--- Log opened Tue Jul 10 00:00:12 2018
--- Day changed Tue Jul 10 2018
00:00 < E1ephant> eh, it's good for the price/prosumer level, not quite enterprise but they are making progress now
00:00 < xamithan> dell has all that force10 stuff. Its pretty good if you get the enterprise stuff
00:00 < dimino> hey, does the value 127 ring any bells for anyone with regards to connection timeouts?
00:01 < Maarten> tds, the consumer brand netgears - at least some of them - can be managed.... but unlike the larger devides that come with their own built in web interface you have to use some crappy software to manage them. Other than that, solid switches imho
00:01 < Maarten> https://www.amazon.com/dp/B00MPVR50A/ref=sspa_dk_detail_0?pd_rd_i=B0000BVYT3 - these are cheap simple unmanaged.... and pretty good for the cheapness of them. You still get the classic metal box :)
00:01 < tds> Maarten: ah right, the netgears I've seen have had management over a web ui/telnet/ssh/serial, I'm sure there are some far worse ones out there though ;)
00:02 < E1ephant> for that price you can get managed though?
00:02 < Maarten> https://www.amazon.com/dp/B00M1C0186/ref=sspa_dk_detail_0?pd_rd_i=B0000BVYT3&th=1 --- managed one.
00:03 < Maarten> I have like 4 of those 8-porters spread around the house lol
00:03 < E1ephant> https://mikrotik.com/product/RB750UPr2
00:04 < E1ephant> managed and poe for the same pricepoint
00:04 < E1ephant> stupid cheap: https://mikrotik.com/product/RB750r2
00:07 < Maarten> E1ephant, stupid cheap maybe, also stupid slow.... test tab reveals it only routes up to 490-ish Mbps. And a LOT less if you enable any features.
00:08 < Maarten> besides, I built my own PFSense firewall, works fine and routes 1 Gbps in both directions.
00:16 < ali1234> 490Mbps is pretty good considering it only has 10/100 ethernet
00:19 < Maarten> ali1234, well that explains why :P
00:20 < ali1234> apparently the non-lite version has 10/100/1000
00:20 < ali1234> it claims 1972Mpbs
00:20 <+catphish> i'd say 490Mbps was not entirely possible on 10/100 :)
00:20 < ali1234> i don't understand how that's possible, but whatever
00:20 <+pppingme> you aren't getting 490mb/s on a 100 mb/s nic
00:20 < ali1234> https://mikrotik.com/product/RB750Gr3#fndtn-testresults
00:21 <+catphish> that's got gig ports
00:21 < ali1234> and they claim 2 gig throughput?
00:22 <+catphish> sure
00:22 <+catphish> why not
00:22 < ali1234> all ports at once?
00:22 <+catphish> only 2 ports
00:22 <+catphish> it has 5 total
00:22 < ali1234> what exactly are they claiming?
00:22 < Maarten> so 1 Gbps up, and 1 Gbps down at the same time..... that's not uncommon anymore in residential internet these days
00:23 <+catphish> they're claiming it can bridge 2gbps across any of its ports
00:23 < Maarten> maybe they can do port bonding? If you have a compatible dual port intel card....
00:23 <+catphish> maybe 1G on 2 ports maybe 500M on 4 ports :)
00:23 <+catphish> it doesn't matter
00:23 <+catphish> 2G total
00:23 < ali1234> so 1G in and 1G out again?
00:24 < ali1234> (on a different port)
00:24 <+catphish> oh routing too, it can route at 2Gbps nice
00:24 <+catphish> there's no "in" and "out"
00:24 < Maarten> its a switch, so the switch can process 2 Gbit/s.... that could be 1 Gbps flowing through port 1 and out of port 4, and another 1 Gbps flowing into port 2 and out of 3
00:24 <+catphish> it can handle 2G total, ie 2 G of traffic from any combination of ports
00:25 < Maarten> right what he said
00:25 <+catphish> actually its a router too, it can route 2Gbps
00:26 <+catphish> it has 5 ports so there are 5 directions traffic can come from, not just "in" and "out" think of it more like a roundabout than a stargate
00:26 <+catphish> but sure, if you only use 2 ports as "WAN" and "LAN" then it can do 1G each way
00:27 <+catphish> (at the same time)
00:27 < ali1234> i see. so that's not terrible then?
00:27 <+catphish> not at all
00:27 <+catphish> that's a very very impressive spec for a cheap device
00:27 < rhineheart_m> hello guys! Can you recommend GPON for 2 KMS FOC install?
00:28 <+catphish> rhineheart_m: i think more info would be needed, one would never use gpon for a *single* install
00:29 <+catphish> for a point to point link you just use ethernet
00:29 < rhineheart_m> it's for a community of like 50 endpoints
00:29 <+catphish> ok, then maybe gpon makes sense, though i still prefer ethernet
00:30 < rhineheart_m> what if the reason for this is just to avert the effects of surges made by lightning strikes
00:30 <+catphish> reason for what?
00:31 <+catphish> lightning doesn't affest fiber afaik, so that can be igored
00:31 < rhineheart_m> aside from bandwidth concerns
00:31 < rhineheart_m> it is not that susceptible than a copper run
00:31 <+catphish> much less so i'd think
00:32 <+catphish> first of all, you would never install a 2km copper run in 2018
00:32 <+catphish> don't even entertain the idea unless it's essential for some reason
00:32 <+catphish> you always want fiber ethernet or gpon if possible
00:33 <+catphish> 2km of copper is not going to give speeds people need these days
00:33 <+catphish> even with VDSL2, it sucks at that distance
00:33 < JazzyDude> it probably won't affect fiber the medium itself, but something else in the datapath may be affected by it
00:33 <+catphish> well sure
00:33 < JazzyDude> something that doesn't use fiber, I mean
00:34 <+catphish> rhineheart_m: anyway, you want to know if you should use gpon over other fiber options? or looking for advice on how to deploy it?
00:40 < rhineheart_m> it's not a single run..
00:41 <+catphish> you said, 50 endpoints
00:41 < rhineheart_m> yeah. I just mentioned it again. Somehow you miss it.
00:41 <+catphish> ?
00:42 < spaces> anyone doing caching networks ?
00:42 < spaces> so lots of traffic
00:42 <+catphish> you said it was for 50 endpoints, i said gpon might make sense for that kind of deployment
00:42 < rhineheart_m> or perhaps the better inquiry is... what benefits I can get over gpon than other foc deploys on 50 endpoints
00:43 <+catphish> you have 3 options: 5 separate runs, a switch, or PON
00:43 <+catphish> *50
00:44 <+catphish> PON is likely the cheapest and most inferior option
00:44 <+catphish> but it's popular because it's cheap and requires less hardware to be installed overall i believe
00:44 < rhineheart_m> got it, catphish. Thank you!
00:45 < rhineheart_m> in our place... just 2 days.. the cost of a rent is equal to the cost of the machine :D
00:46 < rhineheart_m> I am referring to a splicer/fusion machine
00:47 <+catphish> if you're installing fiber i assume it's worth buying a splicer
00:48 < rhineheart_m> especially if you do the maintenance
00:48 < rhineheart_m> any trusted brand to recommend?
00:48 < rhineheart_m> I am looking on this..  https://www.amazon.com/OrangeA-Splicer-Automatic-JW4108S-Digital/dp/B071J65SCT/ref=sr_1_1?ie=UTF8&qid=1531170588&sr=8-1&keywords=splicer+fiber
00:49 < rhineheart_m> another one.. which is from china :D  https://www.aliexpress.com/item/English-menu-Fiber-Fusion-splicing-machine-DVP-760H-Fiber-Optic-Fusion-Splicer-DVP-760H-FTTH-Optical/32809172061.html
00:50 <+catphish> i'm afraid i have no direct experience with it
00:50 <+catphish> i can only share what i know of the general concepts
01:03 < hfp> E1ephant, Maarten: the thing is... I don't know what to do with a managed switch, I'm not using VLANs because I don't understand them (yet) or what they're for
01:04 < Maarten> yeah I wouldn't worry about it then.... I don't really use them either by the way, but I may play with it to separate my IoT devices from my regular network.
01:14 <+catphish> i sleep nonw
01:16 < hfp> Ha, I found some GSM7312 switches, 20$ for one, 60$ for 4. It looks like they're managed gigabit switches. Worth it?
01:24 < E1ephant> hfp: a managed switch can help get traffic metrics on a per-port basis
01:25 < E1ephant> they can also lead insight into port errors or link status, advanced sw/hw will do TDR down copper lines
01:31 < Apachez> TDR ?
01:31 < Apachez> hfp: you do the math?
01:32 < Apachez> there might be a reason why these are thrown out for $20? ;)
01:50 < spaces> E1ephant stay FAR AWAY from Apachez, he thinks he is a Helicopter or a Webserver... it can get worse with you!
01:50 < spaces> hph^ ^:P
01:51 < Apachez> E1ephant: wanna hug?
01:54 < spaces> Apachez you didn't pay your license fee for that
01:59 < nojeffre1> Is the general conscensus among networking pros to not use STP for redundancy?
02:02 < E1ephant> nojeffre1: if it can be avoided, yes.
02:02 < E1ephant> it does have use cases though, campus comes to mind.
02:03  * spaces waves :) 
02:04 < spaces> ok, back to work, later guys!
02:04 < E1ephant> sick individuals
02:10 < nojeffre1> E1ephant I see, thankyou
03:10 < forgotmynick> can someone explain to me why randomly throughout the day and night every access point on channel 6 disappears? https://i.imgur.com/67TCVC9.png
03:17 <+pppingme> could be literally anything non-wifi thats using 2.4ghz.. there's an incredible amount of stuff thats on or near the same frequencies as wifi.
03:17 <+pppingme> How long does it disappear? On average how often does it disappear?
03:30 < spaces> why do we work ?
03:30 < spaces> we should get some more free
03:32 <+pppingme> spaces thats wht the democrats believe..
03:32 <+pppingme> until they run out of other people's money
03:34 < spaces> pppingme ment 60 hours work instead of 100 hours :P
03:44 < forgotmynick> pppingme: anything from a few minutes to 10 minutes the highest I've seen. i first noticed this when my ring doorbell 2 was being a piece of shit and ring kept telling me to reset it. in the UK, houses are much more closer together and streets are much narrow compared to the US (assuming you're from there) so it's perfectly normal to see a lot of access points around but smart things aren't popular here, especially
03:44 < forgotmynick> not in my city and it being around 2am, it's weird for there to be any interference now
03:44 < ahyu84> hey hey guy
03:44 < ahyu84> would like ask u all few question
03:44 < ahyu84> My company is expanding till china
03:44 < ahyu84> would like using fortigate firewall
03:44 < ahyu84> and setup site-to-site vpn to malaysia datacenter
03:45 < ahyu84> but I heard china blocked all VPN
03:45 < ahyu84> does my site to site not working from malaysia to china and vice versa?
03:45 < forgotmynick> i'm thinking it may be something to do with smart metres these electricity companies are wanting to put into every home? I've rejected it for my house but maybe neighbours have had it installed and that's causing this? it's really bizarre man
03:46 < ahyu84> we mainly want to access datacenter only
04:11 < CoolerZ> is it possible to view the path of a url in a https connection?
04:11 < CoolerZ> by a man in the middle attack
04:11 < CoolerZ> it seems my university's network is blocking any url that contains the word 'proxy' in it
04:12 < CoolerZ> even if it is only in the path part of the url
04:12 < CoolerZ> maybe i should ask in #security
05:05 < pennTeller> Hi guys I have a question regarding vlans. If I have let's say a 3 port switch with 3 diferent vlans (one per port) do the devices connected to such ports remain in the same overall network but cant talk to each other? or does each port become something like 192.168.1.0/24 antoher 192.168.2.0/24 and another one 192.168.3.0/24?
05:10 < BenderRodriguez> vlan is a layer 2 construct while networks are a layer 3 construct
05:10 < BenderRodriguez> so technically, I guess you should be able to have the same subnets in multiple vlans
05:10 < BenderRodriguez> but i don't think that's something sane people would do
05:10 < BenderRodriguez> nor would there be a reason to
05:11 < BenderRodriguez> no would some switches be able to support without issues
05:11 < pennTeller> BenderRodriguez but how? if the default gateway is let's say 192.168.0.1 how can you have a vlan that is let's say 192.168.3.0/24?
05:11 < pennTeller> or to rephrase, what ip's are assigned to devices in vlans?
05:12 <+pppingme> if its a layer3 switch, its implied that it will **route** between vlans
05:13 <+pppingme> even if its a L2 switch, its typically impled that some router belongs to all the vlans and is able to route between them..
05:13 <+pppingme> assuming access rules and firewall rules don't interfere
05:13 < pennTeller> +pppingme then where is the aliviation that comes from having vlans if you can still talk to devices in other "networks"?
05:14 <+pppingme> vlans have different goals..  sometimes (as your last question imples) its about security, other times its about controlling segment size
05:14 < pennTeller> +pppingme but where is the security if the switch will still "route" as you say?
05:14 <+pppingme> think of an office with 10,000 employees, but not real security concerns..
05:15 <+pppingme> you can setup access lists on the switch to block said routing
05:15 < pennTeller> +pppingme I see
05:15 <+pppingme> or you can slap a firewall between vlans
05:16 < pennTeller> but these vlans would still be part of the main network right? in the sense that they cannot talk to each other (due to switch rules) but the computer connected to the switch are all still lets say in the 192.168.1.0 network
05:16 < pennTeller> is this correct?
05:16 < pennTeller> computers*
05:16 <+pppingme> depends on how you define "network"
05:17 <+pppingme> its implied that every vlan will be on its own ip subnet
05:17 < pennTeller> so lets say I have a network now with my gateway being 192.168.1.1
05:17 < pennTeller> +pppingme I see
05:17 <+pppingme> and of course each subnet will have its own gateway
05:17 <+pppingme> and how you setup that gateway will determine what talks, and what doesn't talk
05:18 < pennTeller> so one vlan would be 192.168.1.0 another would be 192.168.2.0 ...etc?
05:18 <+pppingme> potentially, although personally, I'd fire anyone using 192.168 in a corporate environment
05:18 < pennTeller> +pppingme why so?
05:19 <+pppingme> it shows laziness, it has high potential to conflict with future work, workers working from home, etc..
05:19 < pennTeller> +pppingme I see... so to finish bothering you one last question if you dont mind.
05:19 < pennTeller> In this hypothetical vlan setup does each vlan have a sort of "virtual gateway" ?
05:21 < BenderRodriguez> pennTeller: https://i.imgur.com/HV6KTs1.png
05:21 < BenderRodriguez> this is my home network, each network is segregated to its own vlan with a virtual subinterface going from the router into that vlan
05:22 < BenderRodriguez> e.g. eth1.30 for vlan 30, eth1.20 for vlan 20 and so on
05:22 < BenderRodriguez> so each vlan has its own layer 3 gateway to do inter-vlan routing
05:23 < pennTeller> BenderRodriguez that helps clarify a bit
05:23 < pennTeller> thanks guys
05:42 < dogbert2> found a memory leak in BIND :)
05:44 <+pppingme> write a patch to fix it
05:45 < dogbert2> I already did, pppingme  :P
05:46 < dogbert2> submitted as a bug report (2nd one I've sent in today)
05:48  * dogbert2 spins Ram Jam - Black Betty
06:08 < pennTeller> Hi guys I have a question about voip. Can one simply setup a freepbx server at home and call normal numbers?
06:23 < Apachez> in short yes
06:23 < Apachez> but you need to find a way from your pbx into a pbx thats connect to POTS
06:23 < Apachez> usually through a sip trunk with a phonecompany
06:26 < Harlock> just get a sip provider
06:27 < Harlock> doesn't even have to be a sip trunk
06:30 < Goop> Does a postfix relayhost go both ways? Send and receive?
06:30 < light> Can do, but not necessarily
06:31 < light> Depends on the domain of the email
06:31 < light> The question is vague though
06:33 < Goop> I'm using G Suite and I want to have some control over my stuff, so I wanted mail to go through my own server. I put relayhost = ASPMX.L.GOOGLE.COM:465 in main.cf
06:34 < pennTeller> Apachez but I dont understand how there can be a "provider" if it is voip
06:35 < pennTeller> can one call "voip only" phones without having to go through a provider?
06:49 < Goop> light, here's my config: http://paste.ubuntu.com/p/vCHGmg97rN/
06:54 < scientes> pennTeller, yes, using a SIP address
06:54 < scientes> then it goes directly through the internet
06:55 < scientes> pennTeller, but you still need a sip server, and often people use the same provider that is providing a phone number to do that
06:55 < scientes> cause setting up a  SIP server is non-trivial
06:56 < ||cw> pennTeller: phone numbers don't just exist on the internet, they are provided by phone companies, aka, providers
06:57 < ||cw> you can technically direct dial SIP addresses, but you need to know the server IP and the phone's account name.
06:57 < light> well, they can exist in the same way you can run your own dns servers
06:57 < ||cw> and most phones don't have a way to dial that
06:57 < scientes> ^^^^
06:58 < ||cw> light: sure, you could setup a private phone network
06:58 < scientes> and software like telegraph, and google duo just use phone numbers to look people up
07:07 < Harlock> pennTeller you can do direct sip if you know how to reach the other end
07:07 < Harlock> and they are allowing direct sip calls
07:23 < Goop> How do I make sure I can use my mail server to proxy mail for G Suite? Here's my configuration for Postfix: http://paste.ubuntu.com/p/vCHGmg97rN/
07:40 < pennTeller> thanks guys it makes sense to me now :) I appreciate the POTS explanation
07:44 < scientes> Goop, yeah I do that so I can use my private domain with gmail
07:45 < scientes> Goop, i juse use /etc/aliases, with scientes scientessemailat@gmail.com
07:45 < scientes> and no relay host
07:46 < scientes> I can paste it if you want me to...
07:46 < scientes> Goop, also you have to set up reverse dns properly
07:47 < scientes> otherwise google won't accept your mail
07:47 < XATRIX> Hi can you advice ? what's the best method to provide PAT ? I have a tons of ports to forward. I don't think that forwarding 'one port per line' is a good idea, for hundreds of. My config file will come to endless...
07:47 < XATRIX> i tried to use access-lists with port range + route-map
07:47 < XATRIX> But my cisco 4300 doesn't want to apply second rule which describes the second access-list and ip nat rul
07:48 < XATRIX> https://pastebin.com/nP7tNZS5
07:48 < XATRIX> I have only one public IP, so i don't need pool actually , if i understand correct
07:48 < scientes> XATRIX, you mean NAT46?
07:49 < XATRIX> nope. standard one
07:49 < afidegnum> hello, in order to improve security i have blocked most of the used ports to allow few common ones. but i noticed i can't access the web... port 80  here are my ip tables https://hastebin.com/ugakavagoy.hs
07:49 < scientes> XATRIX, oh you spelled it wrong
07:49 < scientes> you said "PAT"
07:50 < afidegnum> firewall rules... mvn
07:50 < XATRIX> sorry... i thought i was correct :)
07:50 < XATRIX> need port translations
07:50 < scientes> oh i c that makes sense
07:51 < scientes> it is sometimes called NAT44 to contrast with NAT46
07:51 < XATRIX> i need to forward multtiple ports to multiple hosts... that's it :)
07:51 < afidegnum> what am i doing wrong? what can be corrected?
07:51 < scientes> XATRIX, you need something like this -A FORWARD -d 10.66.3.3/32 -p tcp -m tcp --dport 38540 -j ACCEPT
07:52 < scientes> specifies both host and port
07:52 < XATRIX> scientes: was it for me ?
07:52 < scientes> ooo port ranges...idk
07:53 < scientes> can your security allow NAT-PMP/uPNP?
07:53 < scientes> I always use that (with miniupnpd) except this was through wireguard, which doesn't work with those protocols
08:14 < afidegnum> hello, any insight for my issue ?
08:17 < ellyacht> so I tried to use my android phone tethered to my RT-N16 and it changed the routers ip and now I can't connect to the GUI... I can see that the gateway however is the same?..
08:18 < Harlock> it's set to auto use bridge or nat modes?
08:19 < Harlock> might be called router, repeater and AP modes
08:21 < ellyacht> ?
08:22 < Harlock> it automatically chnages the ip in repters or ap mode iirc
08:23 < Harlock> looks liek it defaults to dhcp in AP mode
08:25 < ellyacht> automatically to what tho?
08:26 < Harlock> whatever it pull from the phones via dhcp
08:29 < ellyacht> harlock that's just it. it didn't pull anything from the phone. usually when I tether other devices it pulls it but the router didn't
08:29 < ellyacht> is there a terminal command I could run on my phone to see what ip addresses it dhcp'd out?
08:30 < Harlock> looking at the manual it looks liek you have to put it into ap mode manually
08:30 < Harlock> if you haven't done that the router ip shoudl still be the same
08:30 < GlenK> hey there.  sorta have centos set up as a router.  I can do mtr and ping from private machines on my network
08:30 < GlenK> but if I try and telnet to port 80 of somewheres then it tells me no route to host.   any ideas?
08:31 < GlenK> I suppose I have firewalld set up wrong?   I set my private interface to be the internal zone.
08:31 < ellyacht> that's just it the router ip is still the same but my web browser won't connect to it. it keeps saying routers ip address changed refreshing your browser now
08:33 < afidegnum> hello, any help?
08:34 < GlenK> ha, crap.  now my roommate came back
08:34 < GlenK> guess I'll have to switch back to the sucky netgear thingy
09:03 < Atro> lol
09:16 < FightingFalcon> SHALL I MOVE ALL MY IMAGES TO COOKILESS DOMAIN !!!!!!!!!!!!!!!!! ?
09:18 < light> WHAT IF THEY GET HUNGRY AND NEED A SNACK !!!! ?
09:18 < FightingFalcon> huh
09:19 < Atro> lol
09:36 < squ> !catgif
10:43 < MitteM112358> is NAT a rule or protocol?
10:44 < Emperorpenguin> it's a workaround
10:45 <+xand> a bodgearound
11:01 < TandyUK2> NAT is evil
11:01 < TandyUK2> a horrible bandaid for the fact we didnt start deploying ipv6 over a decade ago
11:04 < epitamizor> NAT works fine
11:04 < epitamizor> just have to know encapsulation
11:06 <+xand> NAT works fine at breaking end-to-end connectivity
11:06 < epitamizor> lol
11:06 < epitamizor> how else are they supposed to spy on you then?
11:07 <+xand> eh?
11:16 < MitteM112358> if a device support IPv4 most of time it can support IPv6 correct?
11:17 <+xand> err maybe?
11:17 < bezaban> "it can"
11:17 < MitteM112358> i am trying to think of examples on the top of my head for those that cant
11:17 < MitteM112358> and i blanked out for some reason
11:17 < bezaban> tending towards incorrect
11:17 < MitteM112358> then i thought.. okay a printer?
11:19 <+xand> any "IoT" thing where you don't have a "normal OS"
11:20 < MitteM112358> AH
11:20 < MitteM112358> And this is for the fact of simple math / RISC cpu?
11:20 <+xand> no?
11:20 < MitteM112358> where as the ipv4-to-ipv6 /// ipv6 hex addressing on an OS?
11:20 <+xand> no it's due to developers of such devices not bothering with IPv6 support mostly
11:21 <+xand> not a hardware issue
11:21 < MitteM112358> I'm saying, if a smart fridge supports IPv6
11:21 < MitteM112358> ah okay i understand your example
11:21 < MitteM112358> more as the implementation of such/etc ?
11:21 < MitteM112358> not actual technical capability
11:21 <+xand> yes
11:22 < bezaban> and availability
11:23 < MitteM112358> ok, thanks that really cleared my head and helped me view this better
11:23 < bezaban> they prefer organizing in botnet like structures ;)
11:26 < bezaban> been looking at wifi weather stations, there seems to be one main contender by 'netatmo'  - but they have an incident of sending wifi password and ssid back to their c&c servers.  Anyone used any of these and know if they'll function without / allow you to disable the cloud component?
11:26 < bezaban> or alternatives
11:28 < djph> never looked into that, sorry.  Firewall prohibiting it from leaving your network not good enough?
11:28 < bezaban> djph: if it will still work then that would be fine
11:28 < djph> yeah, dunno :*
11:28 < djph> :(
11:28 < bezaban> 'Initializing, error can't connect to cloud, please restart your router'
11:29 < djph> heh, yeah, it'd probably do that
11:29 < bezaban> they look good in every other aspect, can poll them with a python open source project
11:49 < Yamakaja_> Hey, does anybody know about LDP daemons for linux?
11:51 < Roq> MPLS LDP? LDPd is available but i never used it
11:51 < Yamakaja_> Yes, MPLS LDP
11:53 < Yamakaja> Roq link? :D
11:53 < Yamakaja> Oh wait, quagga-ldpd?
11:54 < Roq> Yeah i think so, is that the BSD port?
11:54 < Yamakaja> yes
11:55 < Roq> Yeah that should be available for linux, but like i said i never used it
11:59 < Yamakaja> I see, i was hoping to avoid quagga xD
12:00 < Roq> Fair enough. What do you want to use it for? Labbing?
12:00 < Yamakaja> Yep
12:00 < Yamakaja> And maybe running an MPLS backbone in dn42 :D
12:01 < Roq> I'm not familiar with dn42
12:01 < Yamakaja> It's basically a darknet simulating the internet
12:02 < Yamakaja> Peers connect with tunnels, not direct links. Then they peer like you'd peer in real life / etc.
12:03 < Roq> I see, and MPLS is required to connect?
12:03 < Yamakaja> No
12:03 < Yamakaja> But i'd like to run it within my AS
12:04 < Yamakaja> See https://wiki.dn42.us/Home
12:04 < Roq> I would suggest some MPLS capable routers over a Linux port in that case
12:05 < Yamakaja> Uh, that's not really an option with my budget ^^
12:05 < Yamakaja> Linux actually supports basic mpls routing
12:05 < Yamakaja> Or VPP for that matter
12:06 < Yamakaja> (https://wiki.fd.io/view/VPP)
12:07 < Roq> I think mikrotik support MPLS functionality, if budget is a concern
12:07 < Yamakaja> Yeah, but i can't easily run that in a DC like i can with a linux vps
13:14 < gtr> test'
13:15 < djph> test failed.
13:16 < gtr> how can i remove duplicate queries in wireshark from a .cap file to see dns requests? for example i have multiple lets say dddd.com how can i see it only once ?
13:16 < djph> only query for it once?
13:16 < gtr> i know of statistics - resolved addresses
13:16 < gtr> but none of the domains are resolved there
13:17 < kubast2> Does MMS protocol allows sending any type of file over? And 2nd question ,If I were to manually reencode a video with a high quality codec like VP9 will the video get sent with or without transcoding If I were to make it fit the max size requirment?
13:18 < gtr> djph, how can i query for it ? i m not looking just for 1 domain i need all but not like duplicated
13:19 < gtr> i have domain1.com then domain2.com then domain1.com then domain3.com i need to see only domain1, domain2, domain3 if this explains
13:19 < kubast2> I got a manual transcode(with libvpx9 and libopus) and an automated one(with AAC and h.264[but baseline profile])
13:20 < kubast2> as in is the transcoding done by an application/phone or by the infrastructure of a telecome company ?
13:21 < detha> gtr: tcpdump/tshark | awk '{....}' | sort -u
13:21 < kubast2> Like theoretically you could cram up a couple of secs 1080p video with reasonable quality with reasonable quality of audio under 300KB
13:22 < kubast2> vs a half full hd video that barerlly doesn't have any sort of artifacts
13:22 < kubast2> or worse
13:22 < tcpdump> @detha yes, I can run.
13:25 < djph> kubast2: I would imagine the phone, or the remote end. Telco is just the carrier, I think...
13:28 < almostdvs> I have a dhcp pool on a catalyst 4500 that won't hand out IP addresses.  Any tips on troubleshooting this?
13:28 < djph> you run out?
13:29 < almostdvs> I don't believe so
13:32 < OliverUK1> Could anyone give some recommendations for firewalls to put in at home that would do web filtering so to help keep kids safe?
13:33 < almostdvs> OliverUK1: untangle
13:33 < compdoc> pfsense is great, but requires a pc
13:33 < almostdvs> requires a pc?
13:34 < tehjanos1h> OliverUK1, what you are actually looking for is a proxy with web content filtering
13:36 < tehjanosch> OliverUK1, depending on the size of your network you could either try out pfsense or sophos utm (if they still have their free version) - but you would need separate hardware or a vm for that :)
13:36 < OliverUK1> compdoc: I am looking at putting something physical between the internet and our internal network anyway
13:36 < compdoc> linux/bsd firewalls require a computer to run on
13:37 < compdoc> you looking for a small, plastic, consumer based firewall?
13:37 < almostdvs> that's a weird statement
13:37 < almostdvs> OliverUK1: you can look into Open
13:39 < djph> UBNT Edgerouters have basic webfiltering -- although you'd probably be better with a layered approach - your filter plus opendns umbrella (if it's still free for home use), etc.
13:39 < djph> on a separate VLAN for the kid(s).
13:44 < Atro> i didnt even have internet till i was 9, now kids get VLAN's ?!?!?!?!
13:44 < Atro> preposterous
13:45 < almostdvs> Ok, some progress.  ACL in on the vlan interface was presumably blocking the dhcprequest packet.  I assumed the dhcp server address would be the same as the vlan interface but that is allowed in the ACL.  what is the dhcp server?
13:48 < djph> Atro: I never said *when* they'd be getting a VLAN.
13:48 < djph> DHCP requests are broadcast
13:48 < djph> src 0.0.0.0 / dst 255.255.255.255
13:49 < djph> and L2 -> src (PC-MAC) / dst FF:FF:FF:FF:FF:FF
13:49 < OliverUK1> Thank you for all of your help :-)
13:50 < OliverUK1> I don't mind paying a bit for a quality solution though, doesn't have to be free, you get what you pay for
13:52 < djph> eh, the "paid for" oDNS umbrella was just more features (e.g. more users, individual PC addresses - if you have nonRFC1918 space, ofc; somewhat more fine-grained control over the filters ... nothing really special for "residential use" IMO)
13:52 < almostdvs> djph: no dhcpdiscovers are broadcast
13:53 < almostdvs> I'm talking about dhcprequests
13:53 < almostdvs> wait your right
13:53 < djph> ;)
13:54 < Roq> request is also broadcast, to let the other potential DHCP servers know which one was selected
13:54 < almostdvs> even stranger
13:54 < almostdvs> taking the ACL out allowed dhcp to work
13:54 < djph> dhcpdiscover -> dhcpoffer -> dhcprequest -> I forget.
13:54 < Roq> ack
13:55 < almostdvs> so it must be the ack
13:57 < almostdvs> ok, so does the dhcp server on a cisco switch send the ack from the vlan interface address?
14:00 < spaces> woei! all networks sexy ?
14:14 < tehjanosch> 13:41:17 < Atro> i didnt even have internet till i was 9, now kids get VLAN's ?!?!?!?! <- :D
14:14 < tehjanosch> i guess you have used a dialup connection back then :P
14:14 < tehjanosch> good ol' times
14:19 < Sout> dling off napster, and hogging up the phone lines :D
14:19 < almostdvs> feeling nostalgic about old technology on the internet
14:19 < almostdvs> good times
14:19 < squ> !catgif
14:24 < lbrun> Hi, I need to do a MPO24 trunk connection for some 10G and 40G stuff (multimode), does anyone here have some experience with polarity in these systems?
14:25 < djph> fiber has *polarity* ?
14:26 < lbrun> TX has to go to RX
14:26 < lbrun> if you have MPO12/24 connectors (12/24 fibers in one connector), this becomes a non-trivial thing
14:26 < djph> well, yeah, but I wouldn't call that "polar" ..
14:27 < djph> I mean, i guess it works ... but .. IDK
14:27 < lbrun> Most companies call it that from what I've seen
14:31 < wind_swept> i've heard it called polarity also
14:32 < wind_swept> i don't think you can change the polarity on the 40g MPO connectors, but on the 10G if they're the LC-LC connector you can pop off the clip and switch the polarity as necessary
14:34 < lbrun> wind_swept: True, but 40G-SR4 uses an MPO12 connector
14:34 < wind_swept> looks like the "Fiber Optic Association" calls it polarity also: http://www.thefoa.org/tech/ref/install/polarity.html
14:35 < wind_swept> lbrun right, but it only uses 8 of the fibers
14:35 < lbrun> I know
14:35 < wind_swept> i guess i missed the question
14:38 < lbrun> Basically the plan is to route 2 40G-SR4 (and some misc 10G) using MPO12 -> 4 LC-LC Type B onto a MPO24 cassette, trunk it to another location some 30m away, terminate into another MPO24 cassette and again use 4  LC-LC -> MPO12 Type B cables to connect to the transceivers.
14:40 < wind_swept> sounds like it would work.  i've not done that but it seems like you'd just need to crossover the LC connectors on one end or the other, but keep the pairs in the same order
14:42 < lbrun> Yeah, the question is more if I can avoid to actually use crossover connectors. I can choose the type of trunk cabling (Type A, B, or C), but I have only straight-through key-down cassettes.
14:43 < wind_swept> is running the mpo24 cable cheaper than running two mpo12 ?
14:43 < lbrun> no, but there is no  space
14:43 < lbrun> I can't run two MPO12
14:44 < lbrun> The cable runs through some very old building parts where making the holes bigger would be very expensive
14:46 < wind_swept> gotcha.  seems like a pretty straightforward problem. diagram it out and you can figure out which cables go where.  or just be ok with futzing with LC connectors :D
14:48 < italian_power> WE ARE THE ITALIANS OF ITALY
14:48 < wind_swept> no we aren't
14:48 < italian_power> WE ARE TIRED OF BEING RULED AND TAXED BY THE JEWISH 1%ERS
14:48 < spaces> italian_power good, stay there
14:49 < lbrun> wind_swept: Yeah, I think I'm going to that. I guess there is actually not that much that can go wrong.
14:49 < wind_swept> lbrun: https://www.fs.com/polarity-and-mpo-technology-in-40-100gbe-transmission-aid-475.html
14:49 < wind_swept> as long as everything terminates in LC connectors you can swap pairs
14:51 < lbrun> True, even the 40G-SR4 still go over LC connectors before going into the trunk, so even if I get the trunk wrong I can just swap. Thanks!
14:51 < wind_swept> sure thing :)
15:09 < afidegnum> hello, i can't have access to port 2022, using nmap on -p 2022 i have 3033/tcp filtered unknown error
15:50 < wind_swept> afidegnum: bummer
15:50 < wind_swept> did you have a question?
16:18 < UncleDrax> (guess not)
16:20 < wind_swept> ¯\_(ツ)_/¯
16:30 < Asnm> hello guys
16:50 < CoolerZ> i am just looking at some network traffic in wireshark
16:50 < CoolerZ> why does wireshark report tls v1.2 when its version 1.0
16:54 < CoolerZ> https://imgur.com/ltWS9M9
16:58 < lbrun> CoolerZ: That's the version of the TLS handshake protocol, different from the TLS record protocol (which is 1.2)
16:58 < CoolerZ> lbrun, so what is the 1.0 version shown there?
17:00 < lbrun> CoolerZ: There is an excellent answer here: https://security.stackexchange.com/questions/29314/what-is-the-significance-of-the-version-field-in-a-tls-1-1-clienthello-message
17:11 < purplex88> what is NIDS?
17:12 < djph> probably network intrusion detection system.
17:12 < purplex88> is it windows firewall, or my anti-virus?
17:12 < djph> neither
17:13 < purplex88> but my bitfender total security has advanced threat defense feature
17:13 < djph> and?
17:14 < purplex88> why is it not intrusion detection system?
17:14 < djph> because it isn't.  That's like asking why a pickup truck isn't a semi.
17:17 < purplex88> so what does it.
17:17 < purplex88> ..
17:18 < djph> a NIDS is a (more or less) comprehensive monitoring system for a network to detect intrusion (e.g. foreign PCs / APs / etc.)
17:19 < purplex88> i thought my advanced bitdefender solution can do it
17:19 < purplex88> e.g. block threats
17:19 < djph> no.
17:19 < djph> that's _antivirus_.
17:20 < djph> specific to a singular machine.
17:20 < purplex88> e.g. it can block bad ip addresses
17:20 < purplex88> if it detects port scan
17:22 < djph> sounds like a firewall.
17:23 < purplex88> also wifi security, vunerability scan, randsome ware protection..?
17:23 < djph> I mean, each of these components may make up a NIDS ... but they themselves are not one.
17:24 < purplex88> is NIDS a hardware box or a software i can download and install?
17:25 < djph> could be either
17:26 < djph> though, I doubt "download and install" would be that simple. It's probably more "pay a fuckton of money, then download & install"
17:32 < saul> i'm curious: how common is it for a company culture to include IT configuring users' e-mail signatures for them?
17:32 < purplex88> but the question is what will it be protect me from?
17:32 < purplex88> as i never heard someone installing them
17:34 < djph> saul: zero.
17:34 < djph> purplex88: it's to monitor a NETWORK for something getting through that shouldn't have - an extra PC, wifi APs, random other garbage, etc.
17:35 < djph> or something generating "weird" network traffic, etc.
17:35 < purplex88> ok, the entire network.
17:54 < inire> saul i've seen legal demand a specific end phrase
17:54 < inire> but it's mostly just handwaving bullshittery
18:08 < yn> https://blog.malwarebytes.com/security-world/privacy-security-world/2018/07/mother-is-blocking-ads-so-why-arent-you/
18:19 < pokmo> hi
18:20 < pokmo> i'm not sure if it's just me, but 'curl https://www.zomato.com' times out. it works fine in a browser though
18:20 < pokmo> does it happen to anyone else?
18:22 < Sout> yes, pokmo. curl https://www.zomato.com returns Access Denied
18:23 < pokmo> hmm i don't get a response at all
18:23 < pokmo> Sout do they have a firewall or something that checks the user agent?
18:23 < pokmo> i get SSLREAD() return error -9806
18:26 < pokmo> curl -A "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5" https://www.zomato.com/ gives me Access Denied
18:27 < pokmo> beside UA, what else could a server/firewall check?
18:47 < kottt_> somebody sanity check me here: site has a network that goes: our gateway router -> their LAN Switch -> two wireless routers. The LAN was crashing and burning periodically, as frequently as every 10-15 minutes. disconnecting their second wireless router fixed their problem
18:47 < kottt_> from LAN Switch to second wireless router: should they have been plugged into WAN or LAN port on it?
18:49 < kottt_> honestly not sure how the wireless routers were configured, whether AP/Router/Wireless Bridge/etc, so I guess that's what would make the difference. hm.
18:50 < Poster> it's not entirely clear what "router" means aside from passing IP between two or more interfaces, is there NAT, DHCP, etc?  Do they have unique IP spaces behind them?
18:51 < kottt_> tbh, my assumption here has been that they were two regular consumer routers with minimal configuration, with their WAN sides getting addresses in a firewalled public address space
18:52 < Poster> if they're both on the same IP address and both handing out IP addresses in the same VLAN that could cause quite a bit of trouble
18:53 < kottt_> from our gateway, what we were seeing was that traffic would just completely stop making it upstream from their switch, which was brand new, having been replaced the first time the issue presented itself.
18:54 < tpr> hm, what tool could I use to do dhcp information request messaging?
18:55 < kottt_> we thought there might have been a switch loop or something but we had them trace every cable in the building (small library) and found nothing problematic
18:55 < tpr> whatever that even is. wikipedia just lists "DHCP information" and says "A DHCP client may request more information than the server sent with the original DHCPOFFER. The client may also request repeat data for a particular application. For example, browsers use DHCP Inform to obtain web proxy settings via WPAD." without providing any source :P
18:55 < kottt_> i guess you could be a REAL HACKERMAN and just do it by hand in C
18:56 < kottt_> sorry, i dont have an actual productive suggestion
18:56 < kottt_> <3
18:56 < tpr> :|
18:56 < tpr> oh, it's actually called DHCPINFORM <3
18:58 < tpr> and dnsmasq's contrib ships dhcp_lease_time :-)(
19:00 < tpr> /* Explicitly request the lease time, it won't be sent otherwise:
19:00 < tpr>      this is a dnsmasq extension, not standard. */
19:00 < tpr> höh
19:37 < Apachez> pennTeller: yes, you dont need a phoneprovider if you just want to call to other voip boxes connected to the same pbx
19:38 < donguston> anyone here speak russian? Is the English to Russian Google Translate as good/accurate as the Russian to English? Are there any better translation APIs to use for English to Russian?
19:52 < Apachez> I think its close enough
20:06 < hfp> Hi, I am confused with IPv6. I seem to be getting a /56 from my ISP (not sure how to confirm that, I set prefix hint to /56 and I can ping ipv6 addresses over the internet, but I can't with /48). How do I confirm my prefix? If I ifconfig on my OPNSense router, all I see is a /128 with my ipv6 on the wan interface. But my laptop gets a 2xxx ipv6 and when I visit testipv6.com, it shows my laptop's ipv6
20:06 < hfp> address, not the router's. As a corollary, does that mean that every single host in my LAN now gets a public IP? Will the firewall still prevent the internet from accessing my hosts using their 2xxx public ipv6 addresses?
20:07 < Dagger> yes, your hosts get public IPs, and yes, firewalls still block connections
20:07 < Dagger> as for the prefix... the router is doing a DHCPv6-PD request, and the response to that includes the size of the prefix
20:08 < Dagger> I don't know how you'd go about seeing what that size is in OPNSense though. I'd expect it to mention it somewhere in the admin interface
20:10 < hfp> Dagger: Thanks
20:11 < hfp> So every host having a publicly routable ipv6 simply means that if I ever want to publish a service on a host, I tell my firewall to let the communication through and it saves me from having to use my only ipv4 over nat, right?
20:13 < Dagger> yup
20:16 < Dagger> assuming your clients have v6 too, mind, otherwise you'll need to work out some way for v4 clients to connect (and the easiest way of doing that is probably to continue doing it the way you're already doing it)
20:26 < hfp> yes they all have ipv4 and ipv6 addresses
20:27 < hfp> I know the fe80 is a local address only, but they're also getting two 2xxx ipv6. I remember that one is random for privacy, and used on the internet; but how to tell which is which?
20:28 < Dagger> the one which changes when you restart or reconnect is the temporary one
20:28 < Dagger> the non-temporary one may have "ff:fe" in the middle of the right-hand 64-bits, but (due to RFC 7217) it might not
20:30 < Dagger> there's usually some kind of flag on the privacy addresses too (e.g. on Linux they have the "temporary" flag in `ip a`, on Windows they're listed as "Temporary IPv6 address" in `ipconfig`)
20:37 < hfp> I have ubuntu, ip a shows both addresses the same, the only thing that changes is the ip obviously but everything else looks the same
20:40 < streuner> i can't do port forwarding in my router
20:41 < streuner> i've set static ip in dhcp options and i have forwarded right ports
20:43 < Dagger> hfp: I guess keep an eye on the addresses then, and see which one stays the same
20:44 < Dagger> hfp: I've seen people with both normal and RFC7217 SLAAC addresses recently. I guess if you were having that problem and you also had privacy addresses disabled then you'd end up with two addresses with the same flags
20:45 < Dagger> (Ubuntu's problem is that it uses one of those fancy network management daemons that take over RA processing, and they often end up doing funky things with IPs. the in-kernel RA client is a bit easier to understand)
20:45 < CSA> HI! I  have two isp uplinks. Im advertising my four /24s via ebgp. One link has 300 Meg and another  have 1024 Meg/s capasity.
20:45 < CSA> How do I advertise a /22 to the 300 Meg/s link and four specific /24s towards the 1024 M/s link?
20:55 < fly_agaric> hello guys, I have 2 HPe 5406Rzl2 core switches. and i tried to configure vrrp. can you look at the config on pastebin? https://pastebin.com/z9VqH5qC
20:55 < fly_agaric> iam not sure if this is all i need
21:07 < fly_agaric> if i enter show vrrp vlan 582 it says that core is master
21:07 < fly_agaric> and core 2 is Backup
21:08 < fly_agaric> how does vrrp know which switch is master?
21:08 < fly_agaric> does it follow the spanning tree configuration? because core 1 is root bridge
21:11 < djph> VRRP is a *router* protocol ...
21:15 < fly_agaric> djph: do you know if important thing for real world vrrp are missing in my pastebin config?
21:16 < ManDay> Hi, any idea why an apple device (MacBook Air from the dhcp name of it) gets 5 IPv6 addresses? Is that some apple shit?
21:16 < lbrun> ManDay: Could be IPv6 Privacy Extensions
21:18 < djph> fly_agaric: "routers" ?
21:18 < djph> fly_agaric: although, I guess if your "core switches" are actually acting as routers ...
21:18 < fly_agaric> djph: 2 core hpe switches not routers but layer 3 switch
21:18 < djph> are they acting as routers?
21:18 < fly_agaric> yes
21:18 < ManDay> lbrun: that's a pure host thing, right? it sounds as if this were anticipated in IPv6
21:19 < S_SubZero> ManDay: do you expect different behavior?
21:19 < ManDay> S_SubZero: It's not my device, a neighbour I share my internet with
21:19 < lbrun> ManDay: What do you mean by pure host thing?
21:20 < ManDay> lbrun: The dhcp or anyone but the host that gets those adresses doesn't know about it.
21:20 < ManDay> it's just that the host gets those adresses to get extra privacy
21:22 < lbrun> ManDay: Yes, that's the case
21:26 < S_SubZero> apparently multiple IPv6 addresses are a common thing. https://unix.stackexchange.com/questions/181539/why-do-i-have-so-many-ipv6-addresses-for-a-single-ethernet-card
21:27 < ManDay> lbrun: thanks!
21:28 < hfp> Dagger: Yes, I'm thinking of moving away from ubuntu because of all the magic it does and which I don't need. Is Manjaro a better option?
21:28 < kenrin> magic?
21:29 < kenrin> Manjaro is cool if you want arch but are lazy and don't care about stability
21:31 < hfp> kenrin: yes, ubuntu uses netplan which I don't care for, it uses 127.0.0.1 as a nameserver to do some caching and some magic (which has bugs), I use i3 as my wm so I don't care for ubuntu's unity or what have you... It seems like ubuntu does too much for what I need
21:31 < hfp> kenrin: better go with arch then?
21:31 < kenrin> You know you can change all that right?
21:31 < hfp> yeah but it's a lot of work, why not use a distro that doesn't do that in the first place?
21:31 < kenrin> If you like arch, sure.  I don't like random updates breaking my system every month though
21:32 < kenrin> Debian is always good choice
21:33 < hfp> I might be wrong, but my experience was that debian uses older versions of everything. sometimes much much older, whcih results in missing features that have long been released. It would work for a server but not as my daily driver because of that
21:33 < kenrin> Thats why you use debian sid or debian testing
21:34 < E1ephant> or just avoid debian
21:35 < E1ephant> because the packages fart dust they're so ancient
23:43 < GoopAway> I am writing a research paper for English 101 and the topic is Net Neutrality. I wanted to know if I might be able to either get some good advice where to look, or do an online interview from a networking professional or a business professional that has experience in the area of creating an ISP.
23:44 <+pppingme> you should write about the scam that liberals called net neutrality, which ultimately was dumped..
23:46 < GoopAway> pppingme: what is your professional background in this area, and may I interview you online?
23:46 < purplex88> whats the meaning of network security policy?
23:47 < purplex88> is firewall rule can example of this?
23:48 < GoopAway> purplex88: I'm rather ignorant in that subject. It sounds like you need to Google it.
23:48 < vexe> irritate the employees :)
23:49 < ||cw> purplex88: yeah, a firewall would be part of it
23:51 < purplex88> ||cw: policy = creating rules of what you can access / do / view etc?
23:51 < ||cw> like, timeclock policy, vacation policy, bathroom break policy
23:52 < ||cw> door locking policy
23:52 < ||cw> think higher level.
23:52 < purplex88> i rarely used the term 'policy' so i'm unfamilar
23:53 < purplex88> okay so what are all these policies you said are for? are these rules?
--- Log closed Wed Jul 11 00:00:33 2018