the software isn't designed to handle an empty state, that could mess it up.
01:03 <+catphish> and other factory settings
01:03 <+catphish> probably
01:03 < ryao> catphish: Well, the hardware should have the mac addresses hard coded for lookup and defaults should be written into the software.
01:04 < ryao> It depends on whether the firmware's developers test that scenario though.
01:04 <+catphish> the mac address could be "hard coded" in the nvram :)
01:04 <+catphish> it's a perfectly valid place to keep it
01:04 < ryao> catphish: I don't think it is, but I am willing to say that I am wrong.
01:04 < ellyacht> catphish: so there would be no real point in running the flash through a md5 hash if I had no known good device to compare it to?>
01:04 <+catphish> but i agree it would be better not to do this and maybe they don't
01:04 < ryao> catphish: I never tested either way. :P
01:04 <+catphish> maybe they're capable of generating fresh settings
01:04 <+catphish> ellyacht: indeed
01:05 < ryao> catphish: I vaguely recall that it is, but I am not certain.
01:05 <+catphish> if you found the right parts you could compare it to an image downloaded from the manufacturer
01:05 < ryao> ellyacht: There is no point. You'd need a SPI programmer to be able to image the flash with the device off and then inspect it.
01:05 <+catphish> https://www.ebay.co.uk/itm/Ruckus-1000-1006-Zone-Director-Wireless-Controller-with-No-PSU/282996742877?epid=1750595445&hash=item41e3eb9add:g:XDEAAOSwxUtbFyRf
01:06 < ryao> Otherwise, well written malware (like from the supposed nation state hackers that the FBI claims to be behind the hacks) will be able to hide itself.
01:06 < ellyacht> is there a modem on the market that you can connect to its GUI via HTTPS:?
01:06 < ryao> ellyacht: lol
01:06 < ryao> ellyacht: No.
01:06 < ellyacht> WHAT?
01:06 < ellyacht> damn
01:06 < ryao> And there never will be. At least not with a certificate signed by a trusted CA. :P
01:06 <+catphish> well yeah a perfect hack could fake its own flash content :)
01:06 < ellyacht> seriously?
01:07 < ellyacht> so what is the safest way to communicate with your modem?
01:07 < ryao> ellyacht: Yes. The accusations being made are that the hacks weren't done by amateurs, so any of the advanced techniques could be in use.
01:07 < ryao> ellyacht: Okay... please answer this question for me. What is a modem?
01:07 <+catphish> ellyacht: there is no safe way once it's hacked
01:07 < ryao> I don't think we are talking about the same thing.
01:08 <+catphish> if it's hacked, anything it sends you might be a lie :)
01:08 < ryao> catphish: There is, but you need to use a SPI programmer while it is offline.
01:08 < ryao> It can't lie then.
01:08 <+catphish> oh yeah, what ryao said
01:08 < ryao> Unless the hardware has a backdoor that the malware is using, but that is unlikely.
01:08 < ellyacht> ryao: my Coaxial cable from my ISP goes into my modem. Converts Digital to Analog. From my modem ethernet runs to my routers. From there its out to the devices
01:08 < ryao> It is incredibly unlikely that mass production equipment will have hardware backdoors of that nature. It costs extra to make the chips.
01:09 <+catphish> the 7962 AP looks kinda chunky and ugly :(
01:09 < ellyacht> or analog to digital not sure*
01:09 < ryao> ellyacht: Okay. So, you get to rely on your cable company for that entirely. DOCSIS modems are incredibly locked down and are designed so that the cable company has full control over them.
01:09 < ryao> catphish: Get the 7982. It is nicer.
01:10 < ellyacht> DOCSIS 3.0 are are the only modems available to the public no?
01:10 <+catphish> none available
01:10 < ryao> catphish: Darn. I guess the 7341 is an option then.
01:10 <+catphish> yeah, loads of those
01:11 <+catphish> its 7341 or 7962
01:11 < ryao> ellyacht: No, but the DOCSIS 2.0 modems are having support dropped and DOCSIS 3.1 modems are rare and pricy. They don't change the situation with being locked down.
01:11 <+catphish> the 7962 just isn't going to work except in a warehouse, it's huge
01:11 < ryao> catphish: You might like the 7962 for the root AP and the 7341 for the client APs.
01:11 < ryao> catphish: I wouldn't say huge, but it is fairly large.
01:11 < ellyacht> so there is no real work around for having my ISP control my modem?
01:12 < ryao> ellyacht: There is, but it is a grey area and ISPs hate it.
01:12 <+catphish> i'm not really sure whether to bother buying the controller, its kinda expensive, but if it does seamless roaming i might be tempted
01:12 < ellyacht> I love grey
01:12 < ryao> ellyacht: Look into forceware firmware. It is supposed to be GPL, but the sources aren't distributed. -_-
01:12 < koala_man> can ISPs run code on docsis modems?
01:12 <+catphish> ryao: ask them then ;)
01:12 < ryao> koala_man: Yes.
01:13 < koala_man> wat
01:13 <+catphish> they wouldnt want to break precious copyright law rught
01:13 <+catphish> *right
01:13 < ryao> catphish: Have fun asking them. It is a dark web thing.
01:13 < ryao> ellyacht: https://hackaday.io/project/20063-flashing-forceware-on-sb6141
01:13 <+catphish> oh ok
01:13 <+catphish> how odd
01:13 < ryao> ellyacht: There are modems on eBay with it preinstalled, but there is no telling if anything had been done to them.
01:13 <+catphish> i wouldnt trust that one bit
01:14 < ryao> catphish: I am not sure which is worse. The stock cable modem, or one running forceware.
01:14 <+catphish> lol
01:14 < koala_man> ryao: are you talking about ISP routers with built-in modems?
01:14 < ryao> ellyacht: That is supposed to be extremely customizable. It tends to be used for illegal things. I have never used one. I just know of it through a defcon talk.
01:15 < ellyacht> ok so for a single guy (Paranoid) single guy that likes to game on PC but also likes security, has only 4 devices, what setup would I want to choose if money were no object?
01:15 < ryao> koala_man: No. Actual DOCSIS cable modems. There were a few defcon talks about this. The manufacturers were forced to release part of the sources under the GPL, so people started hacking away at them.
01:15 < ellyacht> the sb6141?
01:15 <+catphish> if money were no object, you'd get ethernet fiber to the home, a juniper router, and ruckus APs
01:16 < koala_man> wow, definitely watching this
01:16 < ellyacht> ryao: APs access points?
01:16 < ryao> ellyacht: Well, I'd get pfSense router, a subscription to "Private Internet Access" or another reputable VPN provider, and then send all traffic through the VPN.
01:16 < stonelore> fiber to the modem, man
01:16 < ellyacht> I have PIA
01:16 < ryao> ellyacht: Then what the modem is won't matter.
01:17 < ellyacht> Pia, pfsense router and fiber to the home?
01:17 < ellyacht> with rukus APs
01:17 < ellyacht> ?\
01:17 < ryao> ellyacht: Then set it up to force all traffic over it at the gateway. I am not sure if the Asus router lets you do that. You will be better off with a pfsense one. I'd ask what your internet speeds are, but I assume that they are lousy, so you could probably get away with the cheap pfSense SG-1000.
01:17 <+catphish> is there a simple answer to 7341 vs 7962?
01:17 < ellyacht> 300 down 12 up
01:17 < ryao> catphish: The 7962 should get somewhat longer range.
01:17 <+catphish> oh 7341 Single-band (2.4GHz) 11n AP
01:18 < ryao> I thought it was dual-band... maybe that is the 7343.
01:18 <+catphish> so thats a big difference right away
01:18 < ryao> It is single band. You probably don't want it for a mesh network.
01:18 <+catphish> shame the 7982 isn't available, thats cool and not ugly
01:19 < ryao> catphish: We have tons of them in the US.
01:19 <+catphish> if the range is awesome then mesh isn't a requirement
01:19 < ryao> catphish: It is a shame that shipping to the UK is pricy.
01:19 < ryao> catphish: Well, that is true. You won't need the ZD1000 either because of the awesome range. ^_^;;
01:20 <+catphish> that was my thought
01:20 < ryao> ellyacht: FTTH is nice and somewhat more secure than cable, although sending all traffic through PIA makes it pointless.
01:20 <+catphish> it only matters at home
01:20 < ryao> catphish: A single ZF7341 probably would serve you well given that you don't use 5GHz.
01:21 < ryao> ellyacht: With a VPN in place, the confidentiality of the channel doesn't matter.
01:21 <+catphish> maybe i'll buy some 7341 then, they're so cheap
01:21 <+catphish> it's mostly for the office because of apple whiners
01:21 < ellyacht> ryao: mmk. So if a person is worried about the integrity of packages being delivered to their home. How would I go about purchasing a pFsense router, and rukus APs?
01:21 < ryao> catphish: Enjoy. You will love it.
01:22 <+catphish> lol "40 X Ruckus Zoneflex 7363 Access Points"
01:22 <+catphish> current bid 0.99
01:22 < ryao> catphish: 40 pack. Score.
01:22 < ryao> ellyacht: Why did you ask about Ruckus APs? ^_^;;
01:22 <+catphish> 7363 is dual band
01:22 < ryao> catphish: Okay. That clears up my confusion.
01:23 < ryao> ellyacht: Anyway, wow, that is paranoid. Build your own Intel box for router duty and then install pfSense on it.
01:23 <+catphish> 6 x Ruckus Zoneflex 7762 outdoor wireless access points - £50
01:23 <+catphish> i can do my yards too :)
01:23 < ryao> ellyacht: Ruckus APs aren't particularly magical when it comes to security. However, they do support VLANs, which lets you keep the management functions off limits from connected devices if you use them to make another subnet.
01:23 < ryao> catphish: Nice. :)
01:24 <+catphish> i do wonder if that ugly shape serves some antenna purpose
01:24 < ryao> ellyacht: VLANs are a really nice security feature, if used properly with a firewall to keep routing from breaking the isolation.
01:24 < ryao> catphish: It does.
01:25 < ryao> catphish: They shrunk it in the 7982 and later models, but the proprietary antenna array is actually using some of the space.
01:25 < ryao> I hate the shape too though.
01:26 < ryao> ellyacht: As for making certain that someone didn't compromise a Ruckus AP... flash it? I don't think many people know how to backdoor one of them and flashing things generally wipes out installed backdoors unless someone went out of their way to replace the flash chip with something special.
01:27 <+catphish> what if someone hacked your eyes?
01:28 < ryao> catphish: It doesn't matter what I do anymore. It would be game over. :P
01:28 < ryao> s/doesn't/wouldn't/
01:29 <+catphish> this is a great source of info https://support.ruckuswireless.com/product_families/4-eol-products
01:38 < ryao> catphish: It just dawned on me that I forgot to mention someting important. With Ruckus APs, the PSU and mounting equipment are not included.
01:38 <+catphish> they all say poe, it's not clear what kind
01:39 < ryao> catphish: 802.3af, although I recall them mentioning that they could take advantage of 802.11at on some models (newer I think).
01:39 < ryao> catphish: They also support >1.25A 12VDC PSUs with 2.5mmx5.5mm barrel connectors.
01:39 < ryao> I think you can get away with a 1A though.
01:40 < ryao> s/802.11at/802.3at/
01:40 <+catphish> my current stuff is a combo of 802.3af and proprietary dumb poe
01:40 < ryao> catphish: Then you should be fine. :)
01:41 <+catphish> the office where i mostly want these is all 802.3af so i should be good to go
01:41 < ryao> catphish: Silly question, but are you going to get the zone director for your work and do the mesh setup? I am curious.
01:41 <+catphish> no, i'm gonna get 2 and run them standalone
01:41 <+catphish> or maybe just one, range being good enough
01:42 < ryao> Let me know how you like them, although I think that I already know the answer to that. :)
01:42 <+catphish> right now we have one unifi per floor, and its fine apart from apple users :)
01:43 <+catphish> at home i have one ceiling mounted unifi per floor, they're ceiling mounted, i will *try* replacing then with a single ruckus ap, but i can't be bothered to ceiling mount again, so unless its amazing from the place where my switch is, i probably won't bother
01:43 < ryao> catphish: You probably already know this, but I suggest: setting 2.4GHz to a static 20MHz channel, setting 5GHz to a static 40Mhz channel, setting power output to the legal maximum, using different SSIDs for 2.4GHz and 5Ghz
01:43 <+catphish> that's exactly my current setup
01:43 <+catphish> though i think maybe i use 20MHz on 5G too
01:44 <+catphish> whatever the minimum us
01:44 <+catphish> *is
01:44 < ryao> catphish: I am in the same situation. I had the unifi ceiling mounted. I was going to ceiling mount the ruckus, but I misplaced the ceiling mount kit between getting it and having time to do it. It is awesome from the cabinet where I have it resting though.
01:44 < ryao> catphish: 20MHz is the minimum. I like to go higher on 5GHz because I consider that to be for throughput and 2.4GHz for range.
01:44 <+catphish> well i'm redcorating my halls at some point, would be nice to lose the surface mounted cables to the ceiling
01:45 < ryao> catphish: In dense deployments, you don't have that luxury, but the ruckus handles multiple clients fairly well.
01:45 < ryao> catphish: It is hard to find fault with ruckus APs, aside from the top of the line model being too expensive. :)
01:46 <+catphish> well since i won't be wall mounting, i guess the ugly 7962 is the better choice
01:46  * phogg takes careful notes
01:46 <+catphish> it'll be on a shelf anyway
01:47 < ryao> By the way, I remember hearing that you shouldn't place APs near metal objects... I have it next to a metal model airplane. No issues. ^_^;;
01:47 <+catphish> lol
01:47 <+catphish> all the 11n devices claim a max throughout of 300mbps
01:48 < ryao> That is for 2 stream performance and a 40MHz channel bandwidth.
01:48 <+catphish> ah that makes sense
01:48 <+catphish> so more realistically 150Mbit at 20MHz
01:49 < ryao> And in practice, you can expect only half the link throughput on these things. At least, that is my old rule of thumb. The latest 802.11ac radios seem to have broken that threshold. On the 802.11g equipment, I only expected 30%.
01:49 < ryao> catphish: Yes.
01:50 < ryao> Of course, that is only on single client tests. I never did multiple client tests to know if it gets better (although at large numbers, it gets worse).
01:50 < ryao> Latencies remain awesome the entire time though, provided there is not a bufferbloat problem upstream.
01:52 < ryao> catphish: If you are doing a 20Mhz channel on the unifi, then I suspect that a 40Mhz channel on the ruckus could be okay. The ruckus is really good at dealing with interference and the signal strength should improve, despite the 3dB penalty from a 40Mhz channel.
01:52 < ryao> The ruckus has more range after all.
01:52 <+catphish> there are so many seemingly identical models
01:53 < ryao> catphish: They probably had a few ways of 802.11n line ups before EoLing all of them.
01:53 < ryao> s/ways/waves/
01:53 <+catphish> ah ok
01:53 < ryao> I know that the 7982 replaced the 7962 as the top end model.
01:53 < ryao> With 802.11ac, they have had 3 different high end models. The R700, R710 and R720.
01:54 < ryao> Those are wave 1, wave 2, wave 2 with a better radio :P
01:54 < ryao> They have had 2 different groups of midrange and low end models on 802.11ac. I am not familiar with the history of the 802.11n product line.
01:55 < ryao> catphish: The key specifications to look at are maximum client count, spatial streams, antenna pattern count, receive sensitivity and transmit power.
01:55 <+catphish> i don't really have those specs :(
01:55 < ryao> When doing comparisons in their 802.11n line up.
01:56 < ryao> catphish: It is in the datasheets that you can find mirrored on other sites by searching google with their names.
01:56 < ryao> They are all pdfs.
01:56 < ryao> e.g. Google `filetype:pdf zoneflex 7982`
01:57 <+catphish> i mostly want to know if the 7962 is worth much more than the 7341 to me
01:57 <+catphish> the obvious difference is the 5ghz band
01:58 <+catphish> your google fu works well
01:59 <+catphish> 40 X Ruckus Zoneflex 7363 Access Points would be awesome, but 10 days more auction
01:59 <+catphish> https://www.erre1.it/upload/1fe33535a8af3485.pdf
01:59 <+catphish> nice comparison
02:03 < Harlock> i have just one older ruckus i am using at home
02:03 < Harlock> an 11n model
02:09 <+catphish> well i've ordered a couple of the cheap 2.4GHz ones, will have a play in the office, hopefully it'll be more stable for the apple users
02:09 <+catphish> if they're awesome, i'll try the range at home too
02:10 <+catphish> but ultimately i'll want ac for home because i use a fair bit of bandwidth
02:10 <+catphish> ryao: thanks for the pointers, i'll see how it goes and maybe but more current ones in the future if they're good
02:24 < ryao> Harlock: Cool. I imagine that you like it. :)
03:02 < jennifer> Hey guys, haven't thought about this topic for a while. If I connect to a company wifi, can they spy on me? Read content, etc?
03:04 < Peng_> Unencrypted stuff, yes. Encrypted stuff, not normally. But if you're installed monitoring software (or just a CA) on your device, encrypted stuff too.
03:04 < koala_man> jennifer: they can generally see which web sites you go to, and sometimes what you do on them
03:04 < Peng_> Good point. Even "encrypted" communications are revealing.
03:11 < local_host> It must be refreshing to be a spy all you have to do is get paid to stalk.
03:12 < jennifer> I see
03:13 < jennifer> I guess I just need to spend my time wisely at this company then
03:14 < dogbert2> hehehe...whazzup in here?
03:44 < spaces> and I thought what did I feel there in my neck, it was a tick!
03:45 < spaces> damn tiny small thing
03:50 < spaces> dogbert2 you as a dog must have them often, I just hugged my dog so I know where it came from :P
03:50 < dogbert2> LOLOL!
03:51 < spaces> damn they are really small I only saw then dead or sucked with blood
03:51 < spaces> I like to remove them, it's just fun if a animal trusts you
03:51 < spaces> *an
03:57 < spaces> dogbert2 what are you doing ? spining that chick all the time?
04:32 < Harlock> ryao yes it works well, and i don't get random disconnections
06:00 < Goop> I want to try to network two Raspberry Pi's together over a CAT5 cable with no additional boards.
06:01 < Harlock> you have my permission
06:02 < Goop> I don't want to reinvent the wheel, so is there some software (on Linux) that takes a string of text and sends binary signal out, and takes care of all the timing?
06:03 < Goop> That's what I've never understood about networking--how computers negotiate how long a "1" and how long a "0" is.
06:04 < Harlock> don;t these have an ethernet port
06:04 < Goop> The Raspberry Pi 0's don't have Ethernet ports.
06:04 < Goop> I want to build something, and I won't want to add extra weight with a network switch.
06:05 < Harlock> why would you need a switch
06:05 < Harlock> and you never said you had a pi 0 in the first place
06:05 < Goop> Sorry, my mind is a few different places.
06:06 < Goop> I want to use the GPIO pins to send/receive data from another Raspberry Pi (zero).
06:06 < Spice_Boy> there is a serial interface in those GPIO pins
06:07 < Goop> Spice_Boy, I'm not sure what that is. I'm fairly new to doing this kind of thing.
06:08 < Harlock> one of those new fangled serial ports eh
06:09 < Goop> Are you saying that I would have to have the GPIO pins act as a serial port, then have it use the face serial cable as a network cable?
06:09 < Harlock> you want to run ip over it?
06:09 < Harlock> you can use slip or ppp over serial
06:10 < Goop> Yes, I want to run Internet Protocol over GPIO.
06:10 < Spice_Boy> its GPIO pins have serial, but it's not rs232 voltage levels, but if you're going between two pis then it should be fine
06:10 < Spice_Boy> then yeah, ppp or something
06:11 < Goop> Is ppp is a Linux package? How would I go about doing this as far as a software side?
06:11 < Spice_Boy> okay, stop there. If you don't know these things, what are you actually trying to acheive?
06:13 < Goop> I'm trying to achieve using multiple digital, electrical input/output pins a computer has and have Linux recognize the pins as a network interface.
06:15 < Goop> That really is what any other network port does--it's just a fancy set of input/output wires that leads to a fancy physical port, which goes over to a cable of wires.
06:18 < Goop> Is it making sense what I'm saying?
06:21 < grawity> it's technically possible, yes
06:25 < grawity> but it depends on what protocol you want to run over those pins, electrically
06:27 < Goop> So I need an electrical protocol, and the Internet Protocol goes on top of the electrical protocol?
06:27 < grawity> sure
06:28 < Goop> I don't really have an opinion on electrical protocols.
06:28 < Spice_Boy> as we said, use the built in 232, same levels because both are Raspberry Pi, then run PPP on it, then you're done
06:28 < grawity> packets don't just go over the wire, you need to turn them into some sort of signal, whether it's standard like RS232 or Ethernet or custom
06:28 < grawity> if the device already has *dedicated* RS232 ports, yeah, that'd be a lot easier
06:28 < Spice_Boy> https://pinout.xyz/pinout/serial_pi_plus#
06:28 < Spice_Boy> pins 8 and 10
06:28 < Spice_Boy> easy
06:29 < Spice_Boy> too easy
06:29 < grawity> what's the highest bit rate you can get on pi's serial?
06:29 < Spice_Boy> just don't connect it to a standard computer serial port, as voltages are different
06:29 < Spice_Boy> don't know... never actually used it, just know it's there
06:29 < Spice_Boy> I tend to use a usb-serial adapter
06:30 < Spice_Boy> ...at 9600 generally
06:46 < Goop> So the "baud" (bits per second) rate of the serial connectors is 115200. That is 14.4kilobytes per second
06:47 < CuriosTiger> baud != bps
06:47 < grawity> I was told bits per second wasn't anywhere the same as "baud rate" anymore
06:48 < CuriosTiger> grawity: They were never the same. Back in the day, they used to correlate, but compression algorithms changed that.
06:48 < grawity> also, I think some raspberry pis *can* go up to a Mbps or two
06:48 < CuriosTiger> baud measures physical pulses per second across some medium, like a phone line.
06:48 < grawity> hmm
06:49 < Apachez> baud rate = characters per second
06:49 < Goop> I got at least 30mbyte/s on a wireless connection over a wireless USB interface.
06:49 < CuriosTiger> pulses don't quite correspond to bits. For example, in a typical 8B10B encoding, a byte (eight bits on a computer) requires 10 pulses across a phone line.
06:49 < Apachez> bit rate = bits per second
06:49 < grawity> CuriosTiger: so actually it *is* the same for raw RS232 then, no?
06:49 < Apachez> bits are always in size of 1 bit
06:49 < Apachez> baud can be anything between 5 and 8 bits per char depending on charset being used
06:49 < Apachez> back in the days you had like 5-7 bits, 8 bits per char is pretty new invention
06:49 < CuriosTiger> grawity: For raw RS232 with no compression or other manipulation at the endpoint, yes, I suppose.
06:49 < grawity> since I don't think serial uses any fancy modulation
06:50 < Apachez> or lets say unicode would been used then baud would have been 16 bits/char
06:50 < CuriosTiger> grawity: Serial does generally use 8B10B, basically to avoid long runs of all zeroes or all ones that may be mis-counted by the hardware.
06:50 < Goop> https://elinux.org/RPi_Serial_Connection that is the context
06:50 < Apachez> so default is often 9600 for com ports while you often want to change that into 115200 for switches/routers
06:50 < Apachez> because a show run will take so much longer with 9.6kbps vs 115.2kbps
06:51 < Apachez> other than that a com port in a computer often supports up to 2 megabit/s
06:51 < Maarten> 1988 is knocking and wants his com1 port back.... ;)
06:51 < CuriosTiger> Apachez: Wrong. Baud has nothing to do with bytes, nor with whether you're using unicode or ASCII or EBCDIC.
06:51 < CuriosTiger> Baud measures the number of pulses per second. Changes from one to zero or from zero to one.
06:51 < Apachez> CuriosTiger: wrong bytes is always 8 bit, baud have nothing to do with bytes
06:51 < grawity> CuriosTiger: ah right, I forgot stop bits and stuff
06:51 < CuriosTiger> The closest corresponding unit is bit, not byte.
06:51 < Apachez> baud can be anything between 5-8 bits depending on standard being refered to
06:52 < CuriosTiger> Apachez: And no, bytes aren't always 8 bits.
06:52 < Apachez> nowadays they are
06:52 < Maarten> baud is just a raw bitrate, how you transfer things really depends on what the settings are, some connections only use a start bit + 7, others start, 6 bits, stop bit.... I forget, its been so long :(
06:53 < Maarten> I used to GAME against friends using a com1 cable between two PC's.
06:53 < grawity> ah, here's the page about overclocking serial (on the original raspberry I think) https://www.thedevilonholiday.co.uk/raspberry-pi-increase-uart-speed/
06:55 < Tegu> isn't baud the symbol rate, not bitrate?
06:56 < Goop> So the stop bits is "1", the bits are in 8, no parity in the context of this page here: https://elinux.org/RPi_Serial_Connection
06:56 < grawity> Tegu: yeah, though we're talking about RS232 where they're apparently close enough
06:56 < Tegu> if one symbol represents one bit, the it equals to bitrate
06:56 < grawity> Tegu: though I don't understand why Apachez insists it's related to bytes somehow
06:57 < Tegu> ah yea, context. didn't read enough backlog
06:59 < grawity> ...oh right, if byte size is 8 bits, then I guess the bitrate is 8/10ths of the baud rate due to the start/stop bits
07:06 < Tegu> it still transfers the stop bits etc, so would that be more like "effective bit rate" or "effective data rate"
07:17 < iateadonut> i just made a reverse proxy, and the configuration on the original source server says this: Proxied. Traffic is being served from this site, but your domain may be configured behind a proxy like Fastly or Cloudflare.
07:18 < iateadonut> i wonder how that could be detected?
08:06 < Kirball> There’s a Mr Robot Badge PCB on eBay from last years defcon personalized and autographed by int80 of Dual Core. If anyone’s interested.
08:21 < dionysus69> I understand concept of multiple application servers behind the loadbalancer, but what about the loadbalancer itself? how many requests can loadbalancer(nginx) handle
08:21 < dionysus69> and what's the practice of scaling the loadbalancers themselves? and how often is it needed?
08:49 < melissa666> I'm looking at this wifi antenna --> https://www.amazon.com/gp/product/B01LY35HGO/ref=ask_ql_qh_dp_hza ... I thought it would be easy to find on Google, but I can't find a consistent answer on what the range of a USB wifi adapter like this, with 5dBi antenna would get outdoors with clear line of sight.
08:54 < detha> melissa666: there is no simple answer to that. It depends on too many factors (AP, how noisy is the environment, reflections/multipath, how are you holding the device, ....)
08:55 < grawity> how about "compared to adapter with an internal antenna"
08:57 < detha> "slightly better, but not much"
09:00 < melissa666> detha, assuming low traffic on the channel they are on, do you think it would be reasonable to say that two hosts using this card would be able to communicate from indoors across a city street (assuming they were in a window or something without any walls, etc between them)? I am wondering if they would have strong signal 50-100 ft away in with nothing significant between them and low traffic on channel?
09:01 < melissa666> is that something that could be said with any confidence?
09:01 < grawity> how wide are your streets
09:01 < melissa666> or just no way to say for sure, even for that short range?
09:02 < melissa666> grawity, that's what I meant by the 50-100 feet - I was referring to distance across streets of that width
09:02 < detha> No. It is likely to work, most of the time, but don't be surprised if for example a large truck or a car with noisy ignition passing through the street breaks your link
09:04 < melissa666> detha, ok, thanks
09:49 < veek> when you do a traceroute.. what's that stuff in (brackets)
09:49 < veek> 15  72.249.137.132 (72.249.137.132)  288.276 ms ae-6.r10.dllstx09.us.bb.gin.ntt.net (129.250.5.4)  304.049 ms ae-5.r11.dllstx09.us.bb.gin.ntt.net (129.250.5.24)  292.284 ms
09:50 < veek> it's hop wise acknowledgements - so.. what's ae-5
09:59 < grawity> it's literally each router's hostname and IP address
09:59 <+xand> veek: the IP address...
09:59 < Reventlov> I don't see any bracket :|
09:59 <+xand> and the name...
09:59 <+xand> () are brackets
09:59 < grawity> ae-5 is whatever NTT decides to name the thing
09:59 < Reventlov> shit, I have been calling that parenthesis
10:00 < grawity> some definitions of 'brackets' include all levels of curliness
10:00 < EvanR> () are often called brackets
10:00 <+xand> Reventlov: yeah that's a more specific term :p
10:00 < EvanR> maybe we should be fair and sometimes call [] square parentheses
10:01 < veek> okay so that's because traceroute's sending multiple pkts with different ttl
10:02 < veek> 1st line started with 3 pkts with different ttl and i guess depending on routing they get sent through different paths
10:03 < veek> what's funny is that the final destination should resolve to 1 host unless it's multihomed like yahoo and i'm getting 2 hosts.. and i w as redirected to a scam page but the site's legit
10:04 < winsoff> How would someone take devices from multiple subnetworks and put them all into one logical network? For instance, if I have devices all over 10.0.0.0/8, but I wanted to put 100 or so of those on 192.168.1.1-101.
10:05 < grawity> if both networks use different routers, just make sure each router has routes to the other network...
10:06 < winsoff> grawity, is there no way to symlink these things together, in networking tersm?
10:06 < winsoff> terms*
10:06 < grawity> I don't see why that would be necessary
10:06 < grawity> hosts in one network can alreadt reach hosts in another network
10:06 < grawity> that's literally how internet works
10:07 < winsoff> Right, but if I've got multiple devices behind multiple routers, all behind one big boy router, and I wanted to hack a network together out of multiple devices on all of those networks, is that possible?
10:07 < winsoff> Like a VPN, but accessible/addressable by any host behind the big boy router.
10:08 < grawity> well yes, sure
10:08 < bezaban> what network would they 'be' on? You could use multiple interfaces and vlans or virtual interfaces if supported by the hosts
10:08 < grawity> tell that router which device handles which subnet
10:08 < grawity> again, literally how internet works
10:08 < winsoff> So would I just set up the hosts without dhcp, in that case?
10:09 < grawity> no, why?
10:09 < ahyu84> how to set inter-vlan to communicate vlan with other vlan each other?
10:09 < winsoff> Or are dhcp servers complex enough that I can say, "hosts from this vendor get this IP"
10:09 < grawity> some servers can certainly do that, but uh, I don't see how that's in any way relevant
10:09 < bezaban> ahyu84: you use a router like any other network :)
10:09 < ahyu84> managed switch
10:09 < winsoff> grawity, I've recently seen a network in which multiple IP cameras from multiple different places (and therefore, definitely different networks) were all on 192.168.1.1/24.
10:10 < ahyu84> hi bezaban ^_^
10:10 < bezaban> ahyu84: hey again :)
10:10 < ahyu84> yup
10:10 < ahyu84> haha
10:10 < grawity> winsoff: connected to a bunch of home routers which perform NAT by default, I guess
10:10 < winsoff> grawity, nah, enterprise.
10:10 < grawity> well
10:10 < winsoff> No nat, though I don't know the exact implementation. I guess I could ask the sysadmin, but I'm curious if this was commonly in use.
10:10 < grawity> 1) enterprise doesn't mean "not stupid"
10:11 < winsoff> lolol
10:11 < grawity> 2) different places don't mean different networks
10:11 < grawity> could have a single "IP cameras" VLAN across the whole thing
10:11 < winsoff> So the VLAN *can* be IP-based?
10:11 < grawity> nothing in the above implies that it's an IP-based VLAN
10:12 < winsoff> Well, if they are indeed only connected by layer 3 tech, then it would have to be, right?
10:12 < winsoff> The places that these IP cams are in are like half a mile away from each other
10:12 < grawity> what do you mean by "connected by layer 3 tech"...
10:12 < winsoff> Routers, not switches.
10:12 < winsoff> Is "layer 3 tech" satisfactory to describe the difference?
10:12 < grawity> it's perfectly possible to have L2 links half a mile across, anyway
10:13 < shangul> I have a dial-up modem, a DSL splitter/filter, a DSL modem and a telephone. How should I connect these?
10:13 < winsoff> grawity, those would just need repetition, right?
10:13 < winsoff> without going into wireless, that is
10:14 < grawity> winsoff: not if it's over optical fiber
10:16 < grawity> fairly sure fiber ethernet can go at least 10 km without any sort of repeater
10:16 < winsoff> Hot damn.
10:16 < winsoff> Did I already ask where you got all of your networking knowledge, grawity
10:16 < grawity> https://xkcd.com/903/
10:17 < squ> haha
10:18 < winsoff> There is no way that 1) you are that good at searching wikipedia and 2) wikipedia is as comprehensive as you are.
10:18 < winsoff> Maybe for most of the discussion, though.
10:20 < grawity> I mean, I've been screwing around with networks since 1st grade and currently manage the LAN of a tiny local college
10:20 < winsoff> Are you US-based?
10:20 < grawity> more like eastern europe
10:21 < shangul> I think I asked a too advanced question!
10:22 < winsoff> Be right back.
10:22 <+catphish> yes, fiber ethernet can go 100km :)
10:22 < grawity> "For standard NRZ-OOK links with G652 fibers, the unamplified limit is approximately 100 km" that's a lot of acronyms I don't know
10:22 < squ> grawity: thinking about wiring local college with optical cables?
10:22 <+catphish> yeah, the best transceivers i see can do 100km
10:22 < grawity> squ: well it's already got those between buildings anyway
10:23 < squ> inside, between routers
10:24 < grawity> >routers
10:24 < grawity> 'tiny' in European scale
10:24 < squ> let's say you have 3 story building, each floor has mikrotik WiFi with SFP
10:25 < grawity> are we talking about routers, or about wi-fi access points?
10:26 < squ> if you want to define difference between access point and wifi router
10:27 < grawity> "wifi router": a 2/3/4-in-one device that bundles a wifi access point, an ipv4 router, and an ethernet switch
10:28 < grawity> I'm not sure why you'd put that in a large network *at all*
10:28 < squ> what do you have there?
10:28 < grawity> (admittedly, one such mikrotik device *is* hanging on the wall behind me, but it's not doing any IP routing, just like the other APs aren't)
10:29 < grawity> there's one dedicated 'router', going to a bunch of switches, going to a bunch of assorted wifi access points
10:30 < squ> with fibre 100km range wifi access points can be plugged directly to 1st router
10:30 < grawity> and I suppose they are
10:31 < squ> so you are considering to upgrade the network?
10:31 < grawity> no
10:32 < squ> did you setup cameras too?
10:32 < grawity> no
10:36 <+catphish> this conversation is weird
10:36 < grawity> it is
10:38 < squ> why? Is it not up to network admin to setup cameras?
10:38 < grawity> we don't *have* cameras
10:41 < grawity> https://superuser.com/q/1331111/1686
10:42 <+catphish> grawity: wonder what kind of weird cable they have, but seems like it'd work fine
10:50 <+catphish> violet: please stop that some time soon
10:51 < violet> catphish: I'm sorry it is over now, I had issues from my phone.
10:51 < violet> sorry and thank you for the patience
10:51 <+catphish> violet: it's ok :) was just getting a bit annoying
10:51 <+catphish> not a big problem
10:51 < violet> I'm sorry I'll avoid trying to identify from my mobile, thanks once more have a great day :)
10:52 <+catphish> oh i see what happened :) you have a nice day too
12:01 < darsie> Will a device only connect to a hotspot with matching SSID and password or would it also connect to a hotspot of a hacker which accepts any password on is open and the hacker could then connect to the device and mess with it?
12:02 < darsie> Will the password be transmitted to the hotspot or does it use some challenge/response algo?
12:03 <+xand> darsie: it doesn't just send a password out so it can be captured
12:03 <+xand> it's challenge/response
12:03 < darsie> k
12:04 < spaces> all networks sexy ?
12:04 < darsie> What about a hacker offering a hotspot with the same SSID?
12:05 <+xand> darsie: it wouldn't connect if the key didn't match...
12:05 < darsie> ok thx
12:07 <+xand> the AP will send encrypted packets which the client will try to decrypt and fail to
12:07 < kidn3ys> darsie: look up 'wpa evil twin'
12:08 < darsie> ok
12:12 < imado> .
12:12 < darsie> .
12:16 < imado> anybody knows how to register to ##electronics channel ? or where should i ask this question?
12:16 < darsie> #freenode
12:17 < Mead> good morning ##hardware
12:22 <+catphish> imado: see https://freenode.net/kb/answer/registration - ask in #freenode if you get stuck
12:24 < Aviyah> Hey, room. I am new here. Anyone awake right now?
12:24 < Roq> Sure
12:25 < Aviyah> So I bought the cheapest linksys repeaters I could find on amazon and I didn't realize this upon purchasing them but it is impossible to disable WPS on them.
12:25 < Aviyah> Does that sound absurd to anyone else?
12:25 < Aviyah> lol
12:25 < winsoff> Is it usually a sign of routing issues when one traceroute (tcp) goes straight to the router and into a subnet, and when another (udp) goes all the way out to an edgerouter?
12:28 < Roq> Aviyah: I dont know, does it have a webinterface where you can turn it off perhaps
12:28 < djph> Aviyah: given "the cheapeast consumer crap" ... no
12:31 < Aviyah> There is a very minimal user interface on the repeater. I couldn't find a disable WPS option anywhere so I went on to linksys customer support chat twice. First, guy didn't have a clue what I was talking about. Second guy knew and said there is no way to disable it on that particular device.
12:32 < Aviyah> It is pretty stupid.
12:32 < Aviyah> I guess there would be a way to disrupt the WPS through modding the firmware, right?
12:33 < djph> maybe *wrt
12:33 < djph> but "maybe"
12:33 < Aviyah> I am not even going to try to do such a thing though. These were literally bottom of the barrel repeaters.
12:33 < Aviyah> I am just going to buy a better, newer set of repeaters and go from there.
12:34 < winsoff> Aviyah, I know what's wrong here
12:34 < Aviyah> Shoot?
12:34 < winsoff> you're using a repeater.
12:34 < Aviyah> Yeah, I know. They are not for me particularly.
12:34 < Aviyah> I use a different network than these repeaters connect with but they are for my housemates.
12:35 < winsoff> Aviyah, what's the size of the house?
12:35 < winsoff> If you are willing, I bet we can find a better solution.
12:35 < djph> Are they *repeaters* or extra APs?
12:35 < Aviyah> It is decent sized but the dimensions of the house make two repeaters necessary.
12:35 < winsoff> Not necessarily.
12:36 < Aviyah> Because the house has wings and a courtyard like situation.
12:36 < kidn3ys> run cable, add more Aps.
12:36 < winsoff> I have one of these situations. Large house.
12:36 < Aviyah> Anyways, if I needed to extend a signal, I wouldn't use repeaters.
12:36 < winsoff> AP placed in the middle of the house covers the entire house.
12:36 < djph> winsoff: not necessarily
12:36 < Aviyah> Yeah, I have a different set-up. For now.
12:36 < winsoff> djph, I'm saying in my case, which is a super large house.
12:37 < winsoff> Some ludicrous 4k sq ft or something.
12:37 < Aviyah> I am going to start messing around with some kind of wireless mesh and learn more about it.
12:37 < winsoff> Aviyah, what is the current primary AP?
12:37 < djph> Aviyah: are they actually *repeaters*, or are they wired-in APs?
12:37 < winsoff> And what devices are your housemates using?
12:37 < Aviyah> They are actual repeaters.
12:37 < Aviyah> Linksys repeaters hooked up to their own access point.
12:38 < winsoff> What model are these linksys repeaters?
12:38 < Aviyah> RE2000
12:38 < djph> ew, why'd you do that to your poor housemates?
12:38 < winsoff> Looks like they are dual-band.
12:38 < mcdnl> what about plc aps?
12:38 < Aviyah> Yeah, they're not impressive and they were literally dirt cheap.
12:38 < winsoff> Aviyah, if you are insistent on keeping these, all you need to do is put the link on the 5ghz band and then the repetition on the 2.4ghz band.
12:39 < winsoff> How cheap is dirt-cheap?
12:39 < winsoff> Good dirt is $14 a cubic yard.
12:39 < Aviyah> Interesting idea, winsoff.
12:39 < Aviyah> lol
12:39 < Aviyah> I'll try that out actually.
12:39 < djph> winsoff: which is way better than mulch ... goddamn
12:39 < winsoff> djph, lolol
12:40 < Aviyah> I am going to just deploy them with the WPS and be done with it. I don't like WPS though.
12:40 < winsoff> Why are you mulching?
12:40 < winsoff> Aviyah, don't use WPS. It's heavily vulnerable.
12:40 < Aviyah> I know.
12:40 < Aviyah> It is extremely easy to exploit.
12:40 < Aviyah> Which is why I am bummed out.
12:40 < djph> winsoff: because weeding the rose garden sucks
12:40 < Aviyah> I am not going to deploy both of them. Just one for the sake of a smart tv which will be the only device connecting to it.
12:41 < winsoff> djph, loller. Landscape fabric is cheap!
12:41 < winsoff> Inb4 "but ugly"
12:41 < djph> winsoff: yeah, but it's not as nice looking.  Gotta keep the missus happy.
12:41 < winsoff> Another option is just wood chips and pine needles.
12:41 < winsoff> The missus is gonna go missing if she keeps piping up about how the rose bush looks
12:41 < Aviyah> On the subject of router firmware builds though, how do the current mainstream options size up to you guys
12:41 < Aviyah> ?
12:41 < winsoff> Aviyah, what is your current gateway's make/model
12:42 < djph> winsoff: haha, yeah, we do the natural / woodchip mulch.  still like $20/yd
12:42 < winsoff> Hot fuck. I wonder how much they get out of a decent sized diseased tree.
12:43 < winsoff> I really need to make a better (illegal) wifi antenna setup.
12:43 < Aviyah> The gateway for their network to which the repeaters were to connect was a ISP-provided modem.
12:43 < winsoff> The book I have on antenna design is really hefty, though.
12:43 < squ> winsoff: illegal?
12:43 < winsoff> squ: only for certain jurisdictions
12:44 < winsoff> Aviyah, what make/model
12:44 < kidn3ys> I've never seen an antenna design declared as 'illegal' only channel usage and power usage.
12:44 < squ> emitting forbidden frequencies is illegal probably, but antenna design?
12:44 < winsoff> kidn3ys, a boosted antenna is still a designed antenna.
12:45 < Aviyah> That doesn't matter. It isn't the weak link.
12:45 < winsoff> The larger power usage is specifically part of the antenna's design, as far as I know, since there are not many cards that let you use them as power supplies.
12:45 < winsoff> Aviyah, it matters to my question. Don't treat me like tech support.
12:45 < kidn3ys> sure, but isn't it then illegal because of the output of the antenna?
12:46 < winsoff> kidn3ys, indeed, though the criminal intent is in the design and assembly of the antenna for illegal purposes (malicious intent), or whatever.
12:46 < Aviyah> I wasn't treating you like technical support. I wasn't really dismissing you so much as preserving my infosec. It is a modem/VOIP hub.
12:46 < squ> what is your intent winsoff
12:46 < Aviyah> I would have to go look at the thing to tell you.
12:46 < Aviyah> This isn't my network.
12:46 < winsoff> squ: nice try fbi
12:47 < winsoff> Aviyah, I figured you already knew. You don't have to go look at it; you can just log into it
12:47 < djph> winsoff: although, that may include delivery (I really need a truck, but ~money~)
12:47 < winsoff> You could also just pull the make/model out of the air if wps is enabled, Aviyah
12:47 < winsoff> djph, I hate trucks, and I still try to do everything in a sedan.
12:48 < djph> winsoff: yeah, but it's kinda hard to do bulk mulch in that :)
12:48 < Aviyah> Oh, the gateway doesn't have WPS enabled. I made sure of that when I set it up like a year ago.
12:48 < Aviyah> Right now I am not even connected to that network.
12:48 < kidn3ys> winsoff: hrm, maybe im splitting hairs -- my understanding is that it doesn't matter the intent if you're output power has broken the threshold of the local governing body it's illegal. intent of use of the antenna would be an entirely different situation/charge (assuming they could prove it)
12:49 < Aviyah> I am using my own but I am hopping back and forth between two different networks.
12:49 < Aviyah> Anyways, what do you all think about home mesh networks out there?
12:49 < Aviyah> Are they worth the cost?
12:49 < djph> copper > mesh.
12:49 < kidn3ys> e.g. in Moscow you're limited to 25mW -- if you were to break that the FSB gets to crawl up your ass about it
12:49 < djph> 25 mW!?
12:50 < winsoff> Aviyah, it's cheaper and easier to buy PATCH CABLES in 50 foot lengths and run them where you need them
12:50 < djph> that's like what ... 6 dBm?
12:50 < winsoff> Still cheaper, I think, to just buy a spool of ethernet, the tools to crimp and test it, and then to crimp and test it yourself and run the damn lines
12:50 < djph> oops, 13 ... but still
12:50 < winsoff> I still don't get db in terms of "oh wow that's a lot":
12:51 < kidn3ys> djph: yea -- small cells :(
12:51 < winsoff> For instance, if a network's rssi is -70dbm from where I am sitting, and then I put on a 5dbi antenna, does that mean the theoretical max rssi i'm going to get is -65dbm?
12:51 < squ> did you know that google does not have mW to dBm conversion
12:51 < djph> winsoff: 0 dB = 1 mW.... from there every 3 dB is doubling (or halving) the wattage.  10 dB = *10 (or /10)
12:51 < Aviyah> Yeah, I know. I like to learn the air but you're right. I don't even have wireless interfaces in some of my systems. I took that shit out.
12:52 < djph> winsoff: well, the theoretical minimum, yes.
12:52 < djph> barring any losses in cabling between the antenna and the radio tranceiver.
12:53 < winsoff> WPA2 is extremely insecure. If someone were to put up the cash for an ASIC that bruteforces WPA2, they could get intensely fast speeds (think Giga/terahashes/sec).
12:53 < kidn3ys> winsoff: rssi doesn't translate directly to dbm
12:53 < djph> winsoff: er, what?
12:53 < winsoff> djph, I was replying to Aviyah
12:54 < winsoff> WPA2 itself is extremely insecure in that it's not very good crypto against modern computational power.
12:54 < djph> winsoff: that WPA2 is "extremely insecure"?  Last I looked, AES was still a "hard" problem.
12:54 < kidn3ys> Depends who you are.
12:55 < squ> who?
12:55 < kidn3ys> If you're a nationstate -- WPA2 is likely a very small hinderance in the grand scheme of things.
12:55 < winsoff> djph, forgive me, but as far as I know, bruting wpa2 just requires the handshake and the ability to do 4096 rounds of sha really quickly
12:55 < Aviyah> Yeah, I do not trust wireless networks.
12:55 < Aviyah> At all.
12:55 < djph> winsoff: er ... maybe if it was TKIP?
12:55 < winsoff> oh it's sha1
12:56 < djph> winsoff: but using AES/CCMP as the underlying crypto ... I don't think it's quite that straightforward
12:56 < winsoff> It doesn't matter if it's tkip or ccmp i think
12:56 < Mead> TKIP has been shown to be insecure for over a decade
12:56 < djph> admittedly, I'm not a cryptonerd
12:56 < djph> Mead: I know
12:56 < winsoff> i'm pretty certain it just has to do with the weakness of the known plaintext in the mic
12:57 < winsoff> weakness in wpa2 overall, that is
12:58 < Mead> what size of nails do I need to attack fence pickets to 1 x 3 rails?
12:58 < Aviyah> I was once involved in a certain foreign interests several years ago and witnessed a successful attack against a pairwise key.
12:58 < Aviyah> I don't like Wifi.
12:59 < winsoff> Mead, well, if you just want to attack them, you don't even need to grow out your nails. Just punch them.
12:59 < kidn3ys> The general consensus is if you're not using EAP-TLS you're fucked.
12:59 < winsoff> doesn't eap-tls still make it possible to evil twin though
12:59 < winsoff> or am i thinking of earlier eap
12:59 < Mead> err attach them,  sorry typo.  But I need this info before I go to the hardware store
12:59 < winsoff> Mead, buy screws, please.
12:59 < djph> Mead: I'd imagine brads would be fine with that small of material
13:00 < Mead> winsoff:  screws don't fit in my nail gun
13:00 < kidn3ys> winsoff: you can still evil twin but eap-tls provides mutual certificate auth between the infrastructure and the client.
13:00 < winsoff> Mead, lolol
13:00 < winsoff> Mead, just buy finish nails
13:00 < winsoff> kidn3ys, ah, interesting. Hmm.
13:00 < Mead> what size finish nails?
13:01 < kidn3ys> or maybe im thinking of eap-ttls -- i always get them mixed up
13:01 < winsoff> Are the rails only .75" thick
13:02 < Mead> they are the standard 1 x 3 inch boards,
13:02 < winsoff> I think they make them in 1.5 inches.
13:02 < winsoff> How thick are the pickets, though? They make those in different sizes.
13:03 < winsoff> The entire thing is probably only 1.5" thick. Buy 1in nails.
13:03 < Mead> gosh I didn't measure them, maybe 3/8 inch
13:04 < Aviyah> I am getting more and more concerned with networks so I imagine I'll pop in here with some frequency. Any systems architects running aroun this channel?
13:05 < squ> only fence architects
13:05 < kidn3ys> Aviyah: titles don't mean shit.
13:05 < Mead> hehe
13:05 < winsoff> Everyone in this channel is required to be licensed, insured, and bonded with the state for general contracting.
13:05 < Aviyah> I agree. I was merely curious.
13:06 < Mead> which state?
13:06 < kidn3ys> well, atleast in the US.
13:06 < Aviyah> Utah.
13:06 < djph> Mead: Sealand
13:07 < kidn3ys> I was surprised to learn that 'architect' and 'engineer' are controlled titles in Russia.
13:07 < djph> they should be controlled here too
13:07 < djph> but meh
13:07 < kidn3ys> I agree.
13:07 < winsoff> Aviyah, you're in Utah?
13:08 < Aviyah> No, I was making a guess. I am in Oregon.
13:08 < squ> land of bears
13:08 < squ> sequoiyas
13:09 < Mead> and stanky hippies
13:09 < Aviyah> All of the above, yeah.
13:09 < Mead> can you guys pump your own gas yet?
13:10 < Aviyah> If your county has less than a certain population it is permissable.
13:10 < djph> o_O
13:10 < Aviyah> It is funny you mention that because I work part time pumping gas. LOL
13:10 < Mead> that is retarded,  Pumping gas is not rocket science
13:10 < djph> ... and this is why everyone thinks the US is back-asswards...
13:10 < Aviyah> No, it is the easiest job on Earth.
13:10 < kidn3ys> Mead: not everyone is a rocket scientist
13:10 < djph> pickup nozzle, put in gastank
13:11 < Aviyah> And it keeps me entertained and physically active.
13:11 < squ> last news from Oregon was this on 15 May 2018 http://handofmoscow.com/2018/05/15/american-ninja-infiltrated-in-the-womens-toilet/
13:11 < Aviyah> But it doesn't pay well. Fortunately I have other streams of income.
13:11 < hagbard> nothing like silling coke to make ends meet. ;)
13:11 < Mead> Aviyah: I'm don't blame you for taking the job, just that the state has the laws
13:11 < Aviyah> Yeah, I know. I wasn't offended.
13:12 < Aviyah> It is the most basic job. You push some buttons and you slide cards. You squeeze a handle. It really isn't rocket science.
13:12 < Aviyah> I did it in high school. I did it in college. I do it again now. I enjoy it.
13:13 < Aviyah> I wouldn't work at the most bottom of the barrell job if I didn't enjoy it.
13:13 < Mead> I drove through in 2004 and was dumbfounded by the concept.  I had not seen full service gas stations in my state since before the end of the coldwar
13:13 < hagbard> I did that back in '03, Redmond to SF
13:13 < mgolisch> why do you need people for that anyways?
13:14 < mgolisch> cant the driver fill gas in their car themselves?
13:14 < Aviyah> You really don't. I imagine in the 50's when the law was passed that enough people viewed it as a serious liability issue.
13:14 < hagbard> Ostensibly, so there are jobs for people who fill gas into cars, I believe.
13:14 < mgolisch> hm i see
13:15 < Aviyah> People treat gas pumpers like they're morons though. That is the most entertaining part.
13:15 < Mead> Didn't a bunch of old people freakout after never having pumped their own gas in their life?
13:15 < hagbard> I mean, they're not wrong, they're morons too.
13:15 < Aviyah> Stuck up yuppies in their Volvo n' shit.
13:15 < hagbard> I mean, the people calling the attendants morons are also morons.
13:15 < Aviyah> Pretty much.
13:16 < hagbard> you gotta be a special kind of stupid to degrade the people serving you.
13:16 < kidn3ys> Are we making a blanket judgement that all attendants are not morons?
13:16 < hagbard> I wasn't.
13:16 < Aviyah> I like this channel more and more talking to you guys. It has personality and it's active at this hour. Perfect.
13:16 < Mead> I always try to show people doing shit jobs that society depends on to function nicely.
13:16 < mgolisch> i saw that alot in spain too but it not a common thing here in germany
13:16 < Mead> err treat
13:16 < hagbard> It's like the beginning of the American Gods show - Always be nice to the ladies behind the counters at airports.
13:17 < Mead> See a janitor cleaning up shit?  "Hello, how is it going."  and try to avoid the wet floor they are mopping or whatever.
13:19 < Aviyah> If my girlfriend finds out i am still awake at this hour I'll  have to figure out an excuse that alleviates what will become her adderall theory.
13:19 < Aviyah> lol
13:19 < squ> 4 in the morning in Oregon
13:19 < Mead> this hour?  It's 6am, time to start your day
13:19 < kidn3ys> just have some porn off to the side
13:20 < Aviyah> Or just go low-key and curl up with this shit on my chest and if I hear her door I act like the dude who passed out paying his shit the proper diligence.
13:20 < Aviyah> Whereabouts are you guys?
13:20 < kidn3ys> Moscow at the moment
13:20 < Mead> The Republic of Texas
13:21 < Aviyah> Moscow, eh? I would like to visit someday.
13:21 < kidn3ys> It's a beautiful city.
13:21 < Mead> https://en.wikipedia.org/wiki/Moscow,_Texas
13:22 < kidn3ys> stand by
13:22 < Aviyah> I know a lot of Russian Jews. I used to date one.
13:22 < Aviyah> A lot of Jews in Russia.
13:23 < squ> half of Israel is russian
13:23 < Aviyah> In fact a majority of the organizentia leadership are Jewish.
13:23 < Aviyah> Yeah, I know.
13:24 < Aviyah> You Israeli, squ?
13:24 < squ> no
13:24 < squ> but sometimes friends tell me I behave like one
13:25 < Aviyah> You never wait for a table. There are worse things.
13:25 < Mead> I got called a jew after beating most of the basketball team at dominos when I was in College
13:25 < Aviyah> lol
13:26 < kidn3ys> Bah. I was going to get a picture of St Basils with a sticky note that said 'No, Mead not Texas' but there is a bunch of shit in the way.
13:26 < Mead> Oh, so Moscow idaho?
13:27 < kidn3ys> Pretty sure there is only one St Basils cathedral...
13:27 < Aviyah> Alright. That's a whole pack of smokes since the afternoon yesterday. I am on a roll.
13:29 < Mead> I don't pay attention to where cults worship, so I don't know what st basil's is
13:29 < Aviyah> lol
13:29 < kidn3ys> Less about the cult, more about the architecture. Lots of really cool buildings here.
13:30 < squ> how cool?
13:31 < Dalton> ice cold
13:31 < kidn3ys> Umm, we'll call it 61 degrees cool?
13:32 < Mead> 61 degrees is cool it was like 98 degree here yesterday
13:33 < kidn3ys> Yea, the weather has been great -- only a couple rainy days.
13:36 < kidn3ys> lunch time, bbl
13:39 < Aviyah> Any of you guys following Westword right now?
13:40 < Aviyah> Westworld***
13:40 < Mead> not me,  waiting for the second season to be over to binge it
13:41 < Mead> been big on The Expanse lately
13:42 < Aviyah> Yeah, I am secretly doing roughly the same thing. My girlfriend insists that I disconnect to watch it every sunday but I just spend the time thinking about shit. I want to watch it straight through in silence, alone and on my terms.
13:42 < Aviyah> Everybody makes way too much noise for me to get into it.
13:44 < Aviyah> It seems like a good season though.
13:44 < squ> its just because we had no adequate series on space thematics
13:48 < Aviyah> So I am merely curious and not that it matters but are there any Jewish regulars in this channel?
13:49 < Mead> Why would a person's religion be relivant in an irc chat about networking?
13:49 < Aviyah> Being Jewish is more than just a religious framework. It is a culture as well.
13:50 < djph> s/culture/cult/ bahhahaha
13:50 < djph> anyway, seriously bro (cue triggers for gender assumption), it doesn't matter.
13:51 < Aviyah> You're right. It was merely another curiousity.
13:51 < Aviyah> I wasn't suggesting that it makes a difference honestly.
13:51 < Mead> I'm not your bro, man
13:51 < djph> I'm not your man, bud
13:51 < Aviyah> lol
13:52 < Aviyah> I really like this channel.
13:52 < Aviyah> I think you guys are cool.
13:52 < Mead> I'm not your bud, dude
13:52 < djph> c-c-c-c-combobreaker
13:52 < djph> i'm not your dude, pal
13:52 < Mead> I'm not your pal, guy
13:52 < djph> i'm not your guy, friend
13:52 < Aviyah> You guys have humour. Something a great many freenode channels seem to lack.
13:52 < Mead> I'm not your frwiend, buddy
13:53 < djph> i'm not your buddy, homie
13:53 < Mead> I'm not your Homie, vato
13:54 < djph> anyway, if a channel doesn't have fun, it's probably infested with leftwing commies
13:55 < Mead> damn commies,  sprouting up in the USA again.  I thought they all realized the error of their ways when the USSR fell
13:55 < Aviyah> Or people who take themselves way too seriously.
13:56 < Aviyah> Don't get me started. And while we're after the commies, we should send all the Mexicans back to Guatemala.
13:57 < Mead> Guatemala doesn't want them either, you know who likes mexicans?  mexico
13:57 < djph> shit, even Mexico doesn't like Mexicans
13:57 < Aviyah> Not these days.
13:57 < djph> but yeah, the left wingnuts are cancer ... all of their ideologies are cancer ...
13:58 < Mead> Left wingers are almost as bad as right wingers
13:58 < Aviyah> lol
13:58 < Mead> I'd rather be a torso than a wing
14:00 < squ> )))))
14:01 < djph> Thank Cthulhu that we got the reincartion of the god emperor of mankind.
14:02 < Aviyah> lol
14:02 < kottt> ideology isn't the problem, it's dogmatic adherence and the vilification of the opposing viewpoint
14:02 < djph> the far-[left|right] are all crazies.  center-left can be okay people.
14:02 < djph> although, the weird thing is that the conservatives are apparently this generations dissidents.  holy hell, talk about role-reversal.
14:02 < Aviyah> I prefer to stay off the whole mat when it comes to politics.
14:03 < kottt> left and right wing politics in the US are two sides of the same coin, and it's the coin used by the god damn illuminati to systematically oppress free thought
14:04 < djph> Aviyah: I was much the same, until the 2016 election ... although it's taken til like April / May this year to get educated enough to at least consider that I'm not just getting drawn in by propaganda.
14:04 < microwaved_> kottt: its called *Cabal*
14:04 < Aviyah> There are a shit ton of people parked in this room. Roundabouts how many active regulars in here?
14:04 < djph> depends on the day, really
14:04 < djph> and time-of-day as well
14:05 < djph> kottt: and yeah, you're right about the whole vilification thing.
14:05 < Aviyah> I have the same indignation, djph. I started to weigh in here and there since the 2016 election myself.
14:05  * TotallyNotKim set's parking break on
14:05 < Aviyah> But as a usual policy I don't go there. It just pisses me off.
14:05 < Aviyah> lol
14:05 < Mead> so back on the topic of networking,   anyone messed with ethernet over coax lately?
14:06 < squ> I have a problem and reading irc while I don't know how to solve it
14:06 < TotallyNotKim> Mead: that would be basically one tp?
14:06 < kottt> that's what irc is for
14:06 < Mead> one tp?
14:06 < Aviyah> I have to wake up and drive in like 2 hours.
14:07 < TotallyNotKim> well twisted pair, but I dont think coax is even twisted
14:07 < Aviyah> It was honestly a pleasure talking to you guys tonight/this morning. I will be back for sure.
14:07 < Mead> no, I'm talking about coax like what tv/cable traditionally uses
14:07 < squ> remember we are not your guys, Aviyah
14:07 < djph> Mead: not since 10BASE-T
14:07 < detha> Mead: thinnet?
14:07 < djph> detha: I think RG6/RG59 is thicknet
14:08 < Mead> detha: moca
14:08 < detha> thicknet is more like RG8, aka garden hose
14:08 < djph> ah
14:10 < djph> I've only seen thinnet as like RG17something
14:10 < Mead> My directv install already uses some modern form of ethernet over coax,  the boxes even get IP's from my internet gateway.  Was wondering if I could use it to get connectivity for other devices and computers
14:20 <+catphish> i think this might have been a little too much load :) https://i.imgur.com/xLUsibq.png
14:22 < djph> load average?
14:22 < djph> yeah 30 is probably a bit much
14:22 <+catphish> yeah
14:22 < djph> how many cores?
14:22 <+catphish> 8
14:23 < djph> so only about 3.5x over-worked
14:23 <+catphish> i had 2 x 8 core servers in a cluster, both in the same state, i've added 2 more :)
14:23 < djph> probably a good idea
14:24 < djph> I really have to get better at "Linux Server Administration"
14:24 < djph> I mean, I know my way around the CLI and everything ... but actual spinning up something "automatic" (ansible?) ... not so much (and probably loads of other things)
14:26 <+catphish> i'm still mostly of the "do everything manually and document it" school
14:26 < djph> catphish: yeah, same here -- but looking for an admin job, they all want that kind of stuff.
14:26 <+catphish> though of course one should have proper automated processed for some things, in our case monitoring, firewall and security policy management mostly
14:27 < djph> (need to GTFO this company)
14:29 < detha> catphish: you just went past automation threshold - one or two servers: do it manually. 3 or more, automate it.
14:30 <+catphish> detha: i think that's probably it
14:30 <+catphish> individual servers are configured manually and documented, company-wide things are automated
14:32 < squ> how are you documenting things? A file with dates and changes you've made to the system?
14:33 < detha> "The Little Black Book"......
14:34 < Minnebo> is there a way to check which TLS version a client uses when using FTP?
14:34 < djph> no, because FTP doesn't use TLS
14:34 < djph> upgrade to SFTP.
14:35 < grawity> Minnebo: you arrived right in the middle of Pedantry O'clock here, so you need to call it "FTPS"
14:35 < Minnebo> :)
14:35 < Minnebo> Same question ;p
14:35 < Minnebo> (using ftps)
14:35 < djph> grawity: wait, when is it not pedantry-o-clock in here?
14:35 < grawity> djph: when you're not around
14:36 < grawity> Minnebo: are you checking from the client side, or from the server side?
14:36 < Minnebo> client side
14:36 < djph> grawity: logs seem to disagree...
14:36 < grawity> then ask your client program I'd say
14:36 < grawity> some in fact put that in the logs
14:36 < grawity> for those which don't, idk, I'd try Wireshark and see if it shows that in the handshakes
14:36 < Minnebo> Some of our clients are using 'moveit cmd line' a pretty large script with certificates to setup the connection (it is to upload credit card stuf)
14:37 < grawity> of course, the best option would be to disable undesired TLS versions server-side
14:37 < djph> ... and this is why cc info gets stolen ...
14:37 < Minnebo> ATOS Worldline forces TLS 1.2 as of July 2018
14:37 < Minnebo> which is a good thing : )
14:39 < dogbert2> get the new lenovo P52 thinkpad with 128GB of ram, 6TB HDD, 15,6" 4K screen, and the gfx card from hell :)
14:40 < kottt> 128GB of ram...
14:40 < kottt> :thinking:
14:40 < UncleDrax> 64kB should be enough for anyone
14:40 < kottt> get out of here grampa
14:40 < djph> dogbert2: an AMD?
14:40 < djph> UncleDrax: 640
14:41 < UncleDrax> djph: 640B? or 640kB ? either way don't care. I'm sticking with my 64kB.. because C=64s rule, Apple]['s drool
14:41 < kottt> so cyberpunk he shits model M's
14:42 < djph> if that were the case, you'd think they wouldn't cost so damn much
14:42 < grawity> model M's are literally the opposite of cyberpunk
14:42 < kottt> hmm
14:42 < kottt> yes i suppose so
14:42 < kottt> nevermind me
14:43 < kottt> still so mad at myself for throwing away the model M i had growing up
14:43 < kottt> for a shitty razer arctosa membrane keyboard
14:43 < UncleDrax> because you really like AT connectors?
14:43 < djph> UncleDrax: I believe the quote was (more or less) "I can't imagine a time when someone will need more than 640K of RAM"
14:44 < kottt> i needed the anti-ghosting for counterstrike 1.6
14:44 < UncleDrax> djph: prob true.. tbh I've paraphrased it for so long the actual quote has been lost to me
14:44 < djph> Model M's had PS/2 as well (although that might've been after IBM sold to ... Unicomp?)
14:44 < djph> UncleDrax: yeah, hence the "more or less" -- could be 640K is enough for anyone ...
14:44 < UncleDrax> ya. well there's a whole Mech-KB scene now. unfo getting ergo/split type mech KBs is usually very $ or the models are too weird.
14:45 < kidn3ys> seems to have livened up in here
14:51 < djph> UncleDrax: well, mechanical keyboards were quite good ...
14:52 < kottt> my BFF got me a DasKeyboard, it is my favorite thing... <_<
14:52 < kidn3ys> kottt: which model?
14:53 < kottt> let me find out, I always forget
14:53 < kottt> it's pretty baseline
14:54 < UncleDrax> djph: yeap. There's a IndieGoGo for a reasonablly priced (<$300usd) fixed-frame split mech KB that I'm prob gonna jump on. They do move some of the meta-keys so I'll have to relearn how to type.. so that's annoying.. but might be worth it
14:54 < kottt> The Model S Professional is the closest to what I've got
14:54 < kottt> https://www.daskeyboard.com/model-s-professional/
14:55 < kidn3ys> Ah, I think i ended up with the professional (non-s). Really enjoy it though.
14:56 < UncleDrax> the biggest problem with the X-Bows though if I used it for home is they recommend WASD mapping -> RDFG or something.. which would be great except half the games out there still don't let you remap right
14:57 < djph> ew
14:57 < kottt> UncleDrax: Use a program with profiles to remap your keys at the OS level so that R->W, etc
14:57 < kidn3ys> that sounds ugly.
14:57 < kidn3ys> in game chat/multitasking goes to shit
14:58 < kottt> mmm
14:58 < kottt> fair point
14:58 < UncleDrax> ya i'd imagine so
14:58 < UncleDrax> aight.. conf call. please return the hcannel to the usual 'my wifi router is crap and I can't VPN to netflix'-problems by the time I return. kthx
14:59 < kidn3ys> netflix has VPNs?
14:59 < UncleDrax> no, but enough ppl try to VPN to get around NF's region locking, it comes up enough.. so it seems
14:59 < grauzikas> Hello, i`m trying TC rule on Centos machine to shape virtual machine traffic, but i`m geeting some error: https://pastebin.com/VmKmpey3
15:00 < grauzikas> and in virtual machine internet speed is only 300kbps after this rules
15:00 < kidn3ys> UncleDrax: I know -- I was just fucking with you. :D
15:00 < hiya> What's up?
15:01 < hiya> I want to redirect all the UDP/TCP traffic to a local transparent socks-proxy with can handle both on my Debian Linux laptop
15:01 < hiya> Can someone help me with it?
15:04 < kidn3ys> hiya: which part are you stuck on?
15:05 < hiya> :P
15:05 < hiya> kidn3ys, Wait I will show you what i wrote with iptables okay?
15:05 < kidn3ys> k
15:08 < ALowther_> If a router is on layer 3, then how come they so often support ports? Aren't ports layer 4? If I SSH into my router, doesn't it have to have port 22 open(or whatever non-standard may be configured)?
15:09 < djph> because the "layers" aren't "hard limits"
15:10 < grawity> ALowther_: but ports aren't involved in routing
15:11 < hiya> https://hastebin.com/tirukotiza.bash <-- kidn3ys
15:11 < ALowther_> grawity: So it's main purpose is to deal with things on layer 3, but it may have functionality for layer 4 or even above...I guess if a router has a web interface then it's even supporting layer 7, yeah?
15:11 < ALowther_> djph, too. :)
15:11 < hiya> https://manpages.debian.org/testing/shadowsocks-libev/ss-redir.1.en.html <-- kidn3ys this where i took it from
15:11 < grawity> ALowther_: yes – L3 routers, L2 switches, even L1 media converters can additionally act as hosts and speak the entire stack
15:12 < grawity> there's really nothing in the "layering" thing that forbids it
15:12 < kidn3ys> hiya: so were are you getting stuck?
15:12 < lupine> don't forget, layers are the enemy
15:12 < ALowther_> grawity: It's more generally what it is purposed for and what it will do best?
15:12 < grawity> it's about how routers are L3 because they make their routing decisions based on IP addresses, and not Ethernet MACs or TCP ports
15:13 < hiya> kidn3ys, when I turn it all on, it shows my ISP's external IP instead
15:14 < grawity> (that said, yes, there are L2 switches which do "IP-based VLANs", and there are routers which do TCP port "policy routing" – *this* would be a layering violation strictly speaking)
15:15 < kidn3ys> they are not IP-based VLANs.
15:15 < kidn3ys> that is 100% just how someone decided to associate subnets to those VLANs
15:15 < grawity> sometimes they are
15:16 < kidn3ys> explain...
15:17 < djph> grawity: well "violation"
15:17 < grawity> kidn3ys: literally, some switches support assigning the VLAN membership based on various things like ethertype, or MAC vendor, or IP source address
15:17 < grawity> as in https://i.imgur.com/z71XHaS.png
15:17 < grawity> it's ... probably to deal with some shitty VoIP phones, I assume
15:18 < kidn3ys> .. that looks like a fucked up gui for setting up an SVI.
15:18 < kidn3ys> again -- has nothing to do with the VLANs being 'ip based'
15:18 < grawity> no, it's not
15:19 < djph> VLAN tagging is L2 isn't it?
15:19 < grawity> they don't behave anything like SVIs, and the same config section has "MAC-based VLAN" and "Protocol-based VLAN"
15:19 < kidn3ys> djph: yes
15:19 < djph> this coffee has far too little booze :|
15:21 < kidn3ys> grawity: what device is that from?
15:21 < grawity> ZyXEL GS1910-24
15:21 < kidn3ys> -_-
15:22 < kidn3ys> like i said, some fucked up implementation of multiple technologies
15:22 < grawity> I see our TP-Links support VLAN assignments by MAC or protocol, too
15:22 < kidn3ys> that's dynamic vlan assignment
15:22 < grawity> how's that any different
15:22  * meowschwitz strangles TP-Link as a concept
15:23 < kidn3ys> its not far off from dot1x
15:23 < hiya> kidn3ys, do you know? what is going on?
15:23 < kidn3ys> hiya: haven't looked
15:23 < hiya> Ok
15:24 < grawity> kidn3ys: so like it sees a frame with MAC x:y:z:t:a:b, and internally tags it as VLAN 42 based on that?
15:25 < kidn3ys> grawity: likely swaps the port to that specific vlan when a device is connected
15:25 < ALowther_> kidn3ys, grawity, djph: Thanks for the trialogue. Information for all :)
15:25 < grawity> though either way, that's the same as what I was talking about moments earlier, just replace 'MAC' with 'IP' :)
15:26 < kidn3ys> grawity: I understand what you're talking about but VLANs are NOT ip-based.
15:26 < hans_> i'm behind 2 routers, the deepest has subnet 192.168.0.0/31, the upper 1 has 192.168.1.0/31, the computers connected to the deepest subnet can connect up to 192.168.1.* , but not vise-versa.. and now that's a problem
15:26 < djph> check routing, also NAT
15:27 < grawity> kidn3ys: well, why can your "dynamic vlan assignment" be MAC-based and protocol-based but not IP-based?
15:27 < hans_> by assignment, you mean assign IPS?
15:27 < hans_> IPs* i guess
15:28 < kidn3ys> grawity: you can use all kinds of information to drop things into specific VLANs, under the hood it's just a means of authentication
15:28 < kottt> hans_: routers above the 192.168.0.0 subnet don't have a route to the 192.168.1.0 subnet
15:28 < grawity> if you use the IP header to drop things into VLANs, that's by definition "IP-based"
15:29 < kottt> set a static route on your 192.168.0.0 router to point 192.168.1.0/24 traffic to the address of the 192.168.1.0 router
15:29 < hans_> kottt, yeah that sounds about right
15:29 < kottt> or learn about RIP or something and have the deepest router advertise its subnets
15:29 < grawity> much like using 'regular' tags is called "802.1Q-based" in some switches, etc.
15:29 < kidn3ys> grawity: and yet the VLAn exists regardless of the addresses you're using, right?
15:29 < kottt> which is technically the more proper way of handling it but may be overkill depending on your use case
15:39 < kidn3ys> grawity: makes me wonder how they handle devices that use dhcp though...
15:39 < grawity> kidn3ys: I assume the tagging decision is done per-packet, not just based on what's seen initially
15:39 < grawity> oh, yeah, I get what you meant
15:40 < grawity> the feature seems so special-purpose that they probably don't bother with dhcp
15:40 < UncleDrax> innit that what option 66 stuff is for?
15:40 < UncleDrax> assuming said switch will still accept ingress vlan tags for said mapped vlan
15:40 < UncleDrax> ?
15:41 < UncleDrax> (or about a dozen other auto-prov protocols)
15:41 < kidn3ys> hrm, isn't 66 just specificying an ip -- as in "go talk to this IP for your config"?
15:42 < kidn3ys> sure
15:42 < kidn3ys> i only recall it for phone configs
15:42 < UncleDrax> yeap.. then your device applies said config, which in theory you might use to force it into a VLAN
15:42 < UncleDrax> I've seen some ONT/NIDs that use it
15:43 < UncleDrax> but that's like 'hey i'm doing FTTx and your CPE needs to be generic and get a config based on what port it is connected to' stuff
15:43 < kidn3ys> UncleDrax: I was thinking more along the lines of where does the dhcp server live if the switch dynamically changes the vlan based on source ip
15:43 < UncleDrax> oh the switch is changing the default vlan?
15:43 < UncleDrax> i figured it was just mapping based on l2/l3 info
15:43 < kidn3ys> UncleDrax: Yea -- grawity pointed out that zyxel has an 'ip' 'mac' and 'protocl' based vlan feature
15:44 < kidn3ys> It seems like a closet case where you have a switch that doesn't support dot1q tags connected to a single port with devices that typicaly reside in multiple broadcast domains
15:45 < UncleDrax> ya.. although I'd spend to get a .q aware switch.. I mean the up charge these days is minimal
15:45 < kidn3ys> agreed
15:45 < kidn3ys> just an intersting idea
15:46 < UncleDrax> I could see if it you deployed WhositWhatsit brand SIP phones and they all start with mac ff:ff:ff and you want to slap them into a VoIP VLAN.. that sorta thing
15:46 < kidn3ys> sure
15:46 < kidn3ys> the mac based makes sense
15:47 < kidn3ys> not far off from dot1x with mab
15:47 < hanshenrik> the outer subnet is 192.168.1.* , the deep router's ip on the outer subnet is 192.168.1.100, the deep subnet is 192.168.0.*, the deep router's ip on the deeb subnet is 192.168.0.1, and i have no idea what i'm doing. any suggestions? https://i.imgur.com/FNX8bub.png
15:48 < kidn3ys> hanshenrik: what's the problem?
15:48 < djph> hanshenrik: before we go any farther, what are the make/model of these two routers?
15:48 < hanshenrik> kidn3ys, devices in the outer subnet cannot initiate connections with devices in the deep subnet
15:48 < hanshenrik> but vise-versa works fine
15:48 < djph> oh, linksys ... you're fucked, and have to use NAT.
15:48 < kidn3ys> hanshenrik: sounds like you're probably NATing.
15:49 < djph> oh wait, sweet, you can turn off the nat - turn that off on the "deep router", and add a static route on the "outer-router" to get to 192.168.0.0/24 via 192.168.1.100
15:50 < grawity> UncleDrax: yeah the zyxels actually default to a bunch of voip oui's in that feature
15:51 < hanshenrik> the outer router is a Linksys... this 1 https://www.linksys.com/dk/support-product?pid=01t80000003KOIsAAO  - and the inner router is TP-Link AD7200, this 1 https://www.tp-link.com/us/products/details/cat-5506_AD7200.html
15:52 < djph> hanshenrik: if hte tp-stink can't disable NAT, you're SOL.  Why're you doing this anyway?
15:54 < hanshenrik> djph, i need a device connected by cable to communicate with a TP-Link HS110 smartplug that can only communicate via wifi, and the wifi is from a different router, bleh
15:54 < grawity> kidn3ys: are ACLs on switches a common feature?
15:55 < grawity> kidn3ys: like "drop packets matching this condition"
15:55 < kidn3ys> on a port?
15:55 < djph> hanshenrik: so you don't actually need the second router to route?
15:56 < kidn3ys> grawity: most access layer switches only support inbound filtering and doing an ACL per port is a pain in the ass to manage
15:56 < kidn3ys> mots of the time it gets pushed up to the SVI/gateway for that subnet
15:56 < djph> hanshenrik: set it up to be an "ap only" (if you can), or turn off all the DHCP and whatnot, and instead of using its "WAN" port as the uplink, use one of the switchports (NOTE, set its LAN IP Address to something in the 192.168.1.0/24 range)
15:56 < kidn3ys> but dot1x can dynamically apply ACLs as wel.
15:56 < kidn3ys> and those are applied at the port level
15:56 < hanshenrik> ill try that
15:57 < kidn3ys> depending on what you're trying to do, private VLANs might be a better option
15:59 < grawity> just asking because the zyxel has this kind of packet filtering, so I suppose they thought "hey we have accept and drop, why not add an action to mangle vlan tag"
16:01 < meowschwitz> omg zyxel still exists
16:02 < kidn3ys> grawity: sure, im not saying its not useful. my point was just that VLANs are not tied to IPs -- regardless of what a single manufacturer decides to name a feature
16:25 < hans_> doesn't seem like i can turn off NAT x.x is this related? https://i.imgur.com/nR5usCC.png
16:26 < Dalton> how many public ips are you going to route through that Tp-Link residential wifi router?
16:29 < hans_> randomishly 4-10 i guess (4 right now), but there's only 1 device/ip that i need to communicate with from the outside
16:35 < HTiberian> anyone ever experienced problems with linux active-passive bonding (mode 1), using VLANs on top of bond and a centralized firewall connected to both VLANs and seeing the same MAC address several times in every VLAN/zone?
16:35 < Dalton> hans_: i don't know that you can disable NAT on that kind of a device.
16:36 < meowschwitz> hans_: you might be able to turn off nat by switching device mode to bridging or whatever
16:37 < HTiberian> We are seeing our switches flooding frames to all hosts in this VLAN, which are directed to these machines
16:37 < meowschwitz> personally I'm never going to buy tp-link garbage again
16:38 < meowschwitz> HTiberian: the *firewall* is seeing the same MAC in different zones?
16:38 < HTiberian> meowschwitz, right!
16:38 < meowschwitz> and this is actually arriving on the wire?
16:39 < HTiberian> normally linux does not change or scramble MAC address when adding subinterfaces on top of bond
16:40 < meowschwitz> I'm wondering if this is an actual problem with your network layout and configuration or the particular box which sees a phantom effect
16:40 < HTiberian> so switching gear learns 00:00:00:00:00:01 in VLAN 10 and VLAN 20
16:40 < HTiberian> and also does the firewall
16:41 < HTiberian> firewall is Cisco ASA 5580
16:42 < HTiberian> but what i'm wondering about is that the switches actually flood these frames to all ports in this VLAN
16:42 < meowschwitz> look at switches' host tables
16:42 < tds>  hans_: if you can't do what you want in the stock firmware, it may be worth checking if openwrt/similar supports that device
16:42 < meowschwitz> tds: I checked, it doesnt
16:42 < HTiberian> nothing suspicious in the frames when doing a capture, just normal unicast forwarding
16:42 < tds> meowschwitz: ah, that's annoying :(
16:43 < meowschwitz> HTiberian: there's nothing inherently wrong with same leg of the firewall having same mac being presented to different vlans
16:44 < HTiberian> meowschwitz, thats what i'm assuming too, but what i don't get is the flooding on the switch (which is only doing L2)
16:44 < meowschwitz> is STP on? did you examine the host tables?
16:49 < hans_> according to the following article, tp-link is deliberately blocking OpenWRT.... https://www.pcworld.com/article/3044594/open-source-tools/tp-link-blocks-open-source-router-firmware-to-comply-with-new-fcc-rules.html
16:50 < hans_> but how, exactly? do they require a signed flash file before flashing?
16:50 < ||cw> yes, fcc requires it
16:50 < ||cw> and it's stupid
16:50 < hans_> .....
16:51 < HTiberian> meowschwitz, this is a Brocade Ethernet Fabric running with TRILL. No STP needed
16:51 < HTiberian> meowschwitz, and yes i check the MAC table, shows the MAC for VLAN 10 and VLAN 20
16:52  * meowschwitz shrugs
16:52 < meowschwitz> the normal behaviour for switches is to unicast flood when the destination mac is not in the host table
16:52 < hans_> think i can still flash openwrt on there with 1 of these? https://img.staticbg.com/thumb/large/oaupload/banggood/images/BD/C9/0b6c45a2-9177-4dc5-9530-f2de1ac5b287.JPG
16:52 < meowschwitz> i dont know if it's different for fabrics
16:52 < hans_> if im lucky and the network drivers are available..
16:52 < HTiberian> meowschwitz, normally it isn't ;-)
16:53 < hans_> flashing it directly to the firmware chip
16:53 < HTiberian> but sometimes such things kill all your years on network knowledge :-D
16:54 < meowschwitz> according to pediwikia an overflow of the host table could also cause this
16:54 < meowschwitz> ymmv and so
16:54 < ||cw> hans_: unless you want to get into jtags can crap, best to stay with the supported hardware list
16:54 < ||cw> can/and/ (wtf fingers)
16:54 < hans_> jtags?
16:54 < ||cw> exactly
16:55 < hans_> like this? https://en.wikipedia.org/wiki/JTAG
16:55 < HTiberian> yeah but then i would see all traffic in that VLAN, as the switch transitions into a hub
16:55 < ||cw> yes
16:56 < hans_> well, to piss on FCC, sounds pretty tempting right about now, but nah
16:56 < ||cw> hell of a learning curve, but is some fun if you have the time
16:57 < obsrwr> Hi #networking, be prepared to roll your eyes. I have 2 network interfaces eth1 and eth2 on the same host, they are connected to eachother to an ethernet switch. Can I ping through eth1, so that it goes to the switch, and back on eth2 ?
16:58 < ||cw> obsrwr: sure?
16:58 < obsrwr> something is preventing the packet to reach the switch
16:58 < ||cw> maybe routing tables?
16:58 < obsrwr> say eth1 has mac address ::01 and eth2 has mac address ::02
16:58 < obsrwr> routing table seems ok, i have static routes
16:59 < ||cw> and you're sure they are correct?
16:59 < obsrwr> but if i have a packet leaving eth1 with dest mac ::02, it doesn't reach the switch
16:59 < obsrwr> but if i modify eth2 mac's address, it reaches the switch
16:59 < tds> if it's a linux box, there will be a separate routing table (local) that causes it to go via the loopback interface?
16:59 < obsrwr> i was thinking about the local table too
17:00 < tds> so traffic back to an ip on the same box shouldn't ever leave a physical interface afaik
17:00 < obsrwr> but the MAC seems the problem, not the IP
17:00 < obsrwr> if I change eth2 mac to ::03 but still send dst address from eth1 to ::02, it reaches the switch
17:01 < obsrwr> if i change eth2 back to ::02 and eth1 packet has dest address ::02, it doesn't reach the switch
17:02 < obsrwr> if i had network namespaces maybe this wouldn't be a problem. but I can't have a custom kernel on this particular box, all i can do is change routes and arp table, any posible solution?
17:02 < obsrwr> i think the linux network stack is not letting packets leave the interface if the dst mac is a mac of one of the interfaces on the host
17:04 < meowschwitz>  /me rolls his eyes indeed
17:05 < meowschwitz> obsrwr: first, how do you know it does or doesn't "reach the switch"
17:05 < meowschwitz> second, ip route get <ip>
17:05 < obsrwr> i have access to the RX FIFO counters of the eth switch's XLAUI interfaces
17:08 < obsrwr> can i ip route get for a particular interface?
17:08 < obsrwr> when i ping i use ping -I eth1/eth2
17:09 < mcdnl> ip route | grep devname
17:10 < obsrwr> there is only 1 route to the ip of eth2, the one i set statically, 192.168.2.1(eth2) via 192.168.1.1(eth1) dev eth1
17:11 < obsrwr> same for eth2, 192.168.1.1(eth1) via 192.168.2.1(eth2) dev eth2
17:11 < detha> obsrwr: ip route show table 0 | grep 192.168.1
17:12 < obsrwr> hmm there is this local 192.168.1.1 dev eth1  table local  proto kernel  scope host  src 192.168.1.1
17:12 < obsrwr> should i also modify local routes so that the vias cross?
17:13 < mcdnl> oh i see what you want to do
17:15 < obsrwr> mcdnl: i need to do this just to develop the firmware for the switch, but linux is being a bit weird, and i don't have much flexibility with changing the kernel
17:15 < detha> obsrwr: it would make life a lot easier if you had two machines.
17:15 < obsrwr> yes, but all interfaces are on the same PCB
17:16 < mcdnl> make a different route table for the other interface
17:16 < detha> ^
17:16 < obsrwr> a different route table... huh
17:16 < obsrwr> i would have thought i would need a different arp table
17:16 < detha> ip rule to 192.168.1.2 rtable 2
17:16 < detha> then add a route in rtable 2
17:17 < obsrwr> ok i'll try
17:17 < mcdnl> if it doesnt know the other interface is directly connected
17:17 < mcdnl> it will forward it instead of "directly delivering" the packet into the interface
17:18 < obsrwr> actually it doesn't even "directly deliver"
17:18 < obsrwr> the packet is seen from tcpdump as exiting but nothing reaches eth2
17:18 < obsrwr> somewhere it is silently dropped
17:19 < obsrwr> but i think tcpdump is a few layers above the TX ring of the nic
17:19 < detha> you are trying to make the kernel do things the kernel devs have tried very hard from not happening....
17:19 < obsrwr> haha
17:20 < obsrwr> i was considering to cheat like do mac-nat with ebtables
17:21 < obsrwr> if eth2 receives ::5 , nat to ::2, then back
17:33 <+catphish> what are you trying to achieve?
17:33 <+catphish> ah, just found the start
17:34 < obsrwr> to test SRAM and DDR memories of an ethernet switch in the long run
17:34 <+catphish> obsrwr: to answer your first question, linux will never allow an inbound packet with a source IP of itself, it will be silently dropped
17:34 < obsrwr> i just want a simple way to generate traffic from one host between 2 interfaces
17:34 < obsrwr> catphish: it will with network namespaces... which i don't have
17:34 <+catphish> so even if you make your packet loop, it will be dropped unless you "spoof" the source ip
17:35 < obsrwr> like do SNAT?
17:35 < obsrwr> snat on inbound, hm
17:35 <+catphish> frankly i'd skip all that and just open a raw ethernet socket
17:35 <+catphish> and send it manually
17:36 <+catphish> assuming there no actual practical reason you want this to work
17:36 < obsrwr> raw ethernet socket, hm
17:37 <+catphish> also you definitely *can* do this using multiple routing tables, but only if the original source (ie the source IP of the packet) is not the host doing the weird loop
17:37 < obsrwr> i can just send L2 packets through the linux network stack?
17:37 <+catphish> ie an intermediate router can do this, but not the host that created the packet
17:37 <+catphish> obsrwr: yes, you just open a raw ethernet socket
17:37 < obsrwr> i'll look into that thanks
17:37 <+catphish> ten you can write your own raw ethernet frame and send / receive whatever you like :)
17:38 < obsrwr> that would be more than enough
17:39 <+catphish> https://gist.github.com/austinmarton/1922600
17:42 <+catphish> obsrwr: http://man7.org/linux/man-pages/man7/packet.7.html
17:43 <+catphish> "SOCK_RAW packets are passed to and from the device driver without any changes in the packet data." it's cool if you want to do weird experiments or write a userland ethernet switch
17:45 < obsrwr> catphish: i love IRC, it's like a pool of free hackers
17:46 <+catphish> basically
17:46 < obsrwr> gotta run home, hungry af, thanks again
17:48 < wdc65c02> hi, i have a question regarding queuing on openbsd
17:49 < wdc65c02> i am using an openbsd box as a router and am trying to limit download and upload speed for a single host
17:49 < wdc65c02> so far I have "queue main on $lan bandwidth 1000M"
17:50 < wdc65c02> along with 2 leaf queues
17:51 < wdc65c02> "queue limited parent main bandwidth 1M min 0K max 1M burst 3M for 1000ms" (the slow queue) and "queue unlimited parent main bandwidth 1000M min 0K max 1000M default"
17:51 < wdc65c02> the host i want to slow down is defined in a table <slowfolk>
17:51 < wdc65c02> so for limiting download speed i have a rule "pass in on $lan from <slowfolk> to any set queue limited"
17:51 <+catphish> i don't know bsd at all, but i shall provide one piece of advice: you can generally only limit on tx interfaces, so consider that you may need to have the queue on the right interface for the traffic in each direction
17:52 < wdc65c02> catphish: hmmm that makes sense, ill try it
17:52 < wdc65c02> but basically if i have working download limits
17:52 < wdc65c02> and i have that queue in lan
17:52 < Kingrat> if you use pipes and ipfw you can do it on both ingress/egress on the same interface
17:52 < Kingrat> but it doesnt tie in nicely with pf atm
17:53 < wdc65c02> it means i would need a queue on $wan
17:53 <+catphish> so if this is a router between the host and the internet, for the host's download, you'd need to use the queue on the internal interface, and for its upload you'd use the wan interface
17:53 < wdc65c02> hmm
17:53 < detha> wdc65c02: you can do it with one rule like that, or just throw in a 'match in on $intf from <slowfolk> set queue slow
17:53 < wdc65c02> hold on lemme try that
17:54 < wdc65c02> detha: oh ok you just want me to use that rule instead
17:54 < wdc65c02> ok
17:55 < wdc65c02> yeah its cleaner
17:56 < detha> wdc65c02: matter of taste, that's how I do it - match for some ToS from upstream or some address, and put the connection state in the right queue
17:56 < wdc65c02> no i can see how that reads better
17:56 < detha> then the actual pass/rejects go in a separate rule
17:56 < wdc65c02> the most important thing is to be able to actually see what the hell you have written 3 years ago
17:58 < wdc65c02> ok now im a little confused as to how i would set a limit on the wan interface
17:58 < wdc65c02> if i do the same as for the lan (different names obviously)
17:59 < wdc65c02> then how do i match packets after they have been natted?
17:59 < detha> the limit actually sits on the lan interface - you cannot limit what gets sent to you, as catphish said, but you can limit what gets sent to the client
17:59 < detha> TCP will slow down when you limit it like that
18:00 < wdc65c02> so match in on egress to <slowfolk> set queue u_limited?
18:00 < wdc65c02> that doesnt do anything
18:00 < detha> I do it the other way around, match in in $int_if from <slowfolk> set queue limited
18:00 < detha> that sets state
18:01 < detha> *match in on
18:01 < wdc65c02> that limits download speed
18:01 < detha> correct.
18:01 < wdc65c02> thats what im doing alreay
18:01 < wdc65c02> already(
18:02 < wdc65c02> i am trying to control upload speed
18:02 < detha> ok, then you have to have a queue on wan_intf
18:02 < wdc65c02> the wan interface?
18:03 < detha> yeah. but rules on 'match out on wan_int ...' come after NAT
18:03 < wdc65c02> yeah thats what i was wondering
18:03 < Apachez> https://imgur.com/gallery/k3YTHdJ  GDPR We have updated our privacy policy
18:04 < detha> I think you will need to do marking in an 'match in on lan ....', then a 'match out on wan tos 0x01'
18:04 < wdc65c02> detha: can i "tag" packets like i would do in smtpd
18:05 < wdc65c02> hmm
18:06 < detha> the (in)conveniences of NAT
18:09 < wdc65c02> maybe i can tag them in my nat line?
18:11 < detha> set tos in the nat line should work, but do you have a separate nat line for <slowfolks> ?
18:11 < wdc65c02> i can make one
18:12 < wdc65c02> my current nat line is "match out on egress inet from !(egress:network) to any nat-to (egress:0)"
18:13 < detha> I would make a separate match rule, just for the tagging; keep it separate from routing logic
18:14 < wdc65c02> match out on egress inet from <slowfolk to any set tos 0x01
18:15 < detha> ehm, match in on int_intf from <slowfolk>
18:15 < detha> you want to tag the initial packets
18:15 < wdc65c02> should i just add it to my download queue rule
18:15 < detha> that would work I guess
18:15 < wdc65c02> i already have match in on $lan from <slowfolk> set queue d_limited tag slow
18:16 < wdc65c02> erm ignore the "tag slow" i just added that now
18:16 < detha> yeah. then you can do the egress rule on the 'slow' tag
18:17 < wdc65c02> so then "match in on $isp tagged slow set queue u_limited"
18:17 < detha> that would be download?
18:18 < wdc65c02> no upload
18:18 < detha> $isp is the wan interface?
18:18 < wdc65c02> yes
18:18 < wdc65c02> and no that rule doesnt work (just tested)
18:18 < detha> so to limit upload, match out on $isp tagged slow set queue limited
18:19 < wdc65c02> nope, doesnt do a thing
18:19 < wdc65c02> still the most asymmetric connection ever
18:20 < wdc65c02> im still a little confused about "in" and "out"
18:20 < wdc65c02> gg/in
18:20 < wdc65c02> erm wrong window
18:20 < detha> vi ;)
18:20 < wdc65c02> actually the manpager
18:20 < wdc65c02> man pf.conf
18:21 < detha> think like the packet - initial SYN goes in on $lan, out on $isp
18:21 < wdc65c02> right
18:22 < wdc65c02> so that packet can be matched either "in on $lan" or "out on $isp"
18:22 < wdc65c02> hold on
18:22 < wdc65c02> you said i cant limit RX, only TX right?
18:23 < wdc65c02> wait nvm
18:24 < drathir> mornin/evenin...
18:24 < wdc65c02> moin
18:24 < wdc65c02> detha: ok now im very confused
18:24 < wdc65c02> my (working) download limit
18:24 < wdc65c02> is:
18:24 < wdc65c02> match in on $lan from <slowfolk> set queue d_limited
18:25 < wdc65c02> how can it be "from <slowfolk>"?
18:25 < wdc65c02> unless you are specifically talking about TCP where it could mean that it is the initiator of that connection
18:26 < detha> you match the packets based on source, then set that flow to queue d_limited
18:26 < detha> each flow (tcp, udp, whatever) has state
18:26 < wdc65c02> huh
18:28 < wdc65c02> oh wait i got it
18:28 < detha> from man pf.conf: "By default pf(4) filters packets statefully: the first time a packet matches a pass rule, a state entry is created."
18:29 < detha> you can add 'no state' if you don't want it to
18:30 < wdc65c02> hmmm
18:38 < wdc65c02> well ill need to figure this out slowl
18:38 < wdc65c02> slowly*
18:39 < wdc65c02> luckily for now i only need to worry about 4k netflix shit
18:39 < wdc65c02> eventually some torrent folk may use this network
18:50 < rtmataeu34> hello
18:50 < skyroveRR> hi
18:51 < rtmataeu34> skyroveRR: hi
18:52 < rtmataeu34> hows things
18:53 < skyroveRR> They're good, over there?
18:53 < rtmataeu34> usual
18:53 < rtmataeu34> gonna make lunch soon
18:53 < skyroveRR> What does that mean?
18:54 < rtmataeu34> correction- things are fine
18:54 < rtmataeu34> lol
18:56 < rtmataeu34> got an old laptop with a screen that quit- was thinking of making it like a network monitor or some sort of appliance
18:56 < rtmataeu34> but its pretty old
18:58 < Apachez> https://pbs.twimg.com/media/DfnuGu-WsAIatlp.jpg:large  :D
18:59 < rtmataeu34> wait a second. .
18:59 < rtmataeu34> that sure is some good looking ice
19:13 < ||cw> rtmataeu34: is it like Pentium 2 old?
19:15 < efb> is it possible to have CUBE register to sip servers on different vrfs ? I.e sipserverA on VRFA and sipserverB on VRFB?
19:29 < rtmataeu34> ||cw: compaq v2000
19:30 < rtmataeu34> its the AMD turion one w 2GB ram
19:30 < ||cw> not terrible
19:30 < rtmataeu34> no
19:31 < ||cw> does it have gigE?
19:31 < rtmataeu34> had debian on it atm and can ssh with it
19:31 < rtmataeu34> good question
19:33 < rtmataeu34> 10/100 ethernet lan w b/g wireless
19:33 < rtmataeu34> :(
19:34 < rtmataeu34> tried using it as a pi-hole server once via wireless but the dns became quite slow because of it
19:35 < ||cw> yeah i wouldn't do that on b/g
19:35 < rtmataeu34> just wanted to see :)
20:26 < Aviyah> I am back. You guys still around?
20:26 <+catphish> Aviyah: there are 1290 people here
20:26 <+catphish> :)
20:27 < n3t> Shhh, don't scare them.
20:27 < Aviyah> I know,. Those with whom I spoke earlier will know who I addressed.
20:27 < Aviyah> But anyways, I am a big fan of this room.
20:27 < Aviyah> It has a good culture.
20:30 < kottt> o/
20:44 < skyroveRR> \o
20:56 < forgotmynick> I have 2 IP's pointing to servers at the same data centre taking completely different routes. One has 8 hops, the other has 14. The ping averages are the same. What are the disadvantages of more hops aside from more points of failure (I'm assuming)?
20:56 < grawity> worse latency, usually
21:01 <+pppingme> forgotmynick are they pointing to the same server, or different servers?
21:04 < forgotmynick> pppingme: different servers, same rack
21:15 <+catphish> forgotmynick: the ISP is likely sharing load across multiple upstream connections, its not likely to be a big problem
21:15 <+catphish> they may have different latency, but hopefully not dramatically so
21:16 <+catphish> oh yeah, you said latency was the same, so i wouldn't worry about it
21:16 <+catphish> just balancing different routes, ISPs do that sometimes
21:18 <+catphish> the route the other way is likely the same for both :)
21:35 < epitamizor> if lan is faster than upstream, it's better to use iterative dns queries?
22:10 < rtmataeu34> any recommendations for irc "hardening"
22:14 < Aeso> rtmataeu34, how do you mean? server or client?
22:14 < rtmataeu34> Aeso: client side atm
22:14 < Aeso> Use a bouncer, make sure you use SASL to authenticate to the IRC servers, etc
22:16 < rtmataeu34> i havent made a key yet
22:16 < rtmataeu34> cert*
22:18 < rtmataeu34> cool thanks ill have to look more into it
22:26 <+catphish> TLS is a good starting point
22:32 < rtmataeu34> hi catphish
22:38 < wdc65c02> detha: so um
22:38 < wdc65c02> any idea how different openbsd's pf is from freebsd pf?
22:39 < wdc65c02> i know how to achieve upload limits on pfsense
22:39 < wdc65c02> so i setup a pfsense vm
22:39 < wdc65c02> do limits
22:39 < DoctorDick> limters?
22:39 < wdc65c02> dump the pf rules table
22:39 < wdc65c02> DoctorDick: uh yea
22:40 < DoctorDick> I love pfsense
22:40 < wdc65c02> im trying to limit upload speed of a single host behind my NAT (obsd router)
22:40 < felda> I ALSO LOVE PFSENSE
22:40 < DoctorDick> WANNA HOLD HANDS?
22:40 < felda> YES
22:40 < DoctorDick> OKAY!
22:40 < felda> I actually own the pfsense nick on freenode lmao
22:40 < wdc65c02> pfsense is cool and all but i dont want magic, i just want to lern teh ruules
22:40 < wdc65c02> lol
22:40 < wdc65c02> so i can do teh fairwall without leaving it to the pf gods
22:41 < felda> have you seen this thread?  https://forum.netgate.com/topic/48694/limit-bandwidth-per-ip/5
22:41 < wdc65c02> i know how to do it in pfsense
22:41 < wdc65c02> i want to do it on openbsd
22:42 < felda> ah
22:42 < wdc65c02> so ill do it in a pfsense vm
22:42 < wdc65c02> then dump the rules
22:42 < felda> I haven't fooled around with PF on OBSD
22:42 < wdc65c02> and try to figure them out
22:42 < felda> does PF on OBSD do limiters?
22:42 < wdc65c02> im fairly sure it can
22:44 < rtmataeu34> how can i pfsense
22:44 < rtmataeu34> and can i use a really old AF laptop
22:44 < rtmataeu34> :D
22:45 < felda> you could run a VM to try it out
22:45 < felda> pfsense would probably struggle on anything older than a Core2Duo
22:46 < wdc65c02> not really?
22:46 < wdc65c02> ive run it on worse
22:46 < wdc65c02> pentium HT
22:46 < wdc65c02> in production
22:46 < felda> well yeah I've run it on old pentium watchguard
22:46 < wdc65c02> 100mbit dualstack routing with some heavy rules+proxy+couple of vpns
22:46 < felda> but new versions are getting heavier
22:47 < wdc65c02> this was a while back ill admit
22:47 < wdc65c02> like 2 years
22:47 < felda> RIP 32bit pfsense
22:47 < wdc65c02> r i p
22:48 < felda> PF originated on OBSD so in theory PF on that platform should be newer?
22:48 < wdc65c02> in >>theo<<ry
22:48 < Aeso> do I remember that pfsense backported some patches to make pf multithreaded?
22:49 < wdc65c02> no one leaves till the raadt speaks
22:49 < Aeso> I could be wrong, it's been a while
22:49 < wdc65c02> i thought freebsd did the multithreaded pf first and openbsd took it back
22:50 < felda> I guess now that i think about it I don't really know much of anything about the original PF
22:50 < felda> I just always used pfsense
22:50 < Aeso> eh, at this point eBPF >>> all
22:50 < wdc65c02> just remember that openbsd is never usually faster
22:50 < wdc65c02> but they are usually correct
23:29 < yates> any samba experts here (under linux)?
23:30 < yates> i'm trying to create a samba share on ubuntu 16.04lts. https://paste.fedoraproject.org/paste/wCM7xnYQBNut8vbmVLEyXA
23:30 < yates> testing yields this https://paste.fedoraproject.org/paste/wmMPwJNtRBt-5-krQAsH8w
23:30 < yates> i've googled and all leads fizzle out..
23:33 < ||cw> yates: -L means list, you only give the server name, not the UNC.  also IPs don't always work as a name, there's a separate option for that
23:33 < ||cw> also, #samba ?
23:33 < ||cw> you did smbpasswd -a your user right?
23:33 < yates> ||cw: no, i did not
23:34 < ||cw> needed for the NTML hash
23:38 < yates> ||cw: smbpasswd itself gives the same error: Unable to connect to SMB server on machine 127.0.0.1. Error was : NT_STATUS_CONNECTION_REFUSED
23:41 < yates> ||cw: what is the alternate syntax for ip address?
23:41 < ||cw> are you sure it's running?
23:41 < yates> systemctl restart smbd
23:41 < yates> systemctl status smbd says it active
23:42 < yates> it's
23:42 < jvwjgames__> can I advertise my v6 range over the internet if i got the space from ARIN
23:42 < jvwjgames__> ?
23:42 < ||cw> man smbclient says -I
23:42 <+pppingme> not running; firewall; not listening due to bad config
23:42 < yates> oh $*(#
23:42 <+pppingme> jvwjgames__ sure, when you find someone to peer with
23:42 < yates> what port does smbd use?
23:42 < jvwjgames__> i have CenturyLink ARIN said they should let me
23:42 < yates> i think the firewall is blocking it...
23:43 < jvwjgames__> CenturyLink residential that is
23:43 <+pppingme> over a residential connection, probably not
23:43 < jvwjgames__> cause i thought BGP was blocked on residential ISP's
23:44 <+pppingme> its not that its "blocked" its more simply they just simply don't do it
23:44 < jvwjgames__> I did tell ARIN that it would be from a residential ISP and they still said yes they should let you
23:44 < jvwjgames__> so i got an IPV6 /36 from ARIN
23:44 <+pppingme> you might be able to get them to advertise the space, then deliver it to you over a typical routed subnet, like they might do for a business connection
23:45 <+pppingme> but they aren't going to do that for some $30/month residential acct
23:45 < jvwjgames__> :(
23:46 <+pppingme> do you have an AS#?
23:46 <+pppingme> or just a /36 assignment?
23:46 < jvwjgames__> So i can't goto my router and say setup BGP with google will Centurylink Still block it?
23:46 < jvwjgames__> just a /36
23:46 < jvwjgames__> i will get an ASN
23:46 <+pppingme> no, bgp doesn't work like that
23:47 <+pppingme> if you have an AS, you can tunnel to HE, and talk bgp to them
23:48 <+pppingme> that'd be free
23:49 < scientes> mind if I ask, why do you care for a /36?
23:49 < scientes> I mean /64 is pretty big
23:50 <+pppingme> scientes the pracitice is t assign a /64 per network, so if he has customers, or runs multiple subnets, each gets a /64
23:50 <+pppingme> so with that practice, no, a /64 isn't "pretty big"
23:50 <+pppingme> its exactly one network, one subnet
23:51 < jvwjgames__> So basically without the Tunnel even if I had an ASN it still wouldn't work?
23:51 <+pppingme> jvwjgames__ you always have to "peer" with someone, you don't just start throwing bgp out and hope its seen, it doesn't work like that..  If you "peer" with centrylink, then that also means they "peer" with you.. and takes manual configuration from both parties..
23:52 <+pppingme> note that "peer" I'm talking about a bgp concept, that doesn't mean from a transit or billing perspective that its still viewed as a "peer"ing relationship
23:52 < jvwjgames__> ok
23:53 <+pppingme> and in most cases, that "peer" needs to be a device that you're directly connected to..
23:53 <+pppingme> thus why HE is able to do it over a tunnel, the tunnel simulates a direct connection between your router and HE's router
23:53 < jvwjgames__> oh ok
23:54 <+pppingme> in most cases, isp's aren't even talking bgp on the customer edge of stuff
23:54 <+pppingme> thus, they can't peer without special setup
23:56 <+pppingme> jvwjgames__ what are you doing with this /36 ??
23:57 <+pppingme> does it amount to play/learning/experimenting, or does it amount to something missin critical, or what?
23:57 < jvwjgames__> I have a webhosting business and i prvide web hosting, VPS, and LXC Services
23:58 < jvwjgames__> I am classed as an "ISP" according to ARIN
23:58 < jvwjgames__> witch is why they gave me an ISP allocation sized /36
23:59 <+catphish> you need an AS number and someone to peer with, that is all there is to it
--- Log closed Fri Jun 15 00:00:15 2018