--- Log opened Fri May 18 00:00:24 2018
00:06 < spaces> Apachez is your network still gay ?
00:11 < electricmilk> Jeez. I apologize for keep disconnecting
00:11 < electricmilk> If it happens again I'll stop reconnecting
00:16 < Apachez> spaces: my packets are always gay
00:22 < cthulchu> do you guys think IP is a personally identifiable information?
00:22 < varesa> sounds like GDPR :p
00:22 < cthulchu> yeah
00:23 < cthulchu> I'm in a meeting. we're deciding what to do with the data
00:23 < cthulchu> more like what to hide
00:24 < cthulchu> I mean, GDPR is ridiculous
00:24 < cthulchu> but it's in Europe.
00:24 < cthulchu> North America is smart enough to watch and learn first
00:24 < varesa> I mean from the perspective of the end user it is a good thing but from the admin side it can be a pain
00:25 < cthulchu> I don't think if it's good
00:25 < cthulchu> it seems good from an uneducated perspective
00:28 < Gambit15> Going from piracy court cases, I'm not sure it's entirely agreed. I've seen outcomes both where the IP has been accepted as an ID of the user, other times when it hasn't
00:28 < varesa> I mean I might not agree with all the fine details but the basic principles are good if you ask me
00:28 < Gambit15> I don't think keeping IPs for logging purposes would run afoul though
00:30 < varesa> https://eugdprcompliant.com/personal-data/
00:30 < varesa> according to that page: "The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant."
00:31 < cthulchu> we decided just to encrypt all names, addresses and phones
00:31 < varesa> so unless you can explain the logging with something like security logs / audit trail then you probably shouldn't collect them without permissions
00:32 < djph> That's entirely contradictory to the two immediately previous sentences
00:32 < varesa> them = IPs
00:32 < djph> great logic there
00:32 < cthulchu> ahahah
00:32 < cthulchu> we don't even consider IP to be PII
00:32 < djph> ^
00:32 < cthulchu> to the hell with GDPR.
00:32 < cthulchu> let it boil
00:33 < djph> I mean "it's personal information so long as the ISP was subpoena'd"
00:33 < cthulchu> right!
00:33 < cthulchu> good point
00:33 < djph> well, given that *they have to be subpoena'd* in order to make it "personally identifiable" (and even there, llolololol NAT)
00:33 < cthulchu> ahahahahah
00:34 < varesa> exactly this is the part that makes GDPR a mess, nobody knows what is the correct interpretation of this stuff
00:34 < cthulchu> I wish they thought about a subject before judging
00:34 < cthulchu> and deciding
00:34 < cthulchu> it's more politics and less service to the public
00:34 < electricmilk> Ah much better. Darn Opera's built-in VPN kept disconnecting me from Freenode
00:35 < electricmilk> Should I add a dmarc setting if using O365?
00:35 < djph> I mean, okay, so the ISP finds out that 192.0.2.127 (some mall) downloaded $bad_stuff on $date ... and then they have to go and ... it was uh, uhmmm, uhh, the MAC address 09:F9:11:02:9D:74
00:36 < electricmilk> mail-tester.com is saying I should add a txt record for v=DMARC1; p=none
00:36 < varesa> https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
00:38 < djph> GDPR in short -> "We have no fucking clue how to behave 'on the internet'"
00:39 < electricmilk> Also what are optimal RDNS settings to try and make an IP as transparent as possible?
00:39 < electricmilk> Does an IP even need to have an RDNS setting?
00:40 < djph> Seriously, I don't get it. We get brought up our entire lives "don't talk to strangers", "don't take candy from the creeper in the van", "watch out for your friends so they don't get roofie'd" ... and we can't fucking apply the same goddamn thought-processes to "on the internet". I don't want to live on this planet anymore.
00:42 < electricmilk> Is it simply best practice to have no RDNS entry? Wonder if the ISP will allow that
00:46 < Gambit15> electricmilk for email, yes, PTR helps
00:46 < electricmilk> No email
00:46 < electricmilk> Not anymore
00:46 < electricmilk> Switched to O365
00:47 < Gambit15> Well the DMARC stuff is also only relevant for email
00:47 < Gambit15> Probably just recommended settings for using exchange
00:48 < electricmilk> Gambit15, I have SPF and DKIM set...Microsoft never recommended a DMARC change.
00:48 < varesa> DMARC seems like it would be still relevant with O365, no?
00:48 < electricmilk> I suppose it would hurt to add v=DMARC1; p=none
00:48 < electricmilk> That I don't know
00:48 < electricmilk> I did a mail-tester.com with another O365 server and they have identical settings.
00:49 < electricmilk> Also the RDNS settings don't resolve correctly..for both O365 instances
00:49 < varesa> irrelevant of what is handling the mail some recipients will want to see SPF, DKIM and DMARC
00:50 < electricmilk> Ah okay. Thank you. I'll add v=DMARC1; p=none
00:55 < electricmilk> Seems useless to use p=none though
00:55 < electricmilk> Perhaps I should implement p=quarantine
01:05 < Gambit15> Apachez: So just for a test, I enabled src-dst IP based balancing & set off 6 servers to grab a 4GB file from my proxy. It still only maxed out a single member of the BAGG
01:07 < Gambit15> I'm actually impressed, it got to 993Mbps on a Gbit interface! But still, not the desired outcome :/
01:35 < likcoras> I have a setup that routes all traffic through an openvpn server. From the looks of it, when I try to do too many connections through the vpn, it dies on me, no errors anywhere (that I could find at least).
01:36 < likcoras> What should my next steps be to verify exactly what causes my connection problems and start trying to address it?
01:36 < likcoras> For one, trying to torrent eg. linux ISOs will immediately just kill my connection unless I severely limit the download speed.
01:36 < HEROnymous> by "dies" do you mean the vpn session dies, or the openvpn process?
01:37 < HEROnymous> openvpn can be configured to log problems. I'd say figure out the config you need to log what you want, then watch the logs that it generates.
01:37 < dw1> weak DNS server?
01:37 < dw1> try 1.1.1.1
01:38 < likcoras> Dies, as in no errors absolutely anywhere, the connection just comes back on after ~30 seconds (and dies again if the torrent is still running)
01:38 < dw1> i had similar issues with my crappy ISP DNS
01:38 < likcoras> It's not the DNS, I get packet drops.
01:39 < likcoras> and torrenting should not trigger DNS lookups, anyway. I do have an unbound server forwarding to 1.1.1.1 and co., has not given me trouble ever, at least from what I can notice.
01:39 < likcoras> HEROnymous: I guess higher verbose?
01:44 < HEROnymous> likcoras, yeah I generally use pfsense to manage openvpn configs for me so I don't know the specifics off the top of my head, but I know you can get it logging more.
01:44 < HEROnymous> are you connecting to openvpn from behind a nat ?
01:44 < HEROnymous> could be that whatever's doing the nat is taking a dump with all that udp traffic or something.
01:48 < likcoras> Just did some rudimentary testing before restarting with verbose, as low as 4 tcp connections (curl speedtest.server...) disconnects me after ~30 seconds.
01:57 < likcoras> Hrm.
01:57 < likcoras> Server side: Fri May 18 08:56:06 2018 us=404618 ram/$client-public-ip MULTI: bad source address from client [192.168.0.2], packet dropped
01:58 < likcoras> client: Fri May 18 08:56:09 2018 us=359791 PID_ERR replay-window backtrack occurred [42] [SSL-0] [000000000000000000000000000000000__________000000000000000000000] 0:26706 0:26664 t=1526601369[0] r=[-4,64,15,42,1] sl=[5,64,64,528]
01:58 < likcoras> No idea how to interpret this.
02:00 < likcoras> Ah, I'll try tuning --replay-window. Fingers crossed...
02:00 < chendricks> hi guys - is it possible to see what connects to the vpn I use? for example, when I use a vpn I don't see any track of udp connections as when I dont use it
02:30 < likcoras> HEROnymous: it got fixed! I think. I still see some occasional errors, but packets are no longer dropping. ... and my connection dropped just as I was writing this.
04:35 < Peng_> Is it possible to contact AWS's NOC? Without a $xxxx support contract?
04:36 < Peng_> If so how? :D
04:46 < tds> Peng_: if you run your own network, they have contact details available on peeringdb
04:47 < Peng_> I don't. :<
04:48 < Peng_> It would be easy to contact either of the ISPs affected, but I don't want to give up :P
04:48 < Peng_> easy to contact the ISPs and ask them to contact Amazon*
05:42 < BeastyBSD> hi team i need help with layer3 switch allied telesis
06:43 < ibn-batot> hi
07:17 < zrx> eyo's
07:25 < WizJin> 12
07:25 < GenteelBen> WizJin: you take that back.
07:26 < WizJin> haha
08:50 < GenteelBen> I really wish my router's web login page didn't 1) list the router company name, and 2) list the router OS version
08:51 < GenteelBen> :|
08:53 < Roq> You can probably configure an accesslist on the specific webinterface port
09:01 < GenteelBen> This is for home use, Roq. I'm only concerned with access over the WAN port.
09:01 < GenteelBen> Good news: it has 2FA
09:01 < GenteelBen> Bad news: 2FA applies to both LAN and WAN logon attempts (I'd only want 2FA for WAN connections).
09:02 < mAniAk-_-> why would you want to expose it on wan
09:02 < Roq> Can you close access to the webinterface on the wan port and connect via VPN or something?
09:02 < Roq> You dont want it publicly open
09:02 < GenteelBen> I'm just playing around with it, until I decide which VPN service to pay for.
09:03 < GenteelBen> Web interface is disabled already over the WAN - I think it's disabled by default anyway.
09:03 < GenteelBen> I guess I'm complaining about nothing. There is an option to strip all branding from the router logon page, but IMO it should be debranded by default.
09:13 < Atro> its funny that "cur" means ass in romanian, and hp switches have "display cur"
09:13 < Atro> hehehehehehehehehehehehe
09:17 < Apachez> Gambit15: contact support, according to the manual it should work and no hardware limitations
09:45 < easy_ref123> Hi. Trying to understand basic switch configuration.
09:45 < easy_ref123> http://termbin.com/peqo
09:45 < easy_ref123> Do the configuration snippets in the link above align with the descriptions I've given of them?
09:45 < Phil-Work> easy_ref123, no
09:46 < Phil-Work> an access port (0/1) doesn't accept tagged traffic
09:46 < Phil-Work> it simply puts all traffic it receives on vlan 123
09:46 < Phil-Work> it also doesn't tag traffic that it sends
09:46 < Phil-Work> what you say about the trunk port (0/2) is fine
09:48 < easy_ref123> Phil-Work, thanks.
09:49 < easy_ref123> Couldn't all the traffic that port (0/1) receives, be put onto the LAN rather than the VLAN, to achieve the same thing?
09:50 < Atro> into the what now
09:50 < Atro> easy_ref123: there's Access and Trunk, Access does not encapsulate VLAN ID, Trunk Does
09:51 < Atro> So switchport access vlan 123, means all untagged traffic coming through that port, gets tossed into vlanid 123
09:51 < Atro> switchport trunk allowed vlan 123, means all TAGGED traffic with vlanid 123, gets tossed into vlanid 123
09:52 < easy_ref123> thanks
09:54 < Phil-Work> easy_ref123, everything is a VLAN on a managed Cisco switch - if you don't set a VLAN specifically on a port, it goes into the default VLAN (1 I think??)
09:54 < Atro> ye its 1
09:54 < Atro> 0 for for juniper
09:56 < regdude> and juniper forwards everything across the network with VLAN 0 or does it only keep this VLAN ID internally?
09:58 < Atro> regdude: only internally
09:58 < ibn-batot> what is the easiest simulator for learning networks ?
09:58 < Atro> ibn-batot: you can use packet tracer
09:59 < ibn-batot> it is not generic in addition it can't simulate manet
09:59 < regdude> ok, then all good
09:59 < regdude> GNS3 seems to be the most popular "simulator"
10:00 < easy_ref123> So switchport access vlan 123, for port (0,1), would drop frames that arrived tagged with vlan id 123
10:01 < easy_ref123> (because it's Access and only accepts untagged)
10:01 < Atro> easy_ref123: drop frames that arrive with ANY tag
10:02 < Atro> be 1-4096
10:03 < regdude> internally all switches should look for 0x8100 tag after SRC-MAC address in a packet. If it is anything else, it is untagged
10:03 < regdude> except, of course, if you switch to 802.1ad
10:05 < ibn-batot> does any1 have the tetcoss network simulator "netsim"?
10:34 < r0n0x> heyo
10:35 < r0n0x> i have a question, i wanna get an Asus AC87A
10:35 < r0n0x> do fakes exist and how do i verify if what i buy is a fake?
10:36 < r0n0x> AC87U*
10:36 < Phil-Work> buy it from a reputable retailer and you'll be fine
10:37 < ibn-batot> does any1 have the tetcoss network simulator "netsim"?
10:38 < r0n0x> reputable retailers sell it for heaps
10:38 < r0n0x> im buying one off ebay second hand
10:39 < r0n0x> possibly considering from china
10:39 < hyperair> if you can't tell the difference, does it matter? :)
10:39 < hyperair>
10:39 < r0n0x> this is in case i can tell the difference
10:39 < r0n0x> but need to prove it
10:39 < ibn-batot> does any1 have the tetcoss network simulator "netsim"?
10:39 < ibn-batot> plz help me guys
10:39 < ibn-batot> i need that sim urgently
10:39 < hyperair> r0n0x: can't you just open a dispute with ebay?
10:39 < mardraum> hyperair: that doesn't look like anything to me.
10:40 < r0n0x> yes, but not unless i can prove anything
10:40 < ibn-batot> hyperair mardraum r0n0x
10:40 < hyperair> ibn-batot: no
10:41 < hyperair> r0n0x: well some considerations are the first three octets of the mac address, which are specific to vendor
10:41 < hyperair> r0n0x: apart from that i don't think there's a reliable way of telling the difference. just play spot the difference with it and just look for discrepancies
10:42 < hyperair> r0n0x: i would think that the webui would be the most likely bet -- cheap chinese clones are likely going to have shitty english
10:42 < hyperair> r0n0x: and at the end of the day, if you can't tell the difference, then it doesn't matter so just enjoy your cheap but good router :)
10:43 < r0n0x> well, i wanna install openwrt on it too
10:43 < hyperair> ah
10:43 < hyperair> does openwrt support it?
10:43 < r0n0x> i guess if it cant that might be a giveaway
10:43 < r0n0x> yes
10:43 < r0n0x> very well so
10:43 < hyperair> interesting, i didn't think that there were any asus routers supported by openwrt
10:43 < hyperair> afaik you needed asuswrt
10:43 < r0n0x> eh, same thing isnt it?
10:43 < hyperair> which was a modified version of the stock asus firmware
10:43 < hyperair> no
10:43 < hyperair> asuswrt is based on the stock asus firmware. it's got no relation to openwrt
10:44 < r0n0x> oh
10:44 < r0n0x> well, for this one it has support
10:45 < r0n0x> ah shit
10:45 < r0n0x> theres some issues it seems
10:46 < r0n0x> ah well, its still a kickass router
10:47 < r0n0x> what features might asuswrt and openwrt not share?
10:47 < hyperair> r0n0x: everything
10:47 < hyperair> the whole config mechanism is different
10:47 < hyperair> the webui is different
10:47 < hyperair> every feature that's of a higher level than the linux kernel is different
10:47 < r0n0x> so, i cant use password protection?
10:47 < hyperair> what's password protection?
10:47 < r0n0x> or change my ssid name?
10:47 < r0n0x> lol
10:47 < hyperair> lol
10:48 < hyperair> you mean wpa passwords?
10:48 < r0n0x> when you put a password on your wifi
10:48 < hyperair> you can do that in stock
10:48 < r0n0x> you said they dont share functions
10:48 < hyperair> everything you can do in stock firmware you can do in asuswrt too
10:48 < r0n0x> ok, so, what else then can asuswrt do that stock cant?
10:48 < hyperair> okay more specifically, they don't share the same implementation of functions
10:48 < hyperair> i forgot
10:49 < hyperair> i wasn't too happy with asuswrt so i largely ignored it and turned it into a dumb accesspoint
10:51 < zrx> Got a pfsense question. I am not able to connect to https sites. Is this because of my certificate authority?
10:51 < r0n0x> im just curious about what i could do with asuswrt that stock firmware doesnt support, or, is asus stock firmware pretty full of features?
10:51 < hyperair> stock has quite a number of features
10:51 < r0n0x> one thing specifically i want to do is ban access to a certain IP address
10:51 < hyperair> oh whoops asuswrt is stock
10:52 < hyperair> https://www.asus.com/ASUSWRT/
10:52 < r0n0x> my current shitbox router seems to support it but doesnt enforce it
10:52 < hyperair> asuswrt-merlin is the one i was talking about: https://asuswrt.lostrealm.ca/
10:52 < hyperair> https://asuswrt.lostrealm.ca/features <-- features page is here. see for yourself
10:52 < r0n0x> also theres IP logging, i was hoping for, to acquire said IP
10:52 < r0n0x> ty
10:53 < hyperair> i'm pretty partial to tp-link routers, personally
10:53 < hyperair> they tend to run really well with openwrt
10:53 < hyperair> cheap and good chinesium equipment
10:54 < linux_probe> tp-stink =p
10:54 < r0n0x> i rather like asus
10:54 < r0n0x> havent been let down so far in mid range but good value for money
10:55 < r0n0x> dd-wrt is supported too, but maybe i wont have to use anything
10:56 < hyperair> pfft dd-wrt
10:56 < r0n0x> is it not good? or probably worse?
11:04 < zrx> I've been looking all around. Can't seem to connect to an https website cleanly since installing PFSense. Is concentrating on the SSL cert what I should be doing? Or is there something else that could cause issues with connecting to https sites?
11:05 < djph> MTU is the usual culprit
11:06 < djph> at least for me (lotta DSL people around here)
11:06 < zrx> i'm using coax
11:06 < zrx> let me try forcing to 1500
11:07 < easy_ref123> VLAN question. Is untagged traffic actually tagged with VLAN ID 1?
11:08 < zrx> ha aha ha!!!
11:08 < detha> easy_ref123: no. it has no tag
11:08 < zrx> I've been on this all later half of the day. Didn't know MTU could have been the issue
11:08 < TotallyNotKim> zrx: it worked I suppose? Get djph a cookie
11:08 < zrx> thanks. much graz from here
11:09 < zrx> testing my other machine...
11:13 < djph> odd that forcing 1500 is the fix, usually here (for DSL) it's 1492 MTU / 1450-something MSS
11:16 < easy_ref123> detha, thanks
11:17 < easy_ref123> is vlan 1 significant in any way?
11:17 < Phil-Work> easy_ref123, depends on the vendor
11:17 < detha> protocol-wise, no. vendor-wise, some vendors will not let you delete vlan 1
11:18 < djph> yeah, it's the one you should never fucking use, because that one vendor does things funny-like, and it WILL bring your network down.
11:18 < easy_ref123> Cisco? I'm looking in a config with the line, "switchport trunk allowed vlan 1, 5, 6, 7"
11:18 < easy_ref123> 5, 6 and 7 are used for application traffic. I'm not sure why 1 is allowed.
11:19 < easy_ref123> The config is autogenerated so it may just be an "artifact"
11:19 < detha> some people put management on 1
11:20 < zrx> back
11:21 < detha> (because there are some stupid vendors that hardcode management to vlan 1, or can only handle vlan1 as default for untagged traffic, or some such nonsense)
12:29 < leafwiz> Hey. I'm sitting here pondering what people use for generating network configs. Do people make their own tool or is there a tool people use more often? I have been googling a bit, but it seems there is no good answer except for the solarwind Network Config Manager
12:30 < chrustler> A horde of highly trained monkeys
12:30 < Roq> I use ansible sometimes
12:31 < Roq> puppet and chef are other alternatives
12:31 < leafwiz> it is kinda simple problem, but when you start to think about variable constraints (eg. vlan ids are integers between 0-4096 ) and stuff like that
12:32 < leafwiz> And how to organize the snippets, how to edit the snippets and stuff around that (eg edit from CLI, or a web gui)
12:32 < leafwiz> yeah, I have been looking into ansible
12:34 < chrustler> OpenDaylight?
12:39 < mAniAk-_-> leothrix: ansible with dynamic inventory and jinja templates maybe?
12:40 <+daemonkeeper> leafwiz: A lot of people built their automation around pyeznc or ansible/salt.
12:43 < leafwiz_> daemonkeeper: cool. oki. I can google that then.
12:44 <+daemonkeeper> If you have a heterogeneous environment, or an environment where you also cover servers the latter two might be better. pyeznc is for Junos only, the more agnostic framework for network devices is NAPALM
12:45 <+daemonkeeper> yada yada: if you care only about network devices use NAPALM, if you have servers or funny stuff salt/ansible. Which is is a matter of preference.
12:45 < mAniAk-_-> you can run napalm through ansible as well
12:46 <+daemonkeeper> But then you still have ansible :p
12:46 < leafwiz_> daemonkeeper: sure. I'm kinda into how people organize their global variables. Do they use a db, or yaml files, do they use some form of constraints on their vars and so on
12:46 <+daemonkeeper> We have a git repo with tons of semistructured text
12:47 < leafwiz_> Because making the templates seems fine. Its just all of the vars , and the work flow around those
12:47 < leafwiz_> because my team kinda wants it presented in a web-form
12:47 <+daemonkeeper> Both, salt and ansible have that
12:47 <+daemonkeeper> Already included I mean
12:48 <+daemonkeeper> Personally I'd hate that
12:50 < winsoff> Does anyone know of any decent traceroute utils (even browser-based) that will give me at least a geolocation for each hop?
12:50 < winsoff> Also, I just tried the "modern tcp method" given in linux for traceroute, and it still gets filtered by level3's firewall back to my home network. Any tips?
12:50 <+daemonkeeper> A browser based traceroute would be super useless
12:51 < winsoff> daemonkeeper, webrtc?
12:51 < mAniAk-_-> leothrix: should be easy enough to create some django page that can modify yaml files that ansible uses for vars
12:51 < winsoff> I don't see how it couldn't work.
12:52 <+daemonkeeper> It's either server based, which makes it useless or client based which makes it very limited as a lot of traceroute methodologies need privileged operations
12:54 < leafwiz> but yeah, its just how to organize the variable files for ansible I have to figure out I think
12:56 < mAniAk-_-> leothrix: we have platform vars, group/function vars and device specific vars
12:56 <+daemonkeeper> And mAniAk-_- just disclosed why I hate ansible :p
12:56 < mAniAk-_-> :)
12:56 < mAniAk-_-> what choice do we have
12:56 <+daemonkeeper> salt :p
12:56 <+daemonkeeper> ansible's scoping terribly sucks
12:58 < leafwiz> My other thoughts is to just use plain python with jinja for the templates and yaml files for the vars
12:58 < mAniAk-_-> never had a good look at salt
12:58 < leafwiz> To generate the configs
12:58 < leafwiz> and then to use eg ansible or something like that to push them
12:58 <+daemonkeeper> It's the sane version of ansible also based on Python, mAniAk-_- :p
12:58 < mAniAk-_-> daemonkeeper: im sure it has its own insanities :p
12:59 <+daemonkeeper> It definitely has, but these do never ever counter for loops in a yaml dictionary as syntax.
12:59 < mAniAk-_-> maybe next time i start over from zero
13:00 <+daemonkeeper> As soon as you read http://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html your thinking should be ABORT ABORT EJECT
13:03 < mAniAk-_-> nooo, they are "fun"
13:04 <+daemonkeeper> Was it Telia that caused your brainsickness? :p
13:04 < regdude> Anyone is familiar with EtherType 0x9100? Does any switch even support this "compatibility 802.1ad mode"?
13:04 < dionysus69> is it good idea to use https over ssh ?
13:05 < dionysus69> or it doesn't add ANY security over http over ssh
13:05 <+daemonkeeper> It won't hurt at least.
13:05 <+daemonkeeper> Sure it does, you probably mean a SSH tunne
13:05 <+daemonkeeper> tunnel
13:05 <+daemonkeeper> Which means everything behind would be unencrypted to the final destination
13:05 < dionysus69> yea, doing a ssh port forwarding
13:05 <+daemonkeeper> Unless you use HTTPS
13:05 < dionysus69> ssh tunnel is encrypting
13:06 < dionysus69> you said unencrypted
13:06 <+daemonkeeper> The SSH tunnel endpoint is not the final destination. It will forward the packet to the actual destination.
13:06 <+daemonkeeper> That part would be unencrypted.
13:06 < Kryczek> dionysus69: it would be better to use it over a datagram-based tunnel like IPsec or a UDP configuration of OpenVPN, otherwise you have the TCP-over-TCP problem: http://sites.inka.de/bigred/devel/tcp-tcp.html
13:06 < dionysus69> daemonkeeper: the actual destination is also on the same machine
13:06 < dionysus69> you are assuming machine could be compromised?
13:06 <+daemonkeeper> In that case it won't make a difference.
13:07 < easy_ref123> hi, still trying to understand this Cisco config file :)
13:07 < easy_ref123> it has statements, "interface Vlan123", but I can't see the name Vlan123 defined anywhere else in the config
13:07 < dionysus69> ok thanks daemonkeeper Kryczek
13:08 < easy_ref123> I have "vlan 123", followed by "name APPLICATION_DATA", but that's not important as I can tell
13:09 < easy_ref123> I can guess - when I allow a vlan on a trunk, an "interface" is created with name VlanXXX?
13:09 < mAniAk-_-> daemonkeeper: it was tele2
13:09 < mAniAk-_-> daemonkeeper: they didnt use ansible, salt or anything like it :p
13:10 < mAniAk-_-> daemonkeeper: they did buy tailf, but wasnt in production then
13:10 < Phil-Work> easy_ref123, not inherently
13:10 < Phil-Work> the VlanXXX interface is an internal interface on the switch and allows you to give that switch an IP in that VLAN
13:11 < Phil-Work> ordinarily this is used for managing the switch, so you'd only have an IP in 1 VLAN... however layer 3 switches may have an IP in multiple VLANs
13:11 < chendricks> hi guys - is it possible to see what connects to the vpn I use? for example, when I use a vpn I don't see any track of udp connections as when I dont use it
13:11 < easy_ref123> I have something like this
13:11 < easy_ref123> http://termbin.com/nfhj
13:11 <+daemonkeeper> mAniAk-_-: Not sure if that was good or bad news now :D
13:11 < skyroveRR> Hi daemonkeeper :)
13:11 < skyroveRR> daemonkeeper: haven't been seeing you around these days.
13:11 < easy_ref123> Phil-Work, thanks
13:12 <+daemonkeeper> I am 24/7 here.
13:13 < mAniAk-_-> daemonkeeper: hah
13:13 < purpleunicorn> Hey
13:14 < purpleunicorn> Has anyone used cryptocat
13:14 < at0m> nope
13:41 < easy_ref123> can somebody shine some light on what these statements might be for
13:41 < easy_ref123> http://termbin.com/fhaq
13:41 < easy_ref123> ctrl-f "redistribute" in the switch docs yields nothing
13:42 < mAniAk-_-> announces static routes and connected networks in bgp
13:42 < mAniAk-_-> in ospf*
13:43 < easy_ref123> thanks
13:43 < easy_ref123> how about the network statement?
13:46 < Roq> The area commands looks a little weird
13:46 < Sepultura> HAlloa
13:46 < skyroveRR> HELLO
13:46 < Roq> easy_ref123: what vendor is that?
13:47 < Sepultura> are ipv6 beginning with fe80 private IP ranges like 192 and 10 in ipv4?
13:47 < Dagger2> Sepultura: no. they're mostly like 169.254/16
13:47 < Roq> the network command tells the device to send hello's out of the interface within the subnet, and places it in an area X. Your area looks like a wildcard mask
13:48 < Sepultura> Dagger2 aren't 169 local?
13:48 < Dagger2> 169.254/16 is link-local, yes. as is fe80::/10
13:51 < Sepultura> Dagger2 I am wondering why my router is not assigning the router a normal IPv6 from my ISP
13:52 < Sepultura> the other devices have a IPv6 :O
13:53 < easy_ref123> Roq, cisco
13:53 < Dagger> that's a bit more of an involved question... but it might be relevant to note that Linux ignores RAs on an interface if forwarding=1 for that interface, unless accept_ra is set to 2
13:55 < easy_ref123> Roq, thanks. It's saying "send hellos out of the interface with IP 10.123.2.1"?
13:56 < easy_ref123> how does the "area 0.0.0.123" affect this?
13:56 < mAniAk-_-> easy_ref123: its just the area id
13:57 < easy_ref123> Why is the ID in dotted quad form, I wonder
13:58 < mAniAk-_-> the area id is a 32bit value, just like an ip is and can be represented in that way
13:59 < easy_ref123> thanks
14:51 < chendricks> have you guys tried using vpn only for 1 specific destination IP?
14:52 < skyroveRR> chendricks: a VPN typically only connects to 1 destination IP/host..
14:52 < chendricks> I am not sure if you understood my question, I will explain better
14:53 <+xand> chendricks: yes you could do that by just routing one IP via it
14:53 < chendricks> xand, preroute it?
14:55 < mAniAk-_-> just a /32 route over the vpn?
15:16 < lavenders> hello, i 'dig' it
15:27 < aruns> Hi, anyone got a good way of identifying the hosting provider for a site? I have been checking the response headers for a few sites I'm testing against, and have been able to identify a few sites' hosting providers that way
15:27 < aruns> But not all hosting providers send a header in the response.
15:28 < aruns> And lookup tools such as dig don't tell me much.
15:28 < flying_sausages> hey guys did anyone ever run into a problem where udhcpd is straight up not printing anything into the standard output?
15:28 < lavenders> with $ dig www.yahoo.com // i get two ips, is this normal, do you know another host?
15:28 < flying_sausages> when using it with -f it just ends immediately, no errors, no logs, no messages, nothing
15:28 < lavenders> 87.248.98.8 and 87.248.98.7
15:32 < detha> lavenders: that is a perfectly normal beast^Wbehavior
15:33 < lavenders> do you have another example hostname?
15:33 < lavenders> not even dig http//google.com does that
15:34 < detha> pool.ntp.org normally gives a few addresses
15:35 < lavenders> wow thanks 4 even
15:36 < detha> aruns: do reverse lookups in the site's IP address, sometimes that shows it, otherwise check which AS the IP belongs to
15:40 < likcoras> aruns: also whois lookups on the IP addresses.
15:43 < loganrun> I am trying to program a server in python. The server will start a new thread for each connection. The server will mainly send data but will be able to received commands to stop the flow of data or whatever. I am not sure what the best approach is. It seems like setblocking and select apply only at the server level not for each connection.
15:48 < djph> probably best to ask in #python ...
16:17 < rcvu> Hey I am trying to use the ignore.auto-dns option with NetworkManager to simulate offline situation
16:18 < rcvu> but it isn't working as expected
16:18 < djph> in what way?
16:18 < rcvu> It will work when I apply the setting to the device but this is only temporary so best practice is to change the connection
16:18 < rcvu> but this isn't working at all
16:19 < rcvu> Anyone have any experience with this?
16:19 < rcvu> I've tried reloading the connection after making the change and bringing it up and down but no dice
16:22 < lavenders> how do you use wireshark in linux/debian
16:23 < rcvu> Maybe I am not understanding the change *ignore-auto-dns* is supposed to make, but in the docs it says "automatically configured nameservers and search domains are ignore"
16:23 < kuahara> A user in network A is trying to VPN into network B. The edge router in network A is a Cisco RV320. The edge router in network B is a SonicWALL TZ600. The sonicwall is also the VPN endpoint in network B. The world outside of network A can connect to network B just fine. No users in network B can connect to network A.
16:23 < kuahara> Anyone familiar enough with the RV320 to know what we might need to be looking at to find out why those users can't connect?
16:24 < djph> first choice would be a firewall rule (Tunnel's up, right?). Possibly also routing tables.
16:25 < kuahara> I should probably also mention that we are not using any 3rd party software to connect. Just the built in Windows VPN client. The windows firewall is turned off and there's no hardware firewall aside from whatever is on by default on the RV320.
16:26 < kuahara> Windows firewall is off just for testing.
16:26 < kuahara> The offices that can VPN in without trouble have their Windows firewalls turned on and I think most even have hardware firewalls like the sonicwall in place.
16:26 < kuahara> And they have no trouble connecting. Network B is using L2TP/IPSec.
16:27 < kuahara> I can connect to it fine from my work PC and home PC. It's just these network A users that can't get in.
16:27 < djph> so again, check firewalls and routing at network A.
16:28 < djph> e.g. the cisco is misrouting traffic, or it's blocking VPN, or ...
16:31 < SoniEx2> anyone knows how LTE redirection is supposed to work?
16:35 < marin__> my router firewall blocks vpn connection,IPsec passthrough and PPTP passthrough are both checked and it still doesnt work, turning off router firewall seems to enable me to use VPN
16:35 < marin__> please help
16:36 < marin__> i am using openvpn
16:38 < mnemon> marin__: openvpn doesn't need those passthroughs, it should work as long as you can establish a TLS connection to the port
16:38 < mnemon> so probably the firewall is just blocking the destination port?
16:38 < pekster> mnemon: openvpn uses a single UDP port for all traffic, so there's not usually anything special you need to do when making an outbound connection to a server. Are you using the "multi-client" mode, or the stateless PSK (pre-shared-secret) mode for openvpn?
16:39 < pekster> Or are you acting as the server here?
16:39 < kiokoman> marin__: default port for openvpn is 1194 , u probably need to open it on the firewall 16:40 < pekster> For inbound yes, but if this is an outbound connection there should be no need to open anything on properly configured stateful firewalls 16:40 < marin__> I am using it as aclient 16:40 < pekster> Is your egress (outbound) firewall policy permissive of both TCP and UDP traffic, and configured to "keep state" to accept return traffic that your internal clients initiated? 16:41 < pekster> Also, make sure your VPN server pushes (or your client sets) a --keepalive or --ping value in order to keep the UDP state open 16:42 < pekster> If the server is yours, seeing your server config might help (the full config, but redact any inline private keys you may be using) 16:42 < kiokoman> idk, my default firewall policy is to block all out/in if not specified 16:42 < pekster> That's not usually a good design unless you _really_ know what you're doing 16:43 < marin__> wait i need to reconnect 16:43 < marin__> i am currently connected to it 16:43 < marin__> *without firewall 16:44 < marin__> i have software firewall but iam not sure if it helps mutch 16:44 < patarok> hi 16:45 < patarok> what does a "search www.somedomain.com" do in resolv.conf 16:45 < pekster> Often client-side firewalls, either from the OS or a 3rd party vendor, need to be told to permit client applications to make (or accept) connections. Depends on the firewall settings really 16:45 < patarok> ? 16:45 < marin__> strange, it seems to work now 16:45 < pekster> patarok: Sets that as a search domain suffix for unqualified host names, like "somehost" would try to look up "somehost.www.somedomain.com" before asking for the more unlikqly FQDN of "somehost." 16:47 < pekster> Often the search suffix list is supplied by DHCP, but there's usually a way to tell your DHCP client to ignore it if you don't want that 16:49 < patarok> thank you guys... 
17:04 < c_cinap> laptop repair 17:05 < marin_> ok it seems that irc is using a port that my firewall blocks 17:06 < marin_> so my router firewall basiccly blocks irc and vpn 17:06 < marin_> https://www.manualslib.com/manual/1176643/Technicolor-Tc7200-20.html?page=48#manual 17:07 < djph> if your router is blocking on inbound connections that're related to something else, the router's screwey (NOTE though that if you turn on the firewall, it won't necessarily have conntrack entries; so you have to reconnect) 17:07 < kuahara> djph, so I got on and completely turned off the RV320 firewall. Still no dice. 17:08 < djph> kuahara: o_O 17:08 < djph> routing? 17:08 < LegalDrokz|PI> several switches are logging frequent (every 20 - 40 sec) STP topology changes, what could be causing that? 17:09 < djph> STP topology changes 17:09 < kuahara> There are no additional rules setup under advanced routing. 17:09 < Phil-Work> lol 17:09 < djph> probably one of the ports is flapping 17:09 < marin_> So what should i do, foward 1194 port so ican use vpn and foward other port for irc chat? 17:10 < djph> no 17:10 < LegalDrokz|PI> djph yes that is also being logged 17:10 < LegalDrokz|PI> genious 17:10 < marin_> or i can just turn it off and use software firewall? 17:11 < LegalDrokz|PI> there is a Cisco AP on that port 17:13 < Aeso> LegalDrokz|PI, so there's either a problem with the cable or the AP. Test each individually. 17:13 < LegalDrokz|PI> ive disabled bdpuguard and portfast on the AP port 17:16 < marin_> Does router firewall block irc and vpn ports. Is this normal or is it just my router? 
17:16 < LegalDrokz|PI> its probably the AP thats going bad, Cisco WAP 321 crap 17:22 < SoniEx2> nvm I think I figured it out 17:25 < LegalDrokz|PI> it was a newer AP actually 17:25 < LegalDrokz|PI> an HPE Aruba IAP305 17:26 < LegalDrokz|PI> it's probably the patch connection 17:34 < kuahara> Is there another, easy-to-setup and run with VPN option I can use instead of this L2TP connection that seems to get stopped at the door by the RV320? On network B's end, I have the sonicwall TZ600 and a Windows server at my disposal. 17:34 < jim> is there a way I could get a true/false (or something) where I get true if my host is running ipv6 addresses on the interface with the default route, or false if it's running ipv4? 17:34 < kuahara> That easy to setup bit is critical as it'll be for a customer and I won't be maintaining it. 17:36 < Dagger> jim: that's an underspecified question -- there's no such thing as "the default route" 17:36 < skyroveRR> Dagger: o.O 17:36 < batch> default via 192.168.1.1 dev enp0s25 proto static 17:36 < batch> isn't that the default route 17:36 < Dagger> you can have zero or more default routes for v4, and the same for v6 17:36 < batch> xD 17:37 < skyroveRR> Dagger: that's something new for me, care to enlighten a bit? :) 17:37 < Dagger> no, that's *a* default route for v4. you might have more of them, and you made no mention of any v6 default routes 17:38 < djph> Dagger: explain how "zero" default routes is going to work 17:38 < tds> you just need two /1 routes ;) 17:39 < Dagger> it doesn't affect the basic packet routing algorithm. if there's no matching route then the packet is presumably dropped 17:39 < jim> I'm expanding an existing program that generates iptables rules which taken together form a masqing firewall... and I need a way to know whether I should be generating iptables of ip6tables rules 17:40 < batch> jim what program is it to generate iptables? 
17:40 < jim> it's an old package that used to be in debian called ipmasq
17:41 < jim> it's a bunch of scripts
17:42 < jim> batch, I put my copy on github if you want to see it
17:42 < batch> yes plz j
17:42 < batch> yes plz jim
17:42 < jim> ok
17:43 < jim> let me find it :)
17:43 < batch> allrighty
17:44 < jim> it includes everything you need to build the debian package
17:44 < Dagger> you'd need to generate both if both are in use (is there even much of a reason not to just generate both all the time?)
17:45 < Dagger> but remember it's also possible to have default routes pointing out of different interfaces, e.g. on a system where v6 is provided via a tunnel
17:45 < jim> Dagger, probably not... and, I'm just starting on this, and I don't know much about ipv6 yet
17:45 < Dagger> or v4, for that matter (hello DS-lite)
17:46 < jim> let me find the git repo
17:47 < jim> found it, now let me see if the remote is set up properly, or if I have to look somewhere else
17:48 < jim> hmm, I see one at gitlab, but I don't think that's the latest code
17:49 < batch> what project is it?
17:49 < batch> or is it own code?
17:49 < jim> no, someone else wrote it then abandoned it
17:50 < jim> I grabbed it from an old version of debian and I've been keeping it running at home
17:50 < kiokoman> marin_: home router with firewall usually don't block outgoing traffic by default
17:50 < batch> oh ok nice jim
17:50 < batch> tell me when you have it
17:51 < jim> I found one from 2016 at gitlab, but that's not the latest code... you see, it has helper scripts that used to parse ifconfig, and I wrote versions of them that parse ip instead
17:52 < jim> so I didn't find the right repo yet, it must be on my gateway box
17:52 < batch> i could really use some iptables generator lol
17:54 < Dagger> ferm is nice, however it has some minor annoyances that make dual stack firewalls more of a pain than they should be
17:54 < jim> ok, I found it, let me get the public repo clone address
17:55 < Dagger> or there's nftables, which seems to have a pretty similar syntax to ferm
17:55 < jim> what's nice about nftables is they made an iptables conversion layer :)
17:56 < jim> so I didn't have to write whole new sections for nftables (and, I was going to until I found out about the conversion layer)
17:56 * batch not impressed
17:56 < batch> xD
17:57 < batch> i mean about nftables then
17:57 < jim> in later kernels, iptables is actually -gone- and just nftables and the conversion layer remains
17:59 < jim> go to this url and see if you see the github page: https://github.com/jwlynch/ipmasq
18:01 < batch> allright looks nice jim thx!
18:01 < jim> welcome
18:02 < jim> if you're interested in how the helper scripts changed from ifconfig to ip, look in the helper-scripts dir, also it's the latest work, clone it and look at git log
18:04 < jim> if you want to build a debian package, look in debian/control and install the build depends, then...
18:04 < jim> fakeroot debian/rules clean
18:04 < jim> fakeroot debian/rules build
18:04 < jim> fakeroot debian/rules binary
18:04 < jim> look in ..
18:05 < jim> you have to be in the top level dir when you do that, you'll see a dir debian with the rules and control files there
18:05 < batch> oke nice
18:06 < batch> it'll make rules into a file?
18:06 < batch> or just directly run the command?
18:06 < jim> the rules file is actually an executable make file
18:06 < batch> cause i kinda want to make it and transport the rules in a file via scp to another distro maybe
18:07 < jim> which one?
18:07 < batch> ah hmmm
18:07 < batch> ubuntu but hmm
18:07 < batch> maybe that'll be no issue idk?
18:07 < batch> and maybe centos as well
18:08 < jim> it will build on ubuntu just fine :) just install the build depends and you'll be fine
18:08 < batch> but centos using firewall-cmd as well bleh
18:08 < batch> ah nice
18:08 < jim> (because: ubuntu is a debian deriv)
18:08 < batch> sweet thx
18:08 < electricmilk> When hosts are behind NAT using port address translation it uses unregistered TCP ports. How come a port scan never shows these ports as open.
18:08 < jim> but centos is not, you'd have your work cut out for you
18:08 < batch> electricmilk maybe because icmp is disabled?
18:09 < batch> via iptable rules then or so
18:09 < electricmilk> It is but why would that matter?
18:09 < batch> icmp is ping
18:09 < electricmilk> sure but...
18:09 < batch> yeah hmm idk
18:09 < likcoras> Is there some service similar to canyouseeme that works for ipv6?
18:09 < electricmilk> If I scan my WAN IP I see the open ports I've forwarded
18:10 < electricmilk> But I don't see the port address translation ports even though I'm scanning all 65,535
18:10 < batch> ooh
18:10 < electricmilk> Not sure why denying pings would matter
18:10 < batch> damn i remembered that some time ago
18:10 < tds> electricmilk: only established connections will be allowed
18:10 < batch> to change from filtered to open
18:10 < electricmilk> They don't even show as filtered in nmap
18:10 < tds> so random new tcp connections from other IPs and source ports will just be rejected/dropped
18:10 < electricmilk> ah I see
18:11 < electricmilk> Anyway to tell if my PAT ports are close to being exhausted?
18:11 < tds> what kind of router is this? linux?
18:11 < electricmilk> SonicWALL TZ500
18:11 < tds> ah, not a clue in that case
18:11 < electricmilk> I have a block of IPs and want to see if it's worth my time to setup a NAT pool
18:12 < electricmilk> I know how to do this on Cisco but on SonicWALL...not so much
18:12 < electricmilk> Perhaps I'll just call them
18:12 < electricmilk> You'd think the logs would tell you if the ports are exhausted
18:12 < batch> how would you fix it on cisco electricmilk
18:13 < electricmilk> I'd implement a NAT pool so hosts would use multiple WAN IPs
18:13 < electricmilk> The commands are fairly simple
18:13 < batch> oh right hmm wait
18:13 < batch> i have some NAT settings in my tplink
18:13 < batch> but to use NAT it requires something
18:13 < batch> forgot what, let me see
18:15 < pekster> You can often lower the TTL on established connections to something on the order of an hour or several; that breaks applications that actually want to keep a long-lived but idle TCP socket, but IMO if they can't send 1 keepalive per hour minimum, they can just re-connect, in most cases
18:15 < batch> in my tplink i can enable NAT and hardwareNAT
18:15 < batch> probably not what you are looking for i guess hmm
18:15 < pekster> That combined with a sufficiently large port-range for ephemeral outbound connections tends to be sufficient unless you have a LOT of sessions going on
18:16 < cowsay> Hey this is related to Azure virtual networks, but I assume the same applies to standard networks. When this virtual network was set up, the primary subnet was set to 10.0.0.0/24. I need to open up the address space so I can create other subnets, so I need to change primary to, say, 10.0.0.0/8. How will windows servers react to this change?
18:17 < pekster> A /8? You want up to 256^3 or 1.7 _million_ hosts on a single network?
18:17 < pekster> I suspect that will end badly for you
18:18 < pekster> If by "other subnets" you mean discrete networks you plan to route between, you wouldn't set the /8 as all on-link. Maybe you'd be happier with a /20 (up to 4k hosts, which is still a LOT for a single subnet in most cases)
18:19 < cowsay> pekster, or /16, whatever.. just an example. I need to create a 2nd subnet on the same network, but only 255 addresses were reserved on the primary subnet. I need a secondary subnet on the same interface in order to connect azure AD to an existing VM
18:19 < cowsay> I'm not a network guy
18:19 < pekster> A single NIC can have multiple networks, but unless you're doing VLANs (802.1q tagging) they'll all be sharing the same Ethernet broadcast domain
18:20 < cowsay> there are already servers in the 10.0.0.4-7 range, and i don't want to have any impact on them
18:20 < batch> cowsay google vlsm
18:20 < cowsay> ok thanks guys.. will explore other things
18:24 < cowsay> gah, this is confusing. I admire you network people lol
18:27 < batch> there's an online calculator for vlsm cowsay
18:27 < batch> http://www.vlsm-calc.net/
18:28 < batch> how many total networks do you actually need in future?
18:28 < cowsay> I am going to try to better explain where I'm at here. Maybe my thinking is just off, I'm not big on networking.
18:29 < cowsay> I'm setting up Azure AD. It is recommended to set AD up on its own subnet. There is a caveat on the instructions: "must exist in the same virtual network as the one that contains the network interface currently attached to the VM". The virtual network attached to the VM is currently the one with a primary subnet of 10.0.0.0/24 .. I need to add a secondary subnet to that network and this is where I'm stuck
18:30 < batch> oh i see
18:31 < cowsay> there are live machines on 10.0.0.5 thru 10.0.0.7 and I don't want any impact on them
18:31 < shibumi> basic questions: When I want to connect two bgp peers that are in a separate LAN, which options do I need to set in FRR or Quagga for bgpd? I tried it with the same settings as the others but doesn't seem to work :S
18:31 < batch> yeah like what pekster said last cowsay
18:32 < batch> virtual ethernet adapters would be best
18:32 < batch> vlans or virtual ethernet adapters
18:32 < acoctres> Think they gonna make vnex4 anytime soon?
18:33 < cowsay> hmm, ok.. I'll look into that.. thanks
18:36 < jim> batch, if you build the package on the ubuntu box and it has a few interfaces, it will arrange to start it on boot, at which time it will find the default route and the appropriate ip addresses, and spit out the iptables rules to make ipmasqed (NATed) networks out of the non-default interfaces, and route machines on them through the default route
18:36 < jim> works great :)
18:37 < batch> yeah i hope to get it done once soon :p
18:37 < jim> there's a couple things I didn't finish yet, like the point to point thing, if you have point to point
18:38 < acoctres> What's the point? LOL I will see myself out.
18:44 < batch> jim no sorry hmm
18:50 < CounterPillow> Hi, apparently my distro's default ufw config does not play nice with Hetzner's ipv6. I lose ipv6 connectivity after a few minutes, and I can see the dropped counter in the INPUT chain increase when I try to ping -6 something.
18:51 < CounterPillow> Here's ip6tables: https://0x0.st/seWx.txt here's some ip -6 stuff https://0x0.st/seW3.txt
18:51 < CounterPillow> I've basically spent all afternoon trying to chase down what causes it
18:52 < CounterPillow> and now my shoulders ache, my cat is about to start a hunger-induced mutiny, and I'm about to disable IPv6 and try again in a decade
18:54 < acoctres> Good luck amigo
18:54 < CounterPillow> t-thanks
18:54 < cowsay> Ok, so I think the only reason Azure recommends setting up a separate subnet for Azure AD Domain Services is to keep the resources separate for administrator use (just to keep things organized). Can anyone see a reason why not to just stick it on the default 10.0.0.0/24 subnet?
18:54 < jim> if your networking doesn't do point to point on any of your interfaces, that's good... I just haven't finished that part yet
18:54 < cowsay> It's a small organization, the grouping doesn't matter really
18:56 < jim> anyone know where the git repo of iproute2 is stored?
18:56 < Dagger> CounterPillow: have you tried disabling the firewall?
18:57 < Dagger> CounterPillow: those packet counters are kinda weird. it looks like you have no outbound ICMPv6, but you would surely expect `ping` to generate some of that
19:01 < CounterPillow> may have been due to a ufw reload, here's ip6tables after sending 11 unsuccessful pings to google https://0x0.st/seW0.txt
19:02 < CounterPillow> but yeah, hmmm, still 0
19:02 < Dagger> I see this: 13 1352 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp echo-request
19:02 < CounterPillow> I just tried a ufw disable, and ping -6 still doesn't work, hmmm
19:03 < CounterPillow> $ ip -6 neigh
19:03 < CounterPillow> fe80::1 dev eno1 lladdr cc:e1:7f:ac:7f:17 router REACHABLE
19:03 < Dagger> can you at least `ping fe80::1%eno1`?
19:09 < CounterPillow> Dagger: will try after dinner, currently numbing the pain with beer and tortelloni
19:18 < CounterPillow> Dagger: yep, I can ping that
19:20 < Demos[m]> Why are techs always totally unable to use google while looking for parking?
19:22 < CounterPillow> https://0x0.st/seWn.jpg let's do this!
19:22 <+xand> Demos[m]: driving and using the internet together aren't very wise
19:23 < Dagger> CounterPillow: at least something works... can you try pinging 2001:19f0:7000:8005:1234:1234:1e42:cbe4?
19:24 < zenix_2k2> guys, how can i get the maximum amount of backlogs in python ?
19:24 < CounterPillow> that doesn't work :(
19:24 < zenix_2k2> sock. i think but don't really remember
19:24 < zenix_2k2> socket*
19:24 < Dagger> 21:24:01.372915 IP6 2a01:4f8:202:6310::2 > 2001:19f0:7000:8005:1234:1234:1e42:cbe4: ICMP6, echo request, seq 3, length 64
19:24 < Dagger> I'm getting it
19:25 < CounterPillow> interesting
19:25 < Dagger> do you see anything relevant in `tcpdump -ni eno1`?
19:25 < Dagger> either incoming pings, or maybe ICMPv6 from the router
19:26 < CounterPillow> can I filter that to v6 only?
19:26 < Apachez> CounterPillow: dont drink and ping
19:27 < Dagger> `tcpdump -ni eno1 ip6`
19:27 < CounterPillow> hmmm, not seeing anything there
19:27 < Dagger> while you're pinging, I should say
19:28 < CounterPillow> oh, sec
19:29 < CounterPillow> seeing some stuff https://0x0.st/seWF.txt
19:29 < zenix_2k2> uhm... hello ?
19:29 < CounterPillow> (that's ping -6ing google)
19:31 < Dagger> it looks kinda like the problem is somewhere upstream then. outbound packets make it out to the internet, but there's no sign of even an attempt to deliver the return packets to you
19:32 < CounterPillow> welp
19:32 < CounterPillow> weird that it worked for a tiny bit after a reboot then
19:32 < Dagger> you'd expect to see either the reply packets themselves or a neighbor solicitation from the router. since there's neither, I don't think it's even trying to deliver them to you
19:32 < Dagger> yeah, that's weird :/
19:34 < CounterPillow> Maybe I should ask Hetzner and hope they don't answer with "is it okay if we try rebooting your server?" again
19:38 < jason85> Can iptables detect and block SSH traffic by inspecting the TCP packets, so that it could detect SSH traffic on ports other than 22, too?
19:38 < Dagger> https://lists.debian.org/debian-ipv6/2016/09/msg00006.html this seems vaguely related, but doesn't really have an answer... except that their server has two network interfaces, and disabling v6 on one makes the other one work fine
19:38 < zenix_2k2> Uhm, hello ?
19:40 < tds> jason85: https://github.com/betolj/ndpi-netfilter
19:43 < zenix_2k2> guys, how can i get the maximum amount of backlogs in python ?
19:43 < zenix_2k2> with the socket module
19:44 < CounterPillow> Dagger: hmmmm, "net.ipv6.conf.all.use_tempaddr = 2" on my system
19:44 < CounterPillow> but "net.ipv6.conf.eno1.use_tempaddr = 0"
19:44 < Dagger> they'll be in `ifconfig` if they're being used
19:45 < jason85> tds: Thanks
19:47 < CounterPillow> I don't see anything suspicious in ifconfig
19:50 < CounterPillow> well, sysctl.d/10-ipv6-privacy.conf did have the tempaddr stuff set to 2
19:50 < CounterPillow> I changed that and also ran sysctl on the values
19:50 < CounterPillow> Should that be enough to theoretically make it give me my packets again if that was it?
19:51 < CounterPillow> or do I need to reset the ipv6 stuff somehow
19:52 < Dagger> they weren't being used anyway, so it seems like it shouldn't make a difference
19:52 < Dagger> unless maybe it changes something in early boot, but if so then you'd need to reboot to see a change
19:53 < CounterPillow> https://0x0.st/se4X.png there's also this fun file
19:55 < CounterPillow> which may be conflicting with ufw's sysctl stuff, which has this (hopefully inversely labelled?) section https://0x0.st/se4K.png
20:04 < CounterPillow> okay, rebooted and I have ipv6, for now. let's see if it goes away again
20:06 < electricmilk> omg TPx support is embarrassingly bad.
20:19 < CounterPillow> for future reference, here's some output of ipv6 working https://0x0.st/se4m.txt
21:14 < Atro> Guys, how do I networking
21:14 < Atro> These people are ignoring me
21:16 < turtle> Start with a "Hello" finish with a happy ending
21:16 < xamithan> What doing networking?
21:18 < detha> Atro: you take some data. you strap a header to it, and call it a packet.
21:19 <+catphish> Atro: basically you working, but you get first
21:19 < Atro> xamithan: but what about the MTU?
21:20 < Atro> Errr detha^
21:20 < Atro> catphish: wot
21:21 <+catphish> Atro: *net first
21:22 < detha> MTU only applies to unionized packets
21:23 < Atro> catphish: do i need a PSK to understand you?
21:23 <+catphish> Atro: take the red pill and all will be clear
21:23 < pekster> Only if cätphish is using Phase Shifted Keying to talk to you
21:23 < Atro> catphish: you mean the PFS?
21:24 <+catphish> yes http://www.thepfs.org/
21:24 < tyzoid> PSK is mostly useful for low-bandwidth ota communication
21:25 <+catphish> perhaps we should simplify and use CW
21:25 < detha> IP-over-Morse?
21:26 < tyzoid> problem with cw is it's not exactly the most reliable of communication protocols, especially when it's entered by hand a lot
21:26 < tyzoid> the SNR needs to be sufficiently high with cw
21:26 < tyzoid> where afaik, psk can be a bit lower with SNR
21:26 <+catphish> i disagree
21:26 < tyzoid> been a while since I've worked with them, though
21:27 <+catphish> i'd say CW requires by far the least SNR of any protocol
21:27 < tyzoid> I wouldn't say that, given that there are other encoding schemes that can work below the noise floor
21:27 <+catphish> it's so easy to detect
21:28 < detha> And every operator has a distinct 'key' that other operators can pick up. Authentication taken care of
21:28 < tyzoid> lol
21:28 <+catphish> i've only ever done CW once, required to get my radio licence lol
21:29 < tyzoid> no longer required for ham radio in the states, which imo is pretty cool, but also somewhat sad
21:29 <+catphish> shame, it's kinda fun
21:29 <+catphish> you don't have to learn it here, or use it with any skill
21:29 < tyzoid> yeah, I've been meaning to learn it, but haven't had time to practice
21:30 <+catphish> you just have to send and receive one message at any speed you like with a cheat sheet for the test
21:30 <+catphish> to demonstrate that you understand the concept
21:30 < tyzoid> Well, I've already got my license, so I don't need to do it for a test
21:31 <+catphish> i have a 10W licence, one day i should actually get a radio and see how far i can get with that power
21:31 <+catphish> probably a decent distance with the right antenna
21:31 < tyzoid> catphish: What country?
21:31 <+catphish> tyzoid: UK
21:32 < tyzoid> ah
21:32 < tyzoid> catphish: With the amateur radio licenses we have here, I can broadcast at an insanely high power if I needed to
21:32 < tyzoid> up to 1.5kW, depending on intended communication
21:34 <+catphish> tyzoid: in the UK there are 3 licences, with different powers, 10W, 50W and 400W, i know some places allow 1kW+, but we don't
21:34 < detha> "intended communication: CW to neighbour. Receiving device: one fluorescent tube"
21:34 <+catphish> tyzoid: on the other hand, they're not frequency-restricted, so unlike some places, i can do 10W on *any* band
21:34 <+catphish> detha: lol
21:35 < tyzoid> Yeah, ours are differentiated by frequency, so I can only operate VHF/UHF, with a little HF
21:35 <+catphish> so i can do 10W HF, which is actually kind of a cool challenge to see how far you can get with so little power
21:36 < detha> that will need a rather large antenna
21:36 <+catphish> yep :)
21:37 < tyzoid> Yeah, I should really study up for the next class of license
21:37 < tyzoid> the Technician/beginner license is really easy to get
21:37 <+catphish> actually, not totally true about bands
21:37 < tyzoid> but anything more requires a lot more knowledge
21:37 <+catphish> i'm not allowed to use 2.4GHz
21:37 < tyzoid> ah
21:37 < tyzoid> shame
21:37 <+catphish> but if i had a 50W licence i could do 50W on 2.4GHz
21:37 < detha> and on 10GHz ?
21:38 <+catphish> yes
21:38 <+catphish> 10000-10125 - 50W
21:38 < tyzoid> Not sure if it's the same where you are, but here in the States, Amateur / Licensed operation is prioritized over ISM use, which means if a neighbor is interfering with my 2.4GHz operations, they'd legally be required to change frequencies / shut down their router
21:38 < tyzoid> I've got a funny anecdote about that
21:39 <+catphish> not here, 2400-2450 - Secondary. Users must accept interference from ISM users
21:39 < tyzoid> Where I went to college, there was a policy against students running wireless networks in the dorms, as they interfered with the campus wifi
21:39 < tyzoid> but one student was a licensed user
21:39 < tyzoid> which means he has priority
21:39 <+catphish> lol
21:39 < tyzoid> so the college's IT staff used to go around and essentially dos the student's networks
21:39 < tyzoid> trying to take them offline
21:40 < tyzoid> so he went to the FCC and claimed purposeful interference
21:40 <+catphish> that is illegal in most places
21:40 < tyzoid> and long story short, they got told to quit it
21:40 <+catphish> here pretty much all radio users must tolerate each other, deliberate interference is always illegal
21:41 <+catphish> although many bands are secondary to the military
21:41 < tyzoid> I think it's the same, but I'm sure there are details I'm missing, since this is a story I've heard second (third?) hand.
21:42 <+catphish> your story is only semi-plausible
21:42 <+catphish> to be an amateur radio user, you have to follow some conventions, no encryption, you must prefix communications with your callsign
21:43 <+catphish> so using wifi as-is wouldn't really qualify
21:43 < detha> set SSID to call-sign ?
21:43 < tyzoid> There's multiple different interpretations of that - encryption can't be used for the purposes of obfuscating the data
21:43 <+catphish> also, while interfering with someone's wifi signal is illegal, the college could probably just expel you if you didn't follow their rules
21:43 < tyzoid> but it could possibly depending on the interpretation be used to enforce authentication
21:44 < tyzoid> detha: That's what most people do, set ssid to call sign, then set network open
21:44 <+catphish> tyzoid: well here you can't use encryption, full stop, the data must be readable
21:44 <+catphish> setting SSID to the callsign might be considered OK
21:45 <+catphish> but you also couldn't use TLS
21:45 < tyzoid> catphish: That's actually standard practice, though usually it's a microwave link, and not normal wifi
21:45 <+catphish> the internet would be pretty useless
21:46 <+catphish> on the plus side, you can do it at 100W and cook your food on the antenna :)
21:46 <+catphish> i don't own a radio :( really should get one
21:47 <+catphish> wonder how much a HF and VHF radio costs
21:48 < tyzoid> catphish: http://www.broadband-hamnet.org/images/stories/DataEncryptionIsLegal.pdf
21:49 < tyzoid> This applies in the US, but essentially the argument is that some encryption is required to ensure only hams can connect
21:51 < siix> hey folks - what's the best way to track down which device on a LAN is using up the internet bandwidth?
21:52 < tyzoid> siix: do you have the ability to capture the packets on that segment?
21:52 < tyzoid> if so, it should be pretty easy to measure relative packet count
21:52 < tyzoid> otherwise, you'll need access to the router
21:52 < tyzoid> iptables has a feature where you can count packets of traffic
21:52 <+catphish> tyzoid: just read that, i'm really not convinced
21:53 <+catphish> tyzoid: i guess it holds up where it was written, but it has the side effect of making the communications themselves unreadable to other licenced users
21:53 <+catphish> which IMO is unacceptable under the rules here
21:53 < tyzoid> The rules here make no mention of needing to be able to intercept traffic
21:54 < siix> tyzoid: i have access to the router, yes, so i should be able to grab packets. router has several wired clients but i believe the majority of the traffic is coming from one of the wireless clients
21:54 <+catphish> tyzoid: the actual rule in the UK is: "Messages sent from the station shall not be encrypted for the purposes of rendering the Message unintelligible to other radio spectrum users."
21:55 < Alina-malina> https://pastebin.com/raw/Za6iyAWM someone ban this idiot from here please....or at least dont provide any help, hes harassing in PMs to people for many years, and using different nicknames like Neo4, just sayin...
21:55 < tyzoid> Then this argument might still apply
21:55 <+catphish> now, you could try to argue you were encrypting for some other purpose
21:55 <+catphish> but IMO if you wanted *authentication* you can do this without encrypting the payload
21:56 < siix> tyzoid: ideally something like a real-time bar graph of traffic load by client on an interface would be great
21:56 < tyzoid> not with 802.11, though
21:56 <+catphish> tyzoid: that's correct, and IMO that makes encrypted 802.11 unsuitable for amateur radio usage
21:56 < tyzoid> siix: there is custom router firmware for that, Ubiquiti makes some great stuff for the edgerouter
21:56 < siix> tyzoid: i'm limited there. the router is an asus
21:57 < tyzoid> catphish: No, any 802.11 authentication scheme uses encryption, which means it's impossible to 802.11 and have auth
21:57 <+catphish> tyzoid: well i agree
21:57 <+catphish> hence you would need to make a new protocol
21:58 <+catphish> however it's also clear that unencrypted 802.11 also fails to meet the requirements
21:58 < CounterPillow> Dagger: looks like you pointed me in the right direction. IPv6 hasn't died yet.
21:58 <+catphish> because it can communicate with non-licenced users
21:58 < CounterPillow> Dagger: <3
21:58 <+catphish> so basically, in my opinion (which doesn't count for much), 802.11 can never be used as-is for amateur communications
21:59 <+catphish> tyzoid: the argument in that article is interesting, but i would not be happy about it
21:59 < Dagger> CounterPillow: note that I'm pinging you every 15s, that might potentially have something to do with it
21:59 < Dagger> CounterPillow: I'll stop that now
21:59 < CounterPillow> oh D:
22:00 <+catphish> the UK rules also say " The Licensee may use codes and abbreviations for communications as long as they do not obscure or confuse the meaning of the Message."
22:00 < CounterPillow> If you're the only one keeping me alive then that would be hilarious
22:00 <+catphish> it's pretty clear they don't want encryption at all
22:06 < detha> the entire 'no encryption' thing is to make it easy to check if someone violates some of the other conditions, like 'Not carrying commercial traffic'
22:12 <+catphish> detha: not entirely
22:12 <+catphish> although i'm sure that's one reason
22:12 <+catphish> but the whole point of amateur radio is that people can enjoy both transmitting and listening
22:13 < detha> I'm pretty sure it's the main reason. There are others, but those serve to prop that one up
22:25 <+catphish> since it's quiet here, i'd like to express 2 controversial opinions 1) the USA should ban guns 2) the UK royal family need to go away
22:28 < tyzoid> catphish: But what about all the people who participate in Hunting?
22:29 < tyzoid> Game hunting is a huge thing here
22:29 <+catphish> i don't know much about that
22:30 <+catphish> but here guns can be licenced for hunting, there are lots of conditions, they have to be stored securely, and it's not a problem, so as long as it's properly controlled, i see no problem
22:30 < tds> I don't care that much about the royal family still being around, bbc news sending out push notifications every 5 mins about it is getting annoying though
22:31 < tyzoid> Also, you don't have a right to a gun put into your country's founding documents
22:31 <+catphish> i used to be ok with the royal family, figured if they mind their own business, they're not harming anyone
22:31 < tyzoid> plus, the context in which that exists makes it very difficult to push any legislation through that limits it
22:31 < petemc> they mostly do, apart from Charles
22:32 <+catphish> but today i read about homeless people having their belongings confiscated by anti-terror police just because some rich folk want to get married nearby
22:32 < Dagger> I have to go into London tomorrow
22:32 <+catphish> and i think "fuck them"
22:32 < Dagger> it shouldn't be too busy, right...?
22:33 <+catphish> tyzoid: honestly, the USA has way too much time for those old documents, they need to start making laws for today 22:33 < petemc> might be a few around windsor area 22:33 < tyzoid> catphish: That old document is the rules by which our country operates and is what gives power to all of our institutions 22:33 <+catphish> tyzoid: it's not that hard to amend the US constitution, you just need a large majority, but instead they treat it like some kind of holy document that must never be questioned 22:34 < tyzoid> "not that hard," - it is that hard to get people to agree 22:34 < tyzoid> esp. when there's major financial incentives to keeping it as is 22:34 <+catphish> tyzoid: in fact, the right to bear arms is itself an emendment! 22:34 < petemc> if a load of you children being shot in their school doesnt change peoples minds, nothing will 22:34 < tyzoid> ^ 22:34 < steevo> catphish, not really, only kind of. 22:34 <+catphish> so IMO treating is as gospel is bullshit 22:34 < petemc> s/you/young/ 22:35 < steevo> the bill of rights just defines natural rights, it doesn't actually _give_ rights 22:35 < tyzoid> steevo: Incorrect 22:36 < tyzoid> it actually does 22:36 < steevo> tyzoid, no, it actually doesn't 22:36 <+catphish> tyzoid: and yes, i realise it's hard to get people to agree, and it's right that it requires a huge majority to change these things 22:36 < tyzoid> steevo: it does so by limiting what congress, and the states have a right to regulate and restrict 22:36 < tyzoid> it gives that power to the people 22:37 < steevo> tyzoid, you are correct, before you explained I thought you meant something different 22:37 < tyzoid> and there has only ever been one time where an amendment to the constitution has been repealed, and that was when rights/abilities were being taken away 22:37 < tyzoid> (a la prohibition) 22:37 < tyzoid> steevo: I see 22:38 <+catphish> tyzoid: sadly a lot of (arguably more important) rights have been taken away, because they 
happened not to be relevant when those old documents were written :( 22:38 < tyzoid> catphish: I agree wholeheartedly with that 22:39 < steevo> catphish, can you give an example? 22:39 < tyzoid> steevo: The "right" to privacy? 22:39 <+catphish> steevo: privacy is the obvious one 22:39 < steevo> catphish, tyzoid, I agree with that. Makes sense why they didn't think of it though 22:39 < tyzoid> exactly 22:40 < tyzoid> because people weren't in the habit of carrying around magical devices that could report precise position at any moment 22:40 <+catphish> tyzoid: and lets not forget the really obvious one - freedon 22:40 < tyzoid> nor were communicating via electromagnetic signals that could be intercepted without either party noticing 22:40 < tyzoid> catphish: freedom, how so? 22:40 <+catphish> the USA had quite a long period where they thought enslaving humans was ok 22:40 < tyzoid> (not disagreeing with you, just curious) 22:41 <+catphish> because there was nothing in the original constitution prohibiting it 22:41 < steevo> catphish, the humans were actually enslaved elswhere, just after they got to the USA, they weren't freed 22:41 <+catphish> steevo: technically true 22:41 <+catphish> but i'm not sure the black people would say that was an important distinction :) 22:41 < tyzoid> steevo: You could also argue the other way, by the fact that people could be born into slavery on US soil 22:42 < steevo> tyzoid, true 22:43 <+catphish> i actually genuinely can't comprehend how "We hold these truths to be self-evident, that all men are created equal" was so ignored 22:43 <+catphish> "that they are endowed by their Creator with certain unalienable Rights, that among these are Life, ***Liberty***"... 22:43 <+catphish> bafflng 22:43 < steevo> catphish, aye 22:45 <+catphish> the only conclusion i can arrive at is that the constitution is interpreted to convenience the rich 22:45 <+catphish> and this remains the case 22:46 < steevo> catphish, I don't know. 
Sometimes it does seem that way 22:48 <+catphish> i believe that in most developed countries, rule is bought with cash 22:48 < steevo> catphish, I am sure that's true in some cases. I know for a fact the 'little guy' wins on occasion though. 22:49 <+catphish> i mean, do we really believe that people like donald trump just happened to be the best person for the job, or maybe there might be some element of being able to buy your way to the top 22:49 <+catphish> steevo: fortunately, the judiciary in most countries seem to provide some balance 22:49 < steevo> catphish, he did have to posess the resources required to campaign, which most people don't have 22:50 < UncleDrax> "8-Port Gagabit w/POE".. is a Gagabit more, less, or equal to a Gigabit? 22:50 <+catphish> UncleDrax: lol, i'd say it was the same, but more musically talented 22:50 < S_SubZero> LadyGagaBit (caught in sad packet loss) 22:50 <+catphish> :) 22:51 <+catphish> steevo: this is the problem, the pool is really rather reduced to those people that have already flourished under the existing regime 22:52 < steevo> catphish, or those who can convince the conventions and such that they are worth supporting 22:53 <+catphish> steevo: well sure, but i fear that rarely includes anyone who isn't either extremely rich, or already part of the family 22:53 < steevo> catphish, in national governments that is very true. 
More localised governments are much easier to "break into" though 22:54 <+catphish> consider that the USA escaped monarchy, only to end up with a new kind of inherited power 22:54 <+catphish> steevo: yes, that is certainly true, i always advocate moving as much power as possible to local government 22:54 < steevo> catphish, which is why states rights should be a much bigger deal in the US 22:55 <+catphish> steevo: i agree entirely 22:55 <+catphish> i think there's a good balance to be had between areas of control (state vs national vs international treaties) 22:56 < steevo> catphish, that is actually what the confederacy wanted when they seceded from the union 22:56 < UncleDrax> so Gagabit aside, anyone have suggestions for a 3-4port GigaBit PoE/PoE+ VLAN capable switch with an SFP+ uplink. Looking for something that's easy to keep managed for ~100 units without much fuss/fiddly-bits 22:57 <+catphish> steevo: consider that in the UK, it was deemed too much control was being given to the EU, so we're leaving 22:57 < UncleDrax> MTs seem to fiddy to me for this.. but if someone does em at that (or larger) deploy, i'd be curious to know 22:57 < steevo> catphish, my understanding of the situation is limited, but it seemed to me that brexit was a good idea 22:57 <+catphish> steevo: personally i like the EU, i wish more control could have stayed where it belonged 22:58 <+catphish> i wish we have delegated to the EU where it was a good ideal but kept control nationally where it was a good idea, but even more so, i think a lot more control in the UK should go to even smaller regional government 22:58 < tds> UncleDrax: any reason for wanting so few gbit ports, but with a 10gb uplink? 22:58 <+catphish> because i believe in retaining control, but not being isolationish 22:59 < tds> I'd have thought a bonded pair of 1g links might work better for that 22:59 <+catphish> *isolationist 22:59 <+catphish> UncleDrax: you really need 10G uplink? 
23:00 < UncleDrax> tds: catphish: sorry.. just regular SFP.. i got carried away with the + signs.. stupid PoE 23:01 <+catphish> UncleDrax: well, mikrotik definitely make such a device 23:01 <+catphish> UncleDrax: you need managed? 23:01 < detha> UncleDrax: '3-4 port' and 'sensibly managed' narrows the options somewhat. 23:02 <+catphish> i'd say mikrotik may be the only such device 23:02 <+catphish> https://mikrotik.com/product/RB260GS 23:02 < detha> There's industrial stuff that fits that bill, but I don't think you want to pay for 100 of those 23:02 <+catphish> The RB260GS is a small SOHO switch. It has five Gigabit Ethernet ports and one SFP cage powered by an Atheros Switch Chip. 23:03 < UncleDrax> detha: $100? not out of the budget. whatchagot? 23:03 < HJJHJH> pictures my sister in bikini - https://volafile.org/r/jt77w9w8 23:04 < detha> UncleDrax: don't think $100 will do that, but lemme look 23:04 <+catphish> somehow i doubt that link is what it claims to be 23:04 < UncleDrax> these will live in an levinton box in a garage in a subtropical climate.. if there's a sub$200 industrial-grade box that fits thebill, i'm definately all ears 23:04 <+catphish> UncleDrax: did you see my suggestion? 23:05 < UncleDrax> ya, I got a HEX POE at home actually.. do those boot faster and more rugged? size wise they are awesome, but I worry about the fiddly-bit nature of MTs a lot for rolling out to remote locations 23:06 <+catphish> UncleDrax: maybe https://www.tp-link.com/uk/products/details/cat-39_T2500G-10TS.html 23:06 < UncleDrax> are those passive PoE only? def will need 802.3af/at though.. going to hang APs off them 23:07 <+catphish> twice the price of the mikrotik 23:07 < UncleDrax> catphish: ya I was looking at the TP link options.. 
might just have to pick up a couple just to test em 23:08 <+catphish> personally i'd go with the tp-link, i have a weird inexplicable personal dislike of mikrotik's software 23:08 <+catphish> the tp-link just seems more rugged too 23:08 < UncleDrax> ya I don't dislike it, but it's definately what i'd call 'fiddly'.. sometimes too many knobs is A Bad Thing 23:08 < detha> UncleDrax: https://www.moxa.com/product/EDS-P506A-4PoE.htm 23:08 < UncleDrax> the MTs 23:09 <+catphish> also, plastic case is never a winner for me on anything serious 23:09 <+catphish> detha: those looks great 23:09 <+catphish> ...Starting From $1,490.00 23:09 <+catphish> no 23:09 < UncleDrax> detha: need Gig (and I'll poke at their other offerings) 23:09 < detha> catphish: those things are quite nice. $$$ though. 23:09 < UncleDrax> ya.. 23:10 < UncleDrax> but that's like certified rugged stuff, you'd put that in a metal traffic control box type thing 23:10 < UncleDrax> or in the middle of a steel mill 23:11 < detha> yup. they can handle that. cisco-like CLI, nice and easy. 23:12 < UncleDrax> and they do modbus.. *vomits a little* 23:12 < UncleDrax> but ya if I was running a factory, i'd be all over that 23:13 < UncleDrax> was just curious what else might be in teh space I was missing.. hard to keep from getting blinders 23:15 < detha> The 'sensibly managed' part is the difficult one here, plenty Netgear and similar stuff that fits, but either unmanaged or GUI only 23:15 < UncleDrax> appriciate the input, please resume your regularly scheduled political conversation 23:15 < UncleDrax> ya unmanaged irks me as thing. pure CLI isn't a big deal, but i'd have to write some glue to expose stuff to our HellDesk 23:15 <+catphish> the tp-link i linked was managed 23:16 <+catphish> seems idea if you want reasonable quality but not enterprise 23:16 < UncleDrax> well, I want enterprise/SP quality, but not enterprise/SP price.. 
like most people :] 23:16 <+catphish> of course :) 23:17 < UncleDrax> putting questions out to a few VARs too.. we'll see 23:17 <+catphish> i still believe netgear provide that when it comes to switches 23:17 < UncleDrax> speaking of which, found one of those old 4-port Netgear 10base-T HUBs at our CO the other day.. classic stuff that 23:17 <+catphish> they have some crappy devices, but most are seriously reliable, and because of lifetime warranty, they replace the crappy ones 23:18 < detha> Let us know if you find anything, always interested in more cost-effective things that still do the job 23:18 < UncleDrax> the kind with the 'uplink' mode button. ahh memories 23:18 <+catphish> those hubs are iconic 23:18 <+catphish> this one? https://images-na.ssl-images-amazon.com/images/I/715NRWW6N0L._SX355_.gif 23:18 < UncleDrax> that's the one 23:18 <+catphish> :) 23:19 < detha> memories.... 23:19 < UncleDrax> we used them for ethernet drops on our Nortel JungleMUXs I think.. .. homie don't do TDM 23:20 < UncleDrax> had to be a hub because of how they did the SONET fast ring or some such.. I am not a SONET tech (IANAST?) 23:20 < UncleDrax> anywho 23:20 < UncleDrax> ya appriciate the input, i'll poke at it and if I find some amazing box, i'll report back --- Log closed Sat May 19 00:00:25 2018