--- Log opened Thu May 10 00:00:14 2018
00:01 < seven-eleven> hi
00:02 < seven-eleven> where do I add this in ubuntu's network configs? http://dpaste.com/1PT1EM7
00:02 < seven-eleven> if i put it inside /etc/network/interfaces its removed upon reboot, maybe i should put it into /etc/network/if-up.d or /etc/network/interfaces.d/?
00:03 < E1ephant> are you using network-manager?
00:03 < seven-eleven> not using NM
00:03 < E1ephant> in my experience that should absolutely stay, 14/16/18 LTS?
00:04 < seven-eleven> yeah using ubuntu 16.04
00:04 < E1ephant> this is under an interface stanza correct?
00:04 < seven-eleven> yes
00:05 < seven-eleven> maybe my vps provider which uses OpenNebula to create my VM, forces to overwrite the interfaces file on reboot
00:06 < seven-eleven> ill try to add my stuff to interfaces.d
00:09 < E1ephant> yeah interesting, I would say yes that is not default behaviour
00:15 < seven-eleven> hm, so custom configs in interfaces.d/ aren't deleted, just interfaces file is overwritten
00:40 < luxio> what's the name for that circular connector with one pin in the center that you tighten
00:41 < luxio> nvm its coaxial
00:43 < Evan1929838484> How much do you guys earn being an IT?
00:47 < SporkWitch> Evan1929838484: that's a google question; lots of resources compiling average pay rates
00:48 < Evan1929838484> Yea, but I want to hear it from a peesom
00:48 < Evan1929838484> Working person*
00:48 < SporkWitch> you mean like the people those statistics are compiled from, and has nothing to do with ##networking?
00:49 < SporkWitch> not to mention it being generally considered rude to ask random people what they make
00:52 < luxio> is it possible to buy coax to cat6 and connect the coaxial cable from wan straight to a router through that converter?
00:52 < luxio> or do i need a modem
00:52 < Holo> o.o
00:53 < Holo> luxio to what?
00:57 < luxio> nvm what's the difference between cheap modems and expensive modems
00:57 < luxio> they both do the same thing right?
00:58 < SporkWitch> luxio: https://duckduckgo.com/
01:00 < Artemis3> luxio, i wonder why do you want coax in the first place.
01:00 < luxio> Artemis3: because thats where my internet comes from
01:01 < SporkWitch> ...
01:01 < Artemis3> luxio, the connector is called BNC, they haven't used those in decades. And yes, transceivers did exist for that.
01:01 < Artemis3> luxio, so you mean cable modem?
01:01 < luxio> i dont think its bnc
01:02 < luxio> i googled that and it doesnt look like bnc
01:02 < luxio> i will take a picture 1 minute
01:02 < Artemis3> nah don't bother
01:03 < luxio> https://i.imgur.com/mFRCAmK.png
01:03 < Artemis3> and yes you need your cable modem
01:03 < luxio> that is what i connect my modem to
01:04 < c|oneman> yes?
01:04 < xamithan> Is there another device that does docsis that isn't a cable modem? If so, use that
01:04 < Donjuanal> luxio: yes you need a modem. Modem is a modulator demodulator.
01:04 < Artemis3> you can move your cable modem closer, just use a longer coax, there are female/female of those
03:02 < mast> It's a good thing my fiancee is away while I'm buying all this server crap
03:11 < ghostyy> what'd you get?
03:38 < neoweb> why would a connection ever give me a 12 second to 20 second ping
03:38 < neoweb> would it not just drop the ping?
03:39 < Criggie> cos the devices between you and it have got buffers
03:39 < neoweb> qos buffers right?
03:39 < Criggie> they don't care how old an ICMP packet is
03:39 < neoweb> I have only ever seen this on a t1
03:39 < Criggie> routers generally only drop ICMP when TTL is expired.
03:39 < neoweb> Can I force them to drop packets?
03:40 < neoweb> set a TTL via firewall rule i suppose?
03:40 < neoweb> I am being told that when I use over 80% of a T1 speed that a t1 will degrade.
03:42 < Criggie> a T1 is 1.544 Mbit/s right? Not a lot.
03:42 < neoweb> right
03:42 < neoweb> but even when I setup QoS and specify icmp as king, limit the bw to the max
03:42 < neoweb> t1 pings = bad
03:43 < neoweb> I have done 1.25 mbits
03:43 < neoweb> 1 mbits
03:43 < neoweb> etc
03:43 < Criggie> that's probably the acks being delayed
03:43 < Criggie> try adding ACKs to the high prioritisation list.
03:43 < neoweb> did that too
03:43 < Criggie> personally I set http/https to low.
03:43 < neoweb> i mean, this should not be happening if I do it right?
03:44 < Criggie> No idea - I'm not in your position
03:44 < Criggie> But a 1.5 Mbit link should be achieving 90% all the time minimum
03:44 < Criggie> I have 30 Mbit at home and routinely get 33 Mbit out of it.
03:47 < neoweb> dammit man
03:48 < neoweb> tier 2 verizon
03:48 < neoweb> bah
04:49 < Terminus> turtle, ||cw: so i actually checked the latest samba package for freebsd. you're right, it comes with a whole load of options enabled now. that wasn't the case before with samba 3.x.
05:12 < ash_mobile> Do you consider a device which maps ips, "routing"?
05:26 < Logg> ash_mobile, a router passes packets from one network to another.
05:49 < vlad_> hello
05:51 < vlad_> So I setup an environment which can be VPN'd into, I want to limit this so that only one VPN connection can be established at anytime from each .ovpn config file. However, I know people could broadcast their tun0 or tap0 or w/e ifconfig interface pertains to the VPN connection via an external NIC and thereby have multiple connections while it appears to be only one established VPN connection. Is there a way to prevent this?
05:53 < CHENG08> guys can you help about openwrt in linksys e1200 I cant access the web gui and ssh. When I try to reset it using failsafe mode its not working
05:57 < CHENG08> I try all the method on google but it still not working.
06:01 < CHENG08> guys can you help about openwrt in linksys e1200 I cant access the web gui and ssh. When I try to reset it using failsafe mode its not working?
06:02 < mast> Have you tried connecting your computer directly to the router?
06:02 < mast> And attempting the webgui that way,
06:03 < mast> If yes, have you tried a full system reset CHENG08
06:03 < mast> I had to deal with something similar on my e3000
06:08 < jair> Hello there I am looking at one of the stack switches in one and another stack switch on one of our chassis and I see lights on all ports going nuts
06:08 < skyroveRR> You have a loop somewhere, jair
06:09 < jair> skyroveRR: I believe so
06:09 < skyroveRR> Remove all the cables one by one, and check.
06:09 < CHENG08> mast: yes i try to use lan to connect on the router
06:09 < jair> I am wondering what will be the best way for me to do a packet capture
06:09 < skyroveRR> jair: you can't, in a dumb switch.
06:09 < jair> skyroveRR: right
06:09 < skyroveRR> It does not have packet mirroring.
06:09 < mast> And you've tried connecting using the Router's IP address?
06:10 < jair> skyroveRR: that is what I was trying to find out, what can I do to isolate the issue and identify what is causing it
06:10 < CHENG08> yes I configure ip4 to 192.168.1.1
06:10 < mast> My other suggestion would be a full reset. Which would be, while the router is powered on, pressing and holding the RESET button for 10 seconds,
06:10 < skyroveRR> jair: only option is to unplug all the cables, and see if the craziness is stopping.
06:10 < jair> skyroveRR: I am thinking about connecting to the switch via console and check the logs?
06:11 < mast> Powering the device off, and then power it up while also pressing the reset button
06:11 < mast> That's what I had to do to get mine to stop all that nonsense
06:11 < CHENG08> mast: I try it but not working
06:11 < jair> skyroveRR: you mean unplugging all the clients I have connected in the switch hmm :(
06:11 < skyroveRR> jair: you haven't told us whether it's a managed switch or not, so it's kinda hard to answer your question.
06:11 < CHENG08> before when dd-wrt is installed on my router it works but when I change to openwrt not working
06:12 < skyroveRR> jair: I'm assuming you have a dumb switch. And in dumb switches, that's the only way
06:12 < jair> skyroveRR: this is a production environment and this will require letters and outage notice to everyone :(
06:12 < jair> skyroveRR: the switches are DELL
06:12 < mast> So you have tried this full reset that I just suggested? CHENG08
06:12 < jair> I can pass the exact models
06:13 < skyroveRR> jair: managed or unmanaged?
06:13 < CHENG08> mast: yes I try it.
06:13 < jair> skyroveRR: managed
06:14 < skyroveRR> But are they configured per port?
06:14 < jair> skyroveRR: the switch has an IP address configured and they also have bgp configured as well
06:14 < jair> skyroveRR: yes, they do support vlans
06:14 < jair> let me share the models
06:14 < skyroveRR> What's the configuration of each port?...
06:15 < CHENG08> mast: other solution to reset the router openwrt?
06:16 < jair> skyroveRR: hold on please
06:16 * skyroveRR holds on..... to what? This isn't a phone call.
06:18 < CHENG08> guys can you help about openwrt in linksys e1200 I cant access the web gui and ssh. When I try to reset it using failsafe mode its not working?
06:19 < mgolisch> are loops even a thing with (m/r)stp? i always thought it would just shutdown a port that would form a loop
06:19 < jair> skyroveRR: I will share the details via a paste site
06:19 < jair> skyroveRR: sorry for the delay though
06:20 < skyroveRR> jair: I'll be gone in 2...
06:20 < jair> :(
06:20 < jair> skyroveRR: http://paste.debian.net/1024077
06:21 < skyroveRR> Yeah, not configured in any way.
06:21 < skyroveRR> You'll have to do it the old (hard) way.
06:21 < skyroveRR> Unplug it all, see if the loop stops
06:22 < jair> skyroveRR: I see OK
06:23 < jair> skyroveRR: thank you for the help
06:23 < skyroveRR> * Not configured in any way to avoid a loop.
06:23 < jair> skyroveRR: http://paste.debian.net/1024077
06:23 < skyroveRR> Hm?
06:23 < jair> skyroveRR: should I add to all the ports spanning tree?
06:23 < jair> I know stp will prevent loops?
06:24 < jair> or add it port by port and see?
07:00 < z3t0> hi, what is the right place to ask about configuring servers, vmware, and windows server related questions?
07:03 < light> just ask away, no one else is talking
07:05 < z3t0> Alright
07:05 < z3t0> I am learning about servers and ansible etc
07:05 < z3t0> So far I have been given access to home server that is running on windows server
07:05 < z3t0> From there I can use vmware vsphere to setup virtual machines
07:05 < z3t0> Now, my current workflow is to rdp into the windows server, and then ssh into the other servers from there
07:06 < z3t0> Is it possible to skip the rdp, and ssh directly from my machine?
07:06 < light> yes
07:06 < z3t0> Currently the IP I am using for ssh is a local one
07:06 < z3t0> So I am assuming there must be some way to bind it to the rdp ip so that is externally accessible
07:07 < light> you could just give that IP to the VM you want to SSH into
07:07 < light> if you only have 1 IP and you want to access multiple machines you will need to port forward
07:07 < z3t0> There are multiple vms running on that server
07:08 < z3t0> Okay thanks, I'll do some searching on how to port forward
07:24 < neoweb> it looks like a bad interface configuration and possibly a bad ethernet cable too fyi
07:50 < vlad_> So I setup an environment which can be VPN'd into, I want to limit this so that only one VPN connection can be established at anytime from each .ovpn config file. However, I know people could broadcast their tun0 or tap0 or w/e ifconfig interface pertains to the VPN connection via an external NIC and thereby have multiple connections while it appears to be only one established VPN connection. Is there a way to prevent this?
07:53 < detha> vlad_: short answer: no. longer answer: some commercial vpn clients (anyconnect for example) have options to forbid that, which they implement by fucking with the client's routing tables.
08:10 < password-1> hi
08:11 < password-1> is there a way i can know the mac address of the switch my computer is plugged in?
08:11 < password-1> I have a need for devices to know where they are plugged in automagically
08:12 < detha> managed switch? can it do LDP or CDP?
08:13 < password-1> might be managed
08:13 <+pppingme> if its not managed, it doesn't have a mac address..
08:13 < password-1> someone asked me in passing, and I've been pondering if it is possible
08:13 <+pppingme> what switch?
08:13 < password-1> idk
08:14 < password-1> 'My responses are limited"
08:14 <+pppingme> switches don't need a mac to operate, the mac address on a switch is only for the purpose of management
08:14 < password-1> i thought each port had a mac address?
08:14 <+pppingme> nope
08:14 < linux_probe> lol
08:14 < linux_probe> snort my port
08:15 < password-1> hmm
08:15 < password-1> then my networking knowledge is skewed
08:15 < linux_probe> pooed
08:15 < myxenovia_> how can I reset openwrt I try failsafe but not working?
08:16 <+pppingme> only for management, interactive management like ssh, www, etc, or infrastructure management (lldp, etc)
08:16 <+pppingme> for actual doing its job as a switch, not needed..
08:16 < myxenovia_> I use ssh and the web gui but I cant access it.
08:16 < password-1> but the switch does know which macs are on which ports internally?
08:17 <+pppingme> it learns by listening..
08:17 < password-1> yeah, that i remember
08:17 < password-1> and to the computer all macs is on the 1
08:17 < password-1> port
08:18 <+pppingme> it only needs to know where other mac's reside, so it knows where to forward traffic.. none of that requires that it actually have a mac
08:18 < password-1> what is LDP or CDP then?
08:18 <+pppingme> lldp is link layer discovery protocol, cdp is just a branded similar protocol
08:29 < vlad_> detha: Would it not be possible to coun't the MAC addresses to see if their are multiple users connecting over on VPN connection?
08:29 < vlad_> count*, there*
08:30 < Mead> Vlad: no, mac addresses get stripped when it hits layer 3
08:31 <+pppingme> If your vpn is operating at Layer2, its setup wrong
08:32 < Mead> a VPN gateway operates at layers 3 and above anyway.
08:32 < phocking> Mead: unless it's mpls-vpn operating at the magical layer 2.5 lulz
08:33 < vlad_> Mead: Oh okay, so there's basically no way to protect from multiple connections over one .ovpn config (if the interface is broadcasted by an external NIC allowing multiple users to connect to the VPN service)?
08:36 < detha> vlad_: people will just hang a bunch of clients behind NAT. You can usually spot it in the traffic patterns if you look closely, but not guaranteed
08:37 < detha> Mead: L2 VPNs are a thing too
08:37 < Mead> I'm not horribly familiar with .ovpn, but I know if someone wants to hide a load of clients behind an IP running PAT you really can't do anything about it without some form of packet inspection after it leaves the other side of the gateway.
08:37 < myxenovia_> guys can you help me about openwrt I change the config br_wlan to wlan0 the default is set to eth0.
08:37 < Mead> myxenovia_ there is an openwrt channel that could be more helpful
08:39 < myxenovia_> okay sir Mead thank you.
08:40 < Mead> myxenovia_, good luck I know they can be helpful.
09:41 < regdude> HI! In switches, there are uplink ports and (???) ports. What are the opposite ports called?
10:07 < jurislav> anyone can recommend an ldap server for proxying multiple backends together, so they appear as a single sync source?
10:22 < Apachez> what about an ldap proxy?
10:23 < Apachez> but I doubt you can do it over the same port for all
10:23 < Apachez> how will you handle collisions?
10:29 < detha> regdude: 'ports'. In some cases, you could say 'access ports'
10:30 < regdude> detha: I don't like the name access ports since that is more used for VLAN setups. How about uplink and isolated ports?
10:31 < detha> isolated ports? I would only use that in PVLAN setups
10:32 < regdude> detha: true, how about downstream ports?
10:34 < detha> regdude: downstream sounds like aggregation layer to access layer in traditional setups. What is wrong with just 'ports'?
10:34 < marktiell0> Could anyone please take a look at this weird SSL issue? https://stackoverflow.com/questions/50267953/android-socket-proxy-server-randomly-fails
10:34 < detha> As in, no specific function, connect to it what you want
10:36 < regdude> detha: dunno, seems like there must be a decent name for ports that are not uplink ports, I guess will need to stick with just ports
10:39 < regdude> did a US navy ship cut off an optical line in the ocean?
10:41 < mast> Why is Netflix buffering now
10:51 < Apachez> regdude: again?
10:54 < regdude> last time I think it was India and almost started WW3
11:16 < GodOfSea> Hi
11:16 < GodOfSea> anyone got a link or tutorial on how to add a new user/email to an existing postfix config
11:23 < light> you don't need to edit the postfix config to add users
11:24 < Kryczek> indeed, and iirc you add the firstname.lastname addresses as aliases (since usernames usually look like flastname)
11:26 <+xand> they do?
11:27 <+xand> that's a terrible username format
11:27 <+xand> people can change their name and then their username would be "wrong"
11:28 < Apachez> whats your flastname?
11:28 < Kryczek> xand: what other format are you thinking of?
11:28 < Apachez> let the users have a random num
11:28 < Apachez> user00029938
11:28 < Apachez> and then alias their name to that
11:29 < Apachez> so when they go SJW and change gender and what else all you have to do is to append another alias
11:29 < Kryczek> yeah but then you'll have a never ending queue of people at the IT helpdesk because they forgot their username
11:29 < Apachez> why would you?
11:29 < Apachez> the users have smartcards to login
11:29 < Apachez> all they need to remember is their pincode
11:30 < Apachez> they will never have to care about usernames and passwords
11:30 < Kryczek> hah! I have been recommending that everywhere for years, nobody cares :(
11:30 < irwiss> wonder how people like nobody even survive on irc with a nick like that :P
11:31 < Kryczek> especially now that you can merge building access control badges with computer access smartcards, notably with dual interface (contactless & contactful) cards
11:38 < djph> Kryczek: nobody cares, because the suits are too dimwitted to see why it's a good idea (or how much money they're wasting because *the users* suck)
11:42 < Kryczek> yeah :/
11:44 < djph> they just see that *you* spent 80 hours last pay-period doing "???????" so you're a cost-center
11:45 < djph> had one BOFH who was on good terms with the CEO, he got OK'd to use "dealing with people who should know better in YYYY" as a time bucket (we just had to tag tickets into it on the sheets)
11:45 < Kryczek> djph: yep... and those 80 hours were probably spent writing emails trying to convince people that "password" is not a good domain admin password, and that sort of waste of time
11:47 < djph> I was only there for like 2 years (college) - but there was a *sharp* decrease in luser behavior by the end of it.
11:49 < djph> I mean, there were still a couple of "un-firables" who kept being able to be useless, but the rest of them became competent enough that we got christmas bonuses, since the CEO realized the only reason they got whatever couple of contracts in at the "early bonus" was because we were allowed to use a clue-by-four
11:49 < Kryczek> djph: how were the users encouraged to change? The time bucket slots were attributed to each user who wasted the operator's time?
11:50 < Kryczek> lol I didn't know the clue-by-four expression, love it
11:54 < djph> Kryczek: "users are useless" bucket -> notes -> list the tickets
11:54 < Kryczek> :)
11:55 < djph> it effectively got sold as a "hey look, we know helping them is our job, but we're burning 20+ hours a week dealing with 'I'm too stupid to remember to breathe' type issues"
12:04 < djph> and once we proved that the major "delay" wasn't "IT are meanies" ... well, CEO started taking a hard line on "computer issues" as an excuse
12:19 < darsie> What are better keywords to search for 'mobile router vpn'?
12:22 < darsie> cellular, 3g
12:23 < darsie> Is VPN common in cellular routers?
12:24 < djph> darsie: what're you trying to do?
12:25 < darsie> Connect a device (e.g. raspberry pi or microcontroller with wifi) to a VPN via a cellular router.
12:27 < darsie> Trying to find out if an EPS8266 or EPS32 is viable for this.
12:28 < darsie> Or if the VPN has to be implemented in the EPS.
12:32 < djph> the device using the network needs to do the VPN
12:32 < djph> I mean, I don't fully recall how the EPS works - it's more than just a "dumb(tm)" bridge, isn't it?
12:32 < darsie> I read about routers doing VPN and devices connecting to the router with wifi.
12:33 < Apachez> I read about big breasts
12:33 < Apachez> doesnt mean they are good
12:34 < djph> darsie: sure, if the router has a VPN client, and then routes downstream (wifi) clients over that VPN connection
12:34 < djph> Apachez: because you're *reading* about them. "A picture is worth 1000 words"
12:36 < darsie> ESP8266 *
12:36 < djph> darsie: sounds like you need (1) a Cellular modem (2) A router that can do VPN, and (3) a wifi access point for a client device, right?
12:37 < darsie> I haven't dived too much into the ESP. It's a wifi enabled SoC with a scripting language (NodeMCU – A Lua-based firmware.) https://en.wikipedia.org/wiki/ESP8266
12:38 < djph> yeah, I know
12:38 < djph> have one around here somewhere, I think.
12:38 < darsie> Then you are ahead of me :).
12:39 < djph> can't remember if I pulled the trigger on it though when I got all the other bits
12:39 < darsie> We're trying to decide using that or something with Linux.
12:40 < djph> anyway, for your modem / router / ap - look into say a Cradlepoint. They're not cheap by any means, but they do everything you listed (IIRC)
12:41 < jurislav> does freeradius support password expiration?
12:41 < Apachez> I doubt it
12:42 < Apachez> thats for the software using the ldap server to maintain
12:42 < djph> jurislav: I *think* so; although it may actually rely on an outside service (e.g. LDAP backend)
12:42 < regdude> darsie: we have been playing around with ESP, for now it seems to be quite limited, a VPN might not be possible. We did manage to make a wifi connection
12:42 < Apachez> you could do this on your own with a script
12:42 < djph> regdude: they are - I mean, they're intended for low-power arduino projects, afterall
12:42 < djph> well "intended for"
12:43 < Apachez> jurislav: see freeradius as a dbserver
12:43 < Apachez> same as mysql uses sql as api and myisam (among others) as table format
12:43 < Apachez> freeradius uses radius as api and ldap as table format
12:45 < djph> I'm not sure "LDAP" is actually a table format
12:45 <+xand> it's not
12:45 < djph> maybe you meant x.500?
12:46 < Apachez> well whatever
12:46 < Apachez> its up to you what you fill in those tables and how to use them
12:46 < djph> I think it's x.500 ... x.509 is what's on certs, and that looks different ...
12:46 < Apachez> freeradius just serves the data same as mysql in this context
12:46 < djph> meh
12:48 < darsie> djph: Right now we use a cellular modem/wifi router and a pi with vpn. I don't think we'll use cradlepoint.
12:48 < djph> darsie: then it sounds like you have what you need
12:48 < jurislav> trouble is, freeradius doesn't allow me to connect to the network, unless a valid password is specified, does it? and a valid pwd doesn't exist once it's expired in the backend (ldap, ad...). at least this is how I understand it, and i'd expect many people dealing with this, but to my surprise, googling isn't getting me anywhere :/
12:48 < darsie> Yeah, but I've been asked to look for more reliable solutions.
12:48 < darsie> "industrial"
12:48 < djph> darsie: Cradlepoint.
12:48 < darsie> k
12:49 < darsie> That doesn't eliminate the pi.
12:49 < djph> Okay, now I'm confused
12:49 < darsie> I think they are concerned about the reliability of the pi.
12:50 < Apachez> darsie: here you got more reliable solutions: http://www.consilium.europa.eu/en/general-secretariat/corporate-policies/classified-information/information-assurance/eu-restricted/
12:51 < djph> darsie: Okay, so you have a cell router already, great. The RPi is doing ... what, exactly?
12:51 < darsie> turning something on and off.
12:51 < darsie> with gpio.
12:51 < djph> darsie: I misunderstood before, and thought the Pi was acting as the router
12:51 < Apachez> why dont you let the rpi doing the vpn too?
12:52 < Apachez> new rpi's have two rj45's too
12:52 < darsie> Apachez: We do, but it seems they think the pi is unreliable, as in might crash or so.
12:52 < djph> OK, you're not going to find anything much better than that solution. I mean, an "industrial" solution would probably have a ton of extra RF shielding, and a warranty against catastrophic failure (i.e. it would fail "safe" on the machine it's running)
12:53 < djph> which, may be worth it, depending on what the "thing" it's power-cycling is.
12:56 < Apachez> darsie: so if it crashes then you have nothing to use your vpn anyway so point being?
12:56 < Apachez> you have the "industrial" solutions above when it comes to vpn
12:58 < darsie> Apachez: They apparently want to replace the pi (which turns the thing on and off) with something more reliable which will not crash for years.
12:59 < darsie> the pi is the wifi client
13:00 < Apachez> you are doing it wrong
13:00 < Apachez> use two rpi's then?
13:00 < Apachez> one as cold standby
13:00 < Apachez> problem fixed
13:00 < Apachez> NEXT!
13:04 < detha> darsie: there are industrial modems that do VPN, can switch the odd thing on or off, and some have a built-in wifi access point. Different price class than a raspberry though
13:06 < darsie> detha: That's cool, but there may be several things in one location and we don't want a separate cellular router in each one, I think.
13:06 < darsie> Rather connect 4 things to one router.
13:07 < detha> router and ethernet?
13:07 < darsie> cellular modem/router/wifi
13:07 < darsie> in one box
13:08 < detha> that's one device, hook the other points up to it via wifi or ethernet
13:08 < darsie> yes
13:11 < detha> darsie: I would use one of the cheaper 3G modems, Maestro E200 or E220 or so, hook odd devices up to it over the wifi
13:11 < Apachez> your mum is sweaty and you eat her spaghetti
14:39 < Apachez> https://www.youtube.com/watch?v=dJRsWJqDjFE
15:28 < MrNaz> assuming the same hardware, will I get better performance if i use a NAS as an iSCSI target than if i just use it as a SMB share? If so, how much of a difference?
15:32 < Assid> hi, so im re-evaluating a few things. i was just wondering would it make more sense to host your own DNS servers, or use free ones .. like dyn / he .. etc
15:33 < cluelessperson> MrNaz: depends, also, I think you'll find it slightly more difficult to manage/backup iSCSI depending on the size. Also, I would suggest NFS over SMB
15:34 < Assid> 1 major advantage of your own.. is you can move your dns around .. /interchange servers without really any down time . since the records are already present.. doing that with changing free dns providers would be much much more difficult
15:37 < MrNaz> Assid realistically, even free DNS providers have propagation time that is measured in minutes
15:37 < MrNaz> do you change DNS settings often enough that you can't plan around that?
15:38 < Assid> MrNaz: currently i run my own with a free slave from dyn .. but the propagation time is pretty slow
15:39 < MrNaz> cluelessperson what are the advantages of NFS?
15:39 < Assid> i was planning to having my own subdomains etc running a dyn type script.. but i scrapped that for dyn anyways.
15:43 < eto> hello does anybody know about other reasonably priced network taps (besides sharktap)?
15:49 < MrNaz> if i understand correctly, you can get the same functionality if you have a good switch by turning on port mirroring
16:01 < OnkelTem> Hi all
16:02 < OnkelTem> I have problems with my OpenVPN connection on Kubuntu 17.10. I have it configured in NetworkManager, it's a regular OpenVPN connection. For some reason once I start it, it just disconnects after few seconds
16:03 < OnkelTem> https://apaste.info/xfj6 - this is how it looks in logs
16:04 < OnkelTem> From user perspective it looks like it disconnects when I try to "use" it
16:04 < OnkelTem> For example, when I open a page in a browser
16:04 < OnkelTem> And this connection is not the only one which I have problems with. Before I had the same behaviour with so called "StaticVPN" service
16:05 < OnkelTem> There is used just pptp
16:15 < ||cw> OnkelTem: connection reset could be anything between you and the provider. is your ISP connection pretty stable?
16:16 < ||cw> maybe you can up some timeout value in the openvpn config?
16:20 < OnkelTem> ||cw: can it be related to MTU size?
16:20 < OnkelTem> ||cw: well, connection is stable enough, it is a 4G one
16:20 < ||cw> why does everyone think everything is MTU related?
16:21 < ||cw> mtu is pretty much never the problem unless you've set it to something oddball
16:21 < OnkelTem> Sorry was disconnected
16:21 < OnkelTem> ||cw: can it be related to MTU size?
16:21 < OnkelTem> ||cw: well, connection is stable enough, it is a 4G one
16:22 < ||cw> mtu is pretty much never the problem unless you've set it to something oddball
16:22 < OnkelTem> I don't set it at all - neither in server config not in the clients one
16:22 < OnkelTem> nor*
16:22 < djph> ||cw: or you're using something oddball, like VPN over xDSL, or xDSL itself, or a cell 3/4G modem ...
16:23 < OnkelTem> djph: what's wrong with 3/4G? This is my case
16:25 < djph> OnkelTem: just that *sometimes* they do funny things with MTU, because of encapsulation overhead.
16:26 < OnkelTem> Oh that, yeah I'm familiar with DSL related mtu issues :)
16:27 < OnkelTem> 10 years ago I had to use something like 1420 or near
16:27 < djph> yeah, it's usually like 149x with 1452 mss-clamp
16:27 < OnkelTem> But it worked anyway, just that some websites didn't work because of the fragmentation
16:30 < regdude> Anyone had success setting up bonding with arp ip target in Debian?
16:32 < regdude> I have seen some 3G/LTE modems do weird stuff when receiving packets over 1480 bytes long
16:35 < ||cw> regdude: balance-alb? I think I've done it once
16:35 < ||cw> I usually just bond for switch redundancy though
16:36 < regdude> nvm, I needed to remove bond_miimon value, for some reasons I think arp_ip_target will override it
16:36 < regdude> obviously it does not
16:41 < OnkelTem> Lol, I just had a call with mobile operator and they told me that I haven't been paying for this number for about 5 months and then I shouldn't have Internet at all
16:42 < OnkelTem> So probably they deliberately drop openvpn connections due to this limitation
16:43 < CarlosSutana> hello. can someone help me with an issue? i have a tp-link 1043ND router. in this router i have connected my PC and an Allied Telesis AT-FS750/16 managed switch
16:44 < Apachez> CarlosSutana: good for you, and the question is?
16:44 < CarlosSutana> the problem is that when i start the PC it won't connect to the internet unless i unplug / disconnect the switch from the router
16:44 < regdude> RSTP?
16:44 < regdude> or BPDU/Root guard
16:45 < CarlosSutana> and if i try to access the router on 192.168.0.1 it points me to the management interface of the switch
16:45 < waqstar> In windows, when I want to ping IP 10.1.0.11, how do I reroute this so the traffic actually goes to a different IP address. Basically map 10.1.0.11 to another ip address instead?
16:45 < regdude> somebody has a conflict
16:46 < CarlosSutana> regdude sorry but idk what is rstp (real time streaming protocol maybe)
16:46 < Apachez> so how did you configure this switch?
16:46 < Apachez> how do you connect everything?
16:46 < Apachez> which are the interface settings for each box?
16:46 < CarlosSutana> Apachez i did not configure it at all just bought it second hand and used it
16:46 < Apachez> like link/duplex along with ip/subnet/defgw/dns
16:46 < regdude> CarlosSutana: ignore RSTP and BPDU guard, you have an IP conflict, change one address
16:46 < Apachez> well then you should check the settings first
16:47 < Apachez> most likely some ip conflict
16:47 < ||cw> CarlosSutana: so you configured the switch's management interface to 192.168.0.1? that's a problem
16:47 < regdude> waqstar: one way is to add a switch or a router that will rewrite this address
16:47 < Apachez> or vlan configured so your box cannot reach your tplink
16:47 < CarlosSutana> the problem is i don't have the credentials for the switch
16:47 < ||cw> waqstar: you don't
16:48 < ||cw> waqstar: what are you actually trying to do?
16:48 < ||cw> CarlosSutana: factory reset it
16:48 < CarlosSutana> ||cw i would but i checked and it does not have a reset button wtf ??
16:48 < CarlosSutana> do i have to open it?
16:49 < CarlosSutana> maybe it is inside the case?
16:49 < waqstar> regdude, what about without a router, i.e. in windows only. I have an application hardcoded to use 10.1.0.11, however this IP has moved to 10.1.0.12 and the application has not yet been updated (will be in a few days). 10.1.0.11 doesnt exist anymore so I want to map/route 10.1.0.11 to 10.1.0.12 locally on Windows
16:49 < ||cw> CarlosSutana: or, change the IP block of your LAN on the router. 192.168.0 is overused anyway
16:49 < waqstar> ||cw, ^
16:50 < ||cw> replace that 0 with any number you want as long as it's less than 256. or use a 10.x.x range
16:50 < ||cw> waqstar: you can't add .11 as an additional IP to the server?
16:51 < ||cw> waqstar: and while you're making changes, reconfig the app to use a DNS cname instead of an IP, then you'll never have to deal with this again
16:51 < waqstar> ||cw, Thought of that, but this is in aws and they allow you to have only 2 IPs per interface, this server already has a second IP assigned at 10.1.0.31 (for a different purpose)
16:51 < CarlosSutana> ||cw i will try to change the ip of the router . i hope i won't fuck up something . i'm a complete noob on networking
16:52 < ||cw> waqstar: if you don't have local DNS, you can use hosts files
16:52 < CarlosSutana> i would put 192.168.1.1
16:52 < ash_work> anyone have experience with rancher-os? do you use user accounts or just expect people to log in as `rancher@rancher` ?
16:52 < waqstar> ||cw, Well i did try and tell the developers this but they didn't want an "extra overhead" of dns.
16:52 < ||cw> CarlosSutana: change the DHCP first, then change the router IP and save/reboot once. then release/renew your PC
16:53 < ||cw> waqstar: lol
16:53 < waqstar> But in any case, is there a way to do what I'm trying? I know it sounds stupid but maybe at firewall level etc?
16:53 < ||cw> your devs are idiots
16:53 < ||cw> no, there is no way to do what you want.
16:53 < waqstar> ||cw, oh mate, don't get me started on my devs. They are a bunch of wankers
16:54 < waqstar> ah man. ok thank you ||cw
16:54 < ||cw> your devs' premature optimization is costing you downtime
16:54 < ||cw> bill them for it.
16:54 < waqstar> exactly. and i always get the blame
16:55 < waqstar> i said use dns. it can return multiple IPs and we can turn off servers and move IPs with ease. but they had none of it
17:08 < FireSnake> hi. if a router drops ip fragments, is it a practice or a "MUST" in some rfc to also send an icmp message to the originating host?
17:09 < darsie> FireSnake: That might add to the load of an overloaded link.
17:10 < regdude> FireSnake: RFC is not a must, IEEE is a must.
As far as I know, no routers do that, then again many people filter out almost all ICMP messages
17:13 < FireSnake> what i'm asking is: is it common to not inform the sender that you dropped his packet?
17:14 < FireSnake> i mean, is it widely adopted to not inform, or is it widely adopted to inform?
17:14 < regdude> quite common, yes. Mostly set action=drop instead of action=reject
17:15 < FireSnake> when i say 'router', i mean not a home router but isp grade
17:15 < FireSnake> sorry for not saying that first
17:15 < djph> If you DROP the packet, the whole idea is it disappears silently.
17:15 < regdude> ISPs tend to drop everything that they don't like silently
17:15 < FireSnake> of course, but i want to understand if the majority drop or reject
17:16 < regdude> this does keep the link less crowded
17:16 < djph> If something else happens (e.g. a packet with the Don't Fragment flag set) that causes a problem, then send a "heyo this isn't gonna work" response to the sender.
17:16 < FireSnake> no, the DF is not set
17:16 < FireSnake> (in my case)
17:18 < FireSnake> isp was dropping a single large fragmented udp packet. i kept banging my head until i set up the ipsec client to use ike fragments before sending the data to the wire
17:18 < djph> I'd only ever consider "reject" on trusted networks (e.g. my lab, or the IOT network ... well, not that I trust it, but you get the idea)
17:18 < djph> UDP is a bit weird, since it's stateless
17:52 < CarlosSutana_> ||cw thanks for the advice . i changed the LAN IP of the router . i will see if there is still a conflict next time when i reboot the PC
17:53 < CarlosSutana_> as for the switch , idk why they designed it without a reset button
17:54 < CarlosSutana_> this is kind of stupid but at the same time is a security measure
17:54 < CarlosSutana_> but i saw the newer models have a reset button
17:55 < Wernis> Hello. I have an AWS machine running ubuntu, I have pointed my domain to the machine.
How do I run a service on a port (say 17171) and connect to it via something like domain.xyz:17171? (Without using nginx)
17:56 < Wernis> I have a Minecraft server on it at 25565 and I can connect via a client just by using domain.xyz and somehow Minecraft knows what port. I am a little lost understanding how this works.
17:59 < tpr> maybe it's the default port for minecraft?
18:00 < Wernis> Yes that is correct. 25565 is the default port. Is there a way I can make my application's default port 17171?
18:00 < tpr> minecraft also supports srv records, but if you haven't touched your dns that's not the cause I suppose
18:01 < tpr> you modify your application to use that as a destination port
18:02 < Wernis> So somewhere inside my application it would have to connect to my domain and application like domain.xyz:17171 knowing* that 17171 is the default, is that right?
18:03 < tpr> no, generally you use some sort of high-level socket api which allows you to use hostnames (which resolves domain.xyz to the ip address), and you pass any port you want to use as where to connect to on that host
18:04 < Wernis> Genius. So I don't connect directly to the domain, I resolve it first. That's awesome. Because my application works if I use IP:Port. Thanks man, I really appreciate it!
18:06 < tpr> yes, check out getaddrinfo() if you are doing some low-level stuff
18:06 < tpr> usually it's simply better to let some higher-level library handle all those nasty details tho
18:23 < n0c> anyone here in an AD environment where you're using a non microsoft dhcp server? wondering about getting dns zone updates done from for instance, a fortigate
18:24 < n0c> microsoft dhcp has always and continues to suck badly, but it's nice to have the secure dynamic dns updates handled
18:24 <+pppingme> what issues do you have with ms dhcp server?
18:24 < n0c> it being crappy
18:24 < n0c> management / querying wise
18:25 < n0c> surely i am not the first person you've heard this sentiment from right?
18:25 < n0c> anyway, that isn't the question.. just looking for folks who have done this well / successfully
18:25 <+pppingme> not that I'm a ms fan boy, but this is an area that when there are issues, it tends to be the person behind the server's keyboard, not the service itself..
18:26 <+pppingme> in an AD environment, you're best to let MS do its thing, on all parts
18:26 < n0c> so I assume you've run several dhcp services then, and you are of the mind that Microsoft's is... good?
18:26 < n0c> right
18:27 <+pppingme> It's not my favored, but in an MS AD environment, it's really the only thing that works smoothly, and when it doesn't, it's always an issue with the admin, not the service
18:27 < GenteelBen> n0c, I strongly recommend migrating to MS-DHCP servers.
18:27 < GenteelBen> However
18:27 < GenteelBen> 3rd-party DHCP should be just as good.
18:27 < n0c> gee whiz thanks
18:28 < GenteelBen> What does DHCP have to do with DNS zone updates?
18:28 < n0c> anyway if anyone has a clueful response drop me a line. thank you
18:28 < GenteelBen> Ok, go fuck yourself.
18:28 < skyroveRR> lol
18:28 < GenteelBen> He might be using DHCP reservations on servers.
18:28 <+pppingme> n0c you still haven't stated what your actual problem is, just seems you have a vendetta against MS
18:28 * GenteelBen twitches
18:29 < GenteelBen> There's nothing special about MS-DHCP - it's a standard implementation. It's just much easier to manage than foreign DHCP services.
18:29 < GenteelBen> E.g. MS-DHCP integrates into MS' IPAM role.
18:29 < GenteelBen> Has anybody here used NordVPN? I'm weighing up my VPN options.
18:30 < GenteelBen> My thinking: buy a Synology RT2600AC router, configure a VPN service on it, and rest easy.
18:31 <+pppingme> why do you think you need a vpn?
18:31 < GenteelBen> pppingme: privacy. UK has intermittently looked at central registers for people who want to look at porn online, and I figure I'll beat them to the punch and just go dark.
18:32 < GenteelBen> privacy/piracy, I forget which.
18:32 <+pppingme> you realize that just attracts their attention, right?
18:32 < GenteelBen> Well, NordVPN is based in panama and doesn't log anything.
18:33 < GenteelBen> Also, posting a tweet being critical of government censorship is more likely to garner their attention than the ISP noticing you're using a VPN.
18:33 <+pppingme> ha ha ha ha, doesn't log anything, you actually believe that?
18:33 < GenteelBen> Yes. The risk is that they become compromised and then start logging stuff.
18:34 < eahm> https://torrentfreak.com/vpn-services-keep-anonymous-2018/
18:34 <+pppingme> no, that's not a risk, that's a guarantee!
18:34 < GenteelBen> Yeah that's the one I looked at eahm.
18:34 < eahm> :)
18:34 < GenteelBen> "Express VPN International Ltd. is a BVI (British Virgin Islands) company. Being under BVI jurisdiction helps to protect user privacy, as the BVI has no data retention laws, is not party to any 14 Eyes intelligence sharing agreements, and has a dual criminality provision that safeguards against legal overreach."
18:34 < GenteelBen> This one looks more promising.
18:34 < GenteelBen> The UK government will never, ever threaten the BVI's status as a tax haven and wild west for all things.
18:35 < GenteelBen> Most tax havens / money laundering islands are UK territories, funnily enough.
18:35 < GenteelBen> E.g. the Cayman Islands.
18:35 < GenteelBen> Anyway
18:36 < GenteelBen> pppingme, there are risks all round, but fuck the Tories, I'm getting a VPN.
18:37 < eahm> also the first two links here can be useful https://www.reddit.com/r/Piracy/wiki/megathread#wiki_.25BA_vpns
18:37 < GenteelBen> Thanks eahm.
18:38 < n0c> I'm impressed. The topic says 'if you have a question, ask it!' since Jan 1 pppingme has asked a question in 26.9% of his 2,696 utterances. bravo!
18:38 < n0c> no wonder I thought I was in #philosoraptorz
18:39 <+pppingme> I doubt I've asked that many questions..
18:39 < GenteelBen> Probably things like
18:39 < GenteelBen> "Oh yeah?"
18:39 < GenteelBen> "You feeling lucky punk?"
18:39 < GenteelBen> "Are ya?"
18:39 < eahm> oh damn damn, Proton makes VPNs too now, they take privacy very seriously.
18:42 < n0c> assuage your doubt, sir > http://paste.debian.net/1024167/
18:46 < n0c> fukken prochamp inquisitor sir, bravo for srs
18:49 < eahm> the graph shows that BolehVPN may be the best
18:49 < eahm> not may be, according to that it is
18:50 < eahm> and Mullvad is the only one with all green BUT the first one
18:51 < n0c> to the authorities, vpn technologies only definitively prove that conversations are indeed yours. tread veeeery carefully padawan
18:51 < n0c> he who holds the keys, becomes the jailer
18:51 < eahm> i don't use vpns
18:52 < eahm> personally i think they're useless but that's my opinion
18:52 < n0c> maybe not useless, but misused
18:53 < eahm> encryption is the only measure to keep stuff safe, not VPNs
18:53 < eahm> once you plug in the eth cable you're exposed, vpns or not
18:53 < djph> for some value of "safe"
18:53 < n0c> yeah it's an important distinction for sure, one that's probably conflated by the unwashed ignorant masses
18:53 < eahm> you'll only protect yourself from your ISP, not from bigger govt agencies
18:54 < sielicki> can anyone recommend a simple (ie: CLI, database free) long-term connection monitoring program? Basically something that can run in a tmux/screen window that will watch a ping and log long-term when an outage occurs or whether jitter is high at some point, etc.
18:54 < djph> VPNs are *great* when you use them right (e.g. getting from starbucks to "home")
18:54 < Apachez> sielicki: mtr ?
18:54 < n0c> second mtr^
18:54 < eahm> yes for sure, but you could just enable one on your home router for that
18:54 < djph> eahm: exactly (although, I just use ovpn on a rpi)
18:55 < GenteelBen> " to the authorities, vpn technologies only definitively proves that conversations are indeed yours.
tread veeeery carefully padawan"
18:55 < GenteelBen> This was always my principal objection to VPNs.
18:55 < GenteelBen> If they log, or start logging, you're fucked.
18:55 < eahm> i use privatetunnel occasionally
18:55 < GenteelBen> The only solution is to VPN through a VPN, inside another VPN, and in turn, another VPN.
18:55 < sielicki> Apachez: perfect! thanks! I think I have heard of this before but never have actually used it
18:55 < GenteelBen> It's like the chicken-goose-turkey thing.
18:55 < eahm> my god, paid what, 6-7 years ago? still have like 20-30 GB left
18:56 < n0c> GenteelBen: or control the endpoints, or not even that, but a path just beyond the endpoints (which they for sure do)
18:57 < eahm> oh noes, they don't even offer data plans anymore, only monthly payments
18:57 < eahm> i guess they like bling bling too now
18:57 < n0c> so it's moot, and guess what? they already know GenteelBen prefers dragon-prons
18:57 < Apachez> sielicki: mtr as far as I know doesn't store the stats (do a "man mtr" to find out)
18:57 < Apachez> but I once forgot it running over a weekend towards ping.sunet.se :)
18:58 < n0c> i stick it on -i5 or -i10 and let it ride for long periods
18:58 < hugge> Apachez: you're not alone.
18:58 < hugge> we have about 200mbit of ICMP at any given time to that node
18:59 < n0c> 90% of that is deprioritized or dropped no?
18:59 < n0c> i guess if the hostname is ping they don't interfere heh
19:00 < n0c> anyway I have been using zerotier and have been happy with it
19:00 < n0c> stitching together islands of jump hosts can be super super handy
19:03 < Apachez> hugge: :)
19:03 < Apachez> hugge: it's a great node
19:04 < Apachez> great for quick and easy troubleshooting
19:06 < at0m> GenteelBen: yes, and pay for all these VPNs with your visa card.
19:06 < at0m> GenteelBen: then log in to your fb
19:20 < n0c> just buy your lifetime subscription to the vpn service on facebook marketplace duh!
19:20 < hugge> n0c: no, we never drop icmp to that node(s)
19:20 < hugge> that's kinda the point :P
19:21 < ash_work> can network configurations be tested in a vm? like firewalls and routers? is that wise?
19:21 < n0c> you had me at testing and wise.. yes
19:22 < hugge> a few years ago that ping-node was actually just a single node, answering on ping, and when it died (NPE just got completely toasted)
19:22 < hugge> we had a lot of weird people calling in to the noc
19:23 < hugge> asking why our pingnode was gone, because it was integrated into their monitoring system to look "is internet working yes/no ?)
19:23 < hugge> so we quickly built it into an anycast service
19:28 < Apachez> hugge: but you do police it?
19:28 < Apachez> otherwise it's a great ddos reflector
19:31 < ||cw> ash_work: sure, cisco even has a VM system for learning their routers and switches
19:35 < E1ephant> "great ddos reflector?" I think is questionable
19:35 < E1ephant> okay for hiding sure, but most want amplification too
19:35 < E1ephant> where there always seems to be a bigger fisdh
19:35 < E1ephant> fish even
19:42 < skyroveRR> Heya E1ephant
19:42 < E1ephant> hey-o!
19:43 < hugge> Apachez: nah, it's an open pipe, but it kinda sucks to use for DDOS :P
19:43 < hugge> each node can't really do more than like 500mbit best case of icmp echo reply
20:08 < Apachez> E1ephant: reflector != amplificator
20:08 < Apachez> hugge: enough to put most connections offline
20:27 < subvhome> I have two switches connected together via fiber. When i ping the switch that I am connected to via copper i get <1ms sometimes 4ms... when i ping the switch that is connected via fiber i get <1ms.. but randomly spikes to 10,30,40ms.. the spikes seem random and well spaced out
20:28 < subvhome> what could cause this. I tried replacing the switch I'm connected to via copper.. the fiber patch cable... the sfp module...
i am hoping that it's not the 300 ft of fiber
20:29 < djph> the SFP acting up, or the other switch being busy
20:38 < Apachez> most likely because icmp is handled by the mgmt plane and that is doing something when you ping it at the same time
20:38 < Apachez> so which gear is this?
20:39 < Apachez> also check the stat counters for each involved interface
20:44 < subvhome> it's an HP 1820
20:45 < Apachez> that has like an arm cpu as mgmt plane
20:45 < Apachez> and some asic as dataplane
20:45 < Apachez> so ignore the latency for icmp replies from the switch itself
20:45 < Apachez> what do you get from the device connected to this switch?
20:56 < subvhome> I will test that.. Thanks
20:59 < subvhome> so far it looks like it's behaving.. i will let it run.. pinging attached devices so far is showing <1ms
21:00 < subvhome> thanks...we see the spikes on the switch itself but not on attached devices..
21:01 < subvhome> was going crazy for a few days wondering why, thanks a bunch
21:01 < OnkelTem> Guys, I think I'm stupid, but I'm not sure what exactly I do wrong. Earlier today I was reporting about a connection problem via OpenVPN. Basically the connection was dropped after a few seconds. Now when I'm exploring OpenVPN server logs I see a lot of messages like: client_name/11.22.33.44:56193 MULTI: bad source address from client [192.168.129.100], packet dropped
21:02 < OnkelTem> I'm connecting to the OpenVPN server from my working machine, not a router. So I wonder why I see such messages on the server-side
21:02 < OnkelTem> Because to my understanding there should be no 192.168.x.x addresses as they are local to my machine
21:06 < OnkelTem> https://apaste.info/4nAD - here are both server and client configs
21:07 < OnkelTem> https://apaste.info/yrRw - here are my routes, after connecting to the OpenVPN
21:10 < tds> OnkelTem: that site seems to be broken
21:10 < tds> doesn't load over ipv6
21:10 < OnkelTem> tds: would you recommend some other good (fast) paste?
21:10 < OnkelTem> pastebin
21:10 < tds> see the topic ;)
21:10 < OnkelTem> ooh
21:11 < tds> someone should probably let apaste know that their site is broken though
21:11 < tds> I would, but I can't view the site to find an email address :P
21:11 < OnkelTem> tds: I will try to report this in #httpd, maybe they know
21:13 < OnkelTem> https://paste.debian.net/1024186/
21:18 < tds> OnkelTem: is it possible you have incoming connections from the LAN side with public IPs in other subnets, so the response packets would hit your default route over the tunnel?
21:18 < tds> I think the source address of those would end up being the 192.168... address, assuming the connection was made to that IP
21:21 < OnkelTem> tds: I have a virtual machine working locally, or rather not vm but docker. But I believe docker containers should act as local clients
21:22 < mawk> not really
21:23 < mawk> containers act like hosts on a LAN, with your computer
21:24 < AlexPortable> how do i prevent wireless errors and dropped packets?
21:25 < mawk> OnkelTem, who's 192.168.129.100 exactly ?
21:25 < mawk> your computer LAN ip ? please paste the output of iptables -t nat -L -v --lin
21:25 < mawk> with sudo in front
21:27 < OnkelTem> mawk: let me create a picture of my connections
21:27 < hfuller> n0c: We are running non-Microsoft DHCP, and we delegate our AD domain DNS to the domain controllers. Works well.
21:27 < qman__> AlexPortable: you don't - you just give yourself the best chance by improving signal to noise ratio, removing interference and choosing clearer channels
21:28 < hfuller> the platform we are on is BlueCat DNS+DHCP (which is standard BIND and ISC DHCP underneath)
21:28 < AlexPortable> can't choose clearer channels
21:29 < AlexPortable> how do i improve signal to noise ratio?
21:29 < xamithan> Get dirty stuff out of the line
21:31 < qman__> by picking clearer channels, choosing appropriate antennas and locations, shielding noisy equipment as appropriate, etc.
21:32 < djph> cable :)
21:35 < qman__> Yeah, if you want to not have this problem, run wires instead
21:36 < OnkelTem> mawk: https://i.gyazo.com/60e26aad10eeeee8dce9cb6bbe96395d.png
21:36 < AlexPortable> i don't have any noisy equipment
21:37 < AlexPortable> can't really put wires to smartphones
21:37 < AlexPortable> and how do I put wires on a lawn?
21:37 < mawk> I see OnkelTem , and can you paste the output of the following ? sudo iptables -t nat -L -v -n --lin
21:37 < OnkelTem> yeah, doing it
21:37 < mawk> ah, thanks
21:37 < qman__> Under it
21:38 < AlexPortable> yes but the connection points
21:38 < qman__> think of it like being in a crowded venue where everyone is talking loudly
21:39 < qman__> The only way to talk to someone is to speak really loudly at close range or find a quieter place
21:39 < tds> OnkelTem: is that router configured to DNAT any traffic from the original WAN IP to 192.168.129.100?
21:39 < tds> since that would make sense for having packets going back over the tunnel with that source IP
21:39 < OnkelTem> mawk: http://paste.debian.net/1024191/
21:40 < mawk> tds, my theory is that it's docker who's doing that
21:40 < mawk> with the docker containers
21:40 < tds> ah oops, missed that we were dealing with the networking mess of docker ;)
21:41 < mawk> yeah ok it's a masquerade rule, it shouldn't masquerade to 192.168.129.100
21:41 < mawk> unless openvpn did something unusual with the routing
21:41 < mawk> ip route get 8.8.8.8 shows the tun0 interface as oif right ?
21:42 < mawk> right after "dev"
21:48 < n0c> hfuller thanks
21:49 < AlexPortable> would putting the signal higher help?
21:50 < djph> AlexPortable: no.
21:50 < AlexPortable> oh
21:50 < djph> if you're in RF soup, having one side louder just makes it worse for everyone.
21:50 < djph> Remember that WiFi is *bidirectional*
21:50 < AlexPortable> as long as it works for me it's fine
21:52 < djph> go out to a football pitch with some friends, you get a megaphone, and they don't.
Now stand at both ends of the pitch. Is it "easy" to hold a conversation with them?
21:52 < AlexPortable> well they can hear me better then
21:53 < AlexPortable> right now wifi is not working every one minute or something
21:53 < AlexPortable> it's broken now
21:53 < djph> AlexPortable: they can hear you, sure. But *you* have to /also/ hear *them*.
21:54 < AlexPortable> now it works again for a bit
21:54 < AlexPortable> well if neighbours are interfering at the location of my AP, then it's fine if i give my AP a megaphone
21:54 < djph> what frequency (2.4 or 5 GHz), and what channel? How many other APs are on that channel?
21:54 < djph> AlexPortable: that's not how wifi works.
21:54 < AlexPortable> 2.4 GHz
21:54 < AlexPortable> as for other APs depends on where i go to
21:55 < djph> okay, 2.4 GHz - what channel are you on?
21:55 < AlexPortable> the areas I'm in the most has the least overlap on channel 6
21:55 < AlexPortable> err i mean 5
21:55 < djph> channel 1, 6, or 11 - you can use those three, and only those three.
21:55 < AlexPortable> well neighbours are exactly avoiding 5
21:56 < djph> doesn't matter
21:56 < djph> 5 is interfered with by 6
21:56 < AlexPortable> oh it's set to 'auto 6' now
21:57 < djph> every channel is a 5 MHz step, starting at 2412 MHz on channel 1. channels are 20 MHz wide - so channel 1 is from 2402 to 2422 MHz. Channel 6 (2437 MHz) is from 2427 to 2457 MHz
21:58 < djph> channel 5 (2432) is 2422 - 2442, so everyone who is sharing channel 6 will be stomping all over you, since you just look like noise to them.
21:59 < OnkelTem> mawk: sorry for the delay. Yes, ip route get 8.8.8.8 shows: 8.8.8.8 via 10.8.0.5 dev tun0 src 10.8.0.6
22:05 < AlexPortable> so channel 6 is better
22:06 < djph> AlexPortable: than 5? absolutely.
However, you should compare channels 1, 6, and 11 to find the least busy of the three
22:06 < AlexPortable> depends on where i am
22:06 < AlexPortable> some positions 6 is better, some 11
22:07 < djph> so then either (1) you need more APs transmitting quietly, to take advantage of the different places in the office having different "best case" channels, or just figure out the best looking one for your one AP, and call it a day.
22:07 < djph> s/, or /, or (2)/
22:10 < mawk> alright OnkelTem , from the server side you can't get precisely in the logs where that .100 address comes from ?
22:11 < OnkelTem> mawk: I'll try to enable it, I can increase the verbosity
22:12 < AlexPortable> so what can i do more to improve wifi?
22:13 < AlexPortable> it still breaks every two minutes or so
22:14 < qman__> Buy some 5ghz equipment so you have more channels to work with
22:14 < AlexPortable> not enough coverage for 5
22:15 < qman__> Your statement is invalid, please clarify
22:17 < AlexPortable> don't want to have an AP in every room since that requires a lot of cables
22:18 < djph> AlexPortable: what's the place you're trying to cover? What're the walls made out of?
22:20 < AlexPortable> house and garden, and no idea
22:20 < AlexPortable> just normal walls, i think concrete
22:20 < djph> If they're "normal(tm)" drywall-over-studs, 5 GHz will (usually) cover the room it's in, as well as traverse through one wall.
22:21 < djph> CONCRETE is hardly a "normal" wall ... also, you're fighting physics - wifi doesn't like to penetrate dense things like concrete / masonry / etc.
22:21 < AlexPortable> why is it not a normal wall?
22:21 < AlexPortable> i don't know any buildings that don't have concrete walls
22:22 < AlexPortable> well 2.4 ghz works fine, that's why i don't use 5
22:24 < detha> Apparently it does not work fine, or you wouldn't be complaining about it.
22:24 < djph> because most buildings use wood / drywall as interior partition walls
22:25 < detha> tl;dr: wifi sucks, and different continents have different ideas of how to build houses
22:31 < AlexPortable> well anything else i can use to fix my 2.4ghz?
22:31 < detha> More access points, at lower power.
22:31 < AlexPortable> but coverage is good
22:38 < qman__> Just because you see a loud signal does not mean you have coverage
22:41 < djph> ^
22:41 < AlexPortable> then why more
22:41 < djph> detha: yeah, true ...
22:41 < AlexPortable> how will more APs solve it?
22:42 < djph> AlexPortable: why more APs? So that you're not trying to fight physics (and your concrete walls)
22:42 < AlexPortable> just put them next to each other?
22:42 < qman__> more access points will mean less distance and obstacles to traverse, improving the odds of success
22:42 < djph> no, the APs go in places where you need better signal (i.e. everywhere not the room you already have an AP in)
22:42 < AlexPortable> well the issues are in the same room as the AP
22:43 < djph> o_O
22:43 < MarkusDB1> Looking for a nice nms, that has cli views, think of something that has views easily used with tmux.
22:43 < djph> then go 5 GHz
22:43 < AlexPortable> not all my devices have 5 ghz
22:43 < qman__> then get new devices
22:43 < djph> good thing that 5 GHz APs also have 2.4 usually
22:43 < AlexPortable> then those devices will use 2.4, how will that solve the problem
22:43 < djph> also, it could be as simple as "the AP you have is dying, so you need a new one anyway"
22:44 < AlexPortable> how can an AP die?
22:44 < qman__> Yes, or the tx power could be too high causing its own interference with nearby devices
22:45 < djph> AlexPortable: electronics get old and die, same as anything else.
They don't last forever
22:45 < MarkusDB1> usually it's the PSUs that age most
22:45 < AlexPortable> i've set output to 'low'
22:45 < qman__> given concrete walls, it's probably set pretty high to try and penetrate them
22:46 < qman__> And yes, APs do die
22:46 < djph> MarkusDB1: or the RAM, or the CPU, or the transceiver (although that one's rare), or the firmware
22:46 < djph> s/firmware/nvram/
22:46 < qman__> Not just the power supplies although that's a common failure
22:46 < AlexPortable> so how do i know if it died or not
22:46 < MarkusDB1> djph: I've rarely seen that, way more common is psu, or that there is a small fan cooling the cpu, which gets covered in dust, so the thing constantly overheats.
22:47 < djph> AlexPortable: (1) is it disconnecting frequently, (2) is it more than 3 years old?
22:47 < MarkusDB1> never ever seen ram suddenly go bad
22:47 < AlexPortable> djph: in the evening and night yes, during the day not so much. 2 yes
22:47 < qman__> 3 years is generous
22:47 < djph> MarkusDB1: I've seen it all. RAM usually is "open it up and "oh hey, there are melty marks on the RAM chips ..."
22:47 < qman__> The cheap consumer stuff can go bad much quicker
22:48 < djph> AlexPortable: then it's dying.
22:48 < AlexPortable> why does it only die during the night
22:48 < MarkusDB1> djph: ah, I've got that on a hdd cache once
22:49 < djph> qman__: because that's when you're using it heaviest (and/or it has to fight with all the other stuff nearby because *everyone* is busy blasting WiFi to get thru their concrete walls)
22:49 < MarkusDB1> On stuff dying, it usually dies now in the coming months, since summer
22:49 < djph> errr
22:49 < djph> AlexPortable: ^^
22:49 < AlexPortable> well these problems have been here for some time
22:49 < AlexPortable> they got better after i switched from b/g/n to n only
22:49 < djph> qman__: yeah, I didn't wanna give him the harsh reality of "is it just out of warranty"
22:50 < sammm> is there such a thing as a NBNS storm?
i'm not a networking guy generally as you will soon learn but I am having a switch drop packets, and firing up wireshark shows me about 70mb/s of fucking NBNS broadcasts
22:51 < AlexPortable> sammm: from which IP?
22:51 < djph> sammm: sure, if you've got a winbox misbehaving
22:51 < sammm> AlexPortable: it's from a shitty sql server, I'm trying to remote in but it's proving difficult
22:51 < sammm> djph: we had a power outage and a surge broke some equipment..
22:52 < sammm> djph: wouldn't surprise me
22:52 < djph> sammm: uhoh :)
22:52 < sammm> djph: uh oh indeed
22:52 < qman__> the netbios protocol is essentially a shouting match, so it doesn't surprise me
22:52 < djph> sammm: note that "misbehaving" may also be "malware" (one would hope not, but :) )
22:53 < sammm> djph: :) time for INVESTIGATION!
22:53 < djph> sammm: or to format and upgrade to Linux :)
22:54 < qman__> Hey, at least it's not sending 70mb/s of emails
22:54 < sammm> djph: i've been converting systems to linux, web servers etc., i wish we could use linux 100%
22:55 < sammm> djph: our devs are WINDOWS ONLY and don't know how to develop for anything other than MSSQL, etc
22:55 < qman__> .net core 2.0 runs on linux
22:55 < djph> qman__: hah, quite
22:56 < qman__> I work at a .net shop and that's the general direction we're headed
22:56 < sammm> qman__: linux scares these people, i had to tell one that it was possible for a machine to have more than 1 nic
22:57 < sammm> qman__: not that multiple nics have anything to do with linux, but you get an idea of how these people (don't) think
22:57 < djph> and they're DEVS?!
22:58 < sammm> djph: :^)
22:58 < djph> This is how we get shit like Docker and systemd!!
22:58 < sammm> djph: oh god how i wish we could containerise their crap
22:59 < djph> ... only container it should be in is the wheelie-bin
22:59 < djph> hangon, I just had an idea
22:59 < djph> ima make a new app called wheeliebin for all these millennial crap "devs" ...
23:00 < sammm> hahaha do it
23:01 < sammm> and make it write everything to /dev/null
23:01 < djph> no no.
23:01 < djph> it saves everything in its folder
23:02 < djph> then deletes it all at 9 AM on Wednesdays (or whatever day you configure as "trash day")
23:02 < E1ephant> Apachez: yeah that is the entire point, miscreants want amp+hiding, not just hiding.
23:05 < sammm> djph: beautiful
23:13 < djph> sammm: unless it randomly decides monday was a holiday, then it's one day later
23:14 < sammm> djph: HAHAHAHA i disabled netbios over tcp/ip
23:14 < sammm> no packet loss
23:14 < sammm> i just took over an overnight shift
23:14 < sammm> and the poor bastards were going to RMA the switches
23:14 < sammm> :^)
23:15 < djph> hooray, now you have more responsibility, and the same crap pay
23:16 < sammm> wtf, these servers are set up so badly
23:16 < sammm> 2 NICS, 2 gateways each
23:16 < sammm> of course they are broadcasting like mad
23:16 < sammm> the two nics go into the same switch
23:16 < sammm> different vlans
23:16 < sammm> but... wtf is going on
23:17 < sammm> okay, now another server is shouting NBNS
23:17 < AlexPortable> cleaning up someone else's mess is always fun
23:17 < voices> Hey, say I have a service listening on port 8080 of a raspberry-pi (Device Z). And it's behind a typical NAT enabled residential router (Device Y). The other device, say a laptop in a different city (Device X), should connect to the router's external IP on port 8080 (Device Y), which should be configured to forward packets to port 8080 on the listening device (Device Z). Is that correct?
23:18 < djph> yes
23:19 < djph> or you could use 8081, 9000, whatever on the router
23:19 < djph> sammm: time to get a network guy involved
23:21 < djph> sammm: s/network guy/network guy who knows what he's doing/
23:22 < Apachez> 25min to go for livefeed https://www.youtube.com/watch?v=yYJWeK-kVB0
23:22 < voices> djph: yep. In which case, X should connect to 8081, or 9000 on Y, to reach 8080 on Z?
I just used the same number for simplicity.
23:22 < djph> yup
23:22 < sammm> djph: i had a network guy here from 8pm to 5am
23:22 < sammm> idk what they were doing,
23:23 < sammm> now another server is broadcasting and clogging up the link
23:23 < sammm> hopefully i can just go and stop all these broadcasts
23:23 < djph> unplug le server
23:28 < voices> djph: so when the port forwarding is configured on the router (probably via its http server), an nmap scan from the pi should show that port 8080, 8081, 9000 (or whatever we've chosen) is open on the router, right?
23:34 < ||cw> voices: only if something is listening on them
23:35 < ||cw> voices: but if the PI is on the lan side, not all routers do port forwards for the lan side, only the wan
23:36 < voices> ||cw: well, it has to be open and listening in order to forward the port, no?
23:36 < ||cw> no
23:36 < voices> Otherwise the connection request will hit a closed port on the router and go nowhere
23:36 < ||cw> well, sort of. if the final isn't listening it drops it
23:37 < voices> Z is listening
23:37 < ||cw> at some level your kernel is listening on all ports. forwarding works like that.
23:38 < voices> so if the port is closed on the router, that's not indicative of a problem?
23:38 < ||cw> if what it's forwarding to is not listening, the forward behaves as though it's a closed port
23:39 < voices> Z is listening. A scan shows the destination port is open.
23:39 < voices> A scan to the router Y shows the forwarded port is closed
23:41 < djph> check the firewall on the router (assuming you set DNAT rather than a "port forward" that takes care of the firewall for you). Also check to make sure you didn't specify anything like "only from " if you used a firewall rule. Finally, check that Z is listening to the right (or all) IP address(es).
23:43 < Apachez> T minus 5min...
23:44 < voices> djph: Z hasn't specified a specific IP for this exercise.
23:47 < ||cw> voices: a scan from where?
23:47 < Apachez> abort at T minus 58 secs...
23:48 < ||cw> ?
23:48 < ||cw> oh, spacex
23:49 < voices> ||cw: well, from everywhere. Including Y and Z
23:49 < voices> X and Z
23:49 < voices> i meant to say
23:50 < djph> Apachez: YOU BROKE IT
23:50 < voices> The router is Y
23:50 < djph> voices: err, if Y can't talk to Z, there's a problem
23:53 < voices> Y is the router. It provides Z with an internet connection. So they have to be communicating.
23:53 < djph> but from Y to Z, you can hit port 8000. What about from another host on the same network as Z?
23:53 < ||cw> voices: no, lan or wan? many routers will only forward if the request is from the WAN
23:54 < djph> voices: also, you're not dealing with any CGNAT shenanigans, are you?
23:58 < voices> Here are the scans. Here is the router config: http://i.imgur.com/FCLAXRU.jpg https://www.irccloud.com/pastebin/lgqoaMtp
23:59 < djph> did you click the "apply" button on the router?
--- Log closed Fri May 11 00:00:05 2018
