--- Log opened Sat Jun 23 00:00:09 2018
00:01 < AaronTTT> kuahara: there would be a bottleneck somewhere, Im fairly certain windows displays the connection to the switch, Erhm, is an openvpn client running on each machine or the router?
00:01 < kuahara> there's a client installed, but I am using the service to connect since it does a far better job of it
00:03 < AaronTTT> so each computer is connecting directly to the vpn server? (just making sure im thinking right)
00:03 < kuahara> yes
00:03 < AaronTTT> Okaydokay, hmm, can you speedtest.net on one to see?
00:06 < kuahara> how would I force it to use the correct interface?
00:07 < Ouroboros> by pointing the default route there, i guess, the vpn software should already do this
00:08 < kuahara> We usually specifically indicate not to use the remote gateway as the default gateway
00:08 < kuahara> so we don't start routing non business related traffic through the vpn server
00:08 < tds> iirc on windows the openvpn tap device may show a connection speed of 10Mbps but actually be capable of more?
00:09 < drathir> mornin/evenin...
00:09 < tds> oh yeah, it does on linux as well
00:09 < drathir> tds: server side restricted/limited?
00:10 < tds> no, it's not an issue, I've happily pushed a few hundred Mb/s through those interfaces
00:10 < tds> the interface speed just shows as 10Mb/s
00:10 < Ouroboros> kuahara: i that case, i am not sure, it may be possible to configure the src ip in the browser
00:12 < Ouroboros> kuahara: or i suppose that you can add a temporary route for speedtest
00:13 < drathir> tds: thats interesting probably openvpn bug...?
00:14 < tds> eh, not really a bug, the link speeds on these kind of things tend to be made up
00:14 < tds> eg I've got lots of VMs where the virtio ethernet interfaces claim to be 10Gb/s, you can happily push 15Gb/s through them
00:15 < drathir> tds: at linux im worried that app detecting that could have problems but its guess only...
00:34 < AaronTTT> ryao: Hm maybe removing the UPS's from outside the rack will be better?
00:34 < AaronTTT> ryao: for space etc
00:45 < godsmack_> Looking for a "stresser" service to use on my website. Will pay $800/day in bitcoin or monero, pm me if you can do it
00:46 < AaronTTT> godsmack_: How big of a stress you need?
00:46 < godsmack_> 100 gbit i think
00:47 < AaronTTT> Ah daym thats a bit, I cant help im afraid but there should be people around who can :)
00:48 < godsmack_> will give a bounty if you find someone who can
01:04 < drathir> godsmack_ or just use memcached  vuln... CVE-2018-1000115 ^^
01:06 < drathir> 260 Gbps of inbound traffic should be enough ^^
01:11 < MarkusDBX> That new edgerouter 4 or 6, any good?
01:11 < MarkusDBX> Looking for a solution to have 3 way failover
01:11 < MarkusDBX> so 1 lan port, and then 3 wan
01:11 < atsu> Depends on what you're using it for. Just home stuff? Or small office?
01:13 < MarkusDBX> homelab, but it's my office too
01:14 < MarkusDBX> atsu: I would say, think demanding small office =)
01:14 < linux_probe> ur mum
01:14 < MarkusDBX> atsu: I do got three wan for a reason
01:14 < myrat> hello guys
01:15 < myrat> my laptop starts too long after installing netplan can somebody help to fix this
01:15 < atsu> For that purpose, yeah Edgerouters are good. IIRC they make multiWAN pretty simple
01:15 < myrat> 5min 5.887s networking.service
01:17 < MarkusDBX> atsu: any contenders? The edgerouter 4 is about $200, and seems good value. Maybe something more serious might be available from ebay?
01:17 < atsu> Performance is good as long as you stay in the ASIC, which usually means limited/no QoS, but hey, for the money and performance it's not bad
01:18 < MarkusDBX> any other disadvantages? Some kind of IDS would be nice
01:18 < atsu> Something more serious will need more of your time for sure
01:18 < MarkusDBX> atsu: more time to manage?
01:19 < atsu> Mainly more time to setup and take more research
01:19 < atsu> IDS, you are not going to get with EdgeOS
01:19 < atsu> IDS, you should really just use a PC and play with different UTM/firewall software
01:19 < MarkusDBX> I do got a few spare machines, should I just go for pfsense?
01:21 < atsu> Sophos UTM comes to mind, just cause that's what I have experience with, but a lot of players in the firewall/UTM game that you could possibly try out
01:21 < atsu> Not sure if pfsense does IDS/IPS?
01:21 < MarkusDBX> isn't sophos pricey?
01:22 < MarkusDBX> IPS in this context?
01:22 < atsu> D = Detection. P = Prevention
01:22 < atsu> You could mirror to another system more specialized in IDS
01:22 < MarkusDBX> ah
01:23 < MarkusDBX> I wonder what is a better solution long term
01:23 < MarkusDBX> I guess pfsense isn't going anywhere
01:25 < atsu> There are some free IDS systems out there, but they only really do IDS. Can't remember the names at the moment. I know a lot of IDS/IPS just uses snort with different rules
01:25 < atsu> and IDS really just needs to know about your traffic. Port mirrors are pretty simple
01:26 < mead> Anyone familure with Directv DECA  (ethernet to coax) I can't find much real information like hardware compatibilitiy
01:26 < atsu> Ubiquiti EdgeOS certainly has the performance for the money factor
01:27 < atsu> Those hardware ASICs are pretty decent at forwarding
01:28 < atsu> they are a little lacking in some of the features you would expect from a real router, but usually nothing you run into for SoHo
01:30 < adleff> atsu, there are not hardware asics dedicated to forwarding in a ubiquiti router
01:30 < adleff> they are functions provided by the network cpu on the router
01:31 < atsu> Sorry. I don't know details of the hardware. I just know they do hardware based forwarding
01:31 < adleff> you can call the main cpu an asic if you want
01:31 < adleff> and may not be entirely inaccurate
01:31 < adleff> but there are not dedicated asic to data plane
01:31 < atsu> yeah
01:33 < atsu> Thanks for the correction. Certainly not the same as getting a high dollar router/switch
02:27 < cobracommand> basically now if you're not a paid streamer of the fifa world cup, your internet is slowed down. prove me wrong
02:28 < cobracommand> If you're paying to stream the world cup, you get priority qos.  If not, you get throttled. Welcome to the end of net neutrality.
02:29  * compdoc throttles cobracommand with some coax
02:32 < Ouroboros> what fraction of public smtp servers currently support some form of tls?
02:33 < tds> not enough
02:36 < Ouroboros> i mean, is there even any point in enabling it for incoming mail on your own server?
02:37 < kerframil> yes
02:38 < kerframil> though it doesn't provide a direct answer to the question, here's some insight: https://transparencyreport.google.com/safer-email/overview
02:38 < kerframil> if you want the percentages to increase, then support it
02:39 < qman__> it won't start being widely used unless people start using it
02:39 < qman__> so start using it
02:40 < tds> and ideally use a valid cert with the right hostname, otherwise it's a bit useless
02:41 < qman__> a fair number of people do support it but it's not practical to require itm
02:41 < qman__> but supporting it as optional gains progress toward the goal
02:41 < tds> iirc google has started displaying warnings when sending/receiving email over non-tls, which is a nice start
02:41 < tds> s/google/gmail/
02:42 < Ouroboros> interesting
02:44 < Ouroboros> re getting a real certificate, i am looking at letsencrypt, but it is a bit of a pain because it requires a web server
02:44 < tds> you can do dns-01 validation if that's easier
02:44 < tds> some acme clients have a built in webserver as well, which makes life easy
02:44 < qman__> yeah, dns validation is the way to go
02:45 < qman__> i use dehydrated with a hook I wrote for my dns host
02:50 < tds> I still just do http-01 for all my stuff, it's easier for me
02:52 < Ouroboros> hm, dns validation does seem simpler, but still it will take me a few days to figure out how to do it
02:53 < Ouroboros> i suppose that i could use a self-signed certificate 'temporarility'
02:57 < kuahara> ok, me and 3 other technicians are completely spent on ideas, so I'm just going to do some explaining and see if anyone else can come up with an idea or theory about what is going on here.  Bear with me while I get the facts out of the way first.
02:57 < kuahara> We have a file share on a folder in our datacenter.  Users connect to the datacenter using openvpn, then launch our softare on their PCs.  PCs are generally Windows 10 or Windows 7.  The login happens in IE and our product uses wscript to launch an image viewer (an executable on the local client machine).
02:57 < kuahara> That viewer will contact our server in the datacenter, request the relevant file (pdf or tif) and display it for the user.  The file in question is only 47k in size and is a .pdf
02:57 < kuahara> From the client PC, I can navigate into the share, double click the file, and it opens in adobe reader instantaneously.  For a few days, on only 1 PC out dozens, this file would take 40-60 seconds to load up in the viewer before being displayed.  Naturally, we assumed the problem was with the PC and did extensive troubleshooting to try and prove it.
02:58 < kuahara> On many other machines located in different counties within Texas, we VPN'd in and used the same software and it loaded up within 2 seconds.  This was true during the same exact time that the one PC was taking 40-60 seconds.
02:58 < kuahara> The network interface on all client machines tested is 1Gbps and I can do a large file transfer between the troubled machine and the datacenter and sustain 50Mbps for a long period of time in both directions.
02:58 < kuahara> I'm told the datacenter is sitting on a 100Gbps backbone with burst speeds up to 400Gbps and no bottlenecks on the way out the door.
02:58 < kuahara> This evening, between 4:45pm and 5:15pm CST, the problem showed its ugly face on all test machines spread across 3 different counties in Texas.  It was taking forever to load this image everywhere.  Now (more than 2 hours later), it is just a problem on that 1 machine again and is loading fast everywhere else.
02:58 < kuahara> The problem machine for testing purposes only has no antivirus or antimalware software of any kind installed on it.  It is not subject to any real time scanning, and is not behind a firewall (hardware or software).
02:58 < kuahara> What would you look at next?
02:59 < light> mtr
02:59 < tds> what are you using for the file share, samba/cifs?
02:59 < kuahara> Try not to laugh, but sitting in this $300 million facility is a buffalo nas unit that these images are on.
03:00 < tds> sorry, I meant what protocol?
03:01 < qman__> that's netbios for you
03:01 < kuahara> I'll have to look.  Not sure what the buffal nas terastation does by default, 1 sec
03:01 < kuahara> buffalo*
03:01 < tds> it probably does a whole load of protocols by default, it's how you actually connect to it that's interesting
03:02 < tds> ie do you to go \\yournas\pictures on windows machines?
03:02 < qman__> do you have a wins server?
03:02 < kuahara> well, when I test outside of our software, yes.  I use windows to access it via \\server\share\file
03:03 < tds> hmm, as qman__ suggests, this sounds a lot like it's related to name resolution and cifs to me
03:03 < kuahara> would that it explain it working in multiple locations and not in 1 or 2?
03:04 < qman__> netbios is the default way to resolve windows file shares, as the protocol dates back to the early 90s before IP networks were common
03:04 < Ouroboros> ok, now the real question: exim or postfix ;)
03:04 < kuahara> Also, we don't use a server name.  The software requests something like j:\folder\file.pdf  and J is mapped to the \\server_ip\share
03:05 < qman__> Ouroboros: postfix
03:05 <+pppingme> server ip or server name??
03:05 < kuahara> we don't use a hostname in the mapping, we use the IP
03:05 < Ouroboros> qman__: yeah, i think so too, seems like it is ultimately more configurable
03:06 <+pppingme> sloppy
03:06 < kuahara> pppingme agreed
03:06 < kuahara> There are worse things going on that I've brought up over and over through the years, but ultimately above my paygrade
03:06 < kuahara> PPTP, SMB1, I could go on.
03:07 < qman__> anyway, what I was getting at is that SMB has what's known as a master browser, which is where everything on the network looks to find shares
03:08 < qman__> by default, the master browser is elected via what is essentially a shouting match of everything on the LAN
03:08 < qman__> and it's common for machines to disagree on who the master browser is, particularly on intermittent or slow connections
03:09 < qman__> such as wifi or vpn
03:09 < Ouroboros> qman__: how much screwing around will i need to do to get the most basic config up? just smtp to a spool, no imap etc
03:09 < qman__> the result is inconsistent share access
03:10 < qman__> Ouroboros: with postfix, not much, most distros work out of the box
03:10 < kuahara> does it matter that the routes are the same on the test machines and tracert -d \\server IP shows the same 3 nodes across the working and non-working machines?
03:10 < kuahara> I guess I am asking if that rules out the master browser issue
03:10 < qman__> no, it doesn't
03:10 < qman__> that's layer 3, smb master browser is layer 7
03:11 < Ouroboros> qman__: does it require an imap server, or can i just write to a spool for a few days?
03:11 < qman__> Ouroboros: nope, imap is completely separate
03:11 < qman__> postfix doesn't care about it
03:11 < kuahara> qman__ how can I test/fix this?
03:12 < Ouroboros> ok, good, i don't have time to set up everything right now
03:12 < qman__> packet captures and lots of head bashing
03:12 < qman__> alternatively switch to a protocol that's more sane, or re
03:12 < kuahara> you mean switch away from SMB1?
03:12 < qman__> redesign your system to use wins and a smb server that is always the master
03:13 < kuahara> Why would it consistently be this same machine that always has trouble, though?
03:13 < kuahara> your suggestion sounds like the problem should be intermittent for all machines
03:13 < qman__> you would think so but no
03:13 < qman__> they tend to happen to the same machines
03:14 < qman__> I've also seen it happen due to a hardware/driver bug with a specific ethernet card
03:15 < qman__> the card was not picking up the packets during the election and the machine was electing itself as a result
03:15 < kuahara> I hope that's not the issue.  I'm nowhere near this machine.  Am remoted in from a few hundred miles away
03:16 < Ouroboros> ugh, i have not heard the term 'election' in about 20 years :P
03:16 < qman__> the card otherwise worked perfectly
03:17 < qman__> so it was a bug specifically around smb master browser elections
03:17 < qman__> multiple versions of windows
03:17 < kuahara> wtf..
03:18 < kuahara> eh.. maybe this doesn't matter since this public workstation is the 1 machine not in their domain.  It's a standalone workgroup machine.  Just noticing that the primary and secondary DNS servers are set to 8.8.8.8 and 8.8.4.4
03:19 < kuahara> Thought this was a domain machine for a minute.  The rest of that county is.
03:19 <+pppingme> that won't work for AD
03:19 <+pppingme> obviously
03:19 < kuahara> yea, it won't.
03:19 < kuahara> My domain doesn't use public DNS anywhere.  Just the DC.
03:19 < qman__> yep, it will also affect smb name resolution
03:19 < kerframil> qman__: he says he's using a raw IP address in the UNC path, though
03:20 < qman__> joining a domain changes smb's settings
03:20 < kuahara> qman__ this machine is not joined to a domain though, so it won't matter that it's using public DNS servers, right?
03:20 < qman__> yes, but smb is a janky old protocol and browsing by IP doesn't rule out netbios issues
03:21 < qman__> you still talk to the master browser
03:21 <+pppingme> But that doesn't work across a routed environment, master browser is a lan concept
03:21 < qman__> kuahara: it's less about the dns severs and more about the fact that it's not on a domain and not getting domain policies
03:22 < qman__> so it could have different settings than everything else
03:22 < qman__> for the smb protocol
03:23 < kuahara> ah.  that makes sense
03:23 < kuahara> so short of getting them to join this machine to the rest of the domain, I'm still back at troubleshooting SMB
03:24 < qman__> so, i suggest starting there, compare the applied policies and registry settings related to smb
03:24 < qman__> which is a lot of them, unfortunately
03:24 < kuahara> I don't manage this network, so I won't even have access to look.
03:24 < kuahara> and the group that is contracted to manage is, firmly believes the problem is our software
03:24 < qman__> well, in a roundabout way, it is
03:24 < kuahara> which we have demonstrated is not true, but we're trying not to treat the client like we've just throw the issue over the other side of the fence and looked away
03:25 < kuahara> yea, I can't argue that
03:25 < qman__> mapping network drives over openvpn is pretty kludgy
03:25 < kuahara> That's just another thing in the pile I've complained about and I think they are tired of me pointing out things that need to change
03:25 <+pppingme> qman__ not if you have dns setup properly and you aren't natting anything
03:26 < qman__> if you're just loading a pdf, serve it on http instead
03:26 < kuahara> the scariest thing that makes me uncomfortable is that the default .ovpn file they are distributing through attorneys offices in Texas gives all other cloud customers access to that attorney's data
03:26 < dogbert_2> u cannot fix stupid :P
03:26 < kuahara> so if you have 10 customers in the cloud on that server, nothing is stopping them from browsing into \\server\ and then just double clicking on a diffent county's share and viewing their confidential files.
03:27 < qman__> yep
03:27 < Ouroboros> yeah, but, i mean, it is texas ;)
03:27 < kuahara> nothing is stopping ransomware from taking all the customers out at the same time too.
03:27 < qman__> no, that kind of thing is common
03:27 < qman__> it's awful, but tons of companies do business with stuff like that
03:27 < kuahara> When I brought it up at the last company meeting 2 months ago, the VP interrupted me to say it wasn't a problem because she could spin up another virtualized copy of the data in under an hour and everyone would be back online
03:27 < kuahara> .gov does this everywhere
03:28 < Ouroboros> sure, security and reliability always come last
03:28 < kuahara> I thought, ok... you can mitigate all customers being offline for a bit, but what about when they find out their confidential information isn't.
03:29 < Ouroboros> like in that gitlab thing, primary db deleted, 5 out of 5 backup methods mostly useless
03:29 < qman__> yeah, you can be held liable for that
03:29 < Ouroboros> how do you even do that?
03:29 < kuahara> our backups are solid in a lot of places.
03:29 < qman__> gross negligence, and especially if you're selling this to lawyers, that's a really risky proposition
03:30 < kuahara> Not private lawyers, but I doubt that matters.
03:30 < kuahara> They'd be county attorneys and DAs
03:30 < kuahara> county and district judges, county and district clerks, and justices of the peace
03:30 < qman__> sure, but lawyers know how courts work and how to sue people
03:30 < dogbert_2> anyone heard of ****ing encryption?
03:31 < dogbert_2> assjacks deserve to lose their data
03:31 < Ouroboros> dogbert_2: wait, there is encryption for ****ing now?
03:31 < qman__> and they definitely will if they experience significant damages by your company's gross negligence
03:31 < kuahara> I'm hoping to be out in a few more months.
03:31 < kuahara> moving off to fort worth for 3.4x the money
03:31 < dogbert_2> pfft...you don't put stuff in the cloud without encryption, period.
03:32 < qman__> a smart choice
03:32 < kuahara> dogbert_2, he sells the customers on how well encrypted all the backup data is
03:32 < kuahara> and I have to hold back my eyerolls at the fact that the live data is not nearly as well protected
03:32 < qman__> I'd also make sure you have some evidence that you pointed this problem out to your company
03:32 < Ouroboros> dogbert_2: alas, sometimes end-to-end encryption is not possible
03:33 < dogbert_2> then you find some other solution :)
03:33 < qman__> so that you personally can't be held liable later if it comes to that
03:33 < kuahara> yea, I wrote it up in a few emails for exactly that purpose.  Knowing I was irritating people by repeating myself.
03:33 < dogbert_2> I can't log into work assets on the laptop w/out using the VPN
03:33 < kuahara> and I will take those emails with me when I go.
03:33 < kuahara> I'm that guy that never, ever deletes mail.
03:34 < Ouroboros> dogbert_2: i mean like if i want to run public 'services' in the 'cloud', then i can't really have the data encrypted there
03:34 < kuahara> Ouroboros why not?
03:34 < qman__> sure you can
03:34 < qman__> aws even has a key manager for it
03:35 < Ouroboros> but aws can see the key?
03:35 < qman__> you do have to trust that aws isn't skimming your keys, of course
03:35 < kuahara> I can put a cause number into the software and a list of image keys is associated with the case.  It's pulled from the database on the fly when I open it up.  When I click view, it should be able to request and decrypt the file on the fly.
03:35 < qman__> but that's adequate 99% of cases
03:36 < Ouroboros> yeah, that is what i meant, you have to trust the cloud provider (and possibly other users in case there is *cough* spectre)
03:36 < kuahara> the risk that they are skimming my keys is better than just leaving the data unencrypted
03:36 < qman__> nah
03:36 < qman__> oh
03:36 < qman__> misread
03:36 < kuahara> we are the cloud provider in this case.
03:36 < kuahara> we own that datacenter
03:37 < qman__> yeah, aws is a pretty trustworthy system, as providers go
03:37 < qman__> they take it seriously
03:37 < kuahara> I tried selling the company on aws glacier, but admittedly I've only read about it.  I kinda wanted to test it out with Cloudberry.
03:37 < qman__> random cloud offerings, on the other hand, are very risky
03:37 < kuahara> for the customers that can't afford to buy Barracuda backups.
03:38 < kuahara> aws is housing data for CJIS and the FBI and several banks among other people with sensitive data
03:38 < kuahara> s/FBI/CIA/
03:38 < kuahara> (CJIS and FBI are pretty much the same thing)
03:38 < qman__> aws .gov stuff is in different datacenters that public aws
03:39 < kuahara> I figure bank data is more sensitive than anything .gov
03:39 < Ouroboros> just read about how ach works
03:40 < kuahara> I don't know why I'm wasting my Friday evening on this.
03:40 < qman__> finance is one of the worst areas when it comes to it security
03:41 < ALowther> I just got a new router & I am trying to set it up. In the meantime, I'd like to set up static routes, something I have never done before & I am having a difficult time figuring out what to tell it the gateway is....I have WAN -> Modem -> .88.1 -> .3.1 -> .11.1...I want to set up static routes between .88.1 <- .3.1 -> .11.1...I assume the destination IP address is pretty straightforward in that if something is destined for .11.x/24 the
03:41 < ALowther> n it will route it to that network, but what do I put as the gateway? That is where I am having issues.
03:41 < Ouroboros> most banks don't even support 2fa yet
03:41 < qman__> most banks are still ftping pifi data across the internet
03:42 < kuahara> ALowther, I feel like I'm qualified to answer that question but, paradoxically, can't figure out what you're asking.
03:42 < h0dgep0dge> same here. are you talking about nested subnets?
03:42 < dnanib> ALowther: me too.
03:42 < kuahara> qman__ we still FTP as well, but for the most part it's intralan
03:43 < kuahara> andI am always the go to person when they wind up having to do outside to inside FTP (anothing thing I complain about!)
03:43 < h0dgep0dge> ALowther: maybe draw a quick diagram of your physical setup, and explain how you want it to work
03:44 < kuahara> also, telling us your inside ip scheme and addresses doesn't put you at risk
03:44 < dnanib> And please use full IP addresses + subnet masks. You can make them up, but be honest about the masks
03:45 < h0dgep0dge> kuahara: i think they might just be doing it for the sake of brevity
03:46 < qman__> i used to work for managed service providers, so i have a lot of experience with different kinds of businesses, including banks and government stuff, like township offices, police departments, etc
03:46 < kuahara> maybe, but I can't tell if .88.1 is in the same subnet as .3.1 and .11.1
03:47 < h0dgep0dge> yeah, that's confusing, i'd assumed that was the suffix, but if that where the case .3.1 would represent a host, not a network
03:47 < ALowther> kuahara: dnanib: Hmmmm, maybe I have no idea what I'm talking about.....I have 3 routers. The WAN goes to my first router 192.168.88.1/24 network. Then, plugged into that router is a 192.168.3.1/24 network. Plugged into that router (.3.1/24) is a 192.168.11.1/24 network....How can I allow the 192.168.88.1/24 and 192.168.11.1/24 networks to communicate through the 192.168.3.1/24 network without using NAT?
03:48 < kuahara> before I read the rest of the sentence.  why are we using 3 routers?
03:48 < qman__> one sensitive system for the state police department, they controlled access by not having a dns record, and putting it in the hosts file on computers of people who needed access
03:48 < ALowther> kuahara: It's temporary while I configure my new router...It's my home LAN, this change won't affect my speeds I really am just asking for learning purposes.
03:48 < qman__> i wish i was making that up
03:49 < kuahara> qman__ that's officially up near the top of the list of most ridiculous things I've heard of in networking
03:49 < kuahara> if we can still call that networking
03:50 < h0dgep0dge> ALowther: i get setting up complex systems because it's interesting and a learning eperience, but I would recommend starting simpler
03:50 < h0dgep0dge> and it's entirely possible your router devices aren't really made to be configured in that way, so you're going to have a hard time making it work with stock firmware
03:50 < kuahara> Start with quadruple NAT, it'll build character
03:51 < qman__> haha
03:51 < h0dgep0dge> yeah, multiple layers of nat aren't going to make your life pleasant if you want to make inbound connections
03:52 < ALowther> h0dgep0dge: Is this complex? My Linksys router has an Advanced Routing tab with the option for Dynamic Routing(RIP) & Static Routes
03:52 < tds> bonus points if you make a network where connections are properly routed in one direction, but nated in the other
03:52 < ALowther> I assumed this would be trivial for a more experienced networker, idk, maybe not.
03:52 < h0dgep0dge> it's complex in comparison to merging all 3 subnets into one larger subnet. you can even keep your addresses, just use a bigger netmask
03:52 < kuahara> ALowther it is because the nat problem alone is going to quickly get you asking questions that no one in the channel will be able to answer or help you with.  And it will end in "don't do that".
03:53 < kuahara> h0dgep0dge is right.  start simpler for sure
03:53 < ALowther> I also may not be helping by poorly explaining my configuration.
03:54 < kuahara> You trying to create a lab for a network cert or something?
03:54 < h0dgep0dge> i think we get it, you have 3 lans, each with an 8 bit subnet, each with a router, and the wan side of the routers are linked into a third lan where they can talk to the internet router?
03:54 < h0dgep0dge> fourth lan, excuse me
03:56 < ALowther> Yes. It's just a router behind a router behind a router, each with their own address space.
03:56 < h0dgep0dge> is it nested, or branching?
03:56 < ALowther> Nested.
03:57 < tds> a diagram is especially helpful at this point :)
03:57 < h0dgep0dge> and you want all hosts to be able to talk to eachother?
03:57 < kuahara> for the record, that's now how you would put different offices into different subnets in the real world.  Again, just guessing at the learning objective.
03:57 < dnanib> So you have subnets arranged serially?
03:57 < ALowther> tds: Any free websites where I can easily draw a schematic?
03:57 < tds> draw.io is neat
03:57 < h0dgep0dge> mspaint.exe
03:57 < tds> but in general just disable NAT everywhere other than the last router, set a default route on each route via the one "above" it, then add static routes via the next downstream router for all downstream networks from each router
03:58 < tds> if I'm correctly understanding your design
03:58 < dnanib> And how many routers do you have? Typically one router must be able to route between all the subnets (3 of them) you have and allow WAN access too (though to block one of them off the WAN you need a firewall too)
03:58 < dnanib> ALowther: lucidchart too
03:58 < kuahara> tds, I don't think you mean a default route on the one above it.  just a static route that knows how to find the network below it.
03:59 < tds> kuahara: oops, I'm missing an r there, should say "set a default route on each router via the one above it"
03:59 < kuahara> also, multiple static routes will need added.  just because router 4 knows a route to router 3 doesn't mean it knows where to send traffic to get to the subnet under router 2.
03:59 < h0dgep0dge> you're definitely going to want to be disabling nat, but that's not something that's necesarily trivial, or even possible. i shit you not, my current router doesn't let you change the subnet mask
03:59 < dnanib> ALowther: Let us take your routers one by one. Each router needs at least two subnets directly connected to justify its name. So you are saying on router1 you have 88.1/24 on wan side, and 3.1/24 on the other side (lan side)?
04:00  * tds just uses linux machines as routes, then you can do pretty much whatever you like
04:00 < tds> s/routes/routers/ I think I need a new r key
04:00 < kuahara> I was going to trample over your linux machine to get from A to B
04:01 < dnanib> static routing, dynamic routing with quagga, policy routing with iproutes2... the full stuff
04:01 < tds> boo, they all use bird not quagga :)
04:01 < kuahara> if you want to learn cisco stuff instead, Jeremy Cioara's CCENT, CCNA, etc... video series is awesome.
04:02 < Ouroboros> tds: you mentioned acme clients with a built-in web server?
04:03 < tds> Ouroboros: sure, certbot has a standalone mode, I think various other clients do as well
04:04 < h0dgep0dge> ALowther: i'm drawing a diagram of what i'm imagining, just hold tight
04:05 < ALowther> dnanib: Yes, so the WAN side for .3.1/24 is .88.1/24 and the LAN side is .11.1/24
04:05 < dogbert_2> damn...a waste of fine booze: 9,000 barrels of bourbon fall in Kentucky distillery building collapse
04:05 < Goop> What is the most I can get out of a (one, single) fiber optics cable that is 19 miles long, with a budget for the end-devices of $2,000 each?
04:06 < Goop> I guess you could call them fiber optics modems, but I'm not sure that's the appropriate word.
04:06 < h0dgep0dge> hire a chimp with a laser pointer
04:07 < h0dgep0dge> ALowther: take a look at this https://imgur.com/a/8pwZ8eC
04:07 < h0dgep0dge> is that what you're working with?
04:07 < ALowther_> Exactly!
04:08 < Goop> I'm just looking at raw fiber optics, and what to expect for long-distances.
04:08 < tds> ALowther_: what routers are these, what options do you get with NAT?
04:09 < ALowther_> .88.0/24 & .11.0/24 are MikroTiks. .3.0/24 is a Linksys
04:09 < tds> ideally you want to disable it on everything but connections going out via the wan interface on router 1, then set up static routes as I described above
04:09 < dnanib> Subnets are not devices, ALowther_
04:10 < Goop> Was my question not clear?
04:10 < h0dgep0dge> for static routes, each router should have it's default gateway set to the router above it, with static routers for each subnet below it, and the gateway for the static routes should be the router directly below it
04:10 < h0dgep0dge> Geep: hold tight chief, we're just helping out this other poor chap
04:10 < h0dgep0dge> LOL ^Geep^Goop
04:11 < Ouroboros> tds: is there a reason why that is a worse idea than dns validation? i assume that this web server runs only at the time of validation?
04:11 < dnanib> ALowther_: there will be a router which has 2 cables going into it, and having IP addresses in two different subnets. You need to identify those devices and the subnets configured.
04:11 < tds> Ouroboros: yeah, it only runs for validation
04:12 < dnanib> On each of them, you need to add a static route to the subnet that appears ONLY on the other one. This static route will have a gateway of the other router's IP address in the common subnet.
04:12 < ALowther_> h0dgep0dge: but how, for example, does .3.0 know the gateway to .11.0. Wont it have been assigned some IP address by .3.0’s DHCP server?
04:12 < tds> dnanib: the only thing we're really missing per that diagram is the subnet on the wan interface of router 1, which I'd guess may be dynamic?
04:13 < dnanib> Oh. Was there a diagram? :-)
04:13 < tds> https://imgur.com/a/8pwZ8eC
04:14 < h0dgep0dge> ALowther: if you're using dhcp to configure the routers, static routes go out the window. static ips my friend
04:14 < tds> stick with dhcp and just run ospf/rip/whatever, what could possibly go wrong? ;)
04:15 < dnanib> Here is typical deployment scenario: --> 192.168.88.1/24|Router1|192.168.3.A/24 <-----> 192.168.3.B/24|Router2|192.168.11.1/24 <--
04:15 < dnanib> ALowther_: with this scenario you need to local Router1 and Router2, and identify what A & B are.
04:16 < dnanib> Then add static route in Router1 : ip route add 192.168.11.0/24 via 192.168.3.B and in Router2: ip route add 192.168.88.0/24 via 192.168.3.A
04:16 < dnanib> That's all to it
04:16 < dnanib> s/local/locate/
04:16 < h0dgep0dge> yeah, just use the ip command on a domestic router, piece of cake
04:17 < ALowther_> Hahahaha. I think he’s using Mikrotik commands
04:17 < dnanib> Whatever, just use the appropriate incantation of the device you are working on.
04:17 < dnanib> ip route was used only as an illustration.
04:17 < ALowther_> But those won’t work on my Linksys which is the middle router.
04:17 < tds> well you can with openwrt on a consumer router :)
04:17 < tds> or even put bird on that if you want
04:18 < h0dgep0dge> there are better ways to do it if we can switch around the topology of the network, but that's not the game, this is network golf
04:18 < ALowther_> dnanib: BTW. Your example is EXACTLY what I’ve been trying to do. I just don’t know what to put for Default Gateway which is where I ran into the initial problem.
04:19 < tds> default gateway just always needs to be the router "above" each router in that diagram
04:19 < dnanib> ALowther_: as I said: identify A & B in your scenario and put those in
04:20 < tds> then you want 2 static routes on r1 via r2 for the subnets below it, 1 static route on r2 via r3, then you should be done
04:20 < h0dgep0dge> tds: they're asking about the default gw in the topology dnanib is describing
04:20 < tds> ahh, I was getting very confused, that makes more sense
04:20 < tds> it's 3:30am here, I should probably sleep or something :)
04:21 < h0dgep0dge> ALowther: we've given the configuration you need for your set-up, tds and myself gave outlines above. if you want to know the best configuration for these clients to talk to eachother that's another question
04:21 < ALowther_> h0dgep0dge: The .11.0/24 network connects to a VPN. The .88.0 router has no WiFi capabilities. Ultimately, I’d like to figure out how I can move the VPN configuration from the .11.0/24 network to the .88.0 router & then set up another VPN network on the .88.0 router, if that’s possible. Then I can get rid of the .11.0 router.
04:22 < h0dgep0dge> oh good, i thought this was a tricky setup, turns out you've got vpn involved
04:22 < ALowther_> h0dgep0dge: Yes, thanks. I’m currently providing my son the comfort of my presence while he doses off to sleep, then I will test it out & see if I can get it working :)
04:22 < h0dgep0dge> np, let us know if you have any luck
04:22 < h0dgep0dge> Goop: you wanted to know about fibre?
04:23 < tds> handling the vpn sounds like a bit of a pain, you'll probably want to add an extra interface for the "vpn lan", then policy route traffic from that via the vpn gateway
04:23 < dnanib> ALowther_: have you solved your first problem?
04:23 < ALowther_> h0dgep0dge: Yes, the current .11.0 router is a hAP lite. It only supports 2.4 band & fast Ethernet. I’d like to get rid of it.
04:23 < dnanib> Is the 11.0/24 network on the remote side of the VPN?
04:23 < ALowther_> dnanib: maybe, I haven’t been able to test yet for the reason stated above. I will be shortly.
04:24 < dnanib> And what type of VPN is that? One that hooks two locations/offices or one that allows roaming folks (roadwarriors in VPN lingo) to hook on?
04:24 < ALowther_> tds: Idk what any of that means right now! But it sounds doable! Lots for me to learn ;)
04:25 < ALowther_> dnanib: it’s a personal VPN between the home’s of my family members.
04:27 < ALowther> If I disconnect on both clients, we'll know it didn't work ;).
04:29 < ALowther> Yeah, idk what it is I'm not understanding. On my .3.0 router I am putting: { Destination IP: 192.168.11.0, Subnet: 255.255.255.0, Gateway: 192.168.11.0 }. It says the gateway address is not valid.
04:30 < h0dgep0dge> does that router have a 192.168.11.0/24 address?
04:30 < h0dgep0dge> the .3.0 router, i mean
04:31 < ALowther> I need to find the address that the .3.0 router has assigned to router through that ethernet port, right?
04:31 < h0dgep0dge> no routers should be being assigned addresses by dhcp
04:32 < h0dgep0dge> as long as your routers are configuring themselves using dhcp your static routes aren't going to work
04:32 < ALowther> What is the default gateway for the WAN?
04:32 < h0dgep0dge> of which router?
04:33 < ALowther> h0dgep0dge: Sorry, that was unspecific. The .3.0 router. What is the gateway to the .88.0 router, which is on the incoming WAN to the .3.0 router.
04:33 < dnanib> ALowther: identify A & B please
04:33 < dnanib> Typically A and B are not 0
04:34 < h0dgep0dge> ALowther: i'm sorry guy i don't know what you just said
04:34 < ALowther> Is the gateway 0.0.0.0?
04:35 < h0dgep0dge> i'm sketching out another drawing to show how it should be configured
04:36 < ALowther> WAN -> .88.0 -> .3.0. -> = ethernet cable from LAN port to WAN port....How do I determine gateway address for .3.0 -> .88.0, for outbound traffic?
04:37 < h0dgep0dge> the gateway address for the .3.0 router is the lan ip address of the 88.0 router
04:37 < whatsabinki3> are you configuring a router or a computer? if you are configuring a router that's the isp info, if it is the router plugged into the modem... if you are configuring the computer than it is the local ip address of the first router connected to the computer
04:37 < h0dgep0dge> but that should be in the wan configuration for .3.0, not the static routes
04:37 < dnanib> ALowther: Destination IP: 192.168.11.0, Subnet: 255.255.255.0, Gateway: 192.168.11.0
04:37 < h0dgep0dge> whatsabinki3: this is what alowther is trying to do https://imgur.com/a/8pwZ8eC
04:37 < dnanib> This is incorrect. This config is supposed to allow your router to send packets to the 11.0/24 subnet. If its gateway is in 11.0/24 itself, we have a chicken-and-egg problem.
04:38 < dnanib> ALowther: refer back here: --> 192.168.88.1/24|Router1|192.168.3.A/24 <-----> 192.168.3.B/24|Router2|192.168.11.1/24 <--
04:38 < dnanib> Look closely where I have mentioned A & B. Identify those in your scenario.
04:38 < h0dgep0dge> dnanib: they're talking about for traffic going from .3.0 to .88.0, nothing to do with sending packets to 11.0/24
04:40 < dnanib> h0dgep0dge: maybe I missed something then. I was responding to this: "Yeah, idk what it is I'm not understanding. On my .3.0 router I am putting: { Destination IP: 192.168.11.0, Subnet: 255.255.255.0, Gateway: 192.168.11.0 }. It says the gateway address is not valid."
04:41 < h0dgep0dge> the gateway should be the address router #3 has on the .3.0/24 subnet
04:41 < dnanib> Yes, A or B in my scenario :-)
04:42 < ALowther> h0dgep0dge: Right, I figured that out, I think. So I looked at the static IP the .3.0 router had assigned to the .11.0 router...but how about a static route going the other way. What is the gateway for the .88.0 router from the .3.0 router?
04:42 < ALowther> h0dgep0dge: I should say, I looked at the dynamic IP it had assigned & then I made it static & used that.
04:43 < whatsabinki3> I'd recommend using a switch and one router, but figuring this out might be interesting...
04:43 < ALowther> whatsabinki3: Hahahha, yes. This won
04:43 < ALowther> won't be a permanent configuration. Just a temporary setup/learning lesson.
04:43 < whatsabinki3> ahh
04:43 < strixdio> can I connect to a cisco switch management port with a rollover ethernet cable connected to my laptop ethernet port?
04:44 < strixdio> or do I need to specifically use the usb/serial cable?
04:47 < dnanib> " So I looked at the static IP the .3.0 router had assigned to the .11.0 router" - this doesn't make sense. Is the first router assigning addresses to the second one via DHCP?
04:47 < h0dgep0dge> this is the configuration you want. https://pastebin.com/RdQFzfte
04:47 < dnanib> strixdio: I think recent models can automatically detect the type of cable so it doesn't matter?
04:47 < strixdio> this is a 3560G
04:49 < ALowther> dnanib: Yes, the .88.0 and .3.0 are both assigning IPs via DHCP.
04:49 < strixdio> happen to know how to factory reset it without console access?
04:49 < dnanib> ALowther: h0dgep0dge's config suggestion should work. I think I misunderstood your topology a bit.
04:49 < h0dgep0dge> ALowther: stop using dhcp to configure the routers, it's only going to make your life more difficult
04:50 < h0dgep0dge> dnanib: this is the topology https://imgur.com/a/8pwZ8eC
04:50 < ALowther> Am I still here?
04:50 < h0dgep0dge> sure looks like it
04:51 < ALowther> Ah man, I'm so confused.
04:51 < ALowther> Good thing these routers are constructed to be smarter than I am :p
04:51 < ALowther> So I set the static routes, but I can't ping 192.168.88.1 from the .11.0/24 network.
04:51 < whatsabinki3> that reminds me... if you turn of dhcp on all routers, except on the one plugged into your modem, then you can plug the output of the modem router right into the output of another router and if it's dhcp is off it will work like a switch
04:52 < ALowther> But I am still connected to the Internet on the .11.0/24 network which has to go through the .88.0 router to get to the Internet and come back..
04:52 < dnanib> ALowther: maybe you should post the full config of the routers.
04:52 < dnanib> h0dgep0dge: thanks. Three routers, cascading? :-)
04:53 < ALowther> dnanib: How do I grab that from a Linksys?
04:53 < h0dgep0dge> have you disabled nat on routers 2 and 3?
04:53 < dnanib> Oh wow. The web UI must have a config backup/download somewhere.
04:53 < ALowther> h0dgep0dge: Yes
04:53 < h0dgep0dge> i'd try traceroute instead of ping, it's great for diagnosing multihop issues
04:55 < ALowther> h0dgep0dge: It's getting lost at 3.1
04:55 < dnanib> ALowther: where is the trace starting from?
04:56 < ALowther> .11.x -> .11.1 -> .3.1 -> ****(lost)
04:56 < h0dgep0dge> and what's the destination?
04:57 < ALowther> .88.1
04:57 < h0dgep0dge> okay, so you can talk to .3.0/24 from 11.0/24, but not to 88.0/24?
04:57 < ALowther> Which I have configured on the .3.0 router...{ Destination: 192.168.88.0	, Subnet: 255.255.255.0, Gateway: 	192.168.88.1 }
04:57 < ALowther> As a static route
04:57 < ALowther> Yes
04:58 < h0dgep0dge> can you talk to 88.0/24 from 3.0/24?
04:58 < ALowther> h0dgep0dge: Idk how to test that. Idk if Linksys has built in tools like that.
04:59 < ALowther> h0dgep0dge: Let me see if I can test on a client on the .3.0/24 network
04:59 < h0dgep0dge> many routers have diagnostic tools that allow you to do pings or traceroutes
05:00 < ALowther> h0dgep0dge: Yes, it worked.
05:01 < h0dgep0dge> router #1 isn't configured properly to return packets to 3.0
05:01 < ALowther> h0dgep0dge: I was able to talk to .88.1 directly from .3.0 router
05:01 < h0dgep0dge> okay wait hang on
05:02 < h0dgep0dge> no, i don't think you are. router #3 may be able to talk to router #1, but it's not using .88.1
05:02 < h0dgep0dge> sorry, not using .3.1
05:02 < h0dgep0dge> it'll be using .11.2
05:02 < h0dgep0dge> wait christ
05:03 < h0dgep0dge> this scheme is so confusing
05:03 < fedorauser123952>  needing vpn service- anyone have recommendations?
05:03 < ALowther> h0dgep0dge: Hahahha, on traceroute router #3 is hearing back from router #2, but not router #1. Yet on the router #2 interface I can hear back from router #1
05:04 < h0dgep0dge> okay, i think router #1 isn't configured to return packets to .11.0/24
05:04 < h0dgep0dge> what routes do you have on router #1?
05:04 < ALowther> h0dgep0dge: I've configured none.
05:04 < h0dgep0dge> also maybe we should switch to pm, fedorauser wants to know about vpn
05:04 < fedorauser123952> i can haz vpn plz?
07:16 <+pppingme> Spice_Boy your boy Elon shutting down all sorts of factories..
07:17 < Spice_Boy> how the hell is he my anything?
07:17 < Spice_Boy> who cares
07:17 <+pppingme> his financial house of cards is really crumbling
07:18 < Spice_Boy> again, why are you telling me? I don't care
07:18 < Spice_Boy> why do you care?
07:22 <+pppingme> because I keep an eye on tech and business
07:22 <+pppingme> but then again, elon isn't really business, he's more of a welfare case
08:16 < h0dgep0dge> anyone here familiar with ipfire? i'm playing around with it in virtualbox, looking at different options for installing on a router, but it's proving difficult to get it to do anything
08:44 < k2gremlin> h0dgep0dge, I stick with pfsens
08:44 < k2gremlin> e
09:06 < networking> hi
09:08 < networking> non technical question, how do you replace or keep track of your bookmarks when a large site like reddit changes their way and has two domains/url's going to old and new sites?
09:08 < mos6502> networking: you don't
09:09 < mos6502> alternatively, regular expressions
09:09 < IanTLopp> I've got AT&T Fiber internet running a Pace 5268AC Modem/Router combo (no other option here), and I've got a Netgear R6900v2 router connected to it. I've got most everything setup and working, with the pace working essentially in gateway mode (they don't have a strict gateway mode - I have to set it to DMZplus mode where all traffic is routed to the router)
09:09 < IanTLopp> this gives the netgear router an external IP address.
09:09 < IanTLopp> BUT, as a result of all this, I can't seem to get the netgear on the same subnet as the Pace unit.
09:10 < IanTLopp> I want all my devices following the same 192.168. routine, but Netgear fails connection to the internet every time I set it up with 192.168. as the subnet
09:10 < networking> mos6502: how does regex come into picture?
09:10 < IanTLopp> any suggestions?
09:11 < mos6502> networking: export (not to xml, to something else) and then regex to new url pattern and then import again
09:12 < mos6502> as to why not html or xml
09:12 < mos6502> https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454
09:14 < varesa> couldn't you still use regex on for example https://reddit.com/[^<]* even if the bookmarks were in XML
09:14 < varesa> sure, never use it for matching XML (or related) tags
09:17 < detha> hipster solution: export to xml, write an xslt filter, re-import ;)
09:18 < networking> mos6502: ok
09:20 < varesa> IanTLopp: have you enabled NAT on the second router? What's the current working subnet?
09:20 < IanTLopp> the current working subnet on the netgeat is 10.0.0
09:20 < IanTLopp> while the pace is running 192.168.1
09:21 < IanTLopp> I haven't modified NAT on the netgear yet, so it will be whatever is set by default
09:24 < varesa> IanTLopp: Can you clarify what you meant with "gives the netgear router an external IP address"?
09:24 < IanTLopp> it passes an external (seen by the rest of the internet) IP address to the router, the router's IP is not listed as an IP in the subnet of the Pace modem/router
09:25 < IanTLopp> this is necessary for the netgear to function as a router.
09:25 < varesa> so something outside 10./8 and 192.168./16?
09:25 < IanTLopp> I have lan port 1 on my pace connected to the WAN port on my netgear, as well.
09:25 < IanTLopp> varesa: um.. I suppose so?
09:26 < IanTLopp> the actual mask on both is 255.255.255.0, but I have the subnet of the Pace at 192.168.1.xxx and the subnet of the netgear is at 10.0.0.xxx
09:26 < IanTLopp> if I switch the subnet of the netgear, it won't be able to connect to the internet, and then it will reboot itself, and automatically reset to 10.0.0.xxx
09:27 < varesa> I mean, does the WAN address as seen by the netgear begin with something else than 10. or 192.168. ?
09:27 < IanTLopp> yes
09:28 < IanTLopp> I'm sorry if my responses are short, or slow.. I'm presently bleeding from the head for some odd reason.
09:28 < varesa> okay, then the subnet on the pace router shouldn't matter
09:29 < IanTLopp> well I want to be able to have all devices on 192.168.1.xxx, and I want to be able to access the pace while connected to the netgear
09:29 < IanTLopp> it's not absolutely necessary - but I have static IPs for half my devices. makes my firewall rules so much easier to follow.
09:30 < varesa> uhh, that sounds like a pain to setup
09:31 < varesa> do you have one or two connections between the routers?
09:32 < IanTLopp> varesa: what do you mean?
09:32 < networking> IanTLopp: what is this pace device?
09:33 < IanTLopp> I have one line that comes in from the wall to the modem (the fiber line), then one ethernet line from lan port 1 to WAN on the netgear router\, then one ethernet line from lan port 1 on the netgear to my 24port switch.
09:34 < IanTLopp> networking, the pace device is a 5268ac, supplied directly from AT&T for their fiber network. there are NO OTHER OPTIONS (trust me, I've checked), so if I want to have more than 5 wifi devices on at once, or have any control over anything, I have to setup this weird DMZ+ mode that kind of acts like a bridge.
09:35 < varesa> IanTLopp: if the pace gives the netgear an external/public IP it is acting as a dumb bridge which means you can no longer access the pace device from your network
09:35 < IanTLopp> I can actually..
09:35 < IanTLopp> I just can't do so with everything on the same subnet
09:36 < varesa> there must be something in the setup I'm missing as it shouldn't work like that
09:36 < IanTLopp> while my router, and all devices are connected to each other on 10.0.0.xxx, I can type the pace's internal IP address (on 192.168.1.xxx subnet) and it shows me the landing page for the pace.
09:36 < networking> IanTLopp: ok
09:36 < IanTLopp> I'm sure it has to do with that weird DMZ+ mode.
09:37 < varesa> if you have a netgear router that gets an external IP from the ISP and the default gateway also goes to the ISP, any packets to a subnet not known to the netgear device (e.g. the 192.168.1.0/24 subnet) get sent to the ISP
09:37 < IanTLopp> even IF I just wanted to dump the pace's settings, and just have everything else on 192.168.1.xxx, I couldn't modify the pace - it's subnet are set in bloody stone.
09:37 < varesa> unless the pace does something really weird and intercepts the traffic
09:37 < IanTLopp> varesa: again - I'm guessing it's the DMZ+ thingy.
09:37 < IanTLopp> yes, DMZ+ best guess.
09:39 < varesa> yeah... I've never come across something like that. It has either been pure bridge mode (router becomes a dumb modem) or "DMZ address" where the second device gets and RFC1918 address but the first device just basically port-forwards all incoming traffic to that address
09:40 < varesa> but you can't have the same subnet on both sides of a router like that
09:40 < IanTLopp> rfc1918 address?
09:40 < varesa> it should be for example ISP -> Pace <- 192.168.0.0/24 -> Netgear <- 192.168.1.0/24 -> your LAN
09:41 < varesa> RFC1918 are general purpose private addresses, 10.*.*.*, 192.168.*.* and 172.?.*.*
09:41 < varesa> well, rather RFC1918 is the document that defines those address ranges
09:41 < IanTLopp> ahhh
09:42 < IanTLopp> I gotcha
09:42 < IanTLopp> so even in the second example, there's no way to have the two devices on the same subnet? hmm.
09:42  * IanTLopp can't wait to build his pfsense router
09:42 < IanTLopp> heh
09:43 < varesa> routers are basically made to divide networks into subnets
09:43 < varesa> and in a network without NAT a single subnet can only exist once
09:44 < IanTLopp> hmm
09:46 < varesa> so if you don't want to change the subnet the most of your devices are on and want the netgear router in play (was there something you needed it for that the pace didn't do?)
09:46 < varesa> you could try to change the subnet on the pace as that'd be only one address you really care about
09:59 < IanTLopp> sorry for the delay there - had to deal with the bleeding head.
10:00 < varesa> sure, take your time. I'm supposed to be working anyway :)
10:01 < IanTLopp> well I'm done now.
10:01 < IanTLopp> I don't think I can change the subnet of the router
10:01 < IanTLopp> looks like I'm just going to have to deal with 10.0.0.xxx
11:00 < jackbrown> hello
11:00 < jackbrown>  anyone here
11:00 < jackbrown> ?
11:01 < IanTLopp> yes
11:02 < h0dgep0dge> IanTLopp: my router is the same, fixed at 24 bit subnet, absurd.
11:02 < h0dgep0dge> i'm here also
11:03 < jackbrown> f i'd like to upgrade my Laptop Wireless network adapter (MiniPCI of course) which one would you suggest to buy?
11:04 < jackbrown> I just bought a  FRITZ!Box 7490 as main router, anyone knows FRITZ!Box ?
11:05 < varesa> without knowing any better I'd probably buy the latest Intel card you could fit in the machine
11:05 < varesa> be aware though that some systems have a whitelist of supported cards you can plug into them
11:15 < spaces> varesa :D
11:24 < jackbrown> varesa, thanks
11:25 < varesa> jackbrown: that being said I know very little about wireless adapters in general so whatever you find be at least sure to google around for reviews/angry complaints on forums
11:25  * varesa thinks he owns more 10G SFP+ NICs than wireless ones
11:26 < jackbrown> varesa, thanks but I think an Intel one would be fine, the only problem I should check if it's compatible or not with my ASUS N56VZ
11:29 < Apachez> wireless SFP+ nics?
11:30 < Apachez> sposnored by NSA? :P
11:34 < varesa> got to have that 10G wireless
12:34 < kyra_> Hello there! i have a question about network attatched storage devices - anyone here that can help?
12:35 < Jonta> Yes
12:35 < kyra_> fairly simple question - i'm looking for a NASD which i can use multiple drives - hopefully up to four - without implementing RAID? i want each drive to be a seperate, mountable drive, on a single device...
12:36 < light> why would you want that
12:37 < kyra_> well like i said i want each drive to be interchangeable, and i don't really have a need for it to be read as one large drive. doesn't seem necessary to me, and too prone to failure/headaches
12:38 < h0dgep0dge> isn't the point of raid that it's resistant to failure?
12:38 < light> interchangeable?
12:39 < kyra_> not very familiar with raid, but as i understand if one drive fails or is corrupted, it can ruin your whole raid system?
12:39 < kyra_> swappable
12:39 < light> lol
12:39 < h0dgep0dge> i would have thought any NAS machine could be configured without RAID, but that's just a guess
12:39 < h0dgep0dge> nope, the r in raid stand for redundant
12:39 < h0dgep0dge> you can lose a drive, drop in a new one, and you won't have lost any data
12:39 < light> if you're using raid0 you will lose data if a single drive dies
12:40 < varesa> RAID usually is used to sacrifice capacity for availability/resiliency
12:40 < h0dgep0dge> true, but some argue raid0 isn't raid, because it's not redundant
12:40 < light> you want to be able to swap disks in and out of this nas?
12:41 < varesa> I would expect any decent NAS device to support a volume/share per drive if you want the maximum capacity and don't care about loosing for example 1/4th of your data if a disk breaks
12:42 < kyra_> @light - yes
12:42 < varesa> oh, h0dgep0dge already said that. Oh well
12:42 < h0dgep0dge> why do you want to swap disks? are you taking them somewhere?
12:42 < kyra_> looking at the NAS devices it seemed they were designed for RAID, maybe i need to dig a bit harder
12:42 < light> many also support JBOD
12:43 < varesa> RAID is the most common use case but usually not forced
12:43 < light> but I don't see the point
12:43 < kyra_> well for one, if i wanted to upgrade size, but didnt want to upgrade all four, (jbod would work)
12:44 < kyra_> i dont have the $$ to buy four 8tb disks and a NAS all at once
12:44 < light> invest in some decent sized disks now, if you buy small and replace it will cost you more
12:44 < h0dgep0dge> i can understand wanting to avoid a front-loaded cost, even if it winds up costing more
12:45 < varesa> unless the smaller disks can be then used somewhere else
12:45 < kyra_> yeah
12:45 < kyra_> i simply cant afford four 8tb drives, maybe four 2 tb and MAYBE 4tb but thats pushing it
12:45 < h0dgep0dge> how worried are you about losing data?
12:46 < h0dgep0dge> poof and 25% of your data is gone, how bad is that?
12:46 < h0dgep0dge> (or i suppose "25% of your data are gone")
12:46 < kyra_> depends which 25 haha
12:46 < kyra_> not the end of the world, its not proprietary or anything
12:47 < kyra_> and anything REALLY important i would have more than one backup
12:47 < h0dgep0dge> you can use disks of different sizes in a raid array, but AFAIK you can only use the size of the smallest disk times the number of disks
12:48 < h0dgep0dge> so you could start at 2 tb, and progressively upgrade, you just won't get any more storage space until you've upgraded all 4
12:48 < kyra_> see so that makes no sense at all if you expect to have different sized drives, or to upgrade single drives
12:48 < varesa> though since RAID is not a backup I'd say the primary reason for RAID would be uptime/availability, not preventing data loss
12:48 < light> how much are you planning to spend for this setup?
12:48 < kyra_> so what is the advantage of a RAID then? are you protected from data loss if a drive dies?
12:48 < light> yes
12:49 < light> but not if you delete something accidentally
12:49 < kyra_> hah
12:49 < varesa> or there is filesystem corruption or a software bug or ...
12:49 < kyra_> im hoping to spend less than a thousand CAD
12:49 < h0dgep0dge> varesa: i think RAID is only valuable for uptime if you assume backups are already being kept
12:49 < kyra_> preferably in the 400-600 range
12:50 < kyra_> so what are the other alternatives to four seperate drives - raid - jbod - ....?
12:51 < light> jbod is just a bunch of disks
12:51 < h0dgep0dge> i don't really think there are any other options, use parity or don't use parity
12:51 < light> well, there is unraid
12:52 < h0dgep0dge> quick primer on unraid, for the uninitiated?
12:53 < varesa> was that just a RAID type implementation that could take mixed size disks?
12:53 < varesa> s/was that/did it have/
12:54 < light> yeah different sized disks and can expand the array
12:54 < h0dgep0dge> that's what it looks like, seemingly just treats smaller disks as if they're bigger, and pads the missing areas
12:55 < h0dgep0dge> for the purpose of calculating parity, that is
12:55 < h0dgep0dge> is there free software to implement that?
12:55 < kyra_> if i had, say, four drives of equal size, would there be storage loss with raid?
12:55 < h0dgep0dge> you trade off space for resistance to data loss
12:55 < light> depends what raid level you went with
12:55 < varesa> with a RAID level that can tolerate a disk loss, yes
12:56 < varesa> you don't just magically get an extra disk worth of space :)
12:56 < varesa> the capacity hit is at least as many disks as it can tolerate to loose
12:58 < kyra_> ok so say you have 4x2tb drives, you would have 6tb usable space, so that you could theoretically have one drive die?
12:58 < light> if you went with raid5
12:58 < kyra_> hmm interesting
13:01 < kyra_> ooook so answer to my original question is basically - any of them should allow for treating four separate drive as four separate drives, but why would i want that?
13:02 < h0dgep0dge> i can understand why you'd want it, but you should know the pros and cons
13:03 < kyra_> thank you
13:04 < varesa> yeah, as you should have separate backups (unless the NAS is the backup, multiple separated copies anyway) it comes down to if you want the maximum capacity for the money and do you care about spending a day or two restoring a few terabytes from backups
13:04 < varesa> and how many family members will be complaining about being unable to access their music/photos/movies/documents while you're restoring said backups :P
13:05 < h0dgep0dge> maybe, if you want to be able to upgrade in the future without buying 4 new disks, get a nas with more than 4 bays
13:05 < varesa> synology is one of the better brands by the way
13:05 < h0dgep0dge> you could get another disk the same size and add it to the array, or get a bigger disk and use it on it's own
13:06 < varesa> I've not owned one myself (don't have any off-the-shelf NASes) but I know a lot of people who swear by them
13:07  * varesa logs into NetApp AFF200
13:09 < kyra_> yeah i was looking at synology 4 bay... and it led me to my nex question... stock software, or something like openNAS
13:09 < kyra_> ?
13:09 < h0dgep0dge> depends on how much you like having knobs dials and levers to play with
13:10 < varesa> I'd expect the synology software to be good enough
13:10 < varesa> it is good enough that people are trying to run it on their own servers (xpenology) as well
13:10 < kyra_> what KIND of knobs dials and levers? hehe.. i suppose i can just look into that myself though
13:11 < h0dgep0dge> i would assume you can flash new software all day long, try everything out and see what fits
13:12 < kyra_> preach!
13:12 < kyra_> haha that sounds more my style than thinking about it now anyways :P
13:13 < h0dgep0dge> shoot, i would even wager some platforms will install on virtualbox, play around with some virtual drives on there
13:14 < kyra_> gooood idea
13:15 < h0dgep0dge> that's why they pay me the big irc bucks
13:15 < varesa> whaat? I only get small irc bucks
13:16 < h0dgep0dge> you gotta get a brand deal man
13:16 < h0dgep0dge> This IRC Answer brought to you by tide pods. MMMHMMM, tide pods!
13:16 < Jonta> https://irc.com
13:19 < kyra_> hah
13:20 < Jonta> Wonder what their business model is
13:21 < kyra_> dang so many to choose from
13:23 < Jonta> Top 3, gogogo
13:23 < kyra_> couldnt even start
13:23 < kyra_> i'd probably just choose between price point, CPU/RAM specs, and hardware options (hdmi, usb, etc)
13:24 < kyra_> this is really only something i started looking into a couple days ago so i am not yet at the point where i need to choose
13:24 < Jonta> ?
13:25 < varesa> I'm wondering if I should a) build a separate NAS b) stuff an HBA + bunch of disks into one of my hypervisors c) stuff a bunch of disks in my desktop
13:26 < varesa> Separate would be nicest but my apartment is starting to run out of space, need to start scaling vertically, literally :P
13:27 < kyra_> like this one:dual HDMI ports, keyboard mouse connection so its essentially a standalone machine
13:28 < Apachez> d) store everything in the cloud because what could possibly go wrong?
13:29 < light> your data would get wet in the cloud
13:29  * varesa imagines main storage array dying and having to download 10 TB worth of data/VMs
13:29 < JyZyXEL> i calculated it would take around ~930 days to upload my NAS to the cloud :P
13:29 < light> your porno collection is probably already well seeded
13:30 < light> you only need to backup important data like your tax documents
13:31 < JyZyXEL> but apparently sneakernet is available with some providers
13:32 < Jonta> What if JyZyXEL composited their tax documents into the porn, to hide it?
13:32 < varesa> the was an AWS snowball at the office recently, maybe could use that to upload
13:33 < h0dgep0dge> You can get better throughput to the cloud if you tie an external disk to a weather baloon
13:33  * varesa hides his data among work stuff
13:33 < varesa> h0dgep0dge: why not a rocket?
13:34 < h0dgep0dge> i did try that once, but i'm not allowed into those datacenters anymore
13:35 < varesa> but the others still let you use weather balloons in them?
13:36 < h0dgep0dge> those things take forever to go up and come back down, they don't know who caused that damage
13:36 < Apachez> PORN!
13:37 < varesa> the trick is to shoot the rocket at an angle so it lands beyond visual range
13:37 < kyra_> 4x50tb ssd
13:37 < kyra_> or bust
13:38 < kyra_> screw that, 16x50tb
13:38 < kyra_> backup the contents of my lifes google searches
13:38 < light> google already keeps a record of your searches
13:38 < light> you can view it in the top right hand corner
13:39 < kyra_> yeah but i need it for offline access
13:40 < varesa> you need a cluster of 2U shelves with 24x15TB SSDs
13:40  * varesa logs out of the NetApp AFF A200
13:46 < kyra_> hmm i just looked at my google history and apparently i wiped it and turned off storing it so when i created an archive of all my google history it was only 44 items...
13:48 < tempate> Hello. How can I map a local address (i.e. private ip and port) to a specific "domain"?
13:49 < varesa> you can't map a port to a domain (with some specific exceptions)
13:50 < light> tempate: you can redirect with your packet filter
13:50 < varesa> and you can't also directly map a domain you want to be externally accessible to a private IP. You need the map the domain to an external IP of a device that will then port forward or proxy the traffic to your internal stuff
13:50 < tempate> I don't want it to be externally accessible
13:51 < light> what are you trying to accomplish?
13:51 < tempate> I'm just tired of typing 192.168.1.100:8080 every time I want to check out a website I'm hosting there
13:51 < light> why not bookmark it?
13:52 < light> or use autocomplete
13:52 < light> you could use a hosts file entry and a vhost
13:52 < tempate> I mean, yes, I can do that. But still, it would be better if I could simply go with the domain. Also for learning purposes
13:53 < tempate> I'm using a vm running Debian 9, light
13:56 < varesa> tempate: you can map a domain to 192.168.1.100 either by hosting a DNS zone somewhere (internally in a VM or with some external DNS provider)
13:56 < light> or by adding it to /etc/hosts
13:57 < varesa> you'll still need to type domain:8080. Either change the port to 80 or run a reverse proxy on that or some other system (look up for example nginx reverse proxy)
13:57 < varesa> light: yes, I left that out since you already said it + tempate said he wanted to learn DNS
13:57 < tempate> great
13:57 < varesa> but yes, hosts-file can be used to "fake"/override DNS locally
13:57 < tempate> Thank you all very much
13:58 < tempate> /etc/hosts of what machine?
13:58 < tempate> the host, right?
14:06 < tempate> versa: about the reverse proxy, would it be possible to have several of this domains each pointing to a different port?
14:06 < tempate> these*
14:06 < light> you don't need separate ports if you use vhosts
14:06 < tempate> don't I?
14:07 < Apachez> no
14:07 < tempate> mhm
14:07 < Apachez> the server will look at host header to know which directory to servce as document root
14:08 < tempate> I see
14:09 < spaces> big data, blockchain and privacy complaning people, something is not right there
14:10 < Apachez> and more than 24 hours since spaces last visited pornhub, something is definately not right there
14:12 < spaces> Apachez you didn't upload anything new, mate even watching my dog sleeping is better then your cameraskills
14:12 < spaces> Apachez you cannot multitask, you are a man... when you try to focus on the camera... fll in the rest yourself
14:13 < spaces> Apachez and you are not sexy the camera have proven :P
14:14 < h0dgep0dge> template: i don't think anyone answered it before, you need to edit the /etc/hosts file on the client, and it will only work on machines that have it added to their hosts file
14:14 < h0dgep0dge> and the windows hosts file is found somewhere else
14:16 < h0dgep0dge> lol too late. it sounds like they might be going to try changing the /etc/hosts file on the server
15:53 < Apachez> How to cleanup a Data Center: https://imgur.com/gallery/qAJg8Xi
15:55 < dogbert_2> bwhahaha...funny
16:10 < jaelae> my team flew up to our DC and did some work
16:10 < jaelae> i left early cause i was there the previous day and they were going to pull old cables
16:10 < jaelae> i came back a week later to find cables on the floor that im not sure where they came from. and in the wiring runs they just cut the ends of cables and stuffed them banck in there
16:10 < jaelae> on the flipside - there was no outage
16:12 < zenix_2k2> one question, is there anyhow i can get my Public IP instead of going to an online site ?
16:12 < zenix_2k2> and it is not that i don't trust those sites but i wanna know how can those sites get my IP address
16:12 < zenix_2k2> logically, if it can then i can ?
16:14 < light> login to your router and take a look
16:15 < Crypto_Cube> Personally, I just have a browser addon that deals with that.
16:16 < zenix_2k2> so er... sorry but which part of my gateway's page that shows it ? --> https://ibb.co/mQFVVT
16:16 < light> wan
16:19 < zenix_2k2> one more thing, does your IRC client provide any function that you can use to get my IP address ? Because, this site (https://www.whatismyip.com/my-ip-information/) shows 42.113.189.247 but the WAN part shows 100.109.116.44
16:19 < zenix_2k2> and i haven't actually used anything like proxy or VPN
16:20 < zenix_2k2> not currently* :P
16:20 < zenix_2k2> i am not so sure that which IP is the correct one
16:23 < light>  /whois
16:27 < zenix_2k2> but it is kinda weird, if my IRC client shows 42.113.189.247 then what does the "IP address" mean in this situation ?? --> https://ibb.co/cXzFVT
16:27 < tds> zenix_2k2: you're behind cgnat, so without making connections out through that you can't determine the address you'll get nated out via
16:28 < tds> (100.64.0.0/10 is reserved for cgnat)
16:28 < zenix_2k2> oh
16:30 < strixdio> I have a 3560g, I tried "delete flash:vlan.dat" but I still have vlans. any thoughts?
16:31 < light> flash:/vlan.dat
16:32 < Apachez> and reboot
16:33 < strixdio> ah, okay.
16:33 < strixdio> thanks :)
16:36 < strixdio> nope.
16:36 < strixdio> everything is still there. I tried wiping the whole config... makes no sense.
16:37 < light> is the file still there?
16:38 < strixdio> idk
16:38 < light> ._.
16:38 < strixdio> I'm very new to managed switches
16:38 < strixdio> sorry
16:39 < strixdio> I have vlan.dat eah
16:39 < strixdio> yeah*
16:39 < strixdio> also c3560-ipbase-mz.122-35.SE5
16:39 < light> delete the file then check again
16:40 < strixdio> okay it's gone.
16:40 < light> dir const_nvram:
16:41 < strixdio> invalid input at c
16:41 < light> k
16:41 < light> delete const_nvram:vlan.dat just in case
16:41 < strixdio> invalid input for the c (of const) again
16:42 < light> reboot the switch
16:42 < strixdio> I have config.text, private-config.text, and that other file I mentioned earlier.
16:42 < strixdio> still good to reboot yeah?
16:43 < light> yes
16:43 < strixdio> okay. doing so now. takes a few minutes :P
16:43 < light> unles syou want to also delete the configs as well
16:43 < strixdio> I did try that already.
16:43 < strixdio> I think the configs did delete.
16:44 < strixdio> I had to name the switch and provide an IP
16:44 < light> oh, by the way, there are a set of standard vlans that you always have
16:44 < strixdio> Okay. That's fine, but 100% these were custom from the previous owner.
16:44 < strixdio> How do I set a management IP on an interface?
16:45 < light> grab an ios cheat sheet if you're new to cisco
16:45 < strixdio> okay cool thanks!
16:46 < strixdio> light: I'm looking on http://www.skullbox.net/ioscheat.php
16:48 < strixdio> light: so, do I need to set the IP based on the vlan?
16:48 < strixdio> light: omg, the vlans are STILL there!
16:49 < light> you should properly reset the switch if this is from some former owner
16:52 < strixdio> light: that's what I'm trying to do :/
16:53 < strixdio> I held "mode" while powering on, flash_init ... ?
16:58 < strixdio> ah, missed something. trying it again. Thansk
17:38 < strixdio> anyone around?
17:39 < strixdio> I'm trying to set up my cisco switch, but I'm not sure how to get it so I can ssh to it. I'm in the console session.. gave it an IP, told it the default-gateway... ???
17:44 < Jonta> strixdio: Pastebin of all commands and the responses you received?
17:44 < strixdio> Jonta: ??
17:44 < Jonta> /topic
17:45 < strixdio> Jonta: in other words, it was just the two commands, to set ip address and default-gateway
17:45 < strixdio> Jonta: there's no output of them
17:46 < Jonta> Which switch do you have?
17:47 < strixdio> catelyst 3560g
17:47 < strixdio> catalyst*
17:48 < Jonta> Did you try https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swauthen.html ?
17:49 < strixdio> Jonta: I haven't seen this page, but, I'm not even able to ping the device.
17:49 < Jonta> I'd try googling Cisco 3560g can't ping then
17:49 < Jonta> It's faster if you do the googling yourself =)
17:50 < strixdio> ...... \I've been googling......
17:50 < strixdio> I have never set up a switch from scratch before.
17:50 < strixdio> There's probably a lot of config I don't even know about.
17:50 < strixdio> necessary*
17:51 < Jonta> Hm. There's probably a user manual for it
17:51 < Jonta> https://www.cisco.com/c/en/us/support/switches/catalyst-3560-series-switches/tsd-products-support-series-home.html
17:52 < strixdio> https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swipaddr.html
17:52 < strixdio> this is what I followed
17:52 < strixdio> or at least, I am trying to.
17:52 < strixdio> I don't want DHCP
17:52 < Harlock>  did you reset it first
17:52 < strixdio> yes.
17:52 < strixdio> full reset.
17:53 < strixdio> basically what I'm getting at is, what is the minimal that I need to do from a fresh reset so I can start using the switch?
17:53 < strixdio> I thought it was setting the default gateway and the switch IP.
17:54 < Harlock> didn't the config script run after you reset and rebooted the switch?
17:54 < Harlock> i need to run out
17:55 < strixdio> yeah, it did. I set the ip, but in "show run" the IP was nowhere to be found, and it didn't reply to pings
18:03 < strixdio> "no shutdown" was the ticket, I guess.
18:09 < strixdio> and this switch is too old for ssh, sadly.
18:12 < Jonta> Too old for ssh?
18:20 <+pppingme> Jonta yeah, you have to be at leat 18 to use ssh..  same for beer
18:20 < Jonta> pppingme: And that switch is… over 65536 years old?
18:21 < detha> huh? pretty sure there should be a k9 image for 3560
18:24 < detha> strixdio: https://supportforums.cisco.com/t5/wan-routing-and-switching/ssh-version-2-not-supported-on-cisco-3560-g-switch/td-p/2031908
18:34 < dogbert_2> you need IPBASEK9-mz for the switch to support adv features, including SSH
18:45 < kur0mi2> :D
19:00 < strixdio> detha: thanks
19:00 < strixdio> dogbert_2: thanks
19:00 < dogbert_2> nodz
19:00 < strixdio> so, I have a trunk set up with vlans, and I have a ubiquiti AP with 2 of those vlans on it
19:00 < strixdio> when my clients try to join, they don't get an IP.
19:01 < strixdio> do I have to configure anything on the port itself to allow those vlans?
19:01 < dogbert_2> well, the ports need to be in the same VLAN you trying to access...
19:02 < strixdio> the ubiquiti AP has multiple vlans
19:02 < strixdio> how can one port be in multiple vlans?
19:02 < strixdio> unless those have to be trunks also?
19:04 < dogbert_2> trunks connect https://help.ubnt.com/hc/en-us/articles/222183968-Intro-to-Networking-Introduction-to-Virtual-LANs-VLANs-and-Tagging
19:05 < dogbert_2> Trunk: A trunk port is typically considered a member of all VLANs—it will accept and forward traffic on any VLAN ID and is typically configured for the uplink and downlink ports between switches and routers.
19:06 < strixdio> which makes sense
19:06 < strixdio> however, that doesn't say anything about APs
19:06 < dogbert_2> look at tagged/untagged vlans...
19:07 < dogbert_2> https://help.ubnt.com/hc/en-us/articles/204962144-UniFi-How-does-VLAN-traffic-get-tagged-
19:09 < strixdio> uh, okay?
19:11 < Harlock> you can tag how you want on the ap and set up ports on the switch can accept tags as you desire
19:11 < strixdio> Harlock: right, that's basically what I have going on. I'm just trying to figure out how to do that on the cisco switch.
19:12 < Harlock> trunk port like was mentioned, not access port
19:12 < Harlock> unless just a single vlan is ok on the port
19:12 < strixdio> Harlock: okay, so my ubiquiti AP needs to be connected to a trunk port
19:12 < Harlock> then it can be an access port
19:12 < strixdio> needs to be multiple :)
19:13 < Harlock> a trunk port will have a native vlan plus you can set it to accept additional vlans iirc
19:13 < strixdio> going to test now. Thanks :)
19:13 < strixdio> yeah, seems about right.
19:14 < strixdio> I probably didn't word it correctly from the beginning.
19:14 < Harlock> on cisco i mean
19:14 < strixdio> yep
19:14 < Harlock> trunk means a different think on some other manufactures switches
19:14 < Harlock> er thing
19:15 < dogbert_2> yeah, I wish they would standardize that...
19:17 < strixdio> hm
19:17 < strixdio> so, I added the trunk on that port, proper vlans, still no connection.
19:18 < Harlock> have you had it working untagged?
19:19 < strixdio> no
19:19 < strixdio> well, hang on..
19:19 < xingu> strixdio: what model is this thing and what does your config look like (pastebin)
19:19 < strixdio> so, I have had this AP connected to pfSense for a long time, working just fine.
19:19 < strixdio> 3560G
19:22 < strixdio> https://pastebin.com/fwFrRp32
19:23 < xingu> strixdio: what does "show vlan id 20" say?
19:24 < xingu> strixdio: ditto "show vlan id 30"
19:24 < strixdio> not found
19:24 < Harlock> are you running a single lan interface with multiple vlans on pfsense?
19:24 < strixdio> oh jeez
19:24 < xingu> strixdio: boom.
19:24 < strixdio> I didn't realize I had to make them on the switch.
19:24 < Harlock> og you didn;t set up your vlans?
19:24 < strixdio> I guess not!
19:24 < strixdio> Well, I set up one, 255
19:24 < strixdio> I think.
19:24 < dogbert_2> facepalm :P
19:24 < strixdio> yeah I did
19:24 < strixdio> I didn't realize that's required.
19:25 < strixdio> this is my first managed switch and I'm not formally trained.
19:25 < xingu> strixdio: ios(like) bridge instances have a discrete forwarding stage
19:25 < xingu> strixdio: no stp instance, no forwarding.
19:25 < strixdio> sorry that's over my head right now.
19:25 < xingu> strixdio: so tagged frames will be accepted but terminated at ingres.
19:25 < strixdio> oo
19:26 < strixdio> do I have to give each vlan an IP?
19:26 < xingu> strixdio: no
19:27 < xingu> strixdio: just start stp instances; "vlan 20" "name ..."
19:27 < strixdio> stp instances?
19:28 < dogbert_2> stp spanning tree protocol
19:28 < Harlock> they only need ips for intervlan routing but your will most likely  keep your routing on pfsense
19:28 < xingu> strixdio: yes; ios(like) bridge domains resolve to loop-free on a per vlan basis.
19:29 < strixdio> wow I didn't realize how much there is to this.
19:29 < xingu> strixdio: nb, also vtp version 3 and vtp mode off unless you really need it; this will result in the bridge instances appearing in running config, which is a bit nicer from a device recovery perspective.
19:30 < strixdio> <1-2>  Set the adminstrative domain VTP version number
19:30 < strixdio> looks like I don't have 3.
19:30 < xingu> strixdio: do it from enable rather than config mode
19:30 < strixdio> am in enable mode
19:30 < xingu> ah, try config mode then. :)
19:31 < xingu> (depends on hw / sw matrix)
19:31 < strixdio> same thing
19:31 < xingu> fair enough; version 2
19:31 < strixdio> might need to update anyway.
19:31 < strixdio> vtp mode client server or transparent
19:31 < xingu> transparent
19:32 < xingu> and yes, update that thing if you have a support contract, it has control plane bugs for sure. :)
19:32 < xingu> current / recommended MD should be fine, don't get fancy with ED
19:33 < xingu> after switching to transparent mode the vlan NNN should appear in running config.
19:33 < strixdio> huzzah I have wifi back :)
19:33 < dogbert_2> LOL
19:33 < strixdio> just to verify: was it the lack of the vlans on the switch, lack of the port being a trunk, or both?
19:33 < xingu> both
19:34 < dogbert_2> add in some comments as well...
19:34 < strixdio> okay :)
19:34 < Harlock> recommend enablign portfast on access ports
19:34 < strixdio> looking into that now.
19:34 < xingu> strixdio: trunk allowed vlan 1 is a little redundant too
19:34 < strixdio> that's for fast stp?
19:34 < dogbert_2> make sure you write the running config to memory
19:34 < xingu> what he said.
19:35 < Harlock> strixdio yes
19:35 < strixdio> :)
19:35 < strixdio> redundant but doesn't mess anything up right?
19:35 < dogbert_2> also, copy the running config to something like notepad++ as well
19:35 < strixdio> well, I'm in the learning process right now. If I break the config, I won't cry about it.
19:36 < Harlock> which swithc do you have, 3560G-24PS?
19:36 < strixdio> 48
19:36 < Harlock> oh they did make an ios 15 for for it
19:36 < strixdio> oooo!
19:36 < xingu> strixdio: exactly; native pvid is vlan 1, you shouldn't see vid=1 as a dot1q tag in ordinary operation
19:37 < dogbert_2> vlan 1 is typically the mgmt vlan as well
19:37 < strixdio> xingu: so I should remove it?
19:37 < xingu> strixdio: I would, I favour brevity; personal preference.
19:39 < xingu> strixdio: nonobviously "trunk allowed vlan ..." is an egres feature; so if native vlan is in the allowed mask, it's going to get tag stripped during forwarding and then added to the floodlist for that port regardless.
19:39 < xingu> strixdio: hence, "a little redundant"
19:43 < xingu> strixdio: last style tweak, adding "switchport nonegotiate" will disable dtp on that interface for this platform
19:44 < xingu> strixdio: if you don't particularly trust the far end of gi0/1 or gi0/2 I'd recommend as a second line of defence, dtp isn't well audited.
19:45 < strixdio> wow
19:45 < strixdio> as soon as I removed vlan1, I couldn't get any network connections again
19:45 < xingu> strixdio: I'm not talking about the vlan1 svi, I'm talking about switchport trunk allowed vlan 1
19:46 < strixdio> yes, that's what I mean.
19:46 < xingu> strixdio: oh neat
19:46 < strixdio> lol
19:46 < xingu> strixdio: that's probably because spanning-tree mode pvst; try mode rapid-pvst+
19:47 < strixdio> I don't have +
19:47 < elim_garak> quick question - does anyone know how I could look at a pcap and identify an FC initiator?
19:47 < strixdio> but I put it to rapid-pvst
19:47 < xingu> oh neat.
19:48 < strixdio> I need to update my ios I think.
19:48 < xingu> strixdio: leave the angry bear alone, agreed.
19:48 < xingu> strixdio: is vtp v3 and option in "vlan database" (from configure mode) ?
19:48 < strixdio> no
19:48 < xingu> k
19:48 < strixdio> I do need to update ios, and want to...
19:48 < xingu> then update or not, back to you.
19:49 < xingu> no huge risks and these are all style preferences
19:50 < xingu> strixdio: better than likely chance that this thing will leak memory and crash ~annually
19:51 < xingu> file under 37xx stack ring memory leaks are fun
19:51 < strixdio> lol
19:58 < strixdio> So, this is great. Now I can get a few NICs and add them into my server, and my "diskless" pc for better performance
20:00 < Harlock> my 2960S seems stable
20:01 < Harlock> i don't think it has been restarded since the last iso update i did on it, probably 1-2 years ago
20:10 < Fieldy> fix connection
20:11 < strixdio> oh jeez, now I'm considering things I can't really afford :D
20:28 < varesa> oh, TIL that the IOS needs to have the VLANs defined and that I had them defined without realizing that (VTP etc.)
20:28 < varesa> I wonder what was the great idea behind the configuration that doesn't show up in the configuration :)
20:30 < strixdio> anyone, thank you everyone for helping!
20:30 < strixdio> anyway*
20:31 < newpy> hey is tcp-psh a valid keyword for tcpdump, similar to tcp-rst? eg. tcpdump (tcp[tcpflags] & (tcp-rst) == 0)
20:32 < newpy> I tried google but all I got where people using literal bitmasks like tcp[13]&8 != 0
20:32 < newpy> *were
20:32 < Fieldy> the only way i've seen flags expressed is tcp[13] = 0x18 or some such, though that's psh-ack (too lazy to look it up)
20:32 < Fieldy> that'll be the easier route then
20:32 < newpy> yea I'll just look up the ip header again
20:33 < newpy> just easier to make a mistake using literal bit#'s imo
20:34 < newpy> *tcp header
20:41 < ghostboarder> guys, anyone having issues with browsers refusing to go to https sites?
20:42 < ghostboarder> win10 fully updated, browsers latest versions
20:42 < ghostboarder> in this case, firefox and edge
20:57 < tds> ghostboarder: what error are the browsers displaying?
21:05 < IAMfeelings> hi
21:06 < IAMfeelings> any tips to separe guest from my main wifi network
21:07 < compdoc> seperate ports on your firewall
21:10 < IAMfeelings> can I create a vlan on router and trunk with a catalyst 2950 ?
21:25 < wallbroken> hello
21:25 < alexandre9099> *a curiosity question*: What is the max speed over twisted pair cable? is it 10Gb?
21:33 < Kingrat> what kind of twisted pair cable?
21:36 < alexandre9099> let's supose an sftp cat8 cable (i guess that exists? my point is like the *best quality* cable with 4 pairs)
21:38 < Jonta> wallbroken: Hi
21:41 < wallbroken> can i ask you something?
21:42 < jackbrown> hello
21:42 < jackbrown> can anyone help me ?
21:43 < jackbrown> What happen if I connect a second router identical to the 1st as client IP disabling DHPC and Firewall and I use it even as Wireless Access Point ASSIGNING IT THE SAME SSID ?
21:43 < wallbroken> i'm connected to a wifi that allows internet access trough a captive portal adding account credential, but it allows connection to the lan without adding any credentials, so, if i connect my smartphone to the wifi, and i add my laptop ip as default gateway, is possible to make figure that the packets are sent by laptop and not by the smartphone?
21:44 <+pppingme> jackbrown make sure the cable into the "new" device goes into a lan port, and you have your channels at least 5 apart, 1-6-11 work best, and it will simply work
21:44 <+pppingme> wallbroken no, not without some manipulation..
21:44 < jackbrown> pppingme, sorry I got lost, what means "channels at least 5 apart" ?
21:44 <+pppingme> wallbroken and chances are, the AP has ap isolation turned on
21:45 <+pppingme> jackbrown 1 and 6, 6 and 11
21:45 < wallbroken> it's clear what my goal is?
21:45 < jackbrown> pppingme, here is the guide I'm going to follow, will them be on the same subnet ask ?  they will have all address for ex. 192.168.1.X ?
21:45 <+pppingme> wallbroken you don't want to authenticate on the 2nd device
21:45 < wallbroken> AP isolation? i think you mistunderstood the problem
21:46 <+pppingme> jackbrown if you cable it properly
21:46 <+pppingme> jackbrown the 2nd device isn't even involved in ip addressing
21:46 < wallbroken> pppingme, both smartphone and laptop are connected to wifi, and they can ping each other
21:46 < wallbroken> the problem is that only one can surf the internet because an account is needed
21:46 < jackbrown> pppingme, sure the 1st will do anything (DHPC firewall etc.)
21:46 <+pppingme> wallbroken then they don't have ap isolation turned on
21:46 < wallbroken> so i want to use an account for both the devices
21:46 < jackbrown> pppingme, what about using the same SSID for both ?
21:47 <+pppingme> jackbrown thats fine, and common...  devices will grab whichever has the stronger signal when the startup
21:47 < wallbroken> so in some way i want to forward smartphone traffic to laptop and the laptop forward that to internet
21:47 < wallbroken> in this way i can use the account also for smartphone
21:47 < jackbrown> pppingme, isn't that a  MESH Wireless network ?
21:47 < wallbroken> the problem is: how?
21:47 <+pppingme> wallbroken you'll have to nat or something on the laptop
21:47 <+pppingme> jackbrown NO
21:47 < wallbroken> the problem is: how?
21:47 < jackbrown> pppingme, can you explain me easily what is a MESH wireless network ?
21:48 < jackbrown> pppingme, it's like a network with many repeater that you see as one ?
21:48 <+pppingme> usually it means everything is on same channel, and devices communicate wirelessly..  you're running a multiple AP setup with everything on different channels and all wired to a central switch
21:48 <+pppingme> a cabled AP on a diff channel is NOT repeating
21:49 <+pppingme> repeating and "mesh"ing are bad, because they eat up bandwidth
21:49 < jackbrown> pppingme, this second router, identical to the 1st has the repeater function, do you think would be better using that instead ?
21:49 <+pppingme> multiple AP with good channel management doesn't have any wireless overhead
21:49 <+pppingme> NO
21:49 < jackbrown> pppingme, really ? so the AP I'm doing is better ?
21:50 <+pppingme> if you can pull a cable, run it as an AP, NOT NOT NOT as a repeater
21:50 < jackbrown> pppingme, yes sure!
21:50 < wallbroken> in this way i can use the account also for smartphone
21:50 <+pppingme> to over simplify, repeaters cut bandwidth in half, wired AP's double bandwidth
21:50 < jackbrown> pppingme, I'm using by the way 2  FRITZ!Box 7490  do you know this kind of modem router?
21:50 <+pppingme> I've heard of it, never touched one
21:51 <+pppingme> wallbroken I'm only guessing, I don't know what the network you're on is watching for..  you'll just have to experiment
21:51 < jackbrown> pppingme, got it, if i'd like to buy another router to connect as AP what do you think is better ? Connect 2 of them to the main  or connect in cascade  ? Or it's the same since it's always the first connected to the DSL that rules (DHPC etc.)
21:52 < jackbrown> 2 to main   or  main ----- 1 ------ 11
21:53 <+pppingme> bandwidth wise its better if everything is run to your central switch
21:53 <+pppingme> by cascading, I assume you mean use the switch built into the 2nd device..
21:53 <+pppingme> in that case, the first and second device share the bandwidth of the cable between the main switch and 2nd device..
21:54 < jackbrown> pppingme, but if i connect them  main-------1-----------1  isn't the main that rules on the entire network without affecting bandwidth ?
21:54 <+pppingme> describe connect them  main-------1-----------1
21:54 <+pppingme> do you mean run a cable from each AP back to your main switch?
21:54 < jackbrown> pppingme, ok main router has DSL connection and 4 Gigabit LAN Runs DHPC and Firewall
21:55 <+pppingme> ok,e verything is on the same Layer2 (ethernet), doesnt' really matter where dhcp is..
21:55 < jackbrown> pppingme, 1st router is connecte the the 1st Gigabit Lan of the main and has no DHPC and Firewall so it's on the same subnet
21:55 <+pppingme> firewall is obviously on edge between your network and isp network
21:55 < jackbrown> pppingme, third router the same but connected to the 2nd router
21:55 <+pppingme> everything plugged into the common L2 is on the same subnet
21:56 <+pppingme> your best to home-run the cable from the 2nd ap (what you're calling third router, please use correct terms)
21:56 <+pppingme> when you're running these as AP's, they are no longer routers, they are AP's
21:56 < jackbrown> pppingme, sorry Access point, they turn into access points when I disable DHPC
21:57 < jackbrown> pppingme, fine
21:57 <+pppingme> you should only have ONE dhcp server on your network
21:57 <+pppingme> doesn't matter where it is
21:57 < jackbrown> pppingme, they don't route anything since it's the main that route/ rule
21:57 < jackbrown> pppingme, isn't better that the DHPC is on the one that is connectec to the DSL ?
21:57 <+pppingme> it can be on a PC/server, it can be on your main router, I don't recommend it be on any device that used to be a router and you're re-purposing..
21:58 <+pppingme> there is no requirement where dhcp runs as long as its somewhere on the same L2 segment, and it hands out correct parameters
21:58 < jackbrown> pppingme, PC/serve I avoid into an home eviroment since it should be always turned on
21:58 < jackbrown> L2 segment ? sorry
21:59 < jackbrown> Layer 2
21:59 <+pppingme> same physical lan,
21:59 <+pppingme> layer2
21:59 <+pppingme> yes
21:59 < jackbrown> 192.168.0.X
21:59 <+pppingme> somewhere within all of your nonsegmented ethernet switches
22:00 < jackbrown> So I still didn't undestood which configuration is better, the main router that connect via LAN1 and LAN2  2 Access Points
22:00 < jackbrown> or a cascade pppingme
22:00 <+pppingme> I don't know what you're calling lan1 and lan2...  are you referring to swithc ports on your main switch?
22:01 <+pppingme> you should have *ONE* lan, no more, without a good reason
22:01 < jackbrown> pppingme, are the RJ45 Gigabit Output on the Main router that runs DHPC and it's connected to the DSL
22:01 <+pppingme> you have a switch built into what you're calling your "main router"
22:01 <+pppingme> its a switch, nothing more
22:02 <+pppingme> its probably a 4 port switch
22:02 < jackbrown> pppingme, ok
22:02 <+pppingme> (well, technically its probably a 5 or 6 port switch, but we are getting into semantics and technicals)
22:03 <+pppingme> so if thats enough switch ports for you, its best to home run EVERYTHING to this switch
22:03 < jackbrown> pppingme, I just see 4
22:03 <+pppingme> its got at least one internal port that the "router" hooks to
22:04 < jackbrown> pppingme, initially i was tempeted to but this one that is a repeater but since it has an rj45 port it can be turned into an AP too am I right ? https://en.avm.de/products/fritzwlan/fritzwlan-repeater-1750e/
22:05 <+pppingme> if it has an "AP" mode
22:05 <+pppingme> not all "repeaters" can function as ap's
22:05 < jackbrown> pppingme, but if it spread the signal connecting via a LAN cable ? What else should be if not an AP ?
22:06 <+pppingme> some of those devices expect to sync to another AP, if they do, then it won't work as an AP
22:06 < jackbrown> pppingme, so I found this used and it was cheaper too https://en.avm.de/products/fritzbox/fritzbox-7490/
22:07 < jackbrown> pppingme, I did a better choice then
22:07 < jackbrown> pppingme, ??
22:07 <+pppingme> most "routers" can be used as an AP, even if they don't have an "ap mode"..  as long as you can disable the dhcp server built into them
22:08 < jackbrown> pppingme, what I missed on those FRITZ!Box is the OpenWRT support, I can't use them as torrent client or download manager
22:08 < jackbrown> pppingme, that's bad
22:09 < jackbrown> pppingme, if you had to build a wireless into a big house with very think wall (50cm), possibly using Router and AP OpenWRT compatible, what will you use ?
22:09 < jackbrown> pppingme, a wireless network system
22:09 <+pppingme> real AP's, all cabled back to a central switch, and everything capable of PoE
22:10 < jackbrown> Power over Ethernet
22:10 < jackbrown> pppingme, brand models ?
22:10 <+pppingme> depends on budget
22:10 < jackbrown> pppingme, you think that OpenWRT is a good idea?
22:10 <+pppingme> not for AP's
22:11 < jackbrown> pppingme, for the main switch ?
22:11 <+pppingme> in general, stock firmware on AP's have features that allow multiple AP's to work together
22:11 < mgolisch> i like the ubiquiti stuff or aruba
22:11 < jackbrown> pppingme, together what do you mean ? aren't them all connected to the main switch to a different port of the switch?
22:12 <+pppingme> I'm not aware of any PoE switch that supports openwrt, and if there were, I'd expect to lose features, not gain them
22:12 < spare> openwrts just a mips cross compiler you can add any foss source to it
22:13 < jackbrown> pppingme, yeah OpenWRT is very flexible, even if I had a very small experience with it with my old NetGear WND4300, it completely changed
22:13 < jackbrown> pppingme, i can't find this ubiquiti
22:14 < jackbrown> pppingme, https://www.amazon.it/dp/B00HXT8R2O/ref=asc_df_B00HXT8R2O53394062/?tag=googshopit-21&creative=23394&creativeASIN=B00HXT8R2O&linkCode=df0&hvdev=c&hvnetw=g&hvqmt= ?
22:15 < jackbrown> pppingme, you mean for example, since my provider already give us a router fo accessing ADSL, I should use a Switch that is only a switch for example with 8 or 16 ports then connect via lan cables all the AP that I need  ?
22:15 <+pppingme> if that came up right, that particular AP doesn't do true PoE (its a hack) and doesn't do A or AC
22:16 < jackbrown> pppingme, sure I should choose one more updated
22:16 < jackbrown> pppingme, and even the switch need to be compatible with PoE ?
22:17 <+pppingme> if you want the devices to be powered via PoE, then yes, the switch needs to feed them PoE..
22:17 <+pppingme> the switch becomes their power source
22:18 < jackbrown> pppingme, yes I know, why you prefer PoE ? because it's annoying to plug for each AP it's power source (that usually is big and awful?)
22:18 < mgolisch> thats the most common way of doing it, its easier as all you need is one ethernetcable no additional power bricks and stuff where you put your APs
22:18 <+pppingme> I properly mount AP's on ceilings or where ever appropriate, they aren't cheap consumer devices laying around the house..
22:19 <+pppingme> there typically is no power
22:19 < jackbrown> pppingme, on the ceiling I think is the more elegant way!
22:19 < jackbrown> pppingme, are you installer or you work into doing network ?
22:20 <+pppingme> I make to much to screw with installs, I outsource it
22:20 < jackbrown> https://www.amazon.it/WT-GPOE-8B-24v60w-iniettore-dispositivi-Mikrotik-alimentazione/dp/B01N7HISJK/ref=sr_1_1_sspa?s=pc&ie=UTF8&qid=1529785045&sr=1-1-spons&keywords=Ubiquiti+PoE&psc=1
22:21 < jackbrown> pppingme, why they are 16 ? one for the data other for the power?
22:22 <+pppingme> passive PoE is crap, its not really PoE, and fits NO STANDARDS
22:22 <+pppingme> and in many cases not compatible with gig
22:22 < jackbrown> https://www.amazon.it/Ubiquiti-Networks-UAP-AC-LR-access-point/dp/B016K5A06C/ref=sr_1_109?s=pc&ie=UTF8&qid=1529785336&sr=1-109&keywords=Ubiquiti+PoE
22:23 < jackbrown> pppingme, this is better ? https://www.amazon.it/Ubiquiti-Networks-Gestito-Ethernet-Supporto/dp/B004BQCKXO/ref=sr_1_124?s=pc&ie=UTF8&qid=1529785386&sr=1-124&keywords=Ubiquiti+PoE
22:23 <+pppingme> I don't use any equipment that does "passive PoE", period..
22:24 <+pppingme> and I don't allow it on any networks I manage
22:24 <+pppingme> too high of risk of damage
22:24 < jackbrown> pppingme, the second one ? has still passive PoE ?  I didn't know that there were different kind of PoE
22:24 <+pppingme> Real PoE is negotiated, it doesn't just start shooting power that can damage equipment
22:24 < jackbrown> pppingme, which is the difference within passive and active PoE
22:24 < jackbrown> pppingme, can you link me an example of a switch with active PoE ?
22:25 < jackbrown> pppingme, https://www.linkedin.com/pulse/what-difference-between-poe-passive-jason-chesla
22:25 < spaces> I want to bitschslap someone
22:25 <+pppingme> 802.3af defines PoE..  802.3at (aka PoE+) is the higher wattage version..
22:26 <+pppingme> if your devices require higher wattage, you MUST use an at switch, if all your devices can deal with af, you can use either kind of switch
22:27 < jackbrown> pppingme, ok so if I find a switch and an AP  802.3af compatible it means that they have active PoE
22:27 <+pppingme> it means it has real PoE
22:27 <+pppingme> and that PoE is negotiated and not randomly shot onto the wire
22:28 < spaces> pppingme erm a switch is PoE or not
22:28 <+pppingme> and it won't damange non-PoE equipment
22:28 <+pppingme> spaces kinda..  some PoE switches may only do PoE on some ports..  my 48 port switches only support it on 24 ports for example
22:28 < jackbrown> pppingme, so this   https://www.amazon.it/UBIQUITI-Networks-US-8-60W-Ubiquiti/dp/B01MU3WUX1/ref=sr_1_9?ie=UTF8&qid=1529785663&sr=8-9&keywords=802.3af+ubiquiti
22:29 < jackbrown> pppingme, plus this https://www.amazon.it/Ubiquiti-Uap-Pro-1300-Mbit-Ethernet-Supporto/dp/B079DSTX99/ref=sr_1_4?ie=UTF8&qid=1529785663&sr=8-4&keywords=802.3af+ubiquiti
22:29 < spaces> pppingme yeah that is fine but why AT then ? your switch does less because of the power it requires
22:29 < spaces> pppingme I always use old dell 3448's for it, they are great!
22:29 <+pppingme> jackbrown the swithc you just linked is an 8 port swith but only four ports do PoE
22:30 <+pppingme> MAKE SURE your ap's only need 802.3af, if they need at, that switch isn't strong enough
22:30 < jim> can you do nat in ipv6?
22:30 < jackbrown> spaces, this beast ? http://www.itinstock.com/dell-powerconnect-3448-48-port-fast-ethernet-network-switch-k0670-8089-p.asp
22:30 <+pppingme> many dual band ap's need the extra power
22:31 < jackbrown> pppingme, ok so there are two standard of active PoE  af  and at   at requires more energy and of course a proper compatible at switch
22:31 <+pppingme> and is backward compatable..  an at switch can power anything..  af and at devices
22:32 <+pppingme> an af switch will not power an at device
22:33 < jackbrown> pppingme, do you know of any accesspoint that can be installed near or up to the chandelier?  I think that the mid position of the chandelier should be the best one to spread the signal (intead of putting the AP near the wall)
22:33 < Dagger> jim: it's of course /possible/, but you should generally never actually be doing it
22:33 <+pppingme> almsot all single band ap's use the lower power, many dual band ap's need the extra power, cams vary, there's other PoE devices as well
22:34 <+pppingme> shouldn't be close to power, especially if LED's are involved, just cause noise
22:34 < jackbrown> pppingme, so if an AP is 2.4/5GHz  it will probably need more power and it will be at standard compatible ?
22:34 < jackbrown> pppingme, ok
22:34 < Dagger> there may be some special cases where it's useful, but you shouldn't be routinely NATing like you do in v4. you should have enough address space that it's unnecessary
22:37 <+pppingme> jackbrown maybe, I have seen dual band ap's that work on .3af, but they tend to be cheaper ones
22:37 < jackbrown> pppingme, got it
22:38 < jackbrown> pppingme, what about Linksys ?
22:38 <+pppingme> I don't even know if they have any PoE ap's
22:39 < jackbrown> pppingme, got it, anyway you prefer PoE just for aestetical reason, there are no other reason right? (I agree anyway)
22:39 <+pppingme> cheaper to install
22:39 <+pppingme> with PoE I have to pay someone to pull network cable, with a powered device I ALSO have to pay someone to pull power
22:39 < jackbrown> pppingme, easier and less time, you don't need necessarly a power source where the AP camme
22:40 < jackbrown> pppingme, great!
22:40 <+pppingme> and with separate power, its probably not on a UPS, so now I need to hang a cabinet for that
22:40 <+pppingme> the cost per device is easily in the hundreds..
22:40 < jackbrown> pppingme, so you confirm that I have to AVOID MESH(it) or Repeating  ?
22:40 <+pppingme> thats all bad
22:40 < jackbrown> pppingme, ok!
22:41 <+pppingme> mesh might be good for a low bandwidth application, like neighbors all sharing a few neighborhood cams or something.. beyond that, its crap
22:41 < jim> Dagger, I should never be doing nat on ipv6? why not?
22:41 < jackbrown> pppingme,sorry I got lost in the last sencente you wrote "and with separate power, its probably not on a UPS, so now I need to hang a cabinet for that"
22:42 < jackbrown> pppingme, I'm not a native english speaker sorry
22:42 <+pppingme> whats the question? statement seems clear to me???
22:42 < jackbrown> pppingme, what does that mean ?
22:42 <+pppingme> it means i would have to put up a cabinet to hold a ups..  so that the ap keeps working through power outages
22:43 < Dagger> jim: the question is more "why?" -- you should have enough address space to not need to do it
22:43 < jackbrown> pppingme, ah ok you mean with PoE you don't need an UPS each AP since you can use one just for the switch( that powers all the AP)
22:43 <+pppingme> jim with rare exceptions, there is no need for nat on ipv6, after all, every subnet has 2^64 ip's
22:43 <+pppingme> jackbrown right
22:44 < jackbrown> pppingme, anyway thanks you give me a good idea, for the AP and the switch brand I have to check ar UBIQUTI and do you have other suggestions ?
22:44 <+pppingme> anything that supports real PoE is probably already in a better class of equipment..  get all the same brand and model..
22:45 < jackbrown> pppingme, ok you mean what supports real PoE is designed for high end/ professional use so should be good
22:45 <+pppingme> thats a bit of an overstatement..
22:45 <+pppingme> even tp-link makes PoE supported ap's
22:46 < jackbrown> pppingme, ceiling is the best solution anyway ?
22:46 <+pppingme> generally, then you can optimize location compared to the space
22:47 <+pppingme> and users dont' hardly see them.. they blend in like a smoke detector
22:47 < jackbrown> pppingme, great even for estetical reason they seems fine
22:51 < spaces> pppingme can we have some physical interaction ?
22:52 < jim> pppingme, you can't set the size of a subnet?
22:53 <+pppingme> jim thats the definition of a mask
22:53 <+pppingme> or prefix length
22:54 < jim> I'm not sure I understand that...
22:55 < jackbrown> pppingme, last thing: those are that fake/passive PoE  that I have to avoid ?   https://www.amazon.it/DSLRKIT-Active-Splitter-Ethernet-Raspberry/dp/B01H37XQP8/ref=sr_1_15?s=pc&ie=UTF8&qid=1529787041&sr=1-15&keywords=PoE%2B
22:57 <+pppingme> thats a splitter, it takes PoE and splits it off for devices like a PI
22:57 < spaces> some people on OFTC are even worse then Freenode, wtf, are this nerds ?
22:57 < Dagger> jim: you should generally be using /64 for everything. you should have enough space to not need to go smaller, and there's certainly no reason to go bigger
22:57 < Dagger> and SLAAC requires a /64 anyway
22:57 <+pppingme> they are good for mounting tablets on walls and stuff like that
22:57 < jim> in ipv4, I could carve up subnets any way I wanted... I can't do that in ipv6?
22:58 < Dagger> you don't *need* to. a /64 is fine for everything
22:58 <+pppingme> jim standard ipv6 practice is to give everything a /64..  you want another subnet? get another /64
22:59 <+pppingme> in general, isp's are generally giving at least a /60..  if you ask..  so that gives you (64-60)^2 potential networks
22:59 < Dagger> you don't need to ask yourself whether 256 hosts is enough or whether you need to make it /23 or if you can get away with /25... you just use /64, which fits however many hosts you like
22:59 <+pppingme> many are giving /56's
23:00 < jim> I don't necessarily want to put those subnets directly on the net
23:00 < Dagger> you can split up and route your /56-or-whatever-it-is like normal, it's just that you should be winding up with on-link subnets that are /64
23:00 <+pppingme> jim who's your isp?
23:00 <+pppingme> define "directly"
23:00 < jim> without nat
23:00 <+pppingme> you do realize nat offers NO protection at all, right?
23:00 < Napsterbater> Jim, its called a firewall..
23:01 < jim> that's what I'm building :)
23:01 <+pppingme> an appropriately configured firewall does all you need
23:01 < spaces> pppingme in some way it does
23:01 <+pppingme> in all ways it does
23:01 < Dagger> spaces: no, it does sod all
23:01 <+pppingme> again, nat is not security
23:01 < Dagger> spaces: in fact it's worse than nothing, because it's usually used to make outbound connections possible when they otherwise wouldn't be
23:01 < spaces> pppingme it closes at least the ports you don't NAT
23:01 <+pppingme> no, a firewall does
23:02 < Dagger> your computers would be a lot more secure if they couldn't connect to random internet hosts
23:02 <+pppingme> you start your firewll with a block all inbound rule
23:02 <+pppingme> then you allow rules as needed, if needed (not needed for most consumers)
23:02 < spaces> yeah I know what you mean but try a loadbalancer in front of it, it NATS as well
23:02 < Dagger> spaces: no, NAT doesn't do that at all. NAT applies to outbound connections. any inbound connection that was possible before you started NATing outbound connections will still be possible after you start NATing outbound connections
23:03 < spaces> and deos block the rest of the ports you have services running on
23:03 <+pppingme> some load balancers do, not all
23:03 < spaces> most
23:03 < spaces> actually if it doesn't, it's a shitty LB-er
23:03 <+pppingme> read this 1000 times, if you still don't get it, read it 1000 more times, repeat as needed:  NAT IS NOT SECURITY, NEVER HAS BEEN, NEVER WILL BE..
23:04 < spaces> no it's not but it helps :D
23:04 < ellyacht> why can't I seem to shake this innate feeling that someone for the last 8 or so years, has been monitoring/manipulating/dictating whatever I do via the internet?!!?! no matter the medium used...
23:04 <+pppingme> you're assuming one method of load balancing, there are many
23:04 < Dagger> spaces: uh, as I just said... it doesn't help
23:04 < spaces> Dagger I only NAt using LB-ers, it does then
23:04 <+pppingme> and no, nat does not even "help" with security
23:04 < Dagger> take a network. add NAT to the network's outbound connections. it'll have exactly zero impact on the inbound connections for that network
23:04 <+pppingme> never has, never will
23:05 <+pppingme> nat is EASY to bypass if there's no stateful firewall surrounding it
23:05 < spaces> Dagger I'm only talking about inbound
23:05 < spaces> I don't touch outbound mostly because I don't care
23:05 < jim> pppingme, ok, so what you're saying, has got to be that if I have a nost behind a nat it's (1) discoverable, and (2) enterable?
23:06 < jim> host
23:06 < Dagger> jim: what we're saying is that NAT has no impact on those things
23:06 < Dagger> if people can connect inwards to your hosts, then they can do it regardless of whether or not you're NATing outbound connections from those hosts
23:07 < jim> isn't that a big if?
23:07 < Dagger> sure? but it's one that doesn't depend on NAT
23:08 < bjorn`> Is there such a thing as a latency algorithm that can precisely measure latency in each direction of a link, in the case of async routing?
23:09 < Dagger> the point of all this is that you already need a firewall for security reasons, and that NAT contributes nothing to your security. hence, you don't need to NAT to get security -- you're only NATing because you're out of address space
23:09 < jim> let me just ask this... if NAT is irrelevent in ipv6, is it also irrelevent in ipv4?
23:10 < tds> if you can afford public v4 addresses, then yes
23:10 < tds> but for most people that isn't the case
23:10 < Dagger> for security purposes, yes. you're only doing it in v4 because your ISP hasn't given you a big enough IP allocation for your network
23:11 < Dagger> or "no allocation", as is common for almost all ISPs
23:11 < spare> ill open a free root shell on my box behind isp resi nat right now if you can ping it you can have it... its definitly the only thing right now stopping a hole heap of stupidity being exposed to the internet
23:11 < jvwjgames_> are ipv6 addresses portable
23:11 < spare> isps shouldnt be shipping any un authenticated upnp or routable address by default
23:13 < Dagger> spare: that's probably going to be tricky for us. it's just that it's important to realize /why/ it's going to be tricky for us
23:13 < spare> i get its not a security feature but it literally stops people just automating nmap and popping the whole host of old boxes or wrongly configured boxes that arent exposed right now
23:14 < Dagger> no, it doesn't
23:14 < spare> so you can nmap my desktop from behind router nat right now and tell what its running ?
23:14 < Dagger> I've /tested/ this. applying NAT to your outbound connections does absolutely nothing to your inbound ones
23:15 < Dagger> depends. does it have an IP I can reach, and are there any firewalls in the way?
23:15 < Napsterbater> It is not NAT protecting your devices, it is the lack of a route in most cases.
23:16 < spare> thats what i just said isps shouldnt be shipping unauthenticated upnp on v4 or exposing v6 by default
23:17 < Napsterbater> nothing to do with UPNP.
23:17 < Dagger> they /should/ be shipping routable addresses. it's just very difficult to do that in v4 because there aren't enough
23:17 < spare> same problem different formats
23:17 < spare> resi addresses dont need wan facing lan
23:18 < Dagger> if resi wants to be connected to the internet, then resi should be using globally-unique addresses
23:18 < Napsterbater> spare: using global addresses on LAN dosn't make it "WAN facing"
23:18 < Dagger> if you /don't/ want to connect your network to the internet, then fine, but most people do
23:18 < Napsterbater> again, firewall.
23:18 < spare> most of the iot stuff just gets plugged in asks for upnp and gets a wan listener
23:19 < spare> default residential routers have sucky setups
23:19 < tds> most of the iot stuff I've seen doesn't bother with upnp, just makes outbound connections (because people actually bother with firewalls) back to some central control system
23:20 < Napsterbater> One reason why I kinda laugh at people who make such a HUGE deal abourt UPNP being enabled, yet let EVERYTHING outbound go unchecked.
23:21 < spare> ive got uid:gid locked outbound rules if your building a botnet listeners are harder to track than a reverse tcp connection your forced to hardcode domains in them
23:23 < spare> if you have a listener you can randomize the port and timeout to respond to stop quick scans its alot harder to hide a c&c that needs a hardcoded phone home in it
23:25 < spare> thats why i dont think adding more routable address to networks that have no need for them is stupid : /
23:34 <+catphish> spare: no idea what you mean by "wan facing lan", LANs have to be routable to and from the internet since people want to browse their cat pictures, the issue is purely that systems should be adequately firewalled, and most likely consumer devices should be firewalling inbound connections by default
23:35 <+catphish> ie if i send an unexpected packet to someone's home PC, their router should reject / drop it
23:35 < spare> listening ports on lan being forward to lan no authed upnp any drive by malware can port forward if it was sensible by default tracking reverse connections is easier
23:36 <+catphish> i also agree wholeheartedly that upnp should be properly secured so that firewall exceptions shouldn't be made unauthenticated from outside
23:36 <+pppingme> jim yes
23:36 < spare> i just cant see ipv6 roll out not making this a thousand times easier by default because of the stuff thats already acceptable as default
23:36 <+pppingme> unless there is a stateful firewall in place
23:37 < spare> is that what was going to be shipped by default ?
23:37 <+catphish> one benefit of ipv6 is that it makes people less lazy with firewalls
23:37 < spare> given upnp for ipv4 is literally default on for every isp box ive ever had
23:37 <+catphish> upnp is fine, as long as it can only be activated from inside the LAN
23:38 <+catphish> and it's pretty useful for consumer devices that need to open inbound connections on the firewall
23:38 < spare> nah should be admin locked to the router if anything can just request it then you havent bottled necked listening devices to a gateway
23:38 <+catphish> what?
23:38 < spare> you can turn upnp off and open port forwarding on the devices web interface
23:39 <+catphish> yeah but most people don't want or need to do that, the just want their inbound connections to work automatically
23:39 < spare> every isp box ive had shipped just runs a upnp deamon that allows any one that asks to port forward
23:39 < jim> pppingme, can a stateful firewall be implemented as iptables rules?
23:39 < tds> jim: yes
23:39 <+pppingme> yes
23:39 <+catphish> spare: no, they only allow it from inside the network
23:39 <+pppingme> and typically is in an ipv4 environment
23:40 <+catphish> which is fine, its only a problem if they allow it from outside, i know some did on occasion :(
23:40 <+catphish> jim: yes
23:40 < spare> thats still the problem it lets any malware open a listener rather than phoning home to a domain which is harder to track than a payload being forced to drop a domain or ip in the source
23:40 < Napsterbater> If you have malware on you LAN, you already lost.
23:40 <+catphish> spare: if you have malware on your lan you've lost, it's moot
23:41 < jim> ok, so with such a firewall running, nat is then not irrelevent? what if the nat is implemented by the iptables rules?
23:41 < spare> its not in terms of pushing a domain blacklist and that no longer working rather it just sitting listening untracked with a whole host of ways to avoid being scanned remotely : /
23:41 <+catphish> phone home is so trivial that there's no point in crippling a useful feature to avoid what you're describing
23:41 < tds> anyway, how does listening on a port and unfirewalling it help if you're not phoning home?
23:41 < tds> it's not like it's easy to scan the whole of v6 space to find your listeners
23:42 <+pppingme> nat is and has always been irrelevant, the firewall just happens to be a convenient place to do it..
23:42 <+catphish> nat isn't relevent to the security
23:42 < Dagger> jim: which rules are we talking about here? the iptables rule that you use to do NAT is separate from the rules used to do firewalling
23:43 <+catphish> but there's definitely a legitimate argument about where firewalls should be implemented, and whether end users should be allowed to manipulate them
23:43 < Dagger> jim: and as I tried to explain, they serve different purposes. one controls which connections are permitted, and the other rewrites the apparent source address on outbound connections
23:43 < jim> so if both were present, then you'd have something reasonable?
23:43 <+catphish> but you should not confuse any of this security with NAT
23:43 <+pppingme> if both what?
23:44 <+pppingme> the firewall is whats reasonable in controlling traffic to/from your network..
23:44 <+pppingme> nat is a hack that has nothing to do with security
23:44 < tds> if you mean both stateful firewalling and nat, then yes, that's what I'd expect of most home v4 routers
23:44 < jim> and if you didn't have them present, having the subnets would be useless, as nothing would be there to route to the exit?
23:44 <+catphish> spare is correct though i don't believe that it's worth trying to fight malware that already controls your PC
23:45 < Dagger> jim: using NAT when you don't need to use it isn't reasonable
23:45 < wpwpwpwp> hi
23:45 < wpwpwpwp> so I am behind a double NAT probably
23:45 < wpwpwpwp> well
23:45 < Dagger> in v4 you frequently do need to use it, but that's not the case in v6
23:45 < spare> not on about from a personal use case if someone drops something that infects a million end points and they start hammering a dns server if its a listner you cant kill if its doing phone home you can literally stop it recieveing updates and kill the netowrk
23:45 < wpwpwpwp> thing is that I read that there may be ways around it without using a tunnel-relay thing
23:45 <+catphish> i can see the argument that sometimes domain blacklisting might work sometimes
23:45 < wpwpwpwp> like letting the router/internet modem use the NAT gateway of ISP directly?
23:46 < wpwpwpwp> how that? ppoe? how does that work?
23:46 <+catphish> wpwpwpwp: i feel like you need to do some googling and come back with a coherant question
23:46 < jim> Dagger, yeah, I'm probably not interested in that point of view; sorry
23:47 < spare> having a botnet run by push updates you can distribute to hide source or having a single point of failure is common sense : / opening more device to the internet will do more damage than good
23:47 <+catphish> jim: what?
23:47 <+catphish> jim: you don't believe in *not* using NAT?
23:47 <+catphish> are you mildly insane, or did i miss something?
23:47 <+pppingme> what point of view?
23:48 < wpwpwpwp> catphish: I did! http://www.practicallynetworked.com/networking/fixing_double_nat.htm
23:48 < wpwpwpwp> catphish: bridge mode in router? is that ppoe?
23:48 < tds> a network without nat? what? surely that can't exist!
23:48 < wpwpwpwp> I got a huawei router thing for LTE
23:48 < wpwpwpwp> tds: it can, ipv6 - in an ideal world that sadly never came...
23:48 < jim> that nat is unreasonable always no matter what
23:48 < tds> wpwpwpwp: i know, I was joking :)
23:48 < jim> which is what he seems to be saying
23:48 <+pppingme> there's few actual use cases to justify nat..  and most are highly technical, none have anything to do with security
23:48 <+catphish> wpwpwpwp: it seems unlikely to me you can avoid double NAT if your ISP already does NAT and only gives you a single address
23:49 < Dagger> jim: I didn't say that. I said using it "when you don't need to use it"
23:49 < tds> wpwpwpwp: it's an ideal world that's already here, I'm typing on a computer that doesn't have a v4 address :)
23:49 < wpwpwpwp> tds: a public ipv6 address it got?
23:49 <+catphish> jim: nat is a hack, it's a good idea when it's absolutely necessary
23:49 < tds> wpwpwpwp: yes
23:49 < wpwpwpwp> catphish: would PPOE allow the router to become the only NAT?
23:49 < wpwpwpwp> catphish: if not, I guess, there is no way adding port forwarding because I got no login for the NAT of my ISP, right?
23:49 <+catphish> wpwpwpwp: pppoe isn't something you choose
23:50 <+catphish> either you're already using it, or you can't use it
23:50 < wpwpwpwp> catphish: let's say the router offers this option, could I enable it - and hope it works then?
23:50 < wpwpwpwp> catphish: it is a router with LTE modem
23:50 < wpwpwpwp> would it be worth a try? using LTE over PPOE?
23:50 < tds> if your isp is doing cgnat (which many mobile networks do), there's very little you can do about it
23:50 <+catphish> wpwpwpwp: your only option would be to get rid of the router and connect one PC direct to the LTE modem, but you wouldn't gain anything
23:50 < wpwpwpwp> tds: I want to connect from the outside to an ipcamera from time to time
23:50 < jim> Dagger, this is what I'm interested in doing: I have a set of scripts that calculate a nat/ipmasq firewall/router given the ips and attributes of how the interfaces are set up
23:50 < wpwpwpwp> catphish: so I still have no port forwarding then? :(
23:51 < wpwpwpwp> damn, some articles I found say it is easy "just enable bridging or PPOE" and then there is no double nat anymore
23:51 <+catphish> wpwpwpwp: you'd only have one NAT, but i can't think how you'd benefit, your ISP would still be doing a NAT you don't control, so no port forwarding
23:51 < Dagger> most people should be getting sufficient v6 space from their ISPs to not need to NAT. as such, they generally shouldn't be NATing
23:51 < wpwpwpwp> lol, then there is a single ISP NAT without configuration
23:51 <+catphish> wpwpwpwp: IMO if the ISP does NAT, there's nothing you can do
23:51 < Dagger> "I need security" is /not/ a reason to be NATing (and NAT won't help you with security anyway)
23:51 < wpwpwpwp> catphish: OK, so let's say I want to connect to an ipcam behind the NAT (double NAT) - how can I do that?
23:51 < tds> you could try sending upnp at their routers, but they'll likely ignore it
23:52 < jim> they work fine in IPv4, I'm interested in extending that set of scripts so they cover IPv6
23:52 <+catphish> jim: well sure, just don't do NAT
23:52 < wpwpwpwp> catphish: Let's say I got a mobile phone with LTE/3G mobile internet - is it likely that it got no Double NAT and one could connect to it from the outside?
23:52 < jim> what do you do instead?
23:52 <+pppingme> jim change your -j MASQUERADE to -j ACCEPT and you're done, assuming the rest of your rules are reasonable
23:52 < tds> jim: just plain routing, you'd typically get a subnet route to you via dhcpv6 prefix delegation
23:53 < tds> s/route/routed/
23:53 <+pppingme> wpwpwpwp its likely your mobile provider is doing nat before it even gets to you..
23:53 <+catphish> jim: ipv6 is different, you need some IPs, you need PD, you need SLAAC, several things
23:53 < jim> you're welcome to look at them, they're on github
23:53 < Dagger> or just drop the `-j MASQUERADE` rule, that chain is usually set to policy ACCEPT anyway
23:53 <+catphish> jim: you just don't need NAT
23:53 < Dagger> you also need to pick the LAN subnet based on a DHCPv6-PD request to your upstream router
23:53 < Dagger> that's pretty much it
23:54 <+catphish> some ISPs just blindly route a whole /56 or /48 to your router, no PD needed :)
23:54 <+catphish> in that case it's MUCH easier
23:54 < wpwpwpwp> pppingme, catphish: OK, so I need a VPN in the middle, the box behind double NAT has to connect to that VPN server at the outside, then the smartphone can also connect to it and form a connection
23:54 < wpwpwpwp> what is a cheap / free shell/vpn/cloud instance service I can use for this?
23:54 <+catphish> wpwpwpwp: yes thats a good way
23:55 < wpwpwpwp> are there cheap/free providers for VPN servers that I can use as middleman?
23:55 <+pppingme> wpwpwpwp does this vpn server have a real ip?
23:55 < Dagger> catphish: PD is still the only automated way to find out what the /56 or /48 is
23:55 <+catphish> wpwpwpwp: normally the best option is to rent a chea VPS and learn how to use openvpn
23:55 <+catphish> Dagger: makes sense if its not static
23:55 < wpwpwpwp> pppingme: I guessi t has, right? otherwise the smartphone / natted box wouldn't be able to find it
23:55 <+pppingme> then you're done..
23:55 < wpwpwpwp> catphish: could you recommend me a VPN that is very cheap and good that I can try for this?
23:55 < Dagger> catphish: even if it is static, it's still the only automatic way to get that info
23:56 <+pppingme> nat isn't generally a factor for oubound traffic (client trying to reach server), its more a factor for inbound (you are the server)..
23:56 <+catphish> wpwpwpwp: see my previous message
23:56 < wpwpwpwp> pppingme: hm, public IPs are the most expensive part of a server?
23:56 <+pppingme> no, hardware and power ios
23:56 <+pppingme> no, hardware and power is
23:56 < wpwpwpwp> catphish: "normally the best option is to rent a chea VPS and learn how to use openvpn"
23:56 <+catphish> yes
23:56 < wpwpwpwp> catphish: and what cheap VPS would you recommend? :)  I just want to try this
23:57 < Apachez> cooling is pretty expensive too
23:57 < wpwpwpwp> Apachez: so we need optical computing :P
23:57 <+pppingme> you can find vps's all over the place for $5/month
23:57 < wpwpwpwp> pppingme: can it be even cheaper?
23:57 <+catphish> wpwpwpwp: i can't recommend something, since there are different providers in different countries, and my experience is normally with more expensive high quality ones, maybe look at linode
23:57 < Apachez> wpwpwpwp: how would that help?
23:57 < wpwpwpwp> Apachez: light would be faster and no cooling
23:57 <+catphish> wpwpwpwp: probably isn't going to be less than $5
23:57 < tds> just try to pick a provider who's not too new/small, otherwise you may find your vps disappear in a few months ;)
23:57 < wpwpwpwp> ah I see
23:57 < Apachez> wpwpwpwp: not true
23:58 < wpwpwpwp> what is the cheapest VPS I could get? :P
23:58 < Apachez> its the computing who cost power, not the eletrons on the bus itself
23:58 <+pppingme> you could always peer up on something like dn42, but thats probably beyond your tech level
23:58 < tds> oh yeah, dn42 is a neat suggestion
23:58 < tds> plus then it would have an actual use!
23:58 < wpwpwpwp> oh, dn42 is a bit like blockchain, no? :P
23:58 <+catphish> no
23:58 < tds> no
23:58 <+catphish> wpwpwpwp: actually, you could just get a free ipv6 tunnel from HE then use ipv6
23:59 < tds> catphish: no luck with 6in4 behind nat though :(
23:59 < wpwpwpwp> catphish: HE = Hurricane electric?
23:59 < jim> so I take it there are no unroutable subnets (like 192.168.*, 172.(16-31).*, 10.*)?
23:59 < Dagger> catphish: so long as you have a public v4 address to run the tunnel on, of course...
23:59 <+catphish> wpwpwpwp: yes
23:59 < wpwpwpwp> ah found it
23:59 <+catphish> Dagger: i hoped it could run over UDP, not sure though :(
23:59 < tds> iirc he only support 6in4, not udp
23:59 <+catphish> wpwpwpwp: might not work if you don't have a public IP :(
23:59 <+pppingme> correct, about HE
--- Log closed Sun Jun 24 00:00:11 2018