--- Log opened Thu Jun 28 00:00:16 2018
00:00 < rtmataeu34> im good im just scanning some trafficks man
00:00 < rtmataeu34> im too noob to ask for anything fancy just yet :D
00:01 < rtmataeu34> android_ see above^
00:01 < E1ephant> uhhhhh
00:12 < Zedax> hello, do you know any known issues with pppoe that decrease the speed a lot? so i'm trying to connect to my isp fiber on ppp, instead using their router, i'm using rp-pppoe, using the kernel ppp modules (in theory), however is laggy and slow, i'm getting only 90Mbps, i should be getting about 650, cpu usage is low
00:14 < drac_boy> hi
00:15 < drac_boy> anyone here into wwan hardwares?
00:16 < de-facto> I'd like to understand lnx behaviour/rationale: Assume I got two physical network interfaces, say eth0 (with dhcp client in a network) and eth1 (static ip from same subnet, but just for a local device). It seems the host answers ARP requests on eth0 for the static IP of eth1. That causes of course confusion in the network of eth0. For what scenario is that "ARP flux" useful and how can I avoid it?
00:23 < E1ephant> de-facto: don't have two interfaces with IPs in the same subnet
00:24 < E1ephant> if you want multiple interfaces with IPs in the single subnet, you want to bond the interfaces first in linux
00:24 < E1ephant> then apply those multiple IPs to your single bonded interface
00:29 < de-facto> scenario would be: take a device out from same subnet, put in on the second interface (eth1 with static ip) for debugging. then that "arp flux" can cause collisions on eth0 network for eth1 ip address
00:30 < de-facto> E1ephant, do you have a link to read more about that bonding option you mention for that scenario?
00:32 < E1ephant> de-facto: https://wiki.linuxfoundation.org/networking/bonding
00:33 < E1ephant> why the second interface though?
00:33 < E1ephant> instead of just changing eth0 config from dhcp to static?
00:34 < E1ephant> smells like http://xyproblem.info/
00:35 < drac_boy> hm anyway wwan aside just curious re if its not that too unusual to try have two different boxes where one basically handles the dhcp but the other box is the one doing the ports switching instead
00:37 < de-facto> i'd just like to understand why linux "lies" to ARP requests: assumed eth0 got 192.168.0.23 (via dhcp request) and I put eth1 to 192.168.0.10 (static), why does it reply to "who got 192.168.0.10" on eth0 network with the "lie" of eth0 MAC address? does it assume gateway scenario or such?
00:38 < E1ephant> how is that a lie?
00:38 < E1ephant> you can reach that IP
00:38 < E1ephant> from that interface
00:40 < de-facto> so it answers to 192.168.0.10 on eth0 (which has 192.168.0.23 via DHCP) then?
00:40 < E1ephant> if that is what you're seeing, sure?
00:42 < de-facto> i didnt try that, i just know it will cause that arp flux problem and id like to understand it further. i wont use that scenario anymore though
00:42 < E1ephant> given you have two interfaces, with the same subnet, how do you make that deterministic? especially if you want to reach that IP when the interface is down.
00:42 < de-facto> i naively assumed ip addresses are bound to physical interfaces only, which obviously is not the case
00:45 < E1ephant> it looks like there are two kernel options that can change this behaviour
00:45 < Whiskey`> de-facto: even if they were, why would you break ip like that?
00:45 < E1ephant> yeah it's just general bad practice/not allowed on lots of platforms, to assign the same subnet to two different layer3 interfaces
00:46 < E1ephant> seems well explained in https://netbeez.net/blog/avoiding-arp-flux-in-multi-interface-linux-hosts/
00:46 < de-facto> E1ephant, yes i already read that, thank you :)
00:46 < E1ephant> yeah so is arp_ignore not exactly what you're asking for?
00:47 < E1ephant> (barring bad design)
00:48 < de-facto> yes i know its bad design, and i wont use it in real network, id just like to understand why that "arp flux" collisions are the default behaviour and for what scenario this default config is useful
00:48 < E1ephant> ah, if you want to understand linux network design decisions
00:49 < E1ephant> you're asking for insanity :)
00:49 < E1ephant> I think put politely, it's misguided.
00:49 < E1ephant> or just designed from a purely systems mindset
00:50 < de-facto> i mean i already convinced that scenario is bad design, but id like to gain further background knowledge to avoid similar bad designs
00:51 < E1ephant> just keep picking up books and reading :)
00:51 < E1ephant> idk I am partial to books and RFCs over videos but everyone has different preferences
00:52 < E1ephant> CCIE R&S courseware/books are excellent reference I find
00:52 < de-facto> yeah, but for what exact keyword? "ARP flux"? "ARP/IP designs"?
00:53 < E1ephant> errr
00:53 < E1ephant> why would you deep dive into bad design?
00:53 < de-facto> just to know what patterns to avoid and point out worst case scenarios in advance
00:53 < E1ephant> I mean you told me the poor undeterministic behaviour yourself, seems you understand it no?
00:54 < de-facto> what it does i think, but not really why
00:54 < E1ephant> be explicit, don't assume would be good patterns :)
00:55 < E1ephant> yeah I mean I think understand why linux made a certain networking decision is going to be poor information
00:55 < E1ephant> but that is imho
00:55 < E1ephant> understanding even
00:55 < E1ephant> they make end-system designs, not network focused designs
00:55 < E1ephant> despite their best effort to be well rounded
00:56 < E1ephant> mailing lists and commit logs are where I think you would find such info
00:56 < E1ephant> but yeah, to what end?
00:56 < de-facto> hmm yeah, probably true
00:56 < E1ephant> when there is an abundance of good networking knowledge to pool from
00:57 < E1ephant> would be kinda curious how bsd acts, but meh :)
00:59 < de-facto> actually i dont know, but would be interesting what their default behaviour would be. I guess in an optimal world it would boil down to their assumed "most common" scenario, and it seems for linux its "end-system" for debian
00:59 < bray90820> I have a raspberry pi that is setup for a music server at a .local address if I were to take that pi to a different location like a friends house or something would the same .local address work?
01:00 < E1ephant> yeah sounds reasonable
01:02 < E1ephant> bray90820: you using mDNS I suppose, not squatting on that TLD with an actual dns server?
01:03 < E1ephant> I haven't seen mDNS in motion, but sounds like if the pi does resolve its name via multicast, sure?
01:03 < bray90820> Not 100% sure but it doesn't work on android so I would assume it's not a DNS server
01:04 < mgolisch> yeah thats mdns then
01:04 < mgolisch> it will not work on windows either i think
01:04 < bray90820> It does work on windows
01:04 < mgolisch> maybe they do that now
01:04 < bray90820> Was working on windows 10 just a few minutes ago
01:06 < bray90820> It actually does work on android if I use the IP instead of the .local address
01:06 < E1ephant> hehe
01:07 < bray90820> I was just wondering if I could convert this old radio that I am converting into a music server with a PI and take it places and it looks like I can thanks
01:08 < E1ephant> on the good ship lollipop!
01:08 < bray90820> Hahaha
01:08 < E1ephant> :D
01:18 < de-facto> E1ephant, I also found a nice compact summary with an example, but yean nothing really new in it: https://chrisdietri.ch/post/preventing-arp-flux-on-linux/ which cites from https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
01:19 < E1ephant> ah awesome!
03:04 < FozzWorth_> bray90820, Interesting. I've never been able to discover .local on my win10 and figured Microsoft's position was netbios or ding off. You may have Bonjour installed, which enables discovery for iTunes and the like. Just something to keep in mind if someone's machine can't discover your Pi.
03:06 < FozzWorth_> someone's win machine. Macs run it as standard
04:59 < war> IRC SERVER ====> /server -m irc.heckmann.top
05:18 < linux_probe> wow, looking at specturd cable forums, I see everyone crying about ipv6 being broken
05:18 < meingtsla> Weird, I didn't get the memo
05:19 < linux_probe> the forum claims it's known to all their tech support
05:19 < meingtsla> My IPv6 works just fine :P
05:19 * linux_probe and some other arse pipe on older plain modems are working fine :)
05:19 < linux_probe> someone with the nick "kludge" has an sb6141 modem also
05:20 < linux_probe> everyone whom upgraded to their new shit/speeds is kaput on ipv6, sounds like some modem config issue
05:27 < linux_probe> 64 bytes from ord36s01-in-x0e.1e100.net (2607:f8b0:4009:80c::200e): icmp_seq=10000 ttl=53 time=35.1 ms
05:27 < linux_probe> 10000 packets transmitted, 10000 received, 0% packet loss, time 10012892ms
05:27 < linux_probe> rtt min/avg/max/mdev = 33.456/35.580/90.158/2.460 ms
05:27 < linux_probe> 90.x seconds ewww
05:34 < haz_> are there any cross-platform alternatives to Python's WSGI calling convention?
05:49 < potatoe> does anyone know if UDP/TCP checksums can be fooled by 1 or 2 bit flips in the data segment?
05:49 < light> they aren't perfect
05:50 < potatoe> light of course, but I wanted to check if theres a n bit flip that can somehow bypass the check
05:50 < potatoe> my math aint too good though :(
05:51 < light> finding hash collisions is not so easy
06:11 < Whiskey`> potatoe: it should be pretty hard to get a single bit flip that passes crc
06:11 < Whiskey`> its kinda the point of CRC's
06:11 < potatoe> Whiskey` is it CRC though? so i may be wrong but I thought that n bit crc should catch anything below n/2 bitflips
06:19 < Whiskey`> ah right its complement sum
06:51 < Matt|home> yo .. silly question, are network printers a thing still? like if you have a LAN you could theoretically print from any node to a printer, or do the modern ones not have that support anymore
06:51 < Matt|home> it's been a long time so i dunno
06:54 < Matt|home> hm it looks like you have to buy one that specifically supports it. okay
06:54 < android> no u matt|home
06:54 < ahyu84> guy
06:54 < ahyu84> I got peplink load balancer
06:55 < Matt|home> android - hm ?
06:55 < android> you buy for me
06:55 < ahyu84> how do I do wan 1 and wan 2 speed combined?
06:55 < ahyu84> like 10mbps with 10 mbps become 20mbps
07:14 <+pppingme> Matt|home its pretty much a standard feature, with most printers having both a wired ethernet and wifi nic built in
07:15 < Matt|home> ah cool
07:16 < Matt|home> pppingme , can you use them on a multi OS network?
07:16 <+pppingme> sure, most printing protocols are widely supported, and most of those printers support at least 1/2 a dozen of them
07:17 < Matt|home> awesome. i think my printer only has a USB port, i didn't see anything that looked like ethernet
07:17 < Matt|home> but it's a cheap pos
08:40 < potatoe> i'm chasing some weird UDP corruption issues
08:40 < potatoe> rx-checksumming is fixed off in my NIC
08:40 < potatoe> can this be a cause?
09:12 < Wixy> Hey all, quick question
09:12 < Wixy> https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI
09:13 < Wixy> How can you have more than one IPv4 address per network interface? how does that work? are them public or private addresses?
09:14 < grawity> well, why *couldn't* you have more than one?
09:14 < grawity> what technical limitations do you imagine?
09:14 < Wixy> it depends. are they talking about public or private addresses?
09:15 < grawity> possibly both, but it doesn't matter in the slightest, they all work the same way
09:15 < reitnorF_> i wonder what is amazon's definition of "network interface"
09:15 < grawity> private addresses usually get translated before the packet leaves the LAN – but the host isn't aware of that happening
09:16 < grawity> so again, to the host both kinds look the same
09:16 < Wixy> in an scenario with one net interface, one private and two public addresses
09:17 < Wixy> how do you choose what public address to use when establishing a connection?
09:18 < Wixy> the only way I know of having multiple public ips is associating them with different net interfaces. so then you can choose what net interface to use for a connection setting the local address
09:18 < grawity> hmm
09:18 < Wixy> but my networking knowledge is limited, if there are other ways let me know
09:18 < grawity> first it seemed like you were asking about how the OS chooses the address automatically
09:18 < grawity> now it seems like you're asking about how the app chooses the address manually
09:18 < Wixy> oh no, I always meant an application
09:19 < Wixy> not the OS
09:19 < grawity> BSD sockets API has actually always used addresses, not interfaces
09:19 < grawity> you want a specific local IP address and/or port, you call bind() specifying that address and/or port
09:20 < grawity> and the OS decides what interface to use for outgoing packets
09:20 < grawity> not the other way around
09:20 < grawity> (though yes, there's a sockopt to choose an interface as well, but that's secondary)
09:21 < grawity> most apps don't bind to any specific address by default, though
09:21 < grawity> they just let the OS choose that as well
09:21 < Wixy> right, that's what I'm doing. I bind() with the address of the network I want, and that way I decide what public IP will be used
09:21 < h0dgep0dge> the public ip isn't decided by the machine initiating the connection
09:22 < Wixy> but I didn't know one net interface could have more than one public ip
09:22 < h0dgep0dge> (usually)
09:22 < grawity> h0dgep0dge: it is, when the IP belongs to the machine itself
09:22 < grawity> I mean, we *are* talking about servers.
09:22 < h0dgep0dge> oh right, aws
09:23 < h0dgep0dge> i didn't think aws gives the server instance the public ip?
09:23 < mAniAk-_-> it's possible in aws
09:23 < grawity> I think you can obtain those if you want
09:23 < grawity> just probably not by default
09:23 < grawity> so AWS is kind of mid-way
09:23 < mAniAk-_-> you can have public ip subnets
09:23 < h0dgep0dge> right, all my aws instances have always been behind nat, never had a need for anything different
09:24 < grawity> (and tbh I haven't yet used AWS or other cloudy VPS systems, just traditional ones with a permanent public address)
09:24 < Wixy> for your information, the problem behind these question is I'm trying to setup multiple public ips on one instance, and then I want to be able to request a site or another using different public ips
09:24 < h0dgep0dge> have you got the instance running?
09:25 < grawity> well, if the public IPs get assigned directly to the machine (i.e. you can see them in `ip addr`), then bind() will work just fine
09:25 < h0dgep0dge> `ip addr` will give you your addresses
09:25 < Wixy> yes, and I'm already doing so by attaching multiple elastic ips to different net interfaces on that instance
09:25 < Wixy> but now it looks there may be an easier way?
09:25 < grawity> the gateway is still the same, I assume
09:25 < Wixy> ie, attach multiple elastic ips (or just normal ips?) to the same network interface
09:25 < grawity> so it doesn't make any difference whether the interfaces are different or not
09:26 < h0dgep0dge> if aws supports assigning it you can, it's technically possible to assign more than one ip to the same interface
09:26 < grawity> though don't be surprised if `ifconfig` won't show those IPs
09:26 < Wixy> so it doesn't make any difference whether the interfaces are different or not
09:26 < grawity> nobody has updated it to the *cough* "new" API
09:26 < Wixy> it makes a difference ^
09:26 < student111> not sure if off topic... I've tried downloading a (I think famous) backup software and I'm being redirected to a malware that disguises as this software
09:26 < grawity> use `ip addr` if it's Linux, end of story
09:26 < Wixy> you have limited number of network interfaces per instance type
09:26 < grawity> Wixy: that's AWS-specific, nothing to do with bind()'s behavior
09:27 < student111> anyone knows how I can tell if it's DNS hijack or the software company is compromised?
09:27 < Wixy> ip addr shows 3 interfaces (lo eth0 and eth1). what should I be looking for?
09:27 < h0dgep0dge> it only makes a difference if the different source ips need to be routed differently, but it doesn't sound like they would be
09:28 < grawity> Wixy: well, literally, after you configure multiple addresses on the same interface in AWS, you should see them under the same interface in `ip addr`
09:28 < grawity> it's a pre-emptive answer to "hey I keep trying ifconfig and it doesn't show my addresses"
09:28 < Wixy> so I decide what public ip I use by setting the correct local address?
09:29 < grawity> yes
09:29 < student111> can anyone replicate this? It's from EaseUS backup software, the seemingly compromised link is this: (WARNING POTENTIAL MALWARE DON'T EXECUTE) http://down.easeus.com/product/tb
09:29 < h0dgep0dge> what environment are you using? getting access to the unix api may not be drivial
09:29 < grawity> if `ip addr` shows 12.34.56.78, and you pass 12.34.56.78 to bind(), that socket will use 12.34.56.78 as the local address
09:29 < h0dgep0dge> trivial*
09:30 < Wixy> ok, and I'm guessing there's a 1-1 correlation between private and public IPs. meaning I can't have more public than private IPs?
09:30 < Wixy> but I may have more private than public IPs
09:30 < Wixy> right?
09:30 < h0dgep0dge> student111: that link downloads tb_free.exe, that's all i can tell you about it
09:30 < grawity> Wixy: I dunno if that's the case in AWS
09:30 < grawity> h0dgep0dge: redirects to a really shady domain though
09:30 < grawity> Wixy: but it's definitely *not* the case in general
09:30 < Wixy> oh, interesting
09:30 < grawity> Wixy: I mean, I'm still not quite sure how public IPs work in AWS, specifically
09:31 < Wixy> I'll check that, but in general if you have 1 private and 2 public ips, how do you decide which one to use? is it up to the OS?
09:31 < squ> student111: check with virustotal.com
09:31 < h0dgep0dge> Wixy: you call bind()
09:31 < grawity> Wixy: it depends on what's assigned to the actual eth* interfaces
09:31 < grawity> Wixy: if the public IPs are directly assigned to eth0/eth1/eth..., then just use bind()
09:32 < grawity> Wixy: on the other hand, if eth0/... only have a private IP, and the provider's gateway NATs it to public IP A or B, then the machine doesn't really *have* a choice
09:32 < Wixy> yeah that I know. what confuse me is bind() only let you specify a local address, but there are two public IPs associated to it
09:32 < grawity> the gateway makes the decision
09:32 < Wixy> is my question clear?
09:32 < grawity> Wixy: sounds like with AWS it's the latter situation
09:33 < grawity> I mean, let's say you give the VM a public address
09:33 < grawity> what shows up in `ip addr`?
09:33 < Wixy> you have private IP A, and public ips B and C. you can bind(A), but then what is used? B or C?
09:33 < grawity> I just answered that 2 minutes ago
09:34 < student111> grawity, yes it's redirecting to www.tapiffghelega.com here. I guess they're compromised, will stay away...
09:34 < h0dgep0dge> if you call bind(A) it will use A lol.
09:34 < h0dgep0dge> whether or not an upstream router applies NAT is another question
09:34 < student111> the executable (the malware version) has a signature but it's not from the EaseUS company
09:35 < Wixy> h0dgep0dge, I should have said, what public IP will see a 3rd party server to which I establish a connection?
09:35 < grawity> Wixy: see above answer: if those IPs are handled by the gateway, then the gateway makes the decision
09:35 < h0dgep0dge> that's up to the router that does the nat, presumably aws has a way to configure and control that
09:36 < Wixy> got it
09:36 < Wixy> I've never seen a public IP being assigned to an interface in AWS
09:37 < Wixy> but not much experience here so don't know
09:37 < h0dgep0dge> then there's a router applying nat, and you can't use bind
09:37 < grawity> that's why I was asking about how AWS does it...
09:37 < h0dgep0dge> which is how i thought aws worked
09:37 < Wixy> don't know really
09:37 < Phil-Work> AWS does 1:1 NAT
09:37 < Wixy> ip addr only shows private IPs
09:38 < grawity> Phil-Work: so in the AWS case, if you have two public IPs, eth0 will have two private IPs?
09:38 < Wixy> grawity, yeah, I think so. the way to have 2 public IPs is by using two "elastic ips", which must be attached to a different private ip each, so you need two
09:38 < grawity> makes sense
09:39 < Phil-Work> yeh
09:39 < h0dgep0dge> it sounds like those private ips map onto your public ips, so you want to bind() to those
09:40 < Wixy> cool, so I was underusing my setup. I can have twice the number of public IPs by adding a new private IP to each interface :)
09:40 < dminuoso> Hi. What's the easiest way to sniff an SSH connection from my local machine to a network device (that is not completely under my control)?
09:40 < dminuoso> I essentially want to debug the SSH protocol itself
09:40 < grawity> use protocol logging features in your SSH client
09:40 < Phil-Work> you want to see the payload or just the protocol?
09:41 < grawity> (IIRC, PuTTY/plink has far more extensive logging than OpenSSH)
09:41 < dminuoso> grawity: I really dont want to rewrite libssh2 to gain the logging capabilities I need.
09:41 < dminuoso> Phil-Work: The protocol
09:41 < dminuoso> Im writing a libssh2 based client, but for inexplicable reasons its not behaving the same way as the `ssh` binary.
09:41 < Wixy> thanks guys, appreciated
09:41 < grawity> dminuoso: I believe you'll have to do that anyway though
09:42 < grawity> but I mean, how did libssh2 developers do all their debugging
09:42 < grawity> https://www.libssh2.org/libssh2_trace.html seems pretty extensive
09:43 < nojeffrey> Need some help with MST, I have the following: 3 Ubiquiti's and a Cisco 3750, in a square topology all connected via 10G: https://i.imgur.com/rDZT1D7.png
09:44 < nojeffrey> All with same instance(1), same name, and same revision, but I have 2 root bridges, 1 Ubiquiti, and the Cisco
09:44 < h0dgep0dge> squares are a weak shape, try a triangle
09:45 < nojeffrey> circle best topology, OK it's now a circle
09:45 < grawity> squares are just bent circles anyway
09:46 < h0dgep0dge> circles are great for holding pressure, you can cram many users in there
09:47 < h0dgep0dge> anyway i know nothing about ubiquiti, interested to google what mst is though
09:59 < ktwo> Hi, following situation: Raspberry connected via WiFi to Public-IP gateway. Now i want to connect to VPN via openVPN (which works), and then attach a client to the Pi via ETH0/RJ45. How can i make the client's internet go over VPN?
09:59 < ktwo> Whats the theory what do i need, a bridge? a DHCP server?
10:01 < dminuoso> ktwo: The Pi needs to act as a router.
10:01 < grawity> if your OpenVPN connection uses a 'tap' adapter, then tap0 and eth0 could be bridged
10:01 < grawity> but for the most common 'tun' mode, the pi needs to route between them
10:01 < grawity> a DHCP server is not necessary for that, but certainly makes client attachment easier
10:02 < dminuoso> grawity: This is getting frustrating. I enabled trace through the FFI, but nothing happens.. :|
10:02 < ktwo> grawity, so the easiest way is to run a DHCP server and a bridge?
10:02 < grawity> no
10:03 < ktwo> But will the Pi then get its Wifi IP address still without issues?
10:03 < grawity> yes
10:03 < grawity> okay since the part about tun/tap modes got completely ignored, I'm just going to assume it's using tun
10:04 < squ> and then try again assuming its tap
10:04 < grawity> start with making the Pi a router: configure a brand-new subnet on eth0, set up DHCP on it, enable IP forwarding, enable NAT (masquerading)
10:07 < ktwo> grawity, how can i check tun/tap?
10:16 < Wixy> does anybody happen to know what "high" network performance means for Amazon?
10:16 < Wixy> I see some the options are: Very Low, Low, Low to Moderate, Moderate, High
10:17 < ktwo> grawity, in the connection log i see TUN/TAP device tun0 opened
10:17 < Wixy> but then some instance types show instead of that label "10 Gigabit" and "25 Gigabit"
10:21 < h0dgep0dge> ktwo: then you have a tun device. you'll need to enable ip forwarding and source nat
10:21 < Wixy> actually what I want to know is whether "High" is higher than 25 Gb, or that "25 gigabit" is kind of "Higher than High"
10:22 < h0dgep0dge> echo 1 > /proc/sys/net/ipv4/ip_forwarding
10:22 < h0dgep0dge> iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
10:22 < grawity> */proc/sys/net/ipv4/conf/all/forwarding
10:23 < h0dgep0dge> mine is wrong, but I know there's another way besides the conf/all/forwarding file, because i never used that
10:23 < h0dgep0dge> but i haven't had to write that line in years
10:24 < grawity> yeah, net/ipv4/ip_forward, but I mean, why learn two locations for ipv4 and ipv6 if you can learn one
10:24 < h0dgep0dge> pfft, ipv6 who needz it?
10:25 < h0dgep0dge> on a related note, I'm incredibly depressed my isp offers gigabit fibre, but doesn't support ipv6 T_T
10:25 < ktwo> actually i see in the browser that my ipv6 ip is being leaked, while the ipv4 is the vpn one
10:26 < ktwo> so maybe i should disable ipv6 for the pi altogether
10:26 < h0dgep0dge> maybes, perhapsies
10:26 < grawity> maybe you should push a default ipv6 route via the vpn
10:27 < grawity> doesn't much matter whether the vpn server itself has IPv6 or whether it responds "destination unreachable" for everything
10:27 < bobblehead> is it cool if i post kinky lesbian BDSM fetish porn video links here?
10:27 < c|oneman> only if you dance with me
10:27 < c|oneman> https://www.youtube.com/watch?v=8w_lwezZDUw&list=LL_uMXNHcbmuZ8ymPS-2Az4w&index=96&t=0s
10:27 < h0dgep0dge> the other thing you'll need to do is configure your client, which can be done manually or by dhcp. dhcp makes attaching the client easier, but requires its own configuration that may be more difficult than just configuring the client
10:28 < c|oneman> lol
10:28 < ktwo> h0dgep0dge, hm if i can configure it manually - since it will be a TV
10:31 < h0dgep0dge> so you can just pick some nice memorable local addresses, I favour the 10.0.0.0/8 subnet, the conventional choice would be 10.0.0.1 for the pi and 10.0.0.2 for the tv, and give the tv the pi's local address for the default gateway
10:32 < h0dgep0dge> ktwo: you get that last message?
10:32 < ktwo> h0dgep0dge, repeat please, i was just disconnected since i disabled ipv6
10:33 < h0dgep0dge> "so you can just pick some nice memorable local addresses, I favour the 10.0.0.0/8 subnet, the conventional choice would be 10.0.0.1 for the pi and 10.0.0.2 for the tv, and give the tv the pi's local address for the default gateway"
10:34 < ktwo> h0dgep0dge, wait so what is the first step now, eth0 is disconnected. How do i start ?
10:34 < grawity> to summarize, "make everything go through the VPN" is just the very last step
10:35 < grawity> everything before that is the same as setting up a regular Linux router+NAT
10:35 < h0dgep0dge> okay, so the order is really arbitrary
10:35 < ktwo> ah okay
10:36 < h0dgep0dge> i guess cable from the pi to the tv, configure your addresses, check you can ping back and forth
10:36 < h0dgep0dge> then the iptables command, then enable forwarding
10:36 < ktwo> ah okay but that wont mess up the wifi connection right?
10:36 < h0dgep0dge> in what sense?
10:36 < ktwo> as its a headless pi and i need the connection working the whole time
10:37 < h0dgep0dge> shouldn't do
10:37 < ktwo> Yea my doubt was that once eth0 is connected wifi will turn off thinking it has connection over wifi
10:38 < ktwo> *lan
10:38 < h0dgep0dge> well, i can't really account for the behaviour of any network management software running on the pi
10:38 < ktwo> sudo ifconfig eth0 192.168.0.1 netmask 255.255.255.0
10:38 < ktwo> this should do?
10:39 < ktwo> my home IP range is 192.168.178.x so i guess it will work
10:39 < h0dgep0dge> as long as both networks are on 24 bit subnets
10:40 < ktwo> hm both subnet mask would be 255.255.255.0 - thats a problem ?
10:40 < grawity> why would it be
10:40 < ktwo> yea was not sure about this :)
10:41 < h0dgep0dge> if they're both 255.255.255.0 then youre fine
10:41 < grawity> yea find out what a subnet mask *is*
10:41 < grawity> anyway, looks good in general
10:41 < zenix_2k2> one question, so i have a client and 2 different ways of establishing the server but i don't really know why they are different because the IP from both ways was printed differently, here --> https://pastebin.com/3JAA8N5W
10:41 < ktwo> thought each network needs to have a different subnet mask
10:41 < grawity> that's not how subnet masks work, no
10:41 < zenix_2k2> so why they printed different IP address from the client ?
10:41 < grawity> the *network address* itself (after combining it with the mask) needs to be unique, etc.
10:43 < h0dgep0dge> grawity: that is to say, the first X bits of the address needs to be unique, where X is the length of your netmask? that's my understanding
10:43 < grawity> hmm, pretty much yes
10:47 < zenix_2k2> so hi ?
10:47 < h0dgep0dge> hi, let me take a look here
10:48 < h0dgep0dge> yeah, i have no idea what i'm looking at
10:49 < ktwo> ok i have now connected the client with eth0 192.168.0.5 , and the Pi has 192.168.0.1
10:49 < ktwo> and can ping it
10:49 < h0dgep0dge> and the default gateway is set?
10:50 < ktwo> yeah to 192.168.0.1 and DNS too
10:50 < h0dgep0dge> what did you set the dns to?
10:50 < zenix_2k2> well i NAT my server so
10:50 < ktwo> but it has no internet, but i guess this is right as there is no NAT yet
10:50 < zenix_2k2> oh wait, not me :P
10:51 < h0dgep0dge> yeah you'll need source nat and ip forwarding, but what did you set your dns to?
10:51 < grawity> make sure 1) the pi has routing (IP forwarding) enabled, 2) the pi has SNAT (iptables masquerade) enabled, and 3) the pi's firewall isn't blocking forwarded packets, and then your clients should have *some* internet access
10:51 < zenix_2k2> are you talking to me ?
10:51 < ktwo> to 192.168.0.1 (but i can change that
10:51 < h0dgep0dge> that won't work unless you have a dns server running on the pi, set it to 8.8.8.8, which is google's dns server, or the public dns resolver of your choice
10:51 < ktwo> ah ok
10:51 < grawity> and of course if your clients try to use 192.168.0.1 as their DNS server, then there needs to *be* a DNS server there
10:51 < grawity> like dnsmasq or unbound
10:52 < ktwo> im using 8.8.8.8 that is probably easier :P
10:54 < h0dgep0dge> grawity pointed out something, you'll want to check that the pi isn't dropping packets by default
10:54 < ktwo> can i just disable the firewall for this?
10:54 < grawity> no
10:54 < grawity> because 1) lol no
10:54 < grawity> and 2) the firewall also handles SNAT/masq, which you do need
10:54 < ktwo> heh ok :P
10:54 < h0dgep0dge> just run sudo iptables -L
10:55 < ktwo> its empty
10:55 < grawity> you can disable the 'FORWARD' chain, by 1) emptying it with -F, and 2) setting its policy to accept by default with -P
10:55 < h0dgep0dge> i was going to suggest -F, but if the policy is set to drop it might just kill the ssh session
10:55 < h0dgep0dge> but if the output from iptables -L is empty you should be all set
10:55 < ktwo> ok then i just need to enable routing i guess?
10:56 < h0dgep0dge> source nat first
10:56 < grawity> yeah I was talking about -F'ing just that one chain, not the whole table
10:56 < grawity> doesn't really matter if you do nat or routing first, won't work until you have both
10:56 < h0dgep0dge> yeah i wasn't sure if -F works on a specific chain or the whole table
10:56 < grawity> if you specify the chain...
10:56 < zenix_2k2> er guys, so i had a question, why does the IP address that the server gained from accepting the connection varies from non-port-forwarded ( iptables ) to port-forwarded ?
10:57 < h0dgep0dge> anyway, sudo iptables -t nat -F POSTROUTING -o tun0 -j MASQUERADE
10:57 < ktwo> im finding so many different guides for doing that -.-
10:57 < h0dgep0dge> zenix_2k2: just hang out for a minute dude
10:57 < ktwo> h0dgep0dge, where do i specify that this is valid only for eth0?
10:57 < zenix_2k2> ok then
10:58 < h0dgep0dge> only valid for traffic coming from eth0?
10:59 < ktwo> basically the wlan0 connection should still be working within the internal network
10:59 < h0dgep0dge> it doesn't matter, you want to masquerade all traffic going out the tun0 interface
10:59 < ktwo> ah okay
10:59 < ktwo> illegal option -j with this command
10:59 < grawity> uh, -I, not -F
11:00 < h0dgep0dge> oh shit, -F is definitely wrong, but shouldn't it be -A?
11:01 < h0dgep0dge> time to hit the manual
11:01 < grawity> it should be "don't blindly add rules without knowing the current state"
11:01 < ktwo> at least this command with -I didn't change anything :)
11:01 < grawity> -I is 'insert at the top', -A is 'append at the bottom'
11:01 < ktwo> but iptables -L is still empty oO
11:02 < h0dgep0dge> that's the filter table
11:02 < h0dgep0dge> iptables -t nat -L
11:02 < grawity> iptables-save tbh
11:02 < ice9> how to test wifi stability and find out if there is packet delay or loss?
11:02 < ice9> i'm on Linux!
11:02 < h0dgep0dge> wow it's goddamn rush hour
11:03 < h0dgep0dge> please take a number good sir
11:03 < h0dgep0dge> sir, madam, or other
11:03 < ktwo> ice9, i usually just do a ping and see if latency is good and if there are dropped packets :E but probably not the most professional way
11:04 < h0dgep0dge> is there any particular problem you need help with, or is it just curiosity? honestly seems like a google question to me
11:05 < h0dgep0dge> ktwo, got your nat rule in place?
11:05 < ktwo> https://superuser.com/questions/689239/route-internet-from-eth0-to-openvpn-to-eth1 this seems pretty much what i need
11:05 < ktwo> but am not so sure about the commands
11:05 < ktwo> do they look okay?
11:05 < ktwo> just with eth0 and tun0
11:05 < grawity> not quite
11:06 < grawity> well, they're good in the sense that they enable regular SNAT
11:06 < grawity> but they're literally the same commands as h0dgep0dge gave you earlier
11:06 < ktwo> well first probably i need to revert that -I change i made?
11:06 < ktwo> since it didnt work
11:06 < grawity> the important point is that -o / --out-interface does not *decide* the interface
11:06 < grawity> it *checks* the interface that had been already decided for the packet
11:06 < h0dgep0dge> if it's not working you probably haven't enabled forwarding
11:07 < ktwo> Chain POSTROUTING (policy ACCEPT)
11:07 < ktwo> target prot opt source destination
11:07 < ktwo> MASQUERADE all -- anywhere anywhere
11:07 < grawity> iptables -L -v
11:07 < grawity> iptables -S
11:07 < grawity> iptables-save
11:07 < grawity> well, -t nat for the 1st and 2nd
11:07 < grawity> do not assume that -L shows you everything, because it DOES NOT
11:07 < ktwo> ok saved
11:08 < ktwo> ill retry on the client
11:08 < h0dgep0dge> saved? lol
11:08 < ktwo> doesnt iptables-save save? :P
11:09 < grawity> no
11:09 < grawity> `iptables-save > /etc/iptables/something` would save
11:09 < grawity> `iptables-save` just dumps the entire ruleset to screen
11:09 < grawity> which is really a very good way of checking what's in iptables right now
11:09 < ktwo> # Generated by iptables-save v1.6.0 on Thu Jun 28 11:09:26 2018
11:09 < ktwo> *nat
11:09 < ktwo> :PREROUTING ACCEPT [186:14944]
11:09 < ktwo> :INPUT ACCEPT [186:14944]
11:09 < ktwo> :OUTPUT ACCEPT [83:10058]
11:09 < ktwo> :POSTROUTING ACCEPT [25:5173]
11:09 < ktwo> -A POSTROUTING -o tun0 -j MASQUERADE
11:09 < ktwo> COMMIT
11:09 < ktwo> # Completed on Thu Jun 28 11:09:26 2018
11:09 < ktwo> # Generated by iptables-save v1.6.0 on Thu Jun 28 11:09:26 2018
11:09 < ktwo> *filter
11:09 < ktwo> :INPUT ACCEPT [31200:3589374]
11:09 < h0dgep0dge> this is fun
11:09 < ktwo> :FORWARD ACCEPT [0:0]
11:09 < ktwo> :OUTPUT ACCEPT [35615:23910743]
11:09 < ktwo> COMMIT
11:10 < squ> h0dgep0dge: don't interrupt please
11:10 < ktwo> # Completed on Thu Jun 28 11:09:26 2018
11:10 < ktwo> did you get the output?
11:10 < h0dgep0dge> everything is fine, you just need to enable forwarding
11:10 < djph> y'know, it's unfortunate that there aren't websites where you can throw multi-line text output ...
11:10 < ktwo> sorry
11:10 < ktwo> thought it will auto-linebreak :P
11:11 < h0dgep0dge> so enabling ip forwarding! echo 1 > /proc/sys/net/ipv4/conf/all/forward
11:12 < h0dgep0dge> (pending path approval from grawity)
11:12 < ktwo> why all?
11:12 < ktwo> note that wlan0 is client to a different DHCP server
11:12 < ktwo> and should stay like this
11:12 < ktwo> should i change /all to eth0 ?
11:12 < grawity> no
11:13 < h0dgep0dge> in that case, use echo 1 > /proc/sys/net/ipv4/ip_forward
11:13 < grawity> h0dgep0dge: those two do literally the same thing
11:13 < h0dgep0dge> sshh sshhhhhh
11:13 < grawity> enabling forwarding won't do anything to your precious DHCP
11:13 < ktwo> good :P
11:14 < grawity> it's ... what's the word, 'orthogonal' probably
11:14 < ktwo> not that something terrible happens, but if i lose connection i need to get hdmi cable, mouse keyboard to get the pi access again :P
11:14 < grawity> the reason I generally suggest using conf.all rather than conf.{eth0,tun0} is because these work completely differently between IPv4 and IPv6
11:15 < grawity> so if you ever need to do both, IMHO it's a bit less confusion if you stick with conf.all.forwarding
11:15 < ktwo> huh i get permission denied even if i do it with sudo
11:16 < grawity> because you don't really do "echo 1 > /proc/sys/net/ipv4/ip_forward" with sudo
11:16 < grawity> you run "sudo echo 1" basically
11:16 < moonman_> anyone with experience using `struct tcpcb` in C?
11:16 < grawity> shells do the redirection *before* the command
11:16 < h0dgep0dge> oh shit, forgot about that
11:16 < ktwo> done with nano :P
11:16 < moonman_> i want to make a tcp stream follower and i dont know if that structure could help
11:16 < grawity> good enough
11:17 < ktwo> Now it should work :>?
11:17 < h0dgep0dge> you could also use echo 1 | sudo tee /proc/sys/net/ipv4/conf/all/ip_forwarding
11:17 < h0dgep0dge> now it should work, hooray
11:17 < grawity> `sudo sysctl net.ipv4.conf.all.forwarding=1`, etc
11:17 < grawity> ktwo: now it depends on where your pi's default (0.0.0.0/0) route points
11:17 < grawity> over the vpn, or over wlan0?
11:18 < bezaban> such patience :)
11:18 < ktwo> yea it doesnt work :D
11:18 < sandman13> if my current IP is 10.10.10.10, and I am sending traffic to this server, how is it not looped?
11:18 < ktwo> how can i check?
11:18 < grawity> run `ip route`
11:18 < h0dgep0dge> ip route, look for "default"
11:18 < h0dgep0dge> it'll say "default via XX.XX.XX.XX"
11:18 < ktwo> https://pastebin.com/raw/i46U3EQd
11:18 < sandman13> I thought TTL on IPv4 but capturing packets show that TTL hasn't changed
11:19 < grawity> sandman13: do you mean, from 10.10.10.10 to 10.10.10.10?
11:19 < h0dgep0dge> wow, looks like openvpn is screwing with your routes
11:19 < sandman13> grawity: yes
11:19 < h0dgep0dge> openvpn is over my head, i'm out!
11:19 < ktwo> :E
11:19 < grawity> sandman13: well, why should it loop
11:19 < grawity> sandman13: 1) the computer sends a packet over loopback
11:20 < grawity> sandman13: 2) the computer receives the same packet back
11:20 < h0dgep0dge-andro> Changing clients here guys, going mobile!
11:20 < grawity> sandman13: 3) the computer sees "hey it's sent to 10.10.10.10 and it's my own address, I'm going to consume it"
11:20 < grawity> sandman13: there's no reason why it should forward again at step 3
11:21 < moonman_> its like i am a ghost here
11:21 < moonman_> can anybody see what im typing?
11:21 < h0dgep0dge-andro> I can't
11:21 < moonman_> hahahah
11:21 < grawity> moonman_: no paid prioritization here, I'm afraid
11:21 < grawity> ktwo: I hate those /1 routes, but it looks like they should work
11:21 < grawity> ktwo: i.e. all outgoing traffic should go through tun0
11:22 < ktwo> grawity, yea on the Pi itself yes
11:22 < ktwo> but on the client connected to eth0
11:22 < moonman_> i actually started using IRC yesterday
11:22 < ktwo> no internet
11:22 < moonman_> thats why i was asking
11:22 < squ> moonman_: hello
11:22 < moonman_> i dont know if i need to have some privileges or something to write here
11:22 < moonman_> no idea
11:22 < grawity> ktwo: so investigate where things go
11:22 < moonman_> squ: hi
11:23 < squ> moonman_: I've your question but I have no answer to it
11:23 < grawity> ktwo: let's say the client is trying to ping 8.8.8.8 (or some other raw IP address)
11:23 < h0dgep0dge-andro> I would get an actual computer connected to the pi, try some pings and traceroutes
11:23 < sandman13> grawity: Okay. Thanks. I think I am kind of lost because of keepalived and Direct Routing :(
11:23 < ktwo> yea thats a good idea will check with a laptop
11:23 < ktwo> once that works i can retry with the TV
11:23 < moonman_> squ: ah, thank you. i guess its back to the textbooks now
11:23 < grawity> ktwo: your pi should see that packet incoming via eth0, and according to the routing table, it should go out through tun0 – with the source IP altered
11:24 < grawity> ktwo: use tcpdump to check (or Wireshark if you have a graphical screen)
11:24 < sandman13> My current setup has MASTER sending traffic to BACKUP, and I am trying to figure out what happens in that scenario
11:24 < ktwo> tcpdump on the pi?
11:24 < ktwo> but i have wireshark too
11:24 < grawity> ktwo: well yes, you're going to examine eth0 and tun0 on the pi after all
11:24 < grawity> you *could* start at the client's ethernet interface, but probably safe to assume it works
11:25 < h0dgep0dge-andro> I would capture some traffic with tcpdump, then download and analyse with wireshark
11:25 < grawity> sandman13: and 10.10.10.10 is a VRRP address?
11:25 < sandman13> yes
11:25 < grawity> hmm
11:25 < sandman13> VIP
11:25 < grawity> from what little I know about keepalived, I believe the virtual IP is *only* assigned to the current master
11:25 < sandman13> yes
11:25 < grawity> so backups will communicate using some *other* address
11:26 < sandman13> their real IP
11:26 < grawity> yes
11:26 < sandman13> but direct routing is used which doesn't change src/dst ip address
11:27 < grawity> and why should it change
11:27 < sandman13> it shouldn't, I am just stating it :)
11:28 < ktwo> interesting i cant ping to 192.168.0.1 from the laptop
11:28 < grawity> ktwo: where's the laptop
11:28 < ktwo> connected to eth0 on the pi with 192.168.0.8 as IP
11:28 < ktwo> its windows though ill disable the Firewall just to be sure
11:29 < sandman13> grawity: What are the criteria that lead to acceptance of a packet by a server? If MAC is same?
11:29 < sandman13> s/server/network stack
11:29 < grawity> if MAC is the same, it's passed up to the IP layer
11:30 < grawity> if IP is local, it's passed to a matching socket (as opposed to being forwarded/rejected)
11:30 < sandman13> will it route to different server if IP is different?
11:30 < grawity> if routing is enabled
11:30 < grawity> on regular servers it usually isn't
11:30 < sandman13> oh
11:30 < ktwo> eth0 lost its ip settings i did before o_O
11:30 < sandman13> then it makes sense, IPVS does routing on BACKUPs
11:31 < h0dgep0dge> ktwo: remember when i was talkin about a network manager messing with your network interfaces?
11:31 < ktwo> yea
11:31 < grawity> not sure if IPVS does quite the same kind of routing, but yes, it probably does that
11:32 < sandman13> it does load balancing grawity
11:32 < sandman13> at least that's what I know for now
11:33 < ktwo> im now changing the static ip in /etc/network/interfaces on the pi. Should i set a gateway ip?
11:33 < ktwo> or isnt it necessary as this is the gateway
11:34 < h0dgep0dge> nope, no gateway for eth0
11:35 < ktwo2> goddamn why did ip link set dev eth0 down kill my wifi -.-
11:35 < h0dgep0dge> dunno
11:36 < djph> wifi bridged to eth0?
11:38 < h0dgep0dge> nope, raspberry pi is routing between eth0 and wifi
11:38 < h0dgep0dge> well, no, routing between eth0 and a vpn tun interface
11:41 < ktwo2> ok messing with that file was not a good idea
11:42 < ktwo2> it didnt boot the network properly and disabled all interfaces
11:46 < h0dgep0dge> sounds like you've got a bit of a clusterfuck over there
11:47 < ktwo2> well i guess i have messed up the Pi for good -_- i guess time for reinstall :E
11:48 < ktwo2> wifi0 wont get IP from DHCP and eth0 does not keep the setting
11:57 < moonman_> anyone knows a good paper on tcp sniffing
11:58 < moonman_> but not with wireshark or tcpdump
11:58 < moonman_> i mean programmatically
12:02 < grawity> libpcap's docs then
12:06 < sandman13> they have an article explaining basic howto for packet capturing, requires knowledge of C though
12:08 < moonman_> gonna check that out
12:08 < moonman_> thanks
12:16 < ktwo2> ok i fixed the connections for the Pi, and started wireshark, any idea how i should go on with the investigation of getting the internet (over tun0) of eth0-connected client to work ?
12:16 < grawity> ping stuff
12:16 < ktwo2> yea.. ping 8.8.8.8 for example
12:16 < grawity> if packets arrive on eth0, check whether they come out through tun0 or wlan0
12:16 < grawity> and whether they have the SNAT correctly applied
12:17 < ktwo2> for example i see Source 192.168.0.8 (client) destination 8.8.8.8 on the Pi's wireshark log
12:18 < grawity> for which interface?
12:18 < ktwo2> eth0
12:18 < grawity> normal
12:19 < grawity> what do you see on tun0?
12:20 < ktwo2> nothing :E
12:20 < grawity> what do you see on wlan0?
12:21 < ktwo2> a lot of vnc stuff let me see how i can filter
12:22 < grawity> capture filter "not port 5900", or display filter "!(tcp.port == 5900)"
12:26 < ktwo2> hm nothing
12:26 < ktwo2> about that ping
12:26 < grawity> are you sure net.ipv4.conf.all.forwarding is enabled?
12:26 < ktwo2> ill check again
12:27 < zenix_2k2> so hi ? can i be available now pls
12:27 < zenix_2k2> so i had a question, why does the IP address that the server gained from accepting the connection varies from non-port-forwarded ( iptables ) to port-forwarded ?
12:28 < ktwo2> wtf it was set to 0 again
12:28 < ktwo2> ill set it in /etc/sysctl.conf
12:29 < ktwo2> there is a line #uncomment the next line to enable packet forwarding for ipv4
12:29 < ktwo2> net.ipv4.ip_forward = 1
12:29 < ktwo2> thats it right?
12:31 < zenix_2k2> ok, not yet
12:31 < grawity> kfour: yeah that's close enough
12:31 < grawity> old name for the exact same setting, but it still works
12:33 < ktwo2> argh, ssh fails to reconnect after reboot
12:38 < ktwo2> Soon ill set up a windows machine to do that job :E can't believe that this is so hard :E
12:38 < djph> probably a case of "trying to run before you can walk" ...
12:47 < Pretheist> Can you put a switch between multiple routers?
12:47 <+catphish> yes
12:47 < grawity> sure, why not
12:47 < Pretheist> Gahhhh
12:48 < Pretheist> I had been thinking of network structures as gradually ascending in the OSI model, which I guess is foolish
12:48 < Pretheist> Switching routers seems silly
12:48 <+catphish> Pretheist: that is how they work, but it happens at every hop
12:48 < grawity> sometimes it's more like the complete opposite
12:48 <+catphish> but yeah, as a whole, the OSI model doesn't represent a network, no
12:49 < grawity> often illustrated as reaching up to level 7 at the endpoints, then level 4 or whatever at gateways in between, and even lower layers between those gateways
12:49 < grawity> I mean, you can put a layer 1 cable between layer 3 routers, can't you
12:49 < Pretheist> grawity: that was another bit I was thinking about
12:49 <+catphish> Pretheist: yeah don't try to equate those things
12:50 < Pretheist> catphish: how will I ever learn how networks are usually laid out at the ISP level? they're huge dicks and don't let me know about the infrastructure, sadly.
12:50 <+catphish> Pretheist: what do you want to know?
12:50 < djph> grawity: no, you have to use layer3 cables :P
12:51 <+catphish> at its simplest, an ISP is a series of routers (they operate at layer 3), but use layer1+2 to physically get the packets to the next router
12:52 <+catphish> so each router is interested in looking at the IP destination, then uses ethernet (l1+l2) to get the packet to the next router according to that destination address
12:52 <+catphish> for a simple ISP, that's all there is to it
12:52 < Pretheist> catphish: do ISPs usually implement stateful firewalls for clients, or any sort of client isolation? Can you actually see anything as a client that the internet can't see when it comes to anything beyond your own network?
12:53 <+catphish> Pretheist: that all comes down to how you're physically connected to your ISP
12:53 < grawity> stateful firewalls would be somewhat surprising to see, at least if you've got a public IP address
12:53 <+catphish> stateful firewalls, no
12:53 < djph> they firewall their corporate stuff (and access to the routers themselves), but the rest of it is quite likely wide open (hence you needing firewalls, etc. at home)
12:54 <+catphish> client isolation is often provided by each client having their own physical connection to the ISP, only that client's packets are sent down that connection
12:55 <+catphish> other times, you have a shared connection, like a coaxial cable, in which case clients can see each other's data (though these days ISPs use encryption to avoid this problem)
12:55 < grawity> do ISPs generally allow clients to reach one another at L2, or do they implement proxy-arp to avoid this?
12:55 < Pretheist> djph: Is it more likely that an ISP has misconfigured their management interfaces to be accessible from the customer side of things? I don't know how the configurations usually work.
12:56 < Pretheist> catphish: Current WISPs are probably fucked in terms of client isolation then, right?
12:56 <+catphish> grawity: totally depends on the infrastructure, generally you can assume you have your own isolated vlan
12:56 < djph> Pretheist: no ...
12:56 < djph> Pretheist: no to both, actually.
12:56 <+catphish> Pretheist: they use WPA which achieves this perfectly
12:57 < Pretheist> WPA doesn't seem to do that at all--unless you're saying they use EAP
12:57 < Pretheist> ?
12:57 < Pretheist> That seems like a big "if"
12:57 < grawity> catphish: asking because my home ISP configures the public address as a /18 or /19
12:57 < grawity> which would make a pretty big subnet otherwise
12:58 <+catphish> WPA stops people sniffing each other's packets, you can probably assume that they're not doing a shared l2 network
12:58 < Pretheist> WPA doesn't stop clients on the same network from sniffing each other's packets, to my knowledge.
12:58 < grawity> WPA2 has pairwise keys, the only problem is that knowing the PSK lets you grab keys from other clients' handshakes I think
12:59 < Pretheist> Knowing the PSK is literally how you connect to the same network
12:59 <+catphish> generally they probably want to isolate the clients to stop people screwing their neighbours by configuring each other's IPs
12:59 < Pretheist> So I don't see how this doesn't make it a problem for WISPs
12:59 < djph> pppoe on top
12:59 < Pretheist> I'm unfamiliar with pppoe, but there are no attacks against it when you're on shared meida?
12:59 <+catphish> WPA prevents sniffing if you don't use a PSK
12:59 < Pretheist> media, even?
12:59 < Pretheist> catphish: so you mean with EAP?
13:00 <+catphish> yes
13:00 < Pretheist> Isn't that the only other option
13:00 < Pretheist> ah
13:00 <+catphish> though afaik most don't bother with that
13:00 < Pretheist> but EAP has attacks available too, right
13:00 <+catphish> Pretheist: i seriously doubt it
13:00 <+catphish> anyway, none of that really matters, internet traffic isn't private
13:00 < Pretheist> evil-twin attacks are pretty commonly cited for WPA2 enterprise
13:00 < grawity> but they're not even close to the same kind of attacks
13:00 < Pretheist> Certainly not private, but I think it's WAY WORSE to be on a shared medium comparatively
13:00 < grawity> and only possible with misconfigured (incompletely configured) clients
13:01 < djph> Pretheist: you're on a shared medium right now
13:01 <+catphish> its just a matter of who is sharing
13:01 < Pretheist> djph: most people sitting at their house in this valley don't have a shared medium with me.
13:01 < Pretheist> i'm simply stating that buying service from a WISP seems higher-risk
13:01 <+catphish> higher risk of what?
13:02 < Pretheist> especially since WISPs are typically run on smaller budgets (and run by smaller groups of people)
13:02 < djph> Pretheist: I'm saying "The Internet" is a shared medium.
13:02 < grawity> wat
13:02 < Pretheist> djph: certainly
13:02 < Pretheist> speaking of, does my home router use BGP?
13:02 < grawity> no
13:02 < djph> no
13:02 <+catphish> no
13:02 < grawity> though I've heard of home routers which use RIP (docsis stuff?) or occasionally OSPF
13:02 < Pretheist> So how does the routing table get updated on cpe?
13:03 < djph> they don't
13:03 <+catphish> it doesn't
13:03 < grawity> in all other cases the cpe probably has it statically configured or updated by PPP, I guess?
13:03 <+catphish> it just sends everything to the same place
13:03 < djph> you have one route, either set statically, or via DHCP.
13:03 < Pretheist> Weird. Do they have the capability to have more than one route? I suppose not, which is why it only has one WAN port, right
13:03 <+catphish> Pretheist: it just has a static routing table, one route for the LAN and one for everything else
13:04 < grawity> oh, the CPE? right
13:04 <+catphish> yes
13:04 <+catphish> you can manually configure other routes on most routers
13:04 < Pretheist> Hmm. So how do ISPs differ? Do they use switches to aggregate links to a single router, then?
13:04 <+catphish> but since they have only one WAN, there's not much to configure
13:04 <+catphish> what links?
13:05 < Pretheist> customer<--->WAN links
13:05 <+catphish> depends on the medium
13:05 <+catphish> some customers have ethernet direct to an ISP router, others have cable, which is shared, then goes to a router
13:05 < grawity> most CPEs *technically* could have multiple routes just fine, often the web UI has static routing features – only useful for LAN routing though, there's no point in different routes to the Internet
13:05 <+catphish> others connect to a shared switch, which then goes to a router
13:06 <+catphish> then there's DSL, where there's lots of lines that go into a "DSLAM" which converts them to ethernet then it goes into a router
13:06 < Pretheist> Also, are LTE and GSM layer-2 protocols?
13:06 < Pretheist> Or do they even fit into the model?
13:06 <+catphish> personally, i have VDSL, which is a copper line, which goes to a roadside "DSLAM", then fibre back to a router
13:07 < grawity> a lot of things don't fit into the model, including (I've heard) even the OSI protocols themselves
13:07 < Pretheist> catphish: i thought DSLAMs were usually at the office, not on the side of the road?
13:07 <+catphish> well LTE and GSM clearly cover layer 1
13:07 < grawity> I think LTE covers a few different layers
13:07 <+catphish> then they also clearly cover layer 2
13:07 <+catphish> after that it gets more hazy
13:07 < grawity> just like Ethernet is L1 *and* L2
13:08 <+catphish> Pretheist: DSLAMs can be anywhere, in the UK they have ADSL DSLAMs in the telephone exchange, and VDSL ones at the side of the road which are much faster
13:08 < h0dgep0dge> i have vdsl in nz, but no idea where the dslam is
13:08 < grawity> my ADSL DSLAM is ... not quite "roadside" but it's in a small cabinet ~1km away
13:09 <+catphish> h0dgep0dge: well somewhere within 1km hopefully, if you're that close to a telephone exchange it could be there, else it'll be a cabinet
13:09 < grawity> makes sense, anyway
13:09 < grawity> anywhere farther than that and the link would be even worse than it already is
13:12 < Pretheist> Is fiber really cheaper to maintain? I assume that it's easier because you have less signal repetition required, but are the materials much harder to manufacture than simply drawing copper?
13:12 < djph> yes
13:13 < djph> well, yes cheaper to maintain.
13:13 < Pretheist> Then why the HELL do we not have it yet
13:13 < djph> because it's more expensive to install
13:13 <+catphish> Pretheist: because copper is already there
13:13 < djph> ^ also that
13:13 < grawity> installing *any* new cables is more expensive than not installing new cables
13:13 < Pretheist> catphish: slowly rotting, right?
13:13 <+catphish> Pretheist: copper lasts a very long time
13:13 <+catphish> as does plastic
13:14 < Pretheist> grawity: if the old cable was installed properly, couldn't you just pull new cable really carefully? Now I'm curious how they pull it through in the first place. Is there conduit all the way to the demarc?
13:14 < Pretheist> catphish: I guess it does when it's underground in a tube
13:14 <+catphish> in the UK we run DSL over nearly hilariously old phone cabling :)
13:14 < grawity> ...tbh for phone lines there might not even be one
13:14 <+catphish> but it works, and internet is cheap, nobody wants to pay to upgrade it
13:14 <+catphish> though its gradually starting to happen now
13:15 < djph> just got FTTH here like 2 years ago
13:15 <+catphish> my house has fibre because i paid to install it
13:15 <+catphish> yeah me too
13:15 < djph> although it's GPON, which makes it slightly less cool.
13:16 < Pretheist> Also, when fiber to the road is put in, how do they know how many links they're going to need? Doesn't each cable have to run back to the routing equipment?
13:16 < Pretheist> Or how do they bond links for fiber?
13:16 < djph> switches
13:16 < Pretheist> layer 1 is nuts
13:16 < grawity> I imagine they 1) install a lot of spare capacity upfront because it's cheap, and/or 2) DWDM
13:17 <+catphish> you just run bundles of fibre to where they're needed, like if there's 20 houses, you might run a 50 core fibre there
13:17 <+catphish> or a lot less if you plan to use GPON and split it
13:17 < djph> here they put in tons of spare capacity - every block hanging on the new fiber runs (yes, they're aerial) has at least 8 breakouts.
13:17 <+catphish> the cost of fibre is a lot less than the cost of installing it
13:18 <+catphish> so they tend to put in plenty spare
13:18 < Pretheist> Can fiber be used from a switch to an AP?
13:18 <+catphish> Pretheist: sure
13:18 < grawity> it could
13:18 < djph> sure, if the AP supports it.
13:18 < Pretheist> cat5e/6 is probably cheaper, but hmm
13:18 <+catphish> depends where the AP is
13:18 < fr00die> hi
13:18 < Pretheist> Now that I think of it, does fiber come with higher latency than other media?
13:18 < grawity> I think I've seen ubiquiti sell some 10G or 40G APs with SFP slots
13:18 < djph> downside to that is you still need power
13:18 <+catphish> i did AP installs city wide, they had fiber to them, with a media converter at each site
13:18 < Pretheist> djph: good point
13:18 < djph> grawity: yeah, their airfiber stuff has SFP ports
13:19 <+catphish> cool
13:19 <+catphish> you need power anyway though, so a media converter isn't a big deal
13:19 < Pretheist> Also, quick question on the shady side
13:19 <+catphish> though for an outdoor install its better not to need the extra device
13:19 < djph> yes, those were really pictures of your mom.
13:19 < Phil-Work> :D
13:19 < Pretheist> It's super likely that all of my neighbors with the same ISP have IP addresses in the same subnet that I do, right?
13:20 < djph> or close enough
13:20 <+catphish> Pretheist: who knows
13:20 < grawity> it's common, but not guaranteed
13:20 <+catphish> depends how they route / allocate them
13:20 < grawity> depends on ISP
13:20 <+catphish> i certainly wouldn't assume my IP was a secret though
13:20 < Pretheist> And how they purchased their blocks, right?
13:20 < grawity> and that
13:20 < dminuoso> Pretheist: the overhead of latency on fiber optics is negligible.
13:20 < djph> and whether they're paying extra for a biz account / static IPs / etc.
13:20 < Pretheist> djph: True. That's interesting
13:21 < djph> catphish: mine's 127.0.1.1
13:21 <+catphish> dminuoso: tell that to the link between the US and north america :)
13:21 < dminuoso> Pretheist: though on very long cables fiber optics can incur some latency penalties in DCF.
13:21 < Pretheist> Can't a router only provision IPs from its subnet, though?
13:21 < Pretheist> You can't have disjointed allocations, right?
13:21 < djph> catphish: er, I think you meant the UK
13:21 <+catphish> Pretheist: a router can route any number of subnets
13:21 < dminuoso> catphish: yeah DCF is an issue. :)
13:21 <+catphish> djph: indeed, UK
13:21 < Pretheist> dminuoso: that's interesting. the speed that these things run at is bonkers.
13:21 <+catphish> we really need to find a way to transmit light faster
13:22 < djph> catphish: indeed.
13:22 < Pretheist> catphish: Wait, really? So is this just a limitation of home-gamer gateways?
13:22 <+catphish> Pretheist: its not even a limitation of those
13:22 < Pretheist> Also, regarding faster light transmission, we just need to replace glass with vacuum
13:22 < dminuoso> catphish: Haha I think the CTO or CEO of the German Telekom publicly said that "light is not fast enough, they need better technologies"
13:22 <+catphish> Pretheist: your home gateway will route any number of IPs
13:22 < dminuoso> And he was serious.
13:22 <+catphish> dminuoso: ha
13:22 < grawity> dminuoso: I've heard that microwave *does* have slightly lower latency than fiber
13:23 <+catphish> dminuoso: introduce him to einstein
13:23 < idnc_sk> hi
13:23 < djph> Pretheist: catphish with the obvious "limitation" that you typically can only set it up to route between two networks.
13:23 <+catphish> grawity: yeah its faster in air than glass
13:23 < djph> but it's a little less difficult to keep it contained in glass.
13:23 < Pretheist> catphish: Perhaps I'm losing my mind. Is it DHCP that uses a pool, then? Could I, for instance, have both 10.0.0.234 and 192.168.1.232 served to machines from the same router? I know this is possible with liar-liar-pants-on-VLAN, but I didn't know it was otherwise possible.
13:24 < dminuoso> catphish: https://www.heise.de/newsticker/meldung/Telekom-Chef-hat-das-Jammern-satt-3947391.html (google translate seems to do a good enough job)
13:24 <+catphish> djph: sort of, you can have more routers on the LAN side though with static routes
13:24 < dminuoso> catphish: its downright hilarious.
13:24 < djph> Pretheist: sure
13:24 <+catphish> Pretheist: yes that's totally possible, just mostly pointless
13:24 < djph> catphish: well, yeah, but I was specifically talking about a *single* router setup
13:24 < grawity> Pretheist: a router can have as many subnets as it needs; as many subnets per interface as it needs; as many DHCP pools as it needs; but most "home gamer" users don't *need* those features
13:24 < Pretheist> So it's a matter of the software running, I presume?
13:24 < grawity> yes
13:24 <+catphish> routers can all do this, they just tend not to offer features people don't need in their UIs
13:24 < djph> Pretheist: I mean, I have my ER-4 hosting 192.168.10/24; 10/22, and 172.22.0/23
13:25 < Pretheist> What's the 10.0.0.1 range commonly called? Is that a /16 or a /8
13:25 < djph> 10/8 is the whole range.
13:25 <+catphish> Pretheist: its whatever size you want it to be up to /8
13:25 < grawity> the whole *reserved for private use* range is a /8
13:25 <+catphish> ^ this
13:25 < grawity> but the range you configure is whatever you want, up to /8
13:25 < djph> although you can carve that up into chunks as small as a /32
13:26 < Pretheist> I think one of the local school districts has one router for their entire multicampus topology, and it serves from all of the private IP spaces + some public ones
13:26 <+catphish> you can have one huge /8 or 2x/9, etc
13:26 < grawity> Pretheist: yeah that's perfectly doable
13:26 < grawity> (until the router falls over)
13:26 < djph> 65535 /16 ...
13:26 < Pretheist> Apparently it's so the netadmin can run his content filter on specific nets or something
13:26 < grawity> 65536 /16's surely
13:27 < grawity> could do the same with multiple routers really...
13:27 < djph> makes sense, if they're running say MPLS or something between the various buildings.
13:27 <+catphish> lots of reasons to lay networks out in different ways
13:27 < Pretheist> grawity: So if I'm on a network and it says my address is 10.0.0.3 and the subnet is /24, does that necessarily mean that there are no devices on my side of the router that are in 10.0.1.0/24?
13:27 < djph> Pretheist: no.
13:28 < Pretheist> Is there a way to poll a router for all of its subnets?
13:28 < djph> well, that depends on what you mean by "your side" of that router.
13:28 < djph> yeah, login.
13:28 < djph> now, if you don't control the router, then 'no'.
13:28 < grawity> SNMP, but you won't find a router which exposes this publicly
13:29 < Pretheist> Unless misconfigured, right? But there's really no way to probe that? No "destination unreachable" or something like that for at least the private nets?
13:29 < djph> Pretheist: not really, no.
13:29 < grawity> not without an exhaustive search at least
13:29 < grawity> also https://tools.ietf.org/html/rfc4620#section-6.3 :D
13:30 < grawity> nobody sane supports Node Information packets either
13:30 < djph> too much effort ... and if you tried that on my networks; the router would nuke your connection pretty quick.
13:30 < djph> hooray firewalls
13:30 < Pretheist> So what happens if I send an icmp echo to 10.0.1.254 and that's not in the router's routing table? I assume that the router says something like "I HAVE ROUTES FOR X SUBNETS" and then checks the address via a bitmask, right? And then it just checks the routing table--but if there are no routes, what's the response?
13:30 < grawity> Pretheist: if that's not in the routing table, it responds with "Destination unreachable"
13:30 < Pretheist> djph: the router itself? couldn't you just switch macs and reconnect?
13:30 < djph> it'll either drop the packet, or route it on.
13:30 < Gollee> what grawity said
13:30 < mAniAk-_-> Pretheist: usually there's a default route
13:31 < grawity> of course, the router might have a 0.0.0.0/0 route that covers everything
13:31 < Pretheist> Ah so that's when it says "destination unreachable."
13:31 < Pretheist> Those bastages. Why would they do that?
13:31 < grawity> why wouldn't they
13:31 < Pretheist> Won't it eventually come back with a destination unreachable from the next router down the line, though?
13:31 < grawity> it will, yes
13:31 < grawity> once you reach a router in the DFZ
13:31 < grawity> with only BGP routes in it
13:31 < djph> Pretheist: i mean, you could, but then you'd get dropped again when you start that nonsense. I mean, I don't really *care* if you try pinging the entirety of 10/8 ... but well, "quality of service" to everyone ... so dump the noisy client.
13:31 < grawity> but that might be quite a few hops away
13:31 < Pretheist> Ah, okay. I thought that you might tell me that they routed 0.0.0.0/0 as a last resort to the trash can
13:32 < grawity> well, some do that instead of returning ICMP errors, yes :(
13:32 < Pretheist> Is that why I get request timed out on this net when I'm pinging 10.0.0.1 on 192.168.1.1/24? D=
13:32 < Pretheist> Instead of ICMP, could I just try with handcrafted TCP packets?
13:33 < Pretheist> Oh, it has to be an icmp error
13:33 < grawity> not necessarily
13:33 < grawity> and ICMP errors don't depend on what protocol caused those errors
13:33 < djph> Pretheist: yup, your router (or your ISP) is simply dropping the packets
13:33 < Pretheist> I'm pissed
13:34 < grawity> I mean, for example, a router might directly be in the 10.0.0.0/24 subnet (on-link), but unable to get an ARP response for the .1 host
13:34 < grawity> (though that often also results in ICMP unreachable, after a delay)
13:34 < djph> I mean, I drop all outbound from my edge that's trying to hit RFC1918 or RFC6598
13:34 < Pretheist> djph: Why? D=
13:34 < djph> Pretheist: why send requests to my ISP for bogus IP addresses?
13:35 < grawity> more like why drop as opposed to ICMP Fuck Off
13:35 < Pretheist> To incentivize the ISP to get better hardware
13:35 < Pretheist> (Since you can cross your fingers and hope some executive doesn't listen and thinks you can't just drop the traffic yourself)
13:35 < djph> grawity: because it's not just ICMP that I don't want to send out to my ISP?
13:36 < grawity> djph: wouldn't the ICMP errors be inbound
13:36 < grawity> if the bad packets are outbound
13:36 < Pretheist> I'm reading about MPLS; is this a common tech?
13:36 < grawity> very common, and I have no clue about it
13:36 < RtMF> ICMP unreachable messages are visible to the outside world, dropped packets lead to connections hung open (tcp, other stateful protos) that sit there and wait for their FIN or a SYN+ACK that isn't coming, or just an ACK....
13:37 < djph> grawity: I'm talking about "outbound" as in "leaving the building", not "some jackass on the inside sending stupid packets"
13:37 < Pretheist> grawity: I assume it's mostly used for ISPs, not necessarily companies running large networks themselves, unless they want to act like an ISP?
13:37 < grawity> I don't think it depends much on "acting like an ISP"
13:37 < grawity> (and once a company grows large enough...)
13:38 < djph> grawity: mainly a "why send requests to the ISP to ssh to 10.x.y.254, because someone's a dumbass and typed "10.y.x.254"
13:38 < grawity> djph: right I got that part
13:39 < djph> as for all the ICMP stuff, inbound I'm lenient -- IIRC 5-10 in a minute from a single IP before they get rejected.
13:39 < Pretheist> Also, I've been in situations where a UDP traceroute took me really far outside of the network (to the full internet) before bringing me back in to a local IP address, while a TCP traceroute routed just fine--is this evidence of a stateful firewall?
13:40 < djph> s/rejected/dropped/
13:41 < Gollee> Pretheist: routing doesn't care if it's UDP or TCP
13:41 < Pretheist> Gollee: So it has to be the firewall modifying the route...?
13:41 < Gollee> sure
13:42 < Pretheist> Do traffic shapers also modify which ports things are sent out on, or do they simply build priority queues, etc?
13:42 < Gollee> they usually don't alter the packet more than tagging it in the ip header or ethernet header
13:43 < Pretheist> Gollee: They being traffic shapers? Intereting
13:43 < Pretheist> Interesting, even.
13:43 < grawity> well, routing *might* care
13:43 < Pretheist> That's fooking insane that we have these racks full of boards that are just taking in packets and slightly modifying them before they're passed on
13:44 < grawity> I think a default UDP traceroute will use a series of different destination ports, while telling it to use TCP will use just one port
13:44 < Pretheist> Like an assembly line.
13:44 < grawity> and that can affect where traffic goes if you reach like an ECMP route
13:44 < ice9> is there a way to find out the ADSL version/type other than asking the company's support?
13:45 < Pretheist> ecmp is non-deterministic, right? or does it usually err deterministically/prioritize arbitrarily-but-consistently
13:45 < Pretheist> ice9: pull up your modem's manual and see if it says it's ADSL
13:45 < Pretheist> or ADSL2
13:45 < Pretheist> and if your speeds are above a certain threshold, it's probably vdsl, if I recall correctly
13:45 < grawity> from what I was told, it has to be deterministic because splitting a single TCP connection across several paths would end up causing packet reordering, which then ruins TCP performance
13:45 < Pretheist> confirm everything i'm saying; i'm only going from baby boy memory
13:46 < Pretheist> grawity: good point
13:46 < grawity> so it's based on a hash of just the IP addresses or addresses+ports
13:46 < Pretheist> i still haven't gotten the whole "tcp packet" thing
13:46 < Pretheist> a packet is what shows up in wireshark, right? unless you do the session trace?
13:47 < Pretheist> I'm just double-checking to make certain I've been thinking of the situation properly. Does wireshark ever do layer-1 analysis, or is it limited to frames as the lowest level of analysis?
13:47 < ice9> Pretheist, i don't mean the router, i'm talking about the provided service on the phone line
13:47 < mcdnl> Pretheist: by packet you mean a tcp/udp datagram or an ip packet?
13:47 < Pretheist> mcdnl: scheisse.
13:47 < grawity> Wireshark can't really see electric signals, so it's mostly limited to L2
13:47 < Pretheist> I had no idea they were different.
13:48 < Pretheist> grawity: Good point. I guess the card makes that hard
13:48 < grawity> and you'd probably need a completely different UI to present them understandably, anyway
13:48 < mcdnl> a tcp/udp datagram is the payload of an ip packet
13:48 < grawity> I mean there are actual "signal analyzers"
13:48 < Pretheist> See, I thought that TCP had packets and UDP had datagrams.
13:48 < Pretheist> I wonder where that misconception came about.
13:48 < mcdnl> l2 frame, l3 packet, l4 datagram
13:49 < mcdnl> kinda
13:49 < mcdnl> xD
13:49 < Pretheist> mcdnl: Is it l1 signal, then?
13:49 < grawity> candygrams are at which layer?
13:49 < grawity> Pretheist: TCP calls them "segments" IIRC
13:49 < grawity> because they don't really act as standalone packets
13:49 < djph> grawity: l8 or l9. depends on whether or not she's naked.
13:49 < mcdnl> grawity: good point
13:50 < mcdnl> Pretheist: you could say something like that i guess
13:50 < Pretheist> Is this all in the youtube series commonly linked here? Maybe I should get to watching instead of just learning through IRC
13:50 < Pretheist> Though this channel's always super helpful
13:50 < mcdnl> practice makes the master
13:50 < mcdnl> build a lab and test things out
13:50 < djph> vids are crap for learning. 45 minute video with 5 minutes of actual learnin'
13:51 < mcdnl> gns3 is pretty good for this but afaik it's not super-easy
13:52 < Pretheist> mcdnl: What does building a lab entail?
13:52 < Pretheist> djph: books can be equally bad, and they're not very engaging, either
13:53 < djph> Pretheist: yeah, but at least with books, you can skim over the "I know this crap already" sections pretty easily.
13:53 < Pretheist> mcdnl: thanks for the tool recommendation. I'll still try it out
13:53 < grawity> buy a router or two
13:53 < Pretheist> djph: I used to think that, but then think to myself "fuck, what if there's something I don't know"
13:53 < mcdnl> Pretheist: if you have the physical devices, it's probably easier to tinker
13:54 < djph> Pretheist: hence "skimming" the text.
14:06 < ice9> which ADSL routers support 100Mbps?
14:08 < Gollee> ice9: what do you mean, ADSL itself does not support 100Mbps
14:09 < ice9> Gollee, the ISP supports up to 100, so what is that type?
14:09 < Gollee> VDSL
14:13 < ktwo2> grawity: it seems raspbian has serious problems with static ips : https://www.raspberrypi.org/forums/viewtopic.php?t=191140 i'm going for a different OS now.. maybe this helps, i think the reason was i kept losing the static IP after 5-10 seconds
14:13 < Spice_Boy> since when?
14:14 < JadedJJ> Where can I learn about the basics of the TCP 3-way handshake
14:14 < Gollee> wikipedia
14:14 < Gollee> books
14:14 < Gollee> the internet
14:16 < JadedJJ> Any books you recommend?
14:17 < Pretheist> Right before I head out, I just ran an nmap scan on the "next hop up" on my traceroute, and it first told me that the network distance was 3, and then I reran it--the network distance has decreased to 2. Is that normal?
14:17 < djph> O'Reilly probably has published something on TCP itself ...
14:19 < Pretheist> Back later!
14:24 < Lope> How many unshielded cat5e cables can fit inside 16x16mm trunking?
14:25 < Lope> Looks like I should be able to fit at least 3?
14:25 < djph> that's what, about half-inch conduit?
14:25 < ice9> what's the maximum speed of ADSL2+ and ADSL2+M ?
14:26 < Lope> djph, 0.63"
14:26 < djph> Lope: close enough :)
14:26 < Lope> significant'y bigger than 1/2" :p
14:26 < Lope> ly
14:26 < Lope> So how many cat5e in there?
14:27 < Lope> https://scoop.co.za/ega-trunking-16mm-x-16mm.html
14:27 < djph> limit (at least in the US) is 40% fill. It depends somewhat on how large the cable actually is; but 5 sounds about right
14:27 < Lope> alrighty. Why is there a limit for cat5e cable?
14:27 < Lope> Like who cares if it's full?
14:27 <+catphish> ice9: see https://en.wikipedia.org/wiki/Asymmetric_digital_subscriber_line#ADSL_standards
14:27 < Lope> djph, ^
14:27 < djph> 0.75" conduit can carry seven (7) cat5e (provided it's under 0.19" in diameter)
14:28 <+catphish> ADSL2+ and ADSL2+M are both max 24Mbps down
14:28 < Kingrat> if you ever need to replace one you would care, any more than 40% and you have to pull it in all at once
14:28 < djph> Lope: Not entirely sure -- it's PROBABLY because here it falls under the national electric code, and that's what mandates conduit fill parameters.
14:29 < Kingrat> i can tell you I've done 6 cat6 in a 3/4 (21mm) and 8 cat6 in a 1" (27mm) and they both needed lube to get in, no chance of ever replacing any of the cables without ripping them all out and repulling the whole thing
14:29 < Lope> Kingrat, fair enough. This is just a home install. Trunking is easier to install than gluing the wire along the wall painstakingly along its whole length with hotglue, trying to glue it straight and breathing the hot glue fumes. With trunking I can just knock 2-3 nails in the trunking and I'm done.
14:29 < djph> ... and rather than treating low voltage separately from mains, they just stuck with the same fill capacity.
14:30 < Lope> Kingrat, what kind of lube did you put in the trunking and how did you apply it?
14:30 < Lope> I'm not planning to pull any cable thru the trunking. I'm planning to just push it into the trunking and then close the lid over it.
14:30 < djph> Lope: it's just cable-pulling lube. Can (typically) even get it at a home improvement store
14:30 < Lope> I've never heard of cable pulling lube.
14:31 < Lope> I guess it's relatively non-flammable and non-conductive?
14:31 < UncleDrax> need more icky pick
14:31 < compdoc> it's a thing
14:31 < Kingrat> they have different kinds of lube for pulling cable, clear stuff, yellow stuff, you just hose it down with the stuff and pull it in, if you are feeling frisky you can spread it with your hands
14:31 < djph> if you're using wiremold or similar, you probably don't have to worry about it.
14:31 < Lope> Could wear gloves and do it.
14:31 < UncleDrax> yeap, do not want abrasion when you're trying to pull 100kg worth of cable through a hole
14:31 < Lope> I dunno what wiremold is
14:31 < djph> https://www.homedepot.com/p/Klein-Tools-Wire-and-Cable-Lube-Synthetic-Polymer-51015/100647818
14:32 < Lope> But this is a basic install. Yeah sounds hardcore.
14:32 < compdoc> I've seen cable lube dry out and cause cables to be stuck inside conduits so they can't be pulled out
14:32 < djph> they're a brand name (here) for wall-mount conduit / raceway / channels
14:32 < Kingrat> compdoc, probably too tight in the conduit which is why they had to use lube in the first place
14:32 < compdoc> no
14:33 < Lope> compdoc, I suppose that's the downside of non-oil based lube. Could the lube have absorbed dust and become tacky that way?
14:33 < Lope> You could theoretically get airflow carrying dust through a conduit if there's a pressure differential on the ends of the conduit.
14:40 < Wang> can anyone explain to me why I am not able to see 10.40.192.242 in the ARP table (interface NOT in any VRF) https://pastebin.com/wbfkk1Nv
14:44 < djph> you haven't ARPed for it?
14:45 < Wang> djph; I ran, sh ip arp, so yeah, I ARPed for it
15:35 < noonien> hello
15:35 < mercxry> hi
15:36 < noonien> is there any software akin to TeamViewer that allowed creating vpn connections? i would prefer to be able to run the server on a machine, have a token, and be able to use the token to connect to that machine's network
15:37 < mercxry> Well you can setup a private network then use VNC to connect to that machine
15:38 < grawity> but that's kind of the opposite of what was asked
15:39 < detha> zerotier was made for that sort of setup.
15:39 < HrStiefel> try anydesk
15:49 < ||cw> noonien: maybe heroku?
15:49 < ||cw> there are some OSS peer to peer VPNs, but they all need port forwarding
15:50 < ||cw> which I assume is what you're trying to avoid
15:51 < noonien> yeah
15:51 < noonien> i don't mind setting up a server as a proxy in case p2p is not available
15:52 < noonien> i just want to avoid having to setup everything on new machines, just want an easy way to connect
15:52 < noonien> can't find anything that matches what i need, i'll probably have to setup something myself
15:58 < Calinou> if it's TCP-only, you could set up a SOCKS proxy using ssh -D
15:58 < Calinou> (i.e. if you don't need UDP support)
15:59 < Calinou> that requires having a SSH server on the machine, which may be difficult on Windows (but perhaps it would work with https://github.com/euske/pyrexecd)
15:59 < spaces> Calinou not difficult on windows
16:00 < Calinou> I mean, if the machine hosting the proxy is on Windows
16:00 < Calinou> it's easy if the client is on Windows
16:00 < spaces> Calinou also not difficult
16:06 < noonien> what's a good way of setting up vpns nowadays that's also cross-platform? openvpn?
16:06 < jackbrown> Hey guys what do you think about the In-Wall AP? they seem a very clean and elegant solution to me
16:07 < noonien> jackbrown: it would make it pretty hard to maintain, you could just hide it somewhere instead of embedding it in the wall
16:07 < jackbrown> noonien, hard to maintain ? what do you mean?
16:07 < jackbrown> noonien, which kind of maintenance do they require ?
16:08 < noonien> jackbrown: what do you mean by "in-wall"? embedded in the wall?
16:08 < jackbrown> noonien, yes
16:08 < jackbrown> noonien, for example https://it.aliexpress.com/item/TP-Link-300-MBbps-AP-Wireless-Access-Point-Parete-Interna-Incorporato-WiFi-Router-Wireless-ripetitore-TL/32871472677.html?spm=a2g0y.search0104.3.34.1a284812ofX9ej&ws_ab_test=searchweb0_0%2Csearchweb201602_3_10152_10151_10065_10344_10068_5722815_10342_10343_10340_5722915_10341_5722615_10696_10084_10083_10618_10304_10307_10820_10821_10302_5722715_10843_10059_306_100031_10103_10624_10623_10622_
16:08 < jackbrown> 5722515_10621_10620%2Csearchweb201603_6%2CppcSwitch_5&algo_expid=3759d5e5-2876-420b-804a-6d156fe8b551-5&algo_pvid=3759d5e5-2876-420b-804a-6d156fe8b551&transAbTest=ae803_2&priceBeautifyAB=0
16:08 < noonien> how would you change the cables/power source/it in case something breaks? you break the wall?
16:09 < jackbrown> noonien, they are like a common wall plug, and mostly I'm looking for a PoE In-Wall AP
16:09 < noonien> ah, that one looks ok
16:09 < jackbrown> noonien, what do you mean by in-wall instead ?
16:09 < noonien> i was thinking you wanted to completely hide it *behind* the wall
16:10 < jackbrown> noonien, no of course this one is from UniFi (both WiFi and wired ) https://www.amazon.it/dp/B01DRM5VAG/ref=asc_df_B01DRM5VAG53503414/?tag=googshopit-21&creative=23390&creativeASIN=B01DRM5VAG&linkCode=df0&hvdev=c&hvnetw=g&hvqmt=&th=1&psc=1
16:11 < jackbrown> noonien, this one from UniFi is one of the fastest, it has also the cable plug beneath and it's PoE https://store.ubnt.com/products/inwall-ap
16:12 < noonien> sorry, i have no experience with WiFi APs. i believe that if you have decent coverage/line-of-sight it should be ok
16:12 < noonien> depends on what kind of performance/quality you want
16:13 < noonien> i personally wouldn't go with one, but maybe someone who has experience with them can help you out
16:13 < jackbrown> noonien, thanks
16:14 < jackbrown> Anyone here has experience with In-Wall AP? What would you suggest me ? In-Wall AP or ceiling mounted AP ?
16:16 < pagios> Hello, does anyone know of any opensource DNS load balancer? Idea is to have a certain domain.com that resolves every time to a different origin ip address thus load balancing the traffic. appreciate if someone can point me to a good opensource project i can rely on
16:25 < noonien> pagios: i'm pretty sure most servers can do that, you just have to setup multiple A(AAA)s
16:25 < pagios> but i need to do that based on the origin feedback, say origin returns that it is high on cpu i need to inform dns to resolve to another host
16:26 < noonien> pagios: i don't recommend doing feedback based load balancing using DNS since DNS responses are usually cached
16:27 < noonien> i'd maybe have 2-3 fixed LBs in front depending on your usage, that are balanced using DNS, then those can balance according to whatever scheme you want
16:29 < pagios> noonien, what b/w would be used on the LBs?
16:29 < pagios> how many users can they take? we are talking about livestreaming here
16:29 < noonien> as much as you need
16:29 < noonien> the point is, you shouldn't rely on DNS for dynamic load balancing, round-robin? sure
16:31 < noonien> another option for load balancing is to do it client-side, especially when you can control the client's source url
16:33 < Whiskey`> oh pagios you came over here
16:33 < Whiskey`> and got the same answers
16:34 < wpwpwpwp> can I configure my router to help non-windows machines/smartphones to resolve Windows computer names?
16:34 < wpwpwpwp> pass-through DNS server?
16:34 < wpwpwpwp> some other mechanism that is well supported?
16:35 < noonien> pagios: client load balancing is pretty great, you can have a service that provides the source urls for your content, and have that service decide what servers they should to
16:38 < noonien> should point to*
16:40 < FatalFUUU> Does any one have experience with BT's FTTC-GEA circuits? I thought it would be just like VDSL but I'm being told there is no auth and I cannot get any further (they provide equipment modem+router, but messing with our own)
16:41 < Zedax> hello there, i'm having some doubts about mtu, i have to use pppoe with my provider, and their size (maximum) is 1492, now since the standard in all devices is 1500, should i adjust the mtu in the home switches and other devices to 1492, or lower? (since for example icmp won't go out at more than 1464), does it matter if in my lan i have a way higher mtu (like if i enable jumbo of 4k?) will the router fragment and queue the packets fo
16:41 < Whiskey`> Zedax: no, your router should handle that for you
16:42 < Whiskey`> Zedax: you do not want to lower it for the LAN, the router should do MSS clamping on the WAN
16:42 < Whiskey`> Zedax: this is why end to end ICMP matters, PathMTU discovery.
16:56 < Zedax> Whiskey`: thanks, so i guess i'll leave it as it is, yes the ppp0 using wan is clamped at 1492, you mean like setting /proc/sys/net/ipv4/ip_no_pmtu_disc to 1 ?, but does pathmtu work if it is only enabled in one end?
16:58 < Zedax> Whiskey`: but what i was thinking is since the standard is 1500 and the exit is 1492, the router will have to be fragmenting everything going out, does this matter in gigabit speed?
17:08 < Whiskey`> Zedax: if your isp is giving you a gige and not using large ppp mtu support, they suck. yes some packets will need fragmented
17:08 < Whiskey`> hell, any isp using pppoe on anything but a dialup connection (pots, dsl) is stupid
17:09 < Whiskey`> they do it cause they do not know any other way to do AAA
17:23 < Abbott> I just got 3 velop mesh network routers for my house. I had only a FiOS-G1100 router before. How do I figure out if I want the g1100 as my main router or the mesh network? What are the factors to consider?
17:25 < cousin_luigi> Greetings.
17:25 < cousin_luigi> How do I avoid verifying certificates only for certain hosts using the openssh client?
17:27 < cousin_luigi> I keep forgetting this small detail...
17:31 < zenix_2k2> so one question, is there any way to forward all traffic from a port to another port using iptables but the source port still remains the same ?
17:31 < zenix_2k2> like i tried "iptables -t nat -D OUTPUT -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 5000" but it printed out my private IP on "sock, (IP, port) = socket.accept()"
17:34 < coconut> I changed my dns server setting; and now i question myself if i really have to put a DNS-server ip address on every single device inside my network? (1. modem, 2. router, 3. Wifi router in bridge, 4. pc's and other devices)
17:35 < Zedax> Whiskey`: yeah :/ most isps around use pppoe for fiber, and yes it's close to gigabit, 700Mbps, they claim any larger packet will be fragmented in their routers
17:35 < xirg> If I am using a virtual machine which uses NAT to share the host ip, can I join it to my own domain at home even though the host machine is joined to my work domain?
17:36 < xirg> i'm at work, using windows 10, joined to my work domain
17:36 < xirg> i have ubuntu running on a VM using NAT as my NIC
17:36 < zenix_2k2> so hello, anyone ?
17:36 < CustosLimen> coconut, can't you just change your router ?
17:37 < xirg> can I join my ubuntu VM to an entirely separate domain (my home domain) while the vm's host is joined to my work domain
17:37 < CustosLimen> xirg, probably yes
17:37 < CustosLimen> xirg, but I doubt this is the right place to ask
17:37 < CustosLimen> SAMBA is not really networking
17:38 < xirg> CustosLimen, i've been searching for an Active Directory channel but I can't seem to find one
17:38 < xirg> any suggestions?
17:38 < CustosLimen> xirg, try #samba
17:38 < xirg> ok ty
17:39 < coconut> CustosLimen: you're saying that putting the dns address in my router alone will be enough?
17:39 < Zedax> Whiskey`: it's not even a small city isp, it's a huge company, they also give you an ipv6 /64.. and the ipv6 routing doesn't even work, they have it disabled i guess, but it's the only option for fiber around, at least it's not that expensive, 40 something
17:39 < CustosLimen> coconut, well - how I have my router set up is I run a DNS server on it which redirects to other DNS servers
17:40 < CustosLimen> coconut, basically DNS proxy
17:40 < CustosLimen> coconut, so each device gets router IP for gateway and dns
17:40 < CustosLimen> coconut, on router I can then manually set where this goes to - so I can send it to 8.8.8.8 and 1.1.1.1 or something
17:40 < CustosLimen> coconut, most routers should be able to do it
17:41 < CustosLimen> coconut, but another option is to just change the dhcp settings on your router to give each dhcp client 1.1.1.1 as dns ip
17:43 < coconut> ok, thanks. I have changed it in every device here at the moment.
17:43 < electricmilk> Anyone recommend open-source/free network diagram drawing software? I see several options but wanted to get input from those experienced.
17:46 < coconut> CustosLimen: what happens when a destination is not found from the dns proxy? Will my router detect that and try to invoke on the outside dns server?
17:47 < detha> electricmilk: http://asciiflow.com/
17:48 < electricmilk> detha, Thank you. Looks cool but I can't add images. hmmm
17:48 < electricmilk> (Obviously as it's an ascii tool)
17:49 < CustosLimen> coconut, what router are you using?
17:49 < detha> that's the point. images detract from design
17:49 < CustosLimen> coconut, if the router provides a DNS proxy then yes - it will route to external dns you configure
17:49 < CustosLimen> coconut, or should
17:49 < CustosLimen> coconut, if you tell router to just give external ip as dns then dns request will just go there (via router though)
17:49 < coconut> CustosLimen: and is it wise to put my preferred dns server ip configured on my laptop, when i would be outside on a public wifi somewhere? Would this work to override the settings in town somewhere else?
17:50 < CustosLimen> coconut, well I dunno what you do on your laptop
17:51 < CustosLimen> coconut, if you use networkd then you can override dns coming from dhcp easily
17:51 < CustosLimen> coconut, and then yes it will work
17:51 < CustosLimen> coconut, I dunno how to do it with other things but this is generally possible yes
17:52 < coconut> CustosLimen: for this example it's just a Macbook
17:53 < CustosLimen> coconut, okay I dunno how to do anything with mac - but it should be possible - best to ask in channel for mac though
17:54 < coconut> Will do that, thanks a lot.
17:55 < coconut> CustosLimen: is there a time standard too for the cache getting remembered inside the dns proxy of routers, or are all different?
17:56 < station> if I get a POE Injector are there also adapters to get it out or has the equipment to be compatible with POE til the end of hardware POE support
17:57 < coconut> I assume no standard myself, just wanted to be sure...
17:57 < station> POE over 35m for a router without POE
17:57 < djph> station: what?
17:58 < CustosLimen> coconut, generally a DNS entry has a TTL
17:58 < CustosLimen> coconut, and if you run a dns proxy on router it will honour this
17:58 < station> I presume only standard poe goes so long efficiently (standard is the af max 52v?)
17:59 < CustosLimen> coconut, most routers use this: https://en.wikipedia.org/wiki/Dnsmasq
17:59 < djph> station: WHAT?!
18:01 < station> I'm lacking their names but there is POE with 4 wires 100mb 2 for ground and 2 + with this setup for 35 meter and 24v on the other end i could only measure max 7v 0.002ah
18:01 < djph> station: you're not making any sense. What is it you're trying to do?
18:01 < station> so I need something more efficient
18:01 <+catphish> station: yes you can extract power from a PoE line
18:02 < station> can't find the extractor
18:02 < djph> also, if you're losing that much voltage over 1/3 the max distance, there's something wrong with the cable.
18:02 < station> for af POE
18:02 <+catphish> https://www.amazon.co.uk/TP-LINK-TL-PoE10R-TL-POE10R-PoE-Splitter/dp/B001PS4NWW
18:03 < station> so would it function with this
18:03 <+catphish> with what?
18:03 <+catphish> that will extract 5v, 9v or 12v from 802.1af
18:04 < station> I'll add later 2 CCTV without POE to the router with 4-2-2 POE on short distance cable
18:04 < station> https://www.google.com/search?q=LACPI30-EU&client=firefox-b&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjYl6a01_bbAhVSKywKHaZhBjMQ_AUICigB#imgrc=DvhnY-Q-WxTXsM:
18:04 <+catphish> if you want long distance, you want to use 802.3af because the high voltage will cover more distance
18:04 < electricmilk> Is having an inventory of all devices on the network in a network diagram recommended? Or do you guys use something separate? I tried SpiceWorks Inventory software but was not impressed.
18:05 < electricmilk> I suppose having a diagram and inventory software would be ideal.
18:05 <+catphish> station: that device i linked to can come with its own injector, but it'll support any 802.3af injector
18:05 <+catphish> station: that LACPI30 is 802.3af so it'll work with the splitter i linked
18:06 < station> super thanks guys / gils //
18:06 <+catphish> good luck
18:08 < coconut> CustosLimen: yes i have used dnsmasq once on a dd-wrt router.
18:31 < coconut> CustosLimen: is there any cli tool for testing whether i use my custom dns server?
18:49 < aloevera> The notion of free will. At high speeds what is stopping you from jerking the steering wheel and rolling over to your death?
18:57 < RustyJ> my will to live...and or my new car not getting dents and me getting a wheelchair for life?
18:58 < RustyJ> lol off-topic and nonsense, didn't realize which channel i scrolled by.
19:35 < station> replacing router antennas can increase range?
19:36 < Sout> yes...
19:37 < Aeso> Sometimes. There's a lot of potential causes for limited range that buying larger antennas for the router won't fix.
19:37 < Sout> all it will do is refocus / better optimise the rf energy, thus increasing the range. (assuming you're talking about passive antennas)
19:37 < Sout> yep ^^^
19:38 <+pppingme> In most cases, multiple AP's is a better answer, especially if you have lots of users
19:40 < coconut> pppingme: any brand you can recommend for AP's? (i hear ubiquity is great myself)
19:41 < Aeso> coconut, depends on what your requirements are. Are we talking SOHO? Small business? Enterprise?
19:41 < coconut> No just home, but i do like when it's great though.
19:42 < ||cw> and single AP or multiple? do you need SIP to switch over between APs?
19:42 < Aeso> coconut, Ubiquiti is plenty capable for a home environment. I run one myself.
19:42 <+pppingme> That's almost a religious question, but I will say this, get AP's that are geared toward working in a multiple AP situation, don't just throw random stuff at it
19:46 < coconut> what's SIP? I have too short range with my AP currently, so i guess i need two... although i am on 802.11N AP now, so i can't say.
19:47 < electricmilk> coconut, It's a protocol used for voice.
19:48 < ||cw> if speed isn't important a repeater is probably fine. unifi APs are pretty great for the price though
19:48 < coconut> Oh, like VoIP.
19:48 < ||cw> but if you use a voip app on your cell phone, the call will drop when you switch APs
19:48 <+pppingme> no, no, no, no, never use a repeater, never, ever, never
19:48 < coconut> lol
19:49 < goldstar> anyone setup an ipsec tunnel between a linux box (Strongswan in my case) and a zyxel usg ? The tunnel is up, the child_sa established, but no traffic is being sent from each endpoint
19:49 < ||cw> eh, it's fine for the home users wanting to check email
19:50 < electricmilk> coconut, Yes SIP is one of the specific protocols that enables VOIP
19:50 <+pppingme> goldstar can you ping between devices using the endpoint ip's?
19:50 < goldstar> pppingme: no
19:51 <+pppingme> goldstar remove any fw rules, access lists, etc and re-test
19:53 < coconut> pppingme: would i be better to buy a ubiquity AP with longer range, or just buy two and connect those?
19:55 < goldstar> pppingme: no luck
19:55 <+pppingme> coconut_away how many users?
19:56 < ||cw> coconut_away: depends on why your range is short, and what you have now, and what range you expect. the ratings are "ideal" ratings, in most environments you get far less, especially if your house has lath and plaster walls
19:59 < coconut_away> base of three users, sometimes 4/5... with an exception of 6 or more when there are visits.
20:01 < coconut> I have a (not latest) airport extreme currently.
20:02 < coconut> Range is basically just too short for the balcony and bedroom.
20:04 < coconut> Lots of plaster and wood here.
20:05 < ||cw> so compare that device's range ratings with the unifi's
20:06 < coconut> Range should be like 5 or 6 meters better on these places i guess. And then there is the garden where i would like to have wifi too.
20:06 < ||cw> also exterior walls, or walls that used to be exterior but aren't anymore due to an addition, will have more drop.
20:06 < coconut> Yes i should just check first.
20:08 < bytechanger> I want to setup an application server, that hosts for example a video player. Once the user connects through Remote Desktop Connect and launches the video player and requests a video off the internet. I'd like the bandwidth to just go through his connection. So it doesn't gobble up all my limited bandwidth. Does this make sense? Is it possible? I'm thinking not because the video player
20:08 < bytechanger> still has to display the content...
20:09 < meth> hello there
20:10 < meth> Do you guys know if the tech is something now or not, I was thinking about using a VDSL modem that plugs into PCIe instead of using a standalone modem
20:10 < meth> is that something now or in the past?
20:12 < lordvadr> meth: There were ADSL PCI cards back in the day, but I don't think anything like that exists anymore. 20:13 < lordvadr> I stand corrected: http://www.draytekusa.com/vigornic-132-series 20:14 < meth> that's good 20:15 < meth> it has an RJ11 port which is brilliant 20:16 < meth> $400 :O 20:16 < lordvadr> And you can get it with SFP. I don't know if it's just a "router on a card" or if it exposes an interface to the host as well (I would assume it would?). 20:17 < lordvadr> Yeah, there's some cost to it. 20:33 < funabashi> hey guys, u are geeks. and i have an issue. my browser chrome sucks. always "waiting on cache" and i have cleaned it.. what's the next step, geeks? 20:36 < funabashi> https://i.imgur.com/ZcwNiUk.png 20:39 < lordvadr> funabashi: Do you think coming in here and attempting to insult us is going to get you help? 20:39 < sncr> ^ 20:39 < sncr> rephrase the question and try again 20:45 < jackbrown> Anyone here has experience with In-Wall APs? What would you suggest? In-Wall AP or ceiling mounted AP ? 20:45 < Dalton> what kind of space are you trying to cover with the wifis? 20:45 < lordvadr> jackbrown: In-wall? There are plenty that can be mounted above a drop ceiling for example. 20:46 < jackbrown> lordvadr, drop ceiling ? 20:46 < Dalton> in wall is a UBNT only thing, i believe 20:46 < lordvadr> ceiling, yeah, the kind of ceilings you find in a lot of offices. What exactly are you trying to accomplish. 20:47 < jackbrown> lordvadr, I mean this https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTsTfnxYMbQNsB5JquYgNhRlW6MDyGqsbOnpUaICf1ixDCAxARy 20:47 < lordvadr> Oh, I've seen those. Either way, I don't know what you're trying to accomplish, so I can't make a recommendation. 
20:47 < jackbrown> lordvadr, it's for a home lan and I'm trying to find the best solution for aesthetic reasons, so I was thinking that the wall mounted AP just blends in with all the plugs, plus it has an accessible RJ45 plug for cable connection too 20:48 <+catphish> well those are cool 20:48 < jackbrown> lordvadr, or this too (RJ45 ethernet port is above, not in front, in this model) https://www.balticnetworks.com/media/catalog/product/cache/1/image/9df78eab33525d08d6e5fb8d27136e95/u/a/uap-ac-iw.jpg 20:48 < lordvadr> A lot of decent APs look pretty sharp wall-mounted. 20:48 <+catphish> you just aren't going to get the range you do with a large ceiling mounted device 20:48 < jackbrown> lordvadr, can you suggest me something other than Unifi for example ? I'd like to compare prices and specs 20:49 < lordvadr> I need to know what you want to accomplish. Is this a new install? Can you run new cable? Are you comfortable configured an AP? 20:49 < jackbrown> catphish, because you can install the ceiling one in the middle of the room so it will have a better range ? 20:49 < lordvadr> s/configured/configuring/ 20:50 <+catphish> because it has more space for antennas 20:50 < jackbrown> lordvadr, yes to all, i'm refitting my personal home so I have some aesthetic needs too since it's an ancient building and a ceiling unit maybe could be a little bit inappropriate 20:50 <+catphish> its shape is designed to suit the antenna placement instead of being constrained into a wall socket 20:50 < jackbrown> catphish, any AP unit you can suggest me so i can check specs ? 
thanks 20:50 <+catphish> also wall sockets are likely metal backed, that's gonna make a mess of any signal 20:51 <+catphish> jackbrown: i have no idea of your requirements 20:51 <+catphish> (or budget) 20:51 <+catphish> so no 20:51 <+catphish> personally i use Unifi AC LR 20:52 < jackbrown> catphish, budget around 100€ each AP and my needs as I said are for a home lan, preferably I'd like to have a dual band 2.4/5GHz WiFi 20:52 < jackbrown> catphish, ok I think that I'll buy Unifi then, everybody is suggesting that 20:52 <+catphish> the unifi ac lr meets your budget, it's ceiling mounted though 20:53 <+catphish> i believe you need a server to manage them, or a https://www.ubnt.com/unifi/unifi-cloud-key/ 21:10 < ||cw> they are a pain to manage without a server, but you don't have to leave the server running for them to work 21:14 < derpingit> hi guys.. i've successfully set up a zone based firewall on my ubiquiti edgerouter.. i was wondering if i could have someone look at my firewall rules and tell me if they're optimal and secure, and if it's even safe to post my current configuration 21:15 < jackbrown> catphish, ||cw what do you mean by a server ? 21:15 < derpingit> you know.. security through obscurity 21:15 < jackbrown> catphish, ||cw a router ? a switch ? 21:15 <+catphish> no, a server 21:15 < ||cw> jackbrown: their server software, to configure and manage them. it's pretty great stuff actually 21:16 < ||cw> and it runs in a linux VM just fine 21:16 < jackbrown> ||cw, never heard of a server, the same one that is used for recording their cameras? 21:16 <+catphish> yes, i think so 21:16 <+catphish> it may run on a windows pc, i'm not sure 21:17 < jackbrown> this one ? 
https://www.ubnt.com/unifi-video/unifi-nvr/ 21:17 <+catphish> i have no idea about that 21:17 <+catphish> i mean i don't know if you can use that to control access points 21:18 <+catphish> i suspect not 21:18 < jackbrown> Anyway I already know about UBNT products (Unifi and Ubiquiti) I think that they are a good choice for budget and specs, BUT I'd like to compare them with other brands. 21:18 < ||cw> this one https://www.ubnt.com/software/ click unifi 21:18 < jackbrown> Is there another brand that fits my needs so I can compare ? Here it seems that everybody knows just Ubiquiti 21:18 <+catphish> well you can look at tp-link, and mikrotik for starters 21:19 < jackbrown> catphish, ok thanks 21:19 <+catphish> i might try out fs.com access points some time 21:19 < ||cw> ah, looks like they have an app now, so should be easy without the server 21:20 < ||cw> tp-link's OK, it's consumer grade. mikrotik can be pricey 21:20 < jackbrown> yes but I think it's too much for a home environment, I thought that once the APs were connected to a good managed switch that already has its own software I was done 21:21 <+catphish> https://help.ubnt.com/hc/en-us/articles/115012360487-UniFi-Getting-Started-with-the-UniFi-Mobile-App#configuration%20scenario 21:21 <+catphish> looks like you can configure the APs directly 21:22 <+catphish> ||cw: that's handy to know 21:22 < jackbrown> catphish, yeah usually it's always that way, plus if you have a managed switch (that I want to buy) you can manage all the PoE RJ45 ports where those APs and cameras will be connected 21:23 <+catphish> these look cool https://www.fs.com/products/20013.html 21:24 < tds> neat, I didn't realise fs.com did their own brand APs as well 21:24 < jackbrown> catphish, Unifi Ubiquiti ? 
21:24 <+catphish> tds: they do a few random things, mostly high end switches 21:24 < Apachez> yeah 21:25 <+catphish> but also a few random bits, they have some nice cheap CCTV stuff 21:25 < tds> yeah, I've seen their switches and wdm gear before, just didn't know they did APs 21:25 < Apachez> they dropped their 10G switches by $800 yesterday or something :) 21:25 <+catphish> i was looking yesterday to see if they did a budget 10G switch 21:25 <+catphish> they don't 21:25 <+catphish> i guess https://www.fs.com/products/29127.html is cheap for what it is 21:26 < tds> iirc they do some fancy whitebox switches? 21:26 < Apachez> hell they even have cat8 cables now :D 21:26 <+catphish> but that's the cheapest 10G switch 21:26 < Apachez> tds: they do both https://www.fs.com/c/ethernet-switches-3079 21:27 < Apachez> https://www.fs.com/products/69404.html S5800-8TF12S 12-Port 10GE SFP+ L2/L3 Switch with 8 Gigabit RJ45/SFP Combo Ports for Hyper-Converged Infrastructure $1899 21:27 <+catphish> https://www.fs.com/products/35290.html 21:28 < Apachez> https://www.fs.com/products/72275.html S5900-24S 24-Port 10GE SFP+ L2/L3/MPLS Managed Switch $1999 21:28 < jackbrown> look at this, it's like a fire alarm sensor (chinese stuff) https://www.aliexpress.com/item/300Mbps-RJ45-Wifi-Adapter-POE-Supported-Ceiling-Access-Point-Wireless-WiFi-AP-Routers/32543886509.html? 21:28 < Apachez> https://www.fs.com/products/69226.html N5850-48S6Q (48*10GbE+6*40GbE) 10GbE ToR/Leaf Switch Preloaded ONIE $2999 21:28 < Apachez> https://www.fs.com/products/69341.html N5850-48S6Q (48*10GbE+6*40GbE) 10G SDN Switch with L2/L3 ICOS $4419 21:28 <+catphish> Apachez: getting pricey there :) 21:29 < Apachez> I wouldn't count https://www.fs.com/products/29127.html as a 10G switch 21:29 < jackbrown> Anyway Unifi seems the best choice, plus it doesn't seem that it has competitors because it's the only one that produces everything I need, I mean APs and cameras, am I wrong ? 
21:29 < Apachez> that's a 1G switch to me (who happens to have 10G uplinks) 21:29 <+catphish> Apachez: oh, my bad, i thought it was all 10G! 21:29 <+catphish> considering it's listed under 10G switches 21:29 <+catphish> yeah their switches aren't cheap :( 21:30 < Apachez> ubnt ES-48-LITE can be an option then 21:30 < Apachez> 48x1G + 2x10G SFP+ 21:30 < Apachez> catphish: no it wasn't, 21:30 < Apachez> https://www.fs.com/c/10g-switches-3256 ohh right 21:30 < Apachez> prob a mistake 21:31 <+catphish> yeah 21:31 <+catphish> this one makes more sense https://www.fs.com/products/72275.html 21:31 <+catphish> not a bad price 21:31 < Apachez> ES-48-LITE goes for $375 21:32 < Apachez> or this puppy https://www.ubnt.com/edgemax/edgeswitch-16-xg/ for $600 21:32 <+catphish> Apachez: much better value :) 21:33 <+catphish> i don't think i'd entrust that with my SAN though 21:33 < Apachez> or if you want bgp and shit then this one https://www.ubnt.com/edgemax/edgerouter-infinity/ for $1450 21:33 < Apachez> well if you want to throw money and have high reliability then go for allied telesis gear 21:33 < tds> i've heard very mixed things about that ubnt switch and support for sfp+ modules 21:34 < tds> I think mikrotik have a very cheap 16 port 10Gb switch, if you don't care about L3 on the switch 21:35 * catphish awaits open source 10G switch 21:35 < Apachez> like these http://www.alliedtelesis.com/products/xs900mx-series or these http://www.alliedtelesis.com/products/switches/x550-series 21:35 < Apachez> tds: ubnt will accept any sfp+ modules as long as they follow the MSA standard or whatever the sfp standard is called 21:35 <+catphish> "in theory" 21:36 < tds> catphish: there are the whitebox ones with cumulus if you want something debian-like, I think that still has some binary blobs to talk to the actual switch asics though 21:36 < Apachez> they have accepted all the sfp's I have found at work and thrown at it 21:36 < Apachez> yeah cumulus would be accepted as a good whitebox 
solution 21:36 < tds> hmm, I think they may have improved things in firmware updates more recently, I just saw quite a few complaints in forums a while ago 21:36 < Apachez> downside is that it will cost shit anyway 21:37 < Apachez> it's not like you can get a 24 int sfp+ l3 switch for like $100 and then throw ubuntu at it and it will work out of the box 21:37 < tds> lol 21:37 <+catphish> tds: it's a total mystery to me why switch makers are so secretive about their APIs :( 21:38 < Apachez> also you will have many more attack vectors with whiteboxes 21:38 < Apachez> specially those that use a regular os as the mgmt plane backend 21:38 <+catphish> tds: can't even get a 1G switch with more than 5 ports and an open api 21:38 < Apachez> I prefer my switches and routers do what they are supposed to do and that's it 21:38 < Apachez> not start to use docker and vm's and shit 21:38 < Apachez> that's what servers are for 21:38 <+catphish> well indeed 21:38 < Apachez> HPE have started that shit too 21:39 < tds> then you can get your switch compromised and have people start mining on it ;) 21:39 < Apachez> with the 54xx series 21:39 < Apachez> I get it if you want EVERYTHING in like 2 RU space 21:39 < Apachez> but those cases are really limited 21:39 <+catphish> the stupid irony is that traditionally these devices have been woefully lacking in cpu/ram 21:40 <+catphish> why can't they find a middle ground, something that has enough cpu/ram to do routing protocols fast 21:40 <+catphish> without feeling the need to also be a server 21:40 <+catphish> something like a 1GHz dual core arm with 4GB RAM would be lovely 21:41 <+catphish> instead we have to choose between a crappy mips, or a 6 core xeon :) 21:42 < tds> hmm, I wonder what specs those fs.com switches from earlier have 21:42 < tds> oh yeah, they're 4GB RAM + a little quad core x86 chip 21:46 < Apachez> prob a MIPS on that broadcom chip 21:46 < Apachez> ubiquiti are heavy users of cavium chips 21:47 < Apachez> those are brutal (well there 
are several models available but the highend chips will give even girls a boner ;) 21:48 < Mr_Roboto1> Apachez: I wonder if it's for the SDN people 22:09 <+catphish> i'm not a fan of cavium any more, pointless api secrecy, random packet corruption, not my cup of tea 22:39 < Apachez> funny name: check, website: check, logotype: check - https://alter-attack.net/ 22:50 < tds> somehow that site seems to have lots of words without really saying much, or is that just me? :P 23:00 < ||cw> tds: seems to say enough. it's meant to be high level. 23:16 * spaces tries to love Apachez 23:16 < spaces> catphish cavium ? 23:20 < npgm> I need to talk to two servers on identical subnets with identical ip addresses (these networks are physically separated). I can't change anything on these networks. How can I configure a machine with 2-3 nics to be able to address these hosts uniquely? 23:22 < npgm> Because I can connect to it on a switch, I was thinking that I could assign static arp mappings to disambiguate the hosts. Can a host respond to TCP packets whose IP does not correspond to the host's IP? 23:24 < fryguy> add SNAT rules on your router and do a VIP type setup, basically redefine what the IPs are on your internal network and then route out to each one via SNAT 23:25 < npgm> I have no control over these networks unfortunately. Do you mean I could introduce a router to sit between me and these networks? 23:25 < fryguy> so if the IP is 192.168.100.100, add a snat rule for 192.168.99.100 and 192.168.98.100, each one rewrites the IP to 192.168.100.100 and goes out the corresponding interface of your router 23:26 < fryguy> your router could be your actual machine here (anything with multiple NICs) 23:27 < npgm> yes, that would be good. but first, what do you think of the static arp idea? I want the most reductionist approach possible. 
23:27 < fryguy> not sure how static arp helps you 23:29 < npgm> I was hoping I could come up with my own IPs mapped to each host's mac address to disambiguate the hosts 23:29 < npgm> or will that break layer 3 comm? 23:29 < fryguy> the host will drop the packet on the way in because the IP won't match 23:29 < tds> I mean you can do that with static arp, hosts will ignore traffic to their mac address if it's for an ip not bound to an interface though 23:30 < npgm> tds: no way around that I'm guessing? 23:30 < npgm> these are windows boxes - but again, no ability to control the boxes 23:31 < tds> some kind of nat mess would likely work as fryguy suggested 23:31 < tds> if you can, doing this in isolated network namespaces/containers/vms/whatever would be a far nicer solution in my opinion 23:32 < npgm> tds: I don't have enough context to understand how that would help 23:32 < npgm> afk for a bit 23:33 < fryguy> npgm: tldr; instead of having 2 nics on one machine, have 2 machines with 1 nic each (via VMs) 23:33 < tds> if you just need to be able to connect to two different networks with the same subnet, but with different applications, isolating them with namespaces/whatever would be a nicer solution than NATing in my opinion 23:33 < tds> ^ that 23:35 < julius> hi 23:35 < Aeso> hi 23:44 < dunnousername> Is the latency between Wi-Fi devices on the same network measured in microseconds or milliseconds, or tens of milliseconds? How does it compare to ethernet? 23:45 < dunnousername> like if the devices are 1 meter apart 23:46 < Wixy> Hey all! Do you recognize this output? https://imgur.com/a/RXv4Xvq 23:46 < tds> in terms of order of magnitude, I'd expect rtts of ~1ms for wifi and ~0.1ms for a plain wired rj45 ethernet connection 23:46 < Wixy> What generates something like that? 23:46 < E1ephant> tds: why, isn't energy slower through copper than air? 
23:46 < Wixy> Looks like the log of a standard tool, not sure which 23:46 < E1ephant> in terms of actual media, air will be faster no? 23:47 < E1ephant> serialization might be slower 23:47 < dunnousername> tds, I wanted to network a cluster of devices, and not get a huge switch 23:47 < E1ephant> lol 23:47 < dunnousername> is that a bad use case? 23:47 < dunnousername> *how bad 23:47 < E1ephant> like an office? 23:48 < E1ephant> you need to define your use case with more detail 23:48 < dunnousername> A bunch of raspberry pi-like devices 23:48 < dunnousername> in a small space 23:48 < E1ephant> and the difference between 1ms and 1 microsecond matters? 23:49 < dunnousername> Maybe... 23:49 < E1ephant> (tbh I don't think IP or ethernet will satisfy this.) 23:49 < dunnousername> Not 1 microsecond though 23:49 < dunnousername> more like 100 microseconds 23:49 < dunnousername> Just not a hundred ms ping 23:50 < E1ephant> 100 ms or 100 microseconds? 23:50 < E1ephant> kinda huge difference 23:50 < ||cw> E1ephant: well, in a "silent" environment with a 1:1 raw transmission, sure, air might be faster. in reality there is a lot of noise and overhead in the wifi spectrums 23:50 < dunnousername> My acceptable range is 0.1 to 10 milliseconds 23:50 < dunnousername> so 100 microseconds to 10 milliseconds 23:50 < ||cw> it's like shouting at someone across a convention floor vs whispering into a sound tube 23:50 < E1ephant> ||cw: is that why microwave use is popular when latency is a concern? 23:51 < ||cw> wifi is microwave 23:51 < E1ephant> yes 23:51 < E1ephant> and it's used extensively as a faster medium than fiber 23:51 < ||cw> but you mean point to point microwave, which is focused to reduce noise, and has less overhead 23:51 < E1ephant> in financial trading, and similar activities that have actual low latency use cases 23:51 < dunnousername> Will things break if I have that many wifi devices (dozens maybe) in a confined space? 
23:52 < Aeso> yes, especially if you care about latency 23:52 < Aeso> dunnousername, the big problem here is the shared medium of a PTMP wireless system 23:52 < E1ephant> ||cw: exactly, you're getting closer to the right questions 23:52 < ||cw> idk about faster than fiber, but it's certainly easier to deploy in a metro 23:52 < dunnousername> So I pretty much need to use ethernet? 23:52 < Aeso> dunnousername, yes. 23:53 < E1ephant> under what justification? 23:53 < dunnousername> One more question then - are there any standard form factors for switches smaller than 19-inch rack mount 23:53 < E1ephant> if you have 24 devices, on a single AP 23:53 < E1ephant> are you guys seeing 100ms+ latency? 23:53 < E1ephant> I see less than 10 23:53 < Aeso> You can't control tail latencies due to interference, unless you want to build a giant faraday cage around your setup 23:53 < ||cw> E1ephant: depends on how many are actually transferring 23:53 < dunnousername> I think I'm confusing everyone, or maybe I'm confused 23:53 < Aeso> so inevitably some of your RTTs will spike 23:54 < E1ephant> you guys haven't even asked about noise 23:54 < ||cw> there is always noise 23:54 < Aeso> also consider: when one device is transmitting, no other device can also be transmitting (MU-MIMO aside) 23:54 < ||cw> dunnousername: I'm sure you have at least 2 wifi devices around, just test it. 23:55 < E1ephant> dunnousername: so far you haven't listed a requirement that precludes 802.11 as far as I can see 23:55 < Aeso> so you may be able to achieve <10ms median latencies, but your tail latencies will be atrocious 23:55 < E1ephant> there are many, many people operating environments with 25 to 40 devices per AP without issues. 23:56 < Aeso> ||cw, HFT trading companies often use purpose built, ultra low latency 60+GHz PTP gear because it's faster than fiber 23:56 < josh461_> having trouble passing traffic over site-to-site vpn. can anyone help shed some light? 
23:57 < E1ephant> josh461_: just ask/pastebin, don't ask to ask :) 23:58 < ||cw> E1ephant: I'm currently seeing 1-3ms on a ping, but I have very little wifi traffic and only 8 devices connected. 23:58 < josh461_> i've got two opnsense firewalls. trying to set up a site-to-site ipsec vpn. the ipsec tunnel comes up fine and i can ping each firewall but not anything on the remote network. i have firewall rules on the ipsec interface to allow traffic from ipsec > lan. any ideas? --- Log closed Fri Jun 29 00:00:15 2018