--- Log opened Wed Apr 18 00:00:49 2018
00:01 < Dagger> and also with v4 for the past two decades or so
00:02 < wiresharked> Dagger: Should I block UPNP on my firewall?
00:02 < Dagger> didn't you want to know about PXE? how is UPNP relevant here?
00:03 < wiresharked> Dagger: What would a server be loading with RPL?
00:04 < wiresharked> In the context of being related to PXE
00:05 < Dagger> I don't know what "RPL" refers to here
00:05 < wiresharked> Dagger: Remote program load
00:06 < Dagger> which is what, exactly?
00:07 < lupine> aye, communism already won on the internet
00:07 < wiresharked> Dagger: "A protocol for starting a computer and loading its operating system from a server via a network"
00:08 < mniip> I'm trying to troubleshoot my IPSec setup with racoon
00:08 < wiresharked> mnlip: What is your issue?
00:09 < mniip> for some reason I can't get any packets back
00:09 < Dagger> wiresharked: that quote is from a page that answers your other questions about it
00:09 < wiresharked> Check your inbound firewall configuration
00:09 < mniip> I can see the NAT-T-encapsulated packets going client to server
00:09 < mniip> but for some reason the server doesn't reply with the same NAT-T-encapsulated packets
00:09 < wiresharked> mnlip: OK, so your outbound traffic is fine
00:10 < mniip> it seems to reply in cleartext, or at least that's what tcpdump on the server is telling me
00:10 < wiresharked> Sounds like HTTPS may not be configured correctly then
00:10 < mniip> sounds like what
00:12 < Dagger> mniip: FWIW I'm pretty sure he's trolling, hence all the time-wasting questions
00:12 < Dagger> unfortunately this is the kind of troll that IRC ops never want to ban, so we're just all expected to put up with the waste of time
00:30 < wiresharked> energizer: Are you going to upgrade to 802.11ax?
00:37 < Dagger> ^ see?
00:39 < Dagger> nobody will ban because "802.11ax is on-topic", but I'd still put "asking random people about random stuff that noone, not even the asker, cares about the answer to" as somewhere under the trolling label
01:17 < drac_boy> hi again
01:42 < drac_boy> hmm very un-chatty network tonight :-> heh
02:57 < xamithan> is show interface description a real command? I can't find it on packet tracer
03:26 < cyberbob> Hi All, I'm working as a remote contractor and have to dial in VPN (openvpn) to access the client network and work.
03:26 < cyberbob> Some of the customer apps are accessible globally (as of yet atleast) but right now they have whitelisted a few IPs for that (mine is not part of that for sure) and if sometimes I forget to dial in to openvpn or it get disconnected somehow my IP is blacklisted (being not part of whitelisted IPs) and I've to request them for white listing which is becoming a bit of embarassement.
03:27 < cyberbob> and client doesn't feel good for that at all
03:27 < cyberbob> I'm planning to have a dedicated (small) device to dial into openvpn server and use that device as an AP so that when my machine connects to that AP all traffic is routed through the openvpn interface.
03:28 < cyberbob> can you guys recomend such device with such capability ?
03:29 < lupine> APU2
03:29 < lupine> I use one for exactly that
03:30 < quint> Anyone familiar with the DNS zone editor in cpanel?
03:31 < quint> Need to set two values under one TXT, what's the proper way to delimit values in cpanel?
03:31 < cyberbob> lupine: which one are you using and which distro (pfsense ? )
03:31 < lupine> APU2C2 and debian stretch
03:31 < lupine> or maybe it's the b2
03:31 < lupine> doesn't make much difference
03:32 < lupine> the ECC ram isn't worth the extra moola for consumer use
03:33 < cyberbob> lupine: how much power that consumes ?
03:35 < lupine> about 15W?
03:35 < lupine> more than my ISP-supplied router, but not *much* more
03:35 < lupine> it gets ~90 minutes out of the mini UPS
03:36 < cyberbob> lupine: Thanks, but that is above my budget ~400$+ in AU :(
03:36 < cyberbob> unfortunately ..
03:36 < lupine> mine cost ~200GBP all-in
03:36 < cyberbob> I used raspberri pi 3B but that is not that much stable (atleast that is what my experience is with that)
03:37 < lupine> surely the exchange rate isn't *that* bad?
03:37 < cyberbob> yeah that is but the project is not that long, so not sure if I can put that money on this proj :) that is the only concern
03:38 < cyberbob> rpi3 crashes OS sometiems (out of sudden) on reboot . .
03:38 < tds> if you want something cheap, openwrt on a cheapo ap would run openvpn fine
03:38 < lupine> openwrt < debian
03:39 < cyberbob> tds: I've TL mr-3420 v3 but none of these opwrt, ddwrt doesn't support v3 :(
03:39 < cyberbob> But looking for some other cheap router which can do the same
03:40 < tds> lupine: I agree (and my personal routers all run debian), I was just suggesting it as a potentially cheaper alternative
03:40 < lupine> I had a buffalo router for ages that did openwrt really well
03:40 < lupine> it was <£100
03:42 < cyberbob> thanks lupine tds :) will search for some router for that else will buy some apu2 or something similar for running pfsense (if I've to spent that much budget will go for that as have some good experiene with pfsense)
03:43 < lupine> there is so much good about the APU2
03:43 < lupine> I run my mail server on mine, in addition to my website, vpn client, etc
03:46 < orlock> Anybody know what port tcp 64946 is?
03:51 < cyberbob> lupine: thanks for sure will look into this (If i've to go above my budget)
04:54 < zhangj__> Hello everyone, may I ask who understands the socket5 agent?
04:56 < zhangj__> How to set up a socket agent on both sides, or when to close the socket?
04:58 < zhangj__> A Clients -> open Socket5 -> B Service -> open socket ->
04:58 < zhangj__> Forwarding data
04:59 < zhangj__> A Clients -> open Socket5 -> B Service -> open socket -> Forwarding data
05:00 < zhangj__> I know when to open socket forwarding data, I do not know when to close the established socket
05:01 < zhangj__> I do not understand socket5's rfc1928 specification. Can anyone help me?
07:02 < Sircle> Hi
07:02 < Sircle> I want to buy ssl cert. Any suggestions on vendor?
07:03 < mniip> Letsencrypt? :p
07:18 < Sircle_> I want to buy ssl cert. Any suggestions on vendor?
07:28 < detha> letsencrypt
07:30 < frankzinger> https://letsencrypt.org/ just in case there was some confusion
07:30 < detha> unless one is a bank/financial institution or otherwise swimming in money, and needs EV certs, one does not 'buy' certs. One gets certs.
09:31 < be2pal> Hi there all
09:31 < be2pal> need help with cisco managed switch
09:32 < be2pal> do we need to always connect to it with subnet mask even after first setup ?
09:33 < be2pal> setting up Cisco sg300-28pp first time
09:33 < Roq> No, you can use a console cable for direct physical access
09:33 < be2pal> using ethernet cable
09:33 < be2pal> I dont know about using console cable to connect to computer
09:33 < Roq> With an ethernet cable you need IP connectivity
09:34 < Roq> Connect the console cable to the switch, and connect it to the serial interface on your pc
09:34 < be2pal> yes. Roq the system led is blinking even though i set dynamic ip address
09:35 < be2pal> Basically, I am not able to access ip camera POE with default camera ip. Not pinging
09:36 < be2pal> Using a laptop. Unfortunately console cable is out of reach now
09:36 < be2pal> using wireshark to scan out ip address though
09:43 < mustu> guys, I'm brainstorming on how to weed duplicate packet when mirroring traffic.
09:45 < be2pal> I am not clear of this Roq. If switch and computer is on same subnet mask, does the IP camera needed to be same subnet ?
09:45 < mustu> I have multiple segments that interconnect via a firewall. I want to target only two zones. I want everything exchanged between those two and to/from the Internet. However, I want to weed out any traffic to/from the other zones that I don't want to tap.
09:45 < mustu> how to achieve that on switch
09:50 <+xand> mustu: unlikely port mirror on a switch is going to filter that
09:50 < mustu> xand yeah.. need to verify my thoughts and see if there is a workaround
09:51 <+xand> you can do the filtering on what's receiving the mirrored traffic... assuming this is like a one-off for debugging something
09:51 < vmnewb> Hello everyone, I have a virtual enviroment and I reset the VMs to a previous snapshot where everything should have worked. I have a server which does mss2016 dc/dns/routing wich has 2 NICs IP 10.151.0.212/17 GW/DNS: 10.151.4.1 - LAN and 10.151.210.1/28 DNS: 127.0.0.1 GW: none - Virtual Network. I have a few VMs in the Virtual Network and they have the IPs: 10.151.210.2(vm1),3(vm2)/28 GW/DNS: 10.151.210.1. Now I need to read a t
09:52 < mustu> xand yep that's the last resort... to drop packet based on destination IPs
11:08 < leonarth> PCI-DSS auditor is asking to implement an IDS/IPS solution for outgoing traffic, I was thinking about setting up a NAT gateway and put Snort or Surricata on it - what would you guys suggest?
11:10 < detha> leonarth: in-line? hmm.
11:14 < Sircle> I want to buy ssl cert. Any suggestions on vendor?
11:17 < Sircle> what type of ssl is advised for a shopping cart site?
11:17 <+xand> none, you should use TLS
11:20 < Sircle> xand, what do you mean?
11:21 < Sircle> Transport Layer Security (TLS) is the successor to SSL
11:21 < Sircle> xand, so where do I buy that?
11:22 < be2pal> Sircle: TLS
11:22 < frankzinger> Sircle, once again: https://letsencrypt.org/
11:22 < Roq> Sircle: check out letsencrypt
11:22 < be2pal> Letsencrypt - absolutely free and open source
11:23 <+xand> hmm
11:25 < be2pal> a tech associate suggested to setup cisco switch from telnet via lan.
11:26 < be2pal> I find web gui has many options to get started. But I couldnt connect without being in particular subnet
11:26 < TotallyNotKim> be2pal: you'll learn to hate the web gui in a matter of seconds
11:27 < be2pal> :) kind of started already
11:27 < be2pal> Wheres the resource to dig about console or telnet operating.
11:28 < be2pal> By the way, switch hasnt enable telnet by defaulf
11:31 < Sircle> be2pal, which vendor gives tls? this is not ssl cert the usual EV SSL?
11:32 <+xand> SSL is the wrong term to use, it's TLS now
11:32 < Sircle> frankzinger, Roq letsencrypt is free. Don't have problems in browsers that are free certs?
11:32 < Sircle> xand, of so the EV cert is actually TLS cert and still named SSL?
11:33 < Sircle> xand, so these are TLS? https://www.namecheap.com/security/ssl-certificates/
11:35 < be2pal> Sircle: major web browsers with latest version accept this particular free cert
11:36 < be2pal> TLS replaces ssl. And since you are beginning, may start with letsencrypt.
11:36 < be2pal> and you continue this without commercial cert
11:36 < Sircle> be2pal, I have shopping cart sites. will letsencrypt suite or at least an ev cert?
11:37 < be2pal> Letsencrypt suits
11:37 < be2pal> how u hosting shopping cart ? Vps ?
11:37 < Sircle> so these are TLS? https://www.namecheap.com/security/ssl-certificates/
11:37 < Sircle> be2pal, hm
11:38 < Sircle> be2pal, letsencrypt will show the green bar?
11:39 < be2pal> I am not sure of green bar
11:39 < be2pal> but letsencrypt will give your secure site.
11:41 < be2pal> Commercial vendors try to sell you with something like green bar is better or assure visitors security
11:41 < Sircle> be2pal, I see its hard to get started with letsencrypt. It wont just register and get the certs downloaded
11:42 < be2pal> I believe you are just starting shopping cart at initial stage. Please focus on other aspect on the site. So ssl/tls, letsencryption is good.
11:43 < be2pal> Sircle: follow the instruction. its not like commercial where you click to buy. Download the cert and upload to cpanel
11:43 < frankzinger> Sircle, once again: https://letsencrypt.org/
11:43 < frankzinger> woops, didn't mean that
11:43 < frankzinger> wrong window
11:43 < be2pal> Letsencrypt has fairly simple instruction
11:44 < be2pal> Sircle: check your hosting provider. Cpanel may has option to obtain letsencrypt cert
11:44 < vlt> Can letsencrypt.org issue EV certificates?
11:45 < frankzinger> vlt, no
11:45 < be2pal> Only domain-validated certificates are being issued, since they can be fully automated. Organization Validation and Extended Validation Certificates are not available.[15]
11:46 < be2pal> https://en.wikipedia.org/wiki/Letsencrypt
11:46 < vlt> Thank you.
11:47 < be2pal> Sircle: if you are not advance webmaster, its time to brush off
11:47 < Sircle> be2pal, k
11:49 < be2pal> Shopping cart can be demanding as growing bigger
11:49 < Sircle> I cant just place the cert files to new server once I have generated them? Why certbot is required to be placed where website is hosted?
11:50 < be2pal> Sircle: there r two options. Its depend what type of hosting
11:51 < be2pal> You can automate cert. Renewal with setting up online
11:51 < djph> Sircle: are you literally asking why you have to put the certs on the server that's hosting your website? That's like asking why you have to put fuel in your car, or the key in the ignition (barring, ofc, one of the start-button-radio-keys)
11:51 < be2pal> Or setup locally to renew manually then upload
11:52 < be2pal> djph: I understand tech but not cars ;)
11:52 < frankzinger> djph, i think he meant "and leave it be"
11:52 < Sircle> djph, no, I was asking why not just put certs in apache and why install certbot on each hosting server ?
11:52 < djph> Sircle: ahhh
11:55 < be2pal> Sircle: letsencrypt needs renewal on 3 months period. Installing certbot can auto renew without admin
11:59 < Ta-moko> hi, shopping for network cables, i don't want to assume too much, but may i assume CAT6A cables are basically same port shape and pins as CAT6E?
11:59 < Ta-moko> (thanks ahead of time)
12:02 < djph> Ta-moko: they'd better be, what with copper standardizing on 8p-8c connectors
12:03 < be2pal> Category 6e is not a standard, and is frequently misused because category 5 followed with 5e as an enhancement on category 5. Soon after the ratification of Cat 6, a number of manufacturers began offering cable labeled as "Category 6e". Their intent was to suggest their offering was an upgrade to the Category 6 standard
12:07 < djph> IIRC, it was "pre-standard" for 6a
12:07 < djph> 5 -> 5e / 6 -> 6e ... but then they decided "6a" was less confusing
12:09 < Sircle> be2pal, I just installed it. What it does now is while loading it says "secure" on the bar and when the site loads, it says this site is not encrypted
12:14 < Sircle> be2pal, nevermind
12:15 < be2pal> Sircle: does it says unencrypted
12:18 < well0ne> hello, i am having a routing problem . https://pastebin.com/QwFd2Tp5 iam inside the 192.168.0.0 subnet and cannot assecc the 10.* ranges . can anyone help to set the right routes
12:19 < djph> on your 10.* gateway, set a route to 192.168/16 via 10.whatever
12:20 < Sircle> be2pal, there were few images fetched from outside. Maybe thats why. I will remove them and review again
12:20 < djph> assuming, of course, the 192.168 subnet is not being NAT to 10.whatever
12:20 < well0ne> okay, so i have to work with iptables?
12:21 < lolusux> Hi, I'm going to get a 42U server rack, out of which approximately half of it will be used to install various devices, I'm afraid I will have a heating problem because the rack will not have a separate room with AC, how do I determine whether I will have a heating problem at all and if so what kind of cooling solution should I look for?
12:23 < light> you can look at the manual for your servers to find the heat load
12:23 < be2pal> Sircle: best wishes for your shopping site
12:23 < light> you will want air conditioning
12:26 < well0ne> @djph so i need to use iptables to solve this problem`?
12:26 < be2pal> I hate managed switch. :(
12:27 < djph> be2pal: just thing of how much worse it'd be if it was a dumb switch.
12:27 < djph> well0ne: iptables is a packet filter, not a routing engine
12:29 < be2pal> djph: i like to configure but its not even start working.
12:30 < well0ne> okay, so what would be appropriate to try?
12:31 < light> well0ne: draw a network diagram and label the ip, netmask, gateway and routes for each device
12:38 < purplex88> why does my network ping decreases when I download stuff?
12:38 < purplex88> only download speed should decrease isn't
12:38 < purplex88> it
12:40 < well0ne> okay
12:41 < djph> purplex88: you mean the ping times increase?
12:41 < djph> be2pal: RMA as DOA?
12:41 < purplex88> ah, yes sorry increase
12:42 < light> congestion
12:42 < djph> purplex88: well, ICMP packets have a size. Think it through.
12:42 < purplex88> i mean is it normal?
12:42 < purplex88> or just me
12:42 < light> yes
12:43 < purplex88> ah
12:43 < purplex88> makes sense i guess
12:43 < purplex88> icmp packets have to get through the crowd of other packets
12:44 < purplex88> but latency increases
12:44 < purplex88> its not just ICMP packets.. I experience lag in chat too
12:45 < light> yeah..
12:45 < bcjdk> Holy shit
12:45 < djph> funny how saturating your connection with porn means the other stuff can't get through
12:45 < purplex88> e.g. my download speed is 1 MB/s and I download stuff at 500 KB/s
12:46 < purplex88> why it still causes delay?
12:46 < purplex88> can it?
12:47 < Stryyker> It could be many things
12:47 < light> how much increase in ping times are you seeing?
12:47 < light> is your link symmetric? are ACKs getting delayed?
12:48 < purplex88> 34 ms to ~400 ms
12:48 < purplex88> it happens in context of torrenting
12:48 < purplex88> ADSL
12:48 < Stryyker> torrenting also has uploads
12:49 < djph> torrenting uses as much bandwidth as it can - in both directions. Limit your upload speed
12:49 < purplex88> yes i use upload at the same time too
12:49 < purplex88> if i use all my upload speed, does it mean i can't download at full speed?
12:50 < purplex88> guess that what asymmertic thing means?
12:51 < Stryyker> a part of downloading is uploading information to say you got the packet. If you saturate downstream or upstream you'll see the increase in latency
12:51 < light> ADSL has poor upload bandwidth that's easy to saturate
12:51 < purplex88> i see ACKs
12:52 < Stryyker> that is why 2 decades ago some of the P2P guides had some rough guides on how to limit up/down speeds to keep things smoother.
12:53 < purplex88> what the difference in link being symmetric or asymmetric?
12:53 < Epic|> It's literally in the definition of the words
12:53 < bcjdk> Holy shit^2
12:53 < bcjdk> I can't even
12:54 < light> a symmetric link is the same speed both directions
12:54 < light> an asymmetric link is not
12:54 < purplex88> means upload doesn't impact download speed?
12:54 < light> no
12:54 < purplex88> in case of?
12:54 < light> wat?
12:54 < purplex88> symmetric
12:55 < light> you've lost me
12:55 < Stryyker> you're conflating things and adding in stuff people are not saying
12:56 < djph> purplex88: "symmetric" connection -> you can upload and download at the same speed (e.g. 10 mbps). "asymmetric" means one direction is slower than the other (e.g. DSL with 5/1)
12:56 < light> If you're on 1 mbit down ADSL I imagine your upload is even lower
12:57 < djph> probably 256k
12:58 < purplex88> but if I use all my upload speed then to download at full speed isn't possible
12:58 < purplex88> upload impacting download
12:59 < purplex88> i guess its true in both cases symmetric and asymmetric
12:59 <+catphish> technically speaking, uploading should not affect download speed, but... downloading with TCP requires some data to be uploaded (ACK), so maxing out upload can break this process
12:59 < purplex88> as we said because of ACKs
13:03 < aaa_> lol..
13:03 < purplex88> thanks understood
13:03 < purplex88> so this tells me "upload" link was the cause of i was experiencing latency
13:04 <+catphish> saturating upload is a common cause of terrible connectivity on residential links
13:04 <+catphish> 1) they usually have small upload speeds 2) they usually have large buffers, so if the buffer is full stuff can get really delayed
13:09 < cu_cucambur> Why does linux bridge has an ip assigned?
13:09 < cu_cucambur> have*
13:09 <+catphish> cu_cucambur: the host itself is connected to the bridge, that's the hosts's IP on its own port on the bridge
13:12 <+catphish> so if you have a bridge for example br0 that has 2 physical ports connected: eth0 and eth1, it also always has an invisible extra port than connects to the local host, this allows the host itself to communicate with that network
13:13 <+catphish> if there was no IP on this port, the host would have no way to talk to this network (the one connected to eth0/eth1)
13:15 < djph> catphish: so you could make a linux box a dumb switch...
13:16 <+catphish> you could, or a reasonably smart one, it supports STP and VLANs
13:16 <+catphish> and filtering
13:17 < djph> well, yeah - but I meant by dumping the IP address on br#, it'd act as a dumb switch for the interfaces attached to it
13:17 <+catphish> well by putting the interfaces in the bridge at all, it acts as a bridge
13:18 <+catphish> the IP just determines whether you want to connect the host itself to the network or not, i geuss the difference between a l2 switch and a l3 switch :)
13:18 < djph> yeah, that's what I was trying to get at ... and poorly
13:18 < tbcsj> Hi all - I've got a future situation where I have an access switch receiving .1q frames over n trunk ports, and I want to push a 2nd tag onto them to a northbound PE
13:19 < tbcsj> One of the .1q vlans is management that needs to terminate on the northbound PE
13:19 < tbcsj> Whereas the other VLANs traverse the MPLS network using t-ldp tunnels
13:19 < djph> so tag it on another port and send it over to that "northbound PE", and terminate it there.
13:20 < tbcsj> djph: I can either do selective q-in-q on the northbound switch
13:20 < tbcsj> Or use the vlan-tags outer [outer] inner [inner] on the PE
13:20 < tbcsj> s/northbound/access
13:21 < tbcsj> needs to be on the same trunk on the switch and on the same uplink port to PE
13:21 < djph> is not punctuation.
13:22 < tbcsj> Ok
13:22 < detha> tbcsj: you could do tricks with native vlan
13:23 < tbcsj> detha: I think I want to do one of the options I mentioned
13:23 < tbcsj> But I was wondering whether one solution is better than the other?
13:25 < detha> that probably depends on what equipment you have at hand, and which bugs in it you hit.
13:27 < drathir> mornin/evenin...
13:27 < djph> heyo drathir
13:27 < drathir> djph: hi, hi ^^
13:41 < drathir> lol amazon making android browsers ;p
13:46 < Apachez> nasdaq have been down for more than 6 hours... due to "fire related issue", their disaster recovery site is still not up and running...
13:48 < djph> Apachez: "all that DR stuff is too expensive, we haven't had a problem in my time here ever, budget denied"
13:50 < Apachez> I doubt it since they deal with stock exchange
13:50 < Apachez> money is not an issue :)
13:50 < djph> Apachez: I take it you've never worked with MBAs then
13:51 < Apachez> I have been in the financial world previously
13:51 < Apachez> but sure the prioritization can be fun at times
13:57 < dogbert2> hey djph Apachez
14:00 < Apachez> hi
14:04 < Apachez> they even fail to maintain their homepage online https://www.nasdaqomxnordic.com/
14:05 < Spice_Boy> I just tried out sslstrip for the first time, and it seems to work for https web sites to show passwords, but that's not really what I'm after. I have a device that does a port 443 VPN to somewhere, and I'd like to see what's in it. Is this at all possible?
14:05 < Apachez> Spice_Boy: maybe
14:05 < Spice_Boy> do tell
14:05 < Apachez> depends on the client and server software
14:06 < dogbert2> bwhahaaha...Jim Carrey doing Welcome to the Jungle in the Dead Pool
14:06 < Apachez> if they verify each other and use perfect forward secrecy (aka diffiehellman or such) then you wont be able to use sslstrip on that ssl vpn
14:06 < Spice_Boy> but is sslstrip even the right tool for a non-browser thing?
14:06 < Apachez> but if either part doesnt verify the other one (like if the client can be reconfigured to trust your sslstrip cert instead) then you can decrypt the session
14:06 < Spice_Boy> I looked up the server, and the cert seems to be signed by their company root ca
14:06 < Apachez> sslstrip just strips ssl
14:06 < Apachez> as far as I know
14:07 < Apachez> I might be wrong
14:07 < Apachez> another method is to run stunnel in debug mode
14:07 < Apachez> but the thing is again on how the client and server verifies each other and if perfect foward secrecy is being used or not
14:08 < Spice_Boy> I'll have to check that out
14:08 < Spice_Boy> just need to see about the tools first
14:09 < Spice_Boy> on a browser I get the cert error warning, but that's because it's signed by their own CA
14:17 < Spice_Boy> Apachez: this mentions some DHE stuff https://pastebin.com/VYEVfsyL
14:19 < Spice_Boy> if I just go to the address on a browser, I get the nginx/1.10.1 messages (403)
15:47 < Apachez> https://www.youtube.com/watch?v=Q1TXk7ZdiQE
16:21 < conjunctivitis> i just installed a new os (avlinux, based on debian stretch) and i can connect successfully to my vpn as a client, and ping the server, but can't ping 8.8.8.8 or reach the internet
16:22 < conjunctivitis> if i launch openvpn via command line everything works normally, so i think it's a permissions problem with nm-applet
16:22 < conjunctivitis> any advice would be hugely appreciated
16:24 < compdoc> think theres a setting about using the gateway on the remote, versus not
16:26 < ||cw> conjunctivitis: check ip route with both methods and see what's different
16:27 < jason85> How can I tell from a DNS response that it is an authoritative answer of the requested domain or if it directs me to other nameservers?
16:27 < conjunctivitis> ||cw, can you please tell me exactly what command to use?
16:27 < ||cw> "ip route"
16:28 < ||cw> lol
16:28 < conjunctivitis> ||cw, sorry i'm a beginner, that's why i'm here :-/
16:28 < UncleDrax> hey now, plenty non-beginners here too :(
16:28 < ||cw> :) guess I should have put it in quotes the first time
16:29 < ||cw> you're looking for a difference in the "default" and for your subnets. post on a pastebin if you like, feel free to mask the public IPs
16:39 < conjunctivitis> ||cw, i'm not sure which ips to mask
16:39 < conjunctivitis> and which ones you need
16:41 < conjunctivitis> the big difference i noticed right away is that the cli one starts with 0.0.0.0/1 via xx.xx.xx.xx dev tun0
16:41 < conjunctivitis> (this one works)
16:42 < conjunctivitis> the nm-applet one starts with this:
16:42 < conjunctivitis> default via xx.xx.xx.xx dev tun0 proto static metric 50
16:43 < conjunctivitis> this one doesn't work
16:44 < drathir> conjunctivitis: bad gateway in dhcp?
16:44 < ||cw> the /1 seems odd, but the metric 50 does as well. when there's a metric it's usually because there's multiple of the same subnet, so the rest of the lines are improtant.
16:45 < conjunctivitis> ok
16:45 < drathir> conjunctivitis: both via are the sam addreses?
16:45 < drathir> sam/same*
16:45 < conjunctivitis> not sure what you mean
16:45 < ||cw> the public IP is all you'd need to mask, the 192.* and 10.* don't really matter
16:45 < drathir> conjunctivitis: in Your masked examples...
16:46 < conjunctivitis> drathir, no, they're different
16:46 < zenix_2k2> one question, why there are so many different protocols of each layer of a networking model ??? ( TCP/IP, OSI model ), isn't 1 of each is enough to establish connections between computers ???
16:46 < conjunctivitis> i think my vpn queries a dns to get the specific ip when it connects (i don't enter an ip to configure, it uses a dns to request the ip because they have a lot of servers all over the world)
16:46 < zenix_2k2> and sorry if that question is too noob
16:47 < conjunctivitis> guys i have to run, thank you for your help
16:47 < conjunctivitis> i will be back later
16:47 < ||cw> conjunctivitis: so, the issue is the nm is setting up the route wrong. idk how to fix that though since I don't use nm
16:47 < conjunctivitis> sorry, i found this channel after asking for help for about an hour and getting automated bot responses in other channels
16:47 < conjunctivitis> i'll come back later
16:48 < zenix_2k2> um hello ???
16:48 < drathir> zenix_2k2: udp vs tcp get eg. different usage thats main purpose of differencies i guess...
16:48 < ||cw> zenix_2k2: that is a complicated questions....
16:49 < zenix_2k2> well yea i suppose it is
16:49 < ||cw> basically, it's for compatibility
16:49 < zenix_2k2> i always wonder why each layer has so much protocols that most of them do the same jobs ( with just some minor differences )
16:49 < zenix_2k2> but pretty much they can do each other task ( on the same layer )
16:51 < ||cw> the 100baset layer 1 and the wifi layer 1 and the fiber layer 2 are all very different. but at layer 2 the frames are similar
16:51 < zenix_2k2> OSI model or TCP/IP you mean ?
16:52 < ||cw> then you add in things like dialup modems and SLIP links that are different all the up to layer 3, but at layer 4 all things can start talking
16:52 < ||cw> osi model
16:52 < zenix_2k2> how about TCP/IP ??? i am into it more than OSI model
16:53 < zenix_2k2> since OSI model is kinda out-dated to most of people
16:55 < kepler> zenix_2k2: tcp/ip operates within the layers of the osi model, they aren't comparable
16:55 < ||cw> ip ls layer 4, tcp/udp/whatever is 6, http/imap/irc/etc. are layer 7
16:55 < ||cw> there are other things that can run on these layers too
16:56 < ||cw> it's all about flexibility and comparability
16:56 < zenix_2k2> but WHAT IF each layer only has 1 protocol, can connections between computers still accomplish ???
16:56 < Roq> What? no. IP is layer 3, tcp/udp is layer4
16:56 < kepler> zenix_2k2: no, you need the full stack
16:56 < mAniAk-_1> ||cw: no..
16:56 < ||cw> oh, right, subtract 1
16:57 < mAniAk-_1> still wrong
16:58 < Roq> zenix_2k2: The OSI model isn't outdated, it's the standard
16:58 < ||cw> not just the standard, it's the fundamentals of how the Internet works at all
16:58 < zenix_2k2> well, but why people don't usually talk about it anymore ???
16:58 < zenix_2k2> but TCP/IP Instead
16:58 < kepler> actually understanding the osi model will help you troubleshoot more than just about anything else
16:58 < mAniAk-_1> anyway, think of it as layers of encapsulation, the tcp/ip and osi models can help you visualise it, but all protocols do not fit neatly in one layer so it's just a guide
16:58 < kepler> tcp/ip operates within the OSI model
16:58 < Roq> Then you're talking to the wrong people, or about different subjects
16:59 < ||cw> zenix_2k2: it's just a model. what we talk about are the implementations
16:59 < zenix_2k2> kepler: what does it mean by "operates within the OSI model"
16:59 < kepler> that they are different, they aren't comparable
17:00 < zenix_2k2> if they aren't comparable, how can they operate within each other ???
17:00 < kepler> well, you operate on planet earth, are you comparable to planet earth?
17:00 < ||cw> zenix_2k2: when you're doing spectrum analysis to see where wifi and microwaves conflict, you'd working on layer 1 in the model. when you're certifying ethernet cables for cross talk, also layer 1.
17:00 < zenix_2k2> well, as a part of it, i think i am somehow
17:01 < kepler> OSI is required for tcp/ip to work. tcp/ip is not required to maintain the OSI model
17:01 < zenix_2k2> well, that is more cleared
17:01 < mAniAk-_1> wtf?
17:01 < kepler> tcp/ip was developed within the OSI model
17:02 < mAniAk-_1> what are you even talking about
17:02 < zenix_2k2> models and protocols
17:02 < Budd> Is there any way to assume a mapping between some link-local IPv6 addresses and MAC addresses, to avoid neighbor discovery?
17:03 < mAniAk-_1> zenix_2k2: i know what they are, but youre both just speaking nonsense now
17:03 < Gollee> why do you want to avoid neighbor discovery? Budd ?
17:03 < zenix_2k2> ||cw: so what protocol that is used to analyze the conflict between wifi and microwaves ???
17:03 < tds> Budd: yes, there's an algorithm for it, iirc you flip a bit and put ff:fe in the middle
17:03 < kepler> mAniAk-_1: comparing tcp/ip to the osi model wrong, how is that nonsense, one is a model for running networks, one is a protocol developed within the model
17:04 < Budd> Gollee: just curious because babel uses multicast instead of unicast in some cases to avoid ND. But I think wireless multicast goes at a lower bitrate.
17:04 < ||cw> zenix_2k2: RF radio.
17:04 < mAniAk-_1> kepler: what? Both OSI and tcp/ip have their own protocol stacks, neither are just a model
17:05 < ||cw> zenix_2k2: layer 1 is how the elections move on the wire, or the lights flash in the fiber, or the radio waves... uh, wave...
17:05 < mAniAk-_1> kepler: osi has it's own ip, tcp, udp, etc, equivalent
17:05 < kepler> mAniAk-_1: he is refering to osi model
17:05 < Dagger> its*
17:05 < Dagger> c'mon >.>
17:06 < zenix_2k2> ||cw: so for an example, when my mobile turns on its flash light, it also means it is using one of the protocol from layer 1 ?
17:06 < zenix_2k2> as far as i know, layer 1 is about hardware
17:06 < zenix_2k2> but as you said, it sounds a bit farer than i thought but not sure if i thought is correct
17:06 < ||cw> is turning on a flashlight a network operation?
17:06 < zenix_2k2> so what do you mean by "or the lights flash in the fiber" ???
17:06 < ||cw> is there a systems interconnect there?
17:07 < zenix_2k2> i always confuse that part
17:07 < UncleDrax> ||cw: these days, I wouldn't be surprised if there is some Internet-Cloud managed Flashlight solutions out there.
17:07 < tds> Budd: it's worth keeping in mind that you can't always rely on that, though (eg I think network-manager generates its own ll addresses, rather than using the mac address)
17:07 < ||cw> fiber connections work by shining LEDs or lasers into a fiberoptic tube
17:07 < Budd> tds: yes - I suspected as much.
17:07 < drathir> zenix_2k2: why not if receiver understand flash blinking ? ^^
17:07 < ||cw> they blink them really fast to represent bits
17:08 < tds> and you can do other similar things manually if you want (eg I have some routers with static link local IPs)
17:08 < Budd> tds: what's the point in picking a random LL, though? It's not like you're obfuscating your MAC.
17:09 < drathir> tds: or just uls...
17:09 < drathir> ula-s*
17:09 < zenix_2k2> drathir: sorry but i didn't get what you mean
17:09 < zenix_2k2> i am not good with english metaphors or networking metaphors in english
17:10 * UncleDrax randomly headdesks because adding support contracts on vendor sites is a thing that seems overly complicated.
17:11 < Dagger> Budd: SEND?
17:12 < jason85> How can I tell from a DNS response that it is an authoritative answer of the requested domain or if it directs me to other nameservers?
17:13 < tds> Budd: I've no idea why network-manager does that, I guess the reasoning is probably documented somewhere though
17:13 < djph> it'll say it's an authoritative answer
17:13 <+xand> nslookup tells you
17:14 < djph> or rather it'll say if its non-authoritative
17:16 < drathir> zenix_2k2: < zenix_2k2> ||cw: so for an example, when my mobile turns on its flash light, it also means it is using one of the protocol from layer 1 ?
17:16 < drathir> zenix_2k2: if receiver understand that blinking why not ?
17:17 < ||cw> sure, if you're blinking a light and some receiver understands those blinks, that could be a layer 1
17:17 < zenix_2k2> well, fair enough
17:21 < ||cw> that's also the basis of free-space optic networking
18:12 < wtflux> is DNS and stuff like that discussed here?
18:13 < lupine> sure
18:15 < wtflux> ok i've got what i hope is a simple dns issue here, but im trying not to be long winded tho it will require some explanation
18:16 < wtflux> im supporting a co-workers website at nearlyfreespeech.net and transferred my domain to their Nameservers and created DNS records
18:17 < wtflux> they created the A records and several others automatically, i created an alias record to www.hostname.com which points to hostname.com which points to host.nfshost.com (the SOA i think?) anyways, when people visit www.hostname.com it redirects to hostname.com and the site is a wordpress site so when she gives people links to her blog posts they always want to append www. to hostname.com/wordpress/blog.php which doesnt work upon
18:18 < wtflux> i dont quite understand whats going on here, i've never had to make cname records or aliases for www usually the nameservers just "worked" but not so with this host
18:19 < wtflux> in plain terms i wish www.hostname.com would stop redirecting to hostname.com and remain www in the address bar
18:19 < wtflux> but i think something about the way nearly free speech's setup their nameservers prevent this from happening because hostname.com is the A record, rather than the www alias
18:21 < wtflux> this host's nameservers seems to do the exact opposite of what every host i've experienced in the past, and all websites do... when you visit amazon.com you are redirected to www.amazon.com in your browser, and the address stays www.amazon.com, my site is doing the exact opposite
18:22 < wtflux> if you visit renchispace.com (my coworkers website) you'll be redirected to renchispace.com and this is where the problem lies
18:22 < wtflux> er, www.renchispace.com redirects to renchispace.com
18:23 < wtflux> sorry if that explanation was confusing im doing my best here, im not thoroughly DNS savvy
18:24 < wtflux> never in my life have i needed to create a cname record for www
18:25 < ||cw> wtflux: I'm sure there's providers that automatically make www records, but that is not inherent to DNS. something has to add it.
18:26 < wtflux> ok thats understandable but what exactly am i dealing with here?
18:26 < ||cw> the redirect is in the web server config.
18:26 < wtflux> i just want my friends site to be viewable as www.renchispace.com
18:26 < wtflux> and it seems like this host's nameservers/DNS are setup to NOT do that
18:27 < wtflux> i've poured thru the host's DNS documentation and its rather ambiguous, it says to create the records, which i've done, but nothing about the redirect issue
18:27 < tds> assuming both the A/AAAA records point to the same web server for www and the root domain, that's fine, you just need to configure the web server to do a redirect from root -> www
18:27 < ||cw> right, the redirect has nothing to do with dns
18:27 < ||cw> it's in the web server
18:28 < wtflux> ok thanks i didnt realize that
18:28 < ||cw> dns only resolves names, nothing more
18:28 < wtflux> this is shared hosting so that probably wont be an option
18:29 < tds> most decent shared hosting systems should support redirects
18:30 < wtflux> tds: but that is something the hostmaster would have to fix right?
18:30 < tds> looks like they support it with a plain htaccess file: https://faq.nearlyfreespeech.net/section/customization/forwardsite#forwardsite
18:31 < ||cw> yeah, it's just set backwards
18:31 < wtflux> tds thanks this seems like it will help.
18:31 < wtflux> ||cw what exactly is set backwards? something on my end or his?
18:33 < tds> ah, I only just remembered you said this is a wordpress site
18:33 < ||cw> wtflux: it's redirecting www to tld, you want tld to www.
18:34 < tds> wordpress by default will do redirects to whatever URL it thinks the site is hosted as (eg adding/removing www as required)
18:34 < ||cw> so it's in the wordpress config then?
18:34 < wtflux> i'll check there as well
18:34 < wtflux> and adjust accordingly
18:34 < wtflux> one thing im getting confused about, the CNAME record www.renchispace.com for renchispace.com would mean that renchispace.com is canonical correct?
18:36 < tds> dns only controls what web server the request goes to, the actual redirect is down to whatever is returned by that web server
18:36 < tds> both of those resolve to 208.94.117.240, so that looks fine
18:37 < tds> (but you should really add aaaa records as well, since it looks like nearlyfreespeech support ipv6 :)
18:37 < wtflux> yeah im just getting confused about which is the canonical name, im reading a blog here, which discusses the .htaccess info you linked to tds, and its saying to use the www. as the canonical name, and not the hostname.com
18:38 < ||cw> it doesn't matter
18:38 < wtflux> and im like ok how is that possible when they created the A record which would be the canonical name
18:38 < wtflux> and this is a NFS blog post, that seems to contradict their own info from the .htaccess FAQ
18:38 < wtflux> https://blog.nearlyfreespeech.net/2006/11/17/forwarding-sites-url-rewriting/
18:40 < ||cw> wtflux: the "best practice" preference is that the tld has the A record and the www is a cname. but it doesn't really matter, and has zero effect on the redirect
18:41 < ||cw> you could have both as A, or both as cname to something else and it would work the same
18:42 < tds> "both as cname" - worth keeping in mind a cname on a root domain isn't valid (unless you can persuade the tld to put it in their zone)
18:42 < Apachez> A server00494 1.2.3.4
18:42 < wtflux> So this .htaccess file in the root is a common thing and is how its done professionally?
18:43 < Apachez> www CNAME server00494
18:43 < wtflux> and it only goes in the root? no where else, or copied multiple times?
18:43 < Apachez> define "professionally"?
18:43 < Apachez> "professionally" you harden your webserver which means you DONT allow .ht files at all
18:43 < Apachez> all config is made by root prev of the httpd.conf directly
18:43 < Apachez> allowing .ht files is a common rookie mistake
18:44 < wtflux> well heck
18:45 < wtflux> i have a xampp install im gonna look in the httpd.conf and see how mine could differ from theirs
18:47 < ||cw> Apachez: AllowOverride can control what can be done from htaccess, but it's still generally to be avoided. shared hosting uses it a lot though
18:47 < wtflux> Apachez: would the configuration you alluded to be the "alias_module" config?
18:49 < wtflux> Apachez: or, if you'd be so kind, you can tell me what the proper setup would be, so i can know how to do it correctly in the future when im running my own LAMP at some point so idont make the same mistake? then i'll go with the htaccess file since its not my show
18:53 < Apachez> wtflux: disable everything and start from there?
18:53 < ||cw> wtflux: I think Apachez is saying that the proper setup would be a control panel that takes validated config and generates the server conf file directives from it.
18:54 < ||cw> using htaccess is the easy way out in shared hosting, with some trade offs.
18:56 < wtflux> oh i see, i was just curious what the particular configuration apachez was referring to perhaps he wasnt alluding to a specific one
18:57 < wtflux> ||cw: the RedirectPermanent directive, mentioned in that FAQ, it says to setup a forwarding site i dont understand what they mean by that
18:59 < wtflux> nevermind im gonna use mod_rewrite since it seems no second site is required to set it up.
18:59 < Apachez> wtflux: I was "alluding" to how you are supposed to configure stuff nowadays
19:00 < Apachez> disable everything and ONLY enable the features you really need
19:00 < Apachez> not the other way around (enable everything by default and then get surprised that your server got hacked)
19:03 < philwong> Hey guys. If you do a hard reset of a phone, will your phone number still be saved when you go into the "About Device" section of the phone?
19:04 < philwong> I'm referring to an Android
19:05 < Quatermass> try #android
19:06 < Quatermass> and the phone number is in the simcard
19:06 <@pppingme> philwong yeah, that comes from the sim card, not affected with a reset
19:06 < philwong> Ok
19:07 < philwong> But what if the sim card gets disabled by my phone provider, would it still show my number?
19:07 < Quatermass> sigh
19:08 <@pppingme> thats up to the provider
19:08 <@pppingme> depends on "how" they disable the sim card
19:11 < djph> we use a small thermite charge. takes out the card, phone, and hopefully the user's hand.
19:13 < philwong> So when a simcard displays the information in your phone, it is actually through a signal and not something saved in the simcard?
19:14 < philwong> The reason I ask is I had my phone stolen a few weeks ago
19:14 < philwong> Although I had nothing on the phone and did a hard reset when he stole it, I didn't want my phone number showing on the phone
19:15 <@pppingme> you managed to do a hard reset on the phone as it was being stolen?
19:15 < philwong> No
19:15 < philwong> I did a hard reset before. Coincidently
19:17 < philwong> the only thing is, it was possible I left my old sim card in there but the sim card was not activated and disabled
19:17 <@pppingme> did you report the stolen sim to your provider?
19:17 < philwong> It was already disabled
19:17 <@pppingme> why do you care if this guy finds your number, was the phone hot or something?
19:17 <@pppingme> your story seems to be falling apart
19:19 < philwong> I care because he can post it anywhere and spam it
19:19 < philwong> or who knows
19:19 < skyroveRR> Hi pppingme
19:19 < philwong> Thats why I wanted to know if a phone number still shows on a disabled sim card
19:19 <@pppingme> unless you've pissed this guy off, or there's something crooked about the transaction, why would he do that?
19:20 < philwong> There is always a chance, and I like to be safe, thats all
19:20 <@pppingme> then change your number
19:21 < philwong> yeah I guess I could
19:21 < tds> also, it's probably worth reporting the phone stolen anyway, as the network should be able to blacklist the IMEI of the device
20:18 < Sircle> be2pal, when certbot installs certs, it asks to redirect http to https. If I choose that, it does not do it. I also added `Redirect permanent "/" "https://mysite.com"` but it again does not do it. What could be the reason?
20:21 < ||cw> Sircle: did you reload the server config?
20:21 < Sircle> ||cw, yes
20:21 < ||cw> do you have rewrite enabled?
20:22 < Sircle> ||cw, how to check?
20:22 < ||cw> depends on what web server. likely best answered in that software's channels
20:24 < Sircle> Loaded Modules:
20:24 < Sircle> rewrite_module (shared)
20:24 < Sircle> ||cw, ^
20:25 < be2pal> Sircle: use server configuration rather than .htaccess
20:25 < Sircle> I have it in server config
20:26 < be2pal> http://stackoverflow.com/questions/4083221/ddg#21798882
20:27 < Sircle> IS the part needed? I have it running without the :443 part. Just cannot redirect it. https://pastebin.mozilla.org/9083346
20:30 < be2pal> Isnt better to use RewriteRule than Redirect Permanent
20:31 < be2pal> https://serverfault.com/questions/664768/redirect-permanent-http-to-https
20:34 < Sircle> be2pal, I read it, add both. Not working
20:34 < be2pal> remove permanent redirect and try ?
20:35 < be2pal> Just with rewrite rule
20:36 < Sircle> hm
20:36 < Sircle> ok
20:40 < Sircle> be2pal, now I have https://pastebin.mozilla.org/9083349 and reloaded
20:40 < Sircle> not restarted though
20:52 < Sircle> be2pal, any clues?
20:54 < be2pal> Sircle: not sure now. Need to take a look at config file.
20:54 < be2pal> Maybe somebody will try to assist you today. I am dozing off now. Bye for now
20:54 < Sircle> k
20:54 < Sircle> thanks be2pal
20:58 < be2pal> Sircle: join telegram group for networking hep://t.me/Teck_N00bs
20:59 < apb1963> I'm not sure if my DNS is working or not... dig seems to say yes... mxtoolbox.com says no.
20:59 < be2pal> Sircle: https://t.me/Teck_N00bs_Networking
20:59 < UncleDrax> prob an Apache/web-server IRC channel
21:00 < Sircle> ok
21:01 < be2pal> Sircle: like what UncleDrax said, much better chance at apache channel
21:05 < Sircle> k
21:06 < conjunctivitis> ||cw, you still around?
21:08 < conjunctivitis> anyone here who can help me troubleshoot openvpn on linux?
21:08 < Guddu> I have a receipt printer which is connected to Network cable but is still not discoverable in the Ethernet Utility that the manufacturer provides. What could be the reason?
21:08 < Guddu> I have Firewall disabled.
21:08 < Guddu> Printer model is this http://www.citizen-systems.com/en/printer/pos/ct-s4000
21:09 * UncleDrax runs away from Printer talk
21:10 < ||cw> conjunctivitis: I don't really know much more about it
21:10 < electricmilk> Guddu, Is the printer in the same subnet?
21:10 < ||cw> Guddu: is your dhcp giving it an ip?
21:10 < conjunctivitis> ok i made a mistake before with ip route
21:10 < conjunctivitis> i was using 2 different servers in different countries
21:10 < ||cw> Guddu: that doesn't seem to be a network printer....
21:10 < conjunctivitis> would it be revealing if i show you the updated ip route?
21:11 < Guddu> electricmilk, ||cw That's what i don't know if it has a IP. I tried printing a config label but that does not have any networking details/
21:11 < conjunctivitis> working vs not working?
21:11 < electricmilk> Guddu, Lame. You could check DHCP leases
21:11 < Guddu> ||cw, I have it connected using network cable. There is a variant which comes with ethernet card.
21:11 < electricmilk> Guddu, Or even use Nmap to discover it
21:11 < ||cw> oh, there's the options. doesn't say lan up top, but does later
21:11 < Guddu> electricmilk, How do i check DHCP Leases? I am on Windows
21:11 < electricmilk> Guddu, Do you know what you are using for a DHCP server?
21:12 < electricmilk> This a home network?
21:12 < Guddu> electricmilk, It is a modem provided by my service provider.
21:12 < Guddu> electricmilk, Yes. Home Network.
21:12 < ||cw> Guddu: open the dhcp admin program and sort by lease expiration. newer leases will have later expirations
21:12 < electricmilk> Ah okay. So login to your box and it might tell you what IP's it has leased
21:13 < ||cw> oh, home router doing dhcp, check its admin page
21:13 < electricmilk> Guddu, Super lame your printer doesn't print out network settings...I'd check the manual to confirm this...its pretty standard
21:13 < electricmilk> Guddu, Sometimes you have to hold down a button to have it print
21:14 < electricmilk> Guddu, Since its a home network you likely don't have that many devices...personally I just use nmap with the -A option to discover devices.
21:14 < Guddu> electricmilk, I pressed feed while pressing power. That's all it says it has.
21:14 < ||cw> electricmilk: with the inconsistencies on that product page I'm not very surprised
21:14 < electricmilk> lame
21:14 < electricmilk> Does the printer have ethernet lights when you plug in the cable?
21:15 < electricmilk> And is this printer new? If its used it likely has a static IP set.
21:16 < Guddu> electricmilk, Yes. Light are blinking. Not sure if it might have a static IP but don't have a way to see that either.
21:16 < Guddu> This is my network map...None of them is the printer http://prntscr.com/j71oq9
21:17 < electricmilk> Guddu, Once the printer has an IP you could likely connect to it through your browser to configure
21:17 < electricmilk> Guddu, I'd read the manual inside out...there has to at least be a way to reset the config on the printer
21:18 < electricmilk> You could also try swapping out the ethernet cable in the off chance the cable is bad
21:20 < conjunctivitis> my openvpn connects via nm-applet but i can't get to the internet. pinging 8.8.8.8 doesn't work. if i launch it from the command line using the same config, it works fine. can anyone help?
21:21 < ||cw> Guddu: if it comes with a static IP you either need to factory reset it, or use its docs to see what the factory static address is. then you need to set your PCs ip to a static in the same subnet so that the config tool can find it
21:23 < tds> conjunctivitis: if you run "ip a" and "ip r" while you have openvpn connected via running it manually and via nm-cli, is there any difference?
21:23 < electricmilk> ||cw, Ah yes I forgot about checking to see if the factory static IP is in a different subnet
21:24 < conjunctivitis> tds, ill check that, just to make sure i'm doing things right i'll go through what i've done so far
21:24 < conjunctivitis> to launch openvpn from cli i use these commands:
21:24 < conjunctivitis> sudo service openvpn start
21:24 < conjunctivitis> then sudo openvpn /path/to/server.ovpn
21:25 < conjunctivitis> neither of these works without sudo
21:26 < tds> you shouldn't need to mess with the service if you're then manually running openvpn like that
21:26 < tds> the service just automatically starts/stops instances of openvpn with the config files in /etc/openvpn
21:26 < conjunctivitis> tds, so should i do sudo service openvpn stop?
21:26 < tds> it doesn't matter, the server probably isn't doing anything anyway
21:27 < tds> s/server/service/
21:27 < conjunctivitis> iirc openvpn by itself didn't do anything until i started the service
21:27 < conjunctivitis> in the sense that i tried to check if it was in my path by pressing tab and it didn't complete until i started the service
21:28 < electricmilk> Anyone know if it is possible to have a SonicWALL configured so that if our wireless p2p go down it will swap over to VPN?
21:29 < electricmilk> I imagine all I have to do is configure the AD for the routes
21:29 < tds> conjunctivitis: hmm, that doesn't sound right
21:29 < conjunctivitis> i may be mistaken, i've been beating my head against this for a few days
21:30 < conjunctivitis> maybe i'll reboot and try what you asked and come back with some results?
21:30 < conjunctivitis> will you be around for a few minutes?
21:37 < conjunctivitis> dps
21:38 < conjunctivitis> tds, you still here?
21:43 < tds> conjunctivitis: yes
21:44 < conjunctivitis> i checked, ip a is pretty much the same (i presume we're interested in the tun0: entry?)
21:44 < conjunctivitis> ip r is different
21:46 < tds> conjunctivitis: yes, tun0 is likely the interesting part, what's the difference with ip r?
21:47 < conjunctivitis> tds, just a second, i'm making a pastebin
21:48 < conjunctivitis> tds, https://pastebin.com/bF9qhwLn
21:51 < tds> conjunctivitis: ah, so openvpn is adding two /1 routes to override the default route, while network manager is using metrics
21:51 < tds> either of those approaches should work, though
21:53 < conjunctivitis> but one is not
21:53 < conjunctivitis> would it be useful to see the same output from another computer using a previous version of the os where it's working correctly via nm-applet?
21:57 < tds> conjunctivitis: oh, hang on a second, what is the IP of the openvpn server?
21:58 < tds> in both cases there was a static /32 route added via the old default gateway (which lets openvpn route back to the server), but the ip is different between the two configs
21:58 < conjunctivitis> i need to disconnect to check that
21:58 < conjunctivitis> tds, brb
21:58 < conjunctivitis> no, my bad i have it here
21:59 < tds> it's probably either 178.162.222.40 or 178.162.211.114
22:04 < conjunctivitis> tds, i wrote you in a dialog window, did you see that?
22:30 < mawk> I've got a /48 prefix routed to my server
22:31 < mawk> so it would make no sense if I added 2001:db8::1/48 as an address to my WAN interface, it would route unknown subprefixes to the internet
22:31 < mawk> knowing that the prefix is routed to me
22:31 < mawk> so I could add the address as 2001:db8::1/128, but then it's not as cool as having a /48 address
22:31 < mawk> so what I did is adding 2001:db8::1/48 noprefixroute, to not generate the route
22:32 < mawk> but still packets for unknown subprefixes will be routed to the internet, so I added an unreachable route for the whole /48 to block packets for unknown subprefixes
22:32 < mawk> is that the canonical way ?
22:33 < tds> yeah, I'd bind a /128 to loopback and then have a /48 unreachable route for your entire prefix
22:33 < tds> (and then you can have a load of more specific routes for internal stuff as you like)
22:33 < mawk> so overall I do: `ip addr add 2001:db8::1/48 dev eno1 noprefixroute; ip route add unreachable 2001:db8::/48; ip route add 2001:db8:0:100::/64 dev vmbr0; ip route add 2001:db8:0:200::/56 dev wg0; # etc'
22:34 < mawk> I see
22:34 < mawk> you set the /128 on loopback ? why not on the WAN interface ?
22:35 < mawk> I know that with ip forwarding it's kinda the same but morally it makes more sense to me to put it on the WAN interface
22:42 < tds> my routers have various interfaces for transit, peers and links to other internal routers, so it wouldn't make sense to put the router's /128 on any physical interface
23:11 < pi-> Hello people.
23:11 < pi-> I asked this a couple of weeks ago, my mind keeps returning to it.
23:12 < pi-> Suppose I have several thousand users in a crowd; is there any direct way to network them?
23:12 < pi-> So that e.g. if one of them sends a message, all of them receive that message with minimal latency (<20ms say)
23:13 < pi-> I think it's very nontrivial problem.
23:13 < pi-> users = iOS/Android users
23:13 < S_SubZero> well, what assumptions can we make about their network setup
23:13 < pi-> All I can guarantee is that I can design an iOS/Android app and get them all using it.
23:14 < S_SubZero> then no.
23:15 < blawiz_> are there internet modems with routers? (so dont need two boxes for internet)
23:15 < pi-> Maybe certain android users could be 'hubs' .. (I don't know how much of a walled garden Android is)
23:16 < S_SubZero> blawiz_: look for "gateway" devices. I have one.
23:17 < S_SubZero> cable modem, 4-port gig-e switch, 802.11ac in one box
23:20 < blawiz_> S_SubZero: that sounds like a generic description?
23:20 < S_SubZero> well that's what they are called.
23:21 < blawiz_> :]
23:26 < S_SubZero> i was thinking of replacing mine with one with USB ports for home NAS stuff
23:26 < blawiz_> S_SubZero: maybe this works? https://www.nikktech.com/main/images/pics/reviews/linksys/wrt_1900_ac/linksys_wrt_1900_ac_12.JPG
23:27 < S_SubZero> well you'd have to read the specs and make sure it has what you need. Does that have wireless?
23:27 < blawiz_> i think so
23:28 < blawiz_> prob works as modem since it has one(actually two!) of those connectors
23:29 < wiresharked> blawiz_: What is the manufacturer?
23:29 < S_SubZero> it doesn't appear to have any antennas nor is standing up like internal antenna models do
23:29 < blawiz_> its one of those (famous?) linksys wrt
23:30 < wiresharked> Of course it is..
23:30 < blawiz_> https://www.nikktech.com/main/articles/peripherals/network/modem-routers/4704-linksys-wrt1900ac-ac1900-smart-wi-fi-wireless-router-review?showall=&start=3
23:30 < blawiz_> wiresharked: wut? iz bad?
23:30 < wiresharked> blawiz_: I know that it's linksys, which is not a bad brand
23:36 < xamithan> I don't see why people buy those things. I've replaced my modem 4-5x more times than the router
23:37 < blawiz_> ive never replaced the modem, also i think the internet company would do it, i think its theirs
23:37 < wiresharked> xamithan: I say to make sure at least one of them has DD-WRT
23:37 < blawiz_> anyway, i need some slp -.-
23:37 < blawiz_> gnite!
23:38 < xamithan> dd-wrt has gone downhill though. I thought everyone was using openwrt
23:39 < wiresharked> xamithan: Or just don't use a linksys router
23:49 < qman> dd-wrt is a bit slapdash in comparison, lots of bugs and regressions
23:49 < wiresharked> qman: Regressions in terms of what?
23:56 < jvwjgames> if i have two subnet assigned to me can i further subnet them down
23:57 < wiresharked> jvwjgames: You probably don't need to. Do you have a subnet mask of 255.255.0.0?
23:57 < wiresharked> And I believe you are talking about supernetting here
23:58 < jvwjgames> no they are 255.255.255.240 and 255.255.255.248
23:58 < wiresharked> jvwjgame: So a /64 then?
23:58 < jvwjgames> yes
23:58 < wiresharked> I think that you have quite a bit of IP address space here
23:59 < xamithan> What? That is /29 and /28. You could subnet them down but they are pretty small already
23:59 < wiresharked> xamithan: Oh, sorry, I thought they were /64
23:59 < jvwjgames> how do i subnet them down do i have to tell the dc to do that
--- Log closed Thu Apr 19 00:00:02 2018