--- Log opened Wed May 02 00:00:04 2018
--- Day changed Wed May 02 2018
00:00 < ||cw> tester: 20cm is REALLY close. try a meter. one is just handing a swamped receiver better
00:00 < tester> i doubt this will make a difference, but one moment.
00:02 < tester> ||cw tested with 1 meter away. 45 vs 20
00:12 < Terminus> hello. i'm doing a crapload of transfers from my laptop to my desktop and i'm looking at my router's tx/rx and it's only a few hundred kbps at most yet my desktop is receiving ~100 mbps. what's going on here? i thought all wifi traffic goes through the AP? laptop is 802.11n and desktop is 802.11ac, both on 5 GHz if that matters.
00:13 < djph> router may only be showing *routing* traffic
00:14 < Terminus> djph: i'm looking at the interface rx/tx itself though.
00:14 < djph> wifi interfaces can be fun
00:14 < djph> e.g. it might not actually "be" wlan0 (ath0, whatever)
00:19 < Terminus> djph: pretty sure wlan2 is the 5ghz interface my desktop is connected to. https://i.imgur.com/YmVuTjI.png
00:20 < Terminus> router is a mikrotik hap ac.
00:22 <+catphish> if both are on the same radio, the router may only show what's routed, not traffic that's just reflected
00:22 < Terminus> definitely wlan2 -> https://i.imgur.com/v8fCH9d.png
00:23 < Terminus> catphish: even if i'm looking at interface stats and not routing stats?
00:24 <+catphish> the interface stats likely only show traffic between the cpu and the interface
00:24 <+catphish> but traffic that bounces off the AP doesn't need to go anywhere near the routing cpu
00:25 <+catphish> so it may not be recorded
00:25 < Terminus> catphish: i see so in this case, it doesn't hit the CPU? the interface already knows where the traffic is heading to on rx so just immediately forwards it without involving the CPU?
00:25 <+catphish> wifi AP interfaces are unusual, because they can reflect traffic without it needing to enter the cpu
00:26 <+catphish> Terminus: i suspect that's the case, yes, though my only evidence is what you're saying
00:26 <+catphish> since i've never tested it peronally
00:26 <+catphish> *personally
00:26 < AlexPortable> ||cw: well can i limit one password per device?
00:26 < Terminus> ah... makes sense though since that's much faster.
00:26 < Terminus> thanks catphish
00:31 <+catphish> Terminus: that's the idea, routing via the cpu is often slower
00:42 < MACscr> hmm, seems i cant actually query my edgerouter for dns. When i try: dig puppet @192.168.0.1, it times out
00:43 < MACscr> i have the system nameserver set to 127.0.0.1 within the edgerouters configs and the proper entries are in its /etc/hosts file
00:46 < MACscr> i am not using dhcp, so that doesnt come into play here
00:47 < admiralspark> Okay, guys, here's some requirements for a network device: 12 or more ports (no PoE), l2/l3, at LEAST two SFP+ ports for 10G connectivity, and 48v dc power
00:47 < admiralspark> gotta love em
00:49 < djph> think UniFi or EdgeSwitch have DC-Power options (although you will get PoE)
00:50 < justin^^^> what do i buy to make my girlfriend a better car key RF device? that is, to identify the frequencies it emits to unlock/lock the car and then to recreate them?
00:51 <+catphish> MACscr: "i have the system nameserver set to 127.0.0.1 within the edgerouters configs and the proper entries are in its /etc/hosts file" i don't understand that at all, why would you point it at itself?
00:51 < justin^^^> I already have an arduino microcontroller
00:51 < djph> justin^^^: aftermarket security system for the car
00:51 < admiralspark> djph: thanks....need more reliable and 5-10 year support though. Like Cisco TAC level support (so slightly above none at all? haha)
00:52 < djph> you're not legally gonna get the hardware in most places, since they can be used for less-than-savoury purposes
00:52 < justin^^^> djph: I'd rather not spend that much money and I also want to do this for the brain stimulation
00:52 < admiralspark> mgmt wants a neck to squeeze if it all goes to shit
00:52 <+catphish> and i doubt its dns looks in /etc/hosts, it might, but i wouldn't assume so
00:52 < djph> admiralspark: fair enough. Guess Cisco, Juniper, HP, etc then?
00:53 < MACscr> catphish because it should always reference itself before looking at the public nameservers
00:53 < MACscr> and thats what the guides show it should be doing
00:53 <+catphish> MACscr: but wouldn't that just make a loop :|
00:54 < Zepo> Hello guys. I have a debian server running but someone is using blocking all the traffic, is there a way to filter that person out and "kick" him out for a limited time ?
00:54 <+catphish> maybe for its own lookups, but in that case, not relevant to the dns server
00:54 <+catphish> Zepo: what do you mean by "using blocking all the traffic"
00:54 <+catphish> what are they doing?
00:54 < MACscr> catphish http://paste.debian.net/1022864/
00:55 <+catphish> ok, so you forward to 1.1.1.1 and 8.8.8.8, that's fine then
00:56 < Zepo> catphish: I assume they download something. I get really low rates if I try to watch videos but the server shouldnt be that slow. If I watch with iftop I see people using 5 - 10 mb/s which is "too much" for the server
00:56 < admiralspark> djph: yeah. Cisco's only offer that meets all of it is locked behind a vendor paywall
00:56 <+catphish> MACscr: that all looks ok, do lookups of external names work?
00:56 < admiralspark> cant even get spec sheets
00:56 <+catphish> MACscr: if so, it probably just doesn't use /etc/hosts, i wouldn't expect it to
00:56 < MACscr> yes. the problem is that it seems i cant even query the ubiquiti for dns
00:56 < djph> admiralspark: no VAR to get them from?
00:57 < MACscr> if i do dig google.com @192.168.0.1 (the lan ip), it times out
00:57 <+catphish> Zepo: maybe use tcpdump to see what's using the bandwidth
00:57 <+catphish> Zepo: then block it with iptables
00:58 <+catphish> MACscr: well that's weird, either it's firewalled, or it can't access 1.1.1.1
01:00 < admiralspark> djph: we don't have a "partner"....I'm new and they shop around
01:00 < djph> well, then get yourself a VAR that can get you the docs, and those sweet, sweet VAR benefits
01:02 < admiralspark> I agree
01:02 < admiralspark> boss, however...well
01:02 < admiralspark> you know how it is
01:02 < admiralspark> culture shift
01:02 < admiralspark> anyway
01:02 < MACscr> catphish hmm, i got it working within the lan. looks like i broke something again within my vpn. doh
01:02 < djph> then you're at "pony up the dosh to Cisco"
01:08 < Terminus> admiralspark: i'm checking cisco out, out of curiosity, and it looks like WS-C3650-24TD might work for you. you'll need to swap out the AC supply for a DC one.
01:09 < Terminus> either that or a 3850.
01:14 < Terminus> admiralspark: also juniper EX3300-24T-DC
01:18 < AlexPortable> I've setup two 'private' VLANs, port based. is there anything I still need to do now or are the clients separated from each other?
01:22 < djph> AlexPortable: firewalls?
01:22 < AlexPortable> nothing in the firewall tab about vlans
01:22 < djph> AlexPortable: what router?
01:22 < AlexPortable> firewall -> port configuration, action allow/deny and rate limiter id
01:23 < AlexPortable> draytek vigor 2130
01:26 < djph> suppose you'd set new chains on different "port" then ... least that's how it sounds you'd have to do things
01:27 < AlexPortable> for the firewall you mean?
01:27 < djph> yeh
01:29 < AlexPortable> still no idea
02:21 < spaces> IRC is messed up these days
02:21 < spaces> or Freenode is
02:32 < Mchammerdad> I have a pretty in-depth question on ubiquiti unifi switches. Is there a more appropriate channel or should I take my chances with this one?
02:34 < djph> here, or #ubnt
02:34 < djph> * ##ubnt
02:35 < djph> or the forums
02:39 < Mchammerdad> Anyone here know how I might go about getting an invite to that channel?
02:44 < meingtsla> Mchammerdad: ##ubnt is not +i.
02:45 < dogbert2> hey djph
02:54 < djph> yo dogbert2
02:54 < dogbert2> whazzup?
02:54 < djph> nm here, you?
02:54 < dogbert2> just got home from a long day at w3rk
02:55 < compdoc> would you make us some dinner?
02:56 * dogbert2 looks at compdoc...go to the local burger joint :)
02:56 < djph> ^
02:56 < dogbert2> gee, 2/3rds of 8th grade students in the US aren't proficient in reading and math
02:58 < djph> sounds about right
02:59 <+pppingme> dogbert2 only when you look at "public" schools, if you look at private, and more so for homeschooled, students achieve much higher.
02:59 < dogbert2> yeah...well another study shows that 67% of students admitted to community colleges in the US and 40% into 4 year colleges need remedial coursework in english and math
03:01 < dogbert2> pppingme...most students think they're ready for a STEM major...I've told plenty of them, if you haven't taken math through algebra II/trig, 3 years of science (2 of which are lab sciences), 4 years of english, including literature and composition, and 3 years of history/gov't (with solid knowledge of material)...you ain't ready
03:01 < dogbert2> then they throw up when they see the math required for a comp sci degree :)
03:02 < djph> hehe, I threw up when I got a fresh-off-the-boat import for a maths teacher :( I'd have had a better time if he spoke in ... whatever his first language was :(
03:04 < dogbert2> heh...well, when a comp sci degree requires calc I/II, linear algebra, applied stats, Diff Eqns I/II, Abstract Algebra, and Numerical Analysis, plus Engineering Physics I/II, Symbolic Logic (philosophy dept), and Digital Logic I/II...they usually change majors
03:06 < djph> dogbert2: couldn't even get past calc1/2, since his english was so broken, even the written tests were incomprehensible :(
03:07 < dogbert2> djph...had the same issue in Linear and Abstract Algebra
03:08 < dogbert2> though most students who have difficulty doing this are going to struggle in calc: lim (x->5) (x^2 - 25) / (x - 5)
03:08 < djph> yeh, i ended up doing nearly the entire major anyway, since the Comp. Sci. and Comp. Info. Systems were pretty close (just less maths, and more biz classes)
03:08 < djph> ERR,DIV0
03:08 < dogbert2> yeah...most IS degrees require a lot less math...
03:09 < djph> its been far too long since I did it though
03:09 < djph> it's a funny s-curve tho
03:09 * dogbert2 looks at djph...nope...factor the top and cancel
03:09 < dogbert2> lim (x->5) (x + 5)(x - 5) / (x - 5) == ?
03:10 < djph> dogbert2: 3 beers in.
03:10 < dogbert2> x == 10 :)
03:10 < dogbert2> but in reality, to solve that limit requires nothing more than algebra 1
03:11 < djph> too much maths and it's been too long since I've had to do it. It really gets rusty quick
03:11 < dogbert2> well, calc for dummies is a good refresher... (that tactic is called 'plug and chug')
03:12 < djph> yeah, I'd have to do that
03:12 < dogbert2> calculus = the agony and dx/dt :)
03:12 < djph> I *may* end up getting heavy maths books again if/when I get heavily into C again
03:12 < djph> picking it up (slowly) so I can play with arduinos
03:12 < dogbert2> djph...not needed, really... :)
03:13 < djph> dogbert2: no, it's not needed, but apparently it's helpful with more of the "classic"(tm) C books.
03:14 < djph> realistically, it'll probably amount to "talk" rather than "activity" though
03:14 < dogbert2> yeah...which is why I like Practical C by ORA (The cow book)
03:14 < djph> I meant in that I was considering stuff like Knuth. K&R2 for now is pretty easy to follow
03:15 < dogbert2> LOL...scotland battles alcohol crisis by minimum alcohol pricing
03:15 < djph> but realistically, Knuth (etc) is a BIG leap from "learning"
03:15 < dogbert2> Knuth requires some heavy duty math
03:15 < djph> dogbert2: yay! cheaper booze!
03:15 < djph> dogbert2: yeah, I know
03:15 < dogbert2> no, more expensive b00ze
03:15 < djph> NOOOOOOOOOOOOOOOOOOOOOOOOOOO
03:16 < djph> dogbert2: which is why "realistically", I'm probably never going to get Knuth, or the math books
03:20 < dogbert2> u drink too much b00z3, your junk falls off
03:21 < djph> dogbert2: is that like going blind?
03:21 < dogbert2> LOL...
03:22 < ouemt> so my ubiquiti er-4 apparently just stopped working (mostly) at 6:25am today, like that's the last log entries in /var/log/messages until I unplugged it just a min ago, but I could still get to the internet on one or two wired devices
03:22 < ouemt> any guesses or troubleshooting suggestions?
03:22 < dogbert2> power glitch?
03:23 < ouemt> I was home for 3 hours after it stopped working, and we didn't notice any problems
03:23 < ouemt> with the power*
03:23 < dogbert2> I have a D-Link AC 1750 (DIR-859)
03:24 < dogbert2> if you have a system dedicated as a syslog server you could set the logging to point there from the ER-4
03:24 < ouemt> I don't
03:24 < ouemt> the er is the first piece of what I hope becomes a homelab
03:24 < ouemt> but, graduate student, so purchases will be slow
03:24 < dogbert2> get some old junk gear, and build a frankenputer linux box
03:25 < ouemt> been considering getting another raspberry pi to try and run some network services on
03:25 < dogbert2> I have a libre computer (Le Potato): http://snoopy.ciscofreak.com/libre.html
03:26 < ouemt> not least of which would be ubnt's unifi software
03:26 < dogbert2> should have gotten the 2GB version for $10 more :)
03:26 < ouemt> how much did that guy set you back?
03:27 < dogbert2> well, the board itself was $35...power adapter $9, 32GB microSD $12 (sale at frys), and a case for $8
03:28 < dogbert2> you gonna run a RPi or clone, don't skimp on power
03:30 < ouemt> neat
03:30 < ouemt> didn't know that existed
03:31 < dogbert2> you can find anything on amazon :)
03:34 < dogbert2> LOL... Chicago Bears - Super Bowl Shuffle
04:16 < ouemt> hmmm, my VPN config also disappeared
04:16 < ouemt> I specifically remember typing both commit and save...
05:22 < SlidingHorn> I'm here, which means "Stupid Question Time" - Do rules regarding DNS further down the chain (e.g. an individual device vs. at the modem level) take higher priority?
05:24 < SlidingHorn> I ask because the ISP-provided modem doesn't have the option to change DNS servers, whereas I have my own router after it (wall > modem > router > my personal devices) - Would changing the DNS servers on the router and/or devices ignore the ISP-set rule in the modem?
05:35 < HickorySmokedBac> Would it be possible for a mikrotik RB951-2..something something to pick up the wifi off of a mobile phone hotspot and then route it ?
05:35 < HickorySmokedBac> Or should I just buy all wifi adapters for my PCs..
05:36 < atten10> HickorySmokedBac, try it
05:36 < HickorySmokedBac> atten10: how? is the question
05:36 < atten10> well that isn't the question you asked
05:36 < atten10> but you should still try it
05:36 < HickorySmokedBac> Would it be possible
05:36 < HickorySmokedBac> I'm assuming you are saying it probably is?
05:37 < atten10> would it be possible? probably, I'd venture to say I could do it
05:37 < HickorySmokedBac> I had to move where there are no ISPs , and they don't care
05:37 < atten10> I too don't care, but you should definitely try it
05:37 < HickorySmokedBac> And I'm not going to be here 2 years so.. Exede/ViaSat is out of question
05:37 < atten10> it would be fun to get into a project like that
05:37 < atten10> you'll learn a lot
05:38 < HickorySmokedBac> I'll see what the mikrotik forums say too
05:38 < atten10> think of it like this
05:38 < atten10> can your computer connect to your phone's hotspot?
05:39 < HickorySmokedBac> I'm going to be forced to use Verizon Wireless
05:39 < HickorySmokedBac> no
05:39 < HickorySmokedBac> That's the problem
05:39 < HickorySmokedBac> None of them have wifi
05:39 < atten10> how does it connect then?
05:39 < HickorySmokedBac> I'm using USB tether
05:39 < atten10> I see
05:39 < HickorySmokedBac> USB tether for now
05:39 < atten10> so your computer can connect to it via usb
05:39 < atten10> and other computers could connect to your computer via wifi
05:39 < HickorySmokedBac> Yes. But I'd like to be able to at least take the phone like.. to the kitchen or bathroom..
05:39 < atten10> thus you can ultimately do it
05:40 < atten10> lol well you're kinda fucked with no internet tbh
05:40 < atten10> I'd move
05:40 < HickorySmokedBac> I am
05:40 < HickorySmokedBac> On apartment waiting list after losing house
05:40 < HickorySmokedBac> had to move in with brother for temp
05:40 < atten10> you lost your house?
05:40 < HickorySmokedBac> He's in the country too
05:40 < atten10> that sucks
05:40 < HickorySmokedBac> Well, parents died
05:40 < atten10> sorry to hear that friend
05:40 < HickorySmokedBac> And I didn't make enough for mortgage
05:40 < HickorySmokedBac> and bills
05:40 < HickorySmokedBac> and food
05:40 < SlidingHorn> this escalated quickly
05:40 < atten10> I know damn
05:40 < HickorySmokedBac> so, house had to go
05:41 < atten10> did you at least get full price for the house?
05:41 < HickorySmokedBac> hellllll naw
05:41 < atten10> I would've taken out another mortgage on it or something
05:41 < atten10> bought some time
05:41 < HickorySmokedBac> The bank's adjuster came out and beat it down to nothing
05:41 < HickorySmokedBac> well nearly nothing
05:41 < HickorySmokedBac> Wasn't even enough to cover funerals
05:41 < atten10> did you tell him that you fixin to shoot anyone serving papers
05:42 < atten10> well its water under the bridge now so you can only move forward
05:43 < atten10> I suck at emotions so let's focus on the wifi problem
05:43 < HickorySmokedBac> yeah hell I just hated to see it go all because they took out a loan a long time ago
05:43 < atten10> maybe there is a wireless usb option
05:43 < HickorySmokedBac> It was time to do a ton of upgrades at that place again anyway
05:43 < HickorySmokedBac> And I couldn't afford it
05:43 < HickorySmokedBac> So, really it was the best option to move.. even if it was in family name for 100+ years
05:43 < HickorySmokedBac> but anyway
05:45 < atten10> do you have unlimited data?
05:45 < atten10> if you start ramping up hotspot usage
05:45 < atten10> it's going to chew through a giant chunk of data
05:45 < HickorySmokedBac> Yeah, Verizon has 600 kbps unlimited now
05:45 < atten10> gross
05:45 < HickorySmokedBac> Which is gonna suck
05:45 < atten10> they are surely going to be traffic shaping as well
05:45 < HickorySmokedBac> But it's what I got..
05:46 < atten10> have you gone to verizon and asked for a wifi hotspot?
05:46 < HickorySmokedBac> Those are only 10 GB max
05:46 < HickorySmokedBac> I think
05:46 < atten10> on 600kbps
05:47 < atten10> you could download 10gigs in 40 days
05:47 < atten10> so you're fine
05:47 < HickorySmokedBac> Nah, full 4G LTE Speeds on the capped stuff
05:47 < atten10> so my question is
05:47 < atten10> did you go to verizon and ask them about your situation?
05:48 < HickorySmokedBac> I called them earlier
05:48 < atten10> don't call them
05:48 < atten10> here is my advice if I were you
05:48 < HickorySmokedBac> They said I may want to contact contract verizon
05:48 < atten10> go down to the store
05:48 < atten10> talk to a manager
05:48 < HickorySmokedBac> Prepaid Verizon said Contract Verizon may have something unlimited uncapped..
05:48 < atten10> right so let's start over
05:48 < atten10> go down to verizon
05:48 < HickorySmokedBac> OK
05:49 < atten10> talk to a manager
05:49 < atten10> explain your situation
05:49 < atten10> explain WHY you are in this situation if you need to
05:49 < HickorySmokedBac> here is also MetroPCS, but its coverage isn't good enough to mess with
05:49 < atten10> I would also, before going to verizon
05:49 < atten10> go to their 2 biggest competitors in the area
05:49 < HickorySmokedBac> Which is Metro
05:49 < atten10> and ask THEM what they would do "Since verizon said no.... (lie)"
05:49 < HickorySmokedBac> And I think maybe Sprint
05:49 < atten10> then take the information to verizon and when they say no, say well XYZ competitor said ABC
05:52 < atten10> HickorySmokedBac, I'm going to start surfing the internet until the next question comes up in here, let's recap: What are you going to do this week to resolve your problem?
05:53 < HickorySmokedBac> atten10: call suddenlink and whine they don't come out to country?
05:53 < atten10> also, plan Z is always satellite internet (it is insanely fast, but they traffic shape to all shit and latency is terrible.)
05:53 < HickorySmokedBac> atten10: I couldn't take my father's ViaSat/Exede internet account with me
05:53 < atten10> I would recommend that as well, but that isn't what I suggested
05:53 < HickorySmokedBac> I had to terminate it
05:53 < atten10> they will most likely tell you they need a petition to bring internet out to your house
05:54 < atten10> we need 200 customers to sign letter of intent etc etc
05:54 < HickorySmokedBac> Thus, Exede/Viasat would want a contract
05:54 < atten10> or you need to pay $10,000 to run cable yourself
05:54 < HickorySmokedBac> And I can't do a contract
05:54 < atten10> why can't you do a contract?
05:54 < HickorySmokedBac> I won't be at my brother's house long enough
05:54 < atten10> how long will you be there?
05:54 < atten10> approximately
05:55 < HickorySmokedBac> well I been waiting at 47 on apartment waiting list since Dec
05:55 < HickorySmokedBac> I'm now 23
05:55 < HickorySmokedBac> So probably 4-7 months?
05:55 < atten10> sounds like you'll be there for longer than you think
05:55 < atten10> thus a one year contract might not be a bad idea
05:55 < atten10> ask your brother to take the contract and you pay him
05:55 < atten10> since he will not be relocating
05:55 < atten10> if he says no (I would say no)
05:55 < atten10> then you have to decide
05:56 < HickorySmokedBac> They use mobile internet is all
05:56 < HickorySmokedBac> No PCs
05:56 < HickorySmokedBac> So he won't
05:56 < atten10> I mean I wouldn't either
05:56 < atten10> I also wouldn't live in the sticks
05:56 < atten10> but that isn't the point
05:56 < atten10> you've been on a wait list half a year
05:57 < HickorySmokedBac> You can't make pew pews in the city
05:57 < HickorySmokedBac> Less you are killing someone
05:57 < atten10> I live like .2 miles outside city limits
05:57 < atten10> I shoot my guns all the time
05:57 < HickorySmokedBac> any out, is plenty out
05:57 < atten10> 5 minute drive to city, 10 minutes to downtown
05:57 < atten10> there is a way to make it happen, but we are talking semantics
05:57 < atten10> it sounds like you're just kinda fucked either way
05:58 < atten10> so I would look into wireless USB "cable"
05:59 < atten10> also another option
05:59 < atten10> get another phone on your plan
05:59 < atten10> pretty sure you can cancel it at anytime
05:59 < atten10> then leave it plugged into your "wireless router"
08:30 < Project86__> Would running a vpn server on VM, be safer than on device itself? I'm assuming I'd need at least one WiFi dongle. i'm just thinking in case someone tried to get into the host machine, if I had it set as a public(open) VPN router
08:31 < Project86__> Was thinking if through vm with no bridge, using separate WiFi dongle, it may make things more difficult? Or am I wrong? Like if I made the "open network" a honeypot to watch everything going on. Or is it just as secure to do on host machine that way?
08:37 < winsoff> Alright, so I have a mikrotik HAP, and it is connected to a cisco WAP (unsure of the model--I can look if you really need me to). I need to know a few things.
08:38 < winsoff> The network that the WAP provides has client isolation enabled. The hAP(lite) does not. Can I disable NAT and DHCP on the hAP and have addresses come from the WAP's network to clients on the hAP(lite)'s network?
08:38 < nojeffrey> With cisco/ios, you can prepend 'no' to just about any command to remove that setting/option you just set, does ubiquiti have an equivalent?
08:39 < winsoff> If so, how do I configure this in routerOS? I just want to be able to disable NAT (though it's only one NAT to the internet, I'm still thinking it's an improvement in latency to have no NAT at all, right?)
08:39 < winsoff> nojeffrey: hmm, i'll check; this isn't ubnt, but that's a good start
08:40 < nojeffrey> ubiquiti is a fork of vyatta I think
08:41 < nojeffrey> well EdgeOS is a fork, not ubiquiti
08:45 < MrNaz> Setting up 2 servers and a storage array in a rack, want all to be connected via 10GbE... is there any difference between buying SFP+ modules using RJ45 vs SFP+ modules using fibre?
08:50 < winsoff> Sorry about that. Now that I think about it, I basically just want to use the hAP as a switch+ap, which would make it just a layer 2 device.
08:57 < detha> MrNaz: Ain't no such thing as 10Gb SFP+ RJ45, there is fiber and DACs
08:59 < hugge> and that's where you are wrong.
09:00 < hugge> https://www.fs.com/products/66612.html
09:00 < hugge> However i wouldnt recommend them to anyone
09:00 < hugge> but they do exist
09:01 < detha> does that work within SFP+ power budget? Or just 'we'll draw what we need, and assume the device will supply it' ?
09:02 < MrNaz> detha but... i've seen them ubiquiti sell them as do broadcom
09:02 < MrNaz> or am i mistaken?
09:04 < detha> MrNaz: as far as I know, there are 2 ways to create a SFP+ 10Gb module: ignore the SFP+ maximum power budget, or ignore the 10Gb ethernet spec. Either will work, some of the time.
09:07 < MrNaz> hmm
09:07 < MrNaz> so then you're saying that SFP+ cannot do 10G ? or is that only with cat6?
09:10 <+pppingme> that module claims it uses 2.5 watts.. isn't sfp+ power limit 1 watt?
09:10 < detha> one can build something that fits in an SFP+ slot, and transfers 10Gb/s over copper. But not within both SFP+ and 10Gb ethernet specs.
09:10 < Phil-Work> I've seen those on fs.com, then got confused as to why someone would spend significantly more on one of those vs a DAC
09:11 <+pppingme> Phil-Work distance... copper always "feels" cheaper, even if its not
09:12 <+pppingme> most sfp+ dac's aren't very long
09:12 < Phil-Work> yeh, but MM optics are also significantly cheaper than those
09:13 < Phil-Work> I was only looking because, for some ridiculous reason, Dell decided to present the 10G ports as RJ45 on their gen14 servers
09:13 < Phil-Work> it was cheaper to put 10G SFP+ cards in and use DAC/optics
09:23 < nojeffrey> I have a core stack of Cisco switches running PVST+, I'm about to introduce a bunch of ubiquiti switches, should I leave PVST+ on the cisco, or switch it over to MST, as ubiquiti's by default have MST enabled.
09:25 < Phil-Work> nojeffrey, personal choice
09:25 < Phil-Work> I prefer MST
09:26 < nojeffrey> Which is easy to configure/get my head around
09:45 < simoneb> I have a weird problem: if I ping a node's IP address, the receiver will get ICMP requests and replies (I've checked with tshark), but the client reports all pings with "request timed out". Any clue?
09:46 < simoneb> receiver has 2 NICs, and one of them is over vlan
09:46 < r0ss> simoneb: probably a firewall somewhere? Are you using linux/iptables?
09:46 < simoneb> client was windows and receiver is omnios (opensolaris derivative)
09:47 < simoneb> no firewalls afaik
09:47 < detha> simoneb: is the reply going out the same interface the request came in on?
09:48 < detha> ne'er mind, solaris ties IP to interface if I remember right
09:57 < LissajousPattern> man my networking skills are improving
09:59 < funabashi> Hi guys can anyone be nice and tell me where i can see the incoming interface and outgoing interface in wireshark?
10:00 < simoneb> detha: yes, same interface, checked with tshark. (the vlan is a virtual interface anyway)
10:03 < detha> simoneb: if the reply goes out, with the correct source/dest IP and correct dest MAC, I would start pointing at windows and/or firewalls
10:05 < simoneb> detha: hmm, but somebody should have firewalled ICMP replies only (still allowing ICMP requests)
10:07 < detha> simoneb: wireshark on the client I guess
10:07 < r0ss> simoneb: not necessarily, with iptables as an example you can quite easily be allowing an ICMP message outbound and not be allowing the ICMP reply on INPUT
10:08 < simoneb> ah, another detail. ping works when pinging a different IP on the same node
10:08 < r0ss> not used ipfilter much though to compare
10:08 < simoneb> the receiver has two NICs, one is a "normal" IP, the other one is over vlan
10:09 < simoneb> when I ping the "normal" one everything is ok, only pinging the vlan does that thing
10:09 < detha> define 'over VLAN'. where does traffic get routed into that vlan?
10:10 < simoneb> hmm, I don't know what is between those nodes if this is the question
10:10 < detha> yeah. I'm assuming the IPs are on different subnets?
10:10 < simoneb> yes
10:11 < detha> So something must be routing between those subnets. And that something seems borked
10:12 < simoneb> it works for other nodes in the same subnet though...
10:13 < simoneb> as in... from the sender I can ping other hosts in the same subnet as the IP which shows this behaviour
10:15 < detha> Can you traceroute from the target back to the windows machine, with the VLAN IP as source? (and if yes, try from another machine on that subnet back to windows machine, and see where it breaks)
10:16 < simoneb> hmmm I think I tried tracerouting but it couldn't get the middle hops
10:19 < detha> Something in between there - you'll have to find out what is between the nodes, and ask whoever runs that
10:30 < hetii> Hi
10:30 < hetii> :)
10:30 < hetii> Could someone explain to me how SNI works ?
10:30 < Emperorpenguin> £&£)"(&$()T&£"$£$£"DOMAIN.COMY$/£)$£/")$&(/)£
10:30 < Emperorpenguin> like this
10:31 < bezaban> you send a Host header with the https request, web server selects the certificate (and site) to return.
10:33 < Emperorpenguin> yes, and the domain you want is in clear
10:35 < hetii> so is it just for http (need http headers to know where to push traffic) ?
10:35 < hetii> or what about RAW tcp/ip traffic ?
10:36 <+catphish> no, it has nothing to do with http
10:37 <+catphish> hetii: with SNI, you send the hostname as part of the initial ssl handshake, and the server chooses a certificate based on that
10:37 <+catphish> so the client connects, and says "hello, i want to talk to example.com" and the server responds with the certificate for example.com
10:39 < hetii> so it means that using SNI means that I need to have ssl termination
10:39 < hetii> ?
10:39 < Emperorpenguin> SNI is a feature of ssl
10:39 < hetii> I see
10:40 < Emperorpenguin> you don't necessarily mean ssl termination to the server
10:40 < Emperorpenguin> could be to your load balancer, and cleartext in the backend
10:40 < hetii> ok thank you for clarification
11:06 <+xand> s/SSL/TLS/
11:55 < Aubrey101> Hi guys what is usually the cause of not being able to access a web server using http but being able to Telnet and ping the server ?
11:56 < grawity> a) http service not running
11:56 < grawity> b) http service listening on the wrong addresses and/or ports
11:56 < grawity> c) http service's ports firewalled
11:56 < grawity> d) all of the above
11:56 < dogbert2> well, if you can do 'telnet 80' and get a response, it's listening
11:56 < dogbert2> or e) ISP blocks port 80 inbound
11:57 < djph> dogbert2: well, he never specified telnet host 80 though
11:57 < Aubrey101> within the same segment the webserver is accessible but over the vpn it is failing only icmp packets are going through and tcp
11:57 < grawity> but but but, http runs over tcp.
11:57 < Aubrey101> telnet i mean
11:57 < Aubrey101> telnet 80
11:57 < grawity> so that's the http port
11:57 < grawity> and what part is failing
11:57 < grawity> have you tried submitting a http request over telnet?
11:58 < drathir> fw?
11:58 < detha> f) MTU on tunnel
11:58 < djph> $5 says .htaccess or something is blocking "not local subnet"
11:58 < drathir> or port redirection?
11:58 < djph> or what detha said
11:59 < drathir> mornin/evenin...
11:59 < dogbert2> hey d
11:59 < Aubrey101> when trying to access http:x.x.x.x:80 it is failing across the vpn but telnet x.x.x.x 80 and ping x.x.x.x -t is working fine
11:59 < dogbert2> djph,
12:00 < dogbert2> even (meh)
12:00 < dogbert2> ss
12:00 < grawity> Aubrey101: you didn't answer the question
12:01 < Aubrey101> have you tried submitting a http request over telnet? how do you do this ?
12:01 < grawity> GET / HTTP/1.1
12:01 < grawity> Host: example.com
12:01 < grawity> blank line
12:12 < veek> is it possible to do pppoe over wifi bridge mode? ie. setup the modem in bridge mode, enable wifi with psk-aes and then do pppoeconf over the wlan0?
12:13 < veek> or do i have to run nat on the modem for the wifi clients compulsorily
12:13 <+catphish> you can run pppoe over a wifi bridge afaik
12:14 < veek> thanks catphish let me try
12:15 < grawity> as long as you can send ethernet frames (with ethertype and all), you can do PPPoE
12:15 < grawity> so I don't see why it wouldn't work over wi-fi
12:15 < grawity> but... it's not exactly the most reliable of uplinks
12:15 < dogbert2> well, for home use it should be ok...
12:16 < grawity> yeah, but
12:16 < veek> ah yeah home use and slow at that
12:16 < dogbert2> it will be /dev/slow
12:16 < grawity> usually it also means you can only have one wi-fi device connected
12:16 < veek> yep.. just my laptop
12:19 < simoneb> anybody knows how to recognize SMB3 packets in tshark?
12:20 < simoneb> as opposed to smb2 or 2.1
12:20 < TotallyNotKim> stop stealing your sister's pics
12:20 < TotallyNotKim> jk, have no idea, sry
12:23 < CA> what are the common reasons for pppoe client to not connect?
12:24 < CA> im seeing a large amount of connections on some brand of routers not getting ip address and ultimately failing
12:24 < CA> is not all implementations pppoe in different routers not done the same way
12:38 < djph> CA: pretty much. I mean it SHOULD[RFC2119] be consistent, but that's the downside of 'SHOULD' in the RFCs :)
12:54 <+catphish> thinking about it, loads of WISPs do pppoe over wifi backhaul
12:56 < grawity> simoneb: you'll have to look at what dialect was chosen in Negotiate Protocol Response
12:56 < grawity> simoneb: smb2 introduced a whole new protocol, but smb3 is just incremental
12:57 < djph> catphish: yeah, but that's the fun part of "ethernet" :)
13:01 < drathir> catphish: what advantages of that ?
13:01 < grawity> authentication, I think
13:03 < drathir> im wonder how about 802.1x ? is possible over wifi too?
13:03 < mawk> the ip checksum is computed as the 1s-complement of the 1s-complement sum of every 16-bit word of the header, is that right ?
13:03 < grawity> drathir: well yes, but
13:03 < mawk> the 1s complement sum consisting of adding back the carry from a regular addition
13:03 < grawity> drathir: wpa-enterprise is literally 802.1X over wifi
13:14 < detha> catphish: most here terminate the pppoe on the highsite nearest to the customer, then run whatever over the backhaul. Highsites talk to a central radius server for auth.
13:15 <+catphish> detha: yeah, sorry, when i said backhaul, that's not what i meant at all, i meant the last-mile wifi link
13:16 <+catphish> terminating at the local tower or nearby POP is most likely as you say
13:18 < detha> That's the most common. There are of course exceptions, there is one that runs an enormous L2 throughout there entire network, with one vlan per customer.....
13:18 < detha> *their
13:28 * drathir wonder that hotspot2.0 its hw feature?
13:28 < marktiell0> hello
13:29 < drathir> marktiell0: hi, hi...
13:29 < grawity> drathir: mostly software (available in hostapd), though I can imagine some parts might require flexibility from the driver/firmware
13:29 < grawity> but it's mostly just sending some extra information, isn't it
13:30 < marktiell0> I'm trying to code a SOCKS5 reverse proxy server to bypass NAT restrictions. That server would behave as a client (no port forwarding needed), any tip on how to handle multiple connections? I'm a little bit confused :D
13:31 < drathir> grawity: oh bc i wondered if its possible to achieve that functionality under normal devices, bc as good remember hotspot2.0 networks are little different recognized by clients... /me guess its time to migrate into lede from pharos...
13:32 < grawity> they're fully backwards-compatible
13:32 <+catphish> detha: don't even need pppoe if you have a vlan per customer :)
13:32 <+catphish> you can just identify them by the vlan and do plain dhcp
13:33 < drathir> grawity: yep devices mobile ones too see them little different way also give support to multiple auth methods... oh thats good to hear...
13:33 < grawity> I don't remember it defining any new auth methods
13:34 < drathir> marktiell0: isnt socks act as proxy which allow multiple incoming connections handling? or im wrong understanding the idea?
13:35 < marktiell0> drathir: yes, but I'm making it reverse to avoid port forwarding (I can't port forward on my mobile phone 4g network)
13:36 < drathir> catphish: how does them handle dhcp over multiple vlans ? kinda proxy for dhcp thing or just redirection of packets ?
13:36 < marktiell0> so, the phone device is connecting to my server to port 8000, for instance. Now, my browser (Firefox) is also connecting to port 8000 and server is forwarding all packets like this Firefox<->Server<->Device
13:37 <+catphish> well the downside of the normal way of doing dhcp is you'd need a whole subnet for the customer, quite wasteful
13:37 < detha> catphish: that's what they seemed to be doing ;) Doesn't really scale, and I don't want to debug the STP in that setup, but yeah.
13:37 < Kryczek> marktiell0: what is the end goal? To have Firefox on a different computer use your phone's Internet access?
13:37 < marktiell0> drathir: the problem is that when device is replying back to a request made by Client (1) [firefox] it sends its data back to port 8000 and the server might have more than one client to forward the request to, how do I handle multiple connections?
13:38 < marktiell0> Kryczek: to use my phone IP address (4G network) on my computer, using Firefox SOCKS5 configuration
13:39 < marktiell0> Kryczek: but I obviously can't do that using the "simple" way because I can't port forward and listen for connections on my phone device
13:39 < Kryczek> marktiell0: how is Firefox communicating with your phone? WiFi?
13:39 < grawity> some mobile operators do allow you to listen for connections
13:40 < Kryczek> I am confused as to why there is a need to listen on the 4G side
13:40 < Kryczek> just listen on the LAN side :)
13:41 < marktiell0> Kryczek: I made an android app that connects to a Python server that is running locally. The flow is the following: Android connects to 127.0.0.1:8000, Firefox socks5 configuration is set to 127.0.0.1:8000. When data is coming from firefox client, I forward it to android device that handles socks5 protocol and sends data back
13:41 < drathir> marktiell0: You can in phone probably use web proxies i guess...
13:41 < marktiell0> Kryczek: because ideally I'd run a socks5 server but I need port forwarding so I need to use reverse proxy model
13:42 < marktiell0> take a quick read here, if you are interested in the issue with this "standard" model: https://backproxy.blogspot.it/p/issues-with-standard-proxy-model.html
13:42 < Kryczek> wait... your Firefox is on the Android device too? o_O
13:42 < marktiell0> Kryczek: nope, Firefox from my PC
13:43 < Kryczek> aaaaaaaaaaaaah, ok you have Python stuff on both the PC and the Android device?
13:43 < marktiell0> end goal: browsing internet using my phone 4G network from my computer
13:43 < marktiell0> python stuff is on the pc, listening on port 8000
13:43 < Kryczek> marktiell0: PC and phone can reach each other over WiFi, right? Or USB, or Bluetooth...
13:43 < marktiell0> on android device there is an app connecting to port 8000 (python server)
13:43 < marktiell0> yes
13:44 < Kryczek> then why not just run a normal SOCKS5 proxy on the phone?
13:44 < drathir> marktiell0: i suppose You need to look at webrtc functionality but thats guess..
13:45 < marktiell0> Kryczek: how? That would need port forwarding? I need to use 4G network
13:45 < marktiell0> drathir: I'll take a look, thanks!
13:45 < Kryczek> marktiell0: no need for any port forwarding
13:45 < Kryczek> marktiell0: let's say your phone is 192.168.0.7 on the WiFi, just tell your Firefox that the SOCKS5 proxy is at 192.168.0.7
13:45 < marktiell0> Kryczek: ideally, phone and server could also be on different LAN
13:45 < drathir> marktiell0: bc when phone connect to localhost its still need bridge requests from server somehow which one dont have access incoming only outgoing...
13:46 < Kryczek> marktiell0: so then you would have web traffic going from your PC to the Internet to your phone to the Internet again, and back?
13:46 < drathir> marktiell0: i think better use proper tethering app...
13:46 < marktiell0> Kryczek: exactly
13:47 < marktiell0> Firefox (PC) <-> Server Forwarder (Python) <-> Android Device
13:47 < Kryczek> marktiell0: you realise that would cost twice the mobile data? :)
13:48 < marktiell0> why?
13:48 < marktiell0> android device receives SOCKS5 connect command, makes the request
13:48 < marktiell0> and yes, it would need to send it back too, correct! :D
13:48 < Kryczek> because the phone has to download each of your requests before uploading them to the real destination (e.g. Google)
13:48 < drathir> Kryczek: will not work phone isnt in default mode accepting any incoming connections or forwarding traffic i assume or shouldnt do that at least ;p
13:48 < Kryczek> and then back: download the responses from e.g. Google and then upload them to you
13:48 < marktiell0> Kryczek: yes, yes.
13:49 < marktiell0> Kryczek: how would you handle multi-connections?
13:49 < Kryczek> marktiell0: it's good that you are interested in these topics but you have the wrong approach :)
13:50 < drathir> marktiell0: even if You fireup on phone docks server You will unable connect from pc to it...
13:50 < drathir> docks/socks*
13:50 < marktiell0> Kryczek: why? I'm open to all suggestions
13:50 < marktiell0> drathir: phone will act as a client but at the same time it is a server
13:50 < Kryczek> drathir: he is aware of that, his idea is to have a rendez-vous server to which the phone connects first, and then have it act as some sort of reverse SOCKS5 proxy
13:51 < marktiell0> exactly
13:52 < Kryczek> marktiell0: why do you want to proxy everything through a phone?
13:52 < marktiell0> I want to use my phone IP
13:52 < drathir> marktiell0: in my opinion w/o forwarding or local redirection isnt doable... even if in theory connections could be bidirectional, i think You still need somehow routing traffic...
13:52 < bgsteiner> strap it to a bird to fuck with the NSA and FBI
13:52 < mawk> for the checksum I split the header into 3 uint64_t, add them up, take its residue modulo 65535, invert its bits
13:52 < marktiell0> drathir: it is doable
13:52 < mawk> is that right ?
13:53 < drathir> marktiell0: then switch android into tethering mode...
13:53 < Kryczek> marktiell0: why do you want to use your phone IP?
13:53 < drathir> marktiell0: it will just act like router...
13:54 < Kryczek> drathir: he wants the phone to be possibly far away, maybe on a bird like bgsteiner said :)
13:54 < marktiell0> Kryczek: it is a part of a project I'm working on, I need my own "proxy" without buying it from 3rd party providers.
13:55 < Kryczek> marktiell0: I'm just saying if it's illegal 1) I don't want to help 2) you'll get caught
13:56 < marktiell0> Kryczek: as for now, my android device connects on port 8000, then python server listens on port 9000 -> firefox connects to port 9000 and python server forwards all packets received from port 9000 to device socket (port 8000)
13:56 < AlexPortable> Can I get VLANs if i add a switch to my router?
13:56 < marktiell0> Kryczek: absolutely not illegal
13:56 < marktiell0> why would it be?
13:56 < Kryczek> only legitimate purpose I can think of is to bypass the annoying per-country limitations of some videos but then you'll burn through your data plan super fast
13:56 < drathir> Kryczek: but phone still need routing packets somehow... even if phone connect to the server for open bidirectional connection phone somehow need route requests from server under that connection...
13:56 < marktiell0> devices are my property
13:57 < drathir> Kryczek: thats only theoretical guessing ofc,..
13:57 < mawk> property is a fuzzy notion in the era of copyrights marktiell0
13:57 < marktiell0> drathir: https://backproxy.blogspot.it/p/presentation-of-reverse-proxy-model.html
13:57 < marktiell0> mawk: correct :D
13:58 < Kryczek> marktiell0: make the phone(s) connect to the rendez-vous server with a datagram VPN (e.g. IPsec or OpenVPN in UDP mode, as opposed to TCP mode) and then you can just use a normal SOCKS5 proxy on each phone
13:59 < Kryczek> I mean it would work with a TCP VPN too but that's bad for performance
13:59 < drathir> marktiell0: You know some time ago even unable was openvpn on phone bc of rooting device bc there wasnt tun user driver accessibility? if that was so easy to perform there would be tons of apps doin that...
13:59 < marktiell0> Kryczek: well, tbh I don't have experience with that, I feel like it's over complicating things
14:00 < Kryczek> marktiell0: I have experience with both and trust me your current approach is overcomplicating ;)
14:00 < marktiell0> okay, could you give me some insights on how to accomplish the goal with your approach?
14:00 < drathir> marktiell0: the biggest problem i assume You cant easy manipulate packets under android side of proxy im assume thats the main problem and reason that isnt done already...
14:00 < Kryczek> just install the OpenVPN app on the phone, get it to connect to your server
14:01 < Kryczek> marktiell0: then you don't have to worry about the mobile phone operator blocking inbound connections: inside the VPN tunnel you can connect from Firefox to phone, even though the tunnel is from phone to gateway
14:02 < drathir> Kryczek: again he would need phone openvpn server functionality client connected to home server shouldnt be able to route packets over phone ip...
14:02 < Kryczek> drathir: no need :)
14:02 < Kryczek> the SOCKS5 proxy app on the phone will do the "forwarding"
14:04 < marktiell0> Kryczek: this looks over complicating things (from my perspective). I'd need OpenVPN server and do the same things
14:04 < Kryczek> gateway <=== phone
14:04 < marktiell0> In the original approach I'd only need a python server and android app
14:04 < Kryczek> firefox ---> gateway ===> phone
14:04 < marktiell0> but in gateway <=== phone
14:05 < drathir> Kryczek: he would access the server side of resources w/o any access to phone side of resources even more phone wlan to gsm redirection... or at least shouldnt get access to them, bc of isolation...
14:05 < Kryczek> marktiell0: no in the original approach you need a python server, a python client, and solving your weird SOCKS5 problems
14:05 < marktiell0> when phone is giving responses, how can it target the client that originated the request/command?
14:05 < Kryczek> marktiell0: what I am recommending is proven VPN server, proven SOCKS5 normal proxy, and... no need for any Python I think
14:06 < Kryczek> drathir: sorry I don't understand your line :)
14:06 < Kryczek> marktiell0: just use normal (forward) SOCKS5 in a reverse VPN, like everybody does...
14:07 < marktiell0> I see, Kryczek, thank you!
14:07 < marktiell0> The problem is that I never did anything like that so it looks over complicating (but just in my head)
14:07 < marktiell0> I also wanted to make the server to learn something new
14:07 < drathir> Kryczek: mean it shouldnt able access any phone side service ip port over reverse-connection from client connect to server connection...
14:07 < marktiell0> Using OpenVPN and a normal Socks5 server would remove all the fun :(
14:09 < Kryczek> marktiell0: maybe this can inspire other fun: http://campagnol.sourceforge.net/
14:10 < shibumi> heyho, does somebody here have an answer on this issue: https://networkengineering.stackexchange.com/questions/50236/connecting-two-devices-via-vxlan ?
14:11 < marktiell0> Kryczek: interesting
14:11 < AlexPortable> Should I tag my ports when using vlans?
14:11 < marktiell0> Kryczek: did you ever take a look at socks5 protocol specifications?
14:15 < Kryczek> marktiell0: iirc it's just SOCKS4 with FQDNs instead of just IP addresses
14:16 < Kryczek> marktiell0: and SOCKS4 is basically just telling what IP and port you want to connect to, at the beginning of the TCP stream
14:16 < marktiell0> Kryczek: yep, but I need a clarification if you can
14:16 < marktiell0> I sniffed a communication while using a socks server and took a look at the flow
14:17 < marktiell0> after each request it restarts the session? What's the point in that?
14:17 < Kryczek> that's part HTTP's fault, part SOCKS' fault
14:18 < marktiell0> client and server do some kind of handshake and negotiation regarding auth, then client asks to connect to blabla.com, server replies
14:18 < marktiell0> then client again need to do handshake?
14:18 < marktiell0> and connect again, this is weird :D
14:18 < Kryczek> in HTTP there is a feature called pipelining which asks the web server to keep the connection open so that the client can send more requests
14:18 < Kryczek> marktiell0: that's why I was telling you to use UDP
14:19 < Kryczek> then SOCKS' "fault": it's the original proxy protocol, it's extremely simple
14:19 < marktiell0> Kryczek: the weird thing is that after server replies back, connection is not closed for some reason
14:19 < Kryczek> it's not meant to carry multiple TCP streams, it's just a hack of one TCP stream
14:19 < marktiell0> it makes a bunch of connections
14:20 < Kryczek> depends on the server
14:21 < marktiell0> I see, thanks Kryczek
14:22 < Kryczek> if you want interesting coding exercises: implement your SOCKS proxy over SCTP so that it can carry multiple streams with just one handshake, except some NAT devices might have a problem with SCTP
14:22 < Kryczek> basically: UDP < DCCP < TCP < SCTP
14:24 < marktiell0> I'm a beginner in networking, I'll make first a simple socks server :D
14:24 < marktiell0> the concept is interesting, though
14:24 < Kryczek> of course :) take your time
14:26 < Kryczek> DCCP and SCTP are really cool, it's just annoying that quite a few NATs will freak out if it's neither UDP nor TCP
14:26 < Kryczek> luckily there are already standards for DCCP over UDP and SCTP over UDP, but meh: it wastes 8 bytes per packet and some performance
14:36 < AlexPortable> Should I tag my ports when using vlans?
14:36 < AlexPortable> Can I get VLANs if i add a switch to my router?
14:37 < dogbert2> you need a switch which can handle VLAN...most home unmanaged switches don't do that
14:39 < dogbert2> also, any switch which does not have that capability will strip the information from the ethernet frame
14:40 < dogbert2> https://serverfault.com/questions/333859/what-happens-when-a-consumer-switch-receives-a-vlan-tagged-ethernet-frame?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa
14:40 < AlexPortable> well the switch supports vlans
14:40 < grawity> huh? no it won't
14:40 < grawity> at least *most* unmanaged switches won't
14:41 < djph> dogbert2: or will pass the tag unmolested. It's undefined on L2-only switches.
14:41 < grawity> I mean, if they don't know what a VLAN is, how would they know to strip it
14:41 < dogbert2> yeah..."depends" is the right answer :)
14:41 < djph> *though admittedly, the outcome is undefined ...
14:41 < grawity> might be worse though; might cut off 4 bytes off the *end* of your frames, because their max mtu doesn't account for tags.
14:42 < grawity> but with reasonably recent switches, it passes through with no problems.
14:43 < dogbert2> right, from 1514 -> 1518 -> 1522 bytes...the 4 bytes after 1522 might get eaten
14:43 < dogbert2> after 1518, even
14:45 < trigcode> I have a wireless 4GLTE hotspot that uses a small httpd for the web interfacing and does not support HTTPS
14:46 < trigcode> Is there any way I can force a re-direct to a HTTPS for authentication to administrate the device?
14:46 < grawity> if it doesn't support https, then it doesn't
14:46 <+xand> trigcode: nope
14:47 < Kryczek> trigcode: stunnel
14:47 < grawity> if this is for *remote* administration, you could put a proxy on top of it
14:47 < grawity> as long as the proxy runs in the same LAN
14:47 < grawity> (e.g. nginx, haproxy, apache2... "reverse proxy" that is)
14:48 < grawity> but traffic from proxy to hotspot will remain plain http
14:48 < Kryczek> trigcode: can you add software to the hotspot? stunnel only takes a couple of kilobytes
14:48 < trigcode> Yeah, and the device shows the damn wifi password in plain text on the main page of the "status" of the hotspot
14:49 < AlexPortable> grawity: what do you mean passes through? I mean the router doesn't support vlans, the switch does
14:49 < trigcode> Kryczek: I think I can modify the firmware
14:49 < trigcode> Other than that, I haven't tried anything
14:49 < grawity> AlexPortable: 15:39 also, any switch which does not have that capability will strip the information from the ethernet frame
14:49 < AlexPortable> yes but it has the capability, there is a setting for it in the web interface
14:50 < Kryczek> trigcode: then make stunnel listen on port 443 (or whichever you want) and forward the data to 127.0.0.1:80 inside the device :)
14:50 < dogbert2> well, go ahead and try it, but all devices will need to be on that same vlan...
14:50 < AlexPortable> or does the router need to support it too?
14:50 < grawity> dogbert2: or they'll need to support tagged vlans
14:51 < grawity> if said devices are e.g. wifi access points
14:51 < Kryczek> trigcode: do you mind saying what brand the hotspot is? So we can avoid buying it :)
14:51 < dogbert2> or as grawity just said, it needs to support tagged vlans (or vlan tagging)
14:51 < grawity> mixing those with regular PCs on same dumb switch *is* bad and painful though
14:51 < grawity> (bad for security, and painful due to Windows driver bugs)
14:53 < trigcode> Kryczek: It's a Netgear product distributed to Verizon
14:53 < Kryczek> trigcode: sounds bad enough maybe you should go to the press (e.g. ArsTechnica) about it
14:54 < Kryczek> TheRegister also
14:54 < grawity> how much damage can someone do with the admin password?
14:55 < trigcode> The wifi password is displayed on the main page
14:55 < Silenced> Can someone explain to me what is SRV record ?
14:55 < trigcode> So it basically makes a WPA2 encryption through wifi pretty useless
14:55 < grawity> but don't you need to connect to WPA2 first before you can see that page?
14:55 <+xand> trigcode: no because you'd need to connect to the network to see it
14:56 < dogbert2> well, on my home network, I have a D-Link AC 1750 router and a D-Link DGS-108 8-port switch, needed extra ports on LAN, so I got that for $30 at frys
14:56 < trigcode> grawity: I have mac address filtering, so on occasion i have to add new addresses
14:56 < trigcode> So, I have to log into the device
14:56 <+xand> MAC address filtering isn't very useful
14:56 < trigcode> No it's not
14:56 < dogbert2> I mean, if they built a home router with say 8 LAN ports built in, would be pretty nice (LOL)
14:56 < grawity> and what's wrong with logging in
14:56 < Kryczek> xand: grawity: not if you can Cross-Site Script that info through a user's browser ;)
14:56 < grawity> do you do that remotely over a long series of tubes, or directly over the same wifi?
14:57 < grawity> Silenced: how much do you know about DNS yet
14:57 < trigcode> Kryczek: exactly
14:59 < Kryczek> the administration interface in cleartext also makes everyone on the network an admin, which you might not want if you're sharing the hotspot with random friends or something
14:59 < grawity> everyone who can already log in, that is?
14:59 < grawity> or is the admin interface itself passwordless?
15:00 <+xand> those devices tend to be pretty rubbish
15:00 <+xand> "minimal viable product"
15:00 <+xand> minimum?
15:00 < Silenced> grawity: Very little. Suggest me some good reads if possible
15:02 < L3gacy> Anyone have any experience setting up a VPN with a flat subnet and flat IP space?
15:02 < grawity> L3gacy: as in you have a *requirement* that it remain a flat subnet?
15:02 < Phil-Work> L3gacy, a layer 2 VPN?
15:02 < L3gacy> yes
15:03 < L3gacy> subnet 255.255.255.0
15:03 < L3gacy> ip range 10.1.10.x
15:03 < grawity> and where does the requirement come from?
15:03 < L3gacy> Client with two sites, sharing NAS, SAN, and printers
15:03 < L3gacy> tried pfsense and could not get it to work. I have sonicwalls, and VyOS routers available, also
15:03 < Kryczek> grawity: the login is over HTTP :)
15:04 < Phil-Work> L3gacy, what there means you need a flat subnet?
15:04 < L3gacy> the whole IP space needs to be flat
15:04 < L3gacy> I cant do 192 or anything else
15:04 < L3gacy> this is over comcast
15:04 < grawity> is that what "flat" means nowadays?
15:05 < L3gacy> As told by client, yes
15:05 < Kryczek> L3gacy: have you tried with OpenVPN in TAP mode?
15:05 < grawity> so client doesn't want 10.1.11.x/24, or two /25's, either?
15:05 < L3gacy> no, and no
15:05 < L3gacy> Does pfSense support OpenVPN?
15:05 < light> yes
15:09 < L3gacy> gonna see if this will work for client. thank you!
15:12 < Kryczek> L3gacy: I had a similar need in the past and I successfully addressed it with OpenVPN in TAP mode; I also added high-availability with two gateways on each side and a Spanning Tree Protocol setup (as simple as bridging OpenVPN's TAP interface with the physical NIC and then configuring STP, with bridge-utils' brctl command) which ensured that at least one combination of {LeftA,LeftB}-{RightA,RightB}
15:12 < Kryczek> was working :)
15:26 < ne2k> Kryczek, RSTP over L2 over WAN. yuk
15:27 < ne2k> L3gacy, be prepared for shocking performance on large packets unless you can implement MSS clamping
15:27 < Windy> any opinions on qualys vs tenable.io for vulnerability scanning?
15:28 < ne2k> L3gacy, don't forget that you can also use proxy arp to implement a virtual L2 extension without actually bridging. depending on your exact requirements/reasons for wanting L2, you may find that it is good enough
15:28 < Kryczek> ne2k: I didn't say it was the best :) it was just a very particular need
15:28 < muAdmDev> If there are no ACLs defined on a switch, but I get ACL-drops, may those be due to VLAN separation?
15:29 < AlexPortable> if my switch has support for setting vlans, is this for creating them, or following them from the router?
15:29 < ne2k> Kryczek, the fact that I know it's yuk means I must have done it too ;-)
15:29 < djph> AlexPortable: "that depends"
15:29 < Kryczek> ne2k ;-)
15:29 < AlexPortable> djph: on what
15:29 < ne2k> AlexPortable, what does "following" them mean?
15:29 < AlexPortable> router makes vlan, switch 'uses' them
15:29 < AlexPortable> forwards
15:30 < djph> AlexPortable: cheapo switches may only be able to handle (un)tagging (i.e. no inter-vlan routing). Others can do basic routing.
15:30 < AlexPortable> what is inter-vlan routing?
15:30 < djph> what's it sound like?
15:30 < AlexPortable> well connecting the different vlans, but isn't the purpose of vlans to keep them separate..?
15:30 < ne2k> AlexPortable, if a switch supports VLANs, that means it can understand VLAN tags on ingress and add them on egress
15:31 < ne2k> djph, only L3 switches can do routing. key is in the name. AlexPortable is (almost certainly) talking about a L2 switch
15:31 < djph> AlexPortable: for some value of "separate"
15:31 < Windy> layer 3 switches can route
15:31 < djph> ne2k: I didn't want to go down that rabbit hole :)
15:31 < ne2k> djph, it's nothing to do with being cheapo or not
15:32 < ne2k> AlexPortable, perhaps you should tell us what it is you are actually trying to do
15:32 < AlexPortable> ISP router/modem, i want vlans, isp router/modem doesnt support it
15:33 < ne2k> AlexPortable, "I want VLANs" is not an explanation of your requirements
15:33 < djph> AlexPortable: then get a proper router and proper switch. set the ISP kit to modem-only (or replace it with just a modem)
15:33 < AlexPortable> tutorials on internet show that some switches have vlan support and have a web interface for configuring and adding them. so my idea was to get a switch
15:33 < ne2k> djph, do please stop suggesting solutions when you don't know what the actual problem is
15:33 < djph> ne2k: yeah... but consumer crap gets weird.
15:33 < AlexPortable> having to buy a proper router and proper switch is 2 extra devices
15:33 < AlexPortable> i want to make a guest network separated from my home network, hence the vlans
15:34 < Kryczek> AlexPortable: an easy way: https://www.pcper.com/reviews/General-Tech/Steve-Gibsons-Three-Router-Solution-IOT-Insecurity
15:34 < regdude> Hi! I want to generate CDP packets (you know why), but can't seem to figure out how to calculate the checksum. Does anyone know which fields are used for the calculation and what algorithm?
15:34 < djph> ne2k: he's been in here several times now with the sam... actually, nevermind, you're just gonna rant how I'm wrong anyway. carry on, good luck.
15:34 < Windy> regdude: why?
15:34 < AlexPortable> Kryczek: yes something like that, and then the 'border' being the new switch
15:35 < Kryczek> regdude: Wireshark knows: https://wiki.wireshark.org/CDP
15:35 < regdude> Windy: to see if I have properly implemented protection for it
15:35 < regdude> Kryczek: it does know, but can't seem to figure it out from the code
15:41 < zepo> Hello guys. I have a problem with my debinan server, right now the bandwidth seems to be pretty unbalanced. Some people seem to get really good rates (about 4-5) while the rest is starving. I have like 35 people connected to it so it can be a major problem. What can I do to change that ?
15:41 < Dalton> that's pretty vague
15:42 < Dalton> bandwidth for what on the server?
15:42 < zepo> down and upload rates
15:42 < Dalton> via?
15:42 < Dalton> FTP/HTTP/HTTPS/etc/etc
15:42 < Live> Hi! I have a generic question regarding DHCP. Let's say I use DHCP for my network and I have a device (printer) that uses DHCP to get an address etc. What happens if I, while the printer is connected, statically reassign that IP to a different device. Does the printer notice that and try to get a new lease with a different IP or do I need to manually release and renew? Its very weird scenario, I know :|
15:42 < Dalton> are they all located in the same place or is this over the interwebs?
15:43 < Kryczek> zepo: is debinan a counterfeit debian? ;D
15:43 < Dalton> live: not generally, you either drop the port and delete the old DHCP lease or reboot the printer
15:43 < Live> roger, thank you
15:43 < Dalton> Kryczek: i was thinking of something like that but couldn't manage to come up with an answer
15:44 < zepo> Its a building, so all are local. and i would assume http. I am looking into iftop and just watch the bandwidth there
15:44 < Kryczek> Dalton: haha :)
15:44 < Dalton> zepo: are they all connected to the same switch or multiple switches?
15:44 < Kryczek> zepo: are you by any chance blocking ICMP traffic?
15:44 < zepo> Kryczek : fat fingers :P
15:45 < zepo> Dalton: multiple. this whole network is a mess tbh. ( i just took the administrator role because the other one is leaving soon). We have 1 main server and 2 switches.
15:46 < Dalton> zepo: what kind of switches?
15:46 < zepo> Kryczek: I cant follow you there. Sorry, I am kinda new to networking ^^"
15:46 < drathir> zepo: iperf3 link in pm?
15:46 < Dalton> one 10/100 and one gigabit?
15:47 < Kryczek> zepo: when firewalling, many people think of what UDP and TCP ports to allow but they forget that ICMP is also important, typically the Fragmentation Needed message which when you block it makes everything look super slow
15:47 < Dalton> if you think the whole network is a mess and don't really know where to start, start with basic physical stuff like cables and switches
15:47 < zepo> Dalton: Sorry, don't know. I have gotten root access and that is all my information ^^
15:47 < Dalton> do some walking then
15:47 < Dalton> take pictures
15:47 < zepo> Locked~
15:47 < Dalton> then leave... lol
15:48 < zepo> Haha
15:48 < Dalton> if you can't get in, what's the point?
15:48 < drathir> Kryczek: but icmp its security risk need to be cut at fw ^^
15:48 < Dalton> maybe this is why old admin is saying "peace out"
15:49 < drathir> Kryczek: joking ofc...
15:49 < Kryczek> drathir: I take it you know but just in case anyone else doesn't get the sarcasm: you're joking, right? ;)
15:49 < djph> drathir: "security risk(tm)"
15:49 < Kryczek> haha thanks
15:49 < mawk> Kryczek: isn't that already let to pass by ESTABLISHED,RELATED conntrack states ?
15:49 < mawk> or I need to let that pass explicitly/add that to RELATED handlers
15:49 < zepo> How can I check if i block ICMP ?
15:49 < Kryczek> mawk: maybe RELATED does yes, but I have seen setups where it's only ESTABLISHED
15:49 < Kryczek> mawk: can't blame them, I don't really like the idea of the kernel parsing the FTP protocol to find the related connections for example
15:50 < mawk> yeah
15:50 < zepo> Its hard to explain, let's say its a flat and the networking got installed 1990
15:50 < mawk> well that auto behavior for FTP has been disabled by default iirc
15:50 < mawk> but I hope it hasn't been for ICMP
15:50 < Kryczek> zepo: iptables -nvL
15:50 < mawk> --lin
15:51 < mawk> from my wonderful C program how can I find the source address to be used to send packets to a particular ip ?
15:51 < mawk> ip route get is cheating, can't use that 15:51 < mawk> and I won't poll that thing every second of so, I need a proper polling notification 15:51 < zepo> icmptype8 is accepted 15:52 < mawk> don't use -n if you want the nick readable names for ICMP types 15:52 < mawk> nice* 15:53 < Kryczek> mawk: for Linux-only I think there is an API like the Netfilter ones, to query the routing table programmatically, otherwise iirc there was a trick of binding a socket and then using getsockaddr or something to see what address it got 15:53 < mawk> yeah I've thought about that second trick, but it's ugly 15:53 < zepo> I thought on debian/linux there are commands for everything. Like commands that allow me to "balance" the bandwitdh so every user gets max etc. 15:53 < mawk> and I won't do that every second 15:53 < Kryczek> indeed 15:53 < mawk> other possibility is using the raw netlink socket, but it's pretty complicated 15:54 < Kryczek> mawk: out of curiosity what is the context? 15:54 < mawk> I'm doing a VPN in C++, and I need a source address to send ICMP Host Unreachable messages 15:54 < mawk> and I want to support hot-changes of addresses on the interface 15:54 < Kryczek> zepo: https://wiki.debian.org/TrafficControl 15:55 < drathir> Kryczek: yea better inform in case... 15:55 < Kryczek> mawk: oh nice! I have been meaning to finish writing my VPN for quite a while... Got super annoyed when I found out that many routers on the Internet drop packets with IP Options >:( 15:55 < mawk> lol 15:55 < mawk> you were using custom ip options ? 15:56 < Kryczek> mawk: yeah I wanted to make my VPN go through any kind of opening (any UDP/TCP/... port, any layer 4 protocol, etc) so I had all my VPN data as IP Option fields 15:56 < Kryczek> I mean all my VPN headers 15:56 < mawk> ah, I see 15:56 < mawk> yeah 15:57 < mawk> the contrast between the RFCs and the real world is often disappointing 15:57 < mawk> e.g. 
MTU problems with ipv6, or ECN, or OOB data 15:57 < ne2k> Live, depending on how clever the DHCP server is, it may be able to detect that an address it is supposed to be in charge of has been taken by something that it didn't give it to, and do something about it, but there is no guarantee of this, or if it is even possible 15:57 < mawk> yes it's possible ne2k 15:57 < mawk> I'd expect a well-written dhcp server to support that 15:57 < mawk> iirc isc-dhcp-server does it 15:58 < ne2k> mawk, it's not logically possible if no frames from the rogue static client ever reach the dhcp server 15:58 < Live> ne2k: thanks! 15:58 < Kryczek> mawk: silly question: why not use ICMP sockets for your Host Unreachable messages? As in IPPROTO_ICMP 15:58 < mawk> yeah it was assuming it's not a rogue client ne2k 15:58 < Live> i'm pretty sure its a garbage implementation, because of several other issues with this router :D 15:58 < mawk> I stuff the response in the tun device Kryczek 15:59 < ne2k> mawk, he said some client gets statically assigned an address that has already been given to another client by the dhcp server; I'd call that a rogue client 15:59 < Live> also is it normal that the DNS TTL is 9 seconds in local network :thiking: 15:59 < mawk> I thought it would be simpler than opening a raw socket to create an icmp message 15:59 < ne2k> mawk, sorry, some host, I should say 15:59 < ne2k> rogue host 15:59 < ne2k> or have I misunderstood the question 16:00 < mawk> ne2k: the dhcp client will probe using ARP and if the client isn't hiding itself it will answer 16:00 < Kryczek> mawk: maybe I am missing something... 
You don't have to only write() to the TUN device, you can also bind regular sockets to it 16:00 < ne2k> djph, sorry, I didn't mean to sound offish earlier; if you know more about the specific case that is apparent from what has been shared today then great 16:00 < mawk> yeah 16:00 < mawk> but it has a lot of overhead compared to just a write() to it 16:01 < mawk> I just have a bunch of checksums to compute 16:01 < Kryczek> true :) 16:01 < Kryczek> but not if you have to annoy the kernel every second! ;D 16:01 < mawk> lol 16:01 < ne2k> mawk, do you mean the server will probe for the address being used statically before handing it out? 16:01 < mawk> yes ne2k 16:01 < Kryczek> "hey hey, what was the routing table again?" 16:02 < Kryczek> "oom_killer: killed mawk's process for... reasons" 16:02 < mawk> lol 16:02 < ne2k> mawk, but the question was about a host being assigned an address statically /after/ the dhcp server had already given it out to a client, wasn't it? 16:02 < mawk> I think I'll use the netlink socket to get a proper polling notification 16:02 < mawk> that way I don't annoy anybody 16:02 < Kryczek> :) 16:02 < mawk> just properly have my process sleep until the next event 16:02 < mawk> but there's a slight race condition between the address change and the time I process the event, there could be some ICMP messages lost because the source address was nonsense 16:03 < mawk> but it doesn't look very solvable, and lost packets aren't dramatic 16:03 < Kryczek> what kind of sleep? 
16:03 < mawk> ne2k: ah maybe, then it's different indeed; that way the new client will have trouble talking to the gateway/other people 16:03 < mawk> it's not of much use for the rogue client 16:04 < mawk> but I'm not a hacker, I'm sure there are ways to exploit this 16:04 < Kryczek> I don't know what kind of async notifications netlink provides, but maybe you can "sleep" on a select()able/poll()able socket, or maybe even get a signal 16:04 < mawk> yeah I'm using epoll() 16:04 < mawk> epoll_wait(), with all my file descriptors in it 16:05 < Live> ne2k: mawk: thanks for your input. Normally that case shouldnt ever happen anyway :) 16:08 < Kryczek> mawk: maybe you can get the IP of the interface on which you received the packet for which you want to answer Host Unreachable, with something like SO_ORIGINAL_DST? 16:09 < mawk> you mean switch source and dst in the icmp message ? yeah, it makes sense 16:09 < Kryczek> I mean not this one in particular but maybe there is a similar flg 16:09 < Kryczek> flag 16:09 < mawk> as long as the vpn isn't on a router 16:10 < Kryczek> ah yeah in fact you shouldn't be replying with your own IP [thoughtful emoji] 16:11 < mawk> I should answer with the "canonical" address of the tun interface I think 16:11 < mawk> which without routing corresponds to the source address of the original faulty packet 16:11 < Project86__> Can your ISP block only certain devices from accessing internet? 16:11 < mawk> even with routing, actually 16:12 < mawk> that's a good solution lol 16:12 < mawk> I forgot to try that first, it seemed too easy 16:12 < Kryczek> high 5 :D 16:13 < mawk> lol 16:14 < Project86__> Win asking because my rpi (even though it's connected to router) has no internet access. 
Meanwhile, my laptop, phone, and tablet (all connected to same ap) are working just fine 16:14 < Project86__> *I'm asking 16:16 < Project86__> Pinging google from rpi also confirms no internet 16:17 <+xand> Project86__: more likely the network is misconfigured on the pi 16:17 < Project86__> It's a fresh install. Same one I've always used 16:18 < drathir> Project86__: it gets ip and dns? 16:18 < Project86__> No, ping comes with the error 16:18 < mawk> let's do that netlink think for completeness, it's a task I already needed before and I had to parse ip route output, which is lame 16:22 < Project86__> drathir: ping www.google.com: Temporary failure in name resolution. 16:22 < mawk> it's not "not having internet" 16:22 < mawk> it's just "not having DNS" 16:22 < mawk> try ping 8.8.8.8 16:22 < drathir> Project86__: mtr 8.8.8.8 ? 16:23 < Project86__> Just started doing this last night, was fine yesterda 16:23 < Project86__> Ok one sec 16:23 < Project86__> Ping 8.8.8.8 is working. I'm getting pings 16:24 < mawk> who's answering to host -v google.fr ? 16:24 < Dalton> if that's the DNS you're using though 16:24 < mawk> (type host -v google.fr and find the ip address) 16:24 < Project86__> Mawk ok 16:25 < Project86__> mawk: connection timed out; no servers could be reached 16:25 < mawk> that's not very helpful 16:25 < mawk> I should've asked for the contents of /etc/resolv.conf instead 16:26 < Project86__> I know.. it just started doing this out of nowhere last night 16:26 < Project86__> One sec 16:26 < drathir> echo 'nameserver 8.8.8.8' > /etc/resolv.conf or kinda like that for fast needs... 
16:26 < mawk> some dns server managers rewrite this every moment or so drathir 16:26 < mawk> it's not good enough 16:27 < mawk> the way compatible with most programs that set resolv.conf is to make resolv.conf a symlink to another file 16:27 < mawk> which you named yourself 16:27 < mawk> that way systemd-resolved won't touch it, neither networkmanager 16:27 < mawk> not sure about NM tho 16:27 < drathir> mawk: yep correct dhcp coud replace in a while, but mostly enough for fast download something when needed/missed... 16:27 < mawk> yeah 16:28 < drathir> skyroveRR: hi, hi ^^ 16:28 < Project86__> Mawk no such file? 16:29 < mawk> what ? 16:29 < mawk> how can that be 16:29 < endeebee> Hello friends, anybody know how to dumo ip of a computer by hostname on windows? 16:29 < drathir> mawk: always could cheat wth chattr ^^ ;p 16:29 < mawk> Project86__: then create it with for instance echo 'nameserver 9.9.9.9' | sudo tee /etc/resolv.conf 16:29 < drathir> mawk: but not recommended... 16:29 < mawk> or use 8.8.8.8 if you like google, or 1.1.1.1 if you trust an american company to guarantee your privacy 16:30 < Dalton> cause google isn't american? :P 16:30 < mawk> 9.9.9.9 isn't, I mean 16:30 < avu> or 9.9.9.9 if you'd rather trust the London police :) 16:30 < mawk> 8.8.8.8 isn't trusted for privacy by nobody I assumed 16:30 < mawk> lol 16:30 < mawk> we have a tight data protection policy 16:30 < mawk> but you're right, britain has not much time to live with it 16:31 < Peng_> 9.9.9.9's mailing address is in Berkeley, California. 16:31 * drathir still preffer 8.8.8.8 than give data to mitm one always cloudflare... 16:31 < mawk> I'm sure the frenchies behind 9.9.9.9 will have it moved after the brexit 16:31 < Project86__> Thanks mawk.. idk how this could of happened 16:31 < tds> or just run your own resolver and be done with it :) 16:32 < drathir> Project86__: check dhcpcd from hand maybe... if fetch dns-es... 16:32 < Project86__> What's that new "super fast" dns I read about? 
Like 2.2.1.1 or some shit 16:32 < Peng_> Project86__: Folks just mentioned it multiple times. 16:32 * drathir wonder if no dns in dhcp configured it add by auto gateway? 16:32 < avu> probably 1.1.1.1 16:33 < Peng_> Okay, one time. 16:35 < needle> hello, I am just asking out curiosity. Anyone out there already using segment routing on nodes? 16:36 < Project86__> I'll have to fiddle after work unfortunately 16:36 < needle> not routers, only end nodes. 16:37 < needle> Segment routing has been added last 9-12 months to the linux kernel. 16:59 <+catphish> https://i.imgur.com/1WtQV4V.jpg 16:59 <+catphish> my battlestation with new monitor :) 17:00 < Sail0r> nice 17:00 < Phil-Work> not bad 17:00 < Phil-Work> how big is that? 17:00 < Sail0r> still prefer two seperate ones 17:00 < Dalton> is that an old MS mouse? 17:01 < Sout> so nice catphish 1. what heaphones, 2. What amp? and 3. cool a curved monitor. 17:01 < ne2k> Dalton, I have the exact same mouse. well, it looks the same, but it has Microsoft written on it 17:01 < Sout> and is that a dac on top? 17:02 <+catphish> 1) U3417W 34" monitor 2) it's a very cheap DAC (an old USB creative sound blaster) 3) it's an behringer headphone amp and a new pair of DT770 Pro 250 ohm headphones 17:02 <+catphish> and 4) yes, it's an old microsoft wheel mouse, i love them 17:03 < Roq> Nice screen 17:03 < Roq> Now go clean your keyboard ;) 17:03 <+catphish> just got the screen yesterday, i love it 17:03 <+catphish> the keyboard and mouse have been with me for nearly 10 years, one day i'll replace them 17:03 < Phil-Work> glad you already managed to put a sticker on it ;) 17:04 < Sout> nice. my computer's headphone socket broke. so i jot a fairly cheap dac / amp. schiit fulla-2. I'm rocking some koss pro 4aa. like an old school boss :D 17:04 < needle> Roq: I had exactly the same thought. 
17:05 < needle> regarding the keyboard 17:06 <+catphish> lol, i empty the crumbs out sometimes 17:06 < ^7heo> I think keyboards should be designed like toasters. With a slide-out crumb tray. 17:06 < needle> catphish: go clean your keyboard, it would make your screen look even more good. 17:06 < mawk> I'm using libmnl to manipulate netlink sockets but they managed to screw up the doxygen configuration so I wonder if I need to use it 17:06 < mawk> if I want to use it, rather 17:06 <+catphish> i keep meaning to get a new keyboard and mouse, problem is i don't know what to buy, there's really nowhere to try them out 17:07 < mawk> it comes from the netfilter people, it can't be that bad 17:07 < mawk> but why did they deprivate themselves from tons of documentation that went unnoticed because of their doxygen config, it's like they didn't even try to browse their generated docs 17:07 < Sout> nah all about mech keyboards. just pop off the keys and dunk in denture cleaner. Then you can vaccume / blow out the stuff below the keys 17:08 < needle> Noways people tend to buy new stuff instead of cleaning it. 17:08 < tds> just get a model m, then you'll never need to replace it :) 17:08 <+catphish> i could probably clean the keyboard :) 17:09 < needle> finally 17:09 < needle> ;) 17:09 <+catphish> it's actually 12 years i've had this keyboard! 17:09 <+catphish> probably the same for the mouse 17:10 < Sout> and re model m. they are sort of hard to find. and the news ones SUCK to buy if you dont live in the states. (like $50 dollar shipping) 17:11 < tds> I'd sorta like an SSK, but the prices on those (in the UK at least, and I suspect elsewhere as well) are stupidly high 17:11 < tds> there seem to be quite a few full size model Ms on UK ebay, though 17:11 <+catphish> price isn't terribly important when you use something 8 hours a day for 10 years :) 17:12 < Sout> I agree. 
hence how i justified buying a herman miller chair :D 17:12 <+catphish> lol 17:12 < Sout> and 12 year warranty 17:12 <+catphish> my chair of choice: http://www.allsteeloffice.com/products/seating/stools/trooper?path=Trooper-Task 17:13 < tds> heh, I'm a student, I can't justify spending £300+ on a keyboard which is identical to my current one but without a numpad ;) 17:13 <+catphish> lol 17:13 <+catphish> i have a numpad, never used it :) 17:14 < mawk> I use my numpad only to type my luks password 17:14 < needle> 1+2=3 17:14 < mawk> 0.9999.... = 1 17:15 < ^7heo> 2 + 2 == 5 // For extremely larges values of 2 17:15 < mawk> lol 17:17 < Epic|> (Plank energy \ pressure at Earth's core) x (Prius epa combined gas mileage \ minimum width of English channel) = pi 17:17 <+catphish> given that 4.999... == 5, and 2.4999... is 2 (1SF), that's not entirely untrue :) 17:17 < mawk> 2.4999 is 2 ? 17:17 <+catphish> yes 17:18 < mawk> you mean by rounding 17:18 < mawk> my way is mathematically exact 17:18 <+catphish> expressed to 1 significant figure 17:18 < mawk> 100% exact 17:18 < mawk> I can prove it right before your eyes 17:18 < mawk> 0.999... = 0.9 + 0.09 + 0.009 + 0.0009 + ... = 0.9*(1 + 0.1 + 0.01 + 0.001 + 0.0001 + ...) = 9/10 * 1/(1-1/10) = 9/10 * 10/9 = 1 17:18 <+catphish> it's hard to prove the recurring decimal thing to any great satisfaction 17:19 < mawk> by using the well known fact that 1 + a + a² + a³ + ... = 1/(1-a) if |a| < 1 17:19 <+catphish> that's cool 17:19 <+catphish> i was commenting more on ^7heo's theorem 17:20 <+catphish> i was suggesting that for sufficiently large values of 2, 2+2 may equal 5 :) 17:20 <+catphish> not sure it'd hold up in court 17:22 < ExoUNX> greetings 17:22 < mawk> courts almost ruled that pi = 3.2 17:22 < ^7heo> in the US? 17:22 < mawk> yes 17:22 < ^7heo> then it would be accurate. 
17:22 < ExoUNX> I've created a vlan in pfsense, however it doesn't seem to be working through my Netgear GS748TP 17:22 < ^7heo> pi = 3.2 flibiwoush 17:22 < mawk> https://en.wikipedia.org/wiki/Indiana_Pi_Bill 17:22 < ^7heo> imperial flibiwoush obviously. 17:23 < mawk> lol 17:23 < needle> ExoUNX: your netgear and your pfsense have have a dot1q interface connected? 17:24 < ^7heo> because a flibiwoush, or flibiwosh in US American, is defined as pi/3.2 17:24 < ^7heo> s/American/English/ 17:24 < ExoUNX> needle, tbh I don't know what that is 17:24 < UncleDrax> nothing personal, but a proposed bill != 'courts almost' :] 17:25 < ExoUNX> https://en.wikipedia.org/wiki/IEEE_802.1Q might help though 17:25 < needle> ExoUNX: go read the manual about DOT1Q first before creating VLAN's https://en.wikipedia.org/wiki/IEEE_802.1Q 17:25 < mawk> if there wasn't a mathematician that day in the court hall to restore truth, the bill would have passed, UncleDrax 17:25 < mawk> hence the almost 17:26 < ExoUNX> needle, additionally - https://kb.netgear.com/30918/How-to-configure-an-802-1Q-VLAN-on-a-ProSAFE-Web-Managed-Plus-Switch-using-the-web-interface 17:27 < needle> yes, read that ExoUNX 17:28 < ExoUNX> so I just add the vlan to the switch configuration and I should be good 17:28 < needle> and add pfSense dot1q howto to this 17:29 < needle> so looks like segment routing on end nodes has still not arrived 17:29 < needle> out there 17:35 < drathir> there are any bettter traffic control things than at switch i use per port limit at router im planning also enable per /24... 17:39 < needle> I have no clue what you are talking about, also is this a question or... 17:41 < drathir> needle: #TrafficShaping 17:52 < OliverUK> What would be the recommendation, have better encryption setup on phase 1 of an ipsec tunnel or better encryption setup on phase 2? 
17:53 < OliverUK> I was thinking it was industry standard to have better encryption on phase 1 of a connection but I just wanted to make sure :-) TIA 17:55 <+danieldg> there's no reason to use bad crypto in any part of a connection, that's the standard 17:58 < Kryczek> OliverUK: if I recall correctly "phase 2" refers to the bulk of the data traffic, so you typically want performance there 17:59 < Kryczek> OliverUK: it also depends how often the handshakes happen in your case: if it's WAN link that do phase1 only once a day for example then you can tune it to 11 17:59 < Kryczek> OliverUK: otherwise if it's for IPsec Transport traffic for example, where you might have phase 1s happening quite often then you might want to make it lightweight 18:00 < Kryczek> OliverUK: no sense in making phase 2 stronger than phase 1 though, since phase 2 derives from phase 1 18:02 < OliverUK> Kryczek: Yeah, pretty much what I thought was the case, no harm in a sanity check once in a while though, I appreciate your time. :-) 18:03 < Kryczek> OliverUK: unless you're so unlucky the hardware lacks AES acceleration (in that case use ChaCha20), you don't really have to worry about performance impact in phase 2, e.g. 
AES-NI does it at pretty much 0 cost 18:04 < Kryczek> OliverUK: watch out for DH negotiations though 18:04 < drathir> OliverUK: use wg ^^ 18:06 < Kryczek> OliverUK: especially if you have many remote offices re-establishing VPN tunnels to HQ all at the same time when the Internet there went down and just came back; I have seen a setup were that HQ box was brought to its knees because of all the concurrent DH requests and it kept timing out 18:06 < Kryczek> a setup where* 18:07 < OliverUK> Ah OK, thank you, there are going to be a few remote sites connecting so I will be looking at the performance anyway but thanks for the tip :-) 18:07 < Kryczek> :) 18:07 < Kryczek> just make sure they don't all reconnect at the same time 18:08 < Kryczek> or that the main gateway is beefy enough... in that case I think it was poor little Soekris box haha 18:09 < Zepo> I have a weird problem. I used this "iptables -I INPUT -m iprange --src-range 137.193.213.112-137.193.213.128 -j DROP" but I still see someone using the ip 137.193.213.116 ? Also I can't ping anymore... :D 18:10 < Kryczek> Zepo: "someone using" doing what exactly? 18:10 < Kryczek> connecting to you? 18:10 < E1ephant> does --src-range take hyphen notation? not a subnet? 18:10 < E1ephant> oh I guess so 18:11 < skyroveRR> Alllo E1ephant! 18:11 < Zepo> On a server. I thought I blocked the range from 112 to 128 with this one. So IP's in this range wont be able to have a con to the server. 18:11 < E1ephant> howdy! 18:11 < Kryczek> Zepo: maybe they match an earlier rule? Like an ACCEPT on TCP port 22 or something 18:12 < drathir> E1ephant: hi, hi... 18:12 < Zepo> How are iptable rules anyhow ? I thought from up to down. Like if I "allow" them earlier but block them later the latter rule would be used 18:12 < drathir> Zepo: maybe established already? 18:13 < Zepo> established mean, because they are connected while I changed this the server wont use the rule ? 
18:13 < Kryczek> if you have a -m state --state ESTABLISHED rule earlier yes 18:14 < drathir> if not killed all connections established before rule apply i guess will left untouched, but not 100% sure confirm needed on that... 18:14 < E1ephant> that too, but yeah I think iptables is first match eh? usually the other way to match would be most specific 18:14 < Kryczek> Zepo: try `iptables -Z` to reset the counters and watch `iptables -nvL` to see what counters increase? 18:14 < E1ephant> "last rule" is not a matching method any FW uses I am aware of 18:14 < Kryczek> Zepo: you can also make rules with -j LOG to get packet info in `dmesg` for example 18:15 < E1ephant> so it's gonna be the first rule you hit in a chain 18:15 < Zepo> I have the established rule but later 18:16 < drathir> with -I isnt goes to top ? even if after? 18:16 < E1ephant> can you dump a copy into pastebin? 18:16 < Zepo> my tables ? 18:16 < drathir> -I vs -A mean... 18:17 < Kryczek> drathir: -I is supposed to have a number which I guess was removed here? normally it's `iptables -I INPUT 2` to insert on line 2 for example 18:18 < drathir> Kryczek: oh didnt know that number thing always w/o... 18:18 < drathir> Kryczek: thanks for tips... 18:20 < AlexPortable> Radius every device one password, versus one password per user, what is more safe? More passwords means bigger attack vector no? 18:20 < Kryczek> oh apparently -I assumes line 1 by default 18:20 < Kryczek> I'd recommend using only -A unless you made a mistake :| 18:21 < Kryczek> AlexPortable: eh? 18:21 < Kryczek> AlexPortable: what/whom are you authenticating? :) 18:21 < Zepo> These are not mine. I am just using what I got okay ? 
18:21 < Zepo> https://paste.debian.net/1022947/ 18:21 < E1ephant> you can already track devices, I would track per user 18:21 < E1ephant> since that is a useful metric you don't get from logs 18:22 < Kryczek> Zepo: be careful that having `iptables -P INPUT DROP` at the top means you risk losing access to that machine if the script fails later on for some reason 18:23 < Zepo> Kryczek well this machine worked for 8 years now. seems to be ok 18:23 < Kryczek> Zepo: maybe bad luck will strike in year 9... 18:24 < Zepo> Kryczek Dont wish me bad luck ^^" 18:24 < Kryczek> Zepo: why the filters on MAC addresses? That's easy to circumvent 18:24 < AlexPortable> Kryczek: what do you mean? 18:24 < E1ephant> hehe yeah interesting lines here 18:24 < E1ephant> but you have a lot of FORWARD, as in this is routing/firewalling? 18:24 < Zepo> Kryczek Its just a simple "stop" - I usual get some informations from tops who is having a virus and I block the MAC for a while so they can clean their pc 18:25 < E1ephant> are you trying to block these connections locally? or from passing through the firewall? 18:25 < E1ephant> (INPUT vs FORWARD?) 18:25 < Zepo> Good questions, I don't really know and just copied what was already written. 18:25 < Harlock> AlexPortable one password means it's easier to spread and not very tracable where your leak is 18:26 < AlexPortable> well if you disregard leaks, but more look into getting into the network 18:26 < Kryczek> Zepo: you should unplug their network cable, your MAC filtering rules are not good enough :) 18:27 < Zepo> Kryczek I know. One of the big problems I have in this mess here 18:27 < Harlock> i could land spacecraft on the sun if i disregard the fusion occuring 18:27 < E1ephant> it could be fun 18:28 < Zepo> Kryczek Can you see why I cant ping local anymore with my current settings ? 18:29 < AlexPortable> Harlock well if you disregard leaks, but more look into getting into the network 18:29 < Zepo> Kyczek forgett it. 
I pinged IP's who are offline ... duh 18:29 < Kryczek> lol 18:29 < Kryczek> and here I was thinking man... I have too much of a headache already lol 18:29 < Zepo> Haha 18:29 < E1ephant> do you get destination unreachable? 18:29 < E1ephant> or just no response at all 18:30 < E1ephant> tbh you only have one block of DROP (no response) and one block of REJECT (destination unreachable) so it would be one of those two 18:30 < Zepo> Nah its fine 18:30 < Zepo> I really just pinged dudes whos pc are offline 18:31 < Zepo> works with my own 18:31 < E1ephant> lo;l 18:31 < E1ephant> :D 18:31 < Zepo> Is there a way to dumps everyone from there server for a sec . Like a reboot thats not a reboot ? (I really dislike rebooting this thing) 18:33 < E1ephant> looks like conntrack can do this? http://conntrack-tools.netfilter.org/manual.html#conntrack 18:33 < E1ephant> hmmm not sure about native iptables 18:42 < AlexPortable> Radius every device one password, versus one password per user, what is more safe? More passwords means bigger attack vector no? 18:43 < drathir> AlexPortable: personally every device own pass...' 18:43 < drathir> AlexPortable: under compromise not get compromised whoe chain of servers... 18:45 < redrabbit> ovh has top notch support tbh 18:46 < redrabbit> took under 2h to solved total from the (free) call to supprt 18:47 < redrabbit> and, I was the one who forgot to renew his failover ips 18:48 < endeebee> Hey friends using windows when i try and ping a device on my net by hostname (ping "example-box"), I get message cannot find host "example-box". Is there something i am missing for host discovery? 19:16 < ExoUNX> does anyone know if the GS748TP restarts if you add a VLAN to its configuration? 19:17 <+pppingme> if it does, I'd consider that to be a bug 19:20 < Phil-Work> ExoUNX, it doesn't 19:20 < ExoUNX> does it disrupt switch activity at all? 19:21 < Phil-Work> not that I've ever seen 19:21 <+pppingme> for the ports you're screwing with it will.. 
19:22 < ExoUNX> well, I'm not going to assign the vlan to a specific port at the moment 19:22 < UncleDrax> unless you're clobbering/disrupting some existing configuration, I would expect any switch worth a spit (even a Netgear) to not care about adding a new VLAN into the system (unless it has some weird VLAN cap or you cause a MAC table to flood or some other ancillary behavior) 19:22 < E1ephant> it sounds like a phone not a switch no? 19:23 < E1ephant> oh ignore me 19:23 < UncleDrax> but as always, if you think it could disrupt your network, and you care about traffic, schedule it appropriately and plan for a recovery 19:23 < GenteelBen> Is there anything which explains what kind of hardware the root name servers underpinning DNS run on? 19:23 < GenteelBen> I'd assumed it was some IBM mainframe shit 19:23 < GenteelBen> And not x86 19:23 < UncleDrax> ya i'm assuming the GS748TP is a 'Netgear ProSAFE switch' 19:23 < GenteelBen> But someone disputes this. 19:23 < E1ephant> why would it be that? 19:23 < E1ephant> it's just commodity servers, using anycast 19:24 < UncleDrax> GenteelBen: clusters man.. clusters. 19:24 < GenteelBen> Who are you talking to? 19:24 < E1ephant> you? 19:24 < GenteelBen> Clustered using what? 19:24 < E1ephant> ibm... 19:24 < E1ephant> x86 servers 19:24 < GenteelBen> ... 19:24 < E1ephant> some HP and Dell too :P 19:24 < GenteelBen> Well this is disappointing. 19:25 < E1ephant> is it? 19:25 < GenteelBen> Why wouldn't it be? 19:25 <+pppingme> GenteelBen why assume a mainframe? root servers really don't get that much traffic, in the range of 10's of thousands of hits a day 19:25 < GenteelBen> Hmm good point. 19:25 < E1ephant> very well distributed as well 19:25 < GenteelBen> What about ISP DNS servers? 19:25 < E1ephant> that one IP may be served by hundreds of servers 19:25 < GenteelBen> Let's say, Verizon's DNS server architecture 19:25 < GenteelBen> Is it x86? 
19:25 < E1ephant> if it's a good ISP, they should be well anycasted as well 19:25 <+pppingme> but yes, several of them do publish their setup, and as far as I know, the majority are indeed on x86 hardware running bind 19:26 < GenteelBen> Hmm, that's surprising. 19:26 < UncleDrax> also many of the root server operators maintain websites, some talk about thier architecture. all comply to RFCs 19:26 < E1ephant> no doubt vzn is using x86 to drive dns 19:26 < GenteelBen> I shall ask them, UncleDrax. 19:26 < E1ephant> why would you use something more expensive, for a very menial, easy done task? 19:26 < GenteelBen> I wish you well on your journey to avenge your family. 19:26 < UncleDrax> I'm sure there are videos from conferences that talka bout this 19:27 < E1ephant> especially when people are finding they have extra x86 all over the place as they consolidate to VMs 19:27 < UncleDrax> most of the Roots just run BIND.. same as you could today 19:28 < UncleDrax> https://en.wikipedia.org/wiki/Root_name_server#Root_server_addresses plenty of BIND. 
so you don't have to run x86, (you could run PPC, or probably even ARM, so long as you can run the software) 19:28 < E1ephant> I worked at an ISP hosting roots, and we did two per PoP 19:29 < E1ephant> eventually, it was just two VMs per PoP 19:29 < E1ephant> two was more about redundancy, than any demand 19:29 < UncleDrax> ya root nodes have definately proliferated (a good thing) 19:31 <+pppingme> GenteelBen the thing to remember about mainframes, they are awesome at massive I/O, and don't skimp when cpu's hit 100%, with those being their target market, neither of these really defines a root dns server 19:31 < E1ephant> good explanation, specific tool for a specific job 19:31 < E1ephant> serving DNS turns out to be very basic and rudimentary 19:31 <+pppingme> especially root servers, tld's on the other hand do generate a bit more traffic 19:32 < atten10> use pi-hole or be squared 19:32 < E1ephant> plug for powerdns 19:32 < E1ephant> the greatest of all time :P 19:33 < ExoUNX> lame, the most quiet switch I can test this on still connects our phone systems 19:33 < ExoUNX> will have to wait just to be safe 19:33 <+pppingme> ExoUNX you don't have a spare? 19:34 < ExoUNX> nope 19:34 < ExoUNX> well, that's netgear 19:34 <+pppingme> seems like a bad idea for something thats so core to you, yet so cheap 19:34 < ExoUNX> we have spares, but nothing to test with 19:42 < Psi-Jack> Can someone help me better understand what are and how to effectively use STP/RSTP options, such as Priority, Admin-Edge-Port, Auto-Edge (kinda understand this one), Root Guard, TCN Guard, BPDU Protect, BPDU Filter, and point-to-point? I'm trying to setup an OpenVSwitch 3-way VXLAN, and stop duplicates/looping from occurring, and have a reliable network. 19:42 < ExoUNX> Psi-Jack, damn, that's a couple college courses there lol 19:42 < Psi-Jack> heh 19:44 < UncleDrax> BPDU Filter: filter out any BPDU packets the port receives. 
obviously you should never do that if the far side could ever create an L2 loop (and you're not running something other then STP) 19:44 < UncleDrax> Priority is just a priority (read up on Bridge elections, super easy). 19:45 < Psi-Jack> I guess I might need to try to simplify my configuration a tad. Right now, I have a bridge that swallows the ethernet port, and a TEP port which gains the IP. Then I have another bridge that gets added to the previous bridge which consumes the vxlan tunnels, and the VM's tap interfaces. 19:49 < UncleDrax> RootGuard does pretty much what it says, guards the root port. (you can read up on the details) 19:49 < grawity> as I also tried to understand it... point-to-point ports can safely assume there's only one switch on the other end (i.e. it's not hub-like shared medium), so they can do a much faster RSTP handshake than otherwise; and edge ports (aka portfast mode) assume they're connected to an end device, not a switch, so they skip the 'learning' state and go straight to 'forwarding' 19:49 < UncleDrax> most of the others I'm not sure specifically what do.. google will help you there. if they are Ciscoese, it's probably decently documented 19:50 < grawity> ("admin edge" is the initial manual setting, "auto-edge" makes it automatically switch back to 'off / non-edge' if it detects a switch) 19:50 < grawity> the rest is weird stuff 19:51 < grawity> actually, I've never quite understood how "BPDU filter" is different from just disabling STP on the port 19:51 < Psi-Jack> hehe. 19:52 < Psi-Jack> Oh yay! Got ping back so far, and without duplicates. :D 19:52 < grawity> "BPDU protect": I guess it's like "BPDU guard" in other models, diables the port completely if the device tries to talk STP 19:53 < Psi-Jack> Ahh that makes sense. 
19:53 < mawk> Kryczek: I went with the netlink socket to subscribe to the RTMGRP_LINK and RTMGRP_IPV4_IFADDR multicast groups then I poll it, and I receive every networking update seamlessly, it's very nice; I used libmnl from the netfilter guys, it's a set of helpers for netlink
19:53 < grawity> I mean, you wouldn't want someone accidentally enabling STP on their WinXP box, and becoming the root port of the entire LAN
19:53 < mawk> now I just have to watch for every subtle race condition that is hidden in there
19:53 < Psi-Jack> Obviously, leaving that off for ports that run bridges is not going to work. :)
19:53 < mawk> if I could lock the whole userspace but me it would be much easier lol
19:54 < Psi-Jack> It may've just been as easy as enabling RSTP on the actual vmbr2 which housed the vxlan ports and VM taps.
19:55 < Psi-Jack> I had it on the br0 which housed the eth1 and tep0 only.
19:55 < mawk> hey br0
19:55 < Psi-Jack> br0 me some stp. :)
20:11 < Amnesia> question, how do programs determine when to stop reading data from a socket, e.g. a client sends 350 bytes, and the server uses recv(100), how does it know to stop receiving after 3,5 iterations?
20:11 < Amnesia> suppose the client sends an EOF char ?
20:12 < Zepo> I am back with more questions ! :) Haha - So I wonder why but my server is still giving some IPs all the download speed. Am I able to put myself into a higher priority there ?
20:13 < Zepo> So if I want to download something or surf the web the server allows me to use more traffic ?
20:13 < Phil-Work> Amnesia, there's usually a terminator of some description, yes
20:14 < Amnesia> Phil-Work: do you happen to have any idea what particular byte this is:D?
20:14 < Amnesia> Zepo: utilize QoS
20:14 < Phil-Work> Amnesia, depends on the protocol
20:14 < Aeso> Amnesia, there's typically some kind of message structure that's often unique to the application
20:15 < Amnesia> Phil-Work: layer 4 protocol I assume?
20:15 < Aeso> yep
20:15 < Phil-Work> Amnesia, Layer 7
20:15 < Phil-Work> for example, HTTP terminates requests and responses with \r\n\r\n
20:16 < Psi-Jack> Wooo, ping still working without duplicates or degradation. Sheesh. All I had to do to fix my actual problem was enable rstp on: either the right bridge, or both bridges.
20:16 < Aeso> actually, that's more of a presentation layer thing (layer 6)
20:17 < Aeso> but anyways it's above layer 4, which puts it outside the scope of most of the people in this channel :)
20:17 < Phil-Work> it's not - layer 6 is broadly hidden from most applications as it's handled by a library such as openssl
20:17 < Amnesia> ack, ty gents;)
20:18 < Psi-Jack> Who was that again?
20:22 < pvl1> is it a de facto standard to put webservers on a www subdomain? does it even matter anymore
20:24 < fstd> hey ##networking, in Ethernet, is a "Link" (as in, PHYs notice they're connected, Link-LEDs light up) a Layer 1 concept or a Layer 2 concept, OSI-wise?
20:24 < mawk> are the psd and lscan iptables modules complementary ?
20:24 < pvl1> physical layer fstd
20:25 < fstd> pvl1: thanks
20:25 < mawk> psd detects port scans by some means, and lscan detects TCP stealth scans, TCP SYN scans, TCP connect scans, banner grabbing scans
20:25 < mawk> should I use only one or both ?
20:25 < pvl1> fstd: i think it's more important to understand what layer 2 entails, than where ethernet falls in the layers
20:25 < pvl1> https://en.wikipedia.org/wiki/Data_link_layer
20:27 < fstd> pvl1: sure. it was just an argument that came up. a device didn't get a link, i called it a L1 problem, coworker objected that since L1 *are* the actual cables/terminations, a "link" over such gear must be on the next layer
20:27 < fstd> i felt that was wrong but i wasn't absolutely sure, hence me coming here to scratch that itch :-)
20:29 < ||cw> pvl1: yes, www should still answer.
you can have a site answer for both, or have one redirect to the other
20:31 < ||cw> fstd: if you don't get a link because the cable is faulty, then it's L1 still
20:31 < pvl1> ^^ my point
20:32 < pvl1> ||cw: i set up something weird where www. forwards to domain.org
20:32 < pvl1> instead of remaining www.domain.org
20:32 < pvl1> i kinda dont care? unless im gonna be given a reason to care....
20:32 < ||cw> it's not that weird
20:32 < AlexPortable> drathir: but won't that create more passwords?
20:33 < ||cw> as long as www gets you there it's all just preference which way that happens
20:33 < pvl1> ur weird
20:33 < pvl1> ||cw: i figured it won't matter much. thanks!
20:34 < ||cw> what's weird is when you say things like "go to webmail.domain.com" and they repeat back "ok, going to www.webmail...."
20:35 < pvl1> aah that's a good point
20:35 < pvl1> should prolly check for that
20:39 < fstd> ||cw: yes, true
20:39 < fstd> thank you both
20:43 < fstd> now that i think about it, i guess the best argument for L1 would be that 'link' has to be a state of the PHY
20:43 < fstd> (for obvious reasons that i still can't put into coherent words :s)
20:46 < LFSveteran> looking for an elegant way to wait for a vpn interface getting ready
20:46 < LFSveteran> had this: https://pastebin.com/7NJQnvKT but it has no timeout and [[ isn't recognized by bash scripting
20:46 < LFSveteran> in bash it works
20:47 <+pppingme> what are you waiting to do before it comes up??
20:48 < LFSveteran> tun0 is up but the tunnel isn't active yet
20:48 < LFSveteran> I want to wait till tun0 has a valid ip
20:48 < LFSveteran> wait until tun0 has ip
20:49 <+pppingme> what's waiting on it to come up?
20:53 < LFSveteran> I'm creating a script that has to handle some connections when the VPN is up, but firing up the VPN connection and directly doing the handling is too fast
20:54 < LFSveteran> so what I'm trying is set up the connection, wait until tun0 is ready and has an IP indicating the tunnel is established and then do the rest of the job
20:55 < LFSveteran> but what if the VPN is never coming up? then the script will infinitely wait, so a timeout is needed
20:56 < LFSveteran> maybe do check within a certain time, if ip within time then continue if time is up, exit with error..
20:57 < obcecado> what vpn are you setting up LFSveteran ?
20:58 < pythonirc101> can anyone help me construct an RTS frame using python?
20:59 <+pppingme> LFSveteran just loop the "check" say 15 times, and "sleep 10" between tries..
21:02 < Zepo> This server is so weird.
21:02 < Zepo> I tried to install wondershaper and tested it. But instead of equal share I just get lower rates for everybody.
21:02 <+pppingme> why?
21:03 < LFSveteran> hmm yes also a possibility , just adding a counter
21:03 <+pppingme> and sleep so it doesn't loop and retest too fast
21:03 < Zepo> I have a server for a flat, we have about 50mbs download rate. yet only 5 people can get up to 2-3mbs while the rest is under 1mbs.
21:03 < AlexPortable> my router says my switch is connected on 100 mbps, how do i diagnose this? i believe it's a gigabit switch
21:04 < obcecado> some vpn daemons have the possibility to run scripts after tun interfaces get an ip
21:04 < LFSveteran> ^^ checking openvpn manpage
21:05 < obcecado> --up
21:05 < obcecado> is what you're looking for
21:05 < obcecado> :-]
21:05 < LFSveteran> checking thx
21:07 < UncleDrax> AlexPortable: verify the switch and router are both GigE capable, and are not configured for 100. Failing that, replace patch cord. Actual diagnosis is to get a LAN tester (or just a laptop with known Gig-link capabilities) and plug em up.
21:08 < AlexPortable> patch cord is kinda built in
21:08 <+pppingme> AlexPortable what model switch? also, the cable between them, where did it come from?
21:09 < AlexPortable> switch is Netgear JNR3210, cable between them is inside the house for quite some time already
21:15 <@pppingme> AlexPortable so this is a "home-made" cable, that you put the ends on, or a completely factory made cable?
21:15 < AlexPortable> factory, but it looks home made
21:15 <@pppingme> what do the markings on the side of the cable say? cat5? cat5e? something else?
21:15 < AlexPortable> 5e
21:15 < UncleDrax> AlexPortable: 'built in patch cord'? I roll to disbelieve. I succeed.
21:16 < AlexPortable> UncleDrax: sorry, what?
21:16 < UncleDrax> joke, don't worry about it
21:17 <@pppingme> AlexPortable if you look at the ends closely, are all 8 wires in it (count the wires, not the pins), and do the colors of the wires match on both ends?
21:17 < AlexPortable> yes
21:18 <@pppingme> sounds like a suspect cable to me, possibly damaged..
21:18 < UncleDrax> have a laptop or other device that you KNOW can link at GigE you can plug into each of the other devices just to check for link state?
21:58 < AlexPortable> UncleDrax: tested it just now, still getting only 100 out of it
21:58 < AlexPortable> ends match, laptop with gigabit is still on 100 on the same cable
22:18 < TandyUK> dodgy cable then
22:22 < Apachez> well, this sucks: https://www.youtube.com/watch?v=tpa4kp4lK60
22:25 < S_SubZero> an old colleague of mine had a brain tumor removed. Since he was hardcore, and insane, he came to work soon after it was done. The stitches on the side of his head were like baseball stitches
22:26 < spaces> Apachez it does but why do people need to share on YouTube by themselves ?
22:26 < spaces> I might be under the bus tomorrow
22:26 < spaces> or you
22:27 < spaces> or Trump (which would be a pain for the bus tho)
22:28 < LFSveteran> lol
22:28 < TandyUK> trump under the bus would be good, particularly if it's the world's biggest heaviest bus, and there were like 50 of them in a pile
22:28 < LFSveteran> and the bus company can sue the family trump
22:31 < spaces> TandyUK now that is not nice sir
22:31 < S_SubZero> it's an offense to busses
22:32 < S_SubZero> at some point our politics will become so polarized that someone is gonna go postal in the Senate and it just becomes a battle royale and it will be so wonderful
22:37 < Apachez> spaces: perhaps to let people know why they will be offline for some time
22:41 < spaces> Apachez could be, it's good to not start a rumour, but this is too much if you ask me and not needed. Everyone who has such thing (and indeed I know what I'm talking about) is emotional about it but first see how it turns out. I know people who became blind when they woke up or it happened during their sleep and they are still full of life, it took them just to settle down. What I mean is... the reactions on such videos
22:41 < spaces> about how sad it is won't help you that much if you ask me
22:42 < spaces> and if she was a CEO of some big firm, like Steve Jobs had, you simply cannot let it be known because the stock value will collapse (also very strange)
22:43 < spaces> conclusion, the world is strange with its people in it
22:50 < Apachez> well that escalated quickly: https://www.wsj.com/articles/pentagon-asking-military-bases-to-remove-huawei-zte-phones-1525262076 after refusing to install NSA backdoors :D
22:57 < spaces> Apachez rumours is what the world dominates
23:03 < Apachez> well good for you
23:04 < spaces> Apachez I would not know why, I dislike the people who do it
23:05 < Apachez> dislike people who are good for you?
23:05 < Apachez> whatever floats your boat...
23:17 < spaces> Apachez also the people who apply the backdoors, what are you trying to say ?
23:19 < Apachez> think of the children?
23:20 < spaces> eh ?
23:20 < spaces> do you think about someone else his coffee too ?
23:20 < spaces> because I doubt it
23:24 < Apachez> http://englishrussia.com/2018/04/26/what-russian-army-does-with-soldiers-mobile-phones-photos/
23:25 < Apachez> spaces: I think you need a hug
23:34 < UnsaneVirusez> Hello my friends, which tool would you recommend online to test the security of my email server setup?
23:34 < UnsaneVirusez> Including spam
23:38 < light> UnsaneVirusez: mxtoolbox
23:38 < light> Set up SPF, DMARC and DKIM, then SpamAssassin and a few DNSRBLs
23:40 < TandyUK> pyzor too
23:41 <+catphish> does anyone happen to know how scsi commands are kept in order when multipathing is used?
23:42 < spaces> Apachez hugs are always welcome!
23:45 <+catphish> oh, i see how
--- Log closed Thu May 03 00:00:06 2018