--- Log opened Thu May 17 00:00:22 2018
00:00 < mnemon> catphish: naw, that's just the different waveforms for different symbols
00:01 <+catphish> sure, but it's not a sine wave right, so there must be other frequencies mixed in there somehow?
00:01 < mnemon> hmm, sorry, there's two different
00:02 < mnemon> which modulation is that?
00:05 < mnemon> nvm, one frequency just shifted ... long time since I looked into the basic keying stuff
00:15 < HEROnymous> another day, a little more ibgp, a little less ospf/static routes
00:35 < zeldafan78> How the fuck can they know if the people I'm e-mailing really have (previously) signed up to receive my newsletter if I just somehow grab a ton of random e-mail addresses?
00:35 < zeldafan78> (They do detect this and don't make them actually go out)
00:36 < Apachez> who are "they"?
00:39 < S_SubZero> it's me. I'm 'they'
00:49 <+catphish> who?
00:51 <+catphish> afaik every email sending tool just trusts you to provide legitimate lists
00:51 <+catphish> though they will monitor spam complaints and quickly ban you
00:52 <+catphish> plus you have to pay, it's not cost effective to send unsolicited spam with a professional paid email service
01:17 < sleepy6> poll: should i watch the sunset this friday at the beach?
01:37 < sla3k> Hi guys, I am going for a new 10G switch, from a point of view of an SMB, what would you suggest, D-link or Netgear?
01:38 < sla3k> It will be hammered with traffic (basically it will connect 8 10G ethernet links on 8 servers to a centralized NAS box over 10GBe link)
01:38 < HEROnymous> sla3k, neither. those are both garbage brands.
01:38 < sla3k> Bummer! What would you suggest then, apart from Cisco, that's way above what our pockets allow
01:39 < HEROnymous> will 48x SFP+ (10gig) ports and 4x QSFP (40gig) ports do? if so, check out Nexus 3064's on ebay.
01:39 < HEROnymous> how many ports do you need?
01:39 < HEROnymous> ubiquiti makes a 16x SFP+ switch.
01:39 < sla3k> minimum 16 for now, right now we have 8 servers, but I want to keep some room for growth.
01:39 < HEROnymous> but you can get older cisco gear for cheap on ebay a lot of the time
01:40 < sla3k> RJ45 would be more preferable, otherwise I would need to buy either SFP+ enabled network cards, or the convertors.
01:40 < HEROnymous> that's gonna get more expensive, but you can find nexus 3064TQ or 3172TQ switches on ebay.
01:48 < sla3k> Damn, they are expensive, cisco nexus ones. I don't think we can afford that at this moment. So no other brand would do any good apart from Cisco?
01:48 < HEROnymous> what's your budget look like?
01:49 < HEROnymous> part of it is just the copper thing - SFP+ is a fair bit less expensive and like I mentioned, ubiquiti has a 16port offering...
01:49 < sla3k> Budget wise I'd say below $2k or max $2.5k
01:49 < sla3k> I'll look at Ubuqiuty..
01:49 < sla3k> Ubiquity
01:50 < HEROnymous> you can't find a 3064TQ for under $2k on ebay? used to be they were around $1700
01:52 < sla3k> Maybe a used one, but that too minimum I could find on ebay was $2600
02:11 < VincentHoshino> hmmm downstream -4.9 dBmv avg and fluctuates upstream 57.3 dBmv and stuck .. packet loss comes and goes
02:12 < VincentHoshino> Comcastic!
02:21 < spaces> anyone having a bitchy network at the moment ?
02:22 < xamithan> Nah my network is male
02:22 < spaces> xamithan following the transgender hype it might be the biggest bitch around then ;)
02:26 < spaces> xamithan ask if it wants children
02:26 < xamithan> It is getting too fat, need to remove the children and find homes for them
02:28 < spaces> xamithan what about the alimony ?
02:28 < spaces> you will lose it
02:29 < xamithan> child trafficking has no alimony. They just give me a few bucks and take them away
02:29 < xamithan> Then I shift the work to one of the other siblings that has too light a load =)
02:30 < spaces> xamithan you reinvented slavery ?
02:30 < xamithan> Machines have no soul
02:33 < spaces> xamithan heh so you are a machine ?
02:58 < arooni> anyway to find given an ip address; any urls that are hosted on it?
03:00 < xamithan> You mean like this?: https://reverseip.domaintools.com/
03:01 < xamithan> Only shows you three results but I'm sure there are better lookup tools
04:14 < patientplatypus> i have a server i can ssh into but i cant make any curl requests out of
04:14 < patientplatypus> does anyone know whats going on?
04:23 < linux_probe> jailed/sandboxed?
04:23 < xamithan> Check the firewalls
04:24 < linux_probe> failwalls =p
04:24 < xamithan> It'll be a firewall after proper configuration though O.o
04:25 < linux_probe> maybe i is proper, keeping them from curling junk in
04:25 < xamithan> Might be if he isn't the admin
04:27 * linux_probe random guesses further, no dns address, no route lol
04:29 < patientplatypus> hi
04:29 < patientplatypus> i have a server that just decided not to respect any curl commands curl: (6) Could not resolve host: google.com
04:30 < xamithan> DNS issue
04:30 < light> check your resolv.conf
04:30 < patientplatypus> does anyone know how i could go about debugging this? this is a new one on me
04:30 < light> run an nslookup
04:30 < linux_probe> lol
04:30 < light> could not resolve host is pretty clear
04:31 < patientplatypus> you mean like this https://hastebin.com/ahoxahedoh.rb
04:31 < light> well that's a problem isn't it
04:31 < light> you'll need at least one nameserver
04:31 < patientplatypus> it is? treat me like an idiot - what should i do?
04:32 < light> turn your computer off and on again
04:32 < patientplatypus> lets say that's not possible
04:33 < light> then I question how you've been updating your system
04:33 < linux_probe> updates, bah, who needs'em
04:33 < xamithan> First you should google "could not resolve host $yourOSandversionhere" then follow some steps
04:34 < patientplatypus> look - my environment admin is at home for the night and i cant get a hold of them and they have the log in for the server restart - but i need to get this project done. so i cant restart. is there another way to fix this?
04:34 < xamithan> There is an easy temporary fix
04:34 < patientplatypus> sure whats that
04:34 < light> if you don't have permission to restart, what makes you think you can modify system files to add a nameserver?
04:34 < xamithan> sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
04:35 < xamithan> If you don't have sudo or root access though...
04:36 < patientplatypus> @light - man come on. i have root, i dont have gui cloud access. start from the assumption that i know *maybe a little* about the environment. i dont want to argue about what is and isnt possible to do. i just can't restart the box ok?
04:36 < light> if you have root you can reboot the box
04:37 < patientplatypus> *possible* or i could nuke the environment entirely.
04:37 < patientplatypus> but this temp solution worked.
04:38 < patientplatypus> but weird ... i have no idea why that file was deleted.
04:38 < patientplatypus> hmmmm
04:38 < patientplatypus> docker apparently fucks it sometimes
04:39 < xamithan> I'm not even sure how the normal services like that work in docker, dnsmasq or systemd-resolve services takes care of that file
04:50 < BeastyBSD> hi people i need help with a allied telesis at9924t l3 switch
04:53 < BeastyBSD> my problem it's that i need to make that five vlans with different subnets /28 on network 192.168.10.0/24 use one ip addr inside switch as gateway
04:54 < BeastyBSD> i mean every subnets will use the switch ip as gw, that's could be possible to do?
09:35 < regdude> Does anyone know if by standard (R/M/PV)STP should work in QinQ (802.1ad) setups? Can't find anything why it shouldn't work
09:39 < Gollee> it should work
09:44 < regdude> Gollee: have you used a similar setups anywhere?
10:08 < Apachez> how many of you are utilizing per-packet loadbalancing over ECMP/LAG links?
10:11 < regdude> LACP
10:12 < Phil-Work> Apachez, yes
10:18 < Gollee> Apachez: I haven't heard anything good about it, usually per flow or based on ip/mac hash is more consistent
10:29 < Apachez> Gollee: Im not after rumours but rather reallife experience :)
10:29 < Apachez> like a regular file transfer you have buffers on receiving end so packets arriving out of order shouldnt be too much of a problem
10:29 < Apachez> unless they arrive with like seconds out of order
10:30 < Apachez> looking at some ix stats many seem to already utilizing per-packet loadbalancing
10:37 < mAniAk-_-> doubt it
10:37 < Gollee> running voip and per-packet loadbalancing is asking for trouble, I don't know what network you run though. I just don't see any good coming from possibly causing out-of-order packet delivery, what do you gain from per-packet loadbalancing really?
10:37 < mAniAk-_-> you think you can tell that from an ix graph?
10:38 < regdude> TCP
10:39 < mAniAk-_-> not like its hard to test this either if you want to
11:07 < Tazmain> wow, I really hate cisco umbrella, it blocks 1.1.1.1 dns queries and proxies. Unless that is just how it was setup here
11:07 < Gollee> 1.1.1.1 proxies? what's that?
11:07 < Tazmain> 1.1.1.1 dns
11:07 < Gollee> you said 1111 dns and proxies
11:08 < Gollee> 1.1.1.1 only does dns, not proxies afaik
11:08 < Tazmain> yes dns , and proxy
11:08 < Tazmain> so query to 1.1.1.1 and any access to a proxy
11:11 < Tazmain> what kind of internal dns had 40 open ports
11:11 < Tazmain> with 88 as kerberos-sec
11:19 < Apachez> Gollee: the gain from per-packet is to better utilize available links
11:19 < Apachez> imagine you got 8x1G and per-packet enabled
11:19 < Apachez> this way a single flow/session can push 8G
11:19 < Apachez> with per-flow a single flow can only do 1G
11:20 < Apachez> and if you are unlucky two flows are hashed into the same physical link so now you are down to 0.5G
11:20 < Apachez> while the other physical links remains unused
11:20 < Apachez> it seems like vyos/vyatta/edgeos defaults to per-packet for ecmp
11:20 < Apachez> same goes for some other vendors
11:21 < Apachez> so other than VoIP who wants packets within 10-30ms (depending on codec) are there any other reallife scenarios where this really matters?
11:21 < Apachez> I mean a modern box today have plenty of receive window buffer
11:21 < Apachez> so if the packets arrived 1, 2, 3 or 1, 3, 2 shouldnt really matter since packet no2 is in the RX buffer in both cases
11:25 < Gollee> "If too many packets are received out of order, TCP will cause a retransmission of packets similar to what happens with dropped packets."
11:25 < Gollee> how is that ever a good thing?
11:28 < jurislav> anyone experienced issues with consumer skype accounts, when more than 2 people join a call, the audio quality decreases rapidly? i mean, can that be a network issue at any of the 3 places?
11:28 < jurislav> esp. if the side that was heard OK, was suddenly heard very bad, once 3rd participant joined..
11:32 < veegee> Hey guys, what's the special name (if any) for ethernet cable whose outer insulation is more tightly wrapped around the twisted pairs?
11:33 < Gollee> shielded maybe?
11:33 <+xand> more tightly than what
11:33 < Phil-Work> veegee, you mean the thin stuff?
11:33 < veegee> such that you can see the bumps of the twisted pairs over the insulation
11:33 < veegee> I'm not sure that it's thin, I just like that kind of cable
11:33 < veegee> the opposite would be having too much space between the insulation and the wires inside and therefore too much play
11:34 < veegee> it's not wrapped tightly enough around the twisted pairs so it looks like smooth insulation
11:36 < veegee> Let me give you an example. Here's a pic of the smooth one whose insulation is loose: http://www.pccableworld.com/images/cat6_1.png
11:38 < veegee> And here's an example of a cable whose insulation is tight: http://www.webro.com/wp-content/uploads/2014/02/Webro-U.UTP-Cat6-Cable-1024x275.png
11:39 < veegee> You can see the bumps from the twisted pairs inside on the cable insulation itself
11:43 < Apachez> Gollee: define "too many"?
11:43 < Apachez> is it when packet no2 arrives 2 hours later?
11:43 < Apachez> then yeah I get the point
11:44 < Gollee> Apachez: http://www.jacn.net/vol3/170-E012.pdf I found that
11:44 < Apachez> but if packet no2 arrived 0.001ms after packet no3, how is that an issue since packet no2 will be in the RX buffer once the stack wants to process it?
11:45 < Gollee> unfortunately, I don't know. I tried reading the PDF I sent you but I kept losing interest
11:45 < Apachez> veegee: the standard defines how many twins per inch you are supposed to have
11:45 < Apachez> I have never seen any tp cable with less twinning (or more) than what the standard defines
11:45 < Apachez> what you do have is various shielding
11:45 < Apachez> where either the full cable can be shielded or a single pair
11:45 < Apachez> or both
11:45 < Apachez> and the method to shield either foil or a meshed net
11:46 < Apachez> S = meshed net, F = foil
11:46 < Apachez> so S/FTP means (if I recall it correctly) each pair is shielded with a meshed net and then the whole cable is shielded with foil
11:46 < Apachez> there is also S/STP, F/FTP and F/STP
11:51 < veegee> I'm talking about purely UTP
11:52 < veegee> one of my cat 6 cables seems to hug the twisted pairs inside harder
11:52 < veegee> I like that because it feels a bit more stiff
11:53 < Apachez> ?
11:53 < Apachez> perhaps that vendor used the same machine as for the cat7 cable?
11:53 < Apachez> but then later only verified it for cat6 and stamped a cat6 mark on the cable?
11:53 < Apachez> usually the higher cat's have more twists and more distance between the pairs etc
12:17 < zamanf> hello
12:17 < zamanf> I would like to find a firewall for windows that can be equivalent to iptables
12:18 < zamanf> iptables -A INPUT -p udp -s 1.2.3.4 -m length --length 100:1000 -j DROP for example set rules in this art
12:18 <+xand> good luck with that.
12:28 < Reventlov> Does linux subsystem for windows can run iptables? :D
12:41 < easy_ref123> is there a command I can run to see which interface packets for IP N.N.N.N are sent through?
12:43 < Kryczek> easy_ref123: route
12:54 < MarkusDBX> I've used authssh and reverse tunnels to for have various servers out on the open internet contact a central hub of mine, and I then use that hub to connect to the various ssh, since then no server needs to expose their ssh ports. Is this a good approach?
12:55 < MarkusDBX> I contact the servers having auto-ssh'ed and forwarded their ports, by using just local host on the "hub"
12:55 < light> And when that single point of failure goes down?
12:56 < Kryczek> MarkusDBX: the hub has the SSH port open?
12:59 < MarkusDBX> Kryczek: yes, but not the standard port, and also each of the "nodes out in the open" contacting it, has their IP whitelisted.
13:00 < MarkusDBX> light: currently it's single point of failure, but I can just shell into the various nodes through their various vps providers also. But two hubs, wouldn't hurt, yes.
13:01 < Kryczek> MarkusDBX: it is not a bad approach but may I suggest one that I believe is even better: OpenVPN (to the central hub and/or not) since it does not have to run as root like OpenSSH but you can reduce its privileges to the minimum with the user/group/chroot/setcon options, and to solve the single point of failure I add a Tor hidden service protected by the HidServAuth option
13:02 < MarkusDBX> Kryczek: thanks for the feedback
13:02 < Kryczek> and for machines that require me getting on a plane to go fix in case SSH dies or something, I add telnet-ssl :P
13:03 < Kryczek> ...with both client & server certificate authentication
13:03 < MarkusDBX> Kryczek: I got all these on various vps providers, so I can always shell that way
13:04 < Kryczek> nice
13:05 < MarkusDBX> Kryczek: I mainly use ssh, since it's often not as filtered as openVPN, think traffic filters from 4g rate limit and such.
13:05 < MarkusDBX> mobile providers limiting vpn
13:05 < Kryczek> really?
13:05 < MarkusDBX> it happens
13:05 < Kryczek> I believe you, just hadn't heard of it
13:05 < Kryczek> VPNs on phones are common for business use
13:05 < MarkusDBX> vpn is promoted and common
13:05 < MarkusDBX> also advertized to gamers and what not
13:06 < MarkusDBX> ssh is more rare
13:06 < MarkusDBX> so rarely filtered or limited
13:06 < Kryczek> is it that they block port 1194 for example, or they actually have heuristics detecting OpenVPN traffic?
13:06 < MarkusDBX> depends on provider
13:07 < MarkusDBX> thats my reason anyways =)
13:07 < Kryczek> I have my OpenVPN accessible on all UDP and all TCP ports, then I connect with whatever works / whatever I feel like using (e.g. UDP port 4500 to make people think it's IPsec :P )
13:07 < Kryczek> but having it at least on TCP 443 should be enough
13:10 < MarkusDBX> Kryczek: good advice
13:10 < MarkusDBX> I might consider open vpn.
13:11 < MarkusDBX> the tor advice was also solid
13:11 < MarkusDBX> thanks
13:12 < Kryczek> :)
13:13 < Kryczek> MarkusDBX: is there a vps provider you would particularly recommend? I don't really need one, but I've been curious about using one if it's really cheep
13:13 < Kryczek> cheap*
14:20 < regdude> Anyone knows a popular protocol that uses 01:80:C2, I know LLDP, 802.1x, STP, but there must be other widely used ones
15:05 < peter111111> hello folks
15:05 < peter111111> anybody familiar with skolelinux (debian)
15:05 < peter111111> ?
15:06 < shtrb> DebianEdu and #debian might have some users
15:34 < foo_> When I'm capturing packets in Wireshark, how do I find all ICMP requests with certain source and destination IPs? When I enter just "icmp" I get all of them. How to specify src? Typing "icmp src host ..." etc. doesn't work.
15:35 < kottt> i think you want icmp && src host
15:35 < kottt> you're combining two filters
15:37 < Sout> icmp && ip.src_host == 192.168.1.1 and nice connec foo____
15:39 < foo_____> Sout: Thanks, and thanks, lol.
15:40 < Sout> to be fair kottt answered it first but you dced :D
15:41 < kottt> =(
16:26 < hiya> There is email server running on a Windows PC with static IP, when I setup VPN client on it. My friend wishes to exclude email server from VPN
16:26 < hiya> How is that possible?
16:28 < tds> hiya: you likely want to do policy routing; have two routing tables with one having a default gateway over the vpn and one over the local gateway, add marks to smtp connections (could just do it based on port), and have traffic with the mark use the second routing table
16:28 < hiya> tds, all this on windows is possible?
16:28 < Phil-Work> hiya, what type of VPN?
16:28 < tds> ah oops, sorry, I was assuming linux
16:29 <+xand> > email server
16:29 <+xand> > windows PC
16:29 <+xand> oh boy
16:29 < tds> ah, I'm an idiot, completely missed in the first message that it's "running on a windows pc"
16:29 < tds> but yeah, email server = linux in my mind ;)
16:29 <+xand> that's a sane mind tho
16:32 < Smallville> hello folks
16:40 < paradis> Is there any free secure VPN for me?
16:40 < paradis> is hola safe?
16:41 < Thebe> Hola allows others to use your system as a gateway. Definitely not ideal.
16:41 < Thebe> Secure and free are a difficult combination, imho
16:41 < paradis> imho?
16:41 < Thebe> In my humble opinion
16:41 < paradis> lol
16:44 < Smallville> paradis: watch this video about free VPNs it's really informative https://www.youtube.com/watch?v=vDbPjgXstHg
16:45 < regdude> nothing is free, just the payment is in different form
16:46 < Smallville> regdude: yes, usually it's in the form of personal info
16:46 < Smallville> like facebook
16:46 < paradis> what about opera vpn browser?
16:46 < Smallville> paradis: please stay away from VPNs, they're more trouble than they're worth
16:47 < paradis> okey
16:47 < Smallville> from "free" vpns
16:47 < regdude> if you do need to protect your traffic or access blocked content, then use a paid VPN, they are so cheap these days or hack a server and use it as a VPN
16:47 < regdude> though you will be in for a surprise
16:48 < Smallville> Use PIA
16:48 < Smallville> wait for a deal, when the prices drop
16:48 < Smallville> it happens every few months
16:48 < Smallville> they also don't keep logs and have decent speed
16:51 < Smallville> can you guys help me figure out an alternative for the IP phone service I have? I work for a company that pays a local voip phone service monthly, but we're having issues with the phones disconnecting
16:58 < Smallville> What’s the best voip service to have?
16:59 < hiya> Phil-Work, OpenVPN but built-in L2TP or IKEv2 is also an option
16:59 < hiya> Sorry for late
16:59 < hiya> tds, no problem
17:00 < regdude> your own VoIP...idk, I set up one here for LAN use
17:01 < qman__> I've had good luck with vitelity in the past, but if you're getting poor service it's most likely your local internet loop
17:01 < qman__> Which won't be fixed by changing voip providers
17:56 < jarlopez> Is there a tool for measuring baseline TCP throughput on loopback with fixed buffer sizes?
17:57 < jarlopez> (currently on Debian)
17:59 < Poster|n> iperf?
18:02 < jarlopez> Poster|n: Aha, that is perfect. Thanks :)
18:12 < Poster|n> =D
18:24 < Smallville> qman__: hmm
18:26 < Smallville> regedit: i'm not too familiar with voip, how do you assign a phone number to the voip network? You still have to pay a service provider for a phone number, right?
18:27 < Phil-Work> Smallville, depends which country you're in
18:28 < Smallville> USA
18:29 < Smallville> pretty sure you have to pay for a phone number anyway
18:29 < Phil-Work> so yes, you take a "SIP trunk" or similar from a telco and they provide numbers on that
18:29 < Smallville> might as well let that service provider manage the voip
18:29 < Smallville> pbx
18:29 < Phil-Work> usually best
18:29 < Phil-Work> (says the guy who works for a VoIP telco)
18:30 < Smallville> you do?
18:30 < Phil-Work> I do
18:30 < Smallville> cool. you like it?
18:30 < Phil-Work> it's alright, as IT goes
18:30 < Phil-Work> pretty diverse in terms of technologies - better than, for example, the web hosting stuff I was doing prior to this
18:31 < Smallville> I prefer to work with domains and computer networks. it's more fun for me
18:31 < Phil-Work> we have networks ;)
18:31 < regedit> Smallville: you probably meant another re here in the channel?
18:32 < Smallville> ?
18:32 < regedit> "12:26 PM regedit: i'm not too familiar with voip...."
18:32 < hiya> Phil-Work, any suggestions?
18:32 < Phil-Work> I believe it was for regdude
18:33 < Phil-Work> hiya, oh - sorry. Got distracted
18:33 < regedit> 👌
18:33 < Smallville> probably was
18:33 < Phil-Work> if the OpenVPN server pushes routes to the clients, it can also push route exclusions
18:33 < Phil-Work> e.g. route 1.2.3.0/24 except 1.2.3.4/32
18:33 < Phil-Work> (that's not the right syntax)
18:35 < Sarah8086> Hello
18:37 < Sarah8086> I have two questions: 1) Is the WPA 4-way handshake same as WPA2 4-way handshake? 2) In the 3rd step of the 4-way handshake, how is the GTK protected against being sniffed by an attacker?
18:38 < cthulchu> guys, what VNC do you use to connect from Windows to Mac?
18:38 < mAniAk-_-> Phil-Work: a route exclusion?
18:39 < Phil-Work> uhu
18:40 < mAniAk-_-> that would just be another route
18:40 < hiya> Phil-Work, Yes, I will try it
18:40 < Phil-Work> mAniAk-_-, that's what the client does with it, yes
18:42 < mAniAk-_-> weird terminology, but whatever
18:42 < Phil-Work> yes, that was my terminology rather than OpenVPNs
18:42 < Phil-Work> push "route 1.2.3.0 255.255.255.0"
18:42 < Phil-Work> push "route 1.2.3.4 255.255.255.255 net_gateway"
18:42 < Phil-Work> that's the syntax
18:43 < mAniAk-_-> it's just a more specific route
18:43 < Phil-Work> indeed
19:07 < LiquidatorBrunt> sup networks
19:07 < test1337> soup
19:07 < chrustler> sup bru
19:09 < LiquidatorBrunt> how does Lets Encrypt verify you own a domain?
19:09 < DoctorDick> DNS
19:09 < DoctorDick> You can use a txt record too
19:09 < LiquidatorBrunt> so the DNS record needs to be configured before you try and get a cert?
19:09 < tds> ^ they can do dns-01 where they confirm a txt record is in place, or http-01 where they make a http request to a specific url and confirm the get the right reply
19:10 < electricmilk> Whats the best free network monitoring software that has SNMP v3 capability? I'm using Spiceworks and quite disappointed.
19:10 < LiquidatorBrunt> and they are trusting that, if the A record matches the IP address from where you are running the client, it's you?
19:13 < tds> LiquidatorBrunt: no, they make a http connection to that IP and verify that you return the right file (for http-01)
19:14 < Phil-Work> electricmilk, Zabbix is alright
19:14 < electricmilk> Phil-Work, I don't need anything fancy. Only need to monitor like 12 devices
19:14 < electricmilk> if that
19:15 < Phil-Work> Zabbix isn't particularly fancy
19:16 < electricmilk> awesome thanks
19:18 < electricmilk> Phil-Work, Is it a terrible idea to run Zabbix from a fairly decent workstation that is always left on?
19:19 < electricmilk> Our server is old as hell but about to upgrade. Was thinking I just run it on my workstation for the time being
19:19 < d3r3k> Does macOS have a built in IPv4 tunnel thing or something? I'm on a IPv6 only network, and for some reason macOS claims that it's possible to connect to my IPv4 VPNs... (it doesn't work though.)
19:25 < electricmilk> Ah crap it looks like Zabbix is Linux only
19:26 < DoctorDick> Put it in a VM
19:26 < d3r3k> Anyone have suggestions for a tool to NAT a IPv6 subnet to a IPv4 subnet?
19:27 < d3r3k> Guess it's NAT46 I'm trying to do?
19:27 < Dagger> most v6 subnets are far too big to NAT into a v4 subnet of any size
19:29 < d3r3k> Dagger: I could map a /96 into a /0, no?
19:30 < electricmilk> DoctorDick, Wont that eat up a lot more processing, disk space, and memory than just using a Windows based Network Monitoring Tool?
19:30 < Dagger> I guess, but what are you trying to do?
19:30 < Dagger> connecting to v4 hosts from a v6-only network would be done by mapping the v4 space into a /96, not the other way around
19:31 < d3r3k> Dagger: i'm at a CTF event where they only provide a IPv6 network; a lot of pentesting tools only support IPv4.
19:32 < d3r3k> I was going to use socat for each individual host to provide IPv4 to each IPv6 host, but that's a lot of manual work.
19:32 < DoctorDick> electricmilk, No?
19:32 < d3r3k> Dagger: Is there such a thing as like NAT46?
19:32 < Dagger> oh... well. time to start hacking on the tools then, or getting better ones :)
19:33 < Dagger> tayga can do NAT46 for individually-configured IPs
19:33 < Apachez> or look how the other scriptkiddies does it at this CTF event =)
19:33 < d3r3k> Apachez: socat :)
19:33 < d3r3k> Dagger: orly? :D Thanks, lemme look into tayga again. Is nat-pt similar?
19:36 < DoctorDick> electricmilk, my debian container only uses 45 mb
19:36 < d3r3k> my DOS uses less.
19:36 < electricmilk> ah ok
19:36 < Dagger> I guess it must be similar. but that's a Cisco thing, isn't it? so meh
19:37 < sla3k> I have a weird situation here, there are 4 machines on the same network, and h1, h2, h3, h4; h4 has a static IP set, h1 and h3 can ping it and access h4 but h2 cannot, they are on the same network though, makes no sense
19:37 < Dagger> (also RFC 4966)
19:37 < SporkWitch> TFW your ISP's website 404's on "/"
19:37 < d3r3k> Dagger: where do you see TAYGA supporting NAT46?
19:39 < Dagger> "map" directive, IIRC
19:39 < d3r3k> Dagger: would I have to restart the service every time I need to add a new host?
19:39 < djph> sla3k: firewall in the way?
19:40 < d3r3k> Dagger: hmm, is it DNS46 that I'm probably looking for?
19:40 < Dagger> it probably needs a restart. like I said, individually-configured IPs
19:45 < d3r3k> Dagger: hmmmmm.... I'm debating if I should try to write my own DNS46 server tonight/tomorrow morning.
19:46 < Dagger> https://packages.debian.org/jessie/net/tnat64 <-- there is also this thing
19:47 < d3r3k> Dagger: how is that NAT64? Isn't that NAT46?
19:49 < Dagger> it's bump-in-the-API, to allow accessing v4 hosts via a NAT64 with AF_INET sockets
19:49 < Dagger> maybe not the best name they could've picked, but still
19:50 < d3r3k> Dagger: it's providing IPv4 access to IPv6 servers, isn't that "46"?
19:51 < Dagger> there are no v4 packets being generated though, so not really NAT46
19:52 < d3r3k> oooh. So it's not really NAT64 either, since there's no "4" involved :p
19:52 < d3r3k> okay, so I think it's going to be the most fun to implement a DNS46 and NAT46 server quickly :p
19:52 < Dagger> but there is a NAT64 service involved somewhere in the background :p
19:53 < Dagger> just not implemented by that particular bit of software
19:55 < d3r3k> so I need two little services: one that's a DNS server for A->AAAA, and then that needs to inform another service about the 4->6 mapping.
19:58 < d3r3k> Dagger: heh, just found out about 464XLAT..
19:59 < zeldafan78> Lately, both YouTube and Twitch have been buffering and buffering constantly. My own connection is 100/100 fiber, but I use a VPN. Could this be related to "net neutrality" somehow and how my video streams don't get prioritized because they go through the "dirty" VPN?
20:00 < Dagger> ...right, that's also a thing. apparently it's also a thing that I have a hard time remembering exists :/
20:00 < zeldafan78> Fucking unwatchable. :/
20:00 < zeldafan78> It seemed to start just after I paid for a full year in advance.
20:00 < d3r3k> Dagger: I'd only want half of it though, not sure how trivial it would be to the 4XLAT part...
20:01 < d3r3k> *to remove the 4XLAT part
20:06 < sla3k> djph: not really, I've checked that already.
20:07 < dionysus69> hey all
20:07 < dionysus69> can't nmap -p somePort hostIP a guest VM from my host
20:08 < dionysus69> I am using a bridged adapter for connection, I can ping the guest, but cannot access the port
20:08 < dionysus69> guestIP I meant
20:13 < d3r3k> Dagger: oh nice, there's a golang project for OVS! https://github.com/digitalocean/go-openvswitch/tree/master/ovs <- I'm thinking I can make a DNS46 server that simply adds a new route for each DNS request.
20:14 < shtrb> is it normal to employ "connection has timeout" on forbidden sites ? (couldn't understand why I can see anything with fb/twitter .. on a corporate net only later to be told there is a new anti social rule that interrupt traffic )
20:15 < Sout> my work firewall, inserts a warning page saying this page is blocked for reason xyz
20:16 < shtrb> That it was like before, but that slow approach is just amazing
20:17 < Sout> hmm we must have the same firewall. As know im just getting time outs shtrb
20:17 < shtrb> lol
20:17 < shtrb> fortigate ?
20:17 < Sout> I think so.
20:17 < shtrb> it did start this morning
20:17 < shtrb> :D
20:18 < Sout> know i have to ask do you happen to work in ottawa canada?
20:18 < shtrb> no
20:18 < Sout> ah k. I would have laughed really funny if we were on the same network :D but yeah i know the vpn i connect to is a fortigate.
20:20 < WishBoy> what channel can i ask about ransomware?
20:20 < shtrb> victim or developer ?
20:20 < WishBoy> victim
20:21 < WishBoy> my customer
20:21 < shtrb> assume all lost, restore from backups, assume any "smart appliance" had been hacked
20:21 < WishBoy> shabius some ransomware can be decrypted
20:21 < d3r3k> Sout: do you have the WPA2 enterprise stuff deployed yet?
20:21 < chrustler> they can all be, isn't that the point?
20:22 < chrustler> if it's really ransomware that is
20:22 < shtrb> WishBoy, forget decrypt , if you pay / decrypt it does not mean it will not hit you again and this time worse
20:22 < Sout> I'm just an end user of this system. d3r3k.
20:22 < d3r3k> Sout: the fortigate stuff is so useless, Windows itself can do IPSec... nobody in the city seems to know what group policies are.
20:23 < d3r3k> Sout: well, do you have wireless as an end user yet? :p
20:23 < shtrb> d3r3k, fortigate make it look intellectually challenged easy
20:23 < Sout> the vpn, is interesting. woot not letting user save their passwords.
20:23 < d3r3k> Sout: probably cached on disk somewhere knowing them.
20:23 < shtrb> miraculous auto replace , removed the word `stupid
20:24 < d3r3k> Sout: e.g. crash dumps with memory to extract from
20:24 < shtrb> Sout, why are using fortinet vpn and not some foss client ?
20:24 < d3r3k> shtrb: because his employer doesn't know IPSec is already included in Windows.
20:25 < d3r3k> and wants to pay a vendor to provide a worse solution but say they "support" it.
20:25 < d3r3k> oh and it needs to be in French.
20:25 < shtrb> vu application merde ?
20:25 < shtrb> 'applicasion
20:25 < tuppabox> hey i would need help with apache anyone here?
20:27 < Sout> shtrb, because good luck finding one on linux.
20:27 < shtrb> Sout, shrew ? racoon ?
20:27 < shtrb> openswan ?
20:28 < Sout> and d3r3k I work at a small start up and technically our IT is done through the people we rent the space from. ie we have next to 0 control over it
20:28 < Sout> those work with fortinet?
20:29 < d3r3k> Sout: oh. Thought you were working for the large employer.
20:29 < d3r3k> Sout: you kanata or downtown?
20:29 < shtrb> depending on the config, but yes, Fortinet even give you explanation how to use openswan
20:29 < Sout> kanata :D
20:33 < kottt> client wants to 'block all vpns' on our simple stateful firewall. no DPI, nothing fancy, just wants to shut down the ports. sigh...
20:34 < d3r3k> inb4 they want to block all UDP.
20:35 < shtrb> Sout, http://kb.fortinet.com/kb/documentLink.do?externalID=11835 http://kb.fortinet.com/kb/documentLink.do?externalID=FD33774
20:35 < shtrb> kottt, can you afford to block access to cloudflare and amazon (because of domain fronting) , UDP and ICMP ?
20:36 < HEROnymous> kottt, I hear lots of vpns run on port 443/tcp. I recommend blocking that first.
20:36 < shtrb> also have a script that will try to connect to any server someone try to connect to 80 , 443 and check if there is sslh running
20:36 < shtrb> 443 will do a lot of harm (no https)
20:37 < HEROnymous> clearly they don't care - they just want to block "all vpns" by closing ports.
20:37 < shtrb> checking for sslh and domain fronting (blocking) is a good way
20:37 < Sout> thanks shtrb will take a look.
20:37 < detha> HEROnymous: easy. block all ports, both tcp and udp, and you have blocked all vpns
20:37 < shtrb> Sout, that are just two options , I do not know your config but fortinet are good with compliance in their docs
20:38 < shtrb> detha, and then someone uses ICMP tunnel
20:38 < shtrb> !whitelist
20:38 < shtrb> no factoid for whitelist ?
20:38 < detha> shtrb: don't tell them, in case I need to work from there
20:39 < HEROnymous> detha, there ya go, now you're thinking
20:39 < detha> besides, they said 'block ports'. ICMP no can haz ports
20:39 < HEROnymous> right?
20:39 < Sout> it's easy to block all vpns. just cut the ethernet line
20:39 < shtrb> lol , let's hope they do not don't use fortigates new and amazing feature , we don't block stuff we make it SO slow that your browser go to lunch
20:40 < shtrb> and then someone uses his phone line as a dialup servoce
20:40 < shtrb> *service
20:40 < HEROnymous> I've gotta write an email response to someone who thinks all vpn protocols are compromised and that changing his system's mac address every time he reboots improves his privacy, and that we blocked him because of his changing mac address (which we'd never see because internet.)
20:41 < shtrb> HEROnymous, I do not know where your client lives , but MAC address and IMEI are beginning to be registered ... so he does have a point if hes from Turkey or far east
20:42 < HEROnymous> still doesn't cross layer3 boundaries
20:43 < HEROnymous> and if someone is "registering it" then changing it once when you buy the system should be sufficient
20:43 < turtle> he's got a point of view from the jive turkey
20:43 < turtle> all my vpns are hacked so i deleted all my routes and you guys broke my internet help
20:43 < shtrb> He does not know that ... (also ipv6 can be constructed using a MAC , so are some ISP provided routers leak macs back to the provider )
20:44 < shtrb> :D
20:44 < shtrb> forget the IPV6 comment , I need coffee
20:48 < eahm> it will be logged for your grand children to see
20:48 < shtrb> Grandma I have found your old address ...
21:00 < biax_> anyconnect ocserv complains: main: TCP wrappers rejected the connection (see /etc/hosts->[allow|deny])
21:00 < biax_> i suppose i need to add something to hosts.allow
21:01 < biax_> any idea how to add it? i suppose 443 : something.... but im not very sure how. i havent found much google results
21:01 < BenediktXVII> Hello everybody. Is there a tool in Linux to mask my public IP when connecting to a remote server through the command line ?
21:03 < Aeso> BenediktXVII, what you're asking for is a VPN, not a tool.
21:04 < shtrb> BenediktXVII, vpn/proxy/socks/ssh etc
21:04 < Aeso> Consider: If you spoof your source IP address, how would the remote server know where to pass your traffic back to?
21:05 < BenediktXVII> Aeso: I will go through VPN then. It's for a stress test on a server I am maintaining.
21:06 < Aeso> BenediktXVII, you'll want to choose your VPN provider carefully. A lot of them rate limit common DDoS attack vectors for obvious reasons.
21:07 < BenediktXVII> Aeso: I suppose so indeed.
21:07 < biax_> tcp wrappers is so damn annoying
21:07 < BenediktXVII> Aeso: TOR ?
21:08 < shtrb> BenediktXVII, you could find some skiddies to ask for a DDOS to do a stress test
21:08 < BenediktXVII> shtrb: skiddies ? :p
21:09 < shtrb> think of brats, but with enough time to run some scripts
21:10 < BenediktXVII> Just need to find them skiddies now ... :)
21:10 < shtrb> just post , I built an amazing system you will never be able to hack it :D
21:10 < shtrb> or DDOS it
21:11 * shtrb plays die hard music and imagine an old cop with a card board get's into the right hood
21:13 < BenediktXVII> shtrb: any idea for a channel or forum ?
21:13 < shtrb> no
21:14 < shtrb> BenediktXVII, but if you will post stuff like that , expect to get hit by a crowd of packets that will come as a hail storm from all directions, and when you think it ends it will start again
21:16 < BenediktXVII> nice
21:16 < BenediktXVII> the server sits behind a dmz, a hard firewall and a soft firewall
21:31 < zeldafan78> Do you never get tired of perpetuating this bullshit lie about "script kiddies" who supposedly can launch DDoS attack to the left and right?
21:31 < zeldafan78> No such thing exists.
21:32 < shtrb> ha ?
21:32 < turtle> there are definitely a couple of them
21:33 < shtrb> You know what is the best way to get the correct answer on stackoverflow ? Write a wrong one . which to get a free DDOS boast about your unbreakable system
21:34 < joro_> hi guys, how can i check what version of Apache a web uses ?
21:34 < shtrb> joro_, HEAD to the server
21:34 < joro_> it gives just the Apache
21:34 < joro_> nothing more
21:34 < shtrb> I meant HEAD http command
21:35 < Aeso> zeldafan78, skiddies don't build botnets, they buy time on other people's botnets to DDoS with mommy's credit card
21:35 < joro_> shtrb, i do that with telnet to port 80
21:35 < shtrb> ah ok
21:35 < Aeso> not all DDoS attacks are launched by skiddies, but certainly some of them are
21:35 < Apachez> Gollee: http://www.cl.cam.ac.uk/~as2330/docs/reorder.pdf https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt tcp_reordering tcp_max_reordering
21:37 < shtrb> joro_ , try to access a forbidden page (it might have the version there
21:38 < joro_> sorry, what do you mean by forbidden page ?
21:39 < shtrb> forbidden anything that will give you a 403 result
21:41 < joro_> name or service not known
21:42 < Llama052> alright guise, whats a free serial client that can space out large pastes so it doesn't fuck the output? Putty aint cutting it
21:43 < shtrb> Llama052, nc ?
21:43 < shtrb> ssh
21:43 < joro_> minicom
21:43 < Llama052> shtrb: serial
21:43 < shtrb> oh feces , you need "serial"
21:43 < joro_> Llama052, minicom
21:44 < shtrb> minicom or socat
21:47 < joro_> how noisy is sU in nmap guys ?
21:47 <+catphish> i need to have a little chat with my neighbour about bandwidth: https://i.imgur.com/HkItoQa.png
21:47 <+catphish> also, sky, this is quite an antisocial default configuration
21:47 < shtrb> catphish, the shared single account ?
21:48 <+catphish> shtrb: no, look at the image
21:48 < shtrb> I have seen , who needs their own wifi range anyway
21:48 <+catphish> they have somehow managed to consume the entire 5GHz spectrum with one SSID
21:49 < shtrb> The fun part would be if that it's a faulty router that does not work anymore
21:49 <+catphish> 2.4GHz is fine: https://i.imgur.com/HiopWn8.png
21:49 <+catphish> and weirdly a BT and Sky are different ISPs, i have no idea why he'd have CPEs from both
21:54 < shtrb> MOFO , I was able to log in blindly #@%@ (some genius managed to disable the screen and I remember where on screen should be the user / pwd input menus )
21:55 < shtrb> sorry , had to choose a better place to share
22:05 < HEROnymous> I'm becoming an msp for msp's
22:05 < HEROnymous> little msp's without their own infrastructure are leasing infrastructure from me and it's awesome.
22:08 < drathir> mornin/evenin...
22:09 < drathir> catphish: lol nice graph ^^
22:10 <+catphish> HEROnymous: sounds like a special kind of hell
22:10 <+catphish> i did that very briefly, then threw my toys out of the pram because i got fed up of spam and fraud
22:10 < HEROnymous> catphish, actually not bad for the most part
22:11 < HEROnymous> oh yeah we're pretty exclusive to where we don't really attract that sort of stuff, and the msp's we work with are the sort who deal with small local businesses
22:11 < HEROnymous> so I enforce some sane security rules on them and things run pretty smoothly
22:11 <+catphish> that's not too bad then
22:12 <+catphish> we just accepted signups from the world because we had no particular funnel of trusted customers
22:12 < HEROnymous> we've tried mass marketing to the mass market... got nothing out of it, waste of money
22:13 < HEROnymous> so instead we've been focusing on developing local relationships and stuff
22:13 < HEROnymous> which has worked out very well, along with throwing more and more value adds at customers as they come to trust us
22:14 < drathir> btw 4x4 mu-mimo looks nice...
22:18 < ironpillow> hi all, noob question: what do you call when ipaddress+prefixlen are together: 192.168.0.1/24. thanks!
22:20 < grawity> the /prefixlen notation is called "CIDR notation", but I'm not sure if the whole combination has a specific name
22:21 < ironpillow> cool. the reason I am asking is because I am trying to name a variable which is a string "192.168.0.1/24"
22:23 < HEROnymous> I'd just call it the cidr
22:23 < HEROnymous> kind of a shorthand thing, but common
22:23 < ironpillow> got it. makes sense :)
22:23 < grawity> or just "address" tbh
22:24 < ironpillow> I want to indicate that the string not only contains an address but also prefix
22:24 < ironpillow> length
22:25 < spaces> is there a network my are allowed to messup ?
22:41 < Gambit15> Hey guys
22:42 < Gambit15> With regards to LACP/Link-Aggregation & load-balancing, is the ingress port defined as the individual physical port, or the aggregated VIF?
22:43 < Aeso> Gambit15, depends on your vendor
22:43 < Aeso> and what context
22:43 < patientplatypus> hi guys
22:43 <+catphish> from what i've seen, the aggregated vif
22:43 <+catphish> once ports are bonded, i've never seen the raw ports used for anything
22:44 < Gambit15> For example, traffic going from LAGG 1 to LAGG 2, would the ingress hash count just the VIF, or the LAGG member it was transmitted from?
22:44 <+catphish> but technically it may be vendor dependent
22:44 < spaces> Gambit15 what do you need ?
22:44 < Gambit15> Just trying to work something out
22:44 < spaces> tell us what
22:44 < patientplatypus> im using a ravello instance and im finding that i'm getting 502 Bad Gateway request every time i try and either http in or out of the collection of Ravello instances
22:44 <+catphish> my money'd on VIF, but you should test or RTM to be sure
22:44 < spaces> or is it a secret ?
22:44 < Gambit15> This particular stack is HP 5130s
22:44 < grawity> in some switches the VLANs get configured on the raw ports
22:45 <+catphish> spaces: what are you talking about? his question was quite clear
22:45 < spaces> catphish depends on vendor but I think both can be possible
22:45 < grawity> always fun to find out that *half* the LAGG ports are missing a vlan
22:45 < spaces> catphish we don't have any good info
22:45 <+catphish> spaces: sure, but your reply was "odd"
22:45 < spaces> grawity depends on vendor as well
22:45 < spaces> catphish you know we share love ;)
22:46 < spaces> I'm not that bad
22:47 < Gambit15> On the note of VLANs, I read today that VLANs (other than the default) are only supported in static mode or with a certain function enabled/disabled
22:47 <+catphish> yeah, it's messy if things are configured on the raw ports :(
22:47 <+catphish> i always configure vlans the same on both to be extra sure
22:48 < spaces> indeed
22:48 < spaces> and is also nicer when you make it a single one later on
22:48 < spaces> but some vendors remote the tag when it's a lag
22:48 < spaces> lagg
22:48 < Gambit15> IIRC, when I configure VLANs on the LAGG, the switch configures the members
22:49 < Gambit15> Not sure what happens if you add a member after that though
22:50 < Gambit15> Come to think of it, I don't know what that doc was talking about. My LAGGs are all a mix of tagged, untagged, & hybrid
22:53 < Gambit15> Anyway, re the original question, "the ingress port is *probably* the VIF, but it's worth checking".
22:53 < Gambit15> Cheers chaps!
23:06 <+catphish> Gambit15: you're welcome, good luck
23:15 < Apachez> Gambit15: hashalgo is performed before physical interface is selected for the particular frame
23:16 < Apachez> usually it takes available physical links and use that as divider
23:16 < Apachez> so if you got like 4x10G and link no2 goes poff (and you are left with 3x10G) then the loadsharing will be on the remaining 3 links
23:25 < Gambit15> Apachez, I was referring to the load-sharing algorithms
23:26 < Apachez> Gambit15: what about them?
23:27 < Apachez> in comware5 there two settings
23:27 < Apachez> one for L2 links and one for L3 links
23:27 < Gambit15> These switches only support XORs for the src-dst MACs & IPs, which is a problem between my streaming server & reverse proxy, all connections are sent over a single link
23:27 < Apachez> I use this for my comware boxes: link-aggregation load-sharing mode destination-ip source-ip destination-port source-port
23:28 < Leonarbro> hey networking guys, any of you have a favorite cloud storage provider?
23:28 < Apachez> that was for 5820
23:28 < Apachez> the command for 5120EI goes: link-aggregation load-sharing mode destination-ip source-ip destination-port source-port
23:28 < Apachez> so I dunno why comware7 on 5130 should have changed that
23:28 < Gambit15> Apachez, in my case, all of the packets are between the same two servers, as everything is routed through my proxy
23:29 < Apachez> you do this in the global system-view
23:29 < zeldafan78> Hmm...
23:29 < Gambit15> I'm trying to see if I can configure the proxy to round-robin outbound IPs
23:29 < Gambit15> (nginx)
23:30 < zeldafan78> The only possible way that any e-mails are gonna get delivered seems to be to do a "double opt-in" mechanism, where SOMEHOW, people "express their interest" in my e-mail list and then get a verification e-mail that they need to click on some link or reply to it in order for the subscription to be complete, but how in the hell do you get people to do that?! Back to square one...
23:31 < Gambit15> It's interesting, the switch shows source-port as an option in the global load-sharing config, but it says the hardware isn't supported when I try to use it
23:31 < Gambit15> source-port would be perfect
23:31 < zeldafan78> And don't tell me "by offering something for free if they subscribe to the mailing list", because I've given away stuff forever without anyone wanting it.
23:32 < zeldafan78> (Or knowing it exist in the first place.)
23:32 < zeldafan78> *exists
23:33 < Gambit15> zeldafan78, did you harvest these recipients from some marketing list, or did they actively register with you?
23:34 < Apachez> Gambit15: which hardware?
23:34 < Apachez> like that productid JD938 or whatever its named
23:34 < Gambit15> HP 5130
23:34 < Apachez> and which firmware?
23:34 < Apachez> no
23:34 < Apachez> thats the family name
23:34 < cthulchu> dudes, MAC is not propagated outside, right?
23:34 < Apachez> if you look at the front there is small tag saying something like JE884 or JC123 or whatever
23:35 < cthulchu> it gets overwritten every time for a TCP/IP packet
23:35 < Gambit15> 5130-24G-PoE+-4S 5130-3207-US
23:35 < cthulchu> so, like, if I'm a website, I can't get a user's mac
23:35 < Gambit15> cthulchu no
23:35 < cthulchu> unless it's deliberately collected and put in tcp packet
23:35 < Gambit15> Not from the network at least
23:36 < cthulchu> okay, thanks, thought so
23:36 < cthulchu> people claim to be banned by mac on the web
23:36 < cthulchu> weird
23:36 < Gambit15> Probably more like some sort of OS/browser "fingerprint"
23:36 < Apachez> Gambit15: HPE 5130-24G-PoE+-4SFP+ EI ?
23:36 < Apachez> so JG936A
23:37 < cthulchu> yes
23:37 < Gambit15> Apachez that's the one
23:37 < Apachez> https://h10145.www1.hpe.com/downloads/SoftwareReleases.aspx?ProductNumber=JG936A
23:37 < Apachez> latest firmware is 5130_EI_7.10.R3208P03-US
23:38 < Apachez> so not much of a difference but I would still recommend installing the latest
23:42 < Apachez> http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c04771730-4.pdf
23:44 < Apachez> link-aggregation global load-sharing
23:44 < Apachez> mode { destination-ip | destination-mac
23:44 < Apachez> | destination-port | ingress-port |
23:44 < Apachez> source-ip | source-mac | source-port } *
23:45 < Apachez> so you should be able to type (while in system-view with enough of privileges):
23:45 < Apachez> link-aggregation global load-sharing mode destination-ip destination-port source-ip source-port
23:46 < Apachez> and do NOT set this on a particular BAGG
23:46 < Apachez> because if you do then you can only choose from destination-ip, destination-mac, source-ip, source-mac
23:46 < Apachez> so leave this empty on the BAGG
23:46 < Apachez> and the BAGG will use the global setting
23:46 < Apachez> and tada!
23:47 < Apachez> now your lacp/bagg will loadbalance on the combo of srcip+dstip+srcport+dstport
23:53 < Gambit15> Indeed, source-port specifically would be the perfect solution, however whilst available, it's apparently not supported
23:53 < Gambit15> "The load sharing mode is not supported because of hardware limitations."
23:53 < Gambit15> ^^ anything including port based filtering
23:54 < Apachez> are you sure you are in global mode (system-view) when you type this?
23:54 < Apachez> and not on the bagg interface itself?
23:55 < Gambit15> The default is "packet-type", however I've not been able to find any details on that is exactly. Regardless, it doesn't seem to be balancing things evenly very well
23:56 < Gambit15> Yes, that's in global mode. In interface mode, it only gives the options for IP & MAC based filtering
23:56 < Apachez> file a complaint with the support :)
23:56 < Gambit15> global mode show port & ingress, although I've not tried ingress yet
23:56 < Apachez> according to the manual there is no word of that that port wouldnt be supported
23:57 < Gambit15> Yeah, I know, I've been through it a couple of times now :/
--- Log closed Fri May 18 00:00:24 2018