--- Log opened Thu Jul 12 00:00:31 2018
--- Day changed Thu Jul 12 2018
00:00 < groupers> Same for residential and business sales
00:01 < groupers> their business support is leave a message and they'll get back to you
00:20 < drac_boy> hi
00:27 < spaces> drac_boy sorry we only do HP ILO :P
00:28 < spaces> but hi!
00:29 < robert45> hey guys, any ideas how to set up a public IP on an HP Aruba 2540 switch?
00:29 < drac_boy> spaces umm what are you talking about? :P
00:30 < spaces> drac_boy where does your name come from ? drac is a remote thingy of Dell
00:30 < spaces> robert45 create a vlan and add it to it and assign it to ports
00:30 < spaces> the WAN ;)
00:30 < spaces> or do it on a port
00:31 < spaces> and make a route for your subnet
00:31 < spaces> etc
00:32 * drac_boy breathes flame out of mouth into spaces' direction
00:32 < drac_boy> that say enough? :)
00:32 < spaces> drac_boy I cannot make a clue about what you are trying to say, but whatever it seems your imagination goes back to your childhood :P
00:32 < robert45> spaces tx for the quick help, that's what I did but it's not working for some reason: https://paste.debian.net/1033340/
00:33 < robert45> my uplink cable is connected on X1
00:33 < spaces> robert45 there is no route
00:33 < spaces> default route
00:33 < drac_boy> spaces well maybe this bigger hint will help :p https://vignette.wikia.nocookie.net/sigil-city-of-doors-nwn2-persistent-world/images/a/ae/Red_dragon_by_caiomm.jpg/revision/latest?cb=20160422211928
00:33 < drac_boy> heh
00:34 < spaces> ip route 0.0.0.0 0.0.0.0 th.e.gw.from.isp
00:34 < spaces> ip route 0.0.0.0 0.0.0.0 the.gw.from.isp
00:34 < spaces> drac_boy never seen such, where do you live ?
00:51 < spaces> robert45 nothing yet ?
01:41 < zhdncpq> hi, i'm having a problem: netfilter-persistent not restoring iptables rules at boot. I spent some time debugging the init file for the netfilter-persistent service, and it seems that the `sudo service netfilter-persistent start` command is being intercepted by /lib/lsb/init_functions, and the result is empty output. Any alias for `start`, such as `reload`, works perfectly. Where should I continue digging?
01:58 < zhdncpq> any thought about why iptables-persistent might fail to persist iptables rules at boot time? I have a strong suspicion it might be because /lib/lsb/init-functions is doing something weird when getting the 'start' command, but maybe someone has other ideas?
01:59 < zhdncpq> the init script for the iptables-persistent service is basically a switch, which selects based on the command in $1. but first it runs `. /lib/lsb/init-functions`. when I run `service iptables-persistent start` it just quietly exits without any output. when I run `service iptables-persistent reload` (which is actually a synonym and included in the same switch branch), it works as it should. what's going on here?
02:03 < robert45> spaces sorry, had some trouble connecting back to the switch, it's still not working for some reason, here's the current config: https://paste.debian.net/1033344/
02:10 < robert45> any ideas?
02:12 < ZedHeadTed|> Can I block ads at the router level?
02:14 < robert45> spaces it worked now! tx so much!
02:16 < spaces> mhh I think he did it all by himself :)
02:18 < ALowther_> ZedHeadTed|: You CAN do almost anything. Are you curious if somebody has already achieved this & released an easy way to implement it?
02:24 < ZedHeadTed|> ALowther_: Mainly just wondering if it's possible. And if it is, I'll find out whether my model supports it.
03:18 < h0dgep0dge> is there anyone who can help with setting up self hosted dns?
03:30 < E1ephant> just ask?
03:34 < fryguy> you download/install a dns server, add records to it, and edit the NS entry upstream so that things point to it.
04:05 < h0dgep0dge> yeah i found some issues that i'm dealing with now, i'll be back if i hit a dead end
04:10 < ThePortWhisperer> hello, any idea why a virtual machine won't get an IP even after setting it to use the same adapter as the other VMs and setting it to DHCP
04:10 < ThePortWhisperer> same OS as the other VMs too, nix.
04:11 < ThePortWhisperer> every host on that adapter is supposed to get put into the same subnet
04:21 < jchia> How should the various numbers output from dumpcap be understood? For example here: https://paste.debian.net/1033349/. 462 packets captured, which I see in the output file, but the two interfaces received 464 and 460 packets respectively, which doesn't add up. Also, what do the counts for 'pcap', 'dumpcap' and 'flushed' mean?
05:22 < cpplearner> Which linux manual page mandates that a more specific route takes precedence over the lesser one? It seems route(8) does not mention it.
05:37 < meingtsla> cpplearner: That mandate is not specific to Linux. It holds among multiple vendors and OSes. Having said that, ip-rule(8) indirectly references this by describing "the conventional destination based routing table" as being "ordered according to the longest match rule". (It then goes on to describe ways that you can change that.)
05:51 < cpplearner> meingtsla: Thank you for answering. So, it's just a de facto standardised way, but no specific document explicitly mandates it? maybe like ISO, or RFC...?
05:54 < monoxane> there's probably an RFC on it
05:54 < h0dgep0dge> i would think it's just common sense, you need to prioritize them somehow right?
05:55 < meingtsla> It looks like this is codified in RFC1812
05:55 < cpplearner> Yeah. But, I thought having a document saying it explicitly would be great.
05:55 < cpplearner> meingtsla: Thank you! I'll look into it.
05:56 * meingtsla proceeds with printing it out and stashing it in his magazine rack next to the toilet
05:58 < h0dgep0dge> i'm with you meingtsla, i went through a phase when i was a teenager of reading important RFCs
05:59 < h0dgep0dge> i don't know if i'd say it was hugely valuable, but i found it really interesting
06:18 < monoxane> anyone here use Extreme Networks Summit switches?
09:35 < CoJaBo> How do I begin to troubleshoot why this laptop intermittently loses either IPv4 or IPv6 internet access?
09:35 < CoJaBo> Pinging local IPs always works. Nothing is printed to dmesg when it goes down or when it comes back up
09:37 < bezaban> check the router, routes and dns if you're not pinging external hosts by ip
10:03 < myrat> hello guys how can i install a Supermicro Aoc-sgp-i4 4-port Gigabit Ethernet Adapter on linux, it can't see it (
10:06 <+catphish> morning
10:09 < h0dgep0dge> anyone care to weigh in on using nsupdate through ssh vs using nsupdate remotely authenticated with a key?
10:10 <+catphish> depends how secure you need it to be i imagine
10:11 <+catphish> ssh is clearly going to be a more secure option, but i believe remote updates can have signing so should be fine too
10:12 < h0dgep0dge> are there any obvious drawbacks to using ssh? considering i already have that set up, and i'd need to reconfigure to use nsupdate keys
10:12 < h0dgep0dge> or rather, keys with nsupdate and bind
10:12 <+catphish> i see no downside to ssh, as long as you already have keys set up
10:13 < h0dgep0dge> choice. wildcard ssl certs here i come
10:14 < bezaban> well you'd presumably need a passphrase-less key sitting there if it's for le automation, as opposed to a key that's restricted to editing only one record via a port that's already open
10:15 < bezaban> that's exposing a lot more with a breach on the nsupdate client
10:15 < h0dgep0dge> that's a good point
10:15 <+catphish> that's also true
10:16 <+catphish> the keys can be better restricted with remote updates
10:18 < h0dgep0dge> thanks guys
11:27 < detha> h0dgep0dge: hidden master, and the entire problem goes away
11:29 < _noblegas> Hi
11:30 < grawity> nsupdate uses either GSSAPI or HMAC-SHA256, which is Good (unless your version only supports HMAC-MD5, which is still Good Enough)
11:30 < _noblegas> I have a question, imagine you have a program which downloads something from the outside world. And you use a wifi network. So when you run the program it says that it cannot find www-someURL. But then you go to the browser - you can open that URL. Now imagine you switched from this wifi to some other wifi - and now both program and browser can reach that URL. How is that possible?
11:30 < Atro> magic
11:31 < Atro> your question is way too vague
11:31 < _noblegas> Ok
11:32 < _noblegas> But in principle, how could it be possible that a browser can access a certain url, but some program cannot
11:32 < MikeSeth> the program uses a proxy, or doesn't perform DNS lookups correctly
11:33 < MikeSeth> might be ipv4 vs ipv6
11:33 < detha> Either the program ignores DHCP settings, the browser ignores DHCP settings, or the browser uses some proxy
11:33 < grawity> or just in general, the domain points to multiple addresses and the two programs are trying different ones
11:33 < detha> or that
11:34 < grawity> could be that one's IPv4 and one's IPv6
11:34 < grawity> could be a roundrobin of multiple servers
11:34 < _noblegas> Or - I just think the browser has proxy settings set up automatically - it's a corporate environment but the program tries to connect directly
11:34 < grawity> could be that, too
11:34 < grawity> browsers do automatically get proxy settings from various places
11:35 < _noblegas> Ok, but then if I connect to a different wifi network - then both the program and the browser can fetch the file.
11:36 < _noblegas> So in that case, does the browser automatically disable connecting through the proxy as soon as I switch network?
11:37 < _noblegas> And how does it know that for wifi A it should use the proxy but for wifi B it shouldn't
11:37 < _noblegas> I mean is it technically possible?
11:38 < _noblegas> For the browser to auto detect the proxy on wifi switching
11:43 < djph> sure - you'd need the DHCP server to provide proxy info.
11:43 < _noblegas> From your previous answer I assume yes
11:43 < _noblegas> Ok, got it
11:44 < _noblegas> Thanks a lot
11:45 < tehjanosch> _noblegas, probably the answer to your question is that from network A the traffic is blocked through a firewall, while it's allowed on network B
11:45 < _noblegas> It all suddenly makes a bit more sense.
11:45 < tehjanosch> and thus if your application does not understand or use proxy settings it wouldn't be able to reach the destination on network A
11:46 < djph> er, DHCP or DNS
11:47 < _noblegas> Cool thanks
11:48 <+catphish> doesn't auto proxy config have to come from DNS+HTTP?
11:49 < djph> apparently so, just read up on who supports WPAD via DHCP, and it's practically nobody.
11:50 < djph> (well, in terms of browsers -- but then again, no idea when the last update to the page was)
11:50 <+catphish> i can't think how the browser could even get the data from dhcp
11:50 < _noblegas> But how can then for example fiddler connect to the outside world? Is it also as smart as a browser in detecting the proxy?
11:51 < _noblegas> But anyway, thanks a ton guys
11:51 < _noblegas> Really you are very helpful
11:51 < djph> catphish: no idea, ask google (on Windows / ChromeOS only though)
11:52 < groupers> Windows gets wpad info, settings are in IE and other browsers use that. No idea about other operating systems
11:52 <+catphish> i guess it would work if the DHCP server knew to make the data available
11:52 <+catphish> *DHCP client
11:53 < _noblegas> Yeah I think wpad
11:53 < Atro> ew wpad
11:53 < groupers> IE proxy server settings apply to other browsers on Windows... At least chrome and Firefox
11:54 < groupers> I don't know in what other case wpad would be used, probably every other OS just ignores it
11:54 < Emperorpenguin> groupers: firefox... not so much
11:54 < Emperorpenguin> depends
11:54 < Emperorpenguin> can be configured to merrily ignore windows proxy settings
11:54 < Emperorpenguin> that's why I love it
11:55 < tehjanosch> firefox has its own settings
11:55 < tehjanosch> that's why it is great for testing but is horrible for any first level supporter :P
12:53 < NeilHanlon> Hey all--I have a probably simple OSPF question (I hope). I'm new to routing in general so please excuse my ignorance, I'm learning. We have a core Juniper stack with multiple VRFs, each with several vlans, and each attached to a single OSPF area that's exported to a few places, including some firewalls, SRX appliances, etc.
12:53 < NeilHanlon> Today we're going to be connecting that Core to our new network over L2 only while we move equipment into our new space. However, there is a management vlan for the new switches that's created on the new network which I'd like to share via OSPF with the core. Does this sound like it'll be a problem?
12:53 < NeilHanlon> From my (novice) understanding of OSPF, if I set up the neighbor relationship in the area I want to share, i should be able to let the new network route for this vlan, and the Juniper core will learn about it via OSPF
12:53 < NeilHanlon> (Also excuse the spam...)
12:57 < AlexCDev> Is there a way of connecting two (ethernet) subnets together with a wifi bridge such that they form a single subnet?
12:57 < AlexCDev> (subnet 1, incl dhcp)-----(Rpi) % % WIFI % % (Rpi)----(subnet2, w/o dhcp)
13:01 < regdude> that's called a transparent wireless bridge
13:02 < c50a326> hey what is addrCanonName in http://hackage.haskell.org/package/network-2.7.0.2/docs/Network-Socket.html#v:addrCanonName
13:03 < c50a326> this must be analogous with some C network programming thing
13:03 < lupine> 'The values of the addrAddress and addrCanonName fields are undefined, and are never inspected by getAddrInfo.' must be
13:03 < lupine> maybe it's the reverse lookup
13:04 < lupine> i.e., the value of the PTR record for addrAddress
13:04 < c50a326> maybe?
13:06 < c50a326> ah it's ai_canonname in getaddrinfo(3)
13:07 < c50a326> if the AI_CANONNAME flag was specified, getaddrinfo() will return the canonical name of the node corresponding to the addrinfo structure value passed back. The return value is an exact copy of the value returned by the name resolution function.
13:07 < lupine> ahh
13:07 < c50a326> well this doesn't tell me anything
13:07 < lupine> it means it'll probably be empty unless you're doing DNS lookups
13:08 < c50a326> what is a canonical name for a network socket, why would it need one... is this not the responsibility of naming services, outside of socket management...
13:08 < lupine> it's just a case of the addrinfo struct being used in multiple places
13:10 < c50a326> so if it's a local socket should I put localhost ?
13:11 < c50a326> and what's with the word "canonical"
13:11 < c50a326> have you seen the definition of "canonical" ?
13:11 < c50a326> this is horse shit...
13:12 < c50a326> I can't believe C and unix people allowed such a word to be used for this nonsense
13:13 < monoxane> stop being butthurt over people not knowing something and go ask the relevant channels, there's most likely a haskell support channel or group somewhere on the internet that has the answer to your question
13:13 < c50a326> monoxane: yo, this is not a haskell question, it's a networking question, and it's already answered, I get it now but I'm whining that it's stupid the way it is
13:14 < c50a326> I'm allowed to do that and I'm right, freedom of speech
13:14 < c50a326> so learn to actually parse and understand conversation before you be rude
13:14 < monoxane> freedom of speech doesnt meen freedom from being told to shut the fuck up
13:14 < c50a326> lol meen
13:14 < turtle> it's crazy how few people have any idea what that even means
13:15 < c50a326> whatever, it's quiet in here and it's the networking channel, a discussion about this whole "canonical name" thing that network sockets have is most pertinent
13:16 < c50a326> turtle: what what even means? canonical? the word or you mean in the context of a network socket?
13:17 < lupine> c50a326: you don't need to put anything in it
13:18 < lupine> but also, you can both fuck off with your overly aggressive attitude to a stupid fucking question about a stupid fucking piece of fucking cruft you fucking fucks
13:40 < OlofL> What is the key combination to get back to the OA prompt on a blade system c7000? i used "connect interconnect 1" but how do I actually get back to the OA console?
13:51 < Atro> dunno, try the servers channel
13:58 < Limona> hi
13:59 < Limona> can someone help me with a port forwarding problem
13:59 < Limona> i'm using TL-WR1043ND
13:59 < Limona> set the nat forwarding
13:59 < Limona> but it's not opening my ports up
13:59 < Limona> tcpdump reports nothing
14:00 < Atro> see firewall?
14:02 < compdoc> which port?
14:03 < groupers> Limona try temporarily disabling the firewall on your computer
14:05 < detha> groupers: ehm, tcpdump sees packets before they get processed by the firewall
14:06 < groupers> Didn't know that
14:07 < groupers> Limona what are the first two octets of the WAN IP?
14:10 < Limona> 93.103
14:10 < Limona> groupers fw is off
14:11 < Limona> port 1194
14:11 <+xand> 93.103 is not a port
14:12 < codydh> Hello! Is it germane to ask about WiFi troubleshooting here?
14:12 < Limona> xand Limona what are the first two octets of the WAN IP?
14:13 <+xand> oh.
14:13 <+xand> >.>
14:13 < detha> 1194? talking about udp here? have you told the router to include that?
14:13 < groupers> See the second section on this page https://www.tp-link.com/us/faq-785.html
14:13 < Limona> detha yes, it's on all
14:14 < Limona> groupers sec, let me screenshot
14:16 < Limona> https://imgur.com/a/q2Nz89n
14:16 < groupers> Limona some ISPs block certain inbound ports, if you've verified the router config try running on a different port - you may have luck with a higher port number
14:17 < groupers> That's blurry and I have no idea how to configure your router, just follow the troubleshooting guide from the second section in the link I provided
14:18 < groupers> Let us know if it works :-)
14:19 < groupers> And what exactly you had to do to fix it if you don't mind
14:19 < Limona> groupers that's exactly the result of that
14:19 < Limona> groupers excuse me?
14:19 < Limona> what do you mean what i had to fix?
14:21 < Limona> groupers would port 41194 work?
14:21 < Limona> or is that port one of the dynamic ones?
14:24 < Limona> changed it to 21194
14:24 < Limona> same problem, port is closed
14:26 < groupers> And you updated the port forwarding/firewall config in your router?
14:27 < Limona> yes
14:27 < Limona> it's as shown on the screenshot
14:27 < groupers> Send a screenshot of the config again that's higher resolution
14:27 < rhineheart_m> Guys, is it a wise idea to have our own fusion splicing machine?
14:27 < Limona> https://i.imgur.com/nNuDkcy.jpg
14:29 < groupers> ... I'm on mobile, guess Verizon is recompressing images to save bandwidth now, great. I can't read any of the text in that picture
14:29 < Limona> groupers basically it's set to 1194 to ip 192.168.0.105
14:29 < mrtnt> I have a qemu/KVM virtual machine which has its networking set up in a way that the physical interface eth0 in the host machine is bridged with the tap0 interface also in the host machine. Is it also possible to create a virtual machine in a way that it is directly using this eth0 physical interface?
14:29 < Limona> and it should work
14:30 < algun|home> Hey, can anyone explain https://krebsonsecurity.com/2018/07/notorious-hijack-factory-shunned-from-web/ to me. These are like domain squatters, right? But what are the chances that without them we would run out of IPv4 sooner?
14:31 < compdoc> mrtnt, maybe with passthru
14:31 < algun|home> Because unlike domains, you can't legitimately claim unclaimed ips right?
14:31 < groupers> Have you tried connecting from within your LAN?
14:31 < lbrun> algun|home: No, they aren't like domain squatters.
14:32 < compdoc> I create a bridge to each additional nic, and sometimes only one guest uses it
14:32 < algun|home> lbrun: Is that seriously all you're going to say?
14:34 < lbrun> algun|home: Basically they straight-up route IPs that belong to somebody else to themselves. The way that works is by buying transit from big ISPs that don't filter their announcements. If they then announce a smaller IP space out of a bigger one that the legit owner announces, it gets routed to them because smaller announcements are weighted higher than bigger ones.
14:34 < codydh> If I want to use a home's unused Coaxial wires to transmit Ethernet, are MoCA adapters the best option? Are these actually any good?
14:34 <+xand> algun|home: domain squatters actually own the domains. in this case they're someone else's IP address space - because IP address routing is mostly trust-based.
14:35 <+xand> +using
14:35 < eirirs> yuk
14:36 < mrtnt> compdoc: thanks, I'll look into this
14:36 < algun|home> lbrun: xand: Why doesn't the owner challenge the announcements?
14:38 < wallbroken> hi
14:38 < wallbroken> 224.0.0.251
14:38 < wallbroken> is pingable?
14:38 < eirirs> looks like multicast
14:38 < wallbroken> yes
14:38 < wallbroken> so?
14:38 <+catphish> algun|home: they're more like actual squatters, they don't pay for the IPs or have any registered ownership of them, they use them without anyone's consent
14:38 < lbrun> algun|home: The owners don't really have good options. You can try to get them disconnected by their transits, but that takes time. Or you can try announcing smaller blocks for your own announcements. But that means you have to have the infrastructure in place to actually split up and merge announcements quickly and detect the attack (depending on how far the routes propagate that is not easy).
14:39 < vavkamil> I need some help with restoring the original IP on nginx behind cloudflare
14:39 < groupers> Codydh they work, ISPs use them but I don't think you'll get great does, they add a small amount of latency
14:39 < groupers> *get great speeds
14:39 <+catphish> wallbroken: 224.0.0.251 is mDNS, any host involved in mDNS will respond
14:40 < wallbroken> catphish, only one is responding
14:40 < wallbroken> i have more other mdns devices
14:40 < codydh> groupers: Ah OK. I am trying to solve networking in an apartment with crazily crowded WiFi. I've only got coax and power in each room, and I can't imagine power would be better than coax.
14:40 <+catphish> wallbroken: well then only one host is 1) subscribed to mdns and 2) configured to respond to echo requests on multicast addresses
14:41 < algun|home> lbrun: But is that what they were doing here? Or were the IPs unused by the de jure owner? In which case, much like catphish's squatters, one could argue for "adverse possession".
14:41 <+catphish> on my network (which has lots of OS X) i get 5 responses
14:41 < wallbroken> catphish no, if i ping other devices with their address, they will respond
14:41 < lbrun> wallbroken: Depending on config, either some kernels don't respond to pings to multicast, or some switches care about IGMP and the pinging machine is not joined
14:41 < mikey_> Hi
14:41 < wallbroken> what do you mean with "subscribed to mdns" ?
14:41 < mikey_> What does the red color packet mean in wireshark?
14:42 < groupers> Codydh it's probably not a bad option then if the adapters are cheap enough. When I had FIOS they used moca from the fiber termination on the outside of the house to the router
14:42 <+catphish> algun|home: the people who own those IPs can't do anything, you have to understand IP ownership isn't enforced by law, only by casual agreement
14:42 < wallbroken> what do you mean with "subscribed to mdns" ?
14:43 <+catphish> algun|home: so it's up to the rest of the internet to enforce it on behalf of the legitimate owner
14:43 < Tegu> mikey_: they seem to be configurable, so you may need to check the configuration https://www.wireshark.org/docs/wsug_html_chunked/ChCustColorizationSection.html
14:43 < codydh> groupers: Looks like they're about $170 for a two-pack, so not super cheap. Weighing that vs. trying a mesh WiFi kit to at least get the access point closer to my main devices, but I've got to dig into whether that could even solve this type of problem.
14:44 <+catphish> you can't physically own an IP address, it's just a number, everyone agrees who can use them, so when someone acts in bad faith, all that can be done is to notice and remove them from the internet
14:44 < groupers> Codydh actually I think all the set top boxes were actually TCP/IP over moca too
14:44 <+catphish> wallbroken: a multicast IP is an IP that can go to multiple hosts, each host that wants to receive packets for that IP subscribes to receive them
14:45 <+catphish> wallbroken: so any host that wants to do mDNS on the LAN "subscribes" to the IP, and will receive packets addressed to that IP
14:45 < algun|home> catphish: ok i'm just saying, there's a lot of black in this image: http://maps.measurement-factory.com/gallery/Routeviews/20080301-s.png
14:45 < codydh> groupers: That makes sense. I'm not sure if it's using the same thing, but my FiOS ONT was originally Coax to the wireless router, so perhaps that was MoCA as well.
14:45 <+catphish> algun|home: right
14:46 <+catphish> algun|home: but nevertheless, everyone's agreed who has a right to those numbers
14:46 < algun|home> apparently not
14:46 < algun|home> i don't really care for the fact that IBM owns a big part of the internet
14:46 <+catphish> it's kinda not that different from physical ownership
14:47 <+catphish> society agrees who owns something, if there's a disagreement it can be arbitrated, if that fails, it's war, the most powerful majority wins
14:47 < groupers> Codydh yes I must have had the same setup
14:47 < algun|home> catphish: please do not destroy anarchism in a single sentence
14:47 <+catphish> lol
14:48 < groupers> Codydh how big is your apartment?
14:48 <+catphish> "society"
14:48 <+catphish> "society, it works (TM)"
14:48 < algun|home> catphish: Thanks for the chat mate.
14:48 <+catphish> algun|home: :)
14:50 < codydh> groupers: It's 2 bedroom, about 1100 ft2. The networking all comes in at one end, and my office is on the other. The Wi-Fi signal is strong enough (shows as "full bars" on my laptop, RSSI -70dBm, Noise -90dBm), but I get stuttering lag quite often, especially it seems in the evenings when my neighbors are likely using theirs more as well.
14:50 <+catphish> can someone from support help me? i can't ping www.bitcanal.com :(
14:50 <+catphish> :)
14:51 < groupers> Codydh you've checked with some sort of WiFi scanner what surrounding APs are on what channels and their strengths on both 2.4 and 5GHz?
14:52 < groupers> It's also possible the issue is your router, modem, or ISP. Try running hardwired for a couple days during those times and see if you still have the problem before buying anything
14:54 < groupers> It might also be wise to take stock of what other devices might be connected on your end during those times. And of course you should check for bufferbloat http://www.dslreports.com/speedtest?nav=2
14:56 < groupers> That's a small apartment, I can't imagine you would need mesh WiFi... The other really easy/fast/free option is to relocate your router higher and try changing the antenna orientation
14:58 < groupers> You could always replace the WiFi adapter in your laptop with a newer model if it doesn't support 5GHz, provided it's not locked to a certain model from the BIOS
14:58 < groupers> Lots to consider before making any purchases
15:00 < Limona> hey guys
15:00 < Limona> so an ip address of 93.103 is public right?
15:00 < Limona> I should be able to connect to my ports
15:03 < ||cw> Limona: it's not a reserved range, but that doesn't mean it's not firewalled
15:03 < Limona> kk i'll call my isp then
15:03 < ||cw> how are you trying to connect?
15:03 < groupers> Limona yes that's why I asked
15:03 < Limona> via openvpn
15:03 < Limona> udp
15:04 < ||cw> from some other place? are you sure it's not blocked from there?
15:04 < groupers> Limona can you connect from within your LAN?
15:04 < codydh> groupers: Yeah, they're pretty evenly distributed, so I've tried setting channels to those that are relatively less used but it doesn't seem to help. And when I'm experiencing the issue (NVIDIA GeForce Now is a great example), I can plug in to Ethernet and the problem disappears.
15:04 < Limona> yes i can @groupers
15:04 < ||cw> schools for example often block VPNs
15:04 < Limona> i get 0 packets delivered from outside
15:05 < Limona> so it's gotta be either the router or the isp's firewall
15:13 < detha> Limona: or just no connectivity at all from where you are testing. Can you ping the place you are connecting from ?
15:14 < detha> too late
15:14 < IAMfeelings> hello I have a couple of questions about wireless networking, who can help me?
15:16 < lbrun> IAMfeelings: Just ask the questions, somebody will usually answer
15:17 < stemid> I can't figure out the CIDR for 95.101.140.0 - 95.101.143.255 with a subnet calculator. can anyone help me?
15:17 < lbrun> stemid: Isn't that just a /22?
15:18 <+xand> yes.
15:18 < stemid> the calculator I'm using doesn't even let me select /22 right now. but I've been calculating subnets for a couple hours now, including /22.
15:18 <+xand> 95.101.140.0/22
15:18 < stemid> anyone got a recommendation for an online subnet calculator?
15:18 < lbrun> stemid: just use sipcalc
15:18 <+xand> http://www.subnet-calculator.com/cidr.php
15:18 < Aeso> this smells like homework, for the record
15:18 < lbrun> (CLI tool, but works very well)
15:18 < Atro> stemid: http://www.davidc.net/sites/default/subnets/subnets.html?network=95.101.140.0&mask=22&division=1.0
15:18 <+xand> Aeso: thanks, duly noted.
15:19 < stemid> heh I love that someone recommended sipcalc. I used to work with the guy who made it.
15:19 < stemid> thanks Atro
15:19 <+catphish> stemid: do you know how many IPs are in that range?
15:19 < Atro> hella
15:20 <+catphish> http://www.subnet-calculator.com/cidr.php is the obvious choice :)
15:20 < IAMfeelings> if I create a secondary address pool will that allow more people to connect to my APs?
15:20 < stemid> catphish: that's always the first one I find on google. but I rather like the one Atro linked because you can link to calculations with the url parameters.
15:20 <+catphish> IAMfeelings: if you've run out of IPs, sure
15:21 <+xand> IAMfeelings: depends what's currently limiting it.
15:22 < IAMfeelings> oh so it's possible, great :)
15:22 <+catphish> stemid: try to get a feel for what a /24 looks like, once you know that you can do a lot in your head (including your fairly easy example above)
15:23 <+xand> each time you decrement the number after the /, you double the size of the network
15:23 <+catphish> what xand said :)
15:23 < stemid> thanks, but it's not really my field. I am forced to use a subnet calculator maybe 5 times a year.
15:23 < stemid> and that works for me
15:24 <+catphish> the problem is you'll need to use trial and error, but it shouldn't take too long :)
15:24 <+xand> someone here got confused between 255.255.192.0 and 255.255.255.192 and we have overlapping subnets :X
15:25 <+catphish> oops
15:25 <+catphish> xand: stab them with a salad fork until they understand
15:25 <+xand> documentation claims they are the latter... they aren't
15:25 <+xand> catphish: sadly they are long gone. lots of bodged stuff left behind for me to clear up.
15:26 <+catphish> ah
15:26 <+catphish> fun new job?
15:26 <+xand> yeah....
15:26 <+catphish> they never tell you about the legacy subnets in the interview ;)
15:26 < lbrun> also network mask in ipv4 notation, gah
15:26 <+catphish> stupid legacy IP version
15:27 <+xand> yeah I don't like using subnet masks
15:27 <+xand> I have seen some stuff that uses them with IPv6, wtf.
15:27 < lbrun> WUT?
15:27 < lbrun> how many ffffs in there?
15:27 <+xand> many
15:27 < lbrun> 😀
15:28 < lbrun> I mean here they still teach class-based network sizes, so not surprising that some network people are still stuck in the last century
15:29 <+xand> CCNA has that rubbish in it last I checked.
15:29 < lbrun> You'd think that Cisco knew better
15:31 < lbrun> With these big orgs it's very weird sometimes, on one side Cisco does their own very advanced processor designs and Tbps of throughput per U and pretty innovative software (in some cases), and then on the training side they didn't get the memo that this has been dead for like 20 years
15:31 < Roq> It's still included in the CCNA yes but only to explain how it used to be and in relation to some routing protocols. You won't get exam questions on classes anymore
15:31 < lbrun> Roq: Ok, that makes it better
15:32 < lbrun> But honestly what routing protocols still care about this? OSPF/BGP and whatever control plane you run MPLS-TE on don't care
15:34 < Aeso> RIP, probably :P
15:36 < Roq> Yes it's outdated but it's only said as legacy networking as far as i know. It's in the same breath as hubs, coax, token rings, whathaveyou
15:36 < Roq> Besides, with an entry level you don't dive into MPLS right away
15:37 < Roq> entry level curriculum*
15:41 < Apachez> Start level 2
15:41 < Apachez> ... initiating game engine ...
15:41 < Apachez> done!
16:05 < purplex88> is download speed always statistical?
16:05 < skyroveRR> Whatcha mean?
16:06 < purplex88> is it a statistical figure / value?
16:07 < lbrun> explain statistical
16:07 < purplex88> lol
16:07 < lbrun> you mean distributed according to some density function?
16:08 < purplex88> i don't know
16:08 < detha> also, define 'download speed'
16:09 < purplex88> ah maybe by statistical i meant variability
16:09 < purplex88> changing
16:09 < lbrun> you mean is it normal for the download speed of your internet connection to be variable?
16:09 < purplex88> yes
16:10 < skyroveRR> If you can't define 'statistical' yourself, how can you even expect an explanation?
16:10 < purplex88> what does statistical mean?
16:10 < detha> for consumer-grade internet connections (i.e. oversubscribed to hell): yes. For business-grade with an SLA: no.
16:10 < lbrun> statistical makes no sense in that context
16:11 < skyroveRR> Representation of data is statistics.
16:11 < lbrun> if you're on a shared medium connection (DOCSIS, PON) or a bad analogue connection (ADSL, VDSL, g.fast) then yes
16:11 < lbrun> same for wireless (LTE, HSDPA, or WISP-style WLAN)
16:12 < skyroveRR> purplex88: basically no guarantee that you'll receive a defined speed at all times.
16:12 < purplex88> there is a statistical and non-statistical question..
16:12 < skyroveRR> Receive or transmit.
16:13 < lbrun> so you mean is the speed distribution governed by a density function? Or is it modelable by one? Is that what you mean by statistical?
16:13 < detha> lbrun: I wouldn't say it like that. There are WISP-style WLAN connections with SLAs, for example. And '1Gb/s Fiber' connections oversubscribed 1:50
16:13 < purplex88> i found this: https://www.illustrativemathematics.org/content-standards/tasks/703
16:14 < purplex88> "A statistical question is one that can be answered by collecting data and where there will be variability in that data."
16:15 < lbrun> I've never heard of that usage of the term
16:16 < skyroveRR> lbrun: in the networking context at least.
16:16 < lbrun> As somebody who has actually taken statistics courses at University/College, I've never heard it there as well
16:16 < skyroveRR> purplex88: so what's the answer to your question then?
16:38 < andrewSC> hi all
16:39 < andrewSC> Looking at some more theory-ish/technical impl. reading material and I've really enjoyed Computer Networking (7th edition) by Kurose and Ross
16:40 < andrewSC> Since I've been borrowing from the library I have to return it soon and would like to purchase my own copy. I noticed there's a paperback version of the same text but it's considered the "Global Edition"
16:40 < andrewSC> Anyone able to provide some insight into the difference between the paperback and hardcover copies? If they're identical I could save myself around $70 which isn't chump change (to me at least)
16:42 < ||cw> andrewSC: are you sure that's the same book? pearson doesn't list a global edition
16:42 < purplex88> skyroveRR: answer to my question is now, "yes"
16:42 < skyroveRR> Thanks.
16:44 < purplex88> because "speed" depends on many factors e.g. router, ISP, wifi, adsl etc. therefore, statistical i.e. there's no single answer
16:45 < detha> purplex88: practically correct, technically incorrect
16:45 < Roq> andrewSC: check the ISBN?
16:45 < ||cw> andrewSC: on amazon? it also says 7th, so it's just the paperback version. if you have a .edu email it looks like you can get a digital version for about $25 too
16:45 < purplex88> theoretically or technically?
16:45 < andrewSC> ||cw: interesting http://a.co/iqBCn0O
16:46 < andrewSC> i do have an edu email! However, I have a hard time consuming digital books personally :(
16:47 < andrewSC> hmmm
16:47 < detha> purplex88: technically. If there are no oversubscribed links between you and where you are downloading from, download speed is a constant, the contract rate of the slowest link in the path
16:47 < ||cw> andrewSC: yeah, that says 7th ed too
16:47 < andrewSC> cool cool
16:48 < Sout> I introduce thrift books. https://www.thriftbooks.com/w/computer-networking-a-top-down-approach_james-f-kurose_keith-w-ross/260997/all-editions/
16:48 < andrewSC> oh neat!
16:49 < purplex88> never really seen a constant download speed i mean sometimes my speed is 6000 kb/s and sometimes 5999 kb/s
16:50 <+xand> are you talking about the speed your line syncs at? or the number you see in a browser?
16:50 <+xand> the second one will definitely vary.
16:51 < purplex88> number in browser, yes
16:51 < Sout> sadly a quick check of the isbn: there is only the 6th edition andrewSC. but definitely check out thriftbooks for cheap books. but the k&r bible for like 5 dollars.
16:51 < detha> international edition. "Release Date: January 1910". These guys were way ahead of their time.
16:51 <+xand> it's going to depend on how busy any bit of network between your client and the server is. also on CPU usage both ends, etc.
16:51 < andrewSC> Sout: Yeah I was double checking the numbers too, unfortunate :( Definitely appreciate the share though!
16:52 < Aeso> purplex88, data transfers in discrete packets anyways. What does 6000kb/s even mean without a sample window? At a sufficiently granular timescale, there's either a packet being received or there's not.
16:54 < Aeso> I guess what I'm getting at is that when we talk about bandwidth for a given flow, it looks statistical in nature because we're sampling over a given time frame.
16:58 < AlexCDev> Hi, I'm trying to set up a standalone LAN comprised of two (ethernet) subnets connected through a bridge, and a single DHCP server on one of those subnets. I've set up one side ethernet->wifi (as an AP) but I'm struggling to get the other side working
16:58 < AlexCDev> I'm aware that bridging wifi->ethernet as a client is not possible, but I'm not sure where to go from here
16:59 < AlexCDev> (i should add, I became aware of the fact that wifi->ethernet is not possible when I tried to set it up just now)
16:59 < purplex88> aeso: statistical nature means same what I said earlier?
16:59 < ||cw> AlexCDev: bridging ethernet->wifi->ethernet is possible, but you need devices that support it.
17:00 < AlexCDev> I'm using a Raspberry Pi 3, which doesn't support WDS :/
17:01 < Aeso> purplex88, if you had perfect vision into every piece of equipment and could see every packet in and out of every device in the chain, the behavior is deterministic. It's just software/hardware making decisions. You can trace every packet and the devices will behave predictably.
17:01 < ||cw> last time i did it on consumer kit was dd-wrt and its client-bridge mode
17:01 < ||cw> AlexCDev: WDS isn't relevant to bridging
17:01 < jvwjgames> i have a question if I asked my local Data Center where i have colo space do you think they would let me put a Wireless backhaul up on the roof
17:02 < detha> jvwjgames: if you pay them enough, they will
17:02 < Aeso> But the second you start looking at the behavior of lots of packets over a time scale, you're drawing statistical conclusions about those packets
17:02 < detha> (but 'enough' is generally not a low number)
17:02 < jvwjgames> ok cause i have ipv6 space from arin and they are advertising it i am trying to start an isp
17:02 < ||cw> AlexCDev: if you're trying to use Pis as a wifi bridge, IDK how to make that go, but I'd assume it possible with the right bridge interface and kernel mode configs
17:04 < ||cw> AlexCDev: it would at the very least involve joining the pi to the wifi, then make a bridge interface between the wifi and the eth. might require not setting an IP on the wifi and eth interfaces and instead set it on the bridge
17:05 < purplex88> aeso: yes makes sense. so "statistical" means change over time
17:05 < ||cw> AlexCDev: assuming the wifi driver even has the support for it
17:05 < AlexCDev> ||cw: I'm using bridge-utils, which blocks me from adding wlan0 when creating a bridge :/
17:05 < ||cw> better to use a dedicated device, many wifi repeaters can be a bridge too
17:07 < Aeso> purplex88, not inherently. I'm saying that when you take a discrete function and you approximate a continuous function to it, you introduce errors and those errors tend to follow a statistical distribution (which should make sense given that it is by definition noise)
17:07 < ||cw> AlexCDev: then the driver likely doesn't support it.
17:12 < lbrun> AlexCDev: Pi3 wifi is notoriously bad too
17:12 < AlexCDev> I'm going to take a nap and think about this
17:12 < AlexCDev> lbrun: in what sense?
17:12 < AlexCDev> speed?
17:12 < lbrun> very slow
17:12 < lbrun> and bad latency depending on the power state of the SoC
17:13 < AlexCDev> that might be quite relevant, I'm trying to set it up to route a stream of 720p video as an embedded system
17:13 < lbrun> so the whole network goes ethernet -> AP -> Pi -> embedded device?
17:13 < lbrun> or is the Pi the embedded system?
17:14 < AlexCDev> Yep, but the AP is another pi
17:15 < AlexCDev> I don't really have much choice when it comes to hardware
17:15 < lbrun> I cannot think of a way this will give you any reasonable stability
17:15 < lbrun> How much bandwidth is your 720p stream and how much buffering is acceptable?
17:16 < AlexCDev> I'm going to have to look up the bitrate, it's a version of 'big buck bunny'
17:17 < AlexCDev> iirc someone reduced the bitrate for this system
17:17 < my_mind2> does this channel allow talking about emails?
17:18 <+xand> my_mind: if you wish
17:18 < lbrun> I've done 10Mbps @ 2s Buffer soft-realtime over WLAN, but that was with a fully clean 5GHz 80MHz channel in DFS (in a region where there is no Radar whatsoever) dedicated to the transfer and a Unifi AP-AC sending and a high-end Intel card. Base speed was 500Mbps up/down.
17:18 < lbrun> AlexCDev: Why do you want to send Big Buck Bunny over a wireless bridge made up of RPis?
17:19 < my_mind> i'm trying to understand why companies don't know about email forwarding. if they pay for a domain at Google Domains, they can get 100 free email addresses, forwarded to real gmail or yahoo email addresses... for the price of one domain a year
17:20 < lbrun> my_mind: What is the question here?
17:20 < Sout> lbrun, it's a hi res free / cc movie. so it is useful for simulating streaming movies etc. (as to why big buck bunny)
17:20 < AlexCDev> lbrun: A company built a system for some kind of proprietary wireless link, and produced a demo showing it off
17:20 < AlexCDev> the long and short is the demo broke, and I'm rebuilding it with different hardware
17:21 < lbrun> Sout: I did know what BBB was, but thanks
17:21 < my_mind> lbrun: is it reliable? Can it be used as a business email instead of paying for each email address for $5 per user per month
17:21 < Sout> ah k :D
17:21 < AlexCDev> the code+hardware is proprietary, so I can't just reuse anything
17:22 < AlexCDev> lbrun: would the bottleneck be in the actual wifi adapter itself? or the processing power of the Rpi
17:22 < AlexCDev> I could probably get my hands on two cheap usb adapters
17:24 < lbrun> AlexCDev: Basically the Pi3 is horrible on IO, since its Broadcom SoC only has one USB2.0 peripheral (for everything, including Ethernet, USB, ...). For the playback you'd need to use a hardware decoder anyways. The Pi3 one works, but is pretty bad compared to a reasonable decoder (like the Rockchip one).
17:25 < lbrun> But your stream is probably low-bandwidth enough that you can still use it.
17:27 < lbrun> AlexCDev: USB adapters would certainly help, you can get ones with much better specs than the rather lousy RPi3 built-in antenna. But you'd really need to test for latency and processing power limitations. Also depending on the external RF conditions of the demo area you're in for some bad latency spikes when anything else sends on your channel (which for 2.4G is always).
17:28 < lbrun> (also note that I'm always talking about a RPi3 or 3+, I wouldn't touch anything like this on the older versions)
17:30 < my_mind> lbrun: so what do you think of that email system?
17:32 < lbrun> my_mind: Is it reliable from a theoretical standpoint: Yes (SMTP ensures that). But in reality you almost never want to do this because the providers you forward to do drop mails, don't offer any support, and get access to all your business email. Depending on the industry there are also legal risks associated. If the 5$ per month is really too expensive, host yourself. It's extremely cheap (a few VPSs
17:32 < lbrun> rented at reputable providers run like 100$ a month) and provide Email for 10'000s of accounts.
17:33 < lbrun> For a few examples why this is bad specifically: Let's say a user loses access to their Yahoo account their company email is forwarded to. What do you do now?
17:33 < AlexCDev> lbrun: I'm going to have a break for a bit, thanks for the help
17:33 <+xand> why would you want your business to use a random selection of personal email addresses?
17:34 < my_mind> lbrun: i understand
17:34 < lbrun> AlexCDev: You're welcome. Just mention me if you have another question.
17:34 <+xand> that's about as professional as using mycompanyname@yahoo.com
17:34 < my_mind> xand: not personal emails. gmail addresses for business use only
17:35 <+xand> my_mind: if it's @gmail.com then it's personal
17:35 < my_mind> well it's required to make the email forwarding work
17:36 < my_mind> if the employees had real business email addresses, then they wouldn't need the forwarding system
17:36 < my_mind> but i'm not gonna use it anymore, realizing that the messaging company will have access to all the emails I get and send
17:37 < my_mind> not so secure at all
17:37 <+xand> the email forwarding system is a bad idea for business use.
17:37 < my_mind> why is it available, then? I'm trying to understand why that service is offered and for who?
17:43 < my_mind> what if I use Google Domains forwarding and Google Gmail together? Would that solve the security issue that the forwarding system reads the emails?
17:44 < my_mind> Email encryption could be used
17:46 <+xand> my_mind: unless you use encryption e.g. PGP, email is not safe
17:46 <+xand> forwarding or not
17:46 < Wastedone_> While testing an app we are creating that has an API for our MS SQL DB we found that if you're connected to the local WiFi network nothing works at all but over cellular no problem and if you use an outside WiFi network no problem. We asked the designers of the app if there was an issue with the app, they told us no, the issue must be with the firewall.
17:46 < Wastedone_> Do you know where we can look to try to fix this; should we check the Barracuda web filter or the Cisco router, and what should we be looking for?
17:48 < regdude> should a bridge without IGMP Snooping forward all IGMP messages? Or should it block some? For example, should it forward membership reports even though there is no multicast router
17:50 < spaces> xand PGP has been cracked as well
17:51 <+xand> er no not really
17:51 < regdude> only MIMEs
17:51 <+xand> certain client implementations were buggy...
17:52 <+xand> not related to the actual encryption
17:52 < spaces> and that is weird why multiple had that
17:53 < my_mind> so for a company with 15 employees, it's better to use GSuite or Office 365 and pay the $5 per user per month?
17:53 < spaces> I would setup my own server
17:53 < spaces> simple to do
17:53 <+xand> that is not good advice.
17:53 < regdude> it was more of a logic problem
17:53 < my_mind> the company i'm talking about has an exchange server.
17:53 <+xand> it's simple to setup a server. it is not simple to set one up properly unless you actually know what you're doing.
17:53 < my_mind> it's not acting right, too many issues with CBL blocking
17:55 < spaces> xand lots of projects these days do the tricks for you, including DNS
17:55 <+xand> uhuh
17:56 < spaces> xand don't do that, hot women say the same to me when they try to admit my sexiness
17:56 <+xand> uhuh
17:56 * spaces is getting into his season
17:56 < my_mind> spaces: you're full of spaces
17:56 < spaces> my_mind don't mention my holes please
17:57 < spaces> they are my privates
17:57 < spaces> ^ talking about secure
17:57 <+xand> maybe you should fill them.
17:57 < my_mind> with open source code
17:57 < spaces> with beer and steak, good idea!
17:58 < spaces> my_mind no then they stay open
17:58 < my_mind> hmm... that's what you would call a "loop hole"
17:58 < my_mind> LOL
17:58 < spaces> I always floss that :P
18:00 < my_mind> rackspace.com has the coolest domain name ever
18:01 < Aeso> regdude, why would a client generate a membership report if there isn't a local multicast router creating membership queries?
18:01 < alabaster> I know this is probably not the place to ask but I'm still on a CCNA/P kick mixed with security so in videos I watch for some later CCNA stuff they show wireshark showing the devices on their network and of course my brain is like.. I want to do that on my own network. It's just my extremely long term girlfriend and she's of course in the know.. but as for just starting out. I guess seeing your own devices communicate in a
18:01 < alabaster> more open light really isn't so easily done is it?
18:01 < alabaster> it's me and my*
18:02 < UncleDrax> not sure what you're really asking.
18:02 < alabaster> my situation is I buy another USB WiFi adapter obviously with monitor mode because first step. I see nothing but broadcasts and housekeeping packets
18:02 < UncleDrax> turn on wireshark. see traffic your NIC receives. step3: profit
18:02 < UncleDrax> yeap
18:03 < alabaster> I know my own router pword so that's not the issue
18:03 < alabaster> UncleDrax but I want to see my phone and desktop
18:03 < UncleDrax> oh right for wifi in a promiscuous WiFi adapter, you should in theory see all traffic in the air. make sure the WiFi nic is setup appropriately.
18:03 < alabaster> well my desktop is wired so I will hook an old wifi adapter to it
18:03 < alabaster> UncleDrax Monitor mode
18:04 < alabaster> because due to the nature I learned of wired connections obviously my router won't send packets to the desktop to me
18:04 < spaces> my_mind why that ?
18:04 < alabaster> unless I do something intrusive to my own router
18:05 < alabaster> ethernet of course isn't designed to be intercepted unless it's oldschool like a hub
18:05 < my_mind> spaces: slogan could be: "We offer racks... email server racks!"
18:05 < UncleDrax> for switches, you'd have to setup a port-mirror
18:05 < UncleDrax> if the device supports it
18:06 < spaces> my_mind eh ?
18:06 < alabaster> UncleDrax yeah. And no probably not
18:06 < alabaster> spaces sorry thought you were asking me a question
18:06 < my_mind> spaces: i thought you were asking me why i thought rackspace.com was a cool domain name
18:06 < UncleDrax> but anyway. make sure there's no OS-level requirement/tweak and you're not missing a flag in wireshark. you should be able to see all the traffic in the air
18:06 < alabaster> UncleDrax my router is an old Linksys N router
18:07 < my_mind> gotta go to work, peace!
18:07 < alabaster> I've been trying on the horribly community hated "K" distro of Linux but also tried Ubuntu
18:08 < alabaster> With both "K" Linux and Ubuntu I see more and pick up some really old wifi network bridge scanning my neighborhood
18:09 < alabaster> but I do not care about others ARP broadcasting to me for some odd reason. I assume it's just the nature of that weird device in my area
18:09 < Aeso> alabaster, it could be the windows drivers for your NIC don't support promiscuous mode
18:09 < alabaster> I know I'm only W10 as a daily driver. I'm testing with Linux
18:10 < alabaster> Windows by default doesn't allow room for playing around even with your own network
18:11 < cpplearner> Is there a dedicated linux manual page for tun/tap? What's the most authoritative one I can find?
18:12 < alabaster> Here's what I learned in essence the only way to see traffic now-a-days is mostly intrusive or tricking my router either way. Beyond that you won't see much because obviously TLS
18:13 < alabaster> BUT others have had success
18:13 < Aeso> success in what, exactly?
18:14 < alabaster> I'm still learning and I never even see a "GET" one time I got DNS info but it was wrong
18:14 < UncleDrax> What is best in life? Something something about laminating women.
18:14 < alabaster> Aeso just something simple as watching your own network's traffic
18:15 < Aeso> alabaster, trying to sniff and decrypt 802.11 frames out of the air can be a pain and in most cases is more work than the alternative
18:16 < alabaster> Aeso that's what I am learning.
18:16 < Aeso> Port mirroring on any better-than-prosumer equipment (switch/router/etc) is pretty trivial.
18:17 < Aeso> Though you're still right: If the client you're trying to monitor uses HTTPS/TLS, you're not going to have any visibility into the payloads anyways.
18:17 < UncleDrax> not without some serious work anyway
18:18 < alabaster> Aeso in essence what you are saying is even my own network.. The only alternative to learning deep about what's inside network traffic is only to use what would be considered "intrusive" or "exterior" means
18:18 < UncleDrax> if it's encrypted, sure
18:18 < alabaster> Aeso Port Mirroring is only on mid-tier or enterprise routers right?
18:19 < UncleDrax> pretty much I got a $60 mikrotik that can do it
18:19 < UncleDrax> and any enterprise capable switch made in the last 20 years would support it, so you could find one used
18:19 < alabaster> What's that UncleDrax?
18:19 < Aeso> alabaster, almost all of the switch ASICs can do it, but whether the manufacturer bothered to support it in their software is another question entirely
18:20 < alabaster> It's a Belkin F538233v4.3
18:21 < Aeso> alabaster, no one here is going to be able to tell you off the top of their heads what features your shitty consumer router is going to support :P
18:21 < UncleDrax> I wouldn't expect Consumer-grade gear to support anything like that by default
18:21 < Aeso> yeah, generally the answer is no
18:22 < alabaster> Aeso I know i'm just showing the fact it's a cheap consumer router
18:22 < Aeso> alabaster, sounds like it's time to upgrade, then :)
18:22 < alabaster> Well I am learning Cisco
18:22 < UncleDrax> so pick up a cheap Cisco
18:23 < alabaster> But to learn depth of R and S I am using emulators or Virtual real gear
18:23 < alabaster> which thank you Cisco for virtually allowing your virtualized gear to stay adrift on the internets!
18:23 < alabaster> I am brand loyal now
18:23 < UncleDrax> *shrug*. it's all software
18:24 < UncleDrax> you shouldn't be brand loyal
18:24 < alabaster> well literally it is
18:24 < UncleDrax> most major Manu's have virtual offerings of their network OSes now a days for x86 platforms
18:24 < Aeso> Cisco's not worth your brand loyalty these days imo
18:24 < UncleDrax> well dunno about most really.. but many do
18:25 < alabaster> UncleDrax I guess not. But I am learning since a friend's father is an Architect and after getting Cisco certs I may be able to learn more under him
18:25 < UncleDrax> if it works for you, then rock on sir-and-or-ma'am.
18:25 < alabaster> haha
18:27 < alabaster> Well I guess instead of wasting more time I'll just go back to learning networking. I'm not looking to do any ARP messing around, exploits, or malware just to watch traffic fly in detail on the fly to learn
18:27 < UncleDrax> most of the CCNA is fundamentals, some of it is how to apply those specifically to Cisco gear. If you take the CCNA as a mechanism to learn about STP and OSPF, the syntax to do it will change on JunOS or FastIron or whoever, but the basics are the same.
18:27 < alabaster> I guess that goes into a whole different territory which isn't my intention
18:28 < alabaster> spanning tree, obvious path, Vlans and trunking/tagging
18:30 < alabaster> is STP hard to grasp in better detail UncleDrax?
18:30 < UncleDrax> it's a thing made of other things with many knobs you can tune, and in most cases, you should never touch
18:30 < Aeso> there's not much to grasp, it's pretty basic
18:30 < alabaster> I'm also curious just how much vlan knowledge is needed
18:31 < alabaster> other than just obviously knowing that it exists and the means and what it do 802.1q
18:37 < CuriosTiger> alabaster: STP is one of those things where the concepts are relatively easy to learn but the technology is still hard to master.
18:37 < CuriosTiger> Kind of like chess.
18:37 < UncleDrax> you should get sufficient knowledge to accomplish the goal you have. like anything else
18:37 < CuriosTiger> VLANs are simpler.
18:37 < alabaster> UncleDrax I need to stop spreading myself too thin....
18:38 < UncleDrax> alabaster: depends how you learn and what your goal is
18:38 < alabaster> UncleDrax I have other friends going up the chain. And as we all know education and Certs have "PATHS" but they are all telling me the emphasis now a days on while learning more advanced networking still learn advanced 802.11 and still learn advanced SECURITY SECURITY SECURITY
18:40 < alabaster> MAINLY combine CCNP with SECURITY but at the same time I find that you just run into: "Don't mess with TLS"
18:41 < alabaster> Maybe it's just my opinion but you can't have it both ways
18:41 < Aeso> firstly, learn whatever interests you. You'll be happiest in positions related to the shit you find interesting
18:41 < alabaster> CuriousTiger Thanks I just saw your responses
18:42 < Aeso> secondly, I don't know what 'don't mess with TLS' means, but if you like security you definitely need to understand the mechanisms and protocols that drive TLS lol
18:42 < alabaster> Aeso I find it all equally interesting. Well except that now a days 802.11 is so vast and a field of its own
18:43 < UncleDrax> Bah-Humbug to WiFi
18:44 < alabaster> Aeso it means everyone says learn Security. As in learn the networking and R and S and then ways to secure and break it but don't grey hat it
18:44 < UncleDrax> by R & S you mean 'Route[ing] and Switch[ing]' ?
18:44 < alabaster> yes
18:44 < UncleDrax> just making sure
18:45 < UncleDrax> namespaces and all
18:45 < alabaster> well yeah not the S's and Secs that go along with the protocols
18:45 < Aeso> imo it's not worth learning security until you understand the network, servers, and services security aims to protect
18:45 < alabaster> I understand them.
18:46 < Aeso> you could be a security whiz, but without prior work experience in sysadminning and networking there's no way I'm going to contract/hire you 18:47 < alabaster> That leaves me with another question when I ever I ask architects or even engineers about servers and nodes they all say "Don't focus on that, It's all IP address I see when doing actual work" 18:47 < Aeso> alabaster, that'd make sense if you're talking to _network_ architects and _network_ engineers lol 18:48 < UncleDrax> so an network architect is someone that just plays in Visio all day and not actually touch hardware, and an engineer is just someone that supervises the people that actually do the work are doing what they need? 18:48 < alabaster> Aeso that's what I am asking. I was told to stay on course of Routers and Switching not focus on System administration and Servers just IOS 18:48 < Aeso> alabaster, what is your end goal, here? 18:48 < alabaster> he does both 18:48 < UncleDrax> alabaster: depends what you want to do 18:49 < alabaster> Well you don't start out as an architect so I guess networking engineer or tech 18:50 < UncleDrax> information too general. please try again 18:50 < UncleDrax> How do you feel about... VoIP phones? 18:50 < UncleDrax> How do you feel about... SANs? 18:50 < Apachez> when shit hits the fan https://github.com/eslint/eslint-scope/issues/39 18:50 < alabaster> So I've been upping my Linux game and Routers and Switches and Protocols and subnets, Vlans, etc etc. Like UncleDrax said and maybe you STP. OPFS or whatever and other routing/routed methods 18:51 < Dalton> BGP would be a good one to learn 18:51 < alabaster> Voip no. Cloud later. 18:51 < alabaster> BGP as well 18:51 < Dalton> but might be a bit ahead of you 18:51 < Dalton> for now 18:51 < alabaster> SANS. 
HELL NO worked in two hosting companies before 18:51 < alabaster> I want to stay as far away from servers as possible 18:52 < Apachez> but servers likes you 18:52 < UncleDrax> alabaster: do you want to be a plumber, electrician, or carpenter. All use a screwdriver. You should not define your goal by the tool you want to use. you should define it by what you, personally, want to do day-in-day-out. 18:52 < Apachez> they wanna cuddle with you 18:52 < alabaster> Metro and lease lines. The WAN Cloud 18:52 < Dalton> hosting websites is way different then servers imo 18:52 < Apachez> put those fibers around your neck while screaming: WHO IS YOUR DADDY!!!??? 18:52 < alabaster> Dalton Datacenter 18:52 < UncleDrax> Apachez: WHO RUNS FIBERTOWN?! CORNING RUNS FIBERTOWN! 18:53 < Apachez> dalton datacenter? 18:53 < Apachez> runned by Acme Inc. ? 18:53 < alabaster> I got paid 12 an hour to do minial work in a datacenter is what I am saying 18:53 < alabaster> and troubleshooting and tech'ing 18:53 < alabaster> EFFF that again 18:54 < alabaster> I want nothing to do with a datacenter again unless I am talking to them by phone telling them what to do 18:54 < Dalton> that was just a shit job. DC stuff is fun 18:55 < alabaster> Cheap hosting companies with their own Datacenters is a dime a dozen. I refuse to go back 18:55 < Dalton> cheap hosting companies don't own their own DC, just renting space 18:55 < alabaster> in fact Dime was in the name where other friends worked if that tells you anything 18:56 < alabaster> Dalton nah 18:56 < UncleDrax> or they define a 'DC' as a conditioned room with racks in it 18:56 < alabaster> this company did a bit of everything except they fell behind because they are refusing to delve into better Cloud services 18:56 < Dalton> UncleDrax: sounds right 18:56 < alabaster> UncleDrax. Large Datacenter 18:56 < Dalton> no UPS/Genset/etc 18:57 < UncleDrax> 'Large' is a relative term. 
requires more specificity 18:57 < UncleDrax> but tbh, doesn't matter 18:57 < alabaster> about a quarter the size of a mall maybe larger almost a hotel inside 18:57 < UncleDrax> a 10x10 room is 'Large' to someone that runs a single rPi. 18:58 < UncleDrax> a 1mil sqft DC is small to players like Google 18:58 < alabaster> They have a physically and literally large Datacenter 18:58 < alabaster> have/had I don't know now. Everyone quit that worked there 18:58 < UncleDrax> ya fair enough 18:59 < UncleDrax> you do scut work? cabling, remote hands, rack & stack? 18:59 < alabaster> the highest tier support and tech got 20K they cut corners and don't care 18:59 < alabaster> nope 18:59 < alabaster> I'm small I'm surprised I wouldn't have 18:59 < Apachez> https://imgur.com/gallery/nQEtjZt 19:00 < alabaster> maybe cause I wasn't very happy I was not allowed to touch equipment in fear of kicking it to death 19:01 < alabaster> monitoring, keeping things up, things going down. Things not working properly beyond physical layer stuff 19:01 < alabaster> working tix 19:01 < alabaster> the usual 19:01 < alabaster> Usual customer created problems 19:02 < compdoc> Apachez, talented 19:02 < alabaster> This was years ago so forgive my bleaching it from my brain 19:02 < UncleDrax> well the good news is it sounds like you ave the proper level of attitude about customers to advance your career. 19:02 < compdoc> I got some bleach on my brain once. things smelled funny 19:03 < UncleDrax> like oranges? 19:04 < alabaster> Its not their fault 19:04 < alabaster> I'm not trying to sound like an ass 19:05 < alabaster> As I get older my problem solving methods have advanced from obvious reasons to solution than just starting at human error 19:06 < alabaster> or client inaptitude 19:07 < alabaster> compdoc do you smell toast? 
If you do hopefully it's not an aneurism starting 19:07 < compdoc> it would give mne something to do, at least 19:07 < alabaster> Hey guys what is chat if venting wasn't a safe haven here???? 19:08 < UncleDrax> .. who said anything about this being a safe haven? 19:08 < alabaster> hahahaha 19:08 < alabaster> I like your style 19:08 < ||cw> what about fudge? do you smell fudge? 19:08 < detha> alabaster: you are starting to sound like the stereotypical old mechanic. "No matter what make the vehicle, the problem is always that one nut. The one behind the wheel" 19:08 < skyroveRR> lol 19:09 < alabaster> Everyone starts somewhere isn't the first thing re-onboarding cPanel training and resetting Passwords for clients? or is that just me??? 19:10 < alabaster> detha: my knees hurt. My cain is to stiff 19:11 < alabaster> detha: this walker they sold me is shi* 19:11 < alabaster> I like you guys 19:12 < ||cw> alabaster: lol mine was walking people though setting up windows 95 for dialup, it's a little sad how often I had to explain to people that they had to hang up in order to try connecting to the internet 19:13 < alabaster> anyway you guys are right AS ALWAYS. Back to CCNA/P. Everything else is counter-productive 19:13 < alabaster> I literally just laughed 19:13 < alabaster> cw you made my day 19:13 < alabaster> ||cw: you are a strong man 19:14 < Dalton> alabaster: start with CCENT 1st 19:14 < alabaster> or woman 19:14 < ||cw> ask me about the newsgroup guy some time. 19:14 < alabaster> Dalton: I'd like to think I am beyond CCENT. Even though I know refreshing is always good 19:15 < Dalton> okay - cool 19:15 < alabaster> but I did that. I'm still fairly knowledgeable 19:15 < alabaster> as long as subnetting is still mostly classless I think I might be alright? wait... right? 19:16 < UncleDrax> that question doesn't make sense to me 19:16 < alabaster> I have sat down and messed with emulators. 
I can still implement (while although it takes me some time)
19:17 < alabaster> well I never subnetted or learned until recently. So I spent a week or two on Class C and asking around most say you won't be doing much of other Classful subnetting if you get Class C down you're alright
19:18 < CuriosTiger> ...you won't be doing much classful anything anymore.
19:18 < alabaster> Although I got on the security kick and subnetting is slightly leaving my brain
19:18 < CuriosTiger> Once you can carve up a /24, you can carve up a /16 or a /8 too.
19:19 < alabaster> CuriosTiger: yes. And guys what he is saying
19:19 < alabaster> my goal was to learn subnetting on the fly w/o paper
19:20 < UncleDrax> you should learn the math.. but if you just want to do it, just memorize a single octet (or if you can work one of those fancy chart things ppl come up with in your head, that's fine too)
19:20 < UncleDrax> should vs 'make it work'
19:21 < alabaster> I almost got there. Learn the fundamentals and what it is before learning to short cut or cheat sheet
19:23 < alabaster> UncleDrax I think I learned the math. Memorized the numbers and hosts and nets and then memorized charts
19:24 < CuriosTiger> memorization != learning.
19:24 < CuriosTiger> do you understand how to derive one of those charts?
19:26 < alabaster> It's slipping from my brain. But first I learned the knowledge of subnetting and why and whats and then binary powers and math needed
19:26 * CuriosTiger likes to ask subnetting questions during job interviews.
19:28 < UncleDrax> alabaster: start counting on your fingers in ^2
19:28 < alabaster> CuriosTiger. I spent a week or two. I went from concept to knowledge to what the internal short cutting was referencing '
19:28 < alabaster> Yep did that 1 2 4 8 16 32 64 128 255 ++
19:28 < hagbard> Converting CIDR to netmask?
I used to add the leading bits of the incomplete octet until I realized there are only 8 possible values per octet and now I have them mostly memorized by habit.
19:28 < alabaster> and masks and bits
19:29 < hagbard> 128 192 224 240 248 252 254 255
19:29 < alabaster> even went further but I need to refresh it all since I spent the last month on security
19:29 < hagbard> err, I guess there's technically a 0 at the beginning of that list.
19:29 < UncleDrax> all-0s is best subnet
19:30 < alabaster> hagbard: yes the whatever backwards
19:30 < hagbard> At school, when I was a TA, I liked to give students wacky addressing, like I'd tell them to use 172.16.1.0/22 as their gateway.
19:30 < hagbard> or 172.16.1.255/22
19:30 < alabaster> borrowed bits and such and memorizing binary and
19:31 < alabaster> bitwise I mean and visualizing in my head the binary to octets or what have you
19:31 < UncleDrax> isn't it still considered bad practice to use those even though anything in the last 10+ years should do subnet-0?
19:31 < hagbard> I'd also use 172.144.22.49 often instead of 127.0.0.1
19:31 < alabaster> the equation leave 2
19:32 < alabaster> for broadcast and network
19:32 < hagbard> UncleDrax: I never claimed to be a good TA. I think it's a bad practice to use such addressing, yes, because it can be confusing. I did it to illustrate/reinforce the rules.
19:32 < UncleDrax> fair enough
19:33 < hagbard> I actually had to look subnet-0 up. Updating my earlier example, 172.16.5.0/22 or 172.16.5.255/22.
19:33 < alabaster> I need to rehash though. See guys focus one specialization at a time. Either way. Taking a couple tests only subnetting I was able to on the fly in a minute answer the questions correctly with one or two wrong
19:34 < hagbard> What originally warranted the restriction subnet-0 is overriding?
19:35 < alabaster> but my question always was are tests or real world going to ask you now-a-days to subnet class B or A???
19:35 < alabaster> like is that many hosts or networks even ridiculously necessary
19:36 < hagbard> I think people only refer to subnets as class A, B, or C as a shorthand for a /8, /16, or /24. Originally, the classes also indicated what range of address space they were allocated from.
19:36 < UncleDrax> yus. but you should avoid using the letter names for subnets
19:36 < Aeso> People subnet 10.0.0.0/8 all the time :)
19:37 < hagbard> UncleDrax: Any particular reason for that?
19:37 < UncleDrax> aside from Classful networking being no longer used, ppl also use them incorrectly.
19:37 < Aeso> hagbard, because every piece of networking equipment made in the last 25 years supports classless networking
19:38 < hagbard> I meant any reason not to use the class designations as a shorthand for the size. I don't think anyone seriously means a classful network when describing a class C.
19:39 < Aeso> hagbard, if you need a more verbose set of terminology to describe all of the subnetting options, why intermix a set of legacy terminology?
19:39 < hagbard> Also, I've long wondered why 127.0.0.0/8 was loopback, yet 191.255.0.0/16 and 223.255.255.0/24 weren't.
19:39 < UncleDrax> a Class C network is explicitly a network that starts with 110... it's not defined by the number of hosts, rather by the state of the bits in the network portion of the addressing
19:40 < UncleDrax> therefore, I think it'd be incorrect to say 'A Class C network in the 10.x.x.x' space.
19:40 < alabaster> Yes my friends said remember the reserved classes and their address not class. But don't worry about the subnets for the classes it's all classless now and has been
19:40 < hagbard> UncleDrax: Agreed, technically, it's incorrect. That's why I was clear to indicate, "use as a shorthand."
19:40 < UncleDrax> ya true
19:40 < UncleDrax> but it's a bad habit that should die out
19:41 < UncleDrax> and I've seen it confuse new people
19:41 < alabaster> UncleDrax: was that a yes or a no?
19:41 < alabaster> to me it seemed you implied a yes and a no
19:41 < varesa> why mis-use classes instead of using /8, /16, etc?
19:41 < Aeso> Imagine talking to a new technician who understands classless subnetting and has never learned the classful definitions. You spend a week talking with him about /18s, /22s, and then bust out 'Class C' network
19:41 < alabaster> varesa: that's the answer I needed
19:42 < Aeso> he's going to look at you like you grew another head lol
19:42 < hagbard> It's not like there are all that many classes.
19:42 < UncleDrax> tbh if you say class D or E space, i'm cool with that.
19:42 < UncleDrax> but A/B/C.. negative. plxstopkthx
19:42 < hagbard> I'm not arguing that it's a good idea, but I don't think it's terribly harmful, on the other hand. There are more egregious misunderstandings and misconceptions in networking.
19:42 < UncleDrax> that is true
19:42 < alabaster> hagbard if given a technically address of B or A then a person would calculate a ton more hosts/networks
19:43 < hagbard> For example, technically, at layer 2, you should use the terms frames and octets instead of the layer 3 terms, packets and bytes.
19:43 < UncleDrax> most experienced network ppl will know exactly what you mean if you use classful terms
19:44 < arooni> dumb q; does enabling UPnP make my network insecure aF
19:44 < arooni> ?
19:44 < UncleDrax> so it's just a pet peeve
19:44 < Aeso> arooni, generally yes
19:44 < alabaster> UncleDrax: speaking of D and E. Why do people call them reserved when technically A B and C is reserved?
19:44 < arooni> Aeso: it allows any app to set up port forwarding itself?
19:44 < Aeso> arooni, correct.
19:45 < arooni> was trying to figure out why my alexa dot keeps erroring out playing music
19:45 < UncleDrax> alabaster: D & E are reserved because they are special use space. D is not just called 'Multicast' space. and E is just.. ya.. here be dragons.
don't use it :]
19:45 < arooni> reset it ; and connecting to a 5ghz network now; maybe that'll help
19:45 < UncleDrax> *D is now called
19:45 < Aeso> arooni, your dot should work regardless of uPnP support
19:45 < alabaster> E is for government intervention right
19:45 < hagbard> alabaster: No, E is just reserved and unused.
19:45 < alabaster> and conspiracy theory tin foil
19:46 < hagbard> It's just a wasted /4.
19:46 < alabaster> D is not used either right
19:46 < hagbard> Yes, D is used.
19:46 < hagbard> Go ahead and ping 224.0.0.1
19:46 < alabaster> for what generally?
19:46 < hagbard> Multicast.
19:46 < alabaster> ahhh I better write that down
19:46 < hagbard> --- 224.0.0.1 ping statistics ---
19:46 < hagbard> 1 packets transmitted, 1 received, +17 duplicates, 0% packet loss, time 0ms
19:46 < UncleDrax> alabaster: https://tools.ietf.org/html/rfc5735#section-3 it's documented
19:47 < hagbard> Unlike 1/8 and 2/8, there are no plans to un-reserve that space, right?
19:48 < UncleDrax> I'd be super amazed if they do, and I'd be doubly-super-amazed if it works on most people's kit after that
19:48 < UncleDrax> v6
19:48 < UncleDrax> and all
19:48 < alabaster> so why do people at whim call A B and C reserved? Is it just an interchangeable term?
19:48 < hagbard> UncleDrax: I disagree. I think the % of devices that will reject 240/4 as a rule has been diminishing steadily for the past 15 years.
19:48 < alabaster> some people*
19:49 < alabaster> I guess they mean public-reserved
19:49 < Aeso> oh, hey
19:50 < hagbard> I honestly don't know what you're talking about when you say that people call A, B, and C reserved. Do you mean the reserved network blocks in class A and B space?
19:50 < UncleDrax> I've never heard someone actually say|type 'a Class A Reserved' network in practice.. so I'd have to see it used to determine context.
19:50 < Aeso> I didn't realize IPv4 had reserved subnets for documentation the way IPv6 does
19:50 < Aeso> that's cool
19:50 < hagbard> 192.0.2.0/24?
19:50 < UncleDrax> 203.0.113.0/24 , 198.51.100.0/24 , and 192.0.2.0/24
19:51 < hagbard> Aeso: oh, neat, 198.51.100.0/24 and 203.0.113.0/24 as well
19:51 < Aeso> yep
19:51 < UncleDrax> which tbh, I should check if i'm martian'ing those
19:51 < hagbard> I wish they'd found easier to remember subnets.
19:51 < UncleDrax> prob made em that way because a previous allocatee screwed up.
19:51 < hagbard> Also, whatever happened to 192.0.1.0/24?
19:52 < Aeso> you mean like 2001:db8::/32 :)
19:52 < hagbard> Aeso: What do you mean?
19:52 < alabaster> I'm going to have to restudy subnetting because obviously it's a bit more difficult to grasp than say vlan trunking/tagging and learning IOS better
19:53 < hagbard> I see that 2001:db8::/32 is reserved for documentation, but are you saying there's more of a story behind why that subnet is reserved that way?
19:53 < UncleDrax> alabaster: if you can grasp the concept of separation of layers/functions, things like VLANs will become clearer. same thing Virtual Machines do really
19:53 < Aeso> hagbard, it looks like it's a tiny /24 of public space sandwiched between two reserved blocks
19:54 < Aeso> also, I just mean that 2001:db8:: is a _lot_ easier to remember than some other IPv6 prefixes they could have chosen
19:54 < UncleDrax> should be dead:dead:dead::
19:54 < UncleDrax> or ofc dead:beef:cafe::
19:55 < hagbard> Aeso: 192.0.1.0 doesn't appear to be announced, but it's not declared in whois either. It's ARIN space.
19:55 < E1ephant> yeah it looks unallocated legacy in ARIN
19:55 < hagbard> I had a coworker that used to use 00:00:de:ad:ba:be.. Kind of a weirdo. I didn't miss him when he was fired.
19:57 < UncleDrax> in the interest of completeness, https://tools.ietf.org/html/rfc6890 supersedes RFC5735
19:57 < Aeso> I laugh every time I see facebook's IPv6 prefix, which starts with face:b00c
19:57 < UncleDrax> i wonder who they had to bribe for that
19:59 < alabaster> so my final question is do I study the calculations of class A or 10. and B ?
19:59 < Aeso> well, it technically starts with some 2000::/8 prefix they were assigned. The first two... hexadecatets(?) they control are face:b00c
19:59 < UncleDrax> ahh ok
19:59 < UncleDrax> that makes more sense then
20:00 < hagbard> Aeso: sedecatet or sexdecatet
20:00 < Aeso> I'm just going to call them IP address segments, I think
20:00 < Aeso> :P
20:01 < hagbard> I think the official term is field?
20:01 < hagbard> or a hextet
20:01 < UncleDrax> hextets
20:01 < Aeso> Shouldn't a hextet be 6 bits?
20:01 < hagbard> It should be.
20:02 < hagbard> And actually a newer RFC deprecates the use of hextet to refer to a 16 bit value.
20:02 < Aeso> Language is hard, turns out.
20:02 < UncleDrax> "Official IETF documents simply refer to them as "pieces""
20:02 < hagbard> Also, some more googling suggests that you were correct originally and I was wrong. hexadecatet.
20:03 < hagbard> err, hexadectet
20:04 < hagbard> Oooh, according to a fascinating thread on a mailing list, there's argument as to using greek or latin derived numerical prefixes. Turns out sexdectet is the latin source and hexadectet is the greek derived version.
20:05 < hagbard> Fascinating what becomes interesting when what I should be doing is figuring out international shipping rules. Ie, if Cisco has already type cleared the part I need to ship, how do I declare that?
20:39 < kangarex> any netscreen admins ever come across "User Group Dialup Users cannot be modified"
20:39 < Onionnion> gonna need more details
20:39 < Onionnion> what kind of device
20:39 <+catphish> netscreen?
:|
20:40 <+catphish> weren't those discontinued like 15 years ago :(
20:40 < kangarex> Juniper SSG-140
20:40 < kangarex> i think so it is pretty old
20:40 < Onionnion> legacy customers yay!
20:41 <+catphish> that's not a netscreen, that's a juniper ssg :)
20:42 <+catphish> i'm afraid i have no idea anyway, not touched one in such a long time :(
20:45 < brian__> Hi everyone
20:45 < brian__> I have a question regarding spanning tree
20:45 < brian__> can someone help me?
20:46 <+catphish> probably
20:46 < ||cw> only if you ask it
20:46 <+catphish> we won't know until you ask though
20:46 < Onionnion> brian__: read the topic
20:46 < Onionnion> don't ask to ask, ask
20:47 < brian__> ok
20:47 < brian__> I have 2x stacked switches and I want to connect other switches to them
20:48 < brian__> https://pasteboard.co/Hu9l1hM.png
20:48 < brian__> from the diagram can I have a loop?
20:48 < Onionnion> looks like it
20:48 <+catphish> yes there's clearly a loop there
20:48 < Onionnion> you're looping a port from the stack back to itself
20:49 <+catphish> oh wait, the top 2 are in a stack
20:49 < Onionnion> there's still a loop
20:49 <+catphish> which means you have 2 loops
20:49 < Onionnion> yeah
20:49 < brian__> yes the above two are stacked
20:49 <+catphish> the best way to fix this is to use LACP
20:49 < brian__> so i just have to turn STP
20:49 < kangarex> you need to port channel them
20:49 <+catphish> assuming your switches support LACP between stack memvers
20:49 <+catphish> *members
20:50 < brian__> ok so the LACP has to be between the stack switches and the other switches?
20:50 <+catphish> brian__: because the top 2 switches are in a stack you can pretend they are 1 large switch
20:50 < kangarex> yes u can do lacp with mode active
20:50 < kangarex> if lacp is not supported just do on for regular lag
20:51 < kangarex> if cisco
20:51 < brian__> They are cisco 3750G they have LACP
20:51 < kangarex> cool
20:51 < brian__> SO let me check if I understood you
20:51 < kangarex> can have each side doing mode active in the channel group
20:51 < kangarex> or one side passive and the other active
20:51 <+catphish> so you do LACP between A+B <-> C and between A+B <->D
20:51 < kangarex> and it will form
20:51 < brian__> I have to pass two uplinks between the stack switch and the switch and configure LACP
20:51 <+catphish> yes
20:52 <+catphish> you connect it the same as in your diagram
20:52 < brian__> and pass all the vlans from LACP
20:52 <+catphish> then the 2 links on the left are one LACP link and the 2 on the right are another LACP link
20:52 < brian__> Yes you have to think as the stack switch is a one big switch
20:52 <+catphish> yes, once you have LACP, you make the LACP link into a trunk, and pass all vlans over it
20:52 < brian__> cool
20:53 <+catphish> yes, pretend the top 2 switches are one big switch
20:53 <+catphish> then you have 2 pairs of LACP links, which can carry all VLANs
20:53 <+catphish> this gives you the full combination of speed + resilience, but also no need for STP
20:53 < brian__> if the other switches are not cisco. for example we have ubiquiti switch
20:53 < brian__> and I think they have LA
20:53 < brian__> LAG
20:54 <+catphish> most switches support LACP
20:54 <+catphish> but you'll have to test
20:54 <+catphish> LACP doesn't work properly on netgear switches
20:54 < brian__> OK I will check if they have LACP
20:54 < brian__> we do not have netgear switches
20:55 < brian__> the port channel must be the same number?
20:56 <+catphish> no, don't think so
20:56 <+catphish> only for links on the same switch
20:57 < brian__> and obviously after I create the LACP i have to turn on spanning tree right?
20:57 < brian__> A+B -> C Port channel 1 and A+B -> Port Channel 2
20:58 <+catphish> i already said, you don't need STO
20:58 <+catphish> *STP
20:58 <+catphish> because you won't have any loops once you use LACP
20:59 <+catphish> each pair of links will become one link, then there will be no loops
20:59 < my_mind> Hey
20:59 <+catphish> hello
20:59 < brian__> ok ok but spanning tree is on by default
20:59 < Onionnion> Just portfast everything duh
21:00 < groupers> Why not just leave STP on?
21:00 < brian__> shall I leave it as default
21:00 < Onionnion> jk don't do that
21:00 < groupers> What if someone makes a loop
21:00 <+catphish> brian__: yeah default is fine, there's no harm in having it turned on
21:00 < brian__> ok +catphish thanks
21:00 < my_mind> Is it possible to retrieve emails that were received to an exchange server when it was down?
21:00 < groupers> There is probably future pain if you turn it off
21:00 <+catphish> if it was down, it didn't receive them
21:01 < groupers> Hah
21:01 <+catphish> my_mind: you will have to wait until those emails are re-delivered
21:01 <+catphish> my_mind: obviously if the server was down, it did not receive the emails
21:03 < my_mind> The exchange server turned off last night. People sent emails to that server.
21:03 < brian__> i just checked and it seems ubiquiti switches have LAG
21:03 < my_mind> I figured there wasn't a way to get those emails back
21:03 <+catphish> my_mind: if those emails were actually sent, they will eventually arrive
21:04 <+catphish> my_mind: if you're talking about emails sent *to* users of that server, they will be waiting on other servers in other places, they will be delivered in the next few hours
21:05 <+catphish> my_mind: if you're talking about emails sent *by* users of that server, these were not sent, the user will have received an error when they tried, those emails are lost forever
21:05 < my_mind> So they were just bouncing around in the Internet's routers looking for the exchange server
21:05 < my_mind> catphish: yes that's what I meant
21:06 <+catphish> my_mind: technically they are sitting on the server of the person who sent the email, they will try to contact your server periodically until it is back online, then they will be sent
21:06 < my_mind> that makes sense
21:07 < my_mind> catphish: thanks for explaining :)
21:07 <+catphish> there is nothing you can do to speed this up, but it typically takes a few hours
21:07 <+catphish> you're welcome
21:08 < my_mind> We're not going to receive them then. The server has been up for 7 hours or so
21:08 < my_mind> Too bad. I'm not mad.
21:08 < TandyUK> they can sit in queues for up to 24h, the way it works generally is first failure will wait 1min, second waits 3 min, 3rd 7min, etc up to the point where it might not try till 24h later, before eventually failing
21:09 < TandyUK> note however that they will appear in your inbox when they were sent, not received, so don't expect them to pop up on the top of your inbox
21:09 < my_mind> TandyUK: hmm... what's that process called? I want to learn more about it.
21:10 < TandyUK> if it's a 'temporary failure' as it sounds like, it could be 7 days before the sending mailserver actually gives up waiting/retrying
21:10 < TandyUK> no idea tbf, that's how exim mailserver does it, and i'm sure many others
21:10 < detha> my_mind: exponential back-off
21:10 < TandyUK> smtp retry or something maybe
21:12 < my_mind> Thanks guys
21:16 < wallbroken> how is port 5353 involved in mdns?
21:19 < Apachez> check the rfc for mdns
21:20 < Aeso> wallbroken, I'm not sure I understand the question.
21:20 < wallbroken> Aeso, i want to know why mdns listens on 5353
21:21 < Apachez> because it's supposed to?
21:21 < Apachez> since 53 is already taken by a proper unicast dns server?
21:21 < wallbroken> i want to know how the request works
21:26 < Aeso> mdns uses UDP packets because it's a stateless protocol, and those UDP headers have to have some kind of port associated with them
21:28 < wallbroken> Aeso, can you show me some mdns transaction?
21:29 < wallbroken> i want to know the dynamics of a connection
21:29 < wallbroken> i guess the question is still not clear
21:32 < Aeso> when a device that supports mdns comes on the network, it sends an IGMP Membership Report to become a listener for 224.0.0.251, the multicast IP for mdns
21:33 < wallbroken> and what happens when a device wants to check the service online?
21:33 < Aeso> when a client joins the network and is looking for zeroconf services, it sends a mdns query to the same IP address that the services have registered as listeners for
21:33 < detha> wallbroken: image search for mdns comes up with, amongst other things, https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-mobility/119017-config-chromecast-mdns-wlc-00.html
21:33 < Aeso> those services see the request and generate a response (in the form of a resource record) and send it back to the client
21:35 < wallbroken> so when i'm looking for services on a network, i need to send something to 224.0.0.251
21:35 < Aeso> mdns is just one of many ways to identify services on the network, zeroconf or not
21:36 < locsmif> Hi all. Is it normal to see a lot of DUP ACKs in Wireshark when you're DLNA streaming movies from A to B in your LAN? Even over the wire?
21:37 < wallbroken> Aeso, i'm trying to hping 5353 to 224.0..251
21:37 < wallbroken> not an answer
21:38 < Aeso> wallbroken, it sounds like you need to do some reading on how multicast works before you're going to fully understand mdns
21:38 < wallbroken> in my case, there isn't an igmp registration
21:38 < wallbroken> i disabled igmp snooping
21:39 < Aeso> locsmif, lots of duplicate acks in bursts typically indicates the receiver missed a packet
21:40 < Aeso> you should do some tcp sequence number analysis to figure out what's going on
21:49 < Aeso> wallbroken, if you disable IGMP snooping on the switch, the switch should broadcast that traffic to all ports
21:52 < Aeso> but you can't just try and throw a packet at the mdns address and expect a response. It should be a properly formed mdns query or else the service hosts are going to ignore your malformed traffic
21:58 < wallbroken> Aeso, i need it to 5353 port?
22:00 < Aeso> wallbroken, well right: The mdns service running on the hosts has to listen on some subset of ports, in this case 5353
22:00 < Aeso> wallbroken, give this a read: https://tools.ietf.org/html/rfc6762
22:00 < wallbroken> Aeso, in my case it's called bonjour
22:00 < wallbroken> it's the same?
22:01 < Aeso> bonjour and avahi both use mdns under the hood, yes
22:01 < wallbroken> there is also a microsoft implementation?
22:01 <+catphish> yes
22:02 < wallbroken> name?
22:02 < Aeso> Windows 10 uses mdns. I don't know if MS has mdns listeners though
22:02 < wallbroken> for what?
22:03 <+catphish> isn't it mostly just for name resolution?
22:03 < Aeso> catphish, service identification and name resolution, yeah.
22:03 <+catphish> windows 10 definitely has some support, but i don't know the extent
22:04 < Aeso> this section of the RFC has some interesting notes on the differences between multicast and unicast DNS: https://tools.ietf.org/html/rfc6762#section-19
22:05 <+catphish> it's quite similar to regular dns then
22:05 < Aeso> yep
22:05 < Aeso> it just doesn't require the network to provide the service, it's all adhoc
22:06 < wallbroken> 5353 is the only port needed?
22:06 < Aeso> Correct.
22:06 <+catphish> yes
22:07 <+catphish> USA people, your president seems to have gotten lost and washed up here, can we send him back asap?
22:08 < Apachez> catphish: only if you include Juncker
22:08 < XCE> as a USA people, you can keep him
22:08 < Aeso> lol
22:08 < Phil-Work> I suspect many don't actually want him back
22:08 < XCE> just do what you guys used to
22:08 <+catphish> about 49% ;)
22:08 < XCE> stranded him on a boat and keep him there
22:08 < Apachez> Juncker makes Jeltsin look like a sober dude: https://www.youtube.com/watch?v=oecvYFq_wi0
22:09 < tds> but "Mr Trump has said that Britons "like me a lot"" ;)
22:09 < Phil-Work> that cracked me up
22:09 < Phil-Work> apparently we like his immigration policy
22:09 <+catphish> ahahaha
22:10 < Phil-Work> though, as someone who hates pretty much all people, more walls sound like a good idea
22:10 <+catphish> i hate people, but i hate them equally :)
22:10 < Phil-Work> exactly
22:10 < Phil-Work> and all of them can have equal walls
22:11 < Apachez> I'm not a racist, I hate everybody equally...
22:12 < XCE> hating races doesn't make sense in a globalized world
22:12 < XCE> gotta hate cultures instead
22:13 < locsmif> Aeso: I understand that, but does it indicate a problem with my NIC, a cable or something else?
22:13 < locsmif> Aeso: re: the DUP ACKs
22:14 < locsmif> Should I actually *expect* all these retransmissions?
22:15 <+catphish> XCE: i think most of what's called racism these days is more about culture than race anyway, we just don't have a better word for it
22:15 < Aeso> locsmif, generally, no. But depending on their frequency it may not pose a significant problem for the actual transfer.
22:15 < XCE> it's xenophobic but that includes racism too
22:15 < XCE> even if it shouldn't
22:15 < Aeso> err, by which I mean no, under ideal conditions you shouldn't ever see them on a local network
22:16 < locsmif> Aeso: my DLNA streaming used to work a lot better, but for some reason, DLNA streaming started failing.
I've tested a multitude of operating systems, streaming servers, cables, movie formats, with or without subtitles, and eventually turned to Wireshark.
22:18 < locsmif> VLC on android sometimes gives me the hourglass, but eventually recovers. However, my set top box upstairs (wired connection) suddenly sends RST and then tells me on screen that I've "lost connectivity to my home network". I used to work for this company and I know the box is shit (I was trained to support it), but what puzzles me is.. it used to work somewhat. Something changed.
22:19 < locsmif> It does, however, work better on Linux with MiniDLNA
22:19 < locsmif> However, Serviio and Twonky on multiple Windows 7 SP1 installations I have don't work properly. I get a few seconds of video at most and then the error.
22:20 < locsmif> However, my smartphone plays videos much better from NAS in the same network.
22:20 < locsmif> The same goes for my STB. The NAS runs an old Twonky version.
22:21 < locsmif> My PC's CPU or network capacity aren't overloaded. In short, this is sort of driving me nuts.
22:22 <+catphish> i'm glad the UK is at least interesting for once
22:22 <+catphish> "a flurry of political turmoil and planned protests"
22:23 < E1ephant> in b4 croatia?
22:23 < E1ephant> too soon?
22:23 < compdoc> did they fly that balloon?
22:23 < XCE> may they live in interesting times
22:24 <+catphish> compdoc: i don't think it's in the air yet, not sure
22:24 <+catphish> but it's certainly going to be :)
22:24 < compdoc> heh
22:25 < mib_mib> hi all - i've set up an openvpn server instance and another ec2 instance inside AWS vpc - how can i make it so when i'm connected to the VPN, that i can access the other ec2 instance by its internal ip address?
I need to do some sort of forwarding i guess with iptables, but not sure how
22:26 < varesa> mib_mib: you need to add (or push from the VPN server) a route to the VPC subnet
22:27 <+catphish> ^
22:27 < mib_mib> varesa: okay - i'm a noob at this stuff - so even though the vpn server is already inside the VPC, i need to do this?
22:27 < varesa> and you'll have to either masquerade (source nat) the traffic from the VPN server to the VPC or add routes in the VPC to the VPN server for whatever subnet your client gets
22:27 <+catphish> you need to make the traffic for those hosts go from the vpn client to the vpn server
22:28 <+catphish> then you'll need to do masquerading on the vpn server
22:28 < varesa> mib_mib: the VPN server is inside the VPC but your VPN client doesn't know that. It doesn't know that $VPC_SUBNET is reachable through the VPN, hence it needs a route
22:28 < mib_mib> varesa: so is it recommended to do this with like route53 or something? Or just iptables can do it?
22:29 < mib_mib> i see this, which seems to mention what you are saying, of course i don't pretend to understand it: https://serverfault.com/questions/418354/how-to-set-up-openvpn-to-let-the-vpn-clients-to-access-all-the-servers-inside-th
22:29 < tds> iirc route53 is a dns service from amazon, you don't want that
22:30 < varesa> mib_mib: yeah, R53 is DNS and has nothing to do with IP routing. Iptables is not the correct tool either
22:30 < varesa> look up something like "openvpn push route"
22:33 < mib_mib> varesa: do i only need to push from the openvpn to the subnet, but also from the other ec2 machines back to the openvpn server, or to a client?
22:33 < mib_mib> does it matter if client machines are assigned an ip address like 10.x.x.x but the ec2 private ips are like 171.x.x.x ?
22:34 < varesa> mib_mib: you need either two routes (both ways) or route on the client + masquerade on the server
22:34 <+catphish> mib_mib: if you use masquerade you can do it just on the VPN server
22:35 < varesa> mib_mib: and those subnets are fine, though I hope the second one is actually 172.x.x.x
22:35 <+catphish> mib_mib: you just need to push the route and enable masquerading in iptables
22:36 < mib_mib> catphish: actually now that i look it's 173.x.x.x
22:36 < varesa> to masquerade or not depends on if you want the servers you're accessing to see the unique client IP (10.x.x.x) or if it is okay to have all the VPN users' traffic look like it is coming from the VPN server itself (172.x.x.x)
22:36 < mib_mib> yah doesn't really matter to me at this point
22:36 < mib_mib> if iptables works and that's the simplest i'll just do that
22:36 < varesa> the second option (masquerade) is simpler
22:37 < mib_mib> i already have: push route "173.XX.0.0 255.255.255.0" in /etc/openvpn/server.conf
22:37 < mib_mib> but i guess that's not everything i need
22:37 < mib_mib> does this look right then?
22:37 <+catphish> mib_mib: well you need to make sure whatever you mean by 173.XX.0.0 255.255.255.0 is actually correct
22:38 < detha> do I hear people advocating NAT ?
22:38 <+catphish> yep :)
22:38 < varesa> does that show up in the client's routing table? 'ip route' on linux, something else on win/macos
22:38 <+catphish> then you need to make sure you have a masquerade rule for whatever interface that route goes out through
22:38 <+catphish> yeah, check "ip route" on your client, check it's there
22:39 < varesa> btw 173.x.x.x are not private IPs
22:39 <+catphish> ^ this too
22:39 < mib_mib> varesa: ec2 makes those private
22:39 < mib_mib> varesa: in the default VPC
22:39 <+catphish> really?
seems like a huge waste
22:40 < varesa> Really, I find that hard to believe
22:40 < varesa> I'm pretty sure they use 172.x.x.x (I work with AWS as well)
22:40 < qman__> No, aws defaults to using 172
22:41 < mib_mib> qman__: my guess is they ran out of ip addresses at 172 so now they use 173
22:41 < qman__> No, they don't
22:41 <+catphish> mib_mib: that's not how it works
22:41 < varesa> no, doesn't work like that
22:41 < mib_mib> that's true i guess these are private
22:41 <+catphish> they don't own 173.x.x.x
22:41 < mib_mib> well, why would it show in the amazon console as 173.x.x.x
22:41 < mib_mib> under Private IP
22:41 <+catphish> then someone probably made a typo
22:41 < qman__> aws uses standard private address space
22:41 <+catphish> mib_mib: what is the actual IP?
22:42 < qman__> you can manually set it to whatever you want
22:42 < varesa> for one thing, every customer has access to the whole 172.16.0.0/12 range (they're private after all). AWS as a whole won't "run out"
22:42 < mib_mib> yeah sorry that's true
22:42 < qman__> And clearly someone made an error setting up your vpc and subnets
22:42 < mib_mib> well shoot, let me take another look
22:43 <+catphish> 173.x.x.x definitely seems like a typo :)
22:43 < mib_mib> qman__: no, we didn't set this one up, this was created automatically as the 'default' VPC by amazon
22:43 < varesa> and even if they somehow ran out of 172.16/12 they'd jump to another designated private range like 10.0.0.0/8 before they'd even consider misusing someone else's public addresses (which they'll hopefully never do)
22:43 < qman__> Not if it's 173
22:43 <+catphish> mib_mib: i find it hard to believe amazon would use 173.x.x.x as a private IP
22:44 < mib_mib> ah
22:44 < varesa> if they actually did, I'd be opening a support ticket and complaining
22:44 < mib_mib> well, the vpc uses 172.31.0.0/16
22:44 * catphish writes letter of complaint to amazon about their customers' idiocy
22:44 < mib_mib> but the assigned private ip was ...
22:44 < mib_mib> qman__: its true, you're right! lol type 22:44 < mib_mib> *typo 22:45 <+catphish> :) 22:45 < mib_mib> 172.x.x.x 22:45 < varesa> there :) 22:45 <+catphish> 173 just isn't a private IP :) 22:45 < tds> there's also relatively little point in censoring those addresses, they shouldn't be reachable from any networks other than your own 22:46 < mib_mib> so, presumably then - this openvpn push route is already in server.conf, so presumably i wont need to use iptables (if openvpn does this for me?) 22:46 < Apachez> the point is to not serve an attacker things on a silverplate 22:46 <+catphish> well amazon is a pretty public network 22:46 < Apachez> ipv4 can only be 0.0.0.0 - 255.255.255.255 22:46 <+catphish> so those IPs while technically private are only private to that HUGE AS 22:47 < Apachez> yet exactly which ip his host got is non of your business 22:47 < aaro> that reminds me watching lans with the range 198.162.x.x ... sighs 22:47 < varesa> mib_mib: the route and masquerade (with iptables) are two different things 22:47 <+catphish> Apachez: realistically is can only be 1.0.0.0 to 223.255.255.255 22:48 < varesa> the first one ensures that your client knows what to do, the second ensures that the target server in EC2 knows what to do 22:48 < Apachez> catphish: na, 0.0.0.0 is perfectly valid but your wintendo stack might puke if sseen :) 22:49 <+catphish> aaro: i used to have the opposite problem, i used to manage a network 192.160.10.0/24 22:49 < E1ephant> perfectly valid and realistic are not the same things 22:49 < mib_mib> varesa: do the commands in the accepted answer here look correct? 
https://serverfault.com/questions/418354/how-to-set-up-openvpn-to-let-the-vpn-clients-to-access-all-the-servers-inside-th 22:49 <+catphish> Apachez: 0.0.0.0 is not a normal unicast IP 22:50 < Apachez> again ipv4 is 0.0.0.0-255.255.255.255 22:50 < Apachez> still its non of your business which ip his host got 22:50 <+catphish> Apachez: ipv4 is, sure, but not all unicast 22:50 < Apachez> again not the point here 22:50 <+catphish> Apachez: actually it's very much our business when we're being asked about routing 22:50 < E1ephant> errr yes it is? 22:51 <+catphish> especually when it turns out to be incorrect and the cause of the problem ;) 22:51 < varesa> mib_mib: they do 22:51 <+catphish> mib_mib: lots of good info there 22:52 < Apachez> catphish: not really, if its routing then its AS on internetlevel :) 22:52 < mib_mib> so, presumably i just run those - does ipv4 forwarding need to be enabled on the other machines, or only the openvpn machine? 22:52 < tds> just the openvpn server 22:52 <+catphish> mib_mib: you need 3 things: 1) a "push route" in openvpn 2) enable ip routing net.ipv4.ip_forward = 1 3) enable masquerading with -A POSTROUTING -j MASQUERADE 22:52 < varesa> mib_mib: ipv4_forwarding basically makes the system a router (between VPN subnet and EC2 subnet) 22:53 <+catphish> Apachez: something something something internets 22:53 < Apachez> catphish: bork bork bork bork 22:53 < E1ephant> something something something intranets 22:53 < varesa> catphish: and possibly also allow traffic in the FORWARD-chain 22:54 <+catphish> i actually have a new policy, i match the % of redacted information in questions with redacted words in my answers 22:54 < E1ephant> optimal 22:54 < tds> you may also want to add some extra iptables rules to not forward traffic from the wan/external/whatever interface 22:55 <+catphish> similarly, data replaces with random data results in random words and data replaced with the word example... 
you see where this is going 22:55 < tds> oh, I guess you could actually just disable forwarding on that interface completely, much easier :) 22:55 <+catphish> varesa: you only need to allow data in the FORWARD chain if you already have rules to block pakcets in that chain 22:56 <+catphish> the usual default is to allow all 22:56 < varesa> catphish: which is why I said "possibly" :) 22:56 <+catphish> varesa: sorry, somehow missed that word, yes :) 22:57 < mib_mib> so 22:58 <+catphish> so... 22:58 < mib_mib> my main goal at this point, is to be able to connect to a webserver running on the other machine - using its local ip address port 8787 22:58 <+catphish> makes sense 22:58 <+catphish> over the vpn i assume 22:58 < mib_mib> correct 22:58 <+catphish> thes vpn rules should make that work 22:59 < mib_mib> after setting all of this, i cant access that after all - whats the recommended way to debug? i did netstat -nr while connected to the vpn 22:59 < mib_mib> on my local, not sure what i'm looking for exatly thou 22:59 <+catphish> you need the 3 things: enable routing, push the route, masquerade 22:59 <+catphish> 1) check the route on the client 22:59 < mib_mib> whats the recommended way? 
22:59 <+catphish> 2) check iptables on the vpn server 23:00 <+catphish> "ip route" will show you the routes on the client, "ip route" and "iptables-save" will show what's happening on the server 23:00 < varesa> 1) run 'ip route' on the client (assuming linux) 23:00 <+catphish> maybe paste both here if you need help debugging 23:00 <+catphish> yes, that's linux 23:00 < mib_mib> i'm on osx 23:00 <+catphish> "route -n" maybe on OS X 23:01 < mib_mib> well, netstat -rn shows 23:01 < mib_mib> 172.31/24 10.8.0.5 UGSc 0 0 utun1 23:01 < mib_mib> where the first ip is 'destination' and the second is 'gateway' 23:01 <+catphish> well that's good, client is probably fine 23:02 < varesa> yup 23:02 <+catphish> so now check routes and iptabes on server 23:02 < mib_mib> alrighty 23:02 < mib_mib> then on the openvpn machine 23:04 < mib_mib> https://pastebin.com/wNFN24nh 23:04 < mib_mib> that is after running the commands listed in the link 23:04 < OxCEA5ED> high! i wonder how this is happening... i connect to my ISP via pppd/wvdial (under linux, indeed), and i don't usually browse any of their web pages... but today i saw in iftop that a connection has been made to two of their (nameless) servers (185.93.236.11 and *.18) to port 80... 23:05 <+catphish> mib_mib: pls run ip route on the server too 23:05 < OxCEA5ED> i can connect to the server, but it only says something about wrong url and that's all... 23:05 <+catphish> oh, i see no masquerade in that iptables-save 23:05 < OxCEA5ED> is there anything in pppd and/or wvdial, that enables an ISP to "dial home" to some web servers? 
23:05 <+catphish> mib_mib: run "iptables -t nat -A POSTROUTING -j MASQUERADE" on the server to enable that 23:05 < tds> those accept rules are also a little useless at the moment, seeing as the default policy on the chain is accept 23:06 < mib_mib> catphish: i ran iptables -S 23:06 < tds> they won't cause any issues to leave in though 23:06 < mib_mib> okay, i did run that, but i'll run again 23:06 <+catphish> mib_mib: that's ok, thet's the same 23:06 < mib_mib> catphish: whats the same? i dont need to run masquerade again then? 23:07 <+catphish> mib_mib: sorry, i mean iptables -S is the same as iptables-save 23:07 < varesa> tds: that -P sets the policy for the chain 23:07 <+catphish> you need to run the command i wrote above to enable the NAT 23:07 <+catphish> "iptables -t nat -A POSTROUTING -j MASQUERADE" 23:07 < mib_mib> catphish: i ran it again 23:07 < mib_mib> but iptables -S still shows the same output 23:07 < unix-pr0n> anyone know if it's possible to host your own email server (MTA and MDA) on a network with a flashed router with a VPN? I wanna route all traffic through the VPN if i can. 23:08 < mib_mib> note i'm running this as root 23:08 <+catphish> mib_mib: can you run iptables-save 23:08 < varesa> ah, you need "iptables -S -t nat" to see that 23:08 < varesa> while I guess iptables-save gets all the tables 23:08 <+catphish> yeah, i think varesa is right 23:08 < mib_mib> clear 23:08 <+catphish> you also need to make sure ip forwarding is enabled 23:09 < varesa> catphish: don't you want to restrict the masquerade to only VPN -> VPC? 
23:09 <+catphish> varesa: for simplicity, i usually just enable it globally 23:09 < mib_mib> catphish: i think it is, in etc/sysctl.conf 23:09 <+catphish> mib_mib: you can check: "cat /proc/sys/net/ipv4/ip_forward" 23:09 < mib_mib> okay, i am now seeing multiple lines with -A POSTROUTING -o xxxx -j MASQUERADE 23:10 < mib_mib> looks like duplicates maybe 23:10 <+catphish> mib_mib: duplicates aren't a problem 23:10 <+catphish> also, my command didnt have -o in :| 23:10 < varesa> catphish: that's what I meant 23:10 < mib_mib> -A POSTROUTING -o tun+ -j MASQUERADE -A POSTROUTING -o eth0 -j MASQUERADE -A POSTROUTING -o eth0 -j MASQUERADE -A POSTROUTING -j MASQUERADE 23:10 < mib_mib> (on separate lines of course) 23:10 <+catphish> -o restricts it to a specific interface, and i don't know what interface goes to the private network 23:10 <+catphish> ok 23:11 < mib_mib> yours is the last one, without the -o 23:11 <+catphish> well it shoud be thoroughly enabled 23:11 < mib_mib> is it an issue 23:11 <+catphish> no, thats fine 23:11 < mib_mib> that my client appears to get a 10.x.x.x but these machines ahve 172.x.x. 23:11 <+catphish> it's just super enabled :) 23:11 <+catphish> 110% definitely enabled 23:11 < mib_mib> lol 23:11 < tds> you will need to make sure those rules are saved at some point though 23:11 < mib_mib> so cat /proc/sys/net/ipv4/ip_forward returns 1 23:12 <+catphish> mib_mib: so everything is correct 23:12 < turtle> nice i'm differently abled 23:12 <+catphish> your client really really should be able to access that network 23:12 < tds> otherwise it reboots in 6 months, and the rules disappear and you've forgotten how it worked in the first place :) 23:12 < varesa> catphish: won't it try to masquerade the return packets from src=172.x.x.x to src=10.x.x.x? 
23:12 < varesa> if you don't limit it in any way 23:12 <+catphish> varesa: i don't think so 23:12 < mib_mib> also, i set net.ipv4.ip_forward=1 in /etc/sysctl.conf 23:12 < tds> varesa: netfilter nat only gets applied to the first tracked packet iirc 23:12 < tds> since it's tied in with conntrack 23:12 < tds> so masqing every forwarded packet should work 23:13 <+catphish> iptables is smarter than that 23:13 < mib_mib> should i post my whole iptables-save 23:13 <+catphish> it should work fine 23:13 < varesa> alright, sounds good then 23:13 <+catphish> yes, please post the full iptables-save and "ip route" from the server 23:13 <+catphish> i can't think what else could be wrong now :( 23:13 <+catphish> the next step is to use ping and tcpdump to see where the packets are going missing 23:13 < varesa> next up, tcpdump on vpn server, web server and client 23:14 < varesa> heh :) 23:14 <+catphish> lol 23:14 < mib_mib> https://pastebin.com/11Lr9VkG 23:14 <+catphish> although also sleep soon, i can has quite alcohol now 23:14 < mib_mib> lul 23:15 < tds> that really is very enabled :) 23:15 < mib_mib> is there anything i need to do on the other machine 23:15 <+catphish> this config looks good to me : 23:15 <+catphish> :( 23:15 < mib_mib> does net ipv4 need to be enabled there too? 23:15 <+catphish> nope 23:15 <+catphish> only on intermediate hosts 23:15 < varesa> no, only on the VPN server 23:16 < mib_mib> setup is mainly based off this 23:16 < mib_mib> https://hackernoon.com/using-a-vpn-server-to-connect-to-your-aws-vpc-for-just-the-cost-of-an-ec2-nano-instance-3c81269c71c2 23:16 <+catphish> the vpn server can access the server right? 23:16 < mib_mib> yes, i can ssh using the private IP address from the vpn server, to the 'webapp' server 23:16 < mib_mib> or rather, being ssh'd into the vpn serer, i can then use the private ip of the webapp server to ssh 23:17 < varesa> are you trying with SSH or HTTP to test from the client? 
23:17 < mib_mib> i'm trying to hit the webserver using the private ip address 23:17 < mib_mib> since its open to the world currently 23:17 < mib_mib> using its public IP address works just fine 23:17 < mib_mib> its on port 8787 though, does tha tmatter? 23:17 < varesa> just to check, can you do it from the VPN server using the private address? 23:18 < varesa> curl private_address:8787 23:19 < mib_mib> yep works 23:20 <+catphish> well lets get out the ping and the tcpdump 23:20 < mib_mib> i can post the server.conf if thats helpful 23:20 < mib_mib> for openvpn 23:20 < mib_mib> sure, happy to use tcpdump 23:21 < mib_mib> i also have logging enabled on openvpn server 23:21 <+catphish> the config shoudlnt matter much 23:21 < mib_mib> not sure that will help much 23:21 <+catphish> as long as it connects and the routes are being installed on the client 23:24 < mib_mib> what do you recommend to do using tcpdump? 23:25 < varesa> I'd start with "tcpdump -i any icmp" on the VPN server and then trying to ping the web server from the client 23:26 < mib_mib> curling the webserver you mean? or just pinging the machine? 23:26 < varesa> if you use the filter icmp, then ping 23:26 < varesa> could of course also use "tcpdump -i any tcp port 8787" and curl 23:27 < mib_mib> dang since when does ubuntu not have ping 23:29 < mib_mib> varesa: catphish could this ahve to do with aws security groups? i'm allowing currently inbound tcp 22 to 0.0.0.0/0 - would i need to enable more, i.e. a rule to allow all from local? 23:30 < mib_mib> presumably yes, right? 
23:30 < varesa> if it works from the VPN server then it should also work from the VPN clients (that's the masquerade magic) 23:30 < mib_mib> thats true 23:31 < varesa> you probably have some a rule in the SG to allow traffic from the same SG which includes the VPN server 23:31 < mib_mib> i dont, but maybe thats allowed by default or something 23:32 < mib_mib> let me try changing the security gorup 23:32 < varesa> mib_mib: did you run the tcpdump? 23:33 < mib_mib> varesa: yah doing that now 23:33 < mib_mib> varesa: well, after trying to ping it, it wasnt working 23:33 < mib_mib> since i would have had to allow the icmp in the security group 23:33 < mib_mib> i changed it back to the default (allow all traffic) and now ping is working 23:33 < mib_mib> let me just try this now and see what happens 23:33 < varesa> from the client? 23:35 < mib_mib> no, it waasnt even working from the opevpn server to the machine 23:35 < mib_mib> it works now, after changing the security groups 23:35 < mib_mib> on the webapp machine 23:35 < mib_mib> now let me try from the client 23:36 < mib_mib> varesa: https://pastebin.com/5iDrixmD 23:37 < varesa> is that all of it? 23:38 < mib_mib> thats from the client 23:39 < mib_mib> there is no activity on the vpn server 23:39 < mib_mib> ah, i'll have to allow ping in the security group as well 23:39 < mib_mib> let me see 23:39 < mib_mib> let me try removing it on the openvpn server for a sec and see 23:40 < varesa> the security groups shouldn't see the client -> VPN server traffic inside the tunnel 23:40 < varesa> e.g. as long as the tunnel comes up that should be fine 23:42 * catphish zzzzzzzzz 23:43 < mib_mib> varesa: anyway, you saw the output... maybe i should allow ping for the openvpn server security group? 23:43 < mib_mib> i assume thats blocking it? 
or no 23:43 < varesa> shouldn't be AWS related 23:43 < mib_mib> i see 23:43 < mib_mib> hmmmm 23:43 < varesa> something on the VPN server (or the client) 23:44 < varesa> since the OpenVPN UDP traffic is all the AWS is going to see 23:44 < varesa> they don't know what's inside the tunnel 23:45 < mib_mib> varesa: okay, so ya running "tcpdump -i any icmp" on the openvpn server machine 23:45 < varesa> mib_mib: the VPN server tunnel address was 10.8.0.5 or something like that, right? 23:49 < mib_mib_> ah some success! if on the vpn client i select to put ALL traffic through the vpn (hence my recent disconnect from irc) - then it does work! 23:49 < mib_mib_> that, paired with google chrome caching an invalid page for webserver local ip 23:49 < varesa> the 10.128.128.128 response seemed a bit weird, as if the traffic was not routed towards the VPN at all 23:50 < mib_mib_> varesa: so presumably, its not figuring out properly which routes to send through the vpn and whic NOT to 23:50 < varesa> though I remember a lot of our customers/employees having trouble with our OpenVPNs on macs... 23:52 < mib_mib_> varesa: well, how should it be determining which traffic to send to the vpn 23:52 < mib_mib_> varesa: thanks for your help btw! This is great 23:54 < varesa> mib_mib_: it should use the routes 23:55 < varesa> like 172.x.x.x/24 via 10.8.0.5 would mean that all traffic to that 172... would be sent towards the OpenVPN server, assuming that 10.8.0.5 is the tunnel IP of the VPN server --- Log closed Fri Jul 13 00:00:36 2018