--- Log opened Fri May 04 00:00:03 2018
--- Day changed Fri May 04 2018
00:00 < S_SubZero> the one that connects me to the endpoint
00:00 < ghostyy> whoa i want that one
00:00 < ghostyy> which one is that?
00:00 < S_SubZero> that one
00:00 < yuljk> Using StrongSWAN on Android and Greenbow VPN on Windows for IKEv2 stuff
00:01 < ghostyy> ooh
00:01 < ghostyy> yeah i wanna use it on android + linux systems i think
00:06 < redrabbit> openvpn
00:33 < drac_boy> hi
00:34 < ash_work> o/
00:34 < drac_boy> just had to wonder but like in general whats the minimum you need in term of hardware (well, ups aside) for to be able to extend adsl service to a further point on map?
00:37 < xamithan> You mean like a dsl repeater ?
00:37 < drac_boy> yeah
00:38 < xamithan> telco uses those in really rural areas. As a consumer I doubt you could use one
00:39 < drac_boy> so its just one single box .. like with wifi repeater?
00:39 < xamithan> https://www.idpc.com/loop-extenders.htm
00:41 < drac_boy> xamithan I must have been using the wrong keywords when I first thought about it this morning .. thanks for that link
00:41 < drac_boy> anyway yeah I don't doubt you about it not being available to random peasants :)
00:42 < xamithan> A random peasant would have to settle for a point to point link wireless =/
00:45 < drac_boy> xamithan heh well ptp does have its own new issues in certain conditions too but fair enough still :)
00:45 < drac_boy> that aside hows you tonight?
00:48 < electricmilk> SonicWALL is asking for a hostname under WAN interface settings only when I choose DHCP. Any idea on what I'm supposed to put there?
00:48 < electricmilk> Its just connecting to Cox Business Cable
00:49 < electricmilk> Doesn't look required
00:49 < xamithan> Just asking you what you want the sonicwall to be called
00:51 < electricmilk> xamithan, But its under the WAN interface port setting and only when set to DHCP...when clicking static the hostname field disappears
00:51 < electricmilk> Its not the system wide setting for the device hostname
00:51 < xamithan> Its a setting for the WAN port hostname
00:52 < electricmilk> weird. Any idea why its asking for a WAN hostname only when using DHCP?
00:53 < xamithan> No idea, I'm just going by what the manual says
00:54 < electricmilk> Come to think of it...where is the damn hostname setting for this device??
00:54 < electricmilk> Ugh Sonicwall
00:54 < THE_GFR|WORK> I really dislike Sonicwall
00:54 < electricmilk> It has a "Firewall Name" section which I imagine is the hostname
00:55 < electricmilk> You do get a lot of features for the price...and we were given a TZ300 and a TZ500 for free with enhanced security licenses of 3 years
00:55 < electricmilk> But yea...configuring is a bitch
00:55 < xamithan> I've never actually used a sonicwall but I see lots of them. The older ones that only do 100m
00:56 < electricmilk> These are new...honestly not as bad as I thought. The older ones I worked on were HELL
00:57 < electricmilk> okay so I take it they call hostname "Firewall Name"...but on interfaces with DHCP its called a hostname..so confusing
00:58 < electricmilk> Screw it I'm gonna scan it with nmap -A and see what it says for the hostname. Good way to test the IPS/IDS
00:59 < THE_GFR|WORK> yea
01:01 < electricmilk> hmm. no hostname coming up
01:01 < electricmilk> Logs: Flood Protection Alert Possible SYN Flood on IF X0 - src: 192.168.254.126:54013 dst: 192.168.254.1:3404 ; Attacks Alert TCP Null Flag dropped ; Attacks Alert TCP Xmas Tree dropped
01:12 < drac_boy> xamithan not to go a bit too off here but if theres one thing I really don't like .. its that almost no one ever sells a dsl modem anymore which sometimes makes it difficult to do repairs even less new install at times :-|
01:13 < electricmilk> Dude I can't even configure the X3 and X4 interfaces on this thing...what the heck SonicWALL
01:14 < xamithan> Good, DSL needs to die and make room for fiber
01:14 < electricmilk> Fiber is too expensive out here
01:14 < electricmilk> Running Ethernet over Copper and Cable :-/
01:15 < drac_boy> xamithan wrong
01:15 < drac_boy> electricmilk and fiber access can't even work without copper still needing to be there too anyway so its a moot point
01:15 < xamithan> The DSL provider here can't give more than 20/.5 meg
01:16 < electricmilk> Our main office is running a pitiful 25Mbps up/down
01:17 < electricmilk> Ah I figured it out...I had to go to "portshields" and set the interfaces as unassigned
01:17 < electricmilk> I wish there was a sonicwall channel on this server
01:17 < S_SubZero> make one
01:17 < drac_boy> electricmilk all I care for is getting the handshake for 5-10mb .. its only very rare that even 5mb wouldn't stay up and I have to then phone the super-high tech line and ask them to take over this house for me
01:17 < drac_boy> :)
01:17 < electricmilk> Bah..alright
01:27 < electricmilk> meh alright so I made ##sonicwall. If anyone ever has SW questions please send them over.
02:15 < Johnjay> i guess my question is is it a company or a product
02:15 < Johnjay> https://en.wikipedia.org/wiki/SonicWall
02:19 < electricmilk> Johnjay, Both
02:19 < electricmilk> I'm dumbfounded people haven't heard of SonicWALL
02:20 < ^7heo> yet they know that ubuntu is for power users
02:20 < ^7heo> see how life is awesome?
02:21 < ^7heo> full of clever people
02:23 < electricmilk> hehe
05:25 < ironpillow> hi all, question regarding meraki guest ambassador https://meraki.cisco.com/blog/2013/05/guest-ambassadors-providing-simple-and-secure-guest-access/. Does it use RADIUS in the background? thanks :)
06:04 < Nautilus> I have a device I've added to my Netgear router (WNDR3400v2) which obtained a DHCP'd IP at install time. I've since made an Address Reservation for the MAC address in the DHCP range, but it won't move off the original IP to the reserved one. Any ideas how I can do that? Is there a way to expire a lease?
06:10 < SporkWitch> Nautilus: search "renew ip on [operating system]"
06:11 < Nautilus> oh you mean the deive end, didn't think of that, hmmmm. an IoT thing, but lemme sign in
06:12 < Nautilus> device*
06:13 < SporkWitch> yeah; the client has no reason to check until the lease expires
06:15 < Nautilus> Makes sense, but don't have that option in the UI.
06:16 < SporkWitch> what is it?
06:16 < SporkWitch> and what was the result of the search i told you to run?
06:16 < Nautilus> D-Link DCS-936L (wifi camera)
06:17 < Nautilus> can't search on an unknown "OS"
06:17 < SporkWitch> disconnect and reconnect
06:17 < Nautilus> have done that
06:17 < SporkWitch> with a bare minimum of critical thought you could replace [operating system] with [device model]
06:17 < Nautilus> left it off 24 hours but the lease is probably more like 7 days.
06:17 < Nautilus> ah, sorry ;)
06:18 < Demos[m]> ugh.... ipsec
06:18 < Demos[m]> please kill me
06:18 < Demos[m]> spent all day setting up goddamn libreswan
06:22 < Nautilus> SporkWitch: my search "renew ip on D-Link DCS-936L" is coming up short on my issue. One thing the UI will let me do is set a static IP address. I could change that (to something outside the DHCP range), but am unsure if it then just "shows up" in the router there after a reboot. Don't want to lose control of it.
06:23 < SporkWitch> Nautilus: assuming you've configured the static lease correctly, just set the static on the device to the desired IP then set it back to dhcp
06:24 < Nautilus> ohh, ok, that sounds like a great idea
06:30 < veek> are there any cheap/adsl+wifi-2Mbit BUT secure router alternatives to dlink
06:30 < Nautilus> sprodag nab, back to the original IP
06:30 < Nautilus> SporkWitch: dag nab, back to the original IP
06:31 < skyroveRR> veek: all commercial ADSL routers are shitty as fuck, forget about security.
06:31 < SporkWitch> Nautilus: dunno what to tell you mate; assuming you correctly configured the static lease on the DHCP server, this is an issue with the device, not a networking problem
06:31 < skyroveRR> Hi SporkWitch
06:31 < SporkWitch> hi...
06:32 < Nautilus> SporkWitch: yep, I agree about device issues
06:32 < veek> wish there was a way to diy adsl
06:33 < skyroveRR> veek: well, there isn't.
06:33 < skyroveRR> Next question.
06:33 < Nautilus> adsl modem and separate router doesn't help him?
06:35 < veek> Nautilus, i just use one laptop so a router isn't really necessary
06:35 < veek> i used to use adsl in bridge mode.. but the trouble is the lousy security on the adsl
06:36 < veek> i worry about open ports or not firewalling Xorg on the pc
06:36 < Nautilus> wired connection to the laptop?
06:36 < veek> so it would be nice to have a 2stage process
06:37 < veek> yeah - pretty much till yesterday i bought a dlink-adsl+wifi
06:37 < veek> but i can't close off the dlink lan ports - buggy firmware
06:38 < Anatzum> I need to test an api to see how well it handles mass requests, Is there a server service that takes all traffic and discards it? The only thing I could think of would be to spoof and ddos it but I would need a recipient that just discards all that traffic. Is there a better way to do this?
06:38 < Nautilus> veek: what I'm getting at is a simple adsl modem connected to a better router
06:39 < veek> Nautilus, what features would the router have to enforce security? what features should i be looking for
06:40 < Nautilus> oh wait, you're looking to turn off lan ports?
06:41 < Nautilus> so get a wifi only unit to plug into the modem?
06:41 < veek> Nautilus, the dlink-adsl-wifi has acl's for its ports.. i blocked modem-dtp/telnet/ping using acls but i can still connect so.. it's not working (internal lan-side)
06:41 < veek> s/dtp/ftp
06:43 < veek> Nautilus, lets say i did things afresh.. what router features should i be looking for.. eg: if the adsl gets hacked, the guy could spoof arp or snoop (on a hub type router)
06:43 < SporkWitch> an all-in-one isn't working right? this is unheard of. Next thing I know you'll suggest water is wet
06:44 < Nautilus> you're getting a bit past me, sorry. I think of an ADSL modem as npthing more than DSL wires in and an Ethernet port. Blocking and such happen more in the router.
06:45 < Nautilus> nothing*
06:46 < Project86__> mawk: drathir , y'all here?
06:46 < veek> Nautilus, well even a simple adsl comes with telnet/ftp/snmp/web/dns/iptables and a cpu/32mb ram so.. if it does get hacked.. the guy could redirect traffic directly from the simple adsl
06:47 < Nautilus> oh. I think there's simpler ones.
06:47 < veek> bridge mode only protects the wan side of things.. but the guy can hop into the modem from the lan side
06:47 < veek> Nautilus, ah name?
06:50 < Nautilus> anything thats JUST a dsl modem. Not a recommendation, but like this: https://www.amazon.com/SpeedStream-5360-Ethernet-DSL-Modem/dp/B00006HW8A
06:50 < Nautilus> aaand i just realized I dont know what the A means in ADSL
06:52 < Project86__> Perhaps not... either way, I used their help to change my dns to 'netgateway 9.9.9.9' in resolv.conf. however there is a 2nd gateway that looks like an extended bssid number (syntax-wise). And when I "cat /etc/resolv.conf" it still responds with Hitron something or another (god I hate them). So did I not change dns? I saw a tut where they changed it in another file (dhcp.d* I believe)
06:54 < Nautilus> veek: this is an ADSL modem: https://www.ebay.com/itm/Siemens-SpeedStream-4100-Ethernet-ADSL-Modem-with-Power-Adapter/173296027669?hash=item28593f8815:g:JS8AAOSwng9ZsrLa
06:56 < veek> Nautilus, hmm.. so it bridges the wan with the lan side? trying to understand what's the diff.. can someone flash the firmware with their own tools?
06:57 < veek> does it use a microcontroller/cpu/ram/flashmem?
06:57 < Project86__> I guess I'm asking 1) what does changing dns in resolv.conf do, if not completely change the dns? 2) what is the secondary gateway for and do i need to modify that one as well? 3) if I change all settings successfully, will "cat /etc/resolv.conf.conf" respond with a hitron line either way, since that's the router in use?
06:58 < veek> Project86__, resolv.conf can search order for dns - secondary's used if primary's slow
06:59 < veek> man resolv.conf
07:00 < Nautilus> veek: it has phone-line based DSL upstream (copper pair) 'input', and a single Ethernet downstream 'output', a fairly dedicated device. I assume it has smarts inside but not a lot of compromise can happen there.
07:00 < Project86__> veek: so they go in order from top to bottom?
07:02 < veek> Project86__, you can check that with tcpdump -i ppp0 -s0 -a -n
07:02 < veek> err -A -n
07:02 < veek> and dig yahoo.com
07:06 < Project86__> Veek the first command is just showing a bunch of router advertisements coming in. Dig yahoo.com, I don't understand the output
07:07 < veek> dig queries the dns servers.. and tcpdump shows you which nameserver's being queried first
07:07 < Project86__> veek: all these commands are new to me as well, it seems man just tells what something does? Very useful, thank you.
07:08 < veek> man = manual
07:08 < Project86__> Awesome
07:09 < Project86__> Dig said it took 21msec to reach the 6 ips
07:09 < Project86__> Tcpdump seems like what wireshark does, correct?
07:09 < veek> yeah
07:10 < Project86__> Neat
07:11 < Project86__> But this dig output, how does that tell me my dns is working properly?
07:11 < veek> because firefox and all the other apps use the same underlying library/dns-thingy dig uses
07:12 < veek> The resolver is a set of routines in the C library that provide access to the Internet Domain Name System (DNS
07:12 < veek> resolver configuration file contains information that is read by the resolver routines the first time they are invoked by a process.
07:15 < Project86__> But if i ran the dig command with default settings in resolv.conf, dig would still work, right? So how do i tell the difference by output?
07:52 < xz> hi there, I'm trying to set up .htaccess/.htpasswd method to password protect a website/directory. I followed that tutorial: http://www.htaccesstools.com/articles/password-protection/ but as of now nothing is password protected. The caveat in my case is that all website files physically exist within /home/me/website/ and they are symlinked to /var/
07:52 < xz> www/html/
07:52 < xz> do you have any experience with setting up .htpasswd? I might be using wrong directories, or .htpasswd might be incompatible with symlinks
07:56 < detha> xz: do you have the appropriate allowoverride in your main config?
07:57 < xz> detha I don't think I do, here is my config: https://hastebin.com/rerokexuqu.apache
07:58 < xz> wait, that's not main config, is it?
07:59 < detha> xz: sorry, can't read javascript bins. But you should have allowoverride authconfig somewhere on the site or directory level
08:00 < xz> detha should it be in apache2.conf or within my website conf file?
08:01 < detha> website main config should suffice. The manual says to preferably not do this in your main server config, or something to that effect
08:02 < xz> ok, let me play with it
08:10 < xz> kind of works now, at least I get pop-up asking for username and password. However, I enter correct credentials (ones from .htpasswd file) and it won't redirect me through it
08:11 < xz> asks to input login/password again :/
08:12 < xz> I think password in .htpasswd has to be md5 instead of clear text
08:13 < detha> Check log files, password file needs to be spec'ed as absolute path
08:13 < xz> yeah, md5 worked
08:13 < xz> sweet
08:13 < detha> cool
08:13 < xz> is the .htaccess/.htpasswd reliable method?
08:14 < detha> as reliable as the web server
08:15 < detha> note that when using http it goes over the line in clear, so only use it on https. Another thing is that there is no way for the server to log someone out
08:20 < xz> right, I have everything over HTTP now
08:21 < xz> do I have to do cert and all that fun stuff to enable HTTPS?
08:25 < detha> yes. letsencrypt is your friend
08:27 < xz> ok will do that
08:27 < xz> I also need a domain as I remember
08:27 < xz> https is so much work
08:30 < detha> yes. and not needed in most cases, except for authentication. If http had included a non-sucky way for authentication, things would have been a lot easier
08:46 < psprint_> I want to run redis-server through tunnel, as redis sends passwords and data in clear text. I cannot recall why ssh tunnel wasn't an option. Has anyone setup remote redis-server, how? It should be: machine-A = redis-server, machine-B = 127.0.0.1:1234 (port leading to machine-A:1234)
09:15 < Kershaw18> hey
09:16 < Kershaw18> is there any way i can connect my laptop to my television without a hdmi cable
09:16 < Kershaw18> like wirelessly
09:17 <+pppingme> Kershaw18 what os?
09:17 < Kershaw18> windows
09:17 <+pppingme> 10?
09:17 < Kershaw18> yeh
09:17 <+pppingme> possibly
09:18 < Kershaw18> what about my phone
09:18 < Kershaw18> cause i have android not iOS
09:18 < Kershaw18> connect to my TV
09:18 < Live> well what TV do you have
09:18 < Kershaw18> a fairly new one
09:18 < Live> thats very specific ;)
09:18 < Kershaw18> it has internal antenna
09:18 <+pppingme> android supported it for a little bit, but recent versions have dropped support for wireless screen sharing
09:24 <+pppingme> Kershaw18 you're looking for "miracast" some tv's have it built in, you can find dongles for under $20
09:24 < Kershaw18> is this like bluetooth
09:25 <+pppingme> it actually works over wifi-direct
09:25 < Kershaw18> i will look into it
09:27 <+pppingme> its great for slides, presentations, etc.. not so great for video
09:46 < phre4k> Kershaw18: what TV? Miracast goes by many names nowadays
09:47 < Kershaw18> i dont know the fucking specs its TCL
09:47 < Project86__> pppingme: I thought they had a new android one to work with mirrorcast? Used to be called AllCast
09:47 < grawity> allcast seems to be a proprietary app
09:47 <+pppingme> earlier versions supported it natively, now its just an add-on, like any other app
09:49 < Project86__> I just know I saw a recent tut to mirrorcast showbox from phone. It didn't show as a mirrorcast device however. And further settings didn't seem to work. It linked, just no mirror. That was a shittt tablet though, haven't tried from my phone.
09:50 <+pppingme> I think it was just android 4.x that supported it, nothing older, nothing newer
09:51 < Project86__> I may have used wrong setup too. But I am pretty sure I did everything right. I was going to mirrorcast from phone to win10 laptop, that has hdmi to large monitor (the minister isn't "smart" though)
09:52 < Project86__> pppingme: maybe I should downgrade on one of my 4 old phones to run 4.4 then
09:52 < Project86__> *monitor. Lol
09:52 <+pppingme> I'm not even sure all versions of 4.x supported it, like I said, it seemed to have a very short life on android
09:52 < grawity> hmm it's present in my stock android 6, did they remove it in 7?
09:53 < Project86__> It's present in mine too, but there's also a sharecast? Something similar. Newer. Says it evolved from AllCast
09:53 <+pppingme> I've got android6 devices its not supported.. maybe added back in by manufacturer??
09:53 < grawity> manufacturer being Google in this case
09:54 < grawity> I've successfully "casted" the thing into a Win10 laptop, haven't tried actual TVs though
09:54 <+pppingme> sweet
09:54 < grawity> maybe it's *removed* by manufacturers
09:54 < grawity> since wifi direct needs some additional hardware capabilities
09:54 < Project86__> grawity: how did you accomplish it?
09:54 < Project86__> To win10
09:54 <+pppingme> my phone and tablet both do wifi-direct
09:55 < Project86__> pppingme: same
09:55 < grawity> Project86__: literally enabled the feature in Settings and it showed up in my phone
09:55 < Project86__> Yet it would only see it as a regular bt
09:55 < grawity> though android 6 has a checkbox (off by default) "Enable wireless displays" in the Cast menu
09:55 < Project86__> grawity: lol. Yeah, I tried all that once
09:55 < grawity> I think *by default* it only shows Chromecast if that's off
09:56 < grawity> but yeah, no apps were used
09:56 < Project86__> Didn't chest cast menu...
09:56 < grawity> it was bloody useless though
09:56 < Project86__> Oh? So not worth movies?
09:56 < grawity> idk, like I said I didn't try with a TV personally
09:57 < Project86__> I got mine to do the pic vast and DOWNLOADED vid. But not live stream
09:57 < Project86__> *cast
09:58 * Project86__ getting tired. Can't type right
09:58 < grawity> https://i.imgur.com/xbiH3aQ.png
09:59 < Project86__> About to check it
10:02 < Project86__> Speaking of windows grawity , is there a way to completely turn off the annoying updates that happen even when you have autoupdates off, and it says, hey, sorry, we're downloading stuff.
10:02 < grawity> ¯\_(ツ)_/¯
10:03 < grawity> I don't care, it's not like we have data limits here
10:03 < Project86__> Even better. To actually completely disable firewall besides what they allow you to now?
10:03 < Emperorpenguin> ^
10:06 < Project86__> It's not about the limits, I want to install what I want, and discard what I don't, like old times. (Haven't used windows in quite some years). And I want to be able to control my defender. It was sneaky to the people not too familiar, but could be completely disabled. Not anymore
10:06 * Project86__ rambling..
10:06 < grawity> are you talking about the network firewall or about the antivirus system?
10:06 < Project86__> So does defender
10:07 < Project86__> *windows defender
10:07 < Project86__> You can "turn it off" but it auto contains anything it doesn't like
10:07 < Project86__> Off or not
10:35 < cr1t1cal> apparently smtp is the protocol used between mail servers
10:35 < cr1t1cal> so what is the protocol used between user agents/clients and mail servers
10:35 < grawity> also SMTP
10:35 < grawity> or, a profile of SMTP called "Mail Submission"
10:35 < grawity> er, "Message Submission"
10:36 < cr1t1cal> okay
10:36 < cr1t1cal> thanks
10:36 < cr1t1cal> grawity can you link me to any sources?
10:36 < grawity> https://tools.ietf.org/html/rfc6409 – different port, requires auth, may perform header cleanups/filtering, but still SMTP
10:37 < grawity> (in the past, mail clients *did* use exactly the same SMTP on port 25)
10:37 < grawity> (but it was split because the requirements were different, after all)
10:38 < grawity> for message retrieval *from* a server, it's usually IMAP4 or POP3
10:50 <+pppingme> or a number of proprietary protocols like mapi, or something web based that may query the mail database directly (most web based groupware would work this way)
10:51 < grawity> most of the ones I tried still use IMAP
10:56 < drathir> Project86__: yep...
10:57 < drathir> mornin/evenin...
11:12 < Guest74972> hi. is there a way to check a subnet's details? we have a tool for that and it's down. it provides data like network, netmask, broadcast, country, domain, acronym, pool, comment, dhcp server, created etc.
11:13 < Guest74972> powershell or admin cmd window?
11:20 < Emperorpenguin> Guest74972: I'm not sure I understood what you mean
11:20 < djph> ^
11:20 < Emperorpenguin> shouldn't you like check the router's configuration?
11:21 < Emperorpenguin> or are you using your internal IPAM tool?
11:21 < Emperorpenguin> there's no way to know when a subnet was created unless you write it down when you do it
11:21 < djph> it sounds like perhaps their "tool for that" is a windows AD thing.
11:21 < Guest74972> it is a global corp with 300k+ devices. there is a tool where i can search for ips or hostnames. then i can get the details of the subnet
11:22 < needle> also the question is from which side to check the subnet details, from the client side or from the router side?
11:22 < Guest74972> yeah it's a company tool.. so i'm not sure it can be done "externally"
11:22 < djph> I mean, "country, domain, acronym, pool, comment, dhcp server, comment" all sound like random trash database tables
11:22 < thothcastel____> asdm not accessible through the vpn tunnel currently in place asa5525-x
11:22 < thothcastel____> I am able to access the single local network that is attached to the firewall from the datacentre through the tunnel but unable to launch the ASDM
11:22 < thothcastel____> I am able to access the access switch that is plugged onto it via ssh and also able to jump onto the firewall via ssh through this local switch
11:22 < enfire> Hello, I'm looking for a tool that would allow me to draw a graph of network usage between two hosts. I tried Wireshark, but it cannot handle the load, as I transfer quite large amounts of data and wireshark is not even able to load the capture files. I do not need the packet data, just the visual graphs.
11:22 < thothcastel____> I really need to regain access to this firewall via asdm - anybody knows how to enable this connectivity through cli?
11:22 < enfire> (for windows)
11:23 < Guest74972> https://ibb.co/gTCGpS here is a pic that's all i can send no actual data duh.
11:23 < enfire> Wireshark also seems to hinder with the network speed, so I really am hesitant to use it.
11:23 < djph> use another host / mirror the switchport.
11:41 < frederik_> Anyone know how reliable powerline networking is?
11:41 < frederik_> For sure better than 5GHz WiFi through 3 concrete walls
11:41 < frederik_> But is it as good as dragging an ethernet cable from the router?
11:42 < Phil-Work> frederik_, it's alright
11:43 < Phil-Work> depends on the quality of your wiring, in a lot of cases
11:43 <+xand> it's not as good as an ethernet cable though, no
11:43 < grawity> and sometimes on what appliances are connected, and such
11:43 < Phil-Work> depends on requirements
11:43 < frederik_> I see :)
11:44 < Phil-Work> I run a few IP Cameras over powerline - no issues there
11:44 < grawity> it's like wi-fi in that quality varies between environments, you need to care about interference etc.
11:44 < Phil-Work> but I'd rather not run my PC over it if I can avoid it
11:45 < frederik_> yeah its for my PC :(
11:45 < frederik_> and interference might be a problem
11:45 < frederik_> bluetooth devices, 5&2.4GHz wifi, microwave, all that stuff is pretty close
11:53 < Reventlov> Hi
11:54 < Reventlov> I have a kind of "problem" with Wifi Sniffing
11:54 < truthr> what is the problem
11:54 < Reventlov> I'm using iperf to benchmark a connection to an open network, and another interface in monitor mode
11:54 < Reventlov> The pcap I get is this one (I got it from scapy): https://ptpb.pw/N95L.pcap
11:55 < Reventlov> It seems it "misses" most of the packets, as there are mainly only "acknowledgment" in this pcap
11:57 < Reventlov> Is this because the AP is in 40MHz ?
11:57 < grawity> it's possible
11:58 < Reventlov> Ok, so let's find a way to sniff on 40MHz.
11:59 < CutieCat> Sniff sniff
11:59 < CutieCat> Do you peeps recommend buying a range extender to steal wifi?
12:00 < Reventlov> ?
12:02 < thothcastel____> in order to set up 2 separate vpn tunnels site2site to remote location, will a cisco router need 2 crypto maps?
12:03 < thothcastel____> what about the transform-set if they are to use the same type of encryption
12:13 < Sepultura> Hello, if TLS is a Transport Layer Protocol like TCP and UDP why do Routers only have UDP and TCP Port redirections?
12:14 < ^7heo> because it's not.
12:14 < Sepultura> there are only UDP and TCP?
12:14 < publicarray> TLS runs on top of TCP (and maybe UDP)
12:14 < grawity> it's not a transport layer protocol, no
12:14 < grawity> maybe session layer if you want
12:15 < mAniAk-_-> Sepultura: osi does not translate well to reality
12:15 <+catphish> it's not
12:15 < grawity> it's called that only because it sits on top of a transport layer protocol
12:15 < grawity> (really, I think it'd fit into the session layer.)
12:15 < grawity> but if you asked about *actual* transport protocols, like SCTP or DCCP, then the answer would be "because the routers you're buying are made for people who don't use these"
12:16 <+catphish> Sepultura: tcp and udp are the only protocols with ports, and the only ones you'd need to forward in almost all circumstances
12:16 < grawity> lies, SCTP also has ports
12:16 <+catphish> true, as grawity says, others exist, but nobody with home routers uses them
12:16 < grawity> so either they're omitted due to laziness, or in order to avoid confusing users, or both
12:17 <+catphish> does linux even support nat on those protocols?
12:17 < grawity> yes
12:17 <+catphish> cool
12:17 <+catphish> but also pointless mostly :)
12:17 < grawity> they recently made the support non-modular so that router makers would stop forgetting to enable it >_>
12:18 < Sepultura> grawity: theoretically everyone could invent such protocols?
12:18 < grawity> ...anyway, TLS *could* be proxied in a similar manner to port-forwarding, based on ALPN and/or SNI, like sniproxy does
12:18 < grawity> Sepultura: yes
12:18 < grawity> very small chance of it going through home routers (due to what we're discussing right now)
12:18 < Sepultura> grawity: so TLS is sitting on top of TCP?
12:18 < grawity> yes
12:19 < grawity> (though it could work over stream transport really)
12:19 < grawity> there's also DTLS which is adapted for UDP and other datagram protocols
12:20 < Sepultura> Is SCTP better than TCP?
12:21 < grawity> in some ways
12:21 < grawity> but still not 'better' enough to become popular
12:28 < cr1t1cal> does an inbox stay on one and only one mail server?
12:29 < cr1t1cal> meaning if the mail server were to go kaput so will the inbox?
12:29 < Emperorpenguin> depends how you configure it
12:29 < Emperorpenguin> obviously
12:29 < Emperorpenguin> one server one disk? gone
12:29 < Emperorpenguin> multiple servers shared storage? you're good
12:31 < cr1t1cal> alright
12:31 < mAniAk-_-> Sepultura: it's not a replacement for tcp, it was developed to carry ss7 over ip
12:33 <+catphish> is ss7 over ip a thing? i might actually need to do that
12:33 < grawity> that doesn't preclude it from being a replacement for tcp
12:34 <+catphish> i'll have to look into it, i thought ss7 only worked over ss7 hardware interfaces
12:34 < mAniAk-_-> nope, but that was not the intention of the protocol either
12:35 < Emperorpenguin> catphish: ss7? cool
12:36 < Emperorpenguin> i have NO idea how that works
12:36 < grawity> catphish: well there's https://github.com/openss7/openss7 apparently
12:37 < grawity> also this is how you know someone is a telecom dev https://github.com/openss7/openss7/issues/8
12:39 < mAniAk-_-> catphish: look up SIGTRAN
12:40 < mawk> how to programmatically send an ICMP error to a connected party ?
12:41 < mawk> opening a raw socket is too ugly
12:41 < mawk> there should be a nice clean way
12:41 < mawk> akin to how you can receive icmp errors
12:46 < mAniAk-_-> mawk: why? icmp is typically only sent by the os/network stack as a response to something received, not by any application
12:52 < fabolous> what is this page? http://www.thedubber.altervista.org/ip/
12:52 <+catphish> thanks
13:07 < mphj> Hello guys! I'm just wondering about domain fronting usecase for companies like amazon (aws) or google (google app engine), why do they have such this feature, they don't set a special ip for each of their services?? and another question, cdn servers that help applications like signal or telegram to do domain fronting, do these servers act like a reverse proxy?? if yes, then why?? i know cdns and reverse proxy almost do similar work (at least i think), but
13:07 < mphj> why a cdn should forward the request to the request's hostname without restriction?, why they don't restrict requests, for example a cdn like cloudflare, says that i just cache requests with hostname example.com and not others?
13:08 < grawity> there's no use case for the companies themselves – it's not a feature they *offer*, it's a side effect of their configuration (or lack thereof)
13:08 < grawity> they do *have* to host multiple domains on the same IP addresses because there just aren't that many IPv4 addresses
13:09 < grawity> it's not exactly a reverse proxy – both the 'front' and 'back' domains usually live on the same server, or the same cdn node, or whatever
13:10 < grawity> it certainly doesn't work with sites hosted somewhere else entirely, so the restriction you mention is already always in place
13:11 < localhorse> if i buy an ethernet to usb adapter, plug it into my tablet, then use an ethernet cable between tablet and laptop, can i communicate between tablet and laptop? like it works between Rpi and laptop without router
13:11 < mphj> great answer grawity! thank you man, you saved my day!
13:12 < localhorse> test
13:12 < grawity> it's like having two vhosts on a single Apache service: your TLS handshake is for vhost 1, your HTTP request is for vhost 2, and Apache only cares about the latter
13:12 < grawity> unless you enable https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstrictsnivhostcheck that is
13:13 < grawity> localhorse: it should generally work the same, yes
13:13 < grawity> as long as the tablet has the correct drivers for the adapter
13:28 < mawk> mAniAk-_-: because I'm part of the network stack
13:28 < mawk> I'm doing stuff with a tun device
13:28 < mawk> I want to send icmp host unreachable to nodes trying to reach other unknown nodes
13:29 < frederik1> My server in the DMZ can ping 8.8.8.8 but no other hosts in its subnet, not even the router
13:29 < frederik1> it does get an IP though
13:30 < frederik1> how do I debug this?
13:30 < frederik1> ip routes tell me default gateway is correct
13:32 <+catphish> frederik1: you're using DHCP for servers in your DMZ?
13:32 < frederik1> Yes
13:32 <+catphish> well this is going to be very dependent on the devices involved, if you can ping the internet but not your gateway, then very likely it's just not configured to respond to ping, mine don't
13:33 <+catphish> as for other hosts on the network, there could be various reasons for that, firewalls in particular
13:34 < frederik1> The other hosts are responding as intended, responding to pings from the internal network behind the DMZ
13:34 < frederik1> This particular host isn't
13:34 <+catphish> that's totally different from what you said a moment ago
13:34 <+catphish> what is the exact problem you want to debug?
13:35 < frederik1> Yeah I realize I didn't properly outline, let me try again
13:36 < frederik1> I have a DMZ with several hosts that can all be contacted from the internal network. I want the same thing for a new host in the DMZ. This host, when connected, gets an IP from the DMZ router, but can't contact the router by ping or be contacted from the internal network
13:36 < frederik1> It can, however, ping WAN IPs
13:37 <+catphish> sounds like perhaps it hasn't been allowed by the firewall
13:38 < frederik1> Does sound like an iptables thing doesn't it? :s
13:39 < dogbert2> looking at a Synology DS216j 2 bay NAS...any thoughts?
13:41 < localhorse> grawity: thanks. btw, can i also share the phone's wifi to the laptop that way?
13:42 < localhorse> or is it not capable of routing packets between its wifi and usb ethernet connection?
13:42 < localhorse> (OnePlus One / Cyanogen OS)
13:43 < GenteelBen> dogbert2, how much RAM does it have?
13:43 < GenteelBen> It probably doesn't allow you to upgrade RAM, either.
13:44 < dogbert2> 512MB...
13:44 < GenteelBen> A new NAS needs at least 2GB of RAM.
13:44 < GenteelBen> LOL
13:44 < GenteelBen> dogbert2, that's the price you pay for a cheap NAS: market segmentation.
13:44 < dogbert2> yeah...Synology gets very high ratings...let me see what else I can find
13:44 < dogbert2> IMO, WD is way overpriced for home use :)
13:44 < GenteelBen> They keep the RAM spec low enough that nobody in business can buy j-series NASes.
13:45 < GenteelBen> dogbert2, Synology NASes are overpriced if you just look at hardware, but their software is 1000x better than anybody else's.
13:45 < dogbert2> go figure, right :)
13:45 < GenteelBen> Case in point my DS1812+ still gets feature + security updates at the same time and frequency as their latest 2018 NASes.
13:45 < GenteelBen> DS1812+ = early 2012, IIRC.
13:46 < GenteelBen> Plus they do something nobody else can (AFAIK) do: SHR/SHR-2, their name for tech which lets you mix and match drive sizes without much wasted space. It's kind of like a RAIDed JBOD.
13:47 < GenteelBen> So you can start off with 4x 2TB disks and then change to 3x 2TB + 1x 4TB, then 2x 2TB + 2x 4TB, for example.
13:47 < GenteelBen> Though you only get more space in the second example. The first just gives you better redundancy.
13:47 < GenteelBen> Try this: https://www.synology.com/en-us/support/RAID_calculator
13:48 < GenteelBen> But yeah the #1 complaint of Synology NASes comes when people buy a home NAS and then realise 512MB is too damn low. I wouldn't recommend it.
13:55 < dogbert2> I think I will go with the DS218 (2 bay, 64-bit quad core processor, 2GB DDR4)
13:55 < dogbert2> 4K 10-bit H.265 video transcoding on the fly
13:55 < GenteelBen> Good choice.
13:56 < GenteelBen> It has the GenteelBen seal of approval.
13:56 < dogbert2> :{
13:56 < GenteelBen> It's also my NAS pick of the week.
13:56 < GenteelBen> You sure you wouldn't rather get a four-bay NAS?
13:56 < GenteelBen> Redundancy, dogbert2.
13:56 <+catphish> i also like synology :)
13:56 < GenteelBen> You could do SHR-1 and have like 4x 2TB disks for 6TB raw usable.
13:56 < dogbert2> I can run the unit in a RAID-1...more than enuf
13:57 < dogbert2> Realtek RTD1296 Quad-core 1.4 GHz processor
13:57 < GenteelBen> How big are the HDDs?
13:57 < dogbert2> can handle up to 2x12TB drives
13:57 < GenteelBen> That's still a shameful ARM CPU, dogbert2.
13:57 < dogbert2> so is this: http://snoopy.ciscofreak.com/libre.html :P
13:57 < GenteelBen> That's official support; there's nothing stopping it from supporting 14/16TB HDDs either.
13:58 < dogbert2> pfft...I'
13:58 < GenteelBen> What's the difference between the 218 and 218play?
13:58 < dogbert2> 218play looks like it's a streaming and video unit, which I don't need
13:59 < GenteelBen> 218play is cheaper isn't it?
13:59 < GenteelBen> They usually use RAM and Ethernet ports to differentiate.
13:59 < GenteelBen> There's also the DS218+, if you're a pro. B)
14:00 < GenteelBen> https://www.synology.com/en-global/products/compare/DS218/DS218+/DS218play/DS718+
14:00 < GenteelBen> The 218+ has an x86 CPU.
14:00 < GenteelBen> 218...must be a listing mistake because it doesn't mention AVC there.
14:01 < GenteelBen> Also, you shouldn't be using that NAS to do encoding unless it's for YT videos or something. The image quality isn't as good as a CPU encode.
14:03 < dogbert2> https://www.synology.com/en-us/products/compare/DS218/DS218+/DS218play (the 218+ is a better option but costs more)...
14:03 < dogbert2> the ram is also expandable in the 218+ to a max of 6GB (2GB installed + 4GB chip)
14:26 <+catphish> iscsi is still confusing me, it's so weirdly put together
14:31 < L3gacy> that feeling when the server room temp is 28C...
14:32 < L3gacy> Not sure if fans are trying to cool, or I now have "hover servers"
14:32 <+catphish> toasty
14:47 < AlexPortable> What is the most secure password based EAP method?
14:49 < djph> AlexPortable: PEAP
14:49 < djph> MSCHAPv1
14:49 < AlexPortable> http://deployingradius.com/documents/protocols/compatibility.html
14:49 < AlexPortable> only clear text passwords in PEAP apparently
14:49 < djph> AlexPortable: Did you ever tell us the usecase yesterday?
14:50 < AlexPortable> for what?
14:50 < dogbert2> crashed my windows 7 ultimate desktop :)
14:50 < djph> AlexPortable: your desire for WPA-Enterprise in the first place.
14:50 <+xand> AlexPortable: but it goes over TLS
14:50 < AlexPortable> separate passwords for each user
14:50 <+xand> look at the eduroam stuff and do it that way
14:51 < djph> AlexPortable: Yesterday, we were all under the assumption that "this is internal use for a business entity" - is that the usecase, or not?
14:51 < AlexPortable> yes
14:51 < AlexPortable> but maybe also for guests
14:51 < djph> Guests get a different auth method, different VLAN, different everything.
14:52 < AlexPortable> why
14:52 <+xand> maybe
14:52 <+xand> well different VLAN sure
14:52 < AlexPortable> speaking of vlans, how to prevent communication between clients in a vlan?
14:52 <+xand> (probably)
14:52 <+xand> client isolation which is an AP feature
14:53 < djph> Because why go through the trouble of setting them up with a RADIUS login when "touch the banana for a guest wifi voucher" gets them connected?
14:53 < AlexPortable> djph: what?
14:53 < djph> I mean, most high-end vendors have "voucher-based guest auth" already
14:54 < AlexPortable> what banana do you mean
14:54 <+xand> banana in your pants?
14:54 < djph> the banana thing was someone on reddit. Instead of a simple pushbutton, he measured the difference in capacitance of a banana sitting on a desk to kick off the "generate & print voucher code" process.
14:55 < djph> because it's funny.
14:55 < AlexPortable> more likely create account for new user
14:55 < AlexPortable> not just a button
14:56 < djph> err, I suppose you and I have a different opinion of "guests" then. I'd never set them up with an account on any systems in my networks, ever.
14:56 <+xand> I can confirm that doing 802.1x for casual visitors is a PITA though
14:56 <+xand> many years experience of that here
14:56 <+xand> there are different kinds of visitor though
14:56 < djph> ^ less years of experience, but it's a PITA nonetheless.
14:56 <+xand> some are just here for their own reasons, others are here as e.g. IT contractors
14:57 < djph> xand: everywhere I've worked, "contractors" are considered "employees" in terms of "where on the network they live"
14:57 <+xand> ha
14:57 <+xand> here that depends whose contractors they are and how stupid they're considered :D
14:58 < djph> unless you mean vendor dudes who're in to replace hardware or something else
14:58 < djph> where they're only expected to be in for like a week or something
14:58 < AlexPortable> I think that covers the situation here
14:58 < AlexPortable> one week guests
15:01 < dogbert2> hey djph
15:02 < djph> heyo dogbert2
15:03 < djph> AlexPortable: then a voucher or other portal type guest network is likely to be fine.
15:03 < AlexPortable> possible, but i dont have such a system
15:03 < djph> but I suppose that it also depends on what kind of access *to your network* they need (if any)
15:04 < djph> ... then you get one ...
15:12 < sine0> I would like to whitelist some ip ranges 86.12* to 86.18* and I know up until 86.120.0.0/16
15:13 < sine0> can i do a 86.120.0.0/16 -> 86.180.0.0/16
15:13 < Emperorpenguin> sure
15:13 < Emperorpenguin> but you have to subnet it properly
15:13 < sine0> yea mean with the 255
15:14 < Sepultura> IRC is using TCP?
15:14 < sine0> how do i do the range though
15:14 < Emperorpenguin> so it'll be like 86.128.0.0 to 86.160.0.0/19
15:14 < Emperorpenguin> and then smaller subnets till you fill up all the space
15:14 < Emperorpenguin> or you just do 60 /16
15:14 < light> Sepultura: yes
15:14 < Emperorpenguin> Sepultura: yes
15:16 < djph> sine0: what do you mean "86.120/16 -> 86.180/16" ? That's just the range you want to allow?
15:17 < Emperorpenguin> he wants to whitelist a range of 60 /16
15:17 < Emperorpenguin> too bad they go by powers of 2
15:17 < Emperorpenguin> so sine0 the quickest way to do it is just adding 60 /16 lines in your firewall
15:17 < Emperorpenguin> or
15:17 < Emperorpenguin> you can do 120->127
15:17 < Emperorpenguin> 128->160
15:17 < Emperorpenguin> 160->175
15:17 < sine0> ok
15:18 < Emperorpenguin> 176->179
15:18 < Emperorpenguin> and 180
15:18 < Emperorpenguin> now you do the subnetting
15:18 < sine0> ok let me think my head's hurting i want to work it out
15:18 < sine0> djph: yea
15:19 < djph> in which case, you'll need multiple rules (e.g. 86.120/13; 86.128/11; 86.160/16)
15:19 < sine0> guys does this click after a while or what ?
15:19 < djph> err, oops, I thought it ended at 160
15:19 < Emperorpenguin> sine0: yes
15:20 < djph> 86.160/12 ... and then whatever else to get from 176 - 180 (likely 176-179, then 180/16)
15:20 < sine0> i did not know you could just shorten it like that
15:20 < djph> shorten what?
15:20 < sine0> 86.120/13
15:20 < Emperorpenguin> no
15:20 < Emperorpenguin> sine0: it's all about powers of 2
15:20 < Emperorpenguin> is 120 a power of 2?
15:20 < Emperorpenguin> no
15:21 < tds> iirc the . will get expanded to .0.0. (maybe)
15:21 < Emperorpenguin> which is the closest? 128
15:21 < djph> I'm just stripping out the zeroes -- "86.120/13" is similar to writing "::" for v6
15:21 < Emperorpenguin> can you get down to 128 from 128 with one power of 2?
15:21 < Emperorpenguin> yes
15:21 < Emperorpenguin> 8
15:21 < Emperorpenguin> so you can do 120/13
15:22 < Emperorpenguin> can you get from 128 to 180 in one power of 2?
15:22 < Emperorpenguin> no
15:22 < Emperorpenguin> you need to do 32 (159) + 16 (171) + 8 (179) +1 (180)
15:23 < Emperorpenguin> so that's a /11
15:23 < Emperorpenguin> then a /12
15:23 < Emperorpenguin> then a /13
15:23 < Emperorpenguin> then a /16
15:23 < djph> hey, I did it right
15:24 < djph> started second-guessing my maths there for a minute :)
15:24 < skunkz> Hi, I have configured a vpn on an aws free tier instance so me and my friend can play "lan" games. We can both connect to the vpn and have managed to join a LAN room together but when he gave me his ip I can't ping him so I don't understand, why can we play together but I'm not able to ping him ?
15:24 < sine0> I think that maths is not natural for me and my brain
15:25 < Emperorpenguin> sine0: it's simple
15:25 < sine0> I can see the chart
15:25 < Emperorpenguin> all you need to remember is the power of 2 up to 256
15:25 < Emperorpenguin> so 1 2 4 8 16 32 64 128 265
15:25 < Emperorpenguin> so 1 2 4 8 16 32 64 128 *256
15:25 < Emperorpenguin> that's ALL you need
15:25 < sine0> but there are 3 people machine gunning the channel with numbers it's like the matrix screen
15:25 < djph> skunkz: the game may be punching holes in his PC's local firewall
15:25 < dogbert2> calculus = da agony and dx/dt :)
15:26 < sine0> I have this online tool it shows me, im having a play
15:26 < skunkz> djph: ok so his firewall prevents me from pinging but allows the game to connect each other ?
15:27 < djph> skunkz: yeah, the game is likely telling the PC "hey, I gotta listen for game traffic on port 12345, let it thru please"
15:27 < djph> *PC firewall, rather
15:28 < skunkz> Ok I see, I have another question: the room I created doesn't show up when he browses the LAN party finder, but there's a direct connection button that works when he enters my ip. Any idea why the room doesn't appear?
15:29 < sine0> 86.150.0.0/100
15:29 < sine0> 10 not 100 lol
15:29 < ||cw> skunkz: ping is an ICMP packet, and ICMP is often filtered out at firewalls for "security"
15:29 < sine0> I can see now how the mask takes a certain block and you build around it where it starts and ends
15:30 < UncleDrax> sine0: i think if you wrote it out in binary, it'd make more sense
15:30 < Sepultura> is Softether a dead project?
15:31 < UncleDrax> a lot of ppl that struggle with the concepts of subnetting, imo, are taught wrong so it just appears to be arbitrary numbers without reason
15:31 < skunkz> ok I thought ping was a good test to see if two devices are correctly connected but I didn't think of user firewalls
15:31 < sine0> UncleDrax: yea I know that part of it, the bits etc but i didnt know how it would take the range, now i can see it visually (which is how my artistic brain works) I can see it.
15:32 < UncleDrax> incidentally, I think if you're taught classful networking, or rather the math of it, it can help with that idea.. even if you have to toss most of what you just learned out because it's obsolete.
15:33 < sine0> cos ip6
15:33 < skunkz> do you have any idea why the room doesn't show up yet my friend can join it with direct connection to my local ip on the vpn ?
15:34 < sine0> allow from 86.144.0.0/12 86.160.0.0/11
15:35 < UncleDrax> if it's a LAN mode room, it's likely because it's using a layer-2 (LAN) discovery protocol that isn't being passed through the VPN.
15:35 < djph> sine0: obsolete because CIDR, not because IPv6
15:35 < UncleDrax> or ya, ofc end-user FW issues and such too
15:35 < sine0> djph: why is it obsolete then
15:35 < UncleDrax> sine0: because it is.
15:36 < UncleDrax> Classful networking only allowed for (discounting class D & E space) 3 usable subnet sizes
15:36 < UncleDrax> a Class A, B, and C.
15:36 < Emperorpenguin> eeww
15:36 < Emperorpenguin> EEEEEEEWWWW
15:37 < djph> sine0: because CLASSFUL networking was "class A -> IP addresses in binary start 10 (you get 256 Class B)/ Class B -> IP addresses start 110 (you get 256 Class C) / Class C -> start 1110 (you get 256 host addresses) ...
15:37 < UncleDrax> CIDR (Classless Inter-Domain Routing) allows for around 30 different usable subnet sizes.. and more importantly, the ability to use something like a CIDR /24 inside the old Class A space
15:37 < skunkz> how could I try to pass this discovery protocol to the vpn ? UncleDrax ?
15:37 < UncleDrax> skunkz: no idea.
15:38 < UncleDrax> skunkz: well, i have ideas, but they would be complex. or you can use something designed for this like Hamachi
15:39 < djph> IIRC, once you owned a classful network, you "could" subnet it farther (that is, your entire site didn't have to be 65,536 hosts on a flat network, if you owned a class B), but it is rather unwieldy nonetheless
15:39 < UncleDrax> ya, I was thinking more from the IP allocation standpoint
15:41 < djph> skunkz: You'd honestly have to do a lot of fiddling - the direct connection is the most straightforward option.
15:41 < djph> UncleDrax: yeh, classful networking sucked. Glad my intro to it was "here's what it was, why it was bad, and what came out of it"
15:42 < UncleDrax> djph: yeap. but I still got routers that don't display CIDR notation if the route falls on a classful boundary
15:42 < UncleDrax> which is annoying
15:42 < djph> ew
15:43 < UncleDrax> fortunately we don't let them do anything real anymore though
15:43 < UncleDrax> ya, Cisco 7600s
15:43 < UncleDrax> prob a way-too-old load
15:44 < djph> haha
15:47 < dogbert2> stupid router :p
15:58 < djph> is it that the router's stupid, or the admin is, for leaving it at an ancient IOS version? hmmm
15:59 < UncleDrax> ya, this is a case of 'uptime is not really a good thing'. but that said, it hasn't done anything beyond a sub-/28 static route in many years.
15:59 < UncleDrax> so really it's just a switch
16:00 < UncleDrax> well i mean as far as we use it
16:00 < djph> ah
16:00 < UncleDrax> but it's def been roadmapped to be surplussed
16:00 < UncleDrax> the problem is meatsacks to finish the job
16:00 < UncleDrax> (as in, not enough)
16:01 < djph> if you paid well (and didn't involve entire digging up me roots here ...)
16:01 < UncleDrax> and if we were hiring anyone to replace the meatsacks that leave ;]
16:01 < UncleDrax> but ya.
16:02 < UncleDrax> well i put ;], but I meant :[
16:02 < UncleDrax> but enough about layer 8-10 problems
16:21 < djph> meatsacks, manglement, and ... ?
16:25 < hweaving> Checking one more time today here in case there's someone who isn't in #ipv6
16:25 < hweaving> Does anyone know offhand why Linux fails lookups for site-local multicast addresses
16:25 < hweaving> e.g. "ping6 ff12::1234%eth0" doesn't do anything useful but doesn't fail
16:25 < hweaving> while "pign6 ff15::1234%eth0" outright fails with an unknown host error
16:25 < Andrew_0010bit> May the 4th be with you all.
16:25 < hweaving> *ping6
16:25 < hweaving> Andrew_0010bit: and with you
16:36 < stan7> my isp doesn't let me open port 80 for my apache server, it's blocking it, what do you recommend? if i configure apache for opening a different port, which port do you recommend? any port? it works?
16:37 < tds> stan7: if they allow other ports then that would work (eg 8080 is quite common for a web server), but browsers won't use ports other than 80/443 by default
16:42 < stan7> so it's not gonna work?
16:43 < stan7> why do they block it? because they don't wanna have people installing servers at home?
17:00 < UncleDrax> stan7: on purpose or by malicious-bot-net, yes
17:01 < UncleDrax> stan7: which is separate from the discussion of 'is that effective/just/right/morally-acceptable' to block it
17:01 < tds> if you call them they might be willing to unblock it, but probably only if you pay for a business connection ;)
17:07 < ash_work> I was thinking of striving for a plug-and-play like effect in the data center. My thought was to have a mgmt server run a conf-tool to set up new bare metal servers by connecting over IPMI, installing an OS using iPXE and configuring containers, networking, etc... I thought you could have a dhcp server container hand out static ips to BMC MACs for this, but you still need to manually (a) add the MAC to the dhcp server configurat
17:07 < ash_work> so (a) is this a good idea? and (b) should I find (is there) some way to trigger the conf-mgmt script automatically when a configured MAC is discovered?
17:09 < detha> ash_work: in that type of setup, config mgmt generally pushes the MAC out to the dhcp server
17:10 < needle> why trigger a MAC address, when the installation routine is finished, the server that has been set up could send the MAC address to the responsible DHCP server.
17:11 < detha> needle: what if I want some servers to load centos, some debian, and some windows?
17:11 < ash_work> detha: like, you run a conf-script locally that gives your tool that information?
17:11 < ash_work> needle: it's not the MAC of the server... it'd be the MAC on the bmc
17:12 < detha> ash_work: like, you get the MAC address, enter things in config mgmt, that triggers an update to the DHCP server
17:12 < detha> once that is done, you connect the server
17:13 < ash_work> detha: wouldn't the conftool connect to the server at that point? (and set it up?)
17:13 < detha> ash_work: depends on your workflow. if you want to enter things after the fact, yes.
17:16 < ash_work> okay, so I can see why you'd want your conf tool to manage the dhcp server... since I think it's probably not ideal to manage it directly and managing it as a container... I don't think you want to redeploy your dns server on every conf change... I can see that getting hairy...
17:17 < ash_work> detha: okay, but what about part (b)? like, even incorporating your advice, my idea would be that would take place before the server is even delivered (so that you're sure what the host is for the bmc, rather than somebody plugs it in and it's accidentally automatically allocated)
17:17 < detha> ash_work: you can make it as complex as you like.... e.g., dhcp server that hands out a PXE boot for any unknown address that does nothing but connect to mgmt, and create a ticket 'Please configure 00:4a:00:12:34:56'
17:18 < ash_work> detha: oooo, that sounds like a good fallback
17:18 * ash_work writes that down
17:18 < ash_work> detha: but, should I be striving to automate when the conftool decides to set up that server, given what I said about delivery?
17:20 < tds> ash_work: I guess if you have an existing system to keep track of what switch ports are used by what, you could also just look up the mac addresses on the switches and avoid storing them
17:20 < detha> ash_work: normally invoices/delivery notes have the MAC address on them. So your normal workflow could be 'on delivery note, have someone enter that MAC, and what role that server should take'. Fallback to 'create a ticket for an unknown server on the network'
17:20 < ash_work> like, somehow listen for a bmc that has been connected
17:21 < ash_work> detha: right that... but when the person actually plugs it in... should I be trying to involve a process that tells the mgmt server, "ok, do your thing."
17:21 < ash_work> rather than me issuing an ansible command or something manually
17:23 < detha> that should be automatic. PXE boots an install image that gets its config from, e.g., some http server. The http server runs perl or python scripts that pull from the config database, and generate config on the fly
17:24 < ash_work> detha: assuming the box is set to network boot on delivery?
17:24 < detha> yeah. If it isn't, you're basically stuffed for anything automagic
17:25 < detha> you could scan for new BMCs periodically and if you find one, kick off something to go install it, but meh
17:26 < ash_work> detha: okay, so I'm with you there
17:26 < ash_work> I'm banging the gavel on part (b) as 'meh'
17:26 < detha> Also, that can lead to lots of fun and games if the config database goes offline for a bit. All servers are suddenly 'new' and get reinstalled
17:27 < ash_work> detha: well, my idea... that wouldn't happen
17:27 < ash_work> because the only purpose of the IPMI stuff was just to set the boot order
17:28 < ash_work> supposedly, the conf tools should be idempotent enough not to run over already installed plays
17:28 < ash_work> or something... maybe it would happen.... idk... I haven't thought this through all the way
17:30 < detha> think about it in an 'event' -> 'action' type of way. Event can be server plugged in, check-in to config mgmt, etc. Action is 'some salt/ansible/whatever task does something'
17:33 < ash_work> detha: yes, but that's too abstract for me
17:34 < ash_work> like, what the actual "check-in" process is
17:35 < ash_work> detha: I'm still trying to chew on your earlier statements
17:36 < ash_work> detha: when you were saying "that pull from the config database, and generate config on the fly" were you talking about the config for the whole machine, or like a networking config, or...?
17:36 < ash_work> (because isn't that really ansible/puppet/salt's job?
17:39 < needle> the tool really does not matter in that case, it is more a question of what is the initiator of the process, manually, automatically, half-automatic, event-driven...
17:40 < needle> with perl and python you could do all the "magic" you want. It is up to you.
17:41 < ash_work> well, I'm really liking this 'configure me' stuff if say a server is plugged in without any setting for it
17:41 < ash_work> but my point was just to clarify that we are indeed talking about the right 'step'
17:41 < ash_work> s/right/same
17:42 < ash_work> but when I say this is too ambiguous... so like do you write your own script that listens for such an event like "server gets plugged in"? How?
17:45 < ash_work> I am surprised I am getting so much information in this channel
17:46 < needle> yes, this channel is really amazing looking from that perspective.
18:02 < ash_work> detha: okay, so suppose you want to set up a new webserver as a node in a docker swarm; at some point, something must run `docker swarm join ...`; taking your advice is that something done by what you install via pxe? or after pxe installs the os (ie, like you were saying before: pulling the config from a config database... idk how that would work though), or a conftool runs a webserver configuration script?
18:07 < detha> ash_work: it depends. some places build fancy images with everything pre-installed, other places do a PXE boot of a generic minimal install that on first boot pulls the rest of 'what needs to be done' from config mgmt
18:08 < ash_work> detha: so the installed image is responsible for communicating with the config tool?
18:08 < ash_work> (in that case)
18:08 < detha> correct. the second style seems to be winning, boot into something that has network stack, basic tools and package manager, and pulls the rest of the config from a config server
18:09 < ash_work> detha: well, my idea was to use rancher-os which has a cloud-config for the basic system configuration
18:09 < ash_work> and they have an ipxe script too; although I was unsuccessful in testing this on a vm because I guess it doesn't support bz compressed initrd
18:10 < ash_work> but the cloud-config can't do things like `docker-machine` and `docker swarm` commands
18:12 < detha> ash_work: never played with rancheros, but as long as there is a way to have docker either in the install image or pulled in through package manager, why not
18:13 < ash_work> so things I need to investigate are how to set up the dhcp server to hand out the right pxe image (in my case a different script per cloud-config) and how to get the system to tell the mgmt config to run post-install
18:14 < ash_work> the latter of which I basically still want to ask here
18:15 < ash_work> this is probably better asked in #rancher
18:15 < ash_work> thanks so much detha, that was a huge help
18:15 < ash_work> detha: ftr, are you more a fan of "some places build fancy images with everything pre-installed"?
18:31 < detha> ash_work: no. building 'golden images' is a pain.
18:32 < detha> It has a place, like standard corporate desktops with windows+office+SAP
18:32 < ash_work> good to know. Thanks ;)
18:36 < fnDross> either of you well versed in networking?
18:37 < redrabbit> no
18:41 < detha> fnDross: I know about 3% of what I can imagine one can know about networking. Does that qualify as well-versed?
18:42 < fnDross> it might, https://ibin.co/3wZx0gWjNDUu.jpg << trying to put actual guest network on the dir-835
18:42 < Apachez> https://twitter.com/Rotarywings1/status/992281756177854466
18:42 < screwsss> 130 megabits per second. sound about right for the read transfer speed of a regular HDD
18:43 < fnDross> dont want to put another dhcp&vlan on the dva(router1)
18:44 < fnDross> ive read up on routes, but read nothing about routing in this scenario
18:45 < ||cw> screwsss: bytes yes, bits no
18:45 < usvi> if police was logging my ssh connections, could they be so stupid that they would always drop the initial connection, forcing me to take another, succeeding one?
18:46 < skyroveRR> usvi: a censorship tool isn't always guaranteed to work........ people need to FORCE IT to work.
18:46 < skyroveRR> A censorship tool or an MITM tool for that matter.
18:46 < usvi> yeah
18:46 < usvi> I need to dig into this
18:47 < usvi> my best friend, university buddy, turned out to be the biggest drug dealer of finland
18:48 < usvi> I think the police could be trying anything at this point to catch additional bad guys
18:49 < usvi> I must admit, of course, that Im also quite the tinfoil guy
18:51 < skyroveRR> Doesn't matter, they probably figured out who you are at this point.
18:52 < screwsss> balls
18:52 < screwsss> something's wrong with me home network then
18:52 < usvi> skyroveRR: I have no secret identities, I dont even have those fancy contemporary drug dealer apps like.. was it wicr or something
18:55 < usvi> police arrested one tor network forum admin probably because he was telling me in car that he was the admin. car was bugged, he was in custody like 1-2 months. for having a forum on tor network
18:57 < usvi> and why do all these kinds of guys seek my company you ask? I kind of dont know. maybe being some kind of local privacy advocate makes this happen
19:06 < redrabbit> cool story
19:07 < screwsss> police bugged ur car?
19:07 < usvi> my friend's car. the forum admin
19:10 < screwsss> 0wn3d.
19:10 < screwsss> spent 2 months in slammer?
19:11 < usvi> redrabbit: yeah.. I guess if you google Douppikauppa, you get some articles. some of them might even be english
19:11 < djph> so what I'm hearin' is that usvi is a plant
19:11 < usvi> screwsss: yes he did. 1 or 2, I dont remember which one
19:12 < usvi> djph: I have thought many times that my friends must be thinking Im a snitch or something :D
19:12 < screwsss> i download plenty of torrents
19:12 < usvi> but it is just bad luck
19:12 < screwsss> one after the other
19:13 < screwsss> never even been sent a letter
19:17 < usvi> screwsss: yeah, I also fight those letters, I have an operation
19:18 < usvi> not a business, charity work without pay
19:25 < coco> usvi what kind of forum was it?
19:30 < screwsss> bit torrent
19:36 < usvi> coco: kind of imageboard in tor network, but used also for drug deals by users
19:41 < coco> imageboard of what?
19:45 < screwsss> drug dealers just use craigs list lol
19:46 < superkuh> I put every site that I host on the clear web on tor as well.
19:46 < superkuh> (as a hidden service)
19:47 < fstd> a-are you a hacker?
19:47 < fstd> oh this isn't ##C, shit
19:47 < needle> It's strange that many users assume tor being a kind of "illegal" network.
19:48 < coco> yea, why would anybody assume that
19:48 < lupine> probably due to its overwhelming use for illegal activities
19:48 < kenlumbo> "dark web"
19:48 < kenlumbo> lol, my fav
19:48 < needle> On the other side, one never hears good things about tor, only the negative stuff gets public.
19:48 < kenlumbo> "oh I found it on the dark web"
19:48 < lupine> facebook
19:48 < kenlumbo> you mean it wasn't on facebook...
19:48 < coco> i totally want my legal content to be more difficult to access and slower
19:48 < lupine> nono, facebook *is* the dark web
19:48 < kenlumbo> #fakenews web
19:49 < kenlumbo> I cringe every time I hear a commercial or some talking head say dark web
19:49 < screwsss> dark web
19:49 < kenlumbo> just because you say it's a thing, doesn't mean it's a thing
19:49 < coco> have you heard the one where they say the dark web is 10x bigger than the normal web? lol
19:49 < coco> I think i surfed most of it in an afternoon
19:50 < lupine> *facebook is the dark web*
19:50 < lupine> so, no, you did not
19:51 < coco> i'm wrong and you're right
19:51 < lupine> <3
19:52 < Ryvius> How are you gentlemen. May I have your best ideas for Wifi names
19:52 < SporkWitch> doesn't facebook have an onion site? lol
19:52 < SporkWitch> Ryvius: https://lmgtfy.com/?s=d&q=best+ideas+for+Wifi+names
19:52 < coco> so the hotel I'm staying at has a nazi DPI that blocks everything including vpn
19:53 < coco> and airvpn.org (best vpn bar none) has ssl tunneling
19:53 < coco> so to fight the man I'm going to keep the line saturated for my entire stay
19:54 < usvi> coco: it was like a very small-scale finnish 4chan
19:54 < coco> is that what they're calling it these days
19:57 < `whoami`> Ryvius: Surveillance Van #3
19:57 < needle> If the hotel WAN uplink is saturated I set up an IPv6 DHCP server and route the incoming IPv6 packets to /dev/null, thanks to happy eyeballs after some minutes the link is not that saturated anymore.
19:57 < lnks> hello, anyone familiar with the raritan terminal servers?
19:57 < usvi> coco: I think imageboard is the common name for 4chan-like boards
20:17 < xz> why would one use duckduckgo
20:21 < ||cw> xz: that seems pretty clear from the website
20:21 < SporkWitch> ^
20:21 < ||cw> and from wiki "DuckDuckGo (DDG) is an Internet search engine that emphasizes protecting searchers' privacy and avoiding the filter bubble of personalized search results."
20:22 < SporkWitch> nolove: yes
20:22 < nolove> lol
20:22 < xz> you can use google search in incognito mode for the same functionality
20:23 < ||cw> google will track you by IP and browser signature, just less aggressively
20:23 < SporkWitch> xz: not quite. They don't track it the same, but you shouldn't assume they aren't still tracking things in some way as to be useful to them.
20:23 < xz> you mean fingerprinting ||cw ?
20:23 < ||cw> yeah
20:23 < xz> I have some plugin to address that
20:23 < xz> not sure how efficient it is, however
20:24 < ||cw> DDG does it just by default, no matter whose computer you're on
20:27 < redrabbit> https://www.startpage.com/
20:57 < t0x0sh> Hi, I have a KVM networking question. I have 2 VMs (vm1, vm2), and I want to forbid communication between them. What's the best solution? Creating a bridge interface and a subnet for each VM?
21:03 < SporkWitch> t0x0sh: sounds like a kvm question, not a networking question
21:05 < t0x0sh> ok :(
21:10 < kuahara> I set up a L2TP/IPSec VPN on a sonicwall in one of our county networks. I've tested it out from my office and from my home PC. The connection works fine. I have two customers in other counties that cannot connect and both just happened to be sitting behind different Cisco ASAs. I don't have access to either, so I can't be model specific, but in general, does outbound L2TP need to be
21:10 < kuahara> specifically permitted before it will work?
21:12 < E1ephant> t0x0sh: I think it may be possible https://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges
21:12 < E1ephant> the ebtables seem the foolproof way, but hard to manage.
21:13 < E1ephant> https://tools.ietf.org/html/rfc5517 is the rfc for pvlans, linux calls this "l2 client isolation?" ofc?
22:11 < cluelessperson> can unifi isolate clients?
22:12 <+catphish> cluelessperson: yes
22:14 <+catphish> cluelessperson: although looking through the config, i can't see it
22:16 <+catphish> cluelessperson: so, no idea :( should be possible, but can't find the setting on mine
22:22 < cluelessperson> catphish: also lan clients. :P
23:49 < ironpillow> hi all, trying to understand how meraki ambassador works: https://meraki.cisco.com/blog/2013/05/guest-ambassadors-providing-simple-and-secure-guest-access/. Does it use a radius server in the background? thanks!
--- Log closed Sat May 05 00:00:09 2018
