--- Log opened Fri Jun 15 00:00:15 2018
--- Day changed Fri Jun 15 2018
00:00 <+pppingme> well you could get your asn, start with an HE peering over a tunnel, then add real connections as you grow, then once you have at least two other connections, drop HE tunnel
00:00 <+catphish> jvwjgames__: i believe you can always peer with HE over a tunnel
00:00 <+pppingme> catphish yes, HE will bgp peer over a tunnel
00:00 < scientes> is the ipv6 privacy extensions on by default?
00:00 <+pppingme> or at least they used to
00:00 <+catphish> scientes: yes in most operating systems
00:00 <+pppingme> scientes varies by OS
00:01 < scientes> no, how do i turn them on
00:01 < scientes> debian, firefox
00:01 < yates> y
00:01 <+catphish> run "ip addr" see how many ipv6 addresses you have
00:01 < scientes> i have them under "ip addr", but firefox isn't using them
00:01 <+catphish> what ip is it using?
00:02 <+catphish> it should always use the most recent address
00:02 < scientes>     inet6 2603:3023:903:9000::dcd5/128 scope global dynamic noprefixroute
00:02 <+pppingme> scientes I believe that most distribs enable it for "workstation/desktop" installs, but disable it for "server" installs
00:02 < scientes> instead of     inet6 2603:3023:903:9000:62a4:4cff:fe60:d3ce/64 scope global dynamic mngtmpaddr noprefixroute
00:02 <+catphish> that looks like a static ip
00:02 <+catphish> you wont get rivact extensions if you're using a static ip
00:02 <+pppingme> that too
00:02 < scientes> it was DHCPv6
00:03 <+catphish> oh ok
00:03 <+catphish> well it looks like you do have privacy addresses too
00:03 < scientes> now how do i get firefox to use them
00:03 <+catphish> maybe the dhcp address was added later
00:03 <+catphish> firefox doesnt choose afaik
00:03 <+catphish> the os does
00:04 <+catphish> and usually the most recent, not sure why it wouldnt be the privacy address unless the dhcp address was maybe added after
00:04 <+catphish> which seems plausible if slaac ran before dhcp did
00:04 <+catphish> im afraid i dont know for sure though
00:06 < scientes> oh no i didn't have a temp addr
00:06 < scientes>     inet6 2603:3023:903:9000:6c09:949b:521d:a492/64 scope global temporary tentative dynamic
00:06 < scientes> https://docs.menandmice.com/display/MM/enable+IPv6+privacy+extension+on+Ubuntu+Linux
00:07 < scientes> but it only works if everyone on the subnet uses tmp addresses
00:07 < tds> it's worth keeping in mind that ubuntu server will use the native kernel stuff for slaac + privacy addresses (so modifying the sysctls makes sense) while desktop uses network-manager (so you need to mess with stuff through that)
00:08 < scientes> I have NetworkManager, but you can mix and match because of systemd/udev introducing stable device names
00:08 < tds> oh actually, I guess server uses systemd-networkd now, idk how that handles RAs and stuff
00:08 < scientes> tds, doesn't it still use ifupdown?
00:09 < scientes>  /etc/networking/interfaces, with systemd-networkd optional, and RedHat still using NetworkManager everywhere
00:09 < tds> 18.04 server has weird new stuff, they have a python script that reads yaml and generates a systemd-networkd or network-manager config I think?
00:09 < scientes> RedHat isn't even supporting systemd-networkd on RHEL yet, they were asking for a use case for them to support it
00:10 < scientes> is there really that much difference between server and desktop?
00:10 < tds> I think 18.04 desktop is still plain network-manager with the gnome stuff to manage it?
00:11 < scientes> yeah but you still have /etc/networking/interfaces
00:11 < scientes> and can enable systemd-networkd if you want---hell connman is even available in the repos
00:12 < scientes> connman is faster at getting a wifi connection than NetworkManager
00:12 <+pppingme> anonymip your IP is 193.183.116.68
00:14 <+catphish> not any more, he changed host
00:14 <+catphish> :)
00:17 < tds> scientes: yeah, just tried an 18.04 desktop iso, out of that box that's network-manager, while server is netplan + systemd-networkd
00:18 < scientes> hmm i use debian for server so i never notices
00:18 < scientes> and ubuntu for desktop
00:18 < Dagger> <scientes> but it only works if everyone on the subnet uses tmp addresses <-- wait what
00:18 < scientes> the privacy part of it
00:18 < Dagger> you can use privacy extensions on a single host, no need for everybody to use it
00:18 < tds> yeah, I do the same, network-manager on my desktop/laptop and debian+ifupdown on all the servers
00:19 <+catphish> it works fine if only one host uses it
00:19 <+catphish> of course only that person will be anonymous
00:19 < scientes> but you don't get any extra privacy
00:19 <+catphish> yes you do
00:20 <+catphish> the person using the privcy estensions becomes anonymous
00:20 < Dagger> the amount of privacy you get is the same regardless of whether or not anybody else on the subnet is using privacy extensions
00:20 <+catphish> as their ip isn't linked with their machine's hardware
00:20 <+catphish> what Dagger said
00:20 <+catphish> it doesn't matter if anyone else on your network uses it or not
00:21 < scientes> oh i c ipv6 static addresses (DHCPv6)are more deterministic than DHCPv4?
00:21 < scientes> well actually you have NAT so that does the NAT thing....
00:21 <+catphish> no, but they're less likely to be hidden by nat
00:22 < Dagger> DHCP is kinda completely orthogonal to any of this
00:22 <+catphish> also most people dont use dhcp with ipv6
00:22 < scientes> why is my ip linked to my mac address?
00:22 < turtle> because that's literally how ips work
00:22 < scientes> with ipv6
00:22 <+catphish> because without dhcpv6 you use slaac, where hosts choose their own ip
00:22 < tds> by default it'll likely use eui64 if that's what you mean?
00:23 <+catphish> and one common way to do this is based on the MAC (eui64)
00:23 < scientes> gotcha
00:23 <+catphish> this has 2 problems 1) your ip is linkable to your hardware 2) your address can be tracked even when you go to a different network because the second part is the same
00:24 <+catphish> and so random privacy addresses were invented
00:24 < Dagger> many OSs are moving to RFC7217-style addresses, in which case your MAC won't end up in the SLAAC address anyway
00:24 < Dagger> and is also not trackable between networks, since the prefix is part of the hash
00:25 < scientes> iphone even uses a fake mac address to listen for SSIDs
00:25 < Dagger> privacy addresses do still serve the useful purpose of rendering historical logs of addresses useless after a week though
00:25 <+catphish> does RFC7217 somehow produce a consistent non predictable address?
00:26 < Dagger> HASH(prefix, MAC, salt)
00:26 < tds> I'd be interested in how people are handling that, presumably logging neighbour tables?
00:27 < Dagger> 802.1x is how you identify hosts on L2
00:27 <+catphish> or just not logging it
00:27 < Dagger> if you're not using that then you don't really care about identifying hosts
00:27 < tds> yeah, that would record the mac address on the radius server, so you'd need to log ndp as well surely?
00:28 <+catphish> Dagger: and what is the salt, something random your host generates and stores? seems ideal if so
00:28 <+catphish> seems like you would need to log ndp
00:28 < Dagger> catphish: yeah, that
00:29 <+catphish> fortunately i have no interest in doing this
00:29 < tds> I'm the only user on my network, so that at least makes abuse reports easy to handle ;)
00:30 <+catphish> lol
00:46 < seven-eleven> hi, do people create a vpn if they want to backup between sites or do they just rely on the backup software encryption and connect to the remote client by its WAN IP?
00:47 <+pppingme> seven-eleven its best to NEVER expose any service or traffic that doesn't need to be exposed..
00:47 <+pppingme> in reality, if you have multiple sites, they are probably already connected via tunnels, if they aren't, then there's probably serious questions about your setup anyway
00:48 < seven-eleven> pppingme, yeah, i was worrying using the WAN IP of two sites is a bad idea, because you'd have to reveal your custom dns server to the WAN, so the two sites can talk to eachother by their fqdns
00:50 < seven-eleven> hmm do people just add another site B to their VPN subnet A or do they create another tunnel that only connects to one machine within site A? i think you can run only one vpn server in one network, so you'd have to use something like ipsec/pptp for the second tunnel
00:51 < seven-eleven> maybe some companies have a very restrictive or complex network so you can't just add another site B to the site A's VPN network, so a second tunnel based on a different protocol is used
00:52 < seven-eleven> so you'd have a GW in site A tunneling to site B
00:58 < seven-eleven> say a company has a Site_A 192.168.0.0/24 10.8.0.0/24 tunneled to SITE_B 192.168.1.0/24 10.8.0.1/24 and now SITE_C wants to connect to SITE_A in a third subnet 10.9.0.0/24
00:58 <+pppingme> seven-eleven if its a fully controlled (you control) everything within both networks, you'd typically do the tunneling at the router level, so users don't even know there's a vpn involved, just acts like two directly connected sites
00:58 <+pppingme> and there wouldn't be two subnets per site, just one
01:02 < seven-eleven> pppingme, can you do that router to router subnet with openvpn?
01:03 <+pppingme> if the router can run openvpn
01:03 <+pppingme> openwrt for example can
01:03 < seven-eleven> hmm, so hosts from site_A and site_B both have IPs within 10.8.0.0/24 and don't need another 192.168.0.0 subnet right?
01:04 <+pppingme> no, each is on its own /24
01:04 <+pppingme> and depending on how you setup openvpn, you might have a /30 on the tunnel itself
01:04 <+pppingme> (personally I always run it in point to point, aka v1 mode for site to site, then server/client for users)
01:07 < seven-eleven> hmm, i see, then i'd use simply a route via my VPN_router if I want to contact an IP within the other's site?
01:09 < seven-eleven> 192.168.0.10 in site A wants to connect to 192.168.2.10 in site B, then i'd do `ip route add 192.168.2.0/24 via 192.168.0.1` and 192.168.0.1 routes e.g. to 10.8.0.2 (site B router)
01:09 <+pppingme> the site routers have full routing to the other sites.. you don't route individual ip's, you simply route the whole subnet and be done with it
01:09 < seven-eleven> yeah
01:09 <+pppingme> also a good idea to avoid 192.168 and also keep all your subnets similar (dont' use 10.8 either)..
01:10 < seven-eleven> what subnet do you recommend?
01:10 <+pppingme> is one of these sites more like an "HQ"?
01:10 <+pppingme> anything out of rfc1918
01:11 < seven-eleven> yeah one is like a HQ
01:12 <+pppingme> then do 10.50.1.0/24 for HQ, 10.50.2.0/24 for 2nd site, and so on..
01:13 <+pppingme> then pick /30's out of 10.50.255.0 for your point to points if you do it that way..
01:14 <+pppingme> crank up ospf on everything specifying a "network" statement of 10.50.0.0/16 for area 1 and be done with it, or use isis, or even use rip2 if you want to keep it really simple
01:16 <+pppingme> you implement one of those and you won't have to add any routes manually
01:18 < seven-eleven> never set up rip2 & co, i'll check those out. and with the /30 p2p thing, I'd have for example 10.50.255.1 for HQ and 10.50.255.2 2nd site?
01:19 <+pppingme> right
01:19 <+pppingme> actually, for p2p, technically they don't have to be part of a /30
01:19 < seven-eleven> yeaaah that's a much better solution than my initial idea to add the other site directly to the HQ subnet
01:20 < seven-eleven> better one /30 p2p with routing than /24 mess
01:20 <+pppingme> I'm assuming you're doing AD, point everyone to a common DNS server, or replicate dns across sites, up to you, and everything AD related will just simply work
01:23 < seven-eleven> i want to deploy bacula which wants to use FQDNs of hosts to do the backup, so I'd have to run my own dns server to translate the hosts IPs and bacula server IP to FQDNs
01:25 < seven-eleven> but I think most HQs have their own dns server already running, so I'd have to just add the p2p tunnel and the bacula server IP of site_B 10.50.2.10 to their dns server
01:27 < seven-eleven> using /etc/hosts is quiete inconvenient when you have many hosts to backup or changing IPs, so I think a custom DNS is the way to go :-)
01:28 <+pppingme> If your'e doing AD (you never really said, but sounds like heavy windows environment), you're already forced to be using MS's dns..
01:28 < seven-eleven> ahhh I think AD will be involved yes :|
01:31 < seven-eleven> so I would be adding site_B's backup server to the AD. guess I'm going to setup an AD server to see how DNS configurations works in it
01:42 < ryao> I want to buy a gigabit switch for my cousin so that his PS4 can download games faster. Is there any reason that I am missing why I should not just buy the cheapest gigabit switch on Amazon for him? https://smile.amazon.com/D-Link-5-Port-Unmanaged-Gigabit-GO-SW-5G/dp/B008PC1FYK
01:44 < ntd> never buy d-link hw
01:44 < ryao> ntd: Why is that?
01:45 < ntd> well, in the case of a five-port dumb switch you may not get any headaches
01:46 < ryao> ntd: I am starting to wonder if I want to know the reason now.
01:46 < seven-eleven> ryao, if you don't want to do VLAN tagging you'll be fine with an unmanaged gigabit switch. if you have an unused consumer router you could even use that as a gigabit switch, but a dedicated switch has less power consumption
01:46 < ntd> sec cameras, wired/wifi nics, etc: just no
01:47 < ntd> these are the people who published their code signing certs on github
01:47 < ryao> seven-eleven: This is for my cousin. They don't do VLAN tagging at his house. ^_^;;
01:47 < ryao> ntd: lol
01:47 < ntd> so msft blaclisted/revoked their cert
01:47 < ryao> ntd: lol
01:47 < ntd> meaning the latest drivers and stuff couldn't be installed
01:48 < ntd> the old drivers were shit and did dlink publish a new, properly signed one? nope
01:48 < ryao> ntd: I used to have an 8-port unmanaged switch from dlink, but I gave it away after I switched to managed switching.
01:48 < ryao> It seemed to be okay.
01:49 < ntd> ryao, basically a run-of-the-mill realtek dumb switch with a plastic housing
01:49 < ntd> only thing d-link about it is the housing/branding
01:49 < ryao> ntd: That is what I expect. :)
01:49  * ryao just wants a switch chip in an enclosure with ports and a PSU.
01:50 < ntd> but their sec cameras: shiiit. buggy fw, never gets updated
01:50 < ryao> I wouldn't touch their security cameras. They aren't OSS.
01:50 < ryao> I'd sooner setup a picam.
01:50 < ntd> lens is to small
01:51 < ryao> ntd: I haven't found my idea security camera yet.
01:51 < ntd> me neither
01:52 < ntd> also, securing a pi is a PITA
01:52 < ntd> the 3b+ with POE hat can be nice, but i wonder why no one had made an IP67 dome housing for it+cam
01:52 < ntd> has
01:52 < ntd> i mean, doing LUKS on a pi is PITA
01:54 < ryao> ntd: I haven't thoroughly researched it, but it comes close to being able to check off the boxes.
02:33 < spaces> linux_probe alive ?
03:59 < wizzi> Hello, what are the powerful tools for test hacking wifi ?
04:06 < wizzi> No one is here ?
04:54 < sanzabark> Anyone here know about Macs? I have a Mac and USB with El Capitan on it. Mac doesn't have the operating system on it and I want to install from USB. My USB has El Capitan on it but booting from it gives me an apple logo for ever and doesn't install anything. What am I doing wrong?
04:54 < sanzabark> It's been killing me slowly for days now
04:55 < ziggylazer> yeah
04:55 < ziggylazer> Make it bootable
04:56 < ziggylazer> https://tutorials.ubuntu.com/tutorial/tutorial-create-a-usb-stick-on-macos#0
04:57 < ziggylazer> And now you dont have that problem anymore
04:57 < sanzabark> I thought I did using TransMac
04:57 < sanzabark> ziggylazer: when I hold option it shows as an option but selecting it doesn't give me anything
04:58 < sanzabark> I think the fact that Mac detects it means it's already bootable
04:58 < ziggylazer> I dont know macs at all. But you did not make that usb bootable. Asuming that you can select to boot from the USB or have set up some boot order
04:58 < sanzabark> ziggylazer: how do you for sure it's not bootable?
04:59 < ziggylazer> Since IF all other parameters are in order. It boots
04:59 < sanzabark> I don't think all other things are in order; Mac is retarded but making bootable is what I followed already
04:59 < sanzabark> p.s. you can boot from USB, and there is not boot order setup like a BIOS but holding Option key is the way apparently*
05:00 < sanzabark> I wonder if there is a channel dedicated to Mac?
05:00 < ziggylazer> I am sure there is. But look
05:01 < ziggylazer> If you can choose to boot from the USB. And it doesnt boot.
05:01 < ziggylazer> You need to make it bootable
05:07 < sanzabark> ziggylazer: I see certain files and folders which make me believe this is bootable like EFI, BOOT, Install OS X El Capitan....
05:07 < sanzabark> I will redo the process but doubt that's all
05:07 < sanzabark> I think I am missing a step in the process
07:15 < jvwjgames__> I am wondering since I have a /36 assignment can I advertise it from multiple ASN's/sites
07:24 < SwedeMike> jvwjgames__: that has a high likelyhood of working yes. Typically people allow /48 and larger blocks
07:25 < SwedeMike> jvwjgames__: are you going to announce the entire /36 from several ASNs, or smaller blocks with no overlap?
07:25 < jvwjgames__> idk yet
07:25 < jvwjgames__> i am going to tunnel via HE then advertise from there
08:57 < kidn3ys> zzzz
09:13 < seven-eleven> is ospf, isis or rip2 all a cisco thing or can you do this with openwrt??
09:22 < regdude> all of them are open protocols, but OpenWRT doesn't seem to be that advanced in routing to support such protocols, note that those protocols are not meant for home users
09:29 < seven-eleven> regdude, mhm, if it's a simple company HQ network with just <20 computers then static routing might do as well and I dont need a dynamic routing protocol such as RIP2 & co?
09:34 < regdude> seven-eleven: you could, but if the network is flat, no tunnels  connecting multiple branches and you don't need expandability, then go with static routing. For more advanced networks you should go for something else than OpenWRT, something that is meant for advanced networks
09:35 < regdude> of course, for a flat network you could set up OSPF and throw all networks in a single area, couldn't be more easy to setup OSPF, but remember that routing makes sense only when you have multiple subnets. For 20 computers not sure if you are going to have multiple subnets
09:36 < Lope> are there any 802.11ad (yes 60ghz) wifi adapters supported in linux? https://www.aliexpress.com/wholesale?SearchText=802.11ad
09:37 < seven-eleven> yeaah, gotcha. i will check out OSPF & co in packet tracer to learn about them, so if i happen to come accross a more complex network that already deploys dynamic routing I wouldn't be clueless
10:01 < spaces> morning!
10:02 < tya99> i have a network which currently uses no VLANs, but rather aliased interfaces
10:02 < tya99> like https://wiki.alpinelinux.org/w/images/thumb/b/b0/Network_diagram_ipv4_tunnel_LANONLY_ROUTE.svg/900px-Network_diagram_ipv4_tunnel_LANONLY_ROUTE.svg.png
10:03 < tya99> the idea is that the router's eth0 192.168.1.1 (untagged), eth0.2 192.168.2.1 (tagged, traffic destined for ISP), eth0.3 192.168.3.1 (tagged traffic destined for VPN), eth0.4 192.168.4.1 (tagged traffic destined to go nowhere)
10:03 < tya99> i have looked at my managed switch and configured it like so:
10:03 < tya99> https://i.imgur.com/MVE70t7.png
10:04 < tya99> at this point the only 'tagging' should be between the router and the switch
10:04 < tya99> after it gets to the switch it's okay to strip tags
10:04 < tya99> the router is plugged into port 1
10:10 < kidn3ys> the shit people come up with in this channel always amazes me.
10:12 < kidn3ys> tya99: so you've described the network you built -- is there a question in there somewhere?
10:12 < Phil-Work> lol
10:13 < tya99> okay so i'm trying to configure my switch
10:13 < tya99> so that i have 3 separate VLANs, that way the router will have separate interfaces
10:13 < tya99> having one interface and aliased IPs on that is bad because they all share the same broadcast
10:14 < tya99> i have configured the switch like https://i.imgur.com/BR9Bp0l.png
10:14 < tya99> is that the right thing for what i am trying to do? that is my real question
10:15 < tya99> the router by the way is just a linux box and i had been routing based on source IP in iptables
10:15 < kidn3ys> tya99: if you're trying to implement VLANs, you want to tag upstream to the router port, and set the ports that have hosts as 'untagged' in their respective VLANs.
10:15 < tya99> yes
10:16 < tya99> essentially the tagging only will be between the router and the switch
10:16 < kidn3ys> rule of thumb is that only one vlan can be 'untagged' on any given port.
10:16 < tya99> any hosts in the switch will be untagged
10:16 < kidn3ys> tya99: correct
10:16 < tya99> okay so they'd all be in the default VLAN of 1 (the hosts)
10:17 < tya99> that looks like what I did in that diagram https://i.imgur.com/BR9Bp0l.png
10:17 < tya99> E is excluded so tagged connections never go in there
10:17 < kidn3ys> tya99: that looks like what you did
10:18 < tya99> so i didn't noob that up :D
10:18 < kidn3ys> yep
10:18 < tya99> i haven't actually tried it outside of a laboratory experiment :)
10:18 < tya99> the VLANs that is
10:18 < tya99> the other described network in that article works like a charm
10:19 < kidn3ys> you'll want to double check the interface on your router though to see if you are tagging for VLAN1 or not
10:19 < tya99> yep, i can do that with tshark can't i
10:19 < kidn3ys> tshark?
10:20 < tya99> wireshark for terminal to do a capture
10:20 < tya99> and then i can open the pcap on a computer with a user interface
10:20 < tya99> because the router is actually a raspberry pi
10:21 < kidn3ys> err, yea you can probably do that
10:23 < tya99> see my network interfaces on my router https://dpaste.de/x6CA
10:23 < tya99> the idea is that traffic on the ISP VLAN (2) will go out the PPP interface
10:24 < tya99> and traffic on the VPN VLAN (3) will go out the tun0 interface
10:24 < tya99> my ISP implements IPv6 with delegated prefixes (/56)
10:24 < tya99> the VPN provider has a ULA address on the interace so I guess I'd need to NAT there
10:24 < kidn3ys> what distribution is this?
10:24 < tya99> alpine linux
10:24 < kidn3ys> I don't see where you're setting a dot1q tag, unless :2 means vlan 2?
10:25 < tya99> i had wondered whether or not i should have a separate VPN gateway router
10:25 < tya99> no i'm not
10:25 < tya99> in that example
10:25 < tya99> :2 means aliased interface
10:25 < tya99> .2 would be a VLAN
10:25 < tya99> the aliased interfaces though are quite bad because they have the same broadcast
10:26 < tya99> so the problem i was facing was IPs in the 192.168.2.0/24 subnet which would go to the VPN would be issued an IPv6 address through link local and that would go directly to the ISP bypassing the VPN
10:26 < tya99> because i think it was doing all that through the link local broadcast
10:27 < tya99> VLANs i expect will solve that problem because they will be segregated networks with their own broadcast domain
10:27 < tya99> where as aliased interfaces are not, do i understand that correctly?
10:27 < kidn3ys> tya99: so that's kind of what I was saying, you'll need to convert those to use dot1q tags.
10:27 < tya99> yup
10:28 < kidn3ys> but for vlan 1, atleast with the way your switch is configured, you won't assign a dot1q tag to.
10:28 < tya99> and i will be changing it so 192.168.1.0/24 is untagged, 192.168.2.0/24 (tagged traffic for ISP), 192.168.3.0/24 (tagged traffic for VPN) and 192.168.4.0/24 (tagged traffic for nowhere)
10:28 < tya99> yeah and also VLAN 1 is reserved for untagged packets
10:28 < kidn3ys> gotcha
10:29 < tya99> so i have to change the subnets so that 192.168.X.0 ( X = VLAN ID )
10:29 < tya99> the idea then would be IPv6 traffic from my ISP would only go out on VLAN 2
10:30 < kidn3ys> yep
10:30 < tya99> meaning hosts in VLAN 3 won't receive my ISPs prefix
10:30 < tya99> but rather will be in their own ULA behind the NAT
10:30 < tya99> (because the VPN provider has servers that have a single IPv6 address)
10:30 < tya99> obviously no PD as that wouldn't make sense in that scenario
10:32 < tya99> it seems like a more robust way of doing it than poking certain IPs at certain hosts based on their MAC address for DHCPv4/DHCPv6
10:32 < tya99> and android doesn't support DHCPv6 anyway
10:48 < horse> good morning networking dudes
10:48 < horse> is anyone familiar with rx_credits ?
10:49 < Lope> has anyone tried any 802.11ad 60ghz stuff? There are cards for cheap online: https://www.aliexpress.com/wholesale?SearchText=802.11ad
10:51 < meowschwitz> 60ghz
10:51 < meowschwitz> is that even legal?
10:52 < meowschwitz> oh, its unregulated
10:54 < Lope> https://en.wikipedia.org/wiki/IEEE_802.11#802.11ad
10:59 < horse> has anyone got any guide/docs to how network traffic is passed to and from buffers/cache in network cards to (drivers in?) operating systems?
11:03 < meowschwitz> horse: drivers -> PCI -> MAC -> PHY -> wire
11:03 < meowschwitz> and other way around, with interrupts
11:11 < GenteelBen> meowschwitz: I like your nick.
11:15 < melissa666> horse, You should check out the book "Computer Networks: An Open Source Approach"
11:16 < melissa666> http://www.stem-edu.com/wp-content/uploads/2017/02/Computer-Networks-An-Open-Source-Approach.pdf
11:17 < melissa666> it breaks down the linux networking stack, and talks about how packets are handled, and walks through the C sources for key parts of kernel networking code ...
11:19 < kidn3ys> sounds like good bed time reading material
11:21 < meowschwitz> GenteelBen: naturally
11:24 < horse> meowschwitz: thanks.  does the driver have it's own buffer? reason i ask is that we've been seeing a problem with our san which was going on for over a year. the vedor fixed it today saying the problem was the "rx_credits" in the chelsio nic driver where not being returned to the buffer
11:24 < horse> and hence the buffer was slowly draining packets
11:24 < horse> i wasn't sure where this buffer was - in the card or in the driver
11:24 < meowschwitz> horse: of course, multiple buffers very licely
11:25 < meowschwitz> im not familiar with drivers on low level but it sounds like something related to QoS
11:25 < horse> meowschwitz: yeah they said it was related to QiS
11:25 < horse> QoS*
11:26 < horse> but there isn't much info online about this "rx_credit" feature
11:26 < meowschwitz> a quick google suggests the driver counts "credits" before acknowledging receipt
11:28 < meowschwitz> and it appears the credit management is configurable via lkm parameters..
11:28 < meowschwitz> 'not being returned to the buffer' probably means not counted correctly
11:29 < meowschwitz> yeah as a quick guess credits are a method of managing buffer fills in the chelsio driver
11:31 < meowschwitz> horse: is this one of those iscsi fabric cards that support tcp offloading
11:31 < horse> meowschwitz: yeah
11:32 < horse> what i don't understand is does the chelsio driver have it's own buffer running in memory on the os?
11:32 < meowschwitz> horse: that's why, this has nothing to do with low level networking, the rx credit thing is in tcp offload code and has to do with tcp buffers
11:33 < meowschwitz> horse: yes, all drivers would, you'd need to take a copy of the frame in the card specific format and method and return it to the kernel in a common kernel format, I imagine
11:33 < meowschwitz> (again not an OS developer)
11:38 < horse> meowschwitz: cool that makes sense - so there are buffers both at a NIC level and an OS level (part of the driver)?
11:38 < meowschwitz> and probably ten more times along the way
11:38 < djph> well, maybe not quite 10 ...
11:39 < djph> but a fair number nonetheless
11:39 < meowschwitz> i got curious so I am reading rtl8139 driver source now
11:39 < meowschwitz> while the dumbass hyperv is installing
11:52 < regdude> what kind of port security features have you seen across multiple vendor switches? Cisco has sticky ports and has an option to limit a port to a single MAC address. Any other features out there for other vendors?
11:55 <+catphish> the only other thing i could think of would be sniffing dhcp and doing some l3 protection (arp filtering), i don't know if this is something swiches do
11:55 < kidn3ys> it is, its not 'port security' though
11:55 <+catphish> regdude: https://en.wikipedia.org/wiki/DHCP_snooping
11:55 < regdude> yes, that is DHCP Snooping
11:56 <+catphish> dhcp snooping is port security
11:56 < regdude> a metro ethernet stanrdrd feature
11:56 < kidn3ys> bpduguard, root guard, dhcp snooping, arp inspection, unicast/multicast flood control
11:56 <+catphish> and you could extend that to blocking rogue arp
11:56 <+catphish> good list :)
11:56 <+catphish> i forgot some of those
11:57 < kidn3ys> catphish: depends which vendor you ask I guess -- what he mentioned above were literally all controlled with comamnds that contain 'port-security'
11:58 < kidn3ys> i'm speaking from a very cisco centric perspective
11:59 < kidn3ys> dot1x might fall into that category as well
11:59 < regdude> does the Cisco's port-security option involve something more noticeable than just limiting the port to a MAC address?
12:00 < kidn3ys> regdude: you can do a mac or number of macs (in the case you have pcs behind phones)
12:00 < kidn3ys> aging also comes into play
12:00 < Lope> it looks like 802.11ac does include the 2.4ghz band, and ONLY 2 TYPES of AC use 5ghz band ONLY: AC450, AC1300... ?
12:00 < Lope> https://en.wikipedia.org/wiki/IEEE_802.11ac#Advertised
12:01 < regdude> kidn3ys: well aging is important if MAC learning is enabled. I assume that internally Cisco turns off MAC learning and uses static host entries as port security
12:01 < regdude> and, of course, disables unknown unicast
12:01 < kidn3ys> regdude: err, yes, i was referring to the port-security againg for sticky macs
12:02 < kidn3ys> aging*
12:02 < kidn3ys> e.g. if you had a port that random people use for the day but the following day it might be a different device
12:03 < kidn3ys> I forget the default sticky timer
12:04 < kidn3ys> but say it was 4 hours, if someone plugged in with mac AA, then disconnected and someone with mac BB plugged in before the aging timer expired youd trigger port-security to do whatever its configured to do (e.g. shutdown or ignore the new mac)
12:05 < Terraformer> Hello how to get an access to filesystem of consumer market router with web control pannel?
12:05 < kidn3ys> more often than not port-security is a giant pain in the ass and dhcp snooping with arp inspection is much more scalable
12:06 < Terraformer> if it is in your homenetwork
12:07 < kidn3ys> Terraformer: its going to vary based on the router you have and/or not be possible without some tinkering. what are you trying to do?
12:08 < Terraformer> just trying to look at a filesystem
12:08 < kidn3ys> cool, good luck
12:09 < regdude> you know, usually vendors are trying to keep you out of the filesystem
12:09 < Terraformer> looks like no trust in your words
12:09 < kidn3ys> I don't know what that means.
12:10 < regdude> you can always unsolder the NAND chip and read it
12:11 < Terraformer> i have an ancient firmware, so wondering if i've catched some malware
12:11 < regdude> it is very likely that the filesystem is going to be a very common one
12:11 < regdude> what vendor are you using?
12:11 < Terraformer> tplink
12:12 < meowschwitz> Terraformer: binwalk(1)
12:12 < Terraformer> kidn3ys: i dont know what exactly im trying to do at first i think i need to get an access
12:12 < Terraformer> meowschwitz: salam
12:12 < kidn3ys> Terraformer: like i said, good luck.
12:12 < Terraformer> ok
12:12 < meowschwitz> hizar
12:13 < kidn3ys> regdude: i guess you could throw sourceguard in that list as well
12:16 < regdude> kidn3ys: that one seems like simple reverse path filtering
12:17 < kidn3ys> yep, basically the same thing
12:17 < kidn3ys> it sort of overlaps with arp inspection
12:21 < kidn3ys> holy shit am I bored =/
12:22 < regdude> like all fridays
12:23 < kidn3ys> read-only fridays
12:23 < djph> ^
12:24 < regdude> you can read "What Hackers Know About Your Switches", there are some interesting things about port security
12:25 < kidn3ys> could disable cdp/lldp as well I guess.
12:26 < regdude> of course, these protocols can be used to overload the CPU on a switch
12:26 < regdude> a lot of tools out that that does that
12:27 < kidn3ys> such as?
12:29 < regdude> one tools was Yersenia (or spelled something like that)
12:30 < kidn3ys> hrm, i see a vtp attack that it has...
12:31 < jozefk> hi. I am not getting the meaning of "network" part of interfaces file: https://paste.fedoraproject.org/paste/hnAlobGTM-V1Pw3-Kh1WQw
12:31 < jozefk> what is it for?
12:32 < grawity> nothing useful, really
12:33 < jozefk> can I remove it?
12:33 < grawity> if you were asking about 'broadcast' I'd say some networks still use a nonstandard (all-zeros) broadcast address, but
12:33 < grawity> the 'network' value can be perfectly determined from 'address' & 'netmask'
12:33 < grawity> so yeah you can remove it
12:33 < jozefk> thanks :)
13:35 < skyroveRR> .
13:51 < Lope> How can I find out if rtl8821au has good support in linux?
13:51 < light> you could bing it
13:51 < squ> )
14:23 < djph> realtek and ralink / mediatek are all pretty garbage ...
14:29 <+catphish> realtek isn't usually garbage, because it has good open source driver coverage, ralink definitely is
14:30 < jvwjgames__> I agree with catphish
14:30 < kidn3ys> I agree to disagree with catphish.
14:30 < Demos[m]> Lope: I don't know, does linux support Wireless Display port?
14:51 < Lope> Demos[m]: I've got no idea.
14:51 < Lope> I agree with catphish also
14:51 < Lope> DisplayLink is a piece of shit though.
14:53 < Demos[m]> nah that's not what I'm talking about
14:53 < Demos[m]> there's a standard for doing actual display port over 60Ghz, so totally uncompressed
14:55 < Aeso> Demos[m], you got a link to that standard? 4:2:2 4K60 is like 25Gbps uncompressed, I have doubts you'd get any kind of reasonable range at 60GHz
14:56 < Lope> no, I wouldn't expect it to work uncompressed, not without a lot of dropped frames.
14:57 < Lope> might as well compress it and get a decent framerate, but the hardware to compress and decompress data that fast would be intense.
14:58 < Aeso> You might be able to achieve a 'visually lossless' video transport via mezzanine compression, but even that would be pushing bandwidth limits.
15:03 < regdude> some 60G links are over 1km long, seems to be quite stable even at 1Gbps
15:04 < regdude> intel is pushing to 60G to work for multimedia uses in short  distances, I think HTC Vive is going to support a wireless addon
15:04 < Demos[m]> ah it looks like that standard may not be around yet. I'll look around more once I get to the office and can browse the nonfree standards
15:05 < Demos[m]> it's unclear how the compression works. I would guess they do something like hevc compression in hw but br has unique latency requirements
15:17 < rud0lf> hello. i'm writing a bot script to check for i-lines for given ipv6 address.. is there an official page that lists which ipv6 addresses are public namespace?
15:18 < rud0lf> for example fc00::/7
15:21 < Phil-Work> rud0lf, why is there a requirement to know this for said bot?
15:52 < Tywin> Does /etc/hosts support some sort of ip address fallback? If the first IP assigned to a domain fails, try a second one?
15:58 < ||cw> Tywin: no, and dns doens't either.  at best you can round-robin it.
15:58 < Tywin> ||cw, well, darn. Thanks for telling me.
16:01 < UncleDrax> depending on what your mail goal is, there are other ways perhaps to skin that cat
16:01 < UncleDrax> but most are way overkill for a small scale network (ie: what I imagine in most cases of editing hosts files)
16:12 < ||cw> UncleDrax: you'd hope anyway
16:13 < UncleDrax> not that I work in that space, but I imagine there's some justification for doing it on ephemeral containers or something like that.
16:13 < UncleDrax> if you have a static enviroment but can make changes at creation.. saves the speed of doing the resolve
16:18 < tds> AFAIK most browsers at least will retry other addresses if you have multiple a/aaaa records and connecting to one fails
16:19 < tds> I've seen it used for IRC as well, though client support for that was worse, I had situations where my bouncer only wanted to connect to one server (which was down)
16:32 < regdude> is there something noticeable and significant in AVB protocol other than QoS?
17:15 < khelpw> Is anyone here especially familiar with sonicwall CLI? I'm trying to put together repeatable steps to configure some basic settings on TZ300Ws that we send out to our clients and I can't figure out how to assign a default gateway on the WAN interface.
17:16 < djph> DHCP?
17:16 < khelpw> Nah, static IP
17:17 < djph> lemme rephrase -> "DHCP"
17:17 < djph> :D
17:18 < djph> I mean, it should literally be something along the lines of set system gateway [ip_address]
17:20 < khelpw> Doesn't seem to be the case.
17:23 < spaces> I want to make sure that all networks are sexy for the weekend
17:23 < spaces> are they ?
17:24 < regdude> https://bgpstream.com/
17:24 < regdude> I would say they look avarage
17:30 < jvwjgames__> if i tunnel to he and use bgp there don't i need to get an ASN for he to do my bgp
17:32 < Phil-Work> jvwjgames__, not necessarily - they will probably let you use a private ASN
17:32 < jvwjgames__> cause on there from it says public ASN
17:32 < Phil-Work> presumably, though, if you have address space to advertise then you have an ASN
17:35 < jvwjgames__> but arin says i have to pay for an ASN
17:35 < jvwjgames__> i don't have one yet
17:36 < Phil-Work> but you have address space already?
17:36 < jvwjgames__> yes
17:36 < Phil-Work> from Arin?
17:37 < jvwjgames__> yes
17:37 < Phil-Work> speak to HE and see if they'll let you use a private AS but it's worth getting your own
17:37 < Aeso> jvwjgames__, if all of your upstream transit providers support it, you can advertise your space via a private ASN to the carriers and have them announce publically for you
17:38 < Aeso> but you should really just get your own ASN. If you can afford IP space, you can afford a public ASN
17:38 < jvwjgames__> true
17:43 < jvwjgames__> i just called HE they said i could try to use a private AS range
17:43 < Phil-Work> HE, despite their flaws, are really flexible
17:43 < Phil-Work> they ran a custom optic for us
17:44 < jvwjgames__> but won't that private range not work when i try to peer to other people
17:44 < jvwjgames__> on the internet?
17:46 < Aeso> jvwjgames__, a private ASN and private IP space are too different things
17:46 < Aeso> if you're actually intending to announce private IP space, every carrier is going to outright ignore those routes
17:47 < Phil-Work> HE will strip the private AS from the path and just pretend the prefix originated directly from them
17:47 < jvwjgames__> oh ok
17:51 < jvwjgames__> i am trying to google private AS ranges is this correct 64.512 – 65.534 – private AS numbers.
17:58 < Aeso> jvwjgames__, correct. As per RFC 6996
18:02 < spaces> kidn3ys I had quite a good day :D
18:02 < spaces> no need to die(); yet!
18:06 < jvwjgames__> and when i do do bgp do i want to announce my /36 or break it up
18:19 < Aeso> jvwjgames__, that's going to depend a lot on what you're doing internally with those IPS, whether you have multiple upstream carriers, etc. There's plenty of documentation on BGP best practices, I recommend you do some reading
18:26 < tds> jvwjgames__, there's also the larger private as numbers if you want to use those (and all your routers support 4 byte asns, which they should)
18:27 < jvwjgames__> if i chose not to go through he would that work cause there form rejected the private range
18:27 < tds> You'd be reliant on whatever other transit provider you pick to strip the private asns from the path
18:28 < tds> If you want to run your own network, there's very little reason to not get an asn imo
18:28 < jvwjgames__> ok
18:28 < jvwjgames__> I called ARIN i basiclly get it for free
18:28 < tds> :)
18:29 < jvwjgames__> after the $550 fee
18:29 < jvwjgames__> cause i am classed as an ISP so the yearly fee foir the ASN is waived
18:30 < tds> Ah, here it's a 50 EUR one off charge if you have a sponsoring lir iirc?
18:37 <+catphish> why are you even allowed an ASN if you have no peers at all?
18:40 < TandyUK> isnt it rather a ctahc 22 between getting peering and an AS
18:40 < TandyUK> can you get peering wihtout one?
18:40 < TandyUK> kinda makes sense till you actually have the first one though
18:40 < TandyUK> *to wait
18:41 <+catphish> well with RIPE you just neeed to submit a plan
18:41 <+catphish> you tell them a minimum of 2 people you intend to peer with
18:41 <+catphish> and then its fine
18:41 < TandyUK> yeah so makes sense
18:42 < TandyUK> they wont give you an AS because youre 'thinking about pering at some point'
18:42 < TandyUK> thats the next major step i need to look into tbh
18:43 <+catphish> do it :)
18:43 < TandyUK> i can think of 4 networks i would want to peer with instantly
18:43 < tds> Heh, I don't know if they actually attempt to contact the peers you list
18:43 < TandyUK> lol that would make it kinda pointless
18:44 < TandyUK> i wanna peer with facebook and google, gimme AS :P
18:44 < jvwjgames__> right
18:44 < tds> I'm still not peered with Google :'(
18:45 <+catphish> they're on linx route servers, good enough for me
18:46 < tds> Yeah, we've had this discussion several times before :P
18:46 <+catphish> we have
18:46 <+catphish> im going home now
18:46 <+catphish> have fun
18:46 < tds> In fact I got an email last night saying my peering ticket had "expired" so idk what's going on there
19:05 < Apachez> https://cached-images.bonnier.news/cms30/UploadedImages/2018/6/15/f54f619e-dc17-48ae-8fd7-4c8432adebca/bigOriginal.jpg?interpolation=lanczos-none&downsize=*:568&output-quality=80&output-format=webp
19:24 < tonsofpcs> anyone else having trouble getting through to netgear support this week?
19:25 < Aeso> I'm more shocked netgear even has a support program, tbh
19:39 < tonsofpcs> Aeso: all of their professional products have lifetime warranties too, you call them and say "this thing died" they say "how died?" and you explain how half the switch won't talk to the other half and they ship you a new one for like $30 (cost of shipping)
19:39 < tonsofpcs> (you have to send the old one back)
19:40 < UncleDrax> mmm delicious google peering
19:41 < UncleDrax> I just need to drive more traffic to netflix so we qualify for an OpenConnect appliance :[
20:20 < Apachez> https://www.flightradar24.com/IDPCC/1cc90850
20:22 < tpr> italians invading sweden?
21:08 < Apachez> https://cached-images.bonnier.news/cms30/UploadedImages/2018/6/15/c9cfa364-8e17-4533-87e6-6b4b87aba511/bigOriginal.JPG?interpolation=lanczos-none&downsize=*:568&output-quality=80&output-format=webp
21:26 < Apachez> https://pbs.twimg.com/media/DfwS8oQX4AAqn2d.jpg:large
21:28 < Maarten> Apachez, I have seen a DC-10 do that just a few miles from my house..... it wasn't water though but the red foscheck stuff.... even so, pretty amazing to see a fucking JETLINER fly so low over a fire.
21:29 < Maarten> Those pilots have balls of steel
21:30 < Maarten> this is the VERY drop I saw..... I live near there. https://www.youtube.com/watch?v=-3KyWLvUT5Q
21:36 < ldiamond> For a TCP connection, I see SYN, SYN ACK, ACK, FIN ACK, FIN ACK, ACK
21:36 < ldiamond> The first FIN ACK is the server requesting to close the connection right?
21:36 < ldiamond> Is there any field I can check to figure out what the reason is?
21:36 < Emperorpenguin> Yes
21:36 < Emperorpenguin> No
21:36 < Aeso> Maybe so? :P
21:36 < ldiamond> Ok then, just blame Cisco I guess.
21:37 < Emperorpenguin> What happens ldiamond
21:37 < Aeso> ldiamond, it won't be in the packet, it'll probably be in the firewall or server logs
21:37 < ldiamond> Emperorpenguin: There's supposed to be a HTTPS connection happening, but the TCP connection is closed right away.
21:39 < Emperorpenguin> If it was a firewall it would be likely terminated right away with a RST
21:39 < Emperorpenguin> Not opened then closed
21:39 < ldiamond> it goes throught a proxy
21:40 < Emperorpenguin> And what happens on the other side of the proxy, ldiamond ?
21:47 < atsu> Do you have access to the proxy?
21:55 < ldiamond> I don't have access to it but I'm on the phone with people who do
21:55 < ldiamond> It's a Cisco CMX appliance trying to send us data via a HTTP post
21:56 < ldiamond> but when I tcpdump on my end I just see the source closing the TCP connection right away
21:56 < Emperorpenguin> Then ask them what they see on the proxy
21:56 < ldiamond> that's what I'm doing
21:56 < Emperorpenguin> Good. Our work here is done.
21:57 < ldiamond> I was just wondering if I could find info from the TCP packet on my ned
21:57 < ldiamond> end
22:09 < Apachez> https://www.youtube.com/watch?v=3X9X8BVEuGs
22:09 < Apachez> Maarten: yup specially when they waterbomb on the hills
22:09 <+catphish> so, here's an absurd bit of bureaucracy and wasting taxpayer money: as a uk government organization, one is entitled to a .gov.uk domain name, this domain name is reserved, only one person can ever have it, the government owns it, but in order to register it, the registration has to go via 2 separate private companies at a cost of £120
22:09 <+catphish> who thinks up these things
22:09 < Apachez> I can imagine the cockpit sound "PULL UP! PULL UP! FFS PULL UP!!!!!!!!" :)
22:13 < Mattx> Hey guys. Quick question. In a http2 connection using multiplexing, if I send two requests A and B, is there any chance of B reached the server before A?
22:13 < Apachez> https://www.youtube.com/watch?v=OZ2_cUBflcc
22:14 < Mattx> I'm sending two rests requests to a server, but it says B can't be executed (as it depends on A), and then A gets executed
22:14 < Mattx> so either they receive B and then A, or they receive A and then B but they process it in parallel so B gets executed first for whatever reason
22:16 < Emperorpenguin> Mattx: since http2 is TCP packets COULD get to the destination in the wrong order but would be correctly reassembled
22:19 < Mattx> yeah, so correct order when sending is guaranteed
22:19 < Mattx> the problem should be they process the requests in parallel, what do you think? Emperorpenguin
22:20 < Mattx> I don't know how to fix it. maybe adding a small delay between them helps. any other workaround?
22:20 < Emperorpenguin> Why would it be a problem?
22:21 < Mattx> because I need to get A executed before B, and even though I send them in that order, it happens that B gets executed first and fails
22:21 < Emperorpenguin> Could be a race condition inside the server code
22:22 < Mattx> actually they don't say they execute them in fifo order so it wouldn't be a "bug"
22:23 < Mattx> I'm guessing what happens if they are processed in parallel by the web server is A takes longer to execute so B completes first and fails
22:23 < Mattx> adding a small delay should work if that's the case
22:25 < kottt> just had a technical contact phone us to ask us for our phone number
22:25 < kottt> because the signal on his cell phone
22:25 < kottt> where our number is saved
22:25 < kottt> is too poor for conversation
22:26 < tds> catphish: it seems bizarre it's not just done through nominet directly (eg iirc sch.uk is run centrally by nominet, but handing out domains is authorised by local authorities or something)
22:27 <+catphish> Mattx: your question seems strangely familiar
22:27 <+catphish> Mattx: anyway, there is afaik no guarentee that get executed in order, servers process requests in parallel
22:28 < Mattx> yeah, I asked something similar the other day. but it was this morning that I finally tested it and saw B fail because A wasn't executed yet
22:29 <+catphish> well my answer still applies
22:32 <+catphish> the problem isn't the order they reach the server, the problem is that you're assuming one will finish before the next one starts, which simply wouldnt be the case, that would be inefficient, maybe http/2 has a way to request that, but by default they'd be processed at the same time
22:33 < Mattx> it would be absolutely useful if that can be requests with a header or something
22:36 < Apachez> what if the server listens on twoports?
22:36 < Apachez> and first req is like 10 bytes
22:36 < Apachez> and the second is 500 megabyte
22:36 < Emperorpenguin> What if you use two connections?
22:36 < Apachez> think of the children!
22:36 < Mattx> Emperorpenguin, how that would help?
22:36 < Emperorpenguin> You start one connection
22:37 < Emperorpenguin> Ask for a
22:37 < Emperorpenguin> Then open a new connection and ask for b once a is done
22:37 < Mattx> that can be done in http2 with one connection
22:37 < Mattx> I just would need to wait to get the first response byte for A before sending B
22:38 < Mattx> but that would be around 30x to 50x slower compared to multiplexing
23:03 <+catphish> Mattx: can you not just ask for a single request to achieve everything you need?
23:03 < Mattx> I wish but there's no endpoint to do that
23:04 <+catphish> that's why i said ask :)
23:04 < Mattx> oh no, I can't
23:04 <+catphish> shame
23:04 < Mattx> I got interested in that idea you had about requesting the server to process them in order. you read that somewhere or was it just a crazy idea?
23:05 < Mattx> I couldn't find anything like that on the internet
23:06 <+catphish> crazy idea, you probably can't, i just said it because i don't know http/2 and didnt want to say it was impossible
23:06 <+catphish> by the way, did you actually try http/1.1 like i suggested before?
23:06 <+catphish> that's way more likely to process them sequentially instead of simultaneously
23:08 < Mattx> no I didn't try but that should be easy to test, I'll disable http2 and have a look
23:08 < Mattx> how http1.1 would help? I know it doesn't support real multiplexing
23:08 < WrinkledCheese_> I have an odd issue.  If I ping, I get 0.1ms.  If I access a specific port via browser, I get a web interface.  If I try to telnet or ssh, I get no route to host.  Client is slackware linux and server is OpenSuSE linux.
23:09 < Mattx> is it supposed to work just because it would take more time to send B?
23:10 < WrinkledCheese_> ping client ip is 0.01ms and ping switch is 1.0ms, which is significantly longer than server, but neither server nor client are directly connected to router.
23:10 < WrinkledCheese_> Any ideas how to diagnose such an odd error message?
23:10 <+catphish> Mattx: it's precisely the fact that it doesn't support multiplexing that helps!
23:11 <+catphish> Mattx: it means it will likely process the requests one at a time
23:11 < WrinkledCheese_> The only thing I can think of is ssh and telnet are tcp whereas ping is icmp
23:12 < Mattx> catphish, that approach would be equivalent to sending A, read the first byte of A, then send B, and finally read both responses. right?
23:12 < Mattx> I mean, it can be done on http2 that way ^
23:13 <+catphish> Mattx: no, because you don't have to wait for the first byte to reach you, then send the next request, you send them all at once, as soon as the server *sends* the first byte, it'll start processing the next request
23:13 < Maarten> WrinkledCheese_, sounds like ssh might be blocked (or the server firewall blocking an ip) on the server.....
23:13 <+catphish> it'll be faster by at least 1 round trip time
23:13 < WrinkledCheese_> Maarten, I considered that, but would that give a no route to host error?
23:14 <+catphish> Mattx: see this diagram: https://upload.wikimedia.org/wikipedia/commons/1/19/HTTP_pipelining2.svg
23:14 < Maarten> WrinkledCheese_, if the firewall completely drops the traffic (not reject) it has no way of knowing why the traffic didn't arrive... so your side may assume its a routing issue.
23:15 <+catphish> you're describing the thing on the left, you send each request after you receive the response, but http/1.1 pipelining is on the right, you send all the requests, it processes them in order and sends back the response for the first request as it starts to process the next
23:15 < WrinkledCheese_> Maarten, Hmm, must be a linux thing.  I've been doing FreeBSD networking and if there's a route. i've never gotten no route to host when there was a valid route.
23:15 < WrinkledCheese_> Thanks very much Maarten I suspect you're right.
23:15 < Mattx> I didn't know that, thanks catphish!
23:15 <+catphish> http/2 is different, because it processes all the requests at the same time, http/1.1 can't do that, so it processes them in order
23:15 <+catphish> but you can still queue them up
23:16 < Maarten> if a firewall rejects something, it typically sends back a message traffic is rejected.... if its dropped, it just disappears into a black hole, and nothing is sent back to the client..... so the client will make up its own mind as what is wrong :P
23:16 < Mattx> I guess the queue is created on the server side, so right after A finishes it already have B waiting
23:16 <+catphish> Mattx: a clever http/1.1 server *might* choose to process them at the same time, but probably not
23:16 <+catphish> Mattx: right
23:16 <+pppingme> WrinkledCheese_ do you get the error right away, or does it take several seconds?
23:16 < Mattx> that should work, that's exactly what I'm looking for :)
23:17 <+catphish> with http/1.1 the responses must be sent in order, with 2.0 they're multiplexed
23:17 <+catphish> so i think pipelining might be exactly what you want
23:17 < Maarten> WrinkledCheese_, if its a NEW server, most linux distros have common ports such as ssh configured in the firewall for security reasons, and you actually have to open up the port for it to work.... but.... I have no real experience with slackware or opensuse, I am mostly a RHEL and Debian guy.
23:17 <+catphish> just make sure you send "Connection: keep-alive" in your request headers
23:18 < Mattx> I really didn't know pipelining was different than multiplexing. it's weird http2 doesn't support pipelining, I suppose at some point http 1.1 is deprecated and some apps will stop working
23:18 <+catphish> and as long as the server supports keepalive, you can just send all 3 requests at once, in order
23:18 <+catphish> pipelining isn't considered that useful
23:18 < Mattx> I mean, that won't happen anytime soon. I guess they will add a pipelining mode at some point (?)
23:19 <+catphish> normally if you send multiple requests at the same time, you want them all processed at the same time, and you want the response to each as soon as possible, not in order
23:19 <+catphish> so http/2 is basically just the same as opening LOTS of connections, but more efficient
23:19 < WrinkledCheese_> pppingme, it is immediate
23:19 < Mattx> I see that, but in my use case pipelining is clearly better
23:20 <+catphish> the fast pipelining processes the requests in order has never been useful to anyone, normally its used when you just want to download a load of stff fast like web page assets
23:20 < WrinkledCheese_> Maarten, Thanks.  Slackware is wide open out of the box, much like FreeBSD.  OpenSuSE seems to be pretty locked down.
23:21 <+catphish> Mattx: the thing is... normally you should never send a request that depends on a previous request without first checking the response code of the first request, that would be a really bad idea
23:21 <+catphish> but i assume in your case you don't care
23:21 <+pppingme> WrinkledCheese_ then that leaves no doubt, the host is rejecting with that error (you can basically pick the error with iptables and most other firewall setups, see this:  https://unix.stackexchange.com/questions/124624/what-a-input-j-reject-reject-with-icmp-host-prohibited-iptables-line-does-ex )
23:21 <+catphish> either they both succeed, or they both fail, you don't need to care much :)
23:22 < WrinkledCheese_> pppingme, sounds about the right direction, but ping and http over 9090 works.
23:22 < WrinkledCheese_> everything else is no route to hsost which im not used to.  coming from a freebsd background in networking
23:22 < Mattx> that's the point, for me if A gets executed fine then B is guaranteed to execute fine, so I don't need/want to wait for A
23:23 < WrinkledCheese_> im just finishing my beer and going to give the firewall a look and I will let you know.  Thanks so much
23:23 <+catphish> as long as B won't cause weird effects if A fails and you don't know
23:24 < Mattx> I tried doing it "the correct way" (ie, waiting for A) but it doesn't work, the events comes so fast that I end up with an ever increasing queue
23:25 < Mattx> but this pipelining thing should finally fix it
23:25 < Maarten> WrinkledCheese_, sometimes when you install a service or an application, it will automatically add the required rules to iptables to allow the traffic. SSH is pretty much a system function. If it's a virtualized server you can launch a console server from your hypervisor and fix it remotely, if its a physical server you'd have to walk up to it and fix.
23:26 < Mattx> just when I thought I was improving it by upgrading to http2 :P
23:28 < WrinkledCheese_> I'm sitting here with two keyboards Maarten just installing the opensuse gui firewall which is the point of switching to opensuse from freebsd in the firstplace
23:31 < WrinkledCheese_> That's interesting.  OpenSuSE has it's firewall config setup like an actual firewall.  You can have "runtime" aka running config, or you can have "permanent" aka saved config ( switch command save run )
23:31 <+pppingme> WrinkledCheese_ the fact that some stuff works, then others gives an error that doesn't make sense for the situation (with no delay), pretty much confirms its firewall..
23:31 < WrinkledCheese_> I opened the port and now I'm getting connection refused.  Thanks Maarten and pppingme
23:32 < Maarten> well thats a start :D
23:32 < WrinkledCheese_> Just have to start ssh manually I guess.
23:33 < WrinkledCheese_> Thanks guys.  no route to host seems like an odd error.  Although, FreeBSD ( I only mention it because I've been using it at work for the past 5 years ) has no route to host if there is actually no available route ( no default response ) but if there is an explicite route, such as in this case, it says network unreachable.
23:39 < kerframil> WrinkledCheese_: if it matters, Linux issues a RST for TCP connections to unbound ports. Nefilter can have it behave otherwise, though.
23:40 < kerframil> Netfilter*
23:57 < discipulus> I have this strange issue. I'm running archlinux with i3, and for some reason, each time I boot my computer it takes a while to establish a network connection. After the desktop is fully loaded, it'll take an additional 5-10 seconds to get a network connection.
23:57 < discipulus> I'm talking about a wired connection btw.
23:58 < discipulus> To start with I used dhcpcd, but since I had to get a vpn, I switched to NetworkManager.
23:58 <+pppingme> Whats the purpose of the vpn? to connect to work? or what?
23:59 < discipulus> I'm not sure what I've configured wrong, but I won't get any error messages, anywhere, so it's hard to crack this nut.
--- Log closed Sat Jun 16 00:00:00 2018