05:13 < ScriptGeek> Well, that looks pretty basic for such a powerful antenna
05:17 < drathir> ScriptGeek: longer more elements give You less noise and wider operate spectrum kinda i think, the short ones base at wave multiplying technic to adjust into different band from lower one.. probably at network are examples which stts affect that directly...
05:20 < drathir> ScriptGeek: probably no problem but needed clean LOS and second end also used directional antenna for p2p link...
06:17 < winsoff> WAIT A SECOND GUYS
06:17 < winsoff> If an OpenVPN client (named G) VPNs into a network (named A), can hosts on network A also connect to client G, typically?
06:18 < winsoff> Obviously.
06:19 < winsoff> Holy fug.
06:24 < HickorySmokedBac> Anyone know how 'good' Verizon wireless 'unlimited' would be for use as a real ISP rather than backup ?
06:32 < qman__> worthless
06:32 < qman__> most hotspot plans end around 5GB
06:33 < HickorySmokedBac> qman__: Some say they put the .6 Mb/s throttle on after 22 GBs
06:33 < HickorySmokedBac> That'd be better than nothing
06:34 < qman__> yes, better than nothing, in both senses of the term
06:34 < HickorySmokedBac> Right now that's what I have
06:35 < HickorySmokedBac> Pretty much nothing
06:35 < HickorySmokedBac> I had to move
06:37 < qman__> I used 678GB last month, and that's pretty average for me
06:38 < HickorySmokedBac> That's a lot even for cable
06:40 < qman__> not really, my cable is pretty slow and it's not like I'm constantly downloading stuff
06:40 < qman__> 60/5mbps
06:40 < qman__> I do have quite a few users, though
06:40 < qman__> last july I did 1.01TB
06:40 < HickorySmokedBac> ATT probably would disconnect that
06:41 < HickorySmokedBac> lol
06:41 < qman__> March was a slower month, 436GB
06:43 < qman__> point being, trying to use any mobile plan as a primary internet connection would result in it being completely consumed in a day
06:44 < HickorySmokedBac> Well, the only alternative here is paying $360 for the first month without contract
06:44 < HickorySmokedBac> then $60 a month
06:44 < HickorySmokedBac> I don't really want to do that
06:44 < HickorySmokedBac> $100 setup fee, $200 without contract, and 4 Mbps is $60
06:46 < qman__> verizon's definitely not going to be cheaper than that
06:46 < qman__> maybe t-mobile
06:47 < HickorySmokedBac> $75 a month for the phone ?
06:47 < qman__> but you're still going to run into caps
06:47 < HickorySmokedBac> is all
06:47 < HickorySmokedBac> only 35 more than the $40 unlimited talk/text/3GB
06:50 < qman__> "Use your capable smartphone as Wi-Fi hotspot at no additional cost. Tethering speeds up to 600kbps on the $75 unlimited plan." - it's also throttled after 10GB, and you have to buy a phone, plus fees
06:51 < HickorySmokedBac> I already got the phone
06:51 < HickorySmokedBac> Using it now tethered
06:51 < HickorySmokedBac> They said it'd be about .6 Mbps , that 600 kbps
06:51 < HickorySmokedBac> Not sure if I believe that
06:52 < HickorySmokedBac> I couldn't just take my ViaSat account with me
06:52 < HickorySmokedBac> Or rather my dad's
06:52 < HickorySmokedBac> Or I wouldn't have any problems
07:33 < MACscr> i cant seem to get an l2tp vpn working on my ubiquiti edgerouter. I have it all setup http://paste.debian.net/1022764/, but when i try to connect to it from my mac, it says the server didnt respond. My swantctl --log is completely empty as well
07:34 < MACscr> im assuming my l2tp outside-address should be the same one that is assigned to my wan interface (eth0)?
07:37 < MACscr> since i cant really get any logging that im seeing on the ubiquiti in regards to this, im not sure where to start troubleshooting the issue
08:09 < MACscr> ok, i think i got it
08:10 < MACscr> cant seem to access any of the subnets though from the vpn connection
08:10 < liveuser1> Los Angeles
08:10 < liveuser1> If I can hold your stinking rotten flesh in my arms.
08:11 < liveuser1> For all who love me.
08:11 < liveuser1> Suppose it hasn't been done.
08:11 < liveuser1> To alter the course of the universe and regenerate one man of halflife.
08:12 < liveuser1> If the muslims can hold the koran in memory.
08:13 < liveuser1> While looking at #bioinformatics what is the overreaching rhythm of My Flesh
08:13 < liveuser1> My MY
08:13 < liveuser1> And all of the naive wanting an old testament church, forecast a would be 3rd gen curse.
08:17 < MACscr> ah, i guess im used to pushing routes by the server config with openvpn
08:43 < MACscr> damn, not being able to push routes to the clients is a huge drawback
08:43 < MACscr> of using pretty much anything other option than openvpn. ugh
09:13 < anddam> hello, need a bit of wireless wisdom
09:14 < anddam> I have two laptops, a macbookpro 2011 and a Clevo barebone model Something.Something, both in the same room therefore at the same distance from an AP, a home ADSLv2 modem-router-AP-dishwasher-hairdryer
09:16 < anddam> now my issue is that the Clevo clearly struggles browsing, the perceived connection quality is not good, also with a ubuntu based distribution the wireless icon in the menu bar has usually few filled lines, one out of three or four
09:16 < anddam> the macbook next to it shows a full wireless icon, and seems to browse much faster
09:17 < anddam> now I know the icons mean nothing without knowing exactly what the agent is programmed to display there
09:17 < anddam> I see both showing an average RSSI of -66 dBm and a noise level of about -88 dBm
09:18 < anddam> no, actually the macbook utility displays the noise, I can only see the "Signal level" with iwconfig on linux
09:19 < anddam> I thought the Clevo had a bad antenna, maybe internally disconnected or so, but since I read roughly the same signal strength that shouldn't be the case, right?
09:40 < detha> If both read the same signal strength, both have roughly equivalent antennas (if things report signal strength correctly).
09:41 < detha> But 22 dB SNR is not much to work with - may well be that the chipset or firmware blob on the clevo is not as good as on the mac
09:47 < anddam> likely
09:47 < anddam> I was actually surprised by the low signal, are these common values?
09:48 < anddam> I mean in power terms this is a nanowatt or so
09:48 < detha> "it depends". RF and walls/ceilings/windows is magic. But it sounds rather low
09:48 < anddam> actually less, isn't it?
09:50 < detha> thinking about RF in watts doesn't really work (maybe unless you are designing equipment or trying to make sense out of govt. regulations)
09:50 < anddam> ok, btw this was the reason I was pestering the channel about accessing that AP device, I have a LaFonera 2100 that's been collecting dust for years now, figured it could well WiFi-light up this room
09:51 < anddam> detha: no I got that
09:52 < anddam> just a consideration in absolute terms
09:56 < anddam> detha: oh, the main difference I see in the wireless card configs is that the macbookpro picks a Txrate of 130Mbps
09:56 < anddam> the Clevo 52 Mbps
09:57 < anddam> I'm using GNOME network manager to automagically config the thing and there I couldn't find any setting about the transmission rate
09:57 < detha> sounds like it is only doing n ?
09:57 < anddam> considering the Clevo has Intel Corporation Wireless 3160 chipset it should go higher, shouldn't it?
09:57 < anddam> it's ac
09:58 < detha> what the chipset supports and what the driver supports can be two very different things
09:59 < anddam> damn computing stuff
09:59 < anddam> so I should check if the driver I'm running in kernel supports more, right?
10:01 < detha> yeah. what kernel version is that?
10:01 < anddam> from dmesg I *guess* the driver is called iwlwifi
10:07 < anddam> 4.13.0
10:07 < anddam> it's an ubuntu based system
10:16 < detha> fairly recent, that should do ac. And intel normally supplies decent drivers
10:18 < anddam> I think it's just a matter of some config, and Network Manager has a simple UI not allowing the wifi specifics
10:24 < detha> off to hostapd.conf. which doesn't have a decent man page, alas
10:28 < anddam> thanks for the info
11:07 < meth> hey are these stats qualify for 100Mbps https://i.imgur.com/t8ygfYH.png it's on FTTC
11:07 < meth> ISP says I can't sync on 100Mbps
11:08 < meth> are they lying to me?
11:08 <+xand> you are synced at ~40Mbps
11:08 < meth> yeah
11:09 < meth> I mean from the stats above do I earn the 100Mbps lottery on FTTC?
11:09 < light> you may get 90 mbit instead of 100 mbit, but that's still a lot more than 40 mbit
11:10 < meth> it's 133Mbps
11:10 < light> what is
11:10 < meth> the max
11:11 < meth> the max i can receive on down stream
11:11 < light> allegedly, but probably not really
11:11 < meth> wait, why?!
11:11 < meth> routers lie?
11:17 < shanee> Hi. I have a network that requires access be via a web proxy and login. I want to build a hotspot that bridges to this network in such a way that those connecting via my hotspot don't need to configure the webproxy themselves and it looks like normal internet access to them. What is this setup called and are there any existing programs or resources I should look at?
11:18 < light> shanee: supply the proxy via DHCP?
11:20 < detha> shanee: transparent proxy. also find out how proxy.pac works.
11:21 < shanee> light, Essentially, I'm trying to connect some IoT devices that don't support web proxies to a network that requires one be used. I think a DHCP solution would require that the device supported a web proxy?
11:21 < shanee> detha, I'll look into this now.
11:25 < detha> shanee: if the device doesn't support proxies (likely for IoT shit), a transparent proxy would be the only way. But that doesn't work nicely for SSL unless you can add a CA cert to the devices
11:26 < shanee> I see. Thank you. Transparent proxy looks like it's what I want! Thanks.
11:56 < Reventlov> I'd go with an access point masquerading as a normal device
11:56 < Reventlov> without any proxy
11:58 < detha> Ehm, isn't that a description of a transparent proxy setup?
11:58 < djph> detha: yes?
11:59 < Reventlov> detha: maybe; I was associating "transparent proxy" with stuff like squid and so on
11:59 < Reventlov> But i'm pretty sure nftables / iptables would be enough, no ?
12:06 < detha> Reventlov: not if there is no direct internet access out of the network. Think 'all traffic from inside network to internet is blocked'
12:07 < meth> guys is that could be with vectoring https://i.imgur.com/t8ygfYH.png, does vectoring impact the latency ?
12:24 < royal_screwup21> I'm trying to dump some json into my local host and then retrieve it back. Here's what I've tried in java https://thepasteb.in/p/GZhWP0AkWn0IV While I'm able to dump the json, I'm not later able to access my localhost - the request takes too long. How do I fix this? I'd love a pointer or two in the right direction :)
12:38 < banisterfiend> hi guys, 128.0.0.0/8 is the block of loopback in ipv4, what is the equivalent for ipv6?
12:38 < Peng_> 127.0.0.0/8
12:38 <+xand> ::1
12:38 <+xand> and yes it's 127 for ipv4...
12:44 <+catphish> woo, my 34" curved display arrived :)
12:45 <+catphish> it's not clear to me why in ipv6 it was determined that only one IP would be used for loopback instead of a range, but i guess there are other IPs you could use for the purpose if you wanted
12:45 < Peng_> well, you know, don't want to run out
12:45 <+catphish> lol
12:45 < Dagger> it does feel like they went from extreme overkill to extreme underkill
12:46 < Dagger> but ULA is there for you if you need it
12:46 <+catphish> yeah, that was my thought, no reason you can't use routable IPs for loopback
12:50 < drathir> catphish: im not get that trend of curved ones this times...
12:51 <+catphish> drathir: well, previously i used 2 screens, they were placed at an angle so that all parts of both screens were roughly the same distance from my eyes, curved screen just achieves the same
12:58 < usvi> hmm
12:59 < drathir> catphish: but still lot of $$ more for shape wonder how them compare with alife hours... also advantage of two screens thin frames them can be used as separate feeding eg fullscreen movie and work monitoring...
13:00 < usvi> for dhclient, are the scripts in dhclient-exit-hooks.d protected from concurrency issues by any chance?
13:00 <+catphish> drathir: i didn't think the curve actually added significantly to the price (not nearly as much as the price of one large high res screen vs 2 small ones anyway), i'm not sure if the separation is ever useful, i don't watch videos at work much :)
13:00 <+catphish> i guess i'll see, i like it so far though
13:02 < drathir> catphish: ot thats kinda good things bc will be not surprised when even for color the prices differ... ^^
13:03 < usvi> of course safest is to assume that the scripts should be protected against concurrency
13:03 < drathir> catphish: may i ask if You will share usage experience eg angles of view from this one?
13:06 < thothcastel___> can a single internet link with static IP address have a VPN tunnel as well as direct connection to the internet?
13:06 < light> yes
13:06 <+catphish> drathir: because of the curve it's pretty useless at steep viewing angles, although technically it works well, it reflects ambient light from all kinds of angles when you try to view it sideways
13:07 < drathir> thothcastel___: yep it can...
13:07 <+catphish> thothcastel___: yes
13:07 < drathir> thothcastel___: there a lot of outgoing ports for use ^^
13:07 <+catphish> you simply choose which traffic should go to the internet and which traffic should use the tunnel
13:07 < thothcastel___> I need all traffic on ports 80 and 443 to point to zscaler
13:08 <+catphish> you can do that :)
13:08 < thothcastel___> and all other traffic to point to the MPLS network
13:08 < drathir> thothcastel___: probably iptables rules i guess?
13:08 <+catphish> you'll need a router with policy routing
13:08 < thothcastel___> it is a cisco router
13:08 < thothcastel___> will I need routing?
13:08 < light> yes, you will need routing ._.
13:08 < thothcastel___> at the moment I have a static route point all traffic to the next hop (ISP
13:08 <+catphish> you can do it on linux using iptables to mark the packets based on port, then policy routing to send them to a different routing table
13:09 <+catphish> dunno about other routers
13:09 <+catphish> thothcastel___: you just need to work out if your cisco router can route based on destination tcp port, try #cisco
13:11 < Roq> You can make a route-map and apply that policy to the interface
13:12 < thothcastel___> can Cisco C891F-K9 cisco router route based on destination tcp port? using static routing
13:13 < Roq> thothcastel___: yeah
13:14 < thothcastel___> Roq: could you please give me an example?
13:15 < thothcastel___> basically I need traffic on the 10.0.0.0/24 to go through the mpls and all http and https traffic to go directly out on the same link
13:15 < thothcastel___> 10.0.0.0/24 is already reachable via a VPN tunnel
13:16 < Roq> Just google "cisco pbr https http forward". Plenty of examples for similar cases
13:17 < banisterfiend> xand oh so there's only one loopback ip for ipv6? unlike in ipv4 where there's an entire subnet?
13:18 <+catphish> banisterfiend: yes
13:18 < banisterfiend> why is that?
13:19 < light> there's just not enough free ipv6 addresses
13:19 <+catphish> with ipv4 it was a bit of a mess, there was a whole /8 set aside for loopback, but OSs just used 1 IP by default
13:19 < thothcastel___> thanks Roq
13:19 <+catphish> now there's just one well known loopback address, which all OSs use (as before), but you can also use *any* other IP you like for loopback
13:20 <+catphish> if you want more addresses, simply assign yourself some ULA (private) addresses, and use them for loopback
13:21 < thothcastel___> Roq: will the static route 0.0.0.0/0 NextHopIP need to be removed if PBR is in place?
13:22 < tester> i'm having some issues with chromecast (never tried it before) where devices can't find each other. i believe the system relies on some sort of network broadcast and i presume that's blocked somehow(?). how do i even start debugging this?
13:22 < tester> the 2 devices i want to connect are connected to the same ap
13:23 < tester> i cant find any settings on the ap that may even possibly be related to this
13:23 < mAniAk-_-> client isolation maybe?
13:24 < tester> can't find such a setting.
13:24 < Apachez> client hug mode?
13:25 < tester> what's that?
13:25 < Apachez> when clients hug each other
13:25 < tester> ..
13:25 <+xand> special hug time
13:26 < tester> im not even sure you're being sarcastic or not now
13:28 < drathir> Apachez: ^^ ++
13:31 < drathir> tester: but router fw log should catch blocked requests...
13:31 < dogbert2> LOL
13:31 <+xand> that's gonna be a busy log
13:32 < djph> ^
14:02 < hjf> man, the bullshit one has to read on slashdot nowadays
14:02 <+catphish> you don't have to
14:02 < hjf> there's an idiot claiming he can get 250mbps from wifi
14:02 <+catphish> well you can
14:03 < hjf> anywhere on his multi-storey 4100 square feet house
14:03 < hjf> with a single AP
14:03 <+catphish> that last part makes it slightly less likely :)
14:03 < hjf> yeah, no. been installing wifi since 2004. I know what wifi can and cannot do
14:03 <+catphish> is his home in the wilderness, with all power off apart from the 2 devices?
14:04 <+catphish> it's not totally impossible if there were zero interference, but still unlikely
14:04 < hjf> well likely he wouldn't be able to get a 250mbps+ internet service in the wilderness
14:04 <+catphish> i didn't know that was a factor here
14:05 <+catphish> lol
14:05 < hjf> the point of my post there was that ISPs are now selling 500, 1000, 2000mbps packages
14:05 <+catphish> my ISP just increased their top package from 100 to 350
14:05 <+catphish> and probably more if you ask / pay :)
14:05 < hjf> and i said sure, they can sell you 10gbit if they want. but most people use it over wifi that it's very unlikely to get anywhere near that
14:06 <+catphish> indeed
14:06 <+catphish> not many people even have a router that can exceed about 500mbps
14:06 < hjf> and this clown comes in claiming he has a single device that can do 250mbit in such a large house
14:06 < hjf> and he could "easily saturate his 1gbit internet connection if he had more devices"
14:06 <+catphish> lol
14:07 <+catphish> "no"
14:07 < hjf> why do people have to make up bullshit stories to win an argument?
14:09 < djph> catphish: I do :) granted upstream is being weird and sitting at 350 when down is consistently 900. hmm ...
14:09 < djph> too lazy to really look into it though
14:09 <+catphish> i'm preparing for a fight with my ISP who want to offer 10:1 upload ratios
14:10 <+catphish> i'm hoping they'll be nice and offer me better
14:10 < hjf> i had 30/10 VDSL
14:10 < hjf> but one day they decided meh, we'll give you 20/3
14:10 < hjf> so they just did
14:10 < hjf> wtf?
14:11 < djph> was it that they forcibly downgraded you, or issues on the line or something
14:11 <+catphish> my ISP just announced they upgraded their network and introduced new packages, they're changing the package i'm on from 100/50 to 100/10, now i'm sad
14:11 < hjf> not really sure. their 30/10 plan is not even on their website anymore
14:11 <+catphish> but hopefully they'll help
14:11 <+xand> catphish: a real upgrade to be sure
14:11 <+catphish> xand: indeed :(
14:12 <+xand> who owns your FTTP?
14:12 <+catphish> they now offer all sorts of speeds, but always at 10:1, i can get 350/35
14:12 <+catphish> xand: https://www.wessexinternet.com/home-fibre-broadband/
14:12 <+xand> catphish: didn't you install it?
14:13 < hjf> but my isp recently merged with another that's selling 50 and 100mbit packages. i think they want people to move over to their new brand
14:13 <+xand> do they have a cab somewhere like BT do that it goes to?
14:13 <+catphish> xand: physically yes, but yes, they have a cab nearby
14:13 <+catphish> i really like them, great service
14:13 <+catphish> but unsure why they're being mean on upload speeds
14:14 <+xand> it shows a 100/20 service there
14:14 <+catphish> there are a few possible reasons, i asked them, but i think the email got lost, gonna ask again
14:14 <+catphish> xand: that's true, i'm on the "home office" one
14:14 <+xand> I have 40/7 :X
14:14 <+xand> installing FTTP would not be practical
14:15 <+xand> I obviously need to move. given I'm changing jobs soon I should anyway but I'm lazy
14:16 <+catphish> changing jobs? :o
14:18 <+xand> going to work at king's college london
14:19 <+catphish> right, going to raise a support ticket about this speed thing :)
14:22 < lupine> needs more remote-only
14:30 <+xand> lupine: don't want to WFH all the time
14:43 < lupine> xand: that's what places that are not home are for
14:44 <+xand> lupine: I also don't want to do lots of work on a laptop
14:44 <+xand> requirements include decent internet connection, large amount of screen space, and my ssh connections not dropped from the day before :P
14:45 <+catphish> xand: those are very sensible demands!
14:47 < jvwjgames> i need some advice the data center where my server is hosted currently has a 10 mbps connection is that enough for a game server plus whatever i need to do to run my business if i upload any important files they complain cause the ping spikes up to 8000ms is there any way i can fix this
14:47 < jvwjgames> correction 800ms
14:47 < r0ss> A datacentre with a 10Mbps connection?
14:48 < dogbert2> I have 30-35mbit/sec at home
14:48 < jvwjgames> they have other plans but to start out it's 10
14:48 < dogbert2> and at work, I have a 10Gbit/sec data pipe
14:49 < dogbert2> best DSL can do here is 3-6mbit/sec
14:49 < jvwjgames> but the higher you go the higher the rates like for a 5-mbps is an extra 1$5/month
14:49 < jvwjgames> $150*
14:49 < dogbert2> sounds like highway robbery
14:50 < jvwjgames> 50mbps*
14:50 < r0ss> I would think 10Mbps would be ok for a game server but I don't run any myself so hard to say. RE your business it completely depends what you are doing. Those speeds seem odd in 2018...is there not anywhere else you can host?
14:50 < jvwjgames> i have another server in another data center in the same state that has our billing system that one is at a rate of 100mbps
14:52 < jvwjgames> i would swap locations but i can't afford the downtime just for one customer's complaint plus that customer aka my friend isn't paying but i should make him pay
14:55 < r0ss> I'd be looking at swapping locations but I guess you could look at rate limiting the file transfers you are doing in an attempt to not saturate the circuit and spike the latency
14:56 < jvwjgames> or i could pay an extra $50/month to get another port so he has a dedicated connection
14:56 <+catphish> 10Mbps should be enough for a game server really, but may depend on the game
14:57 <+catphish> it really shouldnt be hard to check, play the game, see how much bandwidth it uses
14:57 <+catphish> but seriously consider looking for a better provider, 10Mbps is really really bad
14:57 < jvwjgames> ok
14:57 < Apachez> depends on game
14:57 < jvwjgames> let me check the pfsense firewall logs
14:57 < Apachez> like cs loads custom maps from the gameserver
14:57 < jvwjgames> cause it has a bandwidth monitor
14:57 < Apachez> in those cases having 100Mbps pipe is a good thing
14:57 < Apachez> but gamewise its give or take 100kbps per client
14:58 <+catphish> i have 50 at home, so 10 seems totally unreasonable for a server
14:58 < Apachez> thats including sound
14:58 < jvwjgames> i have a 1gbps pipe at home
14:58 < detha> also, if you can't move servers without causing serious downtime I would re-think the way the hosting is set up
14:58 < Apachez> so 32 concurrent clients should be fine with 32*100kbps = 3.2Mbps
14:58 < Apachez> during gameplay
14:58 < jvwjgames> but it wouldn't be professional to host my business vm software from my house would it?
14:58 <+catphish> cutting it a bit fine really
14:58 < Apachez> so 10Mbps should be sufficient also for downloading maps through the server
14:58 <+catphish> jvwjgames: depends how good the connection is
14:59 < jvwjgames> it is unturned
14:59 <+catphish> a data centre has power and network SLAs, your home doesn't
14:59 < jvwjgames> i know that
15:00 < Apachez> sure your home can have sla's
15:00 < Apachez> I got sla's
15:01 < Apachez> for my internetpipe
15:01 < Apachez> at home
15:01 < Apachez> its a companypipe
15:01 < Apachez> but still terminates at my home
15:01 < Apachez> and it has sla's
15:01 < Apachez> I have more uptime at home than nasdaq stock exchange got
15:02 < Apachez> and I got ups too :)
15:02 < Apachez> but sure, still lacking one or two submarine diesel engines on the frontyard :P
15:02 < r0ss> what are you running at home then?
15:02 < Apachez> techporn
15:03 < Apachez> dnsservers, webservers, gameservers
15:03 < Apachez> and my own workstations
15:03 < Apachez> and irc :P
15:03 < Apachez> and probably things I forgot about
15:04 < Apachez> having a 1600VA UPS is a sane thing to have nowadays
15:04 < Apachez> gives you an additional hour or so of internet when the rest of the neighbourhood goes poff
15:04 < r0ss> would be no use for me as I take an Ethernet service and the ISP's switches in the electrical risers would die before a UPS like that
15:05 < Apachez> our isp devices are upsed
15:05 < Apachez> dual 1600VA
15:05 < Apachez> eaton pro
15:05 < Apachez> good shit
15:05 < Apachez> also have nice displays so you can see current status and estimated runtime if shit goes south
15:06 < r0ss> I work for the ISP in question and I'm pretty sure we don't UPS the switches in the smaller comms risers, just the main one
15:06 < Apachez> http://powerquality.eaton.com/Products-services/Backup-Power-UPS/Ellipse-PRO.aspx
15:06 < r0ss> its more to protect equipment from instant power off than to keep service running if there is a power outage though
15:06 < jvwjgames> can having a desktop gui on the game server hamper performance
15:07 < Apachez> why would you have a desktop gui on a gameserver?
15:07 < Apachez> does not compute...
15:07 <+catphish> jvwjgames: probably not
15:07 <+catphish> all my windows are a little bent today
15:07 < jvwjgames> i advised against it cause of how much cpu and ram i gave him and he said he needed it
15:07 < Apachez> http://powerquality.eaton.com/ELP1600DIN.aspx?cx=98
15:08 <+catphish> well a GUI is going to use RAM certainly
15:08 < jvwjgames> cause he doesn't know how to use a command line
15:08 < djph> jvwjgames: yes, a GUI will hamper performance
15:08 <+catphish> leaving less for the games
15:08 < Apachez> then its time for him to learn?
15:08 <+catphish> an idle desktop really shouldn't be a problem
15:08 <+catphish> but i'd still avoid it, waste of ram
15:08 < Windy> heya, i have an IKEv2 question. if one side sets very restrictive traffic selectors, say - three pairs of /32 addresses, and the other side sets a single traffic selector with subnets containing said /32s, will it be possible for three Child SAs to come up? or how will that negotiate
15:09 < jvwjgames> and he keeps telling me that it's not the GUI it is the ram
15:09 < jvwjgames> and i said i can't just give you more ram like its candy and cpu cores
15:09 < jvwjgames> right now he is requesting 4 cpu cores and 4 gb of ram
15:09 < r0ss> is this the friend that doesn't pay?
15:10 < jvwjgames> correct
15:10 <+catphish> afaik they have to match, not certain though, try it?
15:10 < detha> Windy: most likely, "not", if the selectors don't match exactly
15:10 < Apachez> then have him pay
15:10 <+catphish> Windy: ^
15:10 < Apachez> problem solved
15:10 < Apachez> dont forget the powerbill too
15:10 < recesfulu> anyone knows why in ipcpv6 in ppp ipv6 prefix is not configured?
15:10 < jvwjgames> that's why i am not increasing it cause it is unfair to the other customers that are paying
15:10 < djph> jvwjgames: tell him to gitgud with the CLI?
15:10 < Apachez> a server that averages at 100W in total goes for 72kWh/month
15:11 < Apachez> so 5-10 USD depending on country
15:11 < Windy> detha,catphish: how does one typically traffic selectors when you have a large number of addresses? we're looking at 12 on one side, and 6 on another and the other side won't do subnets. so to make them match exactly I'd need 72 traffic selectors
15:11 <+catphish> of course a data centre will charge more than that for power, because dual feeds, UPS, etc
15:11 < Apachez> and about as much in cooling if you got a DC
15:12 <+catphish> oh yeah, plus cooling
15:12 < Apachez> yeah this was pure power
15:12 <+catphish> which is usually included in power cost
15:12 < Apachez> assuming you already have power and air to your home
15:12 <+catphish> true
15:12 < jvwjgames> he doesn't have a job and won't get a job like we have been trying for years to get him
15:12 <+catphish> power's cheap at home
15:12 < Apachez> depends on country
15:12 <+catphish> kill him with an axe?
15:12 < Apachez> here in sweden its like taxed 3 times or so
15:12 < r0ss> he shouldn't expect you to hand all this out to him for free then
15:12 < jvwjgames> what about if i try and install light GUI
15:13 < detha> Windy: never had to deal with that - I just map a subnet, if only a few addresses are needed ACL the rest off
15:13 < Apachez> what about if you stop trolling?
15:13 < Apachez> tell him to learn cli or get some other friend to screw?
15:13 < jvwjgames> lol
15:13 < Windy> detha: that would be my preference, but the engineer on the other end is adamant about not including the whole subnet in the traffic selectors. it's a sonic wall :-S
15:14 < detha> "sonic wall" "engineer". Conflict in concepts.
15:14 <+catphish> Windy: honestly, i've only ever done like 2 subnets on each end, so mine are always matching and simple
15:15 <+catphish> Windy: oh, actually i now use GRE instead, so routes can be whatever, so i'm not that sure about it
15:15 <+catphish> it's so much easier just to encrypt the gre, then route stuff over that
15:19 < jvwjgames> have pfsense bandwidth monitor up and running real time now logging into game server as a player
15:20 < jvwjgames> 12 -30kb for one player
15:21 < Apachez> and if you enable team speak within the game?
15:21 < Apachez> along with downloading assets through the server
15:24 < jvwjgames> no teamspeak or downloading
15:52 < drathir> ipt possible fast iptables masquerade gateways ?
15:53 < drathir> ipt/is*
15:53 < djph> drathir: err, what?
15:53 < drathir> djph: in case when device get wrong gateway set to access that device...
15:54 < djph> drathir: that's still not making a whole lot of sense :(
15:54 < djph> I probably need more coffee
15:55 < drathir> djph: device get .1.111 gateway is set to .1.3 and network true gateway is .1.1...
15:56 < drathir> djph: router able reach mtr .1.111 but not any other device in network looks like...
15:57 < drathir> djph: i guess the best solution just directly connect that device to notebook when goes near it...
15:58 < djph> er, so "device" is getting routed thru a fake gateway / transparent proxy?
16:00 < drathir> djph: yep device is routing to wrong gateway... that it cant be reached by any other device in network only router...
16:00 < djph> so fix its setup?
16:00 < r0ss> put the wrong gateway IP on the real gateway if you have a suitable device
16:01 < drathir> djph: yea need to get into device im wondered if its a way remote temporarily redirect to correct gateway...
16:02 < psprint_> Netmask for 7-bit network is 255.255.255.128 ?
16:02 < drathir> r0ss: hmmm that good idea...
16:02 < UncleDrax> We only transmit in octets in this house, mister!
16:02 < drathir> let me check...
16:09 < djph> psprint_: /25 (7 bits for hosts) is what you wrote, yes.
16:15 < roger_padactor> hello, I have a domain registered with one company. the nameservers point to another company that hosts the site and the email. I need to change the domain name to point to an IP address but I need the email to keep working. Should I make the changes with the company that the domain is registered to or the hosting company?
16:16 < djph> roger_padactor: whichever entity is actually handling the DNS records
16:18 < roger_padactor> thank
16:34 < drathir> djph: r0ss looks like get directly into correct vlan granted access to device...
16:36 < drathir> and gateway was 0.0.0.0 a i see set... ;p
16:41 < psprint_> djph: thanks
16:44 <+catphish> my ISPs reply to my question of why they only offer 10:1 upload speed ratio was that anything more is "exceptionally fast and surplus to requirement"
16:45 < Dalton> according to whose standards?
16:45 <+catphish> "We have reviewed our packages recently and for our fibre packages, the upload speed was much higher than customers actually required. For usual internet browsing, speeds of up to 50Mb/s are exceptionally fast and surplus to requirement, unless you are uploading huge amounts to the the internet."
16:45 <+catphish> i've pointed out that just because i don't upload much doesn't mean i want to wait for it :(
16:45 <+catphish> very odd industry practice :(
16:48 < tds> catphish: are they able to offer you anything custom, or is it just "pick one of these standard packages"? :/
16:49 < detha> Citizen, consume. How dare you have the initiative to want to upload content?
16:49 <+catphish> tds: they should be able to offer something custom, that was the reason for my email, they said other options are available on request, so i've replied with a more explicit request :)
16:50 < Dalton> catphish: you're in .uk no?
16:50 <+catphish> yeah
16:50 < tds> ah, I guess that's good at least :)
16:50 <+catphish> i also explicitly asked them if it would be OK to run my 20Mbps CCTV stream :)
16:50 <+catphish> since there's a difference between paying for the bandwidth, and having the audacity to actually use it :)
16:51 < drathir> catphish: when You will constantly upload, they cut a line, bc too high traffic ... such a logic ;/
16:51 <+catphish> drathir: lol
16:51 <+catphish> drathir: i fear that may be the logic here
17:17 < redrabbit> isps are stupid
17:17 < redrabbit> stuck with 100/5 here
17:18 < Demos[m]> Man, dealing with Merit at work has spoiled me
17:18 < djph> I keep getting called by TWC - "buy our 50/5 for $stupid"
17:18 < Demos[m]> AT&T does give me 1000/1000 though
17:18 < djph> .. guys, I'm not gonna buy it, *ever*. AT&T has you beat handily.
17:19 <+catphish> this bandwidth symmetry thing is odd
17:19 <+catphish> some ISPs don't seem to care, others love to be restrictive with it
17:19 < Demos[m]> FTTC + 1000base-t
17:19 < Demos[m]> Even get working v6 with prefix delegation
17:19 < skyroveRR> Hiya catphish
17:20 < djph> Demos[m]: yup, is nice
17:20 <+catphish> i have ethernet to the home, though they can't seem to get ipv6 working on their ppp servers
17:21 < Demos[m]> I kinda wish they just put fiber to the wall, but shrug
17:22 < djph> I've got fiber all the way into the ONT. I'd kill to scrap that and just use an SFP (yeah, yeah, bidi blahblah)
17:22 < Demos[m]> My bet is they have like 24ish fibers coming in and then 40g to each floor
17:22 <+catphish> nice
17:23 < Demos[m]> Meh, if you're going to a switch nearby then why bidi?
17:24 < Apachez> why not?
17:24 <+catphish> why not indeed, less splicing :)
17:25 < Apachez> but personally I prefer non bidi unless really needed
17:25 <+catphish> though i'm happy with tx+rx, easier to upgrade to 100G later :)
17:25 < Apachez> the -U and -D are a nightmare
17:25 <+catphish> yeah i'd agree
17:25 < Apachez> you often end up with two -U or two -D which is no bueno
17:25 <+catphish> i didn't know they were asymmetric, makes sense though
17:25 < Demos[m]> The transceivers are more expensive and you're going electrical before really exiting
17:25 <+catphish> different tx and rx band on each end
17:27 < Demos[m]> Besides, in a large building you may be going to DWDM before exiting your building
17:27 < Demos[m]> And (I think) bidi will still need two dwdm wavelengths in the end
17:28 < Apachez> catphish: well it's often like 1310 nm in one direction and 1550 in the other
17:28 < Apachez> so -D is like TX 1310 RX 1550
17:29 < Apachez> and -U is TX 1550 RX 1310
17:29 < Apachez> or if it's the other way around
17:29 <+catphish> yep, makes perfect sense
17:32 < kenlumbo> that's what all ours seem to be, 1550/1310, but if tons of fiber to spare I prefer non bidi
17:37 <+catphish> non bidi seems the better option for most cases
17:40 < Apachez> and it's cheap
17:40 < Apachez> $6 for 1G from fs.com
17:41 <+catphish> yep, the only downside is less density or more splicing
17:41 < mAniAk-_-> not LR are that costly
17:41 < mAniAk-_-> LX*
17:41 <+catphish> this monitor really is lovely
17:43 < Apachez> mAniAk-_-: ?
17:45 < mAniAk-_-> Apachez: compared to bidi
17:47 < Apachez> $6 for MMF
17:47 < Apachez> $7 for SMF
17:47 < Apachez> 10km
17:48 < ryao> catphish: non bidi is cheaper for upgrades too. The optics needed to have two wavelengths in opposite directions on a cable are pricey. ^_^;;
17:48 <+catphish> indeed, easier upgrades / general compatibility is a great reason not to bidi
17:49 < ryao> catphish: Well, the bidi SMF stuff will likely be upgradable up to 1PbE if that ever becomes a thing, but at great expense. ^_^;;
17:49 < ryao> You don't really get economies of scale on those because the cheaper duplex stuff eats away at any market opportunity for them to be widely used outside of long distance links.
17:50 < Apachez> -D goes for $12 and -U for $9
17:50 < Apachez> ohh and you need SMF for that to work
17:50 < Apachez> so it's like $21 per pair instead of $6-14
18:03 < ||cw> the thing is, with ADSL and cable there are reasonable technical reasons for the difference. with fiber, there just isn't. it's really just to slow down servers across the board without having to resort to protocol aware traffic shaping and nothing more
18:04 < ||cw> whoah, I was scrolled way up apparently
18:19 < king_button> If I connect(...) a socket specifying address and port, that specifies what port to send data to, but what port is listened to to receive data?
18:19 <+xand> OS will choose one
18:20 < Apachez> ||cw: YOU SEEM TO BE WAY OUT OF SYNC
18:20 < Apachez> oops
18:20 < Apachez> caps?
18:20 < Apachez> actually the tcp stack in the os will select srcport automagically
18:20 < Apachez> unless you specify one
18:20 < ||cw> Apachez: I've flushed my cache, all good now
18:20 < Apachez> then you might get an error if that port is already in use
18:21 <+xand> or if you're not root and choose one < 1024
18:22 < Apachez> or above 65535
18:22 < Apachez> but those only work in hollywood productions
18:22 < hweaving> Are there any good rules of thumb for choosing TX and RX ring sizes?
18:23 < king_button> would I specify a port (not that I'd want to) via a bind before connect?
18:23 < Apachez> say that again?
18:23 < arooni> question; with ufw on ubuntu 16.04; i have the rule 32400 ALLOW Anywhere ;; yet when ufw is enabled; i can't telnet to that port from another machine on my network through my router's public ip address (i have port forwarded both tcp and udp)
18:23 < Apachez> RX and TX ring size?
18:23 < hweaving> I'm seeing millions of cache misses for a short test run, and I'm wondering if my TX/RX rings are too big
18:23 <+catphish> king_button: you can, but you usually shouldn't :)
18:23 < Apachez> you mean buffers or something else?
18:24 < hweaving> Apachez: yes, ring buffers
18:24 < Apachez> na
18:24 < Apachez> large buffers are just bufferbloat
18:24 < Apachez> as in you occupy mem but never really use it
18:24 < Apachez> you can have the other way around too, too small buffers
18:24 < hweaving> My system has max RX of 8192, current ring size is set to 1024... that doesn't look too big
18:25 < Apachez> should be sufficient
18:25 < Apachez> I prefer 10000 as TX buffers on 1G and upwards
18:25 < hweaving> I'm just wondering what's causing millions of cache misses, since I'm trying to do very high bandwidth gigabit networking and wondering if some of my huge buffer settings are contributing to it.
18:25 < Apachez> also those occur when your cpu is busy
18:25 < Apachez> so in a normal system they should rarely occur
18:28 < hweaving> if I raise rx ring buffer size from 1024 to 8192, my cache misses basically double
18:28 < hweaving> hmmmmm
18:34 < hweaving> I'll be, lowering ring size reduces CPU usage
18:35 < hweaving> "ethtool -g eth0 rx 512" or similar... I wonder how low is safe, like 256?
18:35 < hweaving> From 1024 to 512 made me go from 160,000,000 cache misses to about 8,000,000 cache misses
18:41 <+catphish> i can't see how lowering the ring size could possibly reduce cpu usage
18:42 <+catphish> i might be wrong, but i'd think a larger ring is always better
18:45 < hweaving> catphish: That's what I would have thought
18:45 < hweaving> but I ran across this
18:45 < hweaving> https://www.napatech.com/vpp-200g-nic/
18:46 < detha> size of ring versus size of L1/L2 cache, or some silliness like that ?
18:46 < hweaving> and I'm seeing the same sort of behavior. With ethtool setting RX ring buffer to 1024 or larger, I get hundreds of millions of cache misses for a 20-second test
18:46 < hweaving> 512 or smaller is 8 million max
18:46 < hweaving> I don't fully understand why yet, but the article does mention that among other performance factors
18:47 <+catphish> but you can't be using cache, every read is new data
18:49 < hweaving> I'm not sure why, all I can see are the results :(
19:01 < Apachez> perhaps you have a buggy driver?
19:03 < UncleDrax> Buggy driver? Amish over IP Networking? (sorry.. had to)
19:04 < Project86__> What exactly does mysql do?
19:07 < hweaving> Apachez: maybe, but that article author seemed pretty confident. I think it's just more complex than it appears
19:13 < MACscr> ok, so according to my findings so far, with a l2tp/ipsec vpn (ubiquiti), i have to set up all subnet routing on the clients themselves instead of having it pushed from the vpn server?
19:18 < UncleDrax> Project86 - it's a database (specifically it's a SQL based RDBMS). so it stores data in a manner that is 'easy' to retrieve. You can look up the wikipedia entry or one of a gazillion articles on any more detailed questions.
19:56 < GenteelBen> mrBen2k2k2k_: greetings, my fellow Ben.
20:02 < xdroop> Anybody have a Fedora pptp guide using Network Mangler and cli only?
20:03 < xdroop> Suitable for Fedora 27?
20:26 < Poster> PPTP should be largely replaced by now, do you have any other options for ipsec/openvpn on the remote side?
20:29 < hweaving> xingu: Are you still around these days?
20:30 < hweaving> I seem to remember you had some ideas about methods for spreading interrupts between CPUs. I think that would be my next option to reducing CPU overhead without actually doing the drastic step of moving everything into userspace a la DPDK and/or VPP and/or Snabb
20:31 < hweaving> but I think I'd have to use different VLANs to divide the interrupts up
20:34 < ravi_> is computer networks - a top down approach a good book to learn networking?
20:36 < UncleDrax> I believe the channel favorite was Tanenbaum's book. That said, I have not read any of those formal texts on the topic
20:38 < ravi_> noob here! can anyone suggest a good cryptography channel?
20:39 < FuttBucker101> Sure, ravi!
20:39 < FuttBucker101> Why don't we chat about it? I am in
20:39 < FuttBucker101> the bitcoin channel
20:42 < kenlumbo> http://bfy.tw/HvQ3
20:42 < kenlumbo> ;)
20:42 < FuttBucker101> hi ken
20:52 <+catphish> ravi_: ##crypto
20:53 <+catphish> the problem with people who know about cryptography is that they believe that only people who already know crypto should be allowed to use it
20:54 < kenlumbo> that's the only problem?
20:54 < kenlumbo> haha
20:54 < FuttBucker101> hi cat
20:54 < skunkz> Hello, me and my friend live in the same building and we are both connected (I guess) to the same network. Here are our ipconfig outputs : https://paste.debian.net/1022848/. The problem is I can't ping his computer nor can we create LAN rooms on a game. How could I troubleshoot that?
20:55 < FuttBucker101> hi skunkz
20:55 < ||cw> skunkz: sounds like client isolation in effect. there's nothing to troubleshoot
20:56 <+catphish> kenlumbo: probably the most gatekeepered topic of all
20:56 < UncleDrax> I second ||cw . esp with a /16
20:56 <+catphish> A: I have a question about this algorithm B: don't implement crypto yourself, you will fail
20:57 < UncleDrax> I encrypt everything in ROT0
20:57 < skunkz> Ok so I won't be able to bypass this unless I have access to the router's configuration I guess ?
20:57 < mawk> is the windows firewall enabled skunkz ?
20:57 <+catphish> skunkz: is it wifi? sounds like client isolation
20:58 <+catphish> oh yeah, could be OS firewall
20:58 < skunkz> No, we are both connected via ethernet
20:58 < UncleDrax> you can use one of those Internet LAN meet-me services (like Hamachi or whatever). that might solve your problem.
20:58 < ||cw> skunkz: right, and that's a good thing really. you do not want to see your neighbors' malware infected PCs
20:59 <+catphish> skunkz: well that should work :( although the /16 implies this is a complicated LAN, it probably has protection stopping you doing this :(
20:59 < skunkz> haha I just want to avoid buying another copy of the game !
20:59 <+catphish> can you just connect with an ethernet cable?
21:00 < skunkz> How can we be sure that we are on the same network ?
21:00 <+catphish> or are these computers in different parts of a large building?
21:00 < mawk> so skunkz, is the windows firewall enabled ?
21:00 < skunkz> we have an ethernet plug in the wall of our room, then we need to authenticate to a portal
21:00 < mawk> ah, portal usually means client isolation
21:00 < ||cw> skunkz: you can use arp to find the mac address of the gateway, if it's the same, it's the same network
21:00 <+catphish> skunkz: yeah, the LAN almost certainly doesn't allow what you're trying to do, that kind of LAN very often doesn't
21:01 < skunkz> mawk: Mine isn't, I don't know about his
21:01 < mawk> use that hamachi thing, it looks good
21:01 < mawk> or use a vps if you already own one
21:01 <+catphish> very likely this LAN uses "private VLAN" where it appears to be one large network but in reality every user has their own private connection to the router :(
21:02 <+catphish> a VPS and a VPN would solve it :) openvpn in tap mode looks like a lan to software
21:02 < tds> better than the hotel I was in recently where everything was on one giant flat /16 (with no isolation) :P
21:02 < mawk> hamachi is very simple to set up, I remember using it in my gaming days when I was 12 or something
21:02 < kottt> tds: *shudder*
21:02 < kenlumbo> those are fun
21:02 < redrabbit> or build your own lam
21:03 < kenlumbo> find out who is using chromecast
21:03 < redrabbit> lan
21:03 < kenlumbo> start casting Macho man clips
21:03 < mawk> they can't do that if they can't talk to each other redrabbit
21:03 < skunkz> ok I'm gonna look at this hamachi thing, thanks
21:03 < mawk> they need a middle man
21:03 < kottt> skunkz: congratulations: You're going to have a LAN party! :D
21:03 < UncleDrax> a time-honored tradition, truly!
21:03 < redrabbit> dvorak noob; don't mind the typos
21:03 < kottt> get a switch and some chips and invent your buddy over for beer and games
21:04 < kottt> invite*
21:04 < skunkz> that's a solution as well
21:04 < redrabbit> use wifi
21:04 < mawk> connect the two computers with the ethernet cable
21:04 < mawk> ah, or wifi indeed
21:04 < mawk> adhoc wifi or something
21:04 < Apachez> catphish: or "Protected VLAN" which is what you described
21:04 < xz> hey, imagine there is a server behind the router, e.g. FTP on port 23. There is port forwarding set up on router, so the server is usable for the clients from the outside. Now how will the Ethernet header look if I as a client send the request to that server? Will it contain the router MAC address as a destination or the server MAC address?
21:05 < Apachez> aka port isolation
21:05 < redrabbit> mawk: same building
21:05 < Apachez> xz: why would you run ftp on tcp 23 ?
21:05 < xz> Apachez, 21, whatever is the port
21:05 < mawk> xz: where would that client be located ? behind that router ?
21:06 < skunkz> I have no wifi card on my desktop haha, I'll try sharing wifi from my phone and he will connect to the same wifi before trying hamachi
21:06 <+catphish> i run my ftp on port 70000 to ensure nobody can get into it
21:06 < redrabbit> i'd buy a cheap router/ap
21:06 < xz> mawk, nope. Only the server is behind the router, client will be any client on the internet (public/outside)
21:06 < mawk> lol
21:06 < redrabbit> done
21:06 < mawk> then behind the router you'll have the server MAC, xz
21:06 < mawk> after routing
21:06 < UncleDrax> xz: the router will route & translate the packet appropriately. Port Forwarding is more a specific instruction for where that will go
21:06 < ||cw> xz: the client only sees the router MAC/IP, if it sees a mac at all
21:06 < Apachez> sounds like a homework question to me =)
21:07 < Apachez> the server will most likely see the mac of the router
21:07 < Apachez> or whatever L2 domain you might have
21:07 < redrabbit> skunkz: lan > router )))))) your bud
21:07 < UncleDrax> catphish: custom TCP stack? tbh that would be pretty secure.
21:07 < ||cw> xz: you might want to study more on port forwarding and connection tracking (aka conntrack)
21:07 < xz> wait, are you saying the 'destination MAC address' field within the packet will change depending on whether it's before routing or after routing?
21:07 < tds> catphish: the real trick is to put it on the current unix timestamp mod 65535, then nobody will ever notice it ;)
21:07 < redrabbit> you won't use wifi
21:07 < skunkz> redrabbit: I don't get it
21:07 < mawk> is OOB on TCP a bad idea ?
21:07 < Apachez> you have one ethernet on WAN of router
21:07 < xamithan> Why are we answering homework questions
21:07 < Apachez> and another ethernet on LAN of router
21:07 < mawk> I'd like to use it instead of some special protocol
21:07 < Apachez> your ftp server is on LAN of router
21:08 < redrabbit> only your friend
21:08 < Apachez> your clients are on WAN of router
21:08 < xz> Apachez, correct
21:08 <+catphish> xamithan: i don't think you are
21:08 < Apachez> which gives that the ethernet frame is replaced when passing your router
21:08 < xamithan> I am not, but people are
21:08 < Apachez> and the dstip too if you use portforwarding
21:08 <+catphish> xamithan: in fact you haven't answered anything, so either help, or stop criticising others
21:08 < redrabbit> skunkz: you > wired lan > router > wifi > your bud
21:09 < mawk> the fact that a new OOB byte will make any previous unread OOB bytes drop into the in-band data queue is very annoying tho
21:09 < UncleDrax> say it with me: layer cake muthafsckr! MAC addresses are L2.. they don't survive 'through' being routed.
21:09 < mawk> who designed that thing
21:09 < xz> Apachez, interesting, I didn't know the router rewrites certain fields of the packet. So initially (before routing) the dest MAC address will be the one of the router, and then after the packet gets forwarded to the LAN side of the router, it will have the actual server MAC address as destination?
21:09 < Apachez> xz: depends on the router
21:09 < Apachez> you just said you had a portforward, didn't you?
21:10 < skunkz> redrabbit: I still don't get it, I am indeed connected to the wired lan but I don't understand the router wifi and my friend in this scheme
21:10 < Apachez> well if you don't then the router won't touch the dstip
21:10 < Apachez> and there is no conntrack needed either
21:10 < Apachez> conntrack is only needed if srcip, srcport, dstip or dstport is changed
21:10 < xz> Apachez, well, if I don't use port forwarding then the packet would never reach my server, isn't that the case?
21:10 < redrabbit> skunkz: you > wired lan > router/AP that you have to buy > wifi > your bud
21:10 < Apachez> so it can keep track of a session and put back the original stuff when the returning packets flow by
21:10 < Apachez> xz: well, depends on your network
21:10 < Apachez> assumption is the mother of all fuckups
21:10 < skunkz> ah ok that's the part I missed, you want me to buy a router ^^
21:11 < Apachez> we just assumed your router was connected to internet
21:11 < Apachez> normally you just have one ip to internet
21:11 < redrabbit> router on a separate subnet
21:11 < Apachez> so you need portforwarding on your router so somebody from internet can reach a server on your LAN
21:11 < Apachez> BUT
21:11 < skunkz> unfortunately he won't receive my wifi signal from where he lives
21:11 < Apachez> if you have plenty of public ip addresses
21:11 < xz> Apachez, hah, I'm not too experienced with routing. Let's say I have a cheap dd-wrt router with 1 external IP, a server behind that router and port-forwarding turned on.
21:11 < Apachez> there is no need to nat
21:11 < Apachez> and if you don't nat there is no need for conntrack
21:11 < redrabbit> no internet on it, just lan
21:12 < Apachez> and since you don't nat the dstip won't change
21:12 < Apachez> actually the ip header and tcp header should be intact
21:12 < tds> Apachez: well, unless you're firewalling on the router (which I'd expect a small home network to do)
21:12 < Apachez> only thing that changes is the ethernet frame header
21:12 < Apachez> which is ripped off once entering the router
21:12 < ||cw> skunkz: are you at a school? if so check your ToS on using your own router/wifi
21:12 < Apachez> and then appended on the other side with the srcmac of the router etc
21:12 < redrabbit> skunkz: even with a directional antenna?
21:12 < Apachez> tds: you can firewall without nating
21:12 < Apachez> they have nothing to do with each other
21:13 < Apachez> -oií
21:13 < Apachez> yhäöldfsdfrgjrgönl
21:13 < Apachez> fucking keyboard
21:13 < xz> Apachez, and that operation of rewriting the Ethernet header, does it happen both ways? for incoming/outgoing packets?
21:13 < Apachez> they have nothing to do with each other
21:13 < redrabbit> you can run your own vpn then
21:13 < Apachez> xz: yes, unless your router is in transparent mode aka bridge :)
21:13 < tds> Apachez: yes, absolutely, but you still need conntrack if you're going to do stateful firewalling like a home router is likely to
21:13 < Apachez> nowadays we have switches that route packets
21:13 < Apachez> routers that route packets on src/dstport and not just src/dstip
21:13 < skunkz> I'm not at school but I'm sure no one looks at what happens on the building network given the gb of copyrighted content dl'ed from there lol
21:14 < Apachez> firewalls that are transparent
21:14 < Apachez> etc
21:14 < Apachez> routers that don't decrease the TTL value of the packet flowing by
21:14 < Apachez> etc
21:14 < xz> Apachez, and does that happen also to control packets, like ICMP/SYN/ACK etc.?
21:14 < Apachez> tds: no, conntrack is only needed when you do nating (and/or pating)
21:14 < redrabbit> skunkz: you can run your own vpn then
21:14 < redrabbit> openvpn on a vps
21:14 < Apachez> xz: yes, a regular router (or l3 switch) has two different L2 domains for a single flow
21:15 < skunkz> yeah that's the last option if hamachi doesn't work well enough
21:15 < Apachez> one L2 domain on WAN and another on LAN
21:15 < Apachez> that is, one mac address on WAN interface
21:15 < Apachez> and another mac address on LAN interface
21:15 < Apachez> L2 protocols are just nexthop protocols
21:15 < tds> Apachez: hmm, I may be missing something, but for a home network wouldn't you expect the router to allow outgoing connections from the lan, but not incoming from wan? (assuming plain routed traffic with public IPs)
21:15 < Apachez> they are stripped at every L3 hop
21:15 < tds> and to do that you'll need to do connection tracking
21:16 < Apachez> tds: well my home network has public ip's on the LAN side and the firewall is transparent
21:16 < Apachez> so my firewall blocks bad things
21:16 < Apachez> and allows good things
21:16 < Apachez> and there is no nating involved
21:16 < Apachez> so no need to waste cpu and ram resources on conntrack
21:16 < tds> ah, I mentioned earlier that I was assuming the firewall would drop non-established traffic coming from wan
21:16 * tds has to deal with conntrackd between home routers :/
21:18 < xz> Apachez, hey thanks for explaining it
21:19 < LFSveteran> had my routing script working, but when I wanted to backup, stuff crashed.... argh
21:19 < LFSveteran> only have some notes: https://pastebin.com/F3w9VMHs
21:20 < LFSveteran> setup: request to eth0 is forwarded to 192.168.10.1 and back
21:20 < Windy> my CA "recommends" RSA2048 certs for https. is there a reason not to use 4096, or better: elliptic curve?
21:21 < LFSveteran> server is 192.168.10.1, router 192.168.10.2
21:21 < LFSveteran> eth0 is 192.168.0.2
21:21 < MACscr> ok, if my vpn client gets an ip of 10.8.0.x and can ping 10.0.1.2 and 192.168.0.2 that are assigned to lan interfaces on the vpn server, what do i need to do on the server to allow the client to access those subnets as a whole? the vpn server of course can ping any ip on that subnet as well
21:22 < Apachez> xz: the basics are that in computer networks you have different layers which do different things
21:22 < Apachez> the first layer is the physical one
21:22 < Apachez> here you got the actual encoding onto the wire
21:23 < Apachez> frequencies, speed, 8/10 encoding and what else
21:23 < Apachez> this is strictly hop by hop
21:23 < Apachez> also referred to as a collision domain
21:23 < Apachez> next layer is layer 2, here is where we got srcmac and dstmac and what else
21:24 < Apachez> this is more "device to device with logic", so to speak
21:24 < Apachez> like router1 <-> switch <-> switch <-> switch <-> router2
21:24 < Apachez> then router2 will see router1 srcmac if they are both on the same l2 domain
21:25 < Apachez> so this will address the physical interface of another device that sits in the same L2 domain as myself
21:25 < Apachez> then at layer3 we got srcip, dstip, ttl and what else
21:26 < Apachez> this is like if we zoom out another notch
21:26 < Apachez> now we tell who this information is designed for far far away
21:26 < Apachez> and then layer4 which is the srcport and dstport
21:26 < Apachez> which then connects to the application run on client/server
21:27 < Apachez> so the application really only cares for src/dstip and src/dstport
21:27 < Apachez> while the server will then find out who to send this packet to (default gateway) and through arp find out what mac address of the physical interface on this router this packet should be sent to as a frame
21:28 < xz> so then the router doesn't touch the IP header (layer 3) ?
21:28 < Apachez> actually it does
21:28 < Apachez> normally each L3 hop will decrease the TTL value in the ip header
21:29 < Apachez> the L3 hop where the TTL becomes equal to 0 should drop the packet and send an icmp back to the srcip of this packet that "ICMP TRANSMIT EXCEEDED" or whatever that icmp code is called
21:29 < xz> does the router touch IP addresses in the IP header?
21:30 < Apachez> but other than that the ip header shouldn't be touched
21:30 < Apachez> a regular router shouldn't touch the srcip or dstip of the ip header
21:30 < xz> I guess it might for incoming packets (as they have the external IP address as destination)
21:30 < Apachez> unless the router is performing nat
21:30 < xz> right
21:30 < Apachez> sourcenat and/or destinationnat
21:30 < Apachez> then it will change srcip and/or dstip
21:30 < Apachez> before forwarding the packet
21:31 < Apachez> so a regular home setup usually just has one ipv4 address on WAN interface
21:31 < Apachez> and then you use a rfc1918 aka private iprange on the LAN side like 10.0.0.0/8 or whatever
21:31 < Apachez> in that case if your ftp server uses ip 10.0.0.1 then the router will have to destination nat incoming packets
21:32 < Apachez> because the packets will be addressed to the wan ip of the router
21:32 < Apachez> and not the server itself
21:32 < Apachez> so the router changes the destination ip and forwards the packet while it at the same time creates a connection track entry in its conntrack table
21:32 <+catphish> a "normal" router will only look at the destination address, and won't change it, NAT routers are a bit more complicated and will change those addresses as needed
21:32 < Apachez> so when the server responds back to the srcip the router knows it should change the srcip of the returning packet to the wan ip instead of the server ip
21:33 < Apachez> the problem with nat comes with ancient protocols like ftp
21:33 < Apachez> where the server will inform the client which ip to connect to
21:33 < kottt> ethernet frames get stripped off and replaced at every hop on a path, right? so as a rule your src/dst mac address info is just gonna be the hw addresses of the adjacent devices for the most recent hop.
21:33 < Apachez> however the server will tell the client to connect to 10.0.0.1
21:33 < xz> as they use a port range instead of a single port?
21:34 < Apachez> which will never find its way to the wan ip
21:34 < Apachez> so the server can be manually configured to give out the wan ip of your router instead to make this work anyway
21:34 < Apachez> anyway, things go south quick :)
21:34 <+catphish> kottt: yes, ethernet headers are totally replaced at every hop
21:34 < Apachez> as catphish said, a regular router just routes traffic
21:34 < Apachez> that is, it looks at dstip and then it looks at its routing table to find out what the next hop is and then just forwards the packet to the nexthop
21:34 <+catphish> kottt: those addresses are only useful inside the LAN, as you say
21:35 < kottt> source IP address is still gonna be the original sender (eg outside client reaching the FTP server), and your router, doing port forwarding, is literally translating the destination address when it sees traffic that triggers its rule (eg port 21 -> 10.0.0.7 or wherever your FTP server is privately)
21:35 < Apachez> while a homerouter normally also does nat to make stuff work
21:35 < Apachez> like snat for outbound traffic and dnat for inbound traffic
21:36 < tds> to make internal connections to services exposed externally you're also stuck with either doing nat reflection or split dns (assuming you're doing nat)
21:36 < kottt> is there even a technical distinction between port forwarding and NAT/PAT? isn't PF just a higher level extrapolation of NAT?
21:36 < kottt> targeted at non-technical weenies
21:37 < Apachez> sorry for killing the channel :(
21:38 < UncleDrax> (how dare you explain something to someone that wants to learn!) [sarcasm should be obvious]
21:38 <+catphish> kottt: there are loads of terms for types of NAT, i wouldn't pay too much attention to them
21:38 < MACscr> am i asking dumb questions or am i muted right now or something?
21:38 <+catphish> NAT, PAT, NAPT, port forwarding, SNAT, DNAT
21:39 <+catphish> MACscr: bad timing probably, channel is busy
21:39 < tds> people also like calling plain NAT done on prefixes "NPT" for v6
21:39 < UncleDrax> MACscr: Apachez had the token.. darned shared collision domain networks
21:40 <+catphish> kottt: it's more important just to recognize what is being rewritten in your specific case
21:40 < kottt> yeah, I guess that's what the different terms help to identify
21:40 <+catphish> personally i use the term "source nat" to mean the source ip (and possibly port) are changed, and "destination nat" meaning the destination ip (and possibly port) are changed
21:41 < kottt> it's all just network address translation, but port forward kind of implicitly means "traffic directed to the local zone of a routing device is redirected to an internal IP"
21:41 <+catphish> but there's lots of alternative terms, if in doubt, seek clarification of what is actually being rewritten
21:42 <+catphish> port forward is unambiguous, it's what i call "destination nat", the destination IP (and probably port) is rewritten
21:42 < MACscr> ok, if my vpn client gets an ip of 10.8.0.x and can ping 10.0.1.2 and 192.168.0.2 that are assigned to lan interfaces on the vpn server, what do i need to do on the server to allow the client to access those subnets as a whole? the vpn server of course can ping any ip on that subnet as well. It's a ubiquiti edgerouter.
21:43 < MACscr> i know when doing my own vpn with iptables and openvpn, i did something like: iptables -I FORWARD -i tun0 -o eth+ -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT 21:43 <+catphish> also, don't forget that when doing some kind of NAT, you usually need to do the opposite NAT on reply packets going the other way 21:43 <+catphish> so with port forwarding, you rewrite the destination address and port, on the way in, but you have to rewrite the source address and port on the replies going out too :) 21:44 <+catphish> stateful firewalls know to do this automatically, you only have to set it up one way 21:44 < kottt> bah, it's all handled in conntrack 21:44 < kottt> <_< 21:44 <+catphish> yep 21:44 < Apachez> kottt: every L3 hop 21:44 < Apachez> so passing through a L2 switch the ethernet frame is intact 21:45 < Apachez> kottt: port forwarding is just the common name 21:45 < Apachez> while NAT and PAT is the more technical description 21:45 < Apachez> where NAT operates on srcip/dstip 21:45 < Apachez> and PAT operates on srcport/dstport 21:46 <+catphish> or "NAPT" which means both i believe 21:46 < Apachez> which gives when people say NAT-router they usually mean NAT/PAT-router 21:46 < Apachez> never heard of NAPT during the years 21:46 < Apachez> N-APT perhaps 21:46 < Apachez> national advanced persistent threat :P 21:46 <+catphish> https://en.wikipedia.org/wiki/NAPT 21:47 <+catphish> you're a national advanced persistent threat 21:47 < LFSveteran> NAT enabled for certain ports is NAPT? 21:47 <+catphish> MACscr: your problem is likely that there's no return routes from those hosts back to your client 21:48 < UncleDrax> ANPT? 
(damn pipe threading)
21:48 <+catphish> you can send packets to 10.0.1.99, but it doesn't know how to send packets back to your 10.8.0.x IP
21:48 <+catphish> MACscr: there are 2 solutions, 1) set up a route on that remote network's router, so it knows to send 10.0.8.0/24 via the vpn server
21:49 <+catphish> MACscr: or 2) use NAT so all the packets appear to come from the VPN server's IP
21:49 < MACscr> catphish all im doing though is replacing my openvpn server/gateway with this edgerouter
21:49 <+catphish> err
21:49 <+catphish> is the vpn server also the default gateway for those networks?
21:49 < MACscr> ah, though i guess i do have this test one as 192.168.0.2 and not 192.168.0.1, which acts as the gateway for those hosts
21:49 < Apachez> MACscr: have you read the ubnt howtos?
21:50 < MACscr> ah, i think that might be it. going to do a test
21:50 <+catphish> it'll only work if the vpn server is the gateway for those networks
21:50 <+catphish> otherwise you'll need static routes
21:50 < MACscr> yep, that was it. thanks!
21:50 < MACscr> i knew i was missing something simple
21:51 <+catphish> cool
21:51 < LFSveteran> sounds like my problem
21:54 < xdroop> Poster: no, this is a VPN given to me by a partner for access to their network -- they are not networking guys so this is all they can do
22:01 < LFSveteran> where can I find info about routing with conntrack?
22:01 < LFSveteran> If I can create the rules myself, the better
22:03 < Craig__> Hello
22:03 < ||cw> LFSveteran: you don't exactly route with conntrack. conntrack just helps out with NAT, keeping track of where connections go
22:04 < ||cw> LFSveteran: you shouldn't need to do anything with it, except maybe for something FTP-like that it doesn't already handle
22:04 < LFSveteran> it bundles different routes? eg. groups them?
22:04 < ||cw> no?
22:04 < LFSveteran> ok
22:05 < ||cw> it tracks connections.
like, it inspects for FTP traffic and looks for the alternate port commands and sets up that connection map automatically
22:06 < ||cw> most protocols don't really need it, standard NAT tracking works fine
22:06 < LFSveteran> ok, need to dive into NAT then
22:07 < LFSveteran> problem: "router" listens on eth0 at a certain port, and forwards this through eth1 to an external server, and traffic is to be routed back
22:07 < MACscr> catphish everything is working perfectly. Thanks again for the help. Was able to retire my lxc based vpn/gateway. Only negative i've found so far is that i couldn't push routes to the clients, but oh well at this point
22:08 <+catphish> cool :)
22:08 < LFSveteran> let's say it's a webpage, I use the address of eth0 and the webserver which the request is routed to is on the network with eth1 of the router
22:09 <+catphish> catfish fact: the catfish is not a type of cat at all, in fact it is a fish
22:10 < UncleDrax> and also delicious
22:11 < ||cw> LFSveteran: do you mean port forwarding? it's not clear what you want here. routers don't normally listen on ports and forward to external servers
22:11 < LFSveteran> a fish specially for cats?
22:11 < LFSveteran> typical port forwarding
22:12 < LFSveteran> I call it router, but probably not a router, my bad
22:12 < ||cw> port forwarding is for external clients to connect to the router and it forwards to an internal server on the LAN
22:12 < ||cw> eth0/1 aren't important either, but which is WAN and which is LAN are
22:13 < ||cw> so, what's the question?
22:13 < ||cw> how to do it? it depends on your OS
22:15 <+catphish> lalalalalalala
22:15 < LFSveteran> https://awwapp.com/b/u6d9sxgjp/
22:16 < LFSveteran> and done with linux/iptables
22:17 < ||cw> LFSveteran: is the middle box a router? this is really unclear
22:17 < ||cw> IDK why you'd do that
22:17 <+catphish> someone erased my drawing :(
22:17 < ||cw> what network is the middle box a router for?
22:17 < LFSveteran> the middle is the "router" e.g.
the machine to configure
22:18 < LFSveteran> left is LAN A, right is LAN B or internet
22:19 < ||cw> if you want .2 to pretend to be the web server, you probably actually want a reverse proxy; nginx or apache can do that
22:19 < LFSveteran> so the request is done to the box, forwarded to the webserver, and the response of the webserver is routed back through the box to the pc
22:19 < LFSveteran> actually it will be some samba ports
22:19 < ||cw> if you want the middle box to be a router, then do that, and the PC would then connect to the web server directly
22:20 < ||cw> CIFS can work over the Internet with a normal router. it's generally a bad idea though
22:20 < ||cw> use a VPN
22:21 < LFSveteran> it's not the router to the internet, so not the default route
22:21 < ||cw> so make a route on your router to send traffic to that subnet out that alternate gateway
22:22 < ||cw> is that already a VPN?
22:22 < LFSveteran> so modified drawing
22:23 < ||cw> I don't quite understand LAN B. is it internet? or a private lan?
22:23 < LFSveteran> private lan
22:23 < ||cw> I get you're trying to be minimalist in what info you expose, but you're being too minimal.
22:23 < LFSveteran> just two separate lans
22:24 < ||cw> then why does it have a public IP?
22:25 < ||cw> you just need to add routes. you need the middle box to act as a router, without NAT probably, and modify the router that's the default route on both LANs to direct traffic to the other subnet over this middle box
22:26 < ||cw> the big ugly question is, why is it going through this middle box in the first place? just make your router do it, that's what routers do.
22:27 < LFSveteran> I want the server separated from the rest
22:31 < ||cw> then add your routes on the routers. you could add them on each client that needs access across
22:32 < ||cw> since you said samba share I'll assume the PC is windows.
something like this would do: route add 192.168.10.0 mask 255.255.255.0 192.168.0.2
22:33 < ||cw> and something similar on that server too
22:33 < LFSveteran> trying to use the router then
23:08 < mawk> is TCP out-of-band bad?
23:36 < truckcrash> So google has just made .app publicly open to registration - they stipulate that users of .app must use https. This raises a number of questions but primarily how do they plan on enforcing that? Anyone know?
23:39 < AlexPortable> Would you say wpa2-enterprise is more secure than wpa2-personal?
23:40 < ||cw> mawk: out of what band?
23:40 < qman__> AlexPortable: depends on the threat and the implementation
23:41 < ||cw> AlexPortable: sure, users all using the same password isn't really very secure
23:41 < AlexPortable> every user/device another password?
23:41 < ||cw> one user leaks it and you don't really have a password anymore
23:42 < AlexPortable> but isn't that just the same problem as with wpa2-personal?
23:42 < ||cw> no, you can disable one user or change their password and all the other users are unaffected
23:43 < AlexPortable> can i somehow limit one password per device?
23:43 < ||cw> are you sure you know what wpa2-enterprise is?
23:43 < AlexPortable> yes
23:43 < ||cw> then why are you asking that?
23:43 < AlexPortable> i don't know if it's possible
23:44 < mawk> just out-of-band ||cw
23:44 < ||cw> if what is possible? the question makes no sense
23:44 < mawk> OOB data over TCP
23:44 < ||cw> mawk: and into what other band?
23:44 < mawk> it's send in priority over normal (in-band) data
23:44 < mawk> sent
23:45 < ||cw> that's not what out of band means
23:46 < mawk> I'm not responsible for how they called that
23:46 < ||cw> who
23:46 < mawk> people who designed TCP OOB
23:47 < mawk> using send(2) with flags = MSG_OOB allows you to send 1 byte that should be transmitted with high priority to the recipient, and it will generate a SIGURG signal
23:47 < mawk> and the byte can be read with recv(2) with flags = MSG_OOB, given some conditions
23:49 < ||cw> that doesn't seem useful for transmitting actual data. more for sending a command to interrupt normal processing
23:49 < mawk> yeah, exactly
23:49 < mawk> I was wondering if the usage of this thing is recommended against or not
23:49 < mawk> I know telnet uses it extensively
23:50 < ||cw> I wouldn't use it unless you really need it
23:50 < ||cw> just like many other things that affect priority
23:50 < mawk> it would be to cancel a transaction
23:50 < ||cw> that would seem important
23:52 < joro_> Hi guys, i want to ask... is it possible to learn computer networks only by reading books... and how would someone practice computer networking?
23:53 < ||cw> joro_: at a basic level you can learn with virtual machines and their virtual host-only and NAT networks
23:54 < mawk> systemd-nspawn is great for this
23:54 < mawk> especially with a btrfs file system, it takes no time to clone a container and add it to a network
23:54 < mawk> then you can play around with networking, with NAT and all
23:55 < ||cw> assuming you're using a system that supports containers :)
23:56 < joro_> hmm
23:57 < tester> i have 2 aps on the same network. different brands (tplink and some chinese company). both run 802.11n.
23:57 < tester> when i use the same phone to do speed testing, and place it 20cm from each router
23:57 < tester> i get 45mbps on one of them, and 15~20mbps on the other.
23:57 < tester> what can explain this?
23:58 < tester> both are configured to run on 40mhz
23:59 < joro_> i started with docker days ago, is systemd-nspawn better?
--- Log closed Wed May 02 00:00:04 2018