--- Log opened Mon Apr 23 00:00:36 2018
--- Day changed Mon Apr 23 2018
00:00 < Reventlov> well that's already the case
00:00 < Reventlov> But it's implemented by people like google so it's ok.
00:00 < Reventlov> *cough*
00:01 < jim> hi, how can you tell from the output of ip whether an interface is to a single endpoint, like a ppp connection?
00:03 < jim> anyway please highlight me if you want to respond :) I'll check back in a bit
00:08 < tds> jim: I'd expect connections like that to be marked as POINTTOPOINT under the output of ip a (seems to be the case for 4in6/6in4/openvpn site-to-site connections on my systems at least)
00:08 < tds> s/TTO/TO/
00:09 < Reventlov> 5: wg0: mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
00:09 < Reventlov> I got this for example.
00:22 < drathir> and as always I'm standing for good ideas e.g. decentralized instagram-like service creation which soon ends and out to public its good thing...
00:23 < drathir> jim: POINTOPOINT
00:23 < drathir> jim: ip addr
00:37 < drathir> any idea what could be that? ethertype IPv4, IP (tos 0x0, ttl 128, id 7353, offset 0, flags [none], proto UDP (17), length 67)
00:47 < Apachez> any of you who have been using mermaidjs?
00:59 < dogbert2> hey Apachez...picked up the wireless adapter for the libre computer from the amazon locker...up and running :)
01:04 < Apachez> :)
01:09 < dogbert2> yeah, had to hardcode the IP/netmask/bcast in rc.local via ifconfig (it works that way), so eth0 is 192.168.1.50 and wlan0 is 192.168.1.55
01:09 < dogbert2> MediaTek RT5370
01:09 < dogbert2> - High-performance 802.11n Wi-Fi with antenna diversity switching
01:10 < drathir> dogbert2: look out for creating a loop...
01:10 < dogbert2> drathir...already checked...no issues
01:11 < drathir> guys any opinion about spamsources.fabel.dk, isn't it a scam/honeypot?
01:12 < drathir> dogbert2: that's nice then...
01:12 < dogbert2> yeah...it's sometimes easier to hardcode a static IP via ifconfig and rc.local than it is using armbian-config :)
01:13 < drathir> dogbert2: maybe check alarm too...
01:17 < dogbert2> drathir...no issues seen...only thing I'm waiting on now is the heatsink for this libre computer, then I can put it in its case and not worry about it anymore :P
01:18 < drathir> dogbert2: yea good passive cooling helps save ears ^^ ;p
01:19 < dogbert2> yeah...I use the heat sink, I can leave the little fan unplugged :)
03:56 < winsoff> Alright, so I've been thinking about that ISP that is double natting everyone on 10.0.0.1/8 (each router is preconfigured to nat again to 192.168.1.1/24)
03:56 < winsoff> each home-router*
03:56 < winsoff> Now, would they really be in deep shit security wise if they just disabled DHCP on every router and stopped the NAT?
03:57 < winsoff> it'd still be segmenting traffic, right?
03:57 < turtle> wut
04:08 < winsoff> turtle, well, if we're considering a bad actor trying to arpspoof, for example
04:09 < winsoff> if they just disabled DHCP on every CPE gateway and handled dhcp at their current higher level nat, it'd be fine, aside from possibly putting every single device in the same problematic space for arpspoofing...?
04:20 < ShapeShifter499> hello
04:22 < ShapeShifter499> I've been slamming my head against this issue for some time now. I'm getting duplicate IPv6 on a few of my devices
04:22 < ShapeShifter499> IPv6: eth0: IPv6 duplicate address fddd:afc7:4fcd::12b detected!
04:23 < ShapeShifter499> The devices in issue are Raspberry Pi Zeros, 4 of them. Two are connected via WIFI and two are connected via USB Ethernet adapter
04:23 < ShapeShifter499> does anyone have any ideas why this is happening?
04:23 < ShapeShifter499> my router runs LEDE/OpenWRT
04:24 < ShapeShifter499> any ideas to fix the issue?
04:26 < winsoff> ShapeShifter499, are they getting their ipv6 addrs from the lede dhcp6 server?
04:38 * linux_probe bets they all have the same MAC address lol
04:38 < Dagger> do they have unique MACs? I know that's not a SLAAC address, but perhaps the DUID is being generated from the MAC
04:39 < winsoff> linux_probe, lolol
04:39 < Dagger> linux_probe: dude, we both took 15 minutes to respond, and you send your response *while I'm typing my response*? -.-
04:39 < linux_probe> jinxy?
04:40 < linux_probe> first I've looked in here for hours
04:40 < Dagger> I'd expect the wifi adaptors to have unique MACs though. it's the cheap ethernet ones that you have to watch out for
04:40 < linux_probe> I'd not bet on anything being raspberry pi's
04:41 < linux_probe> probably the same "image" used on all with same MAC set
04:41 < Hooloovo0> mac shouldn't be set in the image
04:41 < Hooloovo0> it should be in the adapter
04:41 < Hooloovo0> you can override it but that's not an extremely common thing to do
04:41 < linux_probe> "shouldn't be" and what is, is lol
04:42 < Dagger> Shapeshifter: for that matter, *are* the addresses dupes? the duplicate address detection can give false positives if you somehow receive your own multicast traffic
04:42 < Dagger> ShapeShifter499, rather
04:43 < ShapeShifter499> Dagger: solution provided by a user in #lede-dev. Issue was the IDs were duplicated. /etc/machine-id needed to be regenerated
04:45 < ShapeShifter499> Dagger: so many hours wasted
04:46 < ShapeShifter499> I'm going to reboot the router to be extra sure it's working now. I'll be right back
04:48 < SporkWitch> dollar says he didn't commit changes, config is lost :P
04:48 < linux_probe> LOL
04:50 < Dagger> ah, so the DUID must be generated from the machine ID then
04:54 < linux_probe> thinking he meant the same ID on the pi's, since he only claimed to have one lede
04:54 < ShapeShifter499> Dagger: yes it's working now
04:54 < ShapeShifter499> the same exact ID was in /etc/machine-id on all 4 devices
04:55 < ShapeShifter499> which means now I should file a bug with Arch Linux Arm
04:55 < ShapeShifter499> linux_probe: yes I had only one router doing all the DHCP and IPv4/IPv6 stuff
05:00 < ShapeShifter499> WELL (expletive) (expletive) (expletive) so much time wasted
05:00 < linux_probe> well, lel
05:03 < ShapeShifter499> linux_probe: well at least now the first thing I'll think of next time something like this happens is: are there any possible duplicates in configuration across my devices that could be bad?
06:56 < grawity> all of a sudden, *all* HP PCs at $work are only negotiating 10 Mbps until I reboot them :|
07:56 < detha> grawity: automagic updates? "10 Mb should be enough for anybody"
07:57 < Johnjay> dear god automatic updates
07:57 * Johnjay mourns his limited mobile data
07:58 < detha> Don't mobile things have an option to say 'Only do updates when on wifi'?
07:58 < grawity> detha: you mean in the sense of updates hogging all bandwidth?
07:59 < detha> grawity: updates in the sense of 'new driver installed'
07:59 < grawity> yeah that's quite possible
08:07 < SporkWitch> detha: depends. i think you can force it in the settings somewhere, but it only PROMPTS you to set it on particularly large applications (android)
08:09 < linux_probe> winderps uphates eats 99999999Gbps if possible
08:09 < linux_probe> I raised hell and winderps 10 actually modified the junk
08:09 < linux_probe> traffic shaping galore and it would take it to its knees
08:10 < linux_probe> "one" windows 10 machine trying to update
08:11 < grawity> wouldn't it be smarter to keep the P2P thing enabled where it gets updates from other LAN PCs instead of clogging the internet pipe
08:11 < uxfi> hello linux_probe
08:11 < uxfi> Windows 10 spies on you heh
08:13 < grawity> SporkWitch: my android doesn't do updates on mobile data by default
08:13 < grawity> SporkWitch: app updates, that is
08:13 < grawity> SporkWitch: I think I've seen the option you're talking about, though; IIRC it's for blocking individual apps themselves from refreshing stuff
08:14 < linux_probe> lol, teh intertubes spies on you
08:16 < uxfi> All going back to Windows XP LOL
08:22 < SporkWitch> grawity: correct. i believe you can set it individually per app, but it only explicitly PROMPTS you to check the box if the app is above a certain size (gives a checkbox on the installation confirmation screen)
08:23 < grawity> ah no
08:23 < grawity> that's when you're trying to manually install an app, isn't it
08:26 < Sircle> Hi
08:27 < SporkWitch> grawity: it preserves the setting for that app when it updates the app
08:27 < grawity> hmm
08:27 < Sircle> If I have httpS://site.com and httpS://sub.site.com. The latter is configured on https and working fine. Do I need a new TLS certificate for sub.site.com?
08:27 < SporkWitch> grawity: unless they added it recently, android doesn't do delta patches; when an app updates, it redownloads the full APK
08:27 < grawity> yes, but my point is
08:27 < grawity> by default, android doesn't do said downloading *at all* while on mobile or metered networks
08:27 < grawity> Sircle: if you already have one, then yes
08:27 < grawity> Sircle: if you don't, then you can get a single certificate for both
08:28 < grawity> Sircle: though I'd only recommend that if they're both on a single server
08:30 < SporkWitch> grawity: is that the default now? or do you mean there's a setting for it? i don't believe that's the default, but i do know there's a setting
08:31 < grawity> maybe it *stopped being* the default in 1st-world countries with cheap 5G
08:32 < Sircle> grawity, what about sites that use subdomains as client id or client's organization id, e.g. client1.site.com client2.site.com or something dynamic subdomain-like thing? I have seen such before.
08:32 < grawity> some use a wildcard certificate (*.site.com)
08:33 < grawity> others grab a ton of individual certificates
08:33 < grawity> wildcard is usually cheaper if you have many subdomains, and unavoidable if they're completely dynamic
08:34 < Sircle> grawity, so wildcard certs exist?
08:34 < grawity> yes
08:43 < irwiss> you can grab free domain validation wildcards from letsencrypt these days
08:43 < grawity> how many clients support that yet?
08:44 < grawity> as in, acme v2 clients
08:44 < irwiss> not sure but official one for cloudflare api was trivial to set up
08:52 < tezogmix> do some nics/routers/switches perform better with cat 5e instead of cat 6 (home use)
08:52 < tezogmix> ?
08:53 <@pppingme> tezogmix if you're running 10/100/gig speeds, there should be no detectable difference between 5e and 6 wiring
08:56 < tezogmix> oh OK pppingme, yeah my limits and hardware weren't above 1gb... thanks for the clarification
08:56 < tezogmix> gbps
08:56 < tezogmix> m*
09:03 <@pppingme> tezogmix what's the real question or problem?
09:07 < tezogmix> Oh no problem, I was just in the need of a few more ethernet cables and just wanted to see if it was worth spending more on the cat6 cables (this is for an apartment, for distances less than 10feet/3m)
09:07 < tezogmix> pppingme, ^^
09:08 <@pppingme> personally, I wouldn't. This isn't wiring you plan to bury in a wall or pass through walls or something is it?
09:08 < tezogmix> The only possible future project down the line I was considering pppingme was building a home nas but I think there are other hardware considerations I would need to research
09:10 < Johnjay> what would you build a nas out of?
09:10 < Johnjay> like, a raspberry pi + 4 usb sticks?
09:15 < tezogmix> I do have a pi3b Johnjay but as for the nas, it's something I was always interested in since I've exhausted the patience of having so many external usb hdd's (I have about 30+tb's spread over 10 of those), so will have to do the ground work research and reading on that topic....
09:15 < tezogmix> something possibly as a project for the latter half of the year
09:16 <@pppingme> tezogmix if speed isn't an issue, just hang them all off a usb hub off a pi, and run samba
09:17 <@pppingme> won't be fast, but gives you access to all of it
09:17 < tezogmix> oh yeah speed for data transferring was important, especially if their rar files to extract onto another drive and in the 100+gb range
09:17 < tezogmix> they're*
09:17 <@pppingme> then you want a real pc probably
09:17 <@pppingme> or at least real nas hardware
09:18 < tezogmix> yes, buying/building a new pc was the summertime plan - right now, I have a hp 6300 sff desktop that I'm using on powered usb 3.0 hubs for some of the above and that's been pretty good over usb 2.0 speeds
09:19 < tezogmix> router wise, I have an ac-86u asus and tplink 5port switch (the entry level unmanaged model)
09:22 < tezogmix> The pi3b is running ubuntu-mate and just there as a standalone mini-pc for mainly web browsing via hdmi to 40" tv (firefox-esr, since it ran a lot better speed-wise in comparison to it installed on raspbian os)
09:22 < tezogmix> haven't fully appreciated the pi3b otherwise like what a lot of folks are using it for though
09:23 < Endraya> Not really meant for professional usage though (nor is a tp-link).
09:24 < tezogmix> professional use I suppose is subjective for home users though right Endraya? what would you have been using or suggesting if it's for personal home?
09:25 < Endraya> For a mini-PC? I suppose something like an Intel NUC or similar. Switches, Cisco Catalyst 2/3000-series.
09:26 < Endraya> Your needs seem to be above normal home users' level after all. Refurbished/Refreshed equipment isn't expensive after all.
09:28 < tezogmix> ah yeah, to a degree that's true, not normal home users like everyone around my apartment community :P, My broadband ISP is ~300Mbps... and probably move around a few TB's a month
09:29 < Endraya> Could be worth a 100 bucks getting an L3 switch with routing as a start ;)
09:29 < tezogmix> but it will definitely for the future, be a solid built desktop pc Endraya, no need for mini-pc builds as of now with the pi3b, I have a few nvidia shield tv units for other media/streaming
09:30 < tezogmix> I do use a vpn service on some of these 24/7 too...
09:30 < Endraya> Can't give the highest bandwidth if it's run on pi's and shields though.
09:34 < tezogmix> I was exploring the pfsense topic for a little while to bypass certain things like netflix/websites that only allow non-vpn IP's... but it was quite overwhelming since this isn't my work/study area and needed a lot more time in getting everything up and running and finding the right/legit 4-port intel nic's and then the other used cpu-related hardware (medical student)... the shield tv's are mainly for amazon/netflix
09:34 < tezogmix> and running usb hubs powered for the external hdd's for local media playback which has been working pretty nice
09:35 < tezogmix> my current machines are old (from 2011/2012 i5's hp 6300 sff + elitebook over win7-64)
09:35 < tezogmix> both were refurbs I got for under $200
09:35 < Endraya> PfSense is actually quite good (with the right addons and tweaks) but it does require some CPU power to run OpenVPN clients at decent speeds.
09:36 < tezogmix> oh right, with the encryption, I did browse a bit over the subreddit on the pfsense and saved a few diy-links
09:36 < Endraya> It may lack in routing and switching though, but is a cost effective alternative + it can be quite well secured.
09:37 < Endraya> An i3 and you've got a quite powerful firewall/IPS/filter/semi-powerful OpenVPN-system.
09:37 < Johnjay> maybe my pi3b is just damaged
09:37 < tezogmix> it was definitely a better build your own option apart from the official pre-builts (way out of my budget for just that item but i may subscribe to the pfsense subscription for their community talks) and the pfsense pre-builts on amazon all had some sort of questionable hardware flaw
09:37 < Johnjay> but i have ubuntu-mate and a raspbian on some sd cards and firefox-esr and chromium both either crash repeatedly or cause IO lock
09:38 < Johnjay> or was it the X server randomly crashing? i can't recall
09:38 * Johnjay is gripped by paranoia about hardware malfunctions and how to detect them
09:38 < Endraya> Intel NIC + low end hardware is enough for the purpose tezogmix.
09:38 < tezogmix> i haven't had any issues with firefox-esr and ubuntu-mate on the pi3b Johnjay - i had to follow a few youtube videos to get the right microsd setup since ubuntu-mate wasn't installing properly by default...
09:39 < tezogmix> cool Endraya, obviously I am used to low-end hardware or at least from a good refurb source :)
09:39 < Endraya> Ebay is always an alternative if the budget is low ;)
09:40 < tezogmix> yes indeed, that's where i purchased the hp laptop from, still running well over the last 4 years
09:40 < Endraya> Not for NIC's though. Highly recommend buying from a known and respectable retailer ;P
09:40 < tezogmix> yeah there was a very good post I saved for the intel NIC's
09:40 < tezogmix> and what to look out for
09:40 < Endraya> Copies in general.
09:41 < Johnjay> why intel?
09:41 < Johnjay> cost?
09:41 < tezogmix> for pfsense intel it was going to be:
09:41 < tezogmix> https://ark.intel.com/products/97455/Intel-Core-i3-7100-Processor-3M-Cache-3_90-GHz
09:41 < Endraya> Stability and reliability?
09:41 < Endraya> Would be more than enough for your needs.
09:43 < tezogmix> and intel i350-t4 nic based on some of the comments and pics from this forum link Endraya: https://forums.servethehome.com/index.php?threads/comparison-intel-i350-t4-genuine-vs-fake.6917/
09:43 < tezogmix> and the vpn provider I'm using has a guide on how to set up pfsense with their certification configs
09:44 < tezogmix> but definitely not just an overnight buy/build process for me :)
09:44 < Endraya> Well, i recommend just buying genuine NICs. I would not rely on a counterfeit china card to say the least.
09:44 < tezogmix> yes it will have to be 100% genuine
09:44 < Endraya> Even Intel CT cards in the 30$ range would be a better choice.
09:44 < tezogmix> what's the CT stand for?
09:45 < tezogmix> I know the asus router I have has pretty good custom firmware (merlin from the snb forums but that requires a bit of active monitoring on updating, and being aware of known-issues)
09:45 < Endraya> I'd guess Copper and base-T (RJ45/G8G8 ethernet, but it might be best to ask someone who uses the consumer cards).
09:46 < RJ45> Endraya: S U C C
09:46 < tezogmix> and it's one of the few consumer routers that has encryption hardware support
09:46 < Endraya> RJ45: huh
09:47 < Endraya> tezogmix: Running OpenVPN on those will severely limit your bandwidth. Those units are not meant for such a demanding protocol.
09:49 < mrtnt> Let's say that I'm downloading a large file over TCP. For example "wget http://hgd-speedtest-1.tele2.net/10GB.zip". It is obvious that when some of my ACK messages get lost, then the server's TCP send window cannot slide to the right, i.e. the server cannot send additional data until it has received acknowledgments for data it has already sent, and this affects the throughput. However, how is the download speed
09:49 < mrtnt> affected if some of the packets sent by the server get lost?
09:49 < mrtnt> I guess the effect is the same because the client cannot acknowledge data which it has not received and thus again, the server send window cannot slide to the right.
09:49 < tezogmix> Endraya or others, are you familiar with rg59/rg6 coaxial cables? I have a motorola arris sb8200 docsis 3.1 (https://www.amazon.com/dp/B01N6SKK1G/ref=psdc_284715_t1_B0723599RQ) and have been noticing ever since purchasing it, some out of range levels within a few categories - the apartment is a bit old and the coax cable outlet and cable itself I have is a rg59, not sure if the rg6 double or quad shield would make a
09:49 < tezogmix> difference...
09:51 < tezogmix> oh yeah Endraya, that's why I haven't done that... the router for my budget was pretty expensive at the time... I'm running the desktop clients on those... unfortunately the openvpn tap adapter driver limits downloads at 100-150mbps // i'm able to get ~300mbps+ on ubuntu lts that i have running within vmware as a guest though
09:51 < tezogmix> and tested with a live ubuntu usb to see...
09:51 < Endraya> Not really an expert (or rather i more or less forgot) on the subject. Not really been an active technology here since i can remember.
09:52 < tezogmix> we troubleshot for several days with the vpn tech team and finally came across a few github issue pages on the topic
09:52 < Endraya> Virtualization will always provide higher bandwidth due to balancing the load on all cores but may come with security concerns if used as an endpoint.
09:52 < tezogmix> and ruled out hardware issues since the linux-distro side wasn't limited
09:53 < tezogmix> oh yeah Endraya, what kind of security concerns are we talking about? it's a broad topic area but just a few highlights to remind/be aware of... I have killswitch options enabled on the virtual/non-virtual for vpn.... definitely not using socks5 proxy options...
09:55 < Endraya> There are certain vulnerabilities to hypervisors that may be exploited in a virtualized environment without anything else as a perimeter defense. Integrity-wise, it should not be an issue though.
09:55 < tezogmix> but with all the meltdown/spectre stuff, i'm not sure how that goes into the picture with VM (i'm just using the free vm player from the official vmware site), i did update the hardware-os portions of the meltdown/spectre and a few other intel SA patches
09:56 < tezogmix> were those more local-vulnerabilities or something well known in mainstream tech news? I always make sure the vmware is updated before running, and on windows, I update the security semi-monthly manually (based on the askwoody website update comments)
09:57 < tezogmix> I'll check the technology/netsec/privacy subreddits at least twice a month
09:57 < Endraya> Well, the hypervisor itself is an OS and it can be attacked just as any system. But unless already having an intrusion prevention system up and running i would hardly consider those vulnerabilities an issue.
10:01 < tezogmix> oh right Endraya, I see... the only other security-related things I have been using for several years are noscript for firefox/firefox-esr, ublock origin, malwarebytes premium and microsoft security essentials (mse for antivirus on win7)
10:02 < Endraya> Then you don't really need to worry about those kinds of exploits regardless ;)
10:02 < tezogmix> eventually, I'll have to shift to w10 but haven't jumped to that unless absolutely needed (not a gamer so the directx needs that are only offered on w10 aren't a big thing for me)
10:03 < tezogmix> what kind of OS's are you running at home for your personal use Endraya?
10:03 < Endraya> Don't have any system at home nor network. I get enough of that here + i'm almost never home anyway.
10:04 < tezogmix> learning linux from the command line is another learning goal, for some of what I have, it's mostly just googling/and copy-pasting...
10:04 < Endraya> Do run a customized distro for all uses though. Perimeter defenses at several layers.
10:05 < tezogmix> all the IP's I have are on static IP's with a custom router gateway, ssid's (:P)
10:05 < Endraya> Even though this is quite a bad time to brag of security levels since the entire network and systems are going to be scrapped and replaced with our new infrastructural equipment ;p
10:06 < tezogmix> That's cool Endraya, I imagine you built those distros from source and modified them or are they pre-made distro's that have those customization options easily modified through other documentation/forum guidelines?
10:07 < tezogmix> The ubuntu distro's I have are just the basic LTS's
10:07 < tezogmix> except on the pi3b and ubuntu-mate, sadly it seems it's not as well-supported/updated
10:07 < Endraya> I would not recommend it unless you're searching for an excuse to start drinking tbh.
10:08 < tezogmix> the non-esr firefox still to date can't install on that os build
10:08 < tezogmix> hah ok, yeah was more curious to appreciate than anything Endraya :)
10:09 < tezogmix> I just know bits and pieces that I've picked up over the years but always in awe with what everyone's able to do...
10:09 < Endraya> I did that as a learning exercise + just wanted to get a better option to libreelec to start with. Never expected it to become more than that. Did learn more in a few years than my entire career though.
10:10 < azonenberg> So, base-T Ethernet typically has a capacitor from the center taps of the line side of the magnetics to ground
10:10 < azonenberg> What is the purpose of this cap? And why does it need a 2 kV rating?
10:11 < azonenberg> Is the goal to AC couple the taps to ground while surviving a worst-case ground offset between the two ends of the link?
10:11 < azonenberg> or is it for some kind of ESD/EMI reasons?
10:12 < Endraya> tezogmix: If you're mainly interested in learning more i would suggest trying Arch Linux. It provides a great template for learning (through agony at first i guess).
10:13 < tezogmix> oh yeah, I did look at the arch-topic for noobies (from a few queried reddit topics on learning linux or what's a better non-bloated distro)
10:13 < tezogmix> lot of work to put in for sure...
10:14 < tezogmix> I did briefly look at their arch-official site documentation and it looked like everything was thoughtfully written step by step though
10:14 < tezogmix> but that was only for a few minutes because I had to wake up for a 5am surgery clinical rotation :P
10:15 < Endraya> It's not something i would recommend for entry level but it does give you knowledge about the system + you can tailor it to your needs (more or less). I do not recommend their IRC unless you like insults though.
10:15 < azonenberg> tezogmix: med student?
10:15 < tezogmix> oh yeah just like many linux-irc channels Endraya :), yeah azonenberg - last year, about to graduate soon...
10:15 < Endraya> Their wiki is comprehensive and applicable for most distros, but the install guide is not really meant as a useful OS for daily use. It's just a base to continue on from.
10:16 < azonenberg> tezogmix: cool, best of luck on your studies :)
10:16 * azonenberg is a doctor but of computer science, not medicine
10:16 < azonenberg> it's a long road
10:16 < azonenberg> My medical training is first responder level only :P
10:16 * dogbert2 has to be at work in about 3h 45m...wtf am I doing up :P
10:16 < Endraya> Very nice. Soon time to head out for field training (depending on where you live i suppose).
10:17 < tezogmix> yeah Endraya, that's what I kind of concluded to as well... thanks azonenberg and that's awesome - I have a lot of respect for the fellow PhDs, I live around many within my apartment community and know how much dedication and time (years+++) and sincere interest one has to have to take on a feat
10:17 < azonenberg> tezogmix: out of curiosity do you have a specialty in mind yet? not sure when in the process you do that
10:17 < Endraya> My first field of study was medicine. Not entirely sure how i ended up in IT ;p
10:17 < azonenberg> or at this point are you still pretty generic?
10:17 < azonenberg> Endraya: lol, i'm the opposite
10:17 < azonenberg> I started out studying EE and comp sci
10:18 < azonenberg> Then joined my local search and rescue team
10:19 < tezogmix> yeah azonenberg, I'm leaning toward general medicine (family medicine), basically allows us to interact and see patients of all ages (including pediatrics), genders, women's health topics, gatekeeper to direct to other specialties if the health problem requires higher-skilled expertise management
10:19 < azonenberg> So now i do embedded systems pentesting by day and rescue lost hikers by night
10:19 < Endraya> Well, i educated myself as a network technician which killed my interest and then spent 8 years in total studying pharmacology, medicine and psychology. Then i got a job offer i couldn't refuse + medicine had its drawbacks.
10:19 < azonenberg> Although i did call out from work earlier this week for a mutual aid response that ended up being 48 hours in the field, lol
10:20 < azonenberg> Told the lead engineer "hey, i just got activated for an out-of-county incident and leave for the staging area in an hour... if you need anything important done you've got 30 minutes"
10:20 < Endraya> Quite noble.
10:20 < azonenberg> then packed up my gear and ran off lol
10:20 < tezogmix> I still love many things related to tech and hoping somehow I could bridge the two worlds (medicine/technology) with my medical degree (doctor of medicine/md)
10:20 < azonenberg> tezogmix: actually there is some crossover for me
10:21 < azonenberg> I do embedded systems security
10:21 < azonenberg> one of $dayjob's major clients is a vendor of medical gizmos you probably know of (NDAs, can't mention any names)
10:21 < Endraya> Neuroscience and nanotechnology are quite combined.
10:21 < tezogmix> with what a lot of you all do with work, especially if ever inclined toward health care oversight, the careers are in high demand and pay well (often more than a general doctor's salary too!)
10:22 < azonenberg> So having basic knowledge of medicine, even if only at the first responder level, helps with understanding how the thing is actually deployed
10:22 < azonenberg> And how things can go wrong if it's abused
10:22 < tezogmix> health care security is huge, especially with all of the mobile-network patient portal routes for the end-user
10:22 < azonenberg> i.e. is this "we leak somebody's xray image online" bad, or "patient gets a 30x OD of morphine" bad?
10:23 < tezogmix> but unfortunately, health care security is on the bottom line and continually overlooked by most health care systems (budget, lack of awareness, etc)
10:23 < azonenberg> tezogmix: yeah, i've only dealt with one hospital system as a customer
10:23 < tezogmix> I feel for our IT-health departments
10:23 < azonenberg> the majority of my work in the field has been software/equipment vendors
10:24 < tezogmix> electronic health records (EHR) + telemedicine are ongoing growth areas
10:24 < Endraya> tezogmix: I lost faith in the profession when i came to grips with having to see patients in terms of "money spent on the individual or quick fixing with prescriptions" (which often isn't actually help). Didn't want to choose between who got an MRI and who simply got a pat on the back and an SSRI ...
10:24 < tezogmix> and mobile health care apps for android/ios
10:24 < azonenberg> tezogmix: oh god, i've dealt with a few of those
10:24 < azonenberg> some of them even hook directly to hardware and control it
10:24 < tezogmix> and so the network security is very big on those aside from obvious quality general network thoughts
10:24 < azonenberg> PII is certainly a concern
10:25 < tezogmix> phi maybe (protected health information)?
10:25 < azonenberg> but when dealing with "this can kill a patient if it gets hacked" stuff, it gets to a whole other level
10:25 < Endraya> Got tossed out of radiology for my criticism of their use of outdated browsers not long ago ;P
10:25 < azonenberg> oops did i say pii? i meant phi
10:25 < azonenberg> Endraya: I called out my dentist on a HIPAA violation while getting my wisdom teeth drilled
10:25 < Endraya> You love pain?
10:25 < tezogmix> and even then azonenberg, forget health care - your worlds are open to any non-health sector... just every day/week some big company mishap
10:26 < tezogmix> in the news
10:26 < tezogmix> of data lost/stolen
10:26 < azonenberg> Endraya: lol it was after the drilling :p
10:26 < azonenberg> they had left a bunch of scheduling stuff up on a monitor in the treatment room
10:26 < azonenberg> So i had a list of every patient they were seeing that week, full name and DOB, and what they were in for
10:26 < Endraya> Fortunately health care systems are complex and take a while to use for such purposes (and it's of little gain).
10:26 < azonenberg> It was behind a screensaver, but the screensaver was the windows "bubbles" one
10:26 < azonenberg> that shows the stuff behind it and just locks input
10:27 < tezogmix> yes, Endraya the ethics and business behind preventing folks from getting proper care is ridiculous, I equally hate it and see it daily on how folks suffer because of legal-rules
10:27 < tezogmix> or law restrictions set forth by insurance companies
10:27 < Endraya> Even show the slightest knowledge of brand names here and you are prompted for a drug test...
10:27 < azonenberg> tezogmix: yeeeah
10:27 < tezogmix> yup Endraya
10:27 < azonenberg> This is something i don't have to deal with much in the pre-hospital care field
10:28 < azonenberg> We do trauma care, stabilization, etc then carry them out to EMS on foot or get a helo in for an airlift
10:28 < azonenberg> at which point it's not our problem
10:28 < azonenberg> And i'm thankful for that :p
10:28 < tezogmix> the other thing I have to say is how some contract companies like dell/HP exploit the health care systems with their equipment and licensing
10:28 < tezogmix> those folks are banking big time
10:29 < Endraya> tezogmix: I saw the physicians (in psychiatry) basically being dead on the inside because they simply could not help people as they would have liked. Making them addicted to benzodiazepines, prescriptions for SSRI/SNRI which they knew were not going to help was not what most of them signed up for. It's quite sad.
10:29 < azonenberg> Endraya: is that still a thing? i thought CBT was starting to make a comeback, finally
10:30 < tezogmix> yes Endraya , that's the tradeoff for many in the field, choose higher pay salary or just stuck in a contract-workplace where they force you to do that...
10:31 < Endraya> It's an expense here, unfortunately, for the doctor and that means someone else goes without CBT/ACT/physical investigation. Drugs are the cheap way and that's not what they advertise.
10:31 < tezogmix> CBT (cognitive behavioral therapy) is almost always a required management protocol on top of medication therapy/management for patients who see psychiatrists
10:31 < tezogmix> at least in the more legit/qualified places
10:31 < Endraya> It can take up to two years getting CBT here in the worst regions.
10:31 < azonenberg> Endraya: o_O where is that?
10:32 < tezogmix> that's how it was for my psychiatry clinical rotations (I did one for my 3rd year which is mandatory and did one more in my current 4th year as an elective option which I wanted a little more exposure to)
10:32 < Endraya> Where i live it takes around a week. It's region based unless you pay for it yourself.
10:32 < Endraya> azonenberg: Sweden.
10:32 < azonenberg> A week is a little more reasonable, unless the pt is suicidal or something
10:32 < azonenberg> (which presumably bumps them up in priority)
10:32 < tezogmix> oh yeah Endraya , mental health care is definitely different within different U.S. regions and 100% different in non-U.S. areas
10:33 < Endraya> 150$/45min isn't something most can afford after all especially not since health care is supposed to be free.
10:33 < tezogmix> and even further with countries where health care is free....
10:33 < thothcastel_> Cisco ASA 5525 doesn't support DMVPN??
10:33 < tezogmix> that's crazy Endraya (no pun intended!)
10:34 < thothcastel_> how can I get a cisco asa which has various site2site connections to have an additional site connected to it
10:34 < tezogmix> ok all, thanks for the tech-network tips and thoughts and other conversation sharing time, I am heading off for bed now... you all take care!
10:34 < thothcastel_> but this additional site will need to also have site2site to other locations
10:35 < thothcastel_> also, this additional site has only 1 public IP available with a single fibre link
10:35 < Endraya> tezogmix: The stigma on the area is fortunately decreasing but we are in a difficult economy at this time. I live in one of the few cities where health care is working excellently and i could go to a doctor now and be checked out within the hour. A psychologist appointment this week and so on. That's not the case for 95% of this nation.
10:35 < thothcastel_> possible without dmvpn?
10:37 < thothcastel_> help please
10:37 < thothcastel_> apparently cisco asa doesn't support dmvpn?
10:38 < mdm_> DMVPN is only supported on cisco routers, so not possible to implement it in routers.
10:38 < mdm_> This is because DMVPN still uses GRE which is supported only on routers.
10:38 < mAniAk-_-> thothcastel_: so set up site to site tunnels?
10:38 < Endraya> It's mainly supported in the ISR (or high end platforms) series.
10:39 < thothcastel_> mdm_: thank you - doesn't site2site vpn use gre? what does it use? as in the case of an asa5525 for example?
10:39 < mdm_> site-to-site tunnel using a dynamic-to-static configuration will be a good idea
10:40 < mdm_> here is a link for this https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
10:45 < Endraya> mdm_'s answer is the best "bypass" for the asa series. Otherwise a router is required for GRE.
10:52 < thothcastel_> mdm_: thanks for that - this new site to be added needs connectivity to 2 other sites as well
10:53 < thothcastel_> will the dynamic-static work?
10:54 < thothcastel_> because here is the scenario: I have HQ running an ASA 5525 which has various site2site to branches, USA office and other. these branches don't have direct connectivity between one another - all traffic goes through HQ ASA
10:55 < thothcastel_> this new site will however need to have a direct connection to the USA office as well as to another remote site in addition to being connected to the HQ ASA
10:55 < thothcastel_> since DMVPN isn't an option because this new site will be having an ASA
10:55 < thothcastel_> also HQ also has an ASA
10:59 < thothcastel_> as I understand the link you sent me is related to having a dynamically assigned IP address on one of the peers - also applicable in my case but my question is actually around the capabilities of having 3 vpn's from the new office and having one of the 3 connected to the HQ
10:59 < thothcastel_> ??
10:59 < thothcastel_> will dynamic-static allow that?
11:03 < thothcastel_> how many dynamic-static vpn connections can an ASA5525-x have while only using a single public IP with a single fibre link connection???
11:09 < djph> "a lot"
11:17 < thothcastel_> djph: and will all connections go under a single tunnel or 1 tunnel per connection??
11:33 < regdude> Hi! Few routers/switches have an option to not flood multicast traffic and there is sometimes an option to not flood unregistered multicasts. What do these devices do with multicast addresses in 224.x.x.x block? Do they make special exceptions for OSPF, VRRP, NTP etc. or do they just filter them out as well?
11:37 < grawity> why would OSPF need exceptions?
11:38 < grawity> most OSPF daemons I've seen explicitly join the multicast group via IGMP
11:38 < djph> thothcastel_: The connections will go through the tunnel that they need to -- if there's only one tunnel, then, well, the VPN stuff goes through the one tunnel. If there are half a dozen other sites, then the connections go through whichever VPN tunnel they need to in order to get to the intended destination
11:41 < regdude> grawity: do all protocols that depend on 224.x.x.x send an IGMP join request? There are a lot of protocols out there. If IGMP Snooping is used, then yes, OSPF will work
11:42 < grawity> regdude: I assume the switches would do what https://tools.ietf.org/html/rfc4541 requires them to do
11:42 < grawity> if a range uses IGMP – rely on IGMP registration
11:42 < grawity> if it doesn't – flood everything regardless
11:43 < grawity> 224.0.0.x is the "special" no-igmp-needed range
11:43 < grawity> the rest of 224., if I remember correctly, is fairly normal
11:43 < regdude> grawity: ok, this is exactly what I was looking for, thanks!
11:49 < sandman13> why doesn't replayed traffic from tcpreplay show on tcpdump?
11:52 < thothcastel_> djph: ok, I am now reading an interesting article which seems to be what I need but the only thing is that instead of my new site having a dynamic IP address, it will have a static ip address
11:52 < thothcastel_> https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html
11:53 < thothcastel_> also, this new site will act as the remote site of the main site but it will still need connection to 2 different sites
11:53 < djph> thothcastel_: static IPs tend to make ipsec easier, in my (limited) experience.
11:53 < thothcastel_> ok
11:53 < thothcastel_> as per the link, the section that starts with 'Central-ASA (Static Peer)'
11:54 < thothcastel_> that is meant to be configured on the HQ asa as it kind of acts as a hub and that is where the IKEv1 will authenticate to
11:54 < thothcastel_> however, the new site will also have to have the capability of authenticating with the other 2 sites, then how to deal with it?
11:55 < thothcastel_> should I invert configs and have this part of the article applied to the remote site and have the HQ as a remote site to the new site??
11:55 < thothcastel_> won't it affect the current config on the HQ asa?
11:58 < djph> you'll have multiple configs on your "new site" asa
12:02 < thothcastel_> right - so new ASA to have both configs that is available on that article?
12:02 < thothcastel_> that makes sense to me... but not sure on the practical part of it
12:03 < thothcastel_> start by setting it up as the authenticator to the HQ which will act as a peer to the new site
12:03 < thothcastel_> then configure HQ to reflect the same
12:03 < thothcastel_> then configure the 3rd site as another peer also to the 'New site'
12:03 < thothcastel_> ?
12:08 < djph> sure, sounds like a sane approach. I don't really Cisco, so not sure what "fun(tm)" they'll throw into the mix.
12:10 < sandman13> how do you replay UDP traffic? where should it be done? on the same machine or remotely?
12:11 < b5509cd> Hey I've got to network a bunch of PC's again for the first time in a while. Need equipment, just double checking all I need is: ethernet cable, RJ45 connectors and crimping tool... is this correct, or am I missing something?
12:12 < bezaban> testing tool if you're going to be crimping those yourself, probably scissors / wirestripper, pre-made is going to be a lot less painful
12:13 < bezaban> and obviously switch, network cards etc depending on infra in place
12:13 < b5509cd> yeah it's just a bunch of relatively old windows PC's in a school, they have network adapters and I have a switch :)
12:13 < bezaban> and the plastic hood thingies
12:13 < b5509cd> They have funny switches here in Nepal actually
12:14 < b5509cd> couple of company brands I've seen that I didn't see before: digicom, netis
12:14 < b5509cd> I found a tp-link 16 port for ~20EUR though
12:14 <+catphish> sandman13: was there some context to that question?
12:14 < bezaban> :D
12:14 < b5509cd> I've heard of tp-link so I'll probably go with that
12:15 < bezaban> b5509cd: should be ok unless you're also attaching to wall plugs in which case you 'need' a different tool
12:16 < b5509cd> is there a good site for seeing reviews by actual net. eng. folk for routers/switches including odd brands from china and wherever
12:20 < djph> b5509cd: probably not.
12:21 < djph> b5509cd: although, most "network engineers" would probably be looking at Cisco / Juniper / etc.
12:21 < b5509cd> in developed countries, yeah
12:22 < b5509cd> but how would you configure this if it has no console port? https://www.tp-link.com/us/products/details/cat-41_TL-SG1016DE.html
12:23 < grawity> http://192.168.1.1
12:23 < b5509cd> maybe it has an IP and is listening for ssh or... yeah or that kind of thing^^
12:24 < grawity> tp-link's web UI is not bad
12:28 < tds> b5509cd: one thing to be aware of, some of the cheaper switches like that will allow access to the web ui from any port, regardless of which vlan you put the port on
12:29 < tds> (I haven't used that one, but from a quick look at the manual I suspect it might be the case)
12:32 < dogbert2> time to get ready for w3rk :)
12:33 < thothcastel_> thanks djph
12:33 < dogbert2> stay away from edgecore (from someone who has to mess with these things) :P
12:39 < MJCD> hey
12:42 < detha> dogbert2: what have you found wrong with edgecore so far?
12:51 < sandman13> FAQ of tcpreplay and a few searches tell me that tcpreplay can't send packets to the server or service listening on some port
12:51 < sandman13> I am a little bit confused on how it should be run. Currently running on client, instead of server.
12:52 < noorul[m]> hi all
12:53 < be2pal> How hard or easy to crimp cat 6 cable
12:54 < be2pal> I am trying after watching several videos on Youtube on how to crimp ethernet cable.
12:55 < be2pal> Out of 6 cables, only one is working after numerous attempts
12:55 < be2pal> My question is, I didn't get the tester, is it needed?
12:56 < mAniAk-_-> no, but it can tell you what's wrong
12:56 < be2pal> And I got the ordinary crimping tool. Not the costlier.
12:56 < mAniAk-_-> if you test it between pc's you'll just get no link or 100Mbit
12:57 < be2pal> What could be possibly wrong,
12:57 < mAniAk-_-> but why crimp when you can just buy patch cables
12:58 < be2pal> Well, actually, cable for IP camera. When inserted, few cables light up the ampere which indicate power is drawing
12:58 < be2pal> no data transfer light is on.
12:58 < djph> so your cable is most likely no bueno
12:59 < be2pal> mAniAk-_-: IP camera uses cat 6 which already inserted in the wall
13:01 < be2pal> i use a few patch cables which work well. I already called for professional help. But I couldn't figure what I am doing wrong
13:01 < djph> apparently the terminations.
13:01 < be2pal> djph: should I practise even more ?
13:02 < djph> be2pal: apparently.
13:02 < be2pal> After about, crimping 50 jacks, I returned the crimping tool which I thought is not working
13:03 < djph> you really should have a tester, even if it is just one of those chintzy LED ones that shows if a pair is okay.
13:03 < be2pal> https://youtu.be/rV5vgk2Mt3I is it good method ?
13:04 < be2pal> djph: I guess I need a tester. But just needed to be sure what I am doing. Even though this is one time job.
13:05 < be2pal> My guys who do the wiring are not available. So I got into action :)
13:05 < djph> pins (when looking at the backside -- without the clip) for 568B should be white-orange, orange, white-green, blue, white-blue, green, white-brown, brown.
13:06 < djph> on *every* male connector you make.
13:07 < djph> alternately, you can use 568A, which swaps the white-orange / orange, and white-green / green pairs.
13:07 < djph> any other pinout is wrong, and the person telling you to use that pinout is an idiot.
13:09 < be2pal> Yes. I followed type 568B. Carefully following the colour. What I doubt is could the crimp tool affect since it's bought from hardware shop
13:10 < djph> a bit, but more likely a chintzy crimp tool will just fatigue your hand faster than a good one.
13:10 < be2pal> I strictly follow the colour order. Do we need to push that wire/sleeve hard in till all pins reach the end?
13:11 < Arpanet69> are you trolling?
13:11 < turtle> you need to do that with all of them, yes.
13:11 < djph> yes, the conductors all have to be at the end of the connector ...
13:11 < turtle> also, if you're using passive poe put it in your mouth to test
13:11 < Arpanet69> lol
13:11 < be2pal> Lol
13:12 < djph> just don't forget to plug in the other end.
13:13 < be2pal> So the RJ jack
13:14 < djph> or the switchport you're testing the passive PoE from
13:14 < be2pal> sometimes, i follow press twice on the crimp and that thing which goes down to hold wire sleeve came off
13:15 < be2pal> Guess it's matter of rj jack quality
13:15 < be2pal> Hardware offers another jack but looking at it, I can't tell
13:15 < djph> probably more you're doing it wrong.
13:16 < mAniAk-_-> be2pal: just buy patch cables...
13:16 < mAniAk-_-> is it solid or multi strand cable?
13:17 < djph> if the jack is falling off the cable, you've either stripped back too much of the outer jacket, and/or never actually got the plug on far enough. Or you're using stranded cable for plugs that're for solid (or vice-versa)
13:17 < be2pal> cables already installed. Customer complaint i couldn't set the switch properly which causing no video feed :(
13:21 < be2pal> https://s17.postimg.cc/pz1fkvknz/IMG_20180423_164930.jpg
13:22 < be2pal> https://s17.postimg.cc/7jgynjbpb/IMG_20180413_185954_1_2.jpg
13:23 < be2pal> Crimping tools. Tools used on you tube seem better quality
13:24 < be2pal> i am not sure what type of cable.
13:25 < be2pal> Any way, I will watch how the cable technician does it.
13:25 < be2pal> I am here to see if anything I am doing unusual than you guys do
13:31 < Meta> I'm doing a lab here in Packet Tracer. It's a port-security one and I've disabled all traces of port-security on a certain link, however when I try to bring the port back up, it immediately err-disables again. :/ If there's no port-security on it, it shouldn't be doing that, right?
13:32 < djph> be2pal: meh, the tools are chintzy, but they'll do what they need to do.
13:32 < TandyUK> imho the tools don't matter much, provided you're using stranded plug with stranded cable, or solidcore plugs with solid core cable
13:33 < djph> be2pal: the picture of the ends is hard to tell, since the white jackets are all just ... white (can't see a stripe on them, so ...)
13:33 < TandyUK> but that said the 'crimp down' vs 'crimp at an angle' tools work MUCH better
13:33 < TandyUK> https://s17.postimg.cc/7jgynjbpb/IMG_20180413_185954_1_2.jpg << this is an example of a good crimping tool imho
13:34 < be2pal> TandyUK: it's a relief to know that
13:34 < TandyUK> it's ratcheted to push down on all the pins at the same time, the cheaper ones are more like pliers, and will crimp one side of the plug first
13:34 < TandyUK> quite often you find one of the pins isn't crimped properly
13:34 < djph> TandyUK: meh, I've got a Paladin (pre-Greenlee) set that's absolutely grand to use.
13:35 < TandyUK> https://s17.postimg.cc/pz1fkvknz/IMG_20180423_164930.jpg << This doesn't look much like 568A or B wiring to me
13:35 < be2pal> TandyUK: if pins not crimped properly, crimp once again
13:35 < be2pal> No it doesn't
13:36 < be2pal> I simply straighten the wires
13:36 < TandyUK> your pair order should be (looking down on the pins, left to right) orange/white, orange, green/white, blue, blue/white, green, brown/white, brown
13:36 < djph> for 568B
13:36 < TandyUK> ^^ yup
13:36 < djph> I can't tell what the white-* conductors are
13:36 < TandyUK> tbfh, everything should be 568B unless you're making a crossover lead
13:37 < djph> or 568A if the predecessor did it that way ('tard)
13:37 < TandyUK> it could be 568a actually looking closer
13:38 < be2pal> https://s17.postimg.cc/lfp6znslb/IMG_20180423_170647_1.jpg
13:38 < TandyUK> ^^ aye and in that case I'd be re-terminating both ends just in case :P
13:38 < be2pal> This is the only one that was able to work correctly. PoE included
13:38 < TandyUK> ^^ even less helpful, check your photos are in focus before sharing :P
13:39 < djph> TandyUK: assuming he got the whites in the right place, it's A ;)
13:39 < be2pal> https://s17.postimg.cc/7ys8gv2v3/IMG_20180423_170647.jpg
13:40 < djph> good lord almighty that's fuzzier than the surprise casserole the wife found at the back of the fridge...
13:40 < TandyUK> lol
13:41 < be2pal> In the beginning, I read type A is for residential so start with Type A. Then after examining how other cables already crimped, I figure Type B probably in use. So i changed to type B.
13:41 < djph> although it would appear you're missing at least pins 1,2,6, and 7 ...
13:42 < djph> honestly it doesn't really matter which you choose, so long as you stick with it at both ends (although, that being said, 568B is kind of the de facto "use this" standard)
13:42 < be2pal> djph: yes.
13:43 < winsoff> do routers ever share frames between each other?
13:43 < be2pal> Now I learnt that the tool I bought is ok. So I'll get it back from the store which I already returned it to.
13:43 < winsoff> or is it only in packet form?
13:44 < djph> winsoff: all the time.
13:45 < winsoff> so one router to another is in frames (and also in physical signal, i guess), but over multiple nodes, it's going to be the IP layer, right
13:45 < grawity> if two routers are connected via e.g. Ethernet, then they exchange Ethernet frames – although the Ethernet header has no relevance to the task of routing
13:45 < djph> winsoff: packets are encapsulated in frames are "encapsulated" in pulses of light / voltage changes on the wire (over the air)
13:45 < winsoff> right, k, so the OSI model is just a way of seeing things through their propagative roles for the sake of large-traversal
13:45 < winsoff> two entities are only connected physically at the physical layer, for example
13:46 < TandyUK> correct
13:46 < winsoff> but the longest-propagating data and most-encapsulated (though most exposed, lol) is the application layer or whatever
13:46 < TandyUK> layer 1 = the cable (or wireless signal, beam of light, etc)
13:46 < winsoff> Huh. I've never heard it expressed that way. That's cool as hell.
13:46 < djph> routers just happen to decapsulate as far as the L3 packet, and then re-encapsulate for the exiting interface
13:46 < TandyUK> layer 2 = physical, ie what that cable plugs into
13:46 < TandyUK> ethernet is layer 2
13:46 < grawity> uh, physical is layer 1
13:47 < winsoff> Okay, so most ISPs are not using ARP to populate their routing tables, right? Or can they easily avoid arp poisoning without avoiding arp altogether?
13:47 < TandyUK> layer 3 = ip for example, and a router exists here, allowing packets to be routed between different physical networks
13:47 < grawity> ethernet is "data link"
13:47 < grawity> though ethernet in general specifies both l1 and l2
13:47 < grawity> winsoff: ARP isn't used for routing tables in the first place
13:47 < grawity> winsoff: it's used *after* the routing decision has been made
13:48 < grawity> and yes, as far as that goes, most ISPs either use some sort of l2 protection, or even the fact that their link type doesn't use ARP
13:48 < TandyUK> ARP is the physical address of hardware within the layer2 physical network (Ie the MAC address of the NIC)
13:49 < winsoff> hold the fug up
13:49 < TandyUK> this is used by switches primarily, to know which of the 20 cables to send the frame down
13:49 < winsoff> fixed wireless ISPs are like one big wifi network
13:49 < djph> well, ARP is how a device resolves who (as in the physical address) "owns" (or was assigned) an IP address.
13:49 <+xand> *IPv4
13:49 < winsoff> that means they use a bus topology, right?
13:49 <+xand> :)
13:49 < winsoff> like, everything my neighbors broadcast on the wire is visible to my endpoint
13:49 < TandyUK> lets not confuse him with v6 just yet lol
13:49 < winsoff> "the wire" that is
13:50 < grawity> I'm not sure if that's a "bus"
13:50 < djph> winsoff: other than it not being wifi, yes, the AP -> CPE connection is probably equivalent to a bus topology.
13:50 < grawity> shared media, yes
13:50 < detha> winsoff: I doubt fixed wireless ISPs would agree
13:50 < winsoff> djph, it's wireless, so IT'S WIFI
13:50 < grawity> although data from you to your neighbour goes CPE -> AP -> CPE
13:50 < grawity> winsoff: wat
13:50 < winsoff> i'm just being antipedantic
13:50 < TandyUK> wireless !== wifi
13:50 < TandyUK> there are plenty of wireless connections that don't use 2.4/5ghz Wifi
13:50 < grawity> winsoff: it's sometimes wifi, but more often than not it's some proprietary wifi-based TDMA link
13:50 < winsoff> wireless fidelity -> marketing wank term -> we use it to describe whatever
13:51 < winsoff> i get what you mean though
13:51 < djph> winsoff: no, "wifi" is a particular *type* of Wireless communication utilizing particular protocols to encapsulate the traffic. While all wifi is wireless communication, not all wireless communication is wifi.
13:51 < winsoff> i was born at night
13:51 < grawity> you're not being antipedantic, you're being annoying
13:51 < winsoff> not born yesterday
13:51 < winsoff> there's a difference
13:51 < winsoff> i see no reason to attach a specific name/typing to a term that was born out of marketing wank. it's not useful. wireless is wireless. it's all radio gravy.
13:51 < djph> TandyUK: for example, my 5GHz / TDMA shot ...
13:52 < TandyUK> being pedantic is important, eg "we have fibre" but what type.. OS1/OS2/OM1/OM2/OM3/OM4 etc
13:52 < winsoff> if you want to be pedantic, then choose to talk about 802.11, which isn't called "wifi" on the paper, it's called 802 motherfucking 11
13:52 < TandyUK> it's 802.11 actually
13:52 < winsoff> TandyUK, i agree, but using standards instead of buzzwords is the real meat of the problem here
13:52 < TandyUK> 802.11 is the section in the RFC
13:52 < winsoff> and yes, i know that
13:53 < winsoff> not typing the specific subsets of .11 was important for the spirit of speeding up the statement so we can move the fuck on from this
13:53 < winsoff> a n y w a y
13:53 < djph> you're the one who said wireless ISPs were wifi, not us. Furthermore, fixed-wireless doesn't even have to use 802.11 at all ...
13:53 < mAniAk-_-> TandyUK: "ARP is the physical address of hardware within the layer2 physical network" what?
13:53 < winsoff> djph, you're right, though i was just saying it in terms of security
13:53 < winsoff> wifi = bus topology
13:54 < winsoff> fixed wireless = bus topology
13:54 < djph> thicknet = bus topology
13:54 < grawity> not typing the fucking number is also equally important for the spirit of speeding up the statement
13:54 < winsoff> both of these are problematic, right, since most ISPs on wires aren't putting all customer traffic on the "wire," right?
13:54 < djph> no
13:54 < grawity> in any case it's not all customers, at most only the customers associated to the specific AP
13:54 < winsoff> right, true
13:55 < detha> winsoff: wifi/fixed wireless are not bus topologies :p
13:55 < winsoff> i assume there are multiple APs at the home station for fixed wireless? the isp i'm talking about is using Ubnt nanostation M5's
13:55 <+catphish> winsoff: cable ISPs put all customer traffic on the same wire, same with GPON
13:55 < winsoff> and their next-up router is some edgerouter
13:55 < winsoff> this is the one with the login exposed to every customer. lol
13:55 <+catphish> winsoff: fixed wireless for consumers usually uses a single central omni, then directional antennas for the customers
13:56 < winsoff> catphish, easily decoded by all other customers?
13:56 <+catphish> winsoff: not these days, no
13:56 < djph> It depends on how the fixed wireless setup is done. While the traffic is "over the air" and could potentially be listened to by anyone, the directional nature of the antennas involved, as well as proprietary stuff pretty much makes it a non-issue (not to mention additional measures, such as pppoe, or radius-assigned vlans, etc.)
13:56 <+catphish> winsoff: usually encrypted
13:56 < winsoff> now how about for the fixed wireless isps?
13:56 < detha> catphish: huh? one omni?
13:56 < djph> catphish: more likely a grouping of 60 or 90 degree antennas at the AP site, rather than a single omni
13:56 <+catphish> maybe sector antennas, but not one per customer
13:56 <+catphish> yeah, what djph said
13:57 < detha> sectors at least, sometimes an extra dish for 'heavy' or far-away customers
13:58 <+catphish> it really depends on the circumstances, for really small sites my ISP uses a single omni, for big towers it's sectors
13:58 < djph> ... or I suppose if the installer is cheap/dumb enough ... a single omni for their entire town, which doesn't work, and then they whine about false advertising or something.
13:58 <+catphish> depends on requirements / number of customers i guess
13:58 < djph> probably RF soup as well...
13:59 <+catphish> well really a WISP should be using a dedicated channel
13:59 < djph> ... here it's RF soup thicker than molasses in january, so ... sectors or nothing.
13:59 <+catphish> licenced 5GHz here
13:59 < djph> 5Ghz isn't licensed here
13:59 <+catphish> really? :(
13:59 < djph> UNII-1, -2, or -3 is all ISM / unlicensed.
14:00 < detha> catphish: one wishes. 5.9 frequencies are $$$$$
14:00 <+catphish> detha: maybe i'm thinking of 5.9GHz
14:00 < djph> there's 3.66 (ish) that is, but FCC recently changed that recently
14:00 <+catphish> there's a really cheap licence here for WISPs
14:00 < djph> s/is/was/
14:00 < djph> UK licensing is special
14:00 <+catphish> if you do site to multisite you get a really cheap per-customer licence
14:00 < winsoff> how does the 5ghz for home gateways suck for distance, but they use it constantly for 'long-distance' los wisp stuff?
14:01 <+catphish> winsoff: directional antennas
14:01 < winsoff> makes sense
14:01 < djph> "Line of Sight", plus antenna gain.
14:01 <+catphish> and line of sight, yeah
14:01 <+catphish> any frequency is fine if you have a clear line of sight, and a high gain antenna
14:02 <+catphish> and higher frequencies generally give more bandwidth
14:02 <+catphish> due to less demand
14:02 < winsoff> to clarify again, if i were a customer of the wisp, my router/endpoint would see all traffic on the same endpoint? and also, if an ISP is using DHCP to assign addresses, why would it need to use ARP?
14:03 < djph> no.
14:03 < djph> ARP is to convert an IP address into a MAC address.
14:03 < djph> the tables timeout after some length of time, so they need refreshed.
14:04 <+catphish> this is what i was referring to in the UK: https://www.ofcom.org.uk/manage-your-licence/radiocommunication-licences/fixed-wireless-access
14:04 < winsoff> couldn't they just be updated along with the dhcp pool, or whatever?
14:04 <+catphish> £1 per user per year licence fee
14:04 < djph> winsoff: sure, if you had a DHCP lease of 10 minutes ... but that's just daft.
14:04 < winsoff> ah, okay
14:05 < winsoff> also, i just don't get how this isn't a huge vulnerability (to have data just heading to every customer all the time, and hoping they ignore it)
14:06 <+catphish> winsoff: internet traffic should always be considered public, that's why we have TLS
14:06 <+catphish> winsoff: if you're worried about your internet traffic being public, reconsider what you're transmitting
14:06 <+catphish> winsoff: but in reality, most such traffic is encrypted
14:06 < djph> winsoff: because the data isn't transmitted to "every customer"
14:06 < winsoff> true, though has this never been a massive vulnerability? i feel like you have MORE clients at layer 2 per equipment with WISPs than with other methods, but maybe that's because I don't understand the other techs very well.
14:07 < winsoff> catphish, you mean encrypted...at the data link layer?
14:07 <+catphish> winsoff: yes
14:07 < winsoff> with what tech
14:07 < djph> WPA2
14:07 < detha> Ehm, it isn't.
14:07 < winsoff> doesn't everyone on the same endpoint use the same psk, djph
14:07 <+catphish> WPA2 is a sane option, yeah
14:08 <+catphish> winsoff: i assume cable and GPON have options for l2 encryption too
14:09 < djph> winsoff: yeah, but each node (IIRC) is supposed to set its own session key. But then you've also got say pppoe encapsulation
14:09 <+catphish> but ultimately, you should not rely on your internet traffic being private
14:09 < winsoff> agreed, but i'm not talking about my traffic--i'm talking about the world at large, and WISPs in general
14:09 <+catphish> winsoff: again, in general internet traffic is not secure
14:09 < detha> However, customer traffic is sent to the customer's MAC, so most radio cards don't show non-customer traffic. But with an SDN radio, any customer can pick up traffic to any other customer
14:10 < winsoff> djph, ah, I thought you could decrypt everyone's traffic as long as you had the psk. I guess I'm just used to arpspoofing on wpa2 wifi networks and never thought beyond it
14:10 <+catphish> winsoff: you can decrypt anyone's traffic with the PSK and the initial handshake i believe
14:10 <+catphish> all this totally varies by network
14:10 < winsoff> well, the m5's are going to be on the physical layer, right? so they'll pass through the frames to whatever's sitting on the end? this ISP hasn't preconfigured their cheap netgear gateways with anything special, iirc
14:11 <+catphish> most coffee shops aren't going to have any worthwhile security, a proper cable ISP / wisp will probably have per customer crypto
14:11 < winsoff> also, thanks for sticking through this vague questionnaire
14:11 < winsoff> i'm curious why this local WISP is doing a bunch of weird, seemingly risky stuff, but then it opens questions that i never asked beyond my own network
14:11 < detha> catphish: /iff/ you have both sides of the handshake. Note that customer A can receive tower-to-customer B, but not necessarily customer-B-to-tower
14:11 <+catphish> but seriously, it doesn't matter, assume what you send over the public internet is not secret
14:11 <+catphish> detha: that's a good point
14:12 <+catphish> so yeah, WISPs and cable ISPs can generally protect that side of things adequately
14:12 <+catphish> coffee shop wifi not so much
14:12 <+catphish> but i wouldn't rely on it
14:12 < winsoff> So on ADSL2, is my modem sending my homerouter all of the frames on the local dslam? How many clients are usually on that?
14:13 < winsoff> catphish, i'm not certain that this wisp is doing it, though; I'll report back tomorrow
14:13 <+catphish> ADSL is not a shared medium
14:13 <+catphish> ADSL you have your own line
14:13 < winsoff> catphish, ah, okay. I wanted to double-check that, though doesn't it share copper on the way back?
14:13 < vasa> Any opensource tool for traffic control
14:13 < winsoff> vasa, is this a question?
14:13 <+catphish> winsoff: the copper isn't shared at all, it only has enough bandwidth for one customer 14:13 <+catphish> vasa: tc 14:15 < vasa> Yes ,I need a traffic control for multiple requests at a time so any tool opensource ? 14:15 < winsoff> catphish, orly? That's super interesting. But cable and fiber are shared media? 14:15 < winsoff> vasa, where are you from? 14:15 < vasa> India 14:16 <+catphish> winsoff: cable is usually (but not always) shared, fibre is shared for cheap consumer connections, not for business ethernet connections 14:16 < winsoff> india has many languages, right? not just hindi? 14:16 < light> they use C in India 14:16 < winsoff> light, fuck off lol 14:16 <+catphish> ADSL/VDSL are dedicated to one customer 14:16 < winsoff> catphish, that's super interesting. So what's the medium on the way back to the office? 14:16 < vasa> Yes English 14:16 <+catphish> winsoff: the office? 14:16 < winsoff> light, and then the persians developed Far C...? 14:17 < light> ._. 14:17 < detha> light: according to the SEO outsourcing offers I get, they use any web programming language under the syn 14:17 < winsoff> catphish, on the way back to the ISP's main office, where I assume they have a fookload of tech and a fiber link back to whatever ISP they're purchasing from 14:17 < light> what have I started 14:17 <+catphish> winsoff: backhaul could be anything, it's all shared at that point 14:17 <+catphish> winsoff: ideally a couple of bib fibers :) 14:17 <+catphish> *big 14:18 < winsoff> but shared medium doesn't have to mean bus topology/data delivered to each endpoint, right? 
14:18 <+catphish> winsoff: a shared mesium means the data is delivered to everything connected to it 14:18 < winsoff> ah, k, wanted to double check 14:18 < TandyUK> winsoff: https://imgur.com/a/u8RldB2 A diagram of BT's network 14:18 <+catphish> in the case of backhaul, 2 things are connected to it: a router at each end 14:19 <+catphish> then at one end it's send to the appropriate "last mile" connection 14:19 <+catphish> that might be one per customer (DSL) or shared (cable) 14:19 < winsoff> oh, i wanted to ask this previously 14:20 < winsoff> but if the NSA is logging every single packet and sending it back for analysis to another network 14:20 < winsoff> they're halving the throughput of the internet, right 14:20 < winsoff> or demanding twice the throughput at least 14:20 < amosbird> Hi, how is this url even valid ? 257.257.257.257/?mode=opencl 14:21 < winsoff> TandyUK, that is super interesting. 14:21 < winsoff> Ping request could not find host 257.257.257.257. Please check the name and try again. 14:21 < winsoff> amosbird, it's not valid 14:22 < TandyUK> winsoff: if the nsa or GCHQ are doing this, they split the signal using a prism, and send this over its own dedicated fibre. 
it has no impact o n'the internet' whatsoever 14:22 < TandyUK> its a purely passive split 14:22 < amosbird> winsoff: https://github.com/graphistry/infrastructure/tree/master/nvidia-docker-rhel 14:22 < winsoff> TandyUK, wanted to double-check 14:22 < winsoff> which is funny, because i wonder if that's what they call it when the nsa and gchq filter the same data ;D 14:23 < TandyUK> they dont 'filter' anything lol 14:23 < TandyUK> gchq stores _everything_ for at least 3 days, beyond this its metadata only 14:23 < winsoff> well, they filter it to get the metadata 14:23 < winsoff> in a loose term of filter 14:23 < winsoff> (a programmer's sense, perhaps) 14:24 * TandyUK is glad you arent writing code for me lol 14:24 < winsoff> amosbird, you have to input your own ip address instead of 257.257.257.257 14:25 < winsoff> TandyUK, you've never used filter()? 14:25 < winsoff> Are you an OOP fanboy? ;P 14:25 < amosbird> winsoff: oh, you mean that is a placeholder ? 14:25 < winsoff> amosbird, I assume 14:25 < winsoff> try 127.0.0.1 if it's your own box 14:53 < djph> had damn well better be, what with it being invalid. 14:58 < detha> OTOH, http://0257.0257.0257.0257/ is a valid URL 15:01 < djph> too much math for this early in the morning... 15:13 < regdude> has anyone seen a switch where you can add static entries into the multicast address table with IGMP Snooping? 
For example, I add 239.0.0.1 that it is located on port1 15:59 < thothcastel_> connected to asa5525 via console 15:59 < thothcastel_> I also have an ethernet cable between laptop and mgmt0/0 interface of asa I am trying to connect via http but for a weird reason I can only ping the mgmt0/0 interface from the laptop but I cannot ping the laptop from the asa cli 15:59 < thothcastel_> help please 15:59 < thothcastel_> I need to configure this asa and need access to it via http / asdm 16:03 < drathir> guys its normal that games sending >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST 16:03 <+xand> that is a netbios name lookup 16:04 < drathir> xand: its kinda act like security check purposes? 16:04 <+xand> nope 16:06 < drathir> xand: than what idea of purpose could be that game using it? 16:08 <+xand> it's just for resolving PC names 16:15 < SporkWitch> drathir: it's a windows thing, really noisy and antisocial 16:18 < drathir> SporkWitch: im playing with defaut deny fw setup... 16:18 < TV`sFrank> nbt is netbios which is windows networking 16:19 * TV`sFrank is reminded of Netbeui or whatever it was called 16:20 < SporkWitch> TV`sFrank: same thing 16:28 < Kemopan> Hello! I have dnsmasq and lots of windows hosts with static IP, what should be most convinient way to populate mine local DNS with hostnames of these machines? use nbtscan or nmap, then > /etc/hosts? 16:28 < The_Dude> Was there some update recently that disabled all the NTPD daemons out there? I've had a few servers disable itself upon boot 16:33 < ice9> i'm facing extreme slow speed and packet loss when using wifi range extender, any idea? 16:34 < djph> don't use a range extender. 16:34 < djph> get a proper wired-in AP 16:42 < drathir> TV`sFrank: yea but unlikely connect to game server port not locally as always spamming... that why im interested about that... 
16:42 < ychaouche> Hello ##networking 16:42 < ychaouche> do you agree with the following statement : "In a TCP bytestream, each byte of the stream consumes one sequence number" 16:42 < drathir> ice9: or use proper aka expensive repeater with separated radios... 16:43 < drathir> Kemopan: own dns server? 16:43 < dandaman> I've having some wifi issues recently(99% sure it has to do with noise)… can anyone help me solve this :( I've outline my problem here: https://www.reddit.com/r/HomeNetworking/comments/8e8mwo/router_has_been_doing_some_funky_stuff_in_the/ 16:43 < thothcastel_> help please 16:44 < thothcastel_> connected to asa5525 via console 16:44 < thothcastel_> I also have an ethernet cable between laptop and mgmt0/0 interface of asa I am trying to connect via http but for a weird reason I can only ping the mgmt0/0 interface from the laptop but I cannot ping the laptop from the asa cli 16:44 < thothcastel_> help please 16:44 < drathir> ychaouche: probably mean packets are counted and verified or just frames need fulfil corect schema? 16:44 < Kemopan> drathir, yeah, dnsmasq 16:45 < Kemopan> nbtscan is quite awesome, it can even output in "/etc/hosts" format 16:45 < ychaouche> drathir: I have no idea, I thought sequence numbers were to identify a whole segments window, not individual bytes. What do you think ? 16:49 <+catphish> i have a server that refuses to see a hard drive in one of its bays :( 16:49 <+catphish> bad times 16:49 < aaa_> yea 16:50 <+catphish> hopefully a reboot will fix it, 945 days uptime :( 16:50 * SporkWitch plays taps 16:51 < kottt> inb4 server never comes back up 16:51 <+catphish> lol 16:51 <+catphish> it'd better come back up 16:52 < kottt> turns out that HDD had that only copy of your MBR 16:52 < kottt> s/that only/the only 16:52 < drathir> ychaouche: it counting whole packets sended, bc need put them back together in correct queue + verify... 16:53 < ychaouche> catphish: did you check the SATA cable ? 
16:55 <+catphish> ychaouche: nope, it's a production server 100 miles away, wouldn't trust anyone to pull it out and poke around inside while it's live 16:55 <+catphish> including myself 16:55 < ychaouche> oic 16:56 < ychaouche> no spare server ? 16:56 < ychaouche> drathir: I think it serves multiple purposes 16:56 < ychaouche> drathir: including counting the number of bytes sent, yeah. 16:57 <+catphish> ychaouche: it's architected in a way that means there is a spare server, but the failover process is much better avoided, file storage is hard 16:57 <+catphish> if i did it again, i'd probably use gluster, but that wasn't really ready when i set this up :) 16:58 <+catphish> so what i have is drbd+nfs clusters 16:58 < andrewSC> hi all, I realize there are a lot of factors involved here but i'm trying to figure out what might be the bottle neck in my network when doing a large file transfer.. 16:58 < ychaouche> crashed servers two times by trying to change RAIDed disks, no when a disk is orange it stays orange until complete crash 16:59 < ychaouche> now* 16:59 < ychaouche> or until I learn how to change disks properly 16:59 < andrewSC> I'm connected to my router via 802.11ac with a tx rate of 878Mbps and with no "substantial" traffic on the network, I'm uploading to another machine at around 13MB/s 16:59 <+catphish> i use hardware raid, so luckily its just a case of pull and replace 16:59 < djph> andrewSC: both are wireless? 
16:59 < ychaouche> I use hardware raid too, but unluckly it crashed two times 16:59 <+catphish> i stopped using soft raid years ago because the replacement processes sucked 16:59 < andrewSC> the other machine is connected to the router via wired connection at 1Gbps and has plenty of bandwidth/drive speed 16:59 < andrewSC> djph: ^^ 17:00 < Phil-Work> AndrewMC, 104mbit isn't bad over wifi 17:00 < djph> andrewSC: limitation of the wireless machine perhaps 17:00 < Phil-Work> ignore the connected rate, it means very little 17:00 < andrewSC> iirc something like 50% of wifi traffic is overhead no? 17:00 < djph> e.g. RAM, Disk I/O 17:00 <+catphish> andrewSC: your bottleneck is wifi :) 17:00 < andrewSC> catphish: that's what I'm thinking.. 17:00 < ychaouche> It's marketed as just pull and replace, but maybe you need to wait for 5 minutes or so between the pull and the replace, idk 17:01 < andrewSC> catphish: I'm going to connect to the wired network and try the upload again and see if there's a substantial difference 17:01 < djph> andrewSC: 802.11ac, in ideal conditions, gets about 60% of the PHY rate 17:01 < andrewSC> gotcha gotcha 17:01 < ychaouche> so that the whatever subsystem notices you are changing disks and rebuilds the array. 17:01 <+catphish> i've seen 802.11 run at 500Mbps, but i would never rely on that, or assume it was working properly :) 17:01 < andrewSC> lol 17:02 <+catphish> 100 is generally considered decent for a normal wifi connection 17:03 < andrewSC> alllright confirmed we're on wired with wifi card disabled and i'm going to start the upload 17:03 < andrewSC> ... catphish confirmed for wifi... 17:03 < andrewSC> 118MB/s now... 17:04 < andrewSC> well that seemed to be a burst kinda hovering around 16MB/s 17:04 <+catphish> andrewSC: well you can try to optimize your wifi 17:05 <+catphish> although 16MB/s isn't good for gigabit :( 17:07 < drathir> djph: good mention only if router gets all ac devices connected into... 
17:07 < drathir> djph: otherwise it drop to n mode... 17:07 < andrewSC> hmmmm 17:08 < andrewSC> yeah not sure what to make about the gigabit situation.. 17:08 < drathir> n depend on radio max 450M i guess... 17:08 < andrewSC> i know both machines are more than capable of pushing/pulling large amounts of data... 17:08 < ash_work> why is it that not regardless of which DNS Server I use, I get `apt-get update` errors on dl.google.com ? 17:08 < drathir> at 2.4G 17:08 < djph> ... could be a garbage router 17:09 < andrewSC> 2013 mbpr as source and a intel nuc with a samsung 960 evo as dest 17:09 < andrewSC> djph: possible... it's an older asus rt-ac66u with merlin firmware flash 17:09 < andrewSC> i was running dd-wrt on it for a while but decided to go back to something stock-ish with updates 17:10 < andrewSC> have scheduled reboots every sunday at 3am so i don't think it's an uptime issue 17:10 < andrewSC> hmmm 17:11 < djph> it's probably a "crap router" issue 17:11 < drathir> routers still needs a restarts? 17:11 < andrewSC> may be time to upgrade huh 17:12 < andrewSC> drathir: i don't think they "need" it per-se but it's not a bad practice since most exploits seem to live in memory 17:13 < drathir> andrewSC: hmmm... thats good point... 17:14 < drathir> O.o mandrake/mandriva that still alive ? 17:14 < drathir> linux distro if good remember... 17:15 < andrewSC> https://gist.github.com/andrewSC/20bd6c3874239360dd4c8974dd7074c2 17:15 < andrewSC> well know i don't know what to think.. 17:15 < andrewSC> s/know/now/ 17:15 < andrewSC> hmmmm 17:16 < drathir> andrewSC: not bad.. 17:16 < andrewSC> yeah it seems to be something other than just the network at this point... 17:17 < drathir> andrewSC: probably m$ upgrades ^^ 17:17 < andrewSC> lmao if i was running m$ quite possibly!! 17:17 < drathir> andrewSC: it even kills fiber lines ;p 17:18 < andrewSC> amusing 17:18 < drathir> andrewSC: hmmm than multicast ? 
17:18 < Mandrake> drathir yep im still alive and well 17:18 < drathir> Mandrake: ^^ os mean, but good to hear... 17:20 < andrewSC> oh you know what it might be? 17:20 < andrewSC> ssh... 17:22 < djph> ? 17:22 < andrewSC> ughhh okay i'm like 99% sure this is the issue.. I'll need to setup something else for faster speeds then 17:22 < drathir> andrewSC: hmmm... that only with ss -X i guess... 17:22 < Mandrake> drathir after all those years, 17:23 < drathir> ss/ssh* 17:23 < andrewSC> djph: i was using rsync to transfer the file and i only have ssh setup on the remote so... 17:24 < drathir> andrewSC: rsyncould take whole line thats possible... 17:26 < sammyg> is this channel same as #networking? 17:26 < sammyg> or are they different? 17:31 < qman> sammyg: channels with one # are usually for "official" channels on something, while channels with ## are more generally about the topic and a little more laid back - this used to be in the freenode policy but it's not in the current version, so who knows if that's still the convention, but should give you an idea of the reasoning 17:32 < sammyg> ok qman 17:33 < sammyg> it's a bit strange that it's the same name of the channel, just different number of hash pounds 17:33 < sammyg> sometimes i have seen that one is used as alias for the other, that's why i ask 17:34 < qman> well, while I don't know about #networking, an example of one that's a bit different is #linux vs ##linux - #linux is not a real channel, it's a catch for spam bots, and ##linux is the real linux support channel 17:34 < SporkWitch> qman: still in there https://freenode.net/kb/answer/namespaces 17:35 < qman> ah, the page I got to had a broken link to the policies page, and the policies page doesn't appear to mention the names at all anymore 17:36 < EmberCrest> anyone in here use Spectrum/Time Warner Cable business class? 
17:36 < EmberCrest> for their uplink 17:36 < SporkWitch> EmberCrest: Don't ask to ask 17:37 < djph> thank god no 17:37 < ||cw> sammyg: # means it's and offcial channel for a project, ## means it's an unofficial community channel. freenode's website covers the specific differences 17:37 < qman> I have charter/spectrum, unfortunately 17:38 < EmberCrest> qman: personal or business net? 17:38 < qman> business 17:38 < EmberCrest> Do they not "support" port forwarding? 17:38 < zenix_2k2> is there anyhow i can scan all of the existing hosts in my current LAN ??? 17:38 < ||cw> I guess I should scroll back more... 17:38 < qman> what? 17:39 < ||cw> zenix_2k2: nmap can do that. 17:39 < EmberCrest> I port forwarded 3389 to the proper IP on my LAN 17:39 < SporkWitch> EmberCrest: if you're using their hardware, you're wrong. don't use their router 17:39 < EmberCrest> and I can't use our static IP to connect to RDP 17:39 < EmberCrest> SporkWitch: the problem is that it's a 2-in-1 17:39 < EmberCrest> Modem and Router 17:39 < qman> ok, first, don't port forward 3389, and second, no, they don't block any ports if you have a static IP 17:39 < zenix_2k2> ||cw: this command you mean --> nmap -sP 192.168.2.1/24 ? 17:39 < SporkWitch> EmberCrest: i assumed as much; go to best buy witht he company credit card and buy a DOCSIS3.0 modem for 50 bucks or less 17:40 < zenix_2k2> i have tried but it doesn't seem right 17:40 < djph> zenix_2k2: nmap? 17:40 < Kingsy> does anyone in here know anything about docker? 17:40 < ||cw> EmberCrest: they do, but the last time I used the cable side they want you to ask them to set each one. you can also ask to have their router in passthru mode and send everything to your own router. 17:40 < SporkWitch> kingsy: don't ask to ask 17:40 < EmberCrest> Ok thanks, all good tips 17:40 < ||cw> zenix_2k2: maybe? what's the man page say 17:40 < Kingsy> heh rephrase. 
17:40 < EmberCrest> ||cw: following up on that, I can actually set the 2-in-1 to a "Bridged" connection 17:40 < zenix_2k2> the man page says a lot, too much actually 17:40 < EmberCrest> But that means all devices on the WiFi network suddenly get assigned a WAN IP 17:41 < zenix_2k2> djph: yes 17:41 < qman> you want to use bridged mode with your own router instead, if possible 17:41 < djph> EmberCrest: which is why you set their crapass device into bridge mode, and then use a proper router, and APs. 17:41 < ||cw> EmberCrest: that's I did. that way I could have a lan to lan vpn easily well 17:41 < SporkWitch> djph: the ones they issue now don't fully disable themselves even in bridge mode >_< 17:41 < ||cw> EmberCrest: no you use your own wifi, not theirs 17:41 < djph> SporkWitch: bastards! 17:42 < SporkWitch> djph: if it's one of their "technicolor" brand devices, it's literally the absolute worst piece of networking gear i've ever encountered 17:42 < Kingsy> does anyone in here know how to connect to the host machine from within a docker container, so in my example .. telnet localhost 9000 on my machine works perfect, if I exec into my docker container and run telnet 172.17.0.1 9000 it just says Trying 172.17.0.1... and never connects. The aim is to be able to connect to a port on the host 17:42 < EmberCrest> qman: what about bridged connection on the modem, plug my RDP box into that, then hook up a router for everyone else 17:42 < qman> no, definitely not 17:42 < ||cw> EmberCrest: use their 2n1 as a modem only, don't use its wifi or LAN ports, except for your router 17:42 < djph> SporkWitch: I would agree 17:42 < qman> RDP should not be presented to the internet unprotected 17:42 < EmberCrest> qman: how do I protect RDP? 17:42 < djph> qman: s/unprotected// 17:42 < EmberCrest> that's how I have it at home 17:42 < SporkWitch> EmberCrest: i STRONGLY recommend against keeping their all-in-one device in the network. 
Go to best buy, buy a DOCSIS3.0 modem, return the Spectrum one, and give them your modem's MAC 17:43 < qman> you should be using a VPN or an RDS gateway over HTTPS, ideally 17:43 < qman> at a bare minimum you should have a pretty decent firewall in front of it 17:43 < qman> SporkWitch: Charter/Spectrum does not allow you to BYUOD 17:43 < qman> BYOD* 17:43 < qman> you have to use their device, no options 17:43 < SporkWitch> qman: charter might not have, spectrum does 17:43 < qman> no, they don't 17:43 < SporkWitch> qman: if they're saying otherwise, the rep is full of shit 17:43 < qman> I have their service, they do not allow you 17:44 < zenix_2k2> ok so this command does the thing --> nmap -sP
, so the thing i am wondering is is "
" the gateway's address ? 17:44 < SporkWitch> qman: well then call corporate, because spectrum here does allow you to use compatible devices and doees not ILLEGALLY force you to use their rental device 17:45 < qman> there's no fee for the device, it's included 17:45 < SporkWitch> qman: call corporate 17:45 < Andrew_0010bit> voidstar, were you being a jerk? 17:46 < djph> only company that forces you to use their kit around here is ATT 17:46 < voidstar> Andrew_0010bit, underhandedly 17:46 < djph> stupid uverse :( 17:46 < Andrew_0010bit> Very good, voidstar. Let the hate flow through you... 17:46 < ||cw> qman: when did this policy change? I mean, there's no reason not to use their free modem, but I've used my own modem with charter in the past, and I've always used my own router 17:46 < SporkWitch> qman: here, i did your googling for you https://www.spectrum.net/support/internet/compliant-modems-charter-network/ 17:47 < kottt> lmgtfy is one of the most infuriating things... but then, i generally dont ask questions until i've googled thoroughly and found nothing... 17:47 < ||cw> at home I have their modem and my router 17:47 < kottt> (or can't work out what terms i need to be googling to get a useful result) 17:48 < qman> SporkWitch: must be a recent policy change, I've looked it up before 17:48 < EmberCrest> SporkWitch: just saying, it's not unusual to get a rep who doesn't know the difference between a router and a modem 17:48 < qman> SporkWitch: they had precisely two modems that they offered, and you could not BYOD 17:48 < EmberCrest> but that article checks out 17:49 < ||cw> kottt: I usually say "I've searched for `x`" to cut that off at the pass. I'd rather get better search term suggestions than blind links anyway 17:49 < SporkWitch> qman: that's been spectrum policy since the merger; can't speak to charter, but it was also the policy under TWC 17:49 < Andrew_0010bit> kottt, I agree. 
There's times, though, where I'll think out loud and then someone hits me with that and I start cussing. 17:49 < ||cw> qman: recent? no, 20 years. 17:49 < SporkWitch> EmberCrest: i know, and i said as much: if they told him that, the rep was full of it 17:49 < voidstar> qman, I just installed my own ARRIS SB6183 and it's working very well 17:50 < voidstar> sales people don't know what they're talking about, just use technical jargon till they transfer you to the technical department to sort you out 17:50 < qman> I used to have my own before we switched to business class 17:50 < qman> it was charter at the time when we switched 17:50 < EmberCrest> I had a net engineer come out yesterday and he said two surprising things: 1. I re-strung the line coming into the building so your bandwidth should be twice what it was 17:50 < qman> but their technical support folks are equally useless 17:51 < EmberCrest> 2. Oh yeah, Spectrum doesn't support port forwarding, I remember that from the seminar 17:51 < SporkWitch> they don't need to support it, you do it on your edge router 17:51 < kottt> so when i got a modem for my TWC connection i made sure to get one of the ones on their list of specifically allowed 3rd party modems. 
Was the only real requirement that the modem should be DOCSIS3.0 compliant, or is there some other factor that TWC might have been considering 17:51 < djph> that they have a config file for it 17:51 < voidstar> ^ 17:51 < kottt> aha 17:51 < SporkWitch> kottt: the only real requirement is DOCSIS3.0; the list is just those devices they've tested themselves and guarantee a degree of service on 17:52 < kottt> <_< 17:52 < kottt> conflicting information :Z 17:52 < SporkWitch> kottt: they do not guarantee that anything else will work, though it SHOULD 17:52 < kottt> makes sense 17:52 < SporkWitch> kottt: it's the difference between "not supported" and "incompatible" 17:52 < kottt> anyway, motorola sb6121 has been working fine for years, and i got it used from ebay 17:52 < ||cw> EmberCrest: the techs are not always the most experienced on the internet side. 17:53 < qman> the modems they give us aren't even on that list 17:53 < qman> I've had a Ubee and two different SMCs 17:53 < kottt> uuuugh the ubee 2-in-1... 17:53 < Kingsy> does anyone in here know how to connect to the host machine from within a docker container, so in my example .. telnet localhost 9000 on my machine works perfect, if I exec into my docker container and run telnet 172.17.0.1 9000 it just says Trying 172.17.0.1... and never connects. The aim is to be able to connect to a port on the host 17:54 < voidstar> spectrum tried to give me a modem/cable box in one and I wasn't having it 17:54 < qman> Kingsy: is the host listening on that address? 17:54 < EmberCrest> voidstar: cable box and modem in one?? 
17:54 < voidstar> https://www.timewarnercable.com/content/dam/residential/images/support/faqs/TV/digital-cable/technicolor/spectrum101-201userguide.pdf 17:55 < Kingsy> qman: netstat says yeah --> tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN 25314/./debugclient 17:55 < voidstar> err https://www.timewarnercable.com/content/dam/residential/images/support/faqs/TV/digital-cable/humax/Humax%20DS_Spectrum101-H_nDVR%20HD_16-1005.pdf sorry 17:55 < qman> Kingsy: and there's no firewall rules blocking the connection? 17:55 < Kingsy> qman: this is the part I am unsure of 17:55 < voidstar> net speeds dependent on who is watching tv. nope nope nope 17:56 < qman> Kingsy: iptables -nvL 17:56 < Kingsy> second 17:57 < Kingsy> qman: http://paste.ubuntu.com/p/DWwSx5q3BG/ <-- woah, alot opf stuff 17:57 < qman> Kingsy: ok, you have UFW, which is going to be a problem 17:57 < Kingsy> a UFW ? 17:57 < qman> Kingsy: and you have an input drop policy, so unless you've explicity created an exception, it won't be allowed 17:58 < Kingsy> oh... 17:58 < Kingsy> so the problem is the firewall 17:58 < detha> eeeeeew. ufw plus the shit docker generates. Can not unsee 17:58 < Kingsy> hahah 17:59 < Kingsy> qman: what is the easiest way of allowing this? 18:00 < voidstar> ufw allow / 18:01 < Kingsy> what is ? 18:01 < voidstar> tcp/udp/icmp/etc 18:01 < voidstar> man ufw #for more info 18:02 < Kingsy> voidstar: oh wow, well how do I know what protocol to use? heh, all I know is the service behind it is xdebug. 18:03 < detha> qman: netstat says yeah --> tcp .... 18:03 < detha> so I guess it is tcp 18:03 < Kingsy> oh ok!! 18:03 < voidstar> ^ 18:03 < Kingsy> I honestly cant imagine this working. 18:03 < Kingsy> hah been trying to get this working for a week 18:05 < Kingsy> OH MY GOD. 18:05 < Kingsy> it worked.. 18:05 < Johnjay> Kingsy: what? 18:05 < Kingsy> its fixed my problem! 18:05 < Kingsy> thankyou so so much qman voidstar detha 18:05 < Johnjay> what's the problem? 
18:05 < Kingsy> honestly, I have been on tht for a bloody week man 18:06 < Kingsy> Johnjay: I was trying to connect to my host machine from within a docker container on a port using telnet 18:06 < Kingsy> it was timing out and I couldnt figurte out way 18:06 < Kingsy> why* 18:06 < detha> Kingsy: the lesson from this: "It's the firewall. It's always the firewall" 18:06 < Johnjay> so you have a virtual machine on a host and you want to telnet between them? 18:06 < Johnjay> and this took a week to defeat? 18:07 < Kingsy> detha: what is the best way of my figuring out how to read these iptable rules myself so I could debug this without asking you guys. 18:07 < drathir> Kingsy: lol better provide container ip unless You wanna open widely access.. 18:07 < qman> when you need to troubleshoot connectivity, it's a step by step process - can I route there? is it listening? is a firewall in the way? 18:07 < Kingsy> Johnjay: well yes and no, the problem was actually much more complex and it took a few days of drilling down to actually find the cause, which was this, and even then I was unsure it was my docker setup or not. 18:07 < Johnjay> i feel like something is missing here. is firewall iptable rules something you have no experience with? 18:08 <@pppingme> Kingsy very literally, read them in order, following jumps' 18:08 < drathir> detha: unless isnt systemd than fw ^^ 18:08 < Kingsy> Johnjay: yeah none really, I am not even sure how to make sense of the rules by reading them. 18:08 < detha> Kingsy: start with a simple tutorial explaining how iptables works and how to set up a firewall, 18:08 < detha> Once you understand the basics, you can start deciphering the soup that various tools generate 18:08 < Johnjay> i think more interesting than the solution to your problem is HOW you arrived at it as qman implied. 18:10 < Kingsy> drathir: do you mean remove the rule I just added and use an ip? is it possible to use an interface instead of the an IP? 
the IP is dynamic afaik 18:10 < detha> But to be honest, trying to decihper tool-generated rulesets is at the same level as trying to debug a C++ program by looking at the assembly the compiler generates 18:11 < voidstar> Kingsy, http://manpages.ubuntu.com/manpages/xenial/man8/ufw.8.html 18:11 < Kingsy> thanks 18:11 < zenix_2k2> hello ? 18:12 < voidstar> man is your friend and will have all the answers quicker than we will 18:12 < Kingsy> yeah its not friendly, so you guys knew because you could see ufw that it mean I had to specifically allow access or it was denied? 18:12 < Johnjay> i should note that voidstar's statement is not endorsed by the community and is basically completely false 18:12 < Kingsy> voidstar: np :) 18:12 < Johnjay> s/man/stackoverflow// 18:13 < voidstar> idk, man has always done me right 18:13 < voidstar> when my obscure issue is not on stackoverflow/random forums that come up on google 18:15 < Johnjay> they're useful for different things 18:15 < detha> stack overflow leads to copy/paste. 'man' leads to understanding. If one just wants it fixed quickly without understanding the why, use stack overflow 18:16 < drathir> Kingsy: not sure if ufw allow device... 18:16 < Johnjay> man is if you need to know either the basics of the command or some obscure option or subtlety 18:16 < drathir> Kingsy: but should allow pool... 18:16 < Johnjay> for everything in between there's stackoverflow 18:16 < Kingsy> I'll have a look see. 18:16 < Kingsy> anyway thanks so much people. really appreciate the time. 18:17 < drathir> Kingsy: yea fw is all time learning... 18:19 < Johnjay> i mean idk. without stackoverflow linux would be completely opaque to me 18:19 < be2pal> TandyUK: , djph Thank you very much for all your support. I have gained confidence to start again to crimp till I get it working :) 18:20 < Johnjay> i'm usually constantly asking the question "how do I do X? how do I fix Y?". and people on irc don't always know the answer. 
18:24 < drathir> Johnjay: bc some questions are not so obvious...
18:24 < voidstar> something something right tool for the job
18:26 < djph> be2pal: along with that "confidence", did you pick up a cable tester?
18:27 < Johnjay> drathir: i'm still asking in #raspberrypi how to diagnose the fact that my x server keeps randomly restarting
18:28 < ||cw> Johnjay: nothing in the logs?
18:29 < Johnjay> not as far as i could tell.
18:29 < Johnjay> which might mean it's the driver or something else entirely
18:29 < Johnjay> i guess maybe the issue is the people who do know are on the raspberry pi forums and have "Engineer" under their forum name. Xd
18:33 < qman> Johnjay: any hardware problem will present some sort of indication in dmesg
18:33 < Johnjay> ok. i did look at dmesg but didn't understand the output very clearly
18:34 < drathir> Johnjay: dmesg/xorg and try alarm...
18:35 < Johnjay> cool thanks
18:37 < drathir> Johnjay: depend on configuration of xorg logs are in /var/log/ or ~/
18:38 < drac_boy> hi
18:40 < drac_boy> just wondering if no one minds but what's the feature name you need if you wanted two ethernet lines between identical switch/router (whichever osi layer is needed anyhow) for routing failover purpose? like I mean it's not bonded 2gb but just two separate 1gb
18:41 < qman> bonding is what you want in that situation, but the other option is bridging together and using STP or similar to prevent loops
18:41 < qman> however, in this hardware configuration, bridging provides no advantages over bonding, so you should bond
18:42 < qman> with LACP
18:45 < drac_boy> qman ah so it's called lacp, is that a router thing or switches could do it too?
18:46 < qman> https://en.wikipedia.org/wiki/Link_aggregation
18:46 <@pppingme> Its more of a switch thing that most routers can do
18:47 <@pppingme> its an L2 thing... switches=L2, routers=L3
18:47 < drac_boy> many ty
18:47 < shtrb|laptop> Any idea what other than dhcp host attribute could cause an ISP choose a profile ? when I boot to linux I get a preferable routing but if I boot to win10 I get a different (worse) routing ?
18:48 < shtrb|laptop> connected over pppoe
18:48 < djph> win10 is bad at routing
18:48 < djph> ?
18:48 < shtrb|laptop> the ISP is the bad one (I get a very strange route inside ISP machines)
18:48 < drac_boy> djph as long as we don't get into a packet flamewar over how much is wrong with win10 tho :)
18:48 <@pppingme> shtrb|laptop the pc is doing pppoe to your isp, or its going through a router thats doing pppoe?
18:48 < shtrb|laptop> but win10 is the worse
18:49 < shtrb|laptop> pppingme -> laptop ethernet cable to a modem (hence pppoe) --> aDSL cable
18:49 < djph> drac_boy: I'd start a packet flamewar about how bad W10 is ... but the guys on W10 would never see it.
18:50 < shtrb|laptop> I just wish to setup win10 to act (work ) as if it was a linux machine
18:50 < djph> stick it behind a linux router?
18:50 < shtrb|laptop> but can't get what could cause a different behavior
18:50 < shtrb|laptop> djph, possible , but I wish to understand what make the change (I wish to learn )
18:51 < djph> shtrb|laptop: could be your ISP, stupidity in Windows itself, or any number of other things
18:51 < shtrb|laptop> *already got a pi to act as a hostapd + pppoe (need to set it up)
18:51 < ||cw> shtrb|laptop: you'd need to ask your provider.
18:51 < shtrb|laptop> I don't think windows can interfere with ISP routes
18:51 < sammyg> do internet providers block port 3389 for remote desktop?
18:51 < qman> if you're not behind a NAT gateway, the ISP may be detecting that you are running Windows and putting you through a different system
18:51 <@pppingme> you sure you don't have some vpn crap on the win10 machine?
18:52 < shtrb|laptop> qman, that sound like it
18:52 < djph> shtrb|laptop: no, but it can send a different ppp login string, and the ISP sticks you somewhere else.
18:52 <@pppingme> sammyg I've heard of them doing it, but its not super common
18:52 < shtrb|laptop> djph, wow interesting thanks (maybe win10 dialer is crazy )
18:52 <@pppingme> shtrb|laptop you really shouldn'
18:52 < qman> connecting a windows PC directly to the internet is seldom a good idea, so they might have a system to filter out common problems
18:53 < sammyg> pppingme, in which case i should be able to just change the port to something else and connect?
18:53 <@pppingme> shtrb|laptop you really shouldn't be hooking a win10 machine direct to internet anyway
18:53 < shtrb|laptop> yes I know
18:53 < sammyg> i have remote desktop working between 2 pcs locally, but i can't connect to the host pc from outside, even though i have port forwarding set up
18:54 < shtrb|laptop> sammyg, some ISP block p/fw
18:54 < qman> also, opening 3389 directly to the internet is a bad idea
18:54 < shtrb|laptop> sammyg, but before that check it is not dropping incoming traffic
18:55 < shtrb|laptop> sammyg, win has several "domains" for the firewall (private/public/domain) and you also have the network crap that blocks everything
18:56 < SporkWitch> shtrb|laptop: how would an ISP block port forwarding? O.o INPUT DROP rules on known ports? O.o
18:56 < redrabbit> idk if its really worse than using a weak sieve router
18:56 <@pppingme> sammyg in general, you're better to do a vpn, and expose nothing to the 'net
18:56 < shtrb|laptop> s/crap that blocks everything/homegroup
18:56 < sammyg> shtrb|laptop, you mean file sharing or?
18:56 < sammyg> is it not enough to enable remote desktop?
18:56 < shtrb|laptop> SporkWitch, easy the fuckers block everything unless you request to open a specific port and an application for incoming
18:57 < qman> many ISPs, particularly on residential connections, filter incoming traffic on certain common ports, such as 23, 25, 80, 443, 445, and 3389
18:57 < qman> this is for your protection as well as theirs, since most people using said residential connections do not know how to use these ports in a secure manner
18:57 < sammyg> pppingme, yes i know, i was just curious to see if it actually works, but in today's world it may be much more dangerous than in the past when only 50 people in the city had internet connection, lol
18:57 < shtrb|laptop> SporkWitch, I was a customer of one that had a whitelist for protocol and port (in/out) https was for white listed sites only and google was blocked )
18:58 < SporkWitch> yeeesh, that's terrible even by US standards
18:58 < shtrb|laptop> SporkWitch, it has its own benefits (it make the ISP make more money )
18:58 < djph> SporkWitch: that's not even US standards ...
18:59 < sammyg> wooot... google was blocked?
18:59 < shtrb|laptop> djph, any ISP that uses netspark expected to work like that or fortinet whitelist domains
19:00 < shtrb|laptop> sammyg, (https) until you install their CA
19:00 < djph> there'd be a riot here if an ISP tried MITM'ing ssl
19:00 < sammyg> i had a situation a couple of years ago where i was unable to configure email client with pop3 i think, think it was port 25
19:00 < sammyg> i had to use i think 2525 instead
19:00 < sammyg> anyone had that situation? 2525 as alt port for 25?
19:00 < djph> nope
19:01 < shtrb|laptop> djph, you don't have to be their customer
19:01 < drac_boy> well imap/pop3 on alternative ports isn't too unusual although it's generally rare to happen nevertheless
19:01 < djph> I mean, I had to call my ISP to open 25, but that was about it.
19:01 < qman> 25 is smtp, and is blocked to prevent spam
19:01 < qman> pop3 uses 110 or 993
19:01 < djph> shtrb|laptop: er, my point being that if an ISP tried that, they'd quickly come under fire for those practices.
19:01 < SporkWitch> shouldn't be using pop3 anyway; what is this, 1990?
19:01 < qman> yeah, really
19:01 < drac_boy> qman well I know my current imap has its smtp on some 3-digit port .. provider's request as per their faq :)
19:02 < Johnjay> what's the use of the alarm utility exactly you were intending?
19:02 < drac_boy> sporkwitch pop3 still has its uses especially on remote systems away from home
19:02 < qman> 25 is for server to server SMTP, clients should use a mail submission port, which is usually 587
19:02 < djph> drac_boy: er, why not imap?
19:02 < SporkWitch> ^
19:02 < redrabbit> even my shitty isp doesn't do filtering. i never tried port 25 though
19:02 < SporkWitch> what qman said *glares at djph for messing up his arrow*
19:02 < drac_boy> djph do you know of any imap client that can only pull in new mails header-only and nothing else?
19:03 < djph> SporkWitch: *hugs*
19:03 < SporkWitch> drac_boy: all of them?
19:03 < shtrb|laptop> drac_boy, check kontact but why not just going full dIMAP ?
19:03 < SporkWitch> standard behaviour is to only pull headers; you don't grab body or attachments until you open it
19:03 < drac_boy> sporkwitch well it's clearly not in either alpine or thunderbird
19:03 < djph> drac_boy: mutt, tbird, I bet claws, or evolution ...
19:03 < drac_boy> easier to just use pop3 instead on the remote connections till I'm 'home' again
19:03 < shtrb|laptop> djph, you are not a kde user ha ?
19:04 < SporkWitch> drac_boy: check your settings again; there's no IMAP client i've ever heard of that can't do headers-only until you open it
19:04 < shtrb|laptop> drac_boy, dIMAP is nice (safer for you not to lose stuff)
19:04 < djph> shtrb|laptop: KDE is ... meh
19:04 < shtrb|laptop> drac_boy, what client are you using
19:04 < djph> drac_boy: https://support.mozilla.org/en-US/kb/imap-synchronization
19:04 < shtrb|laptop> djph, but Kontact/Kmail works on windows
19:05 < shtrb|laptop> also a gazillion of imap sync scripts
19:05 < drac_boy> sporkwitch actually no .. thunderbird's only setting to imap is to pull whole as soon as you ever want to sync .. you only can limit it to parent-only folders but not much else
19:05 < djph> shtrb|laptop: yeah, but then you're using "windows"
19:05 < drac_boy> (and that's on 3.* build .. not some old copy)
19:05 < djph> drac_boy: checkbox - "do not download larger than [] kb"
19:06 < sammyg> yeah i think my ISP blocked 25 because of spam, but the funny thing is when i called them up they never admitted and kept telling me to set up using port 25
19:06 < qman> set to 1kb, it won't download much if anything
19:06 < drac_boy> djph and how is that supposed to not block the brand new 10-word email? :)
19:06 < zenix_2k2> hello anyone
19:06 < zenix_2k2> ?
19:06 < SporkWitch> drac_boy: it's literally a checkbox in the settings for that server in thunderbird https://www.ghacks.net/2012/04/30/how-to-configure-thunderbird-to-fetch-headers-only/
19:06 < drac_boy> hi zenix?
19:07 < djph> drac_boy: I'd have to look, but I'm fairly certain even short messages are ...
19:07 < djph> *are a few kb
19:07 < sammyg> i don't recall where i got the number 2525 from, but i remember trying that as alt port and voila! it worked, but my ISP still kept telling me to use 25 and that they do not filter or block this port
19:08 < sammyg> now that i think about it... it may not have been my ISP directly... but their sub or rather super-contractor that blocked it
19:09 < djph> drac_boy: just tried a text-only mail Subj=Test; body=Test. 2.9KB
19:09 < sammyg> we have a utility net/infrastructure on which several ISPs can connect to, and as a customer i can pick whichever i want by just plugging a cable in, and it gets activated within minutes
19:10 < zenix_2k2> drac_boy: hey do you know about nmap ??? i need a little help here
19:12 < shtrb|laptop> sammyg, physical cable ? to N different sockets
19:14 < sammyg> yeah when i moved in here i just plugged a cat5e cable into my computer and the other end into a network socket on the wall
19:14 < Apachez> ping?
19:14 < sammyg> i got some local gateway ip from the basement i think, and when i opened a browser window i got this portal that displays all available ISPs on the net
19:15 < sammyg> you just pick one, select service, add your details in, and within about 5 minutes you are online
19:16 < sammyg> the ISP then sends you the welcome letter and maybe some package if you ordered a router or telephony
19:16 < shtrb|laptop> oh I remember such services in the 90s
19:17 < sammyg> heh i remember the AOL CDs for "getting online"
19:17 < sammyg> maybe you're thinking of those? :)
19:18 < shtrb|laptop> good memories - https://www.youtube.com/watch?v=gsNaR6FRuO0 :D
19:18 < shtrb|laptop> I don't remember
19:20 < sammyg> oh yeah, i had a few friends who had dial up
19:20 < sammyg> i didn't get connected until the turn of year 2000
19:20 < sammyg> my first internet connection at the time was 10 mbps
19:21 < sammyg> i had many friends back then... wonder why :P
19:22 < sammyg> unlimited data o/c, not capped crap like today
19:23 < sammyg> regarding the 25 port, here is something on that: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#Ports
19:23 < sammyg> Port 2525 and others may be used by some individual providers, but have never been officially supported.
19:23 < sammyg> also here: https://luxsci.com/blog/alternate-smtp-ports-save-the-day-when-you-are-on-the-go.html
19:23 < sammyg> Nonstandard port open on most firewalls. Supports insecure SMTP and SMTP over TLS
19:25 < phd> shtrb|laptop: oh, that was some US Robotics
20:07 < Demos[m]> any nfs wizards here
20:08 <@pppingme> you're best to just ask your question
20:08 < Demos[m]> is there a way to get an nfsv4 pseudofilesystem root that will only show subexports? or do I just use bind mounts
20:08 < Demos[m]> also if the root is exported ro, is there a way to then export the children as rw?
20:15 < tpanarch1st> is there a term for finding out whether a virtual machine can run another virtual machine on it please?
20:16 < tds> tpanarch1st: nested virtualisation
20:16 < tpanarch1st> or, alternatively, i'm interested in other potential ways round what i'm looking to do - I run Proxmox and ISPConfig on it as a virtual machine, I have a couple of pieces of software that seem to need to run on a machine as opposed to a website
20:17 < tpanarch1st> I need the software's web interface to be accessible on a subdomain of an existing website managed by ispconfig
20:18 < tds> Demos[m]: I just remembered that you were asking about open source SAML IDPs the other day, did you ever find anything decent?
20:18 < tpanarch1st> so i'm presented with instructions like this https://www.casebox.org/dev/install/
20:19 < kuahara> Thinking about taking a sonicwall nsa 220 wireless home and using it as an IPSec/L2TP vpn server, but not as a primary gateway. Just take my surfboard and forward VPN to the gateway. Will turn off DHCP. It reaches EOL in 2 years and I have no plan to renew services after they expire in 6 weeks.
20:19 < tds> tpanarch1st: I'd probably just create a separate VM on the proxmox host for each thing
20:19 < kuahara> Any immediate concerns come to mind?
20:19 < tpanarch1st> tds: sure, but then i only have one public ip
20:19 < tds> you can run some kind of internal network between VMs and then use the existing web server as a reverse proxy if you're short on v4
20:19 < tpanarch1st> so i suspect, i'm a bit limited there
20:19 < kuahara> in other words, any reason it'd fail to serve its purpose as a VPN endpoint just sitting inside the network like that.
20:21 < ||cw> tpanarch1st: host only network is the term.
20:21 < djph> kuahara: it's a sonicfail
20:22 < tpanarch1st> ah what does a host only network mean in essence please ||cw
20:23 < ||cw> tpanarch1st: it's a virtual network that only exists on the host. the VMs you add to it can talk to each other just like a real lan, and your "main" vm can have 2 vnics, one in host only, one on the bridged lan, and act as a router/proxy for the host only lan
20:24 < tpanarch1st> ahhh thanks both of you, at least I know what i'm asking for! :)
20:24 < tds> ^ for proxmox you just want to create a second bridge interface on the host (with no physical interfaces as members), then give your VMs NICs attached to that
20:27 < kuahara> I've had a pretty good experience with sonicwall over the years.
20:28 < SporkWitch> ....
20:28 < tpanarch1st> tds: so, with that setup -> one public ip coming in, dns managed outside and port 80 and 443 and 52 pointed to ispconfig on 192.168.1.110 == ispconfig box
20:28 < tpanarch1st> pointed == port forwarded
20:29 < tpanarch1st> does that fit?
20:33 < tpanarch1st> also, when you both use the term "host", are we talking about proxmox or ispconfig box
20:33 < tpanarch1st> or the third box
20:33 < ||cw> host is always the real hardware
20:33 < tpanarch1st> aha!
20:34 < tpanarch1st> tds: will this proposed setup work with one public ip where everything necessary is port forwarded to ispconfig box?
20:34 < tpanarch1st> i believe the term is "behind NAT"
20:34 < ||cw> ispconfig is in a vm right?
20:34 < tpanarch1st> certainly is :)
20:35 < ||cw> it would just need to port forward or reverse proxy as well
20:35 < tpanarch1st> is it not re-inventing the wheel somewhat not to use ispconfig's provision for vhosts?
20:36 < tpanarch1st> so ||cw when you say it, you mean the ispconfig box?
20:36 < ||cw> yes
20:37 < ||cw> I'm not that familiar with ispconfig. vhost is kind of ambiguous.
20:37 < ||cw> I'd guess it could mean containers or VMs. containers you can run in a vm without much issue. VMs not so much. even when you can, there tend to be limitations.
20:52 < WishBoy> USA no neutrality today?
20:55 < sammyg> when you set up android device as wifi ap, are all the ports open on it? inbound? outbound?
20:56 < Apachez> I guess so
20:58 <@pppingme> sammyg you mean like a phone that does 4g and you're doing a hotspot?
20:58 < djph> sammyg: don't forget that it's quite likely CGNAT'd by Verizon (etc.)
20:58 < sammyg> pppingme, yes
20:59 <@pppingme> outbound traffic is typically unencumbered, inbound though, as djph just stated, its typically nat'd at the carrier..
20:59 <@pppingme> so no inbound
21:01 < sammyg> so i can't run a server on my laptop connected to my phone's wifi and have some pc connect to it?
21:01 < tpanarch1st> oooh ok ||cw
21:02 <@pppingme> if the pc is on the same network possibly, if its "outside" most likely not
21:02 < sammyg> ok so if they are both on the phone's wifi then it should work, but it can't connect from the outside
21:02 < tpanarch1st> ||cw the terms of my access to the ispconfig is that I don't publicly re-produce the ispconfig manual that i've bought but i'm allowed to re-produce it for personal use, would you mind if I PM you the relevant paragraph please?
21:03 < tpanarch1st> terms of access to the ispconfig manual*
21:03 <@pppingme> sammyg a lot of hotspots do AP Isolation (wifi clients can't talk to each other, even though they are on same network), no promises there..
21:04 < sammyg> ok, so they are not truly like your wifi AP at home
21:05 < sammyg> you can't build a LAN with that
21:05 < sammyg> WLAN
21:05 < sammyg> pppingme, what about the other way around? my laptop connecting to some server on the outside? this should not be blocked by my phone or by my carrier right?
21:05 <@pppingme> typically not
21:06 <@pppingme> besides the normal paranoia ports that isp's like to block (25, all the smb stuff, etc)
21:06 < sammyg> right
21:07 < sammyg> what about RDP port 3389? would that be blocked by my carrier?
21:07 < sammyg> im still working on that, and it's not working, but i am using my phone as AP to my laptop
21:08 <@pppingme> hard to say without testing, It didn't use to be a paranoia port, but seems like more and more it is..
21:08 < sammyg> i am thinking about giving this up and maybe trying to set up vpn instead
21:08 <@pppingme> where is rdp server, rdp client, in relation to the phone?
21:08 < redrabbit> thats how i did it sammyg
21:09 < redrabbit> works over cellular data and everything
21:09 < sammyg> yeah and for that reason i have now changed the RDP port on the server to something other than 3389 and i had to open the port even for LAN RDP connections
21:10 < redrabbit> home > vpn < client
21:10 < djph> why on god's green earth would you ever expose RDP to the internet?
21:11 < redrabbit> the vpn runs on a vps
21:12 < sammyg> pppingme, rdp server @ home > home router > internet > phone > laptop > rdp client
21:13 < sammyg> djph, for fun? :p
21:13 <@pppingme> you need to vpn it..
21:13 <@pppingme> not expose rdp
21:13 < redrabbit> indeed
21:14 < ||cw> tpanarch1st: I'm not sure that would help
21:14 < tpanarch1st> ah, it's just that it actually explains the developer's intention
21:14 < tpanarch1st> of what it should do :)
21:14 < tpanarch1st> ||cw:
21:14 < sammyg> so i setup vpn server on my computer and vpn client on my laptop? any software package you would recommend?
21:15 < sammyg> so i would not need to port forward if using vpn?
21:16 < djph> openvpn, port 1194 UDP
21:18 <@pppingme> a properly setup vpn would put you on the same routed network..
21:18 <@pppingme> ideally, the vpn server should be on your routing device, if its possible
21:18 < redrabbit> or 443 tcp
21:18 < Project86__> Rip to net neutrality
21:19 <@pppingme> Project86__ glad its gone, it was a liberal hack so the government could exert more control over the internet while giving absolutely no consumer protections
21:20 < kottt> https://twitter.com/fightfortheftr/status/986993528503971841
21:21 < Project86__> pppingme: I'm glad too. Of course now must internet customers will get their speeds reduced unless they pay more.
21:21 < Project86__> *most
21:21 <@pppingme> thats not true..
21:21 < kottt> the title II classification was dumb bullshit but as i understand there isn't really anything else there to prevent ISPs from doing whatever they want
21:21 <@pppingme> in fact, most cable based isp's have INCREASED speeds since it was dropped
21:21 < Project86__> It allows companies to reduce or increase speeds though.
21:21 < kottt> ok, but literally nothing has officially changed since the vote happened
21:21 < superkuh> Increased download speed, decreased data transfer, decreased ports, decreased actual ipv4 IPs.
21:22 < Project86__> Well I'm glad they sped it up instead
21:22 < superkuh> Upload the same or less.
21:22 < kottt> they are working under the same restrictions yesterday as they were a year ago
21:22 < Project86__> Oh ok
21:22 < superkuh> ISP do want it to be more like TV, yes.
21:22 <@pppingme> Project86__ you need to ignore all the liberal hype about it and understand what it really means, hint: its not what the media was telling you
21:22 < superkuh> So "download speed" increases.
21:22 < superkuh> But nothing important increases.
21:22 < kottt> so the 'speed increase since it was dropped' only shows that the Title II provision didnt actually affect their ability to improve their infra after all
21:23 <@pppingme> by classifying it, it only gave the government more control, it did nothing for the consumer
21:23 < Project86__> Media is always lying, you're right, I shouldn't listen to that lol
21:25 < kottt> liberal hype... augh
21:26 < kottt> this isnt a partisan issue -_-
21:26 <@pppingme> kottt it very much was.. look who supported it and who didn't.. big government people supported it, small government people didn't support it.. doesn't get much more partisan than that..
21:28 < kottt> it's hard to have a good discussion about NN, since everything is colored by the Title II repeal
21:28 < kottt> NN is overwhelmingly supported by people on both sides of the aisle
21:29 < kottt> the partisan divide is because of the WAY the FCC tried to implement and then repeal NN protections
21:29 <@pppingme> the true concept of it is, sure, but what was brought in, then repealed was not NN
21:29 < kottt> which, granted, was implemented fucking badly-
21:29 < kottt> but is also being repealed without a backup plan in place
21:30 < kottt> meaning that after the title II repeal goes through there will be nothing, and the fear is that the issue is going to just get forgotten about, and then the fight for NN will be lost altogether
21:30 <@pppingme> why does it need a backup plan? so we can hire more government cronies to watch it then charge more fees on our bill?
21:31 <@pppingme> The claims of the issues of NN have NEVER been true, anything that supports it is basing their argument on fear, not the reality of the market
21:31 <@pppingme> you want true NN, eliminate the government supported monopolies..
21:31 < kottt> i mean, i'd be content for an FCC chair who isn't literally in the pocket of the biggest telecomm carrier on the planet
21:31 < kottt> as for the monopolies... it makes perfect sense for telecomm to be a monopoly, just like it makes sense for sewage and roads to be
21:32 < kottt> except that telecomm providers are almost universally anti-consumerist bastards
21:32 < kottt> which is why regulation seems like the right call here
21:32 < kottt> IMO
21:32 <@pppingme> does it? In KC there actually is true competition (but only in some parts of town, thats another issue) and in those parts of town, they have the lowest prices/rates, the best customer service ratings, and the happiest customers..
21:33 < kottt> kansas city?
21:33 <@pppingme> yeah
21:33 < kottt> i'll look into that
21:33 <@pppingme> There are TWO actual cable carriers, not just one.. then there's Google Fiber and the normal telco offerings on top of that
21:33 <@pppingme> that means people have a choice from FOUR providers for tv/phone/net services
21:34 <@pppingme> and they are some of the happiest customers in the country
21:34 < kottt> that's awesome, who owns the fiber in KC?
21:34 <@pppingme> TWC now has SAME DAY repairs in most situations when they need to roll a truck
21:34 < kottt> do they all run their own cables to their customers?
21:34 <@pppingme> for now, google owns it
21:35 <@pppingme> yep, most poles have two cable lines, telco line, and google line
21:36 <@pppingme> and in business heavy areas, there's multiple telco options, fed by fiber, from multiple carriers
21:36 <@pppingme> at&t is all but out of business in KC
21:38 < kottt> it still kinda sounds like there's a monopoly on the fiber, in the sense that it's all owned by one organization.
21:39 < kottt> im curious how that actually works; google goes into a town and runs fiber, are they doing it at their own expense?
21:39 <@pppingme> google only owns whats theirs, there are other fiber options, not generally in residential areas, but in biz areas absolutely
21:39 < fnDross> seems simple, doesnt NN interfere with many services provided by companies ie Xbox, PS, where low latency is a must?
21:39 < fnDross> simple solution ban those isp's from those services in total
21:40 < fnDross> let their customers raise hell
21:40 <@pppingme> fnDross the idea is that a carrier can't "cripple" any traffic, they have no mandate to guarantee latency, oh, and by the way, carriers crippling traffic is not a wide spread issue.
21:40 < fnDross> need low lag for games
21:41 < fnDross> which hiders gameplay
21:41 < fnDross> hinders*
21:43 < fnDross> and freedom of information act doesnt apply anymore?
21:44 < Quatermass> freedom of greed always applies
21:45 <@pppingme> NN didn't change FOI
21:45 < ||cw> yet
21:45 < fnDross> so what happens to greed when we get to space and can grab TONS of resources like.... gold?
21:46 < Quatermass> if/when that happens then we'll fight over land on other planets
21:46 < djph> ^
21:46 < Quatermass> OT so..moving on
21:56 < fnDross> heh, semi OT... NN might tighten up so much that no one can talk on these anymore
21:57 < kottt> what, IRC?
21:57 < fnDross> unmonitored communications
21:57 < kottt> nah man there'll always be a way
21:58 < kottt> a few steps into the future is nationwide mesh network
22:13 < drathir> kottt: probably not heard about cjdns ^^
22:13 < Johnjay> nationwide subspace network like on star trek more like
22:16 < drathir> kottt: fiber even is developed by private probably need share min % to other providers...
22:17 < drathir> Johnjay: space network Musk creating already ^^
22:21 < Johnjay> anything that will let me download 5gb android studio from my crappy inet would be cool
22:26 < djph> Johnjay: http, ftp, torrent ...
22:28 < S_SubZero> go find not-crappy internet
22:29 < Johnjay> S_SubZero has the right of it
22:37 < djph> well, there's that too; but most protocols are able to cope with crap connections
22:40 < ||cw> Johnjay: http and ftp both have resumable options if the server is configured for it. many aren't these days. torrent is probably the best bet.
22:41 < grawity> or static files, it's available by default, and you have to go out of your way to break it
22:42 < grawity> it's only things like serving downloads via php that break resuming
22:42 <@pppingme> or haul your laptop up to the library or something
22:42 < Johnjay> ||cw: yeah i exploit that fact to download files with wget sometimes
22:42 < Johnjay> if i can get the URL from firefox's console that is
22:43 * djph always liked cliget
22:43 < Johnjay> djph: my connection is so crap that firefox and chrome both can't handle it
22:43 <@pppingme> make your isp fix it
22:43 < Johnjay> ||cw: one time i downloaded a *torrent* and it was corrupted
22:43 < Johnjay> i'm not even joking
22:43 < SporkWitch> could try going with an actual download manager, if those are still a thing
22:43 <@pppingme> thats not possible
22:43 < sammyg> if i setup vpn on my router, does all my traffic have to go through the vpn?
22:44 < Johnjay> pppingme: all i can tell you is what my lying eyes told me
22:44 < SporkWitch> sammyg: that would be normal, yes
22:44 <@pppingme> torrents check themselves, small parts at a time.. if it was corrupt, then the download didn't finish
22:44 < Johnjay> however when i forced a recheck it then put it back at 70% or something and redownloaded the bad chunks
22:44 < Johnjay> that could be it as well
22:44 < SporkWitch> sammyg: if the router is the vpn client, then the VPN is transparent to hosts on the LAN, it just passes all outbound traffic to the VPN
22:45 < Johnjay> also SporkWitch there were some great download managers on firefox, but they mostly got wiped away with the change to FF57 quantum
22:45 < Johnjay> the one i used was downloadthemall, i'm not sure if that guy ever got it remade for FF
22:45 < SporkWitch> yeah, i used that one for a while to grab embedded video :P
22:46 < Johnjay> now i sort of make do with downloadhelper which i can copy the link from and then give to wget
22:46 < SporkWitch> it's been ages since i had a sufficiently slow or flaky connection that a download manager was actually necessary, so i wasn't sure if they were still a thing
22:46 < Johnjay> because my connection is so bad that VideoDownloadHelper can't cope with it
22:47 < sammyg> SporkWitch, so for remoting into my pc at home i would need a vpn server?
22:48 < SporkWitch> sammyg: hosting a vpn server on the router would be one option; port forwarding is another. VPN server on the router would allow you to behave as if you're on the LAN yourself. port forwarding would only get you into the one host, though you could pivot from there into the rest
22:48 < tds> if the router runs linux, ssh tunnels can also work nicely
22:49 < SporkWitch> sammyg: another option, especially if you have a dynamic IP and don't want to bother with DDNS, is a remotely hosted VPN server you control. have the router connect to it as a client and when you're remote you connect to the server as a client, inter-client networking and you're back in that "same effective network" boat
22:49 < SporkWitch> i've done the latter in the past, remote VPN server and client on router and remote computer
22:51 < jakethedogyo> what's the protocol for posting long questions here? I don't wanna break any rules, but my full question with all details provided is two full message lengths
22:52 < sammyg> SporkWitch, i can get a static ip from the isp, so that should not be a problem
22:53 < SporkWitch> jakethedogyo: be precise and concise; provide as much information as you can and take advantage of the full size of the message limit. include: what your end goal is, what you're stuck on, what you've tried, and use pastebin sites for relevant logs / anything over three messages
22:53 < SporkWitch> jakethedogyo: see also this wonderful write-up: https://linuxmafia.com/faq/Essays/smart-questions.html
22:53 < sammyg> i don't think remote vpn server i control is an option... don't they cost a pretty penny?
22:53 < jakethedogyo> SporkWitch: thank you
22:54 < SporkWitch> sammyg: US$5/mo would be sufficient for your needs (good luck finding cheaper lol)
22:54 < SporkWitch> sammyg: no reason to do that if you can get a static IP or if you're fine using DDNS, though
22:55 < sammyg> so would one of the vpn services like vyprvpn or mullvad work?
22:55 < tds> SporkWitch: I route all my traffic via a VPN on a VPS cheaper than that (and with a bgp session with a full v6 table) ;)
22:56 < sammyg> tds, spill it out! what's it called? :)
22:56 < SporkWitch> sammyg: doubtful; most paid vpn services are explicitly for hiding your activity from your ISP, not connecting geographically separated networks
22:56 < SporkWitch> tds: i'm curious too; the cheapest i've ever seen for a VPS that wasn't very nearly a scam (i'm looking at you, cloudatcost lol) is 5/mo
22:57 < tds> ^ if you have a static unfirewalled v4 address though, might as well just host it from home
22:57 < redrabbit> sammyg: a vps is about 2.5/mo
22:57 < redrabbit> SporkWitch: vultr
22:58 < tds> that one isn't with vultr, but yeah, they do cheapo ones with bgp as well
22:58 < redrabbit> im at ovh.
22:59 < sammyg> so the idea here is you get a virtual private server and deploy your own virtual private network server on it?
22:59 < SporkWitch> i've heard mixed things about ovh
22:59 < SporkWitch> gonna have to keep an eye on vultr; 120/mo for a dedi and damned decent specs is impressive
22:59 < tds> ovh vpses are good value if you want a load of v4 addresses and don't care about only having a 100Mb link
23:00 < SporkWitch> the main complaints i've heard about ovh was sub-par support and unreliability
23:01 < sammyg> ok, so since i can get a static ip, let's assume i use the router as my vpn server, what would i need for the setup?
23:01 < SporkWitch> sammyg: openvpn client on the remote computer, and an hour or so to read documentation and get everything set up lol 23:02 < SporkWitch> probably much less, actually; i imagine 99% of it would be done automatically by the router 23:02 < sammyg> heh right 23:02 < sammyg> i see it asks for certificates and stuff like that, i know almost nothing about that 23:03 < tds> if you have a router running pfsense, you just keep clicking next through the wizard until you're done :) 23:03 < SporkWitch> sammyg: check your router's documentation; if it supports running a VPN server on it, it probably also supports generating those certs 23:03 < sammyg> it's a dd-wrt btw, but i will go do some research on that 23:05 < SporkWitch> not sure; haven't touched DD-WRT since i discovered the glory of stock asus firmware lol 23:06 < djph> SporkWitch: I haven't touched it since EdgeRouters 23:06 < Johnjay> i tried getting something working on my dd-wrt, but it depends on what size build you have of it 23:06 < Johnjay> the "micro" builds leave out a lot of features and i think if you want vpn it has to be specifically included in a build 23:06 < SporkWitch> wow... https://www.vultr.com/sla/ i'm going to be watching these guys VERY seriously... 23:06 * Johnjay still doesn't understand the difference between dd-wrt and openwrt 23:07 < drathir> SporkWitch: 23:05:53 up 102 days only bc kernel patching... about ovh is stable as rock but as i heared depend on dc... 23:07 < SporkWitch> drathir: yeah, like i said, i've heard MIXED things about ovh. some people praise them, others lament them for being unreliable and having poor support 23:07 < drathir> sammyg: not much the most important You need have open incoming port... 23:07 < SporkWitch> drathir: it's the main reason i've stuck with linode; the prices are reasonable and their support is excellent. 
they're even very understanding if bills line up in such a way that i'm a little late 23:08 < drathir> SporkWitch: linode isnt little expensive in compare or they get any refresh recently to offer? 23:09 < SporkWitch> drathir: their nodes start at 5 or 10 bucks, which put their starting price at or equal to digital ocean's pricing from last year and earlier, but offered about twice as much RAM for an otherwise identical VPS 23:09 < drathir> sammyg: aso take a look on lede... 23:10 < SporkWitch> s/equal/just above/ 23:10 < ||cw> Johnjay: it's kinda like the difference between redhat and debian 23:11 < ||cw> they are bothy linux based, but do pretty much everything very differently 23:11 < drathir> SporkWitch: thats good they adjusted, im remember times when they was much way back to do with prices and spec, but indeed no bad words about quality... nice they fixed plans in offer... 23:12 < SporkWitch> drathir: yeah, DO has FINALLY listened to the calls on their feedback site to update their prices and specs as well, to be competitive with linode 23:12 < SporkWitch> drathir: unfortunately they'll never see a penny from me again, since they started killing customers for ideological, rather than legal, reason 23:12 < drathir> SporkWitch: thats why god to have competitors... looks at intel ;p 23:13 < SporkWitch> drathir: why ryzen and threadripper make me so happy; i've always preferred AMD, and they managed to stay competitive on price-to-performance ratio, but it's nice to see them actually having the best again 23:13 < Johnjay> ||cw: i thought maybe openwrt was more free software or something 23:13 < SporkWitch> s/best/best outright/ 23:13 < drathir> SporkWitch: lol dont say me no no constant high bandwith traffic auto kill instance ;p 23:13 < ||cw> Johnjay: dd-wrt isn't? 23:13 < GenteelBen> SporkWitch: shame Raja sabotaged their GPUs before jumping ship to Intel. 
23:14 < SporkWitch> lol 23:14 < Johnjay> well debian is more rigorously committed to free software than redhat is 23:14 < SporkWitch> [17:13:51] SporkWitch: shame Raja sabotaged their GPUs before jumping ship to Intel. 23:14 < SporkWitch> [17:13:51] GenteelBen [~GenteelBe@cpc111801-lutn14-2-0-cust55.9-3.cable.virginm.net] has quit IRC: Read error: Connection reset by peer 23:14 < Disconsented> I duno Vega is good at what it is actually meant to do 23:14 < Disconsented> (compute) 23:14 < Disconsented> And well miners have been eating them up for ages as a result 23:15 < SporkWitch> the real problem with the GPUs is the drivers; apparently the new stuff is actually usable, but they've been unusable on linux for decades, and terrible on windows for the same time 23:15 < Disconsented> Only if you're coming from 2002 23:15 < Disconsented> They've been fine for years 23:15 < Disconsented> and great for the last few 23:16 < SporkWitch> it was an issue AT LEAST as recently as 2012; that new "radeonsi" or w/e is supposed to be passable, though 23:18 < ||cw> Johnjay: that mostly has to do with hardware binary blobs and default software. router hardware you don't get much choice, and default software is usually pretty slim 23:19 < Johnjay> ||cw: meaning they both use hardware blobs? 23:19 < ||cw> dd-wrt seems more ease of use focused, and openwrt more power user focused. that's my take anyway 23:20 < ||cw> just depends on the hardware. not all vendors release source for things like wifi firmware that have to loaded with the driver 23:20 < Johnjay> ok well i want to have all the power 23:20 < Johnjay> so maybe i'll try openwrt 23:21 < ||cw> Johnjay: you might review Lede too 23:21 < ||cw> hm, maybe that's the same again 23:24 < ||cw> man, I just realized my router at home is almost 6 years old now. 23:24 < ||cw> might be a new record for me 23:27 < ||cw> huh, and it's still worth $20-30 on ebay in used condition. 23:28 < drathir> yep ac not mut choice... 
23:28 < drathir> or none ;p 23:29 < drathir> ledec is like arch for routers ^^ 23:29 < drathir> lede* 23:50 < sammyg> lede is openwrt now... again 23:51 < Lord-Kamina> Hey. Anybody have experience setting up AiMesh? 23:53 < SporkWitch> Lord-Kamina: If you have a question, just ask! For example: "I have a problem with ___; I'm running Debian version ___. When I try to do ___ I get the following output ___. I expected it to do ___." Don't ask if you can ask, if anyone uses it, or pick one person to ask. We're all volunteers; make it easy for us to help you. If you don't get an answer try a few hours later 23:54 < SporkWitch> the official documentation is also army-proof 23:54 < Lord-Kamina> I didn't really think that counted as asking to ask but fair enough. 23:54 < djph> SporkWitch: documentation for what? 23:54 < SporkWitch> you should also specify "asus" as while they're the only ones using that name, it's not especially well known yet 23:55 < Lord-Kamina> I've just bought three routers, two AC5300 and a RT-AC88U, trying to set up AiMesh, cannot seem to get the AC5300 to detect the AC88U 23:56 < SporkWitch> Lord-Kamina: it's a survey-style question, more importantly, it's a question that in itself doesn't ask a "good" question, as the only responses are either "read the docs" or to just do it for you. I happen to have asus routers and was reading about it, which is why i was able to quickly give you the other stuff 23:56 < djph> too far away perhaps? wrong channel? 
(insert typical derision of ap-repeater setups here) 23:56 < SporkWitch> djph: Asus AiMesh wireless range extension implementation 23:56 < djph> SporkWitch: damn, first time I've heard of a soho brand having *good* documentation 23:57 < SporkWitch> djph: dude, the asus firmware, its documentation, its features, its hardware, it's all awesome stuff, especially for the prices 23:57 < djph> SporkWitch: dunno, tbh, I've been outta the soho arena for a while now 23:57 < SporkWitch> djph: and yeah, the documentation for setting up aimesh is army-proof: step by step WITH PICTURES. And the setup is pretty much fully automated 23:58 < djph> fuuuu 23:58 < Lord-Kamina> I've had mixed experiences with ASUS. 23:58 < Lord-Kamina> Like, things work... until they don't. 23:58 < SporkWitch> the only issue i've encountered like that turned out to be antisocial apple devices, not the asus device 23:58 < Lord-Kamina> And while their docs are usually pretty good, if you get stuck, their tech support is abysmally bad IMO 23:59 < Lord-Kamina> SporkWitch, it is. Problem is when things don't go the way they should. 23:59 < tpanarch1st> thanks all :) --- Log closed Tue Apr 24 00:00:06 2018