--- Log opened Wed May 23 00:00:29 2018
00:09 < BrandonM> Is it possible to have a separate vlan and tag specific ports just for pxe booting? (Already have pxe on the current network for sccm07, want this vlan specific for sccm 1802)
00:12 < xamithan> sure why not?
00:12 < Apachez> you can tag shit too if you want if you use ipxe
00:19 < BrandonM> xamithan I just want some clarification if it's possible without the need of taking ccm 07 offline, heh.
00:23 < xamithan> If ccm07 can't see the separate vlan there is no need
00:27 < xirg> hello, i'm looking into a san or nas for shared storage on a home network as well as a host for a virtual machine running ubuntu desktop
00:27 < xirg> any recommendations?
00:28 < Apachez> synology?
00:28 < Apachez> hp virtual storage
00:28 < Apachez> depends on the size of your wallet
00:29 < kiokoman> readynas ?
00:30 < xirg> hello if anyone answered my question plz repeat it, I just moved to my laptop
00:30 < xirg> if not disregard
00:33 <+catphish> synology are good, for nas not sure i can recommend them for a VM host though
00:34 < xamithan> grab a synology or qnap and an intel nuc
00:35 < xamithan> Assuming cost isn't a factor
00:37 < xirg> is the intel nuc power efficient?
00:38 < petemc> yes
00:45 < drac_boy> hi
01:15 < star> Is it worth using OpenWRT/LEDE over TP-Link's probably proprietary firmware? (other than ease of mind)
01:17 < xamithan> I don't because I wouldn't get the full wifi AC speed
01:18 < xamithan> Otherwise openwrt is much more stable and robust
01:25 < RoadRunner> is this an appropriate place to ask about "how to" ssh connectivity?
01:25 < DoctorDick> ?ask
01:25 < RoadRunner> (under linux)
01:25 < DoctorDick> Just ask
01:27 < RoadRunner> if I am trying to help a friend with minimal linux knowledge to remotely repair his comp, is ssh the best way to go about it?
01:27 < xamithan> Depends on what is broken
01:28 < xamithan> If grub is broken or something in the DE, ssh isn't going to help much
01:29 < RoadRunner> DE?
01:29 < xamithan> desktop environment
01:29 < dijksterhuis> Desktop environment
01:30 < RoadRunner> let's say it's routine maintenance, where I'd have to log in, open a terminal and clean out old kernels or remove or install some apps?
01:31 < dijksterhuis> Should be fine. Just make sure you don't do anything that bricks the system, else you won't be able to get back in to fix it
01:32 < RoadRunner> rebuilding grub can only be done in person?
01:34 < dijksterhuis> Anything outside of the os would need to yes
01:34 < xamithan> If that was true we'd need a whole lot more people in the datacenter
01:35 < xamithan> That isn't true either, there is OOB management
01:35 < xamithan> Probably not on a consumer system though
01:36 < RoadRunner> OOB?
01:36 < xamithan> out of bounds, like IPMI, iDrac, IP-KVM, etc.
01:40 < RoadRunner> so far, I've heard advice like ssh, teamviewer, chrome and remote desktop extension; I am new to this so what's the best way to proceed?
01:40 < xamithan> Like we said, depends on what is broken. ssh is fine for what you said so far
01:40 < dijksterhuis> Use a google hangout or something to get them to show you the problem first
01:41 < dijksterhuis> ^ top tip
01:41 < xamithan> I don't see why the friend is incapable of typing "apt install" or "apt autoremove" themselves though
01:41 < dijksterhuis> If it's a DE thing you can guide them from there, or work out next steps as you go
01:42 < dijksterhuis> Ssh should be fine for most of what you need
01:42 < RoadRunner> dijksterhuis: please explain "google hangout"
01:43 < RoadRunner> xamithan: my friend is over 80 and doesn't want to learn unix or deal with cli...
01:43 < dijksterhuis> Video call session. Like Skype. But via the web browser
01:43 < xamithan> Why isn't he using windows then?
01:43 < linux_probe> put him on ubuntu?
01:44 < RoadRunner> xamithan: I am trying to get him to transition :) (to ubuntu)
01:44 < linux_probe> only thing i've seen sticky is upgrades
01:44 < linux_probe> distro version upgrades rather
01:45 < linux_probe> at most you'll have to remove plugins from browser and reset home page lol
01:47 < xamithan> You put them on 18.04 they'll be dead by the time it is end of life
01:47 < xamithan> (sorry if that was a bad joke)
01:47 < dijksterhuis> RoadRunner: You can get him to share his screen on a google hangout FYI.
01:47 < RoadRunner> xamithan: ...
01:47 * drac_boy thankfully doesn't even support linux personally anyway ;)
01:48 < dijksterhuis> So he can show you the actual problem then
01:48 < linux_probe> maybe setup a vpn lol
01:48 < RoadRunner> dijksterhuis: is google hangout the only such service (where screens can be shared)? I thought Firefox had something like that?
01:50 < dijksterhuis> Possibly more services out there. It's just the one I use as it's relatively simple to set up.
01:50 < RoadRunner> ok, that's certainly one way worth noting
01:50 < dijksterhuis> Sign in, start a session, email the link, they join... done.
01:50 < xamithan> anything that uses webRTC will work
01:51 < RoadRunner> webRTC?
01:51 < xamithan> the framework that most all those services are based on
01:51 < buscado> yes hello, I have not been able to access my home server since my ISP sent me a bonded adsl modem, i have turned off both ipv4 and ipv6 firewall, turned on DMZ for the server and also set up port forwarding but still nothing, anyone have an idea why this is happening?
01:51 < buscado> is there something about a bonded pair connection that keeps it from being accessed from the wan?
01:52 < RoadRunner> does anyone have a good alternative for google's offering?
02:01 < RoadRunner> assuming ssh-server is installed on the remote comp and given that my friend is on a dynamic ip where his linux comp is one of several on a lan with a router set to auto dhcp; I got to call him and explain how to open terminal, enter "inxi -i" and tell me the ip (which can be diff every time he boots), do his router settings need to be changed to let me in?
02:03 < xamithan> good luck with that, he'll need to port forward and set a static ip
02:03 < xamithan> teamviewer or hangouts might be easier to deal with
02:05 < RoadRunner> to finish off with ssh, if he gives me both his wan and lan ip's would he still need to port forward or change anything else on his router?
02:08 < djph> just use a reverse ssh tunnel if you want to ssh that bad
02:09 < RoadRunner> since it's all new to me, the same question - how?
02:10 < spaces> I have the perfect hotdog!
02:11 < RoadRunner> the amount of stuff in man on ssh is intimidating so I am looking for a way to start "slow"...
02:13 < ALowther_> Idk how you'd get through properly with NAT
02:13 < ALowther_> You can try this, as suggested by djph, I've never done a reverse SSH tunnel myself.
02:13 < ALowther_> https://www.howtoforge.com/reverse-ssh-tunneling
02:13 < ALowther_> Roadrunner
02:13 < RoadRunner> xamithan: if I set him up on a router with a static ip, would the task become more doable?
02:14 < tds> -R is the option you want for reverse tunneling (look at the man page for more details), if you want to keep it running you probably want to look into autossh
02:14 < xamithan> If the comp has a static lan IP and has a proper port forward in place then you won't need a reverse ssh tunnel
02:14 < tds> I guess these days you could also write a systemd service to run ssh
02:15 < xamithan> Honestly though, programs like teamviewer connect to a central server so they traverse NAT. It is the easier option
02:15 < ALowther_> Roadrunner, the key, I believe, is the port forwarding. You can ssh to the public IP, but it has no idea where to route that information, unless you are trying to SSH into his router....You could try SSHing into his router, set up port forwarding on his router to the LAN ip, then SSH in. The port forward tells the router which computer you are trying to contact via the IP address.
02:17 < met-denise-milan> hi
02:18 < RoadRunner> xamithan: I'll certainly look into teamviewer
02:21 < RoadRunner> ALowther_: I understand the concept but it certainly doesn't sound quick or easy... So there is no way to input both the wan and lan ip's in one go during login without port forwarding on the router?
02:21 < xamithan> Nah that isn't how networking works
02:21 < ALowther_> RoadRunner. In my experience, especially with a standard consumer router with a web interface, configuring port forwarding is easy and straightforward
02:22 < ALowther_> But as xamithan said, no...At least with IPv4. You might be able to do something with IPv6, Idk, but I doubt that is configured anyhow.
02:24 < xamithan> NAT lets the router share the WAN IP. It doesn't know which lan IP is running what services on what ports so it only allows through connections that are already existing unless you forward the ports
02:26 < xamithan> The only way around that is using UPnP (universal plug and play) which is mostly limited to IoT devices or gaming consoles and a huge security hole
02:26 < RoadRunner> his router belongs to his ip provider and you can't change nothing there; so, if port forwarding is a must which can only work predictably on a static ip, I'd have to give him one of my custom built routers built on smallWall but then he would have to learn still more stuff to use it...
02:27 < ALowther_> RoadRunner. If you can't configure port forwarding, it doesn't matter if the LAN IP is static.
02:28 < xamithan> teamviewer or google remote desktop or something else that traverses NAT sounds like your only option then
02:29 < RoadRunner> ALowther_: I get that :) - on the router I could give him I could configure everything
02:29 < RoadRunner> I guess, I'll just have to ask him to choose
02:30 < xamithan> Yeah but more than likely he has a modem|router combo that you can't bypass
02:30 < xamithan> Very few ISPs give you a separate router
02:30 < RoadRunner> I can ask his provider to exchange his current router for another in bridge mode
02:30 < xamithan> You could
02:30 < ALowther_> xamithan: Is that a thing, where you can't bypass it? I guess I have been blessed with my ISP's. I have always been able to use my own router, if I wanted.
02:31 < xamithan> I've never had one that you couldn't get into the settings, but I've heard of it happening
02:34 < RoadRunner> if he is going to be willing to learn, would you recommend I give him a gateway built on SmallWall or OpenSense? SmallWall is much easier to learn, but I believe OpenSense gives better vpn options?
02:39 < RoadRunner> xamithan: ALowther_: any opinion?
02:40 < xamithan> I've never used those two, so no opinion here =o
02:40 < ALowther_> RoadRunner: No, I've never heard of either of those. I am certainly no expert, so that doesn't mean they aren't any good.
02:40 < xamithan> I'm a pfsense fan myself
02:40 < ALowther_> I personally use MicroTik with OpenVPN
02:41 < ALowther_> RoadRunner: I am just a hobbyist for networking, so I have lots to learn myself.
02:41 < RoadRunner> ok, so, I've used openWall for like a decade, smallWall is its direct descendant and OPNsense is similar to pfsense only, from what I understand - now more open
02:42 < xamithan> I'm sure either will work just fine, mostly stuff like that is just preference
02:43 < RoadRunner> I have not used OPNsense myself (just installed it on one gateway) but it seems WAY more complex than small/mono wall; was just wondering if it does in fact give superior options for vpn and would my friend really be likely to benefit from that?
02:49 < birkoff> what are strings like \005\036\0141\000in ?
02:52 < S_SubZero> context?
03:00 < RoadRunner> ALowther_: xamithan: btw, even if I give him a configurable router, set his comp to a static ip on his lan and port forward the router, I am not on a static ip with my isp so what incoming ip would I be setting up in his port forwarding?
03:01 < xamithan> source ip can be set to any
03:02 < ALowther_> RoadRunner: You don't. Your IP can change and it will be on a per connection basis. You tell it to "pass along" connections on a specific port to a specific computer & that's what it does.
03:02 < ALowther_> That is why some people will tell you not to use port forwarding as it could be a security issue. Personally, if it's just a home LAN and you use basic security measures with passwords and a non-standard port I don't think it should be too big of a concern.
03:04 < RoadRunner> recommendations for a "non-standard" port number?
03:04 < xamithan> Any good vpn will have functionality similar to fail2ban
03:04 < xamithan> Anything above 1024 is good
03:05 < xamithan> I wouldn't choose something similar though, like 222, or 2222
03:05 < RoadRunner> just don't like the idea that any source could get through...
03:05 < ALowther_> RoadRunner: Just remember it, you will need to explicitly define it when you try to SSH in.
03:06 < xamithan> security through obscurity is just stupid IMO. using a certificate + a password is much better
03:06 < tds> the only real reason to change the ssh port is to drop the amount of noise in the logs, otherwise it's pointless
03:06 < xamithan> Yeah it'll stop those chinese bots
03:06 < ALowther_> RoadRunner: They can get to the computer, but they still need a password to get in. Unless a guest account or some other thing is enabled to let people in without a password.
03:07 < RoadRunner> xamithan: certificate?
03:07 < tds> just disable password authentication on everything, leave ssh on the default port, and you should be fine
03:08 < xamithan> A good vpn will run on SSL with certificates for each user
03:08 < ALowther_> RoadRunner: There may be some routers that allow you to only accept connections from certain IPs for port forwarding. That certainly would be a good tool. I don't think I've ever done that.
03:08 < xamithan> a worse vpn will use something like pptp and just a user|password to get in
03:08 < RoadRunner> xamithan: vpn recommendations?
03:08 < ALowther_> Wait, you're doing all of this over a VPN? Just have them connect directly to the VPN & they will be on your "local" network. You can SSH directly.
03:09 < xamithan> Whatever you want, they are mostly all the same
03:09 < xamithan> I think most people use IKE nowadays though
03:10 < RoadRunner> where is it based?
03:10 < ALowther_> I believe he is talking about a protocol for setting up your own VPN network, not using a 3rd party one.
03:11 < xamithan> Yeah the protocol, most all support IKE unless it is a really really old device
03:11 < RoadRunner> ok xamithan, where could I learn how to do that?
03:12 < ALowther_> https://openvpn.net
03:12 < ALowther_> This is what I use for my VPN network
03:13 < ALowther_> But you will need to make sure you configure everything properly, otherwise if the routing tables are messed up yourself/your friend may not be able to access the internet
03:15 < RoadRunner> I got much to learn about vpn's; best place to start?
03:15 < ALowther_> RoadRunner: For a more streamlined solution, turn off Password authentication in the sshd config file on your friend's computer, generate an ssh key with ssh-keygen, add your .pub to your friend's ~/.ssh/authorized_keys file and only you will be able to get in
03:17 < ALowther_> To clarify. Generate an ssh key with ssh-keygen on YOUR local computer. Then take that key, ONLY the public key, there is also a private key generated, ONLY FOR YOU. Put the public key in their authorized_keys file and you should be able to get in. The file/directories could be elsewhere. What I named is just a common configuration.
03:19 < RoadRunner> I am getting confused btw ssh and vpn solutions here...
03:20 < ALowther_> A VPN connection, is essentially, just a wrapper. It encrypts all of the data you are sending.
03:23 < RoadRunner> but you still need to port forward, right?
03:23 < ALowther_> Not if you have the VPN connection set up.
03:24 < RoadRunner> is there a place with a comprehensive right up on all of this; ie: a step by step cook book?
03:24 < RoadRunner> *write-up
03:25 < ALowther_> Which thing? VPN connections or SSH?
03:25 < RoadRunner> I guess both wouldn't hurt
03:27 < ALowther_> http://www.steves-internet-guide.com/understanding-port-forwarding/
03:27 < ALowther_> This isn't SSH centric, but it covers port forwarding, which is really the question at hand
03:32 < RoadRunner> I was actually hoping for something specializing in vpn and ssh :)
03:33 < SporkWitch> RoadRunner: broad questions get broad, unfocused answers
03:33 < SporkWitch> RoadRunner: if you want something more specific, you need to ask for something more specific.
03:34 < ALowther_> RoadRunner: If you read up on a VPN and really start to understand it, it will answer your SSH question. Using a VPN allows you to access any other computer also connected to the network with a LAN address.
03:35 < SporkWitch> depending on configuration, anyway
03:35 < RoadRunner> SporkWitch: alright, how about this: would really appreciate links to manuals specializing in vpn and ssh
03:36 < SporkWitch> RoadRunner: man ssh :)
03:36 < RoadRunner> did that first thing and was overwhelmed by details yet still am shy of concepts...
03:36 < SporkWitch> RoadRunner: snark aside, you have to understand that these are very high-level questions; most of the people here are working at a much lower level. What you want is going to take a google search, which means you should google it
03:37 < ALowther_> RoadRunner: VPN's and SSH don't necessarily go hand-in-hand like that.
03:37 < SporkWitch> RoadRunner: i'd suggest search strings along the lines of "what is / how does ssh / vpn work"
03:37 < ALowther_> Your question really seems to have a lot less to do with SSH and more to do with general networking and understanding how to contact other computers.
03:38 < ALowther_> I have found ssh.com to be a wonderful resource. It is maintained by the inventor of SSH
03:38 < xamithan> Might as well just go read some CCNA and CCNP books first
03:38 < SporkWitch> ^
03:39 < xamithan> Any guide you're going to find is going to be specific to whatever piece of software you are working with. Any guide like say, man ssh. Is going to be too broad to understand
03:42 < RoadRunner> considering I've been building lan's on gateways built by myself for a while, I don't think a basic lesson in networking or port forwarding is needed; I asked specifically about what I haven't used before which is ssh and vpn's. Have started today with ssh.com but perhaps I can do more research still.
03:42 < ALowther_> The solution to your question is to set up port forwarding. You then became concerned with security which got you interested in VPN. As I continue to learn, I keep coming to the same answer for myself. Everything is actually built of really small, really simple pieces. It's the combination of those tens or hundreds or thousands of simple pieces that give the perception of complexity. If you are willing to take the time to dig into ea
03:42 < ALowther_> ch small, simple, piece it all starts to come together.
03:44 < ALowther_> RoadRunner: Yes, I would read SSH.com it will state things more explicitly than "man ssh".
03:44 < xamithan> At a basic level ssh is simple though, ssh user@host, put in your password. You are done. Things get more complicated if you want to start doing reverse tunneling or setting up key pairs
03:44 < SporkWitch> eh, keypairs aren't that complicated
03:45 < ALowther_> Unless you decide you want to research the maths behind the algorithms :p
03:45 < xamithan> I don't know his knowledge level but I agree it isn't complicated. You could still get lost in pages and pages of documents explaining how crypto and PGP work though
03:45 < SporkWitch> sure, but even just the concepts of HOW it works aren't that crazy; don't necessarily need the maths directly
03:46 < SporkWitch> i was mostly just talking in terms of use, though
03:46 < tds> it gets a bit more complex if you want to use a gpg smartcard or an ssh ca or something, but yeah, it's not too bad
03:46 * SporkWitch hugs his yubikey :P
03:46 < ALowther_> RoadRunner: https://www.ssh.com/ssh/keygen/
03:46 * tds should really get another one after losing his
03:47 < SporkWitch> smartcard isn't too bad; there's easily found articles that'll hand you the settings and step-by-steps. CA does get a bit complicated, have done that one before too
03:47 < SporkWitch> and if you're on windows, well, just don't even bother; windows is shit >_<
03:48 < tds> I'm still slightly uncomfortable with storing my gpg keys on smartcards though - afaik most of them don't actually encrypt the key data with the passphrase, the chip just checks that the passphrase is correct?
03:48 < SporkWitch> (WSL could almost be viable, but it is deliberately prevented from using USB devices; gpg4win can let putty and tunnelier use yubikeys though)
03:48 < tds> it's fine for ssh since that's relatively simple to revoke/swap, but pgp is more of a pain
03:48 < ALowther_> There is a command that generates it for you. If you are able to connect to your friend's computer, you can then use ssh-copy-id, https://www.ssh.com/ssh/copy-id, to handle everything for you. Then go into sshd config and turn off password authentication, https://www.ssh.com/ssh/sshd_config/. You should be fine.
03:49 < SporkWitch> tds: i don't know about that one way or the other, but if they do what they're _supposed_ to, they're physically incapable of revealing the privkey programmatically. The only way to extract it is destructive, requires a _very_ expensive lab, and even then has a low chance of success
03:49 < SporkWitch> tds: this obviously falls apart if there's a flaw in the firmware, but as with anything, trust has to be placed at some level of the system
03:50 < tds> ah yeah, I certainly don't think extracting data off a microcontroller's flash is easy, I'm just uncomfortable with the idea of it
03:50 < SporkWitch> tds: and i'm saying you shouldn't be; this isn't something that even the government can do easily or consistently, even if they have the motivation for it (AFAIK)
03:51 < RoadRunner> a question about another solution offered earlier: teamviewer isn't in ubuntu software, or in synaptic- just on their web page. Probably a private repository, it's not open source, is it ?
03:51 < SporkWitch> very no
03:51 < tds> iirc teamviewer on linux is just wine and their windows application bundled into a deb?
03:51 < SporkWitch> don't know, just know you shouldn't use it lol
03:52 < RoadRunner> SporkWitch: why?
03:52 < tds> SporkWitch: there's also the usability side of it, having to revoke subkeys and all that when I lose the smartcard is a pain :P
03:52 < SporkWitch> RoadRunner: huge, gaping security issues lol
03:53 < SporkWitch> tds: that's a flaw in key-based access regardless. the nice thing about smartcards and yubikeys is that most people tend to be good about positive control over their keychains and wallets
03:54 < RoadRunner> thank you for all the help :)
03:54 < SporkWitch> i strongly prefer smartcards over USB tokens for that reason: easier storage, cheap replacement, and it has the added bonus of requiring a reader, which is a barrier to casual use by unauthorized parties
03:55 < SporkWitch> i have a really nice card reader, folds up to the size of your average USB flash drive. keep that on my keychain and the smartcard in my wallet; i wasn't able to find enough information on the sigilance card though to get me to buy it. There's just no real documentation, while yubikey is VERY well documented and supported, so i ended up going with those
03:56 < tds> ah yeah, by "smartcard" I just meant a usb gpg smartcard (eg yubikey), I may try real physical cards at some point though
03:57 < SporkWitch> my certifying key, unique auth subkey, and shared encryption key sits on a NEO in my safe. Another NEO with the shared encryption and unique auth and signing keys for use on phone and desktop (it supports NFC). A Nano with the shared encryption, unique auth and signing, for use on laptops (I don't like the NEO sticking out of a laptop's ports, i always worry about damage; nano is perfect since
03:57 < SporkWitch> it just barely juts out enough to activate it)
03:58 < SporkWitch> i actually did cards first, because i was active duty military, so i had a reason to buy a reader so i could access some work stuff from home (DOD CAC is a smartcard, not just a photo id)
03:58 < SporkWitch> even ported a tool for feeding system entropy with entropy from a card's TRNG
03:59 < SporkWitch> (significantly reduces the time to generate random data, and as far as all testing i did, the feitian card i bought produced wonderfully random data)
04:55 < light> sublime
05:55 < toastedbread> does anyone know about shoutcast servers?
05:57 < linux_probe> just how loud do they shout?
05:59 < toastedbread> How does a shoutcast work with posting a current song playing in a channel
06:04 < toastedbread> !commands
06:43 < Al_nz1> I am trying to identify the IP address and subnet of a camera up a pole. I plug into the plain ethernet side of the injector and open up wireshark. I can see
06:44 < Al_nz1> microchi_66:99:fd broadcast ARP who was 192.168.137.22 Tell 192.168.137.1
06:44 < Al_nz1> there is a bit of other traffic, but this appears to tell me that the camera is on 192.168.137.1 ?
06:44 < Al_nz1> or am I reading this wrong?
06:48 < linux_probe> kind of sounds that way, unless there's other stuff running off that injector/line
06:49 < Al_nz1> linux_probe: just me and the camera - injector in the middle
06:49 < Al_nz1> when i put my PC on 192.168.137.50 and try to ping 192.168.137.1 I get Ping Transmit failed General Failure (I'm on a windows PC)
06:50 < linux_probe> maybe your machine had that ip before on another network
06:50 < Al_nz1> my laptop had which IP?
06:51 < linux_probe> x.x.137.1
06:53 < Al_nz1> linux_probe: why would the camera want 137.1 to be told who has 137.22?
06:53 < linux_probe> are you sure that's the camera?
06:55 < Al_nz1> https://imgur.com/a/mekUr82
06:56 < Al_nz1> linux_probe: the source for that broadcast line is definitely matching the last few digits of the camera mac address
06:56 < Al_nz1> what if the camera is still on DHCP? but was last on a subnet different to the current one
06:58 < linux_probe> it could be some sort of auto-ip if DHCP went away
06:59 < linux_probe> what does your laptop get if you plug into the network there
06:59 < Al_nz1> dunno - I would have to go back onsite but they are 192.168.1.x
07:02 < linux_probe> unless the cameras are on a vlan or other network. who knows, camera may simply be firewalled except other ports, port scan it?
07:02 < Al_nz1> yeah, just got zenmap - that's my next attempt
07:02 < Al_nz1> I have used these cameras before......
07:03 < linux_probe> binoculars?
07:03 < linux_probe> maybe you can read the label lol
07:03 < Al_nz1> nah the IP won't be labelled
07:03 < Al_nz1> lol
07:03 < Al_nz1> but I know that Mac
07:03 < linux_probe> then lookup the camera directions
07:04 < linux_probe> likely says how to connect without dhcp and what not
07:06 < linux_probe> https://www.microchip.com/
07:06 < linux_probe> is who the mac range goes to
07:10 < Al_nz1> yeah I might try to call them tonight
07:10 < Al_nz1> thanks
07:10 < linux_probe> don't know if they make cameras though, probably just the chip manufacturer
07:14 < linux_probe> may help...
07:14 < linux_probe> https://www.microchip.com/design-centers/ethernet/ethernet-devices/applications/automation-access-security/ip-camera
07:15 < linux_probe> it looks like they're firewalled and only allow specific selected things through
07:24 < liveuser11> A_D you were compromised?
07:24 < A_D> ...no? not that I know of
07:25 < liveuser11> StevenR hello
07:25 < liveuser11> A_D it is well that you respond.
07:26 < liveuser11> Do you recall what went on these past say 10 years?
07:26 < liveuser11> In turn it is quite a new retrospection.
07:26 < A_D> k
07:27 < liveuser11> Staying awake?
07:28 < liveuser11> A_D: shying away now?
07:28 < A_D> Sure, why not.
07:29 < liveuser11> You are Christian?
07:30 < A_D> Sure, lemme answer random questions from a random unknown user
07:30 < liveuser11> Such a primary "why not" I can go on.
07:32 < liveuser11> Have you ever met somebody who complains of repeatedly having nonsense things stolen from it?
07:34 < liveuser11> Network, what can cause somebody to become a target for such nonsense theft and what can be a motive of such seemingly unconnected thieves?
07:35 < liveuser11> I start with things almost mundane, because I have much deeper things in mind and if somebody cannot carry on simple logic somebody leaves me lonely.
07:37 < liveuser11> There are times when justice is barricaded by the some scenario.
07:38 < liveuser11> If I walk away is it just?
07:39 < liveuser11> If I hunt how shall I fall on so many?
07:40 < liveuser11> It went deeper A_D
07:41 < liveuser11> We gave the prosody context for balm.
07:41 < linux_probe> deeper than a creeper on reaper
08:07 < Bugz_> Hello
08:11 < liveuser11> Bugz_: did you really download a game of shank
08:20 < michagogo> SporkWitch: re: requiring a reader, I guess that depends on what your environment is, what country you're in, etc.
08:21 < michagogo> Some places have national ID cards that are smartcards and are useful online
08:22 < knocksee> Super noob question: If i use a USB 4g stick in my asus rt-ac87u, does it use the antenna in the asus for the 4g or the stick's antenna? I assume the stick's?
08:22 < michagogo> Or places with public transportation smartcard systems that encode data on the card itself (e.g. Calypso-based systems), so to reload from home you either need a phone with NFC or a card reader
08:22 < michagogo> knocksee: rt-ac87u being a router or access point or something?
08:23 < michagogo> Yeah, pretty sure it'll use the stick
08:23 < knocksee> yeh that's what im thinking
08:24 < michagogo> Afaik WiFi and cellular connections use different antennae
08:24 < michagogo> If the router were using its own antenna, it would probably just have a SIM slot
08:24 < knocksee> we have a huawei E5180 and it only gets around 7mbit, we use our phones and we get around 22mbit, all to the same test server
08:25 < michagogo> 🤷🏼‍♂️
08:25 < knocksee> i assume it's the shitty antenna in the modem
08:26 < michagogo> Maybe
08:26 < michagogo> Or it could be the router
08:26 < michagogo> Or maybe for some reason you're on 3G?
08:26 < michagogo> Or it could be something else about the modem, firmware or cpu or something
08:27 < michagogo> Lots of potential factors, most of them tough or impossible to isolate
08:27 < knocksee> hmm
08:27 < knocksee> true - i should take the router out of the equation and test
08:27 < michagogo> For example, I might try the modem on a computer directly
08:28 < michagogo> Now that I think about it, I don't know what USB 2 throughput is.
08:30 < michagogo> Never mind, looks like it's a few hundred Mbps
08:32 < linux_probe> usb 2.0 was 480Mbps or 60MBps
08:35 < linux_probe> real world is more like 20 to 40MB/s
09:07 < regdude> In Cisco world, the SVI (Switched Virtual Interface or something like that) is simply a configuration option that allows you to route traffic between VLANs or does it do something else?
10:15 < Apachez> it's the vlan interface with ip address configured (ipv4, ipv6 or both)
10:16 < Apachez> once it's got that, packets which arrive at this (virtual) interface can be routed through other vlan-interfaces (which have ip configured)
10:16 < Apachez> that's a common mistake when people enable routing in l3 switches
10:16 < Apachez> through the "ip routing" command (or similar)
10:16 < Apachez> because now client vlan can reach mgmt vlan
10:16 < Apachez> and stuff in mgmt vlan can reach outside mgmt vlan etc
10:19 < regdude> but there is no other function that this Cisco SVI is doing other than allowing routing between VLANs on the device, right?
10:23 < Apachez> well it's a way to access the device itself
10:24 < Apachez> if you don't put up any acl's and you enabled telnet/ssh/http/https then this ip can be used to login to your switch too
10:24 < Apachez> and it will use this ip for dynamic routing protocols as source interface
10:24 < Apachez> same with syslog
10:24 < Apachez> and ntp etc
10:24 < Apachez> your switch cannot sync its time to a ntp server unless your switch has one ip configured and the ntp is reachable through this ip
10:42 < regdude> so it is simply an interface that is allowed to access the CPU
10:42 < Apachez> cpu and routing
11:04 < yumbox> is there a way I can test if DNS over HTTPS is working?
11:04 < yumbox> I have it setup on my pc, and want to know if it's setup correctly.
11:07 < grawity> make a DNS request, and use Wireshark to see where it goes
11:35 < easy_ref123> any help identifying the syntax of this route?
11:35 < easy_ref123> 0.0.0.0 0.0.0.0 192.168.1.2
11:36 <+xand> default gateway?
11:36 < djph> gateway of last resort
11:36 < djph> mornin' xand
11:36 <+xand> hi
11:37 < grawity> easy_ref123: when written like that, it's almost always " "
11:38 < easy_ref123> thanks guys
11:40 < DK2> what's the best way to prevent synflood on a linuxbox?
11:40 < DK2> iptables?
11:41 < grawity> I've *heard* that iptables' SYNPROXY is good
11:41 < Apachez> "prevent"?
11:41 < Apachez> nullroute the offending srcip
11:42 < Apachez> so the packets never reach your linuxbox
11:43 < DK2> Apachez: hard if there's a big amount of spoofed ips
11:43 < DK2> i had ~120 IPs in the attack not counting the false positives i would also nullroute
11:43 < Apachez> so pick those out with grep and what else
11:43 < Apachez> do a script to create the ip route to null for these ip's
11:43 < Apachez> and then push it into your edge
11:43 < Apachez> done!
11:44 < DK2> but how can i tell the difference between good and bad i
11:48 < dionysus69> what is the benefit of digital ocean private networking?
11:49 < dionysus69> so you can close down access to the internet while still being able to connect to other nodes in the same region? or it has other implications too
11:50 < Apachez> no idea, what do their buzzword marketing papers tell you?
11:51 < Apachez> DK2: well put up a baseline of what is the expected rate of incoming syn's per ip in your solution
11:51 < Apachez> and then you like double that number to pick out prime suspects who are synflooding you
11:52 < ShapeShifter499> hi
11:53 < ShapeShifter499> I would like to limit a single program from uploading and downloading too much at once, limiting the bandwidth. What should I use for this on Linux?
11:53 < ShapeShifter499> The program in question is duplicity
11:54 < Apachez> start by checking if this program has a setting for this
11:54 < ShapeShifter499> it doesn't
11:54 < dionysus69> you need a shaping tool, google shape a single linux process or something
11:54 < Apachez> next, can you configure this software to use a particular interface?
11:58 < ShapeShifter499> dionysus69: Apachez I came across trickle but I got an error trying to compile it on my Raspberry Pi
12:08 < skyroveRR> ShapeShifter499: well, what error?
12:08 < ShapeShifter499> skyroveRR: this one https://github.com/mariusae/trickle/issues/22
12:10 < kbaegis> Hey all. Upgrade from 4.15 to 4.16 completely broke my networking stack
12:11 < kbaegis> Anyone know why a kernel (same modules) running ovs/lacp in 4.15 would work fine, but a 4.16 version would fail to receive traffic?
12:11 < bingojingo2> hi
12:12 < ShapeShifter499> skyroveRR: seems exactly like what I wanted too
12:12 < kbaegis1> Could use some help here
12:13 < bingojingo2> can anyone here with a GOOGLE account please tell me how far back you can view your timeline's history on google maps? Please check this on your account, thanks
12:13 < skyroveRR> ShapeShifter499: what's your cross compile triplet called?
12:14 < ShapeShifter499> skyroveRR: I'm building directly on my Raspberry Pi
12:14 < skyroveRR> Like, arm-linux-gnueabihf?
12:14 < grawity> bingojingo2: the year dropdown goes all the way back to 2009, but I only got an Android phone in 2013 so that's where the actual data starts
12:14 < skyroveRR> ShapeShifter499: what does gcc --version give you?
12:15 < ShapeShifter499> skyroveRR: gcc (GCC) 8.1.0
12:15 < bingojingo2> grawity: thanks
12:15 < grawity> actually hmm
12:15 < skyroveRR> ShapeShifter499: err sorry, gcc -v?
12:16 < ShapeShifter499> skyroveRR: this https://gist.github.com/ShapeShifter499/37af46ec37442619d6b05ed619589c0f
12:17 < bingojingo2> grawity: so you can view your timeline's data starting from 2013 up until now?
12:17 < grawity> yes
12:17 < skyroveRR> ShapeShifter499: what configure command are you passing?
12:17 < grawity> I don't remember when I bought the phone though, but sounds about right for its model
12:18 < bingojingo2> so that's 5 years of data
12:19 < bingojingo2> my computer was seized and my data has suspiciously been deleted by the police. Seems like some corruption has occurred, now i can make a complaint
12:19 < ShapeShifter499> skyroveRR: I was using the PKGBUILD here from the AUR for Arch Linux https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=trickle I passed "-A" flag to makepkg to ignore architecture and build anyways. "./configure --prefix=/usr \ --mandir=/usr/share/man" is what I see.
12:20 < kbaegis1> Same freaking kernel config
12:20 < kbaegis1> :/
12:21 < skyroveRR> ShapeShifter499: try putting in --build=aarch64-unknown-linux at the end of the configure command
12:22 < ShapeShifter499> skyroveRR: it's building now
12:23 < skyroveRR> ShapeShifter499: :)
12:23 < ShapeShifter499> so what should I tell the developer?
12:23 < skyroveRR> To put in the --build option, duh.
12:24 < Apachez> ShapeShifter499: if the software can lock to srcip then I would setup a virtual interface and then use tc qdisc to shape that into whatever speed you like
12:24 < Apachez> the software locks to this virtual interface and tada!
12:27 < ShapeShifter499> skyroveRR: the PKGBUILD is maintained by a different person than trickle.
12:27 < ShapeShifter499> so tell whoever uploaded the PKGBUILD?
12:42 < ShapeShifter499> skyroveRR: I don't know where that ./config.guess file is coming from
12:49 < phre4k> docker isn't answering, so maybe you have a clue: this is my docker-compose.yml: https://paste.linux.community/view/raw/0df89428 and when I do docker network inspect it shows me "Subnet": "172.22.0.0/16" → why did this happen and why is it so huuuuge?
12:49 < phre4k> s/docker/#docker/, s/you/you guys/
12:49 * phre4k injects coffee
12:57 < mosulica> https://i.redditmedia.com/RGhKvft_3RGTLB2SbCjtvWzMWlYpseyDe2dL1Wh5D_U.jpg?w=600&s=3639a00a20556e4339fcba25a0feecdc
12:57 < mosulica> https://www.ejobs.ro/user/locuri-de-munca/iron-hostel-cj-angajeaza-om-care-sa-nu-faca-nimic-de-la-12/1053588
13:25 < liveuser11> doot doot doot
13:25 < liveuser11> does dat be a good thing?
13:27 < liveuser11> smoove?
13:30 < rendar> can i ping a host let's say 20 times every 2 seconds, and wait like 5 minutes (so if the network is lagged i'm ok) and if i get nothing in 5 minutes, ping returns error?
13:31 < djph> ping should get a response nearly instantly ...
13:32 < rendar> djph: not if network is lagged, i would like to wait at least 1 minute
13:32 < djph> although, if you're using a network monitor, you can usually configure something like that (although it's X pings, not X minutes, usually)
13:33 < rendar> i'm in a bash script, and the machine must check if another machine in the local lan is still up or not
13:34 < djph> have fun
13:34 < rendar> djph: ping has -W timeout option
13:35 < tpr> install nagios they said, it's fun they said
13:38 < djph> tpr: "fun(tm)"
13:38 < djph> get it right
13:44 < tpr> :P I tried but got frustrated with it (for my home network)
13:45 < tpr> but it has a ping plugin! which works at least sometimes on some platforms, maybe ;)
13:45 < djph> tpr: no, I was saying you misspelt 'fun(tm)'
13:45 < tpr> unfortunately either free disk space or memory piece didn't
13:45 < tpr> ohhHH
13:45 < djph> yeah, it's a bit of a bear to get working
13:45 < djph> especially the bits that rely on SNMP
13:51 < v0Lk> Anyone ever use the Cisco IXM LPWA 800 LoRa gateway? I have a few questions
13:56 < eschmidbauer> hello-- newb question here... we want to be able to use ecmp/ospf to distribute ingress traffic (hashed based on client (src) -> srv (dst)) out egress to a private subnet
13:56 < eschmidbauer> is this possible?
13:57 < eschmidbauer> like basically packet A comes from internet and is hashed so the client traffic is consistently sent egress to subnet
14:08 < eschmidbauer> basically need stickiness... but the packets get modified on the server before getting sent out egress
14:14 <+catphish> eschmidbauer: you want NAT, not just plain routing?
14:15 <+catphish> eschmidbauer: i suppose the first question is: why do you want to modify the packets?
14:17 <+catphish> if you didn't want to modify the packets, iBGP + ECMP would do this out of the box, no need for the private IPs
14:21 < skyroveRR> ShapeShifter499: perhaps contact that dude maintaining it?
14:40 <+catphish> eschmidbauer: ?
14:40 < skyroveRR> Hey catphish
14:40 <+catphish> hi
14:42 < xirg> Hello, out of these supported options: [3.5" or 2.5" SATA 6Gb/s, 3Gb/s HDD or SSD, hot swappable]
14:42 < xirg> What is the best type of drive for a home QNAP
14:43 < djph> the one with the best features at a pricepoint you can easily swallow
14:43 < xirg> SSD or HDD?
14:44 <+catphish> well SSD is going to be faster and more expensive for the same capacity
14:44 < xirg> I know ssd is faster but isn't hdd better sometimes
14:44 <+catphish> afaik no
14:44 < djph> well, cheaper for the same capacity (or more capacity for the same price)
14:44 <+catphish> cheap SSD might be less reliable than a good spinning disk
14:45 <+catphish> but overall SSD is better
14:45 <+xand> HDD is only better for cost/GB
14:45 < skyroveRR> And for consistent writes of data.
14:46 <+catphish> skyroveRR: citation needed
14:46 < xirg> xand, yea i was just reading that. For massive amounts of data HDD is a better option, i think i'll go with ssd
14:47 < skyroveRR> catphish: database writes?
14:50 <+catphish> skyroveRR: i think modern SSDs do indeed still have write limits, perhaps 5,000 writes for a good quality one
14:51 <+catphish> but that means replacing all your data once a day for 10 years
14:51 <+catphish> so i suppose one must consider the use case
14:59 < Apachez> yes they do but they also have better, what's it called, underprovisioned areas
14:59 < Apachez> like your 512GB SSD is actually 600GB or something
14:59 <+catphish> yes, they have spare replacement sectors
14:59 < Apachez> so even if you write like 1TB/day you can do so at a sustained rate for the next 20 years or so
15:00 < Apachez> na its not spare replacement
15:00 <+catphish> but those are more for random premature failures than the ones that will happen in bulk when you've written too much
15:00 < Apachez> they are used daily
15:00 < Apachez> since the ssd constantly remaps physical location of each LBA
15:00 <+catphish> well yes, some extra is needed to do wear leveling of course
15:01 <+catphish> but some are spare too
15:01 < Apachez> dunno if spare is used any longer the way they used to
15:01 <+catphish> (possibly all the same, i'm sure the controller manages it all magically)
15:01 <+catphish> tbh the spares may all get used
15:02 <+catphish> but there's enough capacity for both wear levelling and for some to fail
15:02 <+catphish> in any case, with 2000-5000 writes, you can write your 1TB a day for several years
15:05 < Apachez> back in the days if you wrote to LBA12345 then you wrote to that physical position (unless it was marked as damaged and a spare sector was used)
15:06 < Apachez> today with SSD when you write to LBA12345 you actually write to LBA88373 and next write to LBA12345 becomes a physical write to LBA43039
15:06 < Apachez> and so on
15:06 < Apachez> and the firmware will keep track of this mapping
15:06 < Apachez> so that from the os point of view you read and write from LBA12345
15:07 < compdoc> thats too complicated.
I'm going back to floppy discs
15:07 < Apachez> funny note, most SSD's have their own operating system running
15:07 < Apachez> and malware has started to come this way too :)
15:07 < Apachez> which will be fun
15:07 < Apachez> when your antivirus reads the file its perfectly fine
15:07 < Apachez> but if some other process reads the same file all hell breaks loose :P
15:27 < eschmidb_> hey catphish- we are dealing with SIP so we need to modify packets
15:28 < eschmidb_> and also, the purpose of iBGP/ECMP is to do anycast on private subnet
15:28 < eschmidb_> but we need client to also get distributed to same node in subnet unless that node goes down (and another takes over)
15:29 < eschmidb_> im thinking maybe just use multiple interfaces on source egress
15:29 < eschmidb_> and use anycast IP as dest-- i think ECMP should distribute consistently this way ( could be wrong)
16:17 < stubbyroot> Hoping someone can help me out with this. I'm on an old 6500 series trying to sort the cam table for specific manufacturer but having issues. Right now I'm using include with 0005\.[a-z0-9]{4}\.[a-z0-9]{4} but that's not working. Any ideas? Where am I going wrong?
16:19 < stubbyroot> The regex should match but isn't, at least not on ios.
16:19 < stubbyroot> The MACs I'm trying to match all start with 0005
16:29 < kilmanio> Hey people, I've been using my ISP's modem/router since forever and it seems like a good time to switch. Where do I start?
16:29 < Epic|> Decide on a budget
16:29 <+catphish> the first question is why
16:29 < Epic|> Look at supported hardware from your ISP
16:30 <+catphish> make sure to start by checking 1) whether the ISP allows you to use your own hardware, or 2) if they will provide a bare modem, to which you can add your own router
16:30 < regdude> is there a name for a MPLS setup where CE-PE-P-P-P-PE-CE ? Or should it just be called PE-P-PE?
16:31 < Emperorpenguin> yes
16:31 < Emperorpenguin> :D
16:31 < Emperorpenguin> it's just PE-P-PE
16:31 < Emperorpenguin> it doesn't matter how many P you have in between
16:31 < regdude> thanks!
16:31 < regdude> just checking if there is a nice name for it
16:31 < Emperorpenguin> I mean you shouldn't even care how many hops you pass
16:31 < Emperorpenguin> as long as it works right?
16:32 < regdude> thought there might be a difference since explicit null is not possible between Ps
16:32 < kilmanio> catphish, I can just put it in bridge mode, right?
16:33 < rendar> if some host pings me, what does the system actually reply in the icmp packet? can i fill the icmp packet with some extra info that ping can grasp?
16:33 <+catphish> kilmanio: if the existing device has a real bridge mode that disables the router entirely, yes
16:33 <+catphish> kilmanio: what technology is this? cable? vdsl? satellite? avian carrier?
16:34 < kilmanio> I have a coax cable
16:34 <+catphish> ok, cable, then hopefully you can put your existing device into a bridge mode than will disable its router, and use your own ethernet router instead
16:34 <+catphish> *that
16:35 < xirg> I'm excited i just ordered this: https://www.amazon.com/gp/product/B075N1BYWX/ref=oh_aui_detailpage_o02_s00?ie=UTF8&psc=1
16:36 <+catphish> cool, those are nice
16:38 < kilmanio> If I get something like an ubiquiti edgerouterX and an AP I should be fine, right?
16:39 <+catphish> as long as your modem will work as a pure modem, yes, and that's a good choice :)
16:43 < rendar> when someone pings me in linux, what is the facility that actually replies to the pings? where can i configure it?
16:43 <+catphish> rendar: it's the linux kernel
16:43 < rendar> catphish: as i thought
16:43 <+catphish> rendar: you can configure it through "sysctl" options
16:43 < rendar> catphish: can i say to the kernel that i want to insert some data into the ping packet?
16:43 <+catphish> there's not much to configure about ping responses, except to rate limit them
16:44 < rendar> what about data like ping -p ?
16:44 <+catphish> no, i'm pretty sure it has to respond with the same data it was sent
16:44 < rendar> i see
16:45 < rendar> i wish to check from my raspberry, with a simple ping or something simple like that, if something is on or off in my local desktop machine
16:45 < rendar> can i do this with icmp? without installing servers or something
16:45 <+catphish> no
16:46 < rendar> ok, any ideas?
16:46 <+catphish> write a server to do it
16:46 < rendar> maybe i can do that with nc
16:46 < hmig> anyone know if this STP topology is actually viable? https://imgur.com/a/qPqx3HL
16:47 < hmig> i plan to stack the two core switches, ordered DAC cables but they may not arrive in time
16:47 < turtle> I have a lot of ideas. a buffet style mexican restaurant where everyone eats out of a trough. a realdoll time sharing venture.
16:47 <+catphish> hmig: i don't see why not, isn't that a pretty standard setup?
16:48 <+catphish> stacking the core and using LACP for everything would be better, but that setup should work
16:49 < hmig> thats the goal
16:50 < hmig> in my topology i have a primary root and a secondary root, thats better than just having a single root bridge right
16:51 < hmig> i know it sounds like a dumb question
16:51 < hmig> lol
16:52 < Roq> hmig: Check if your switches support 'distributed trunking', this allows for an interswitch link connection between the two core switches. stack functionality without actually stacking
16:52 < hmig> they support IRF
16:53 < Roq> http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8160_ssw_mcg/content/ch04s14.html
16:53 < hmig> HPE's stacking technology
16:53 < hmig> they dont support an actual module on the back for stacking tho
16:54 < Roq> I'm not sure if IRF is the same as Distributed trunking
17:04 < fishar> hi does anyone here use Cisco ASR 903?
17:08 < Epic|> Catphish, ISPs tend to provide shit tier hardware
17:14 < eto> hello
17:15 < eto> i would like to know if there exists something like an echo packet at ethernet layer level
17:15 <+catphish> yes, come on in, we have cookies
17:15 <+catphish> no
17:16 <+catphish> there is no such frame
17:16 < eto> i know there are several arp ping tools but i am mostly interested in something that gets filled source and target mac and gets reflected back
17:16 < UncleDrax> OAM-EFM/CFM can do some layer-2 type stuff, but if you're trying to do it over a WAN/Internet, it won't do that
17:17 < eto> catphish: that's a pity, so how does for example a switch know a link is active? it relies on what the physical layer reports?
17:17 < UncleDrax> but it also requires devices to support it
17:17 <+catphish> eto: yes that, switches don't even have a MAC address to send frames from
17:18 < eto> UncleDrax: this is for use on local and "virtual networks"
17:18 <+catphish> a switch only cares that the physical link is up
17:19 < eto> catphish: wait, i understand it as a switch having some switching processor inside - which learns the source and target macs to route packets - this unit doesn't have a mac address itself?
17:19 < eto> UncleDrax: thanks will look into those acronyms
17:20 < UncleDrax> eto: ya see if your HW supports OAM-EFM (802.3ah-2004).
17:20 < UncleDrax> Would you like to know more? https://en.wikipedia.org/wiki/Ethernet_in_the_first_mile
17:20 < pekster> It's just associating discovered (seen) MACs to ports; a pure Layer-2 switch doesn't have or need its own MAC.
A "managed" switch will have its own MAC, but that's just used for traffic being sent to the administrative address on the switch (and only for VLANs/ports the managed switch is configured to do so on)
17:21 < kilmanio> Should I use dns over https
17:21 < eto> so for example when a switch actually has a mac, it is the "managed" interface that is inside attached to the switching core, the switching core itself has no mac
17:21 < pekster> eto: Exactly!
17:21 < my_mind> place i work at has voip phones and computers connected to same router and switch,
17:21 < UncleDrax> eto: OAM-CFM (Connectivity Fault Management) can be used like a layer-2 BFD over an Ethernet link where you might not have visibility into the middle. again requires device endpoints to support it.
17:22 < eto> UncleDrax: thank you very much !
17:22 < my_mind> I want to separate them.
17:22 < my_mind> is this switch good for use only for the phones? https://amzn.to/2ILeori
17:22 < my_mind> TPlink 24 port unmanaged
17:23 < UncleDrax> (having not touched an unmanaged switch in forever, is it correct to say an unmanaged switch still likely wouldn't be VLAN aware?)
17:23 < eto> okay because i am playing with software switches too, and both i have experience with seem to have a mac attached to the interface representing the software(!) switching core itself
17:24 < eto> is this an os architecture limitation ? (each device, even if virtual, requiring a mac address)
17:24 <+catphish> eto: a simple switch indeed has no MAC itself, it doesn't need one
17:25 < eto> for example both linux and freebsd software bridges get their own mac addresses on creation
17:25 < Reventlov> Searching for a way to force mcs change on Linux (iwlwifi), any idea?
17:25 <+catphish> eto: it only needs a MAC if it's managed and things need to talk to it
17:25 < Reventlov> using iw to change bitrate / mcs works, but only temporarily (seconds)
17:25 <+catphish> eto: a linux bridge has a MAC because it has an extra port that goes to the host itself, that's the MAC of the host
17:25 < my_mind> catphish: i need to separate the computers and the phones.
17:26 <+catphish> my_mind: why?
17:26 < my_mind> phones are not getting calls
17:26 < my_mind> *most phones
17:26 < my_mind> bad connection
17:26 < UncleDrax> my_mind: in most 'Phone' cases, you'd want: a VLAN aware switch that does PoE. which usually means managed. TP-Link makes things that fit that bill.
17:26 <+catphish> my_mind: i don't think separating them is going to help with that
17:26 <+catphish> as UncleDrax says, you would normally use a VLAN + PoE switch for phones
17:27 <+catphish> but that's not going to help with connectivity issues
17:27 < eto> catphish: ah i think i get it - so macs in software bridges (aka switches) actually represent the host's port plugged into that switching core
17:28 < eto> and theoretically if no host connectivity was required a software switch would not need a mac address - same way as a real switching core
17:29 < eto> correct?
17:29 < my_mind> catphish: why wouldn't it help? the voip service company told me the network we're using is overloaded
17:29 < my_mind> we're using 2 ISPs connected to a dual wan router
17:30 < my_mind> dual wan router is connected to switch
17:30 < my_mind> and the phones and computers are connected to that switch
17:30 < my_mind> So I was thinking I need to get a separate router and switch for the phones
17:31 < eto> it's still surprising that the ethernet protocol doesn't provide a way to reflect a packet from another mac in the core spec
17:32 < eto> my_mind: btw how does the voip company know that?
17:33 < my_mind> they're a small company, they are familiar with our network
17:45 <+catphish> my_mind: well they may well be right then, usually it's the WAN that gets overloaded long before LAN
17:46 <+catphish> but by having separate LANs you can route them to separate WAN connections, which will help a lot
17:50 < tds> eto: on linux the bridge interface should use the mac address of one of the member interfaces iirc (possibly the smallest/largest?)
17:52 < fnDross> catphish: see thats what i did, but i got flak
17:54 < fnDross> https://ibin.co/3wZx0gWjNDUu.jpg << wan3 & AP to wan2 is on its own, leaving the local lan i/o alone
17:59 < kbaegis> Hey guys. I'm having issues with my kernel upgrade
17:59 < SporkWitch> If you have a question, just ask! For example: "I have a problem with ___; I'm running Debian version ___. When I try to do ___ I get the following output ___. I expected it to do ___." Don't ask if you can ask, if anyone uses it, or pick one person to ask. We're all volunteers; make it easy for us to help you. If you don't get an answer try a few hours later.
17:59 < kbaegis> 4.15.14->4.16.10
17:59 < SporkWitch> that said, this is ##networking, not #whateverOSyou'reon, ask your OS's support channel
17:59 < kbaegis> OVS isn't seeing packets anymore
18:00 < kbaegis> Reverting the kernel version
18:00 < tds> now that's more like ##networking ;)
18:00 < SporkWitch> tds: i'm still waiting for a coherent question, even if it's offtopic lol
18:01 < kbaegis> So I have two lacp interfaces in a bond under ovs
18:01 < kbaegis> And everything works perfectly under 4.15.14
18:02 < kbaegis> Upgrading to 4.16, I get no network connectivity from the host and I have to access it via SoL/OOB
18:02 < kbaegis> Mods are all consistent, kernel config is the same
18:02 < SporkWitch> kbaegis: ask your OS support channel
18:02 < kbaegis> And all the interfaces are detected
18:02 < SporkWitch> newlines
18:02 < SporkWitch> are
18:02 < SporkWitch> not
18:02 < SporkWitch> a
18:02 < kbaegis> SporkWitch: I roll my own.
18:02 < SporkWitch> substitute
18:02 < SporkWitch> for
18:02 < SporkWitch> punctuation
18:03 < kbaegis> SporkWitch: I'll check with my "distro support", but that's not going to be helpful.
18:03 < SporkWitch> kbaegis: so you're asking ##networking to help you fix your homemade linux distro's non-networking problem? lol
18:03 < SporkWitch> go use a real distro
18:04 < qoxncyha> corporate LAN unblocked 1.1.1.1 DNS-over-TLS \o/
18:04 < kbaegis> SporkWitch: It is a networking problem. It's best not to speak if you have no valuable contribution. You don't have to help me if you don't want to.
18:05 < kbaegis> Can anyone help me figure out how to trace these packets?
I was attempting to insert a trace rule for the raw table, and I was getting errors: iptables -t raw -I PREROUTING
18:06 < kbaegis> Thanks for the dm with offensive language, SporkWitch
18:07 <@catphish> kbaegis: if the kernel version is the only thing that's changed, it seems reasonable to assume it may be a bug, maybe worth a quick descriptive email to the appropriate mailing list
18:08 <@catphish> i've always found tracing packets through the kernel to be tricky, not sure how best to do that i'm afraid
18:09 < fnDross> ever run into clients failing >> "WPA: group key handshake"?
18:10 < tds> for ovs, I guess you could initially try tcpdump on the individual physical interfaces, then on the bond, then the bridge, and see where the issue is
18:10 <+catphish> kbaegis: have you done pcaps on the interfaces to see if anything is being physically sent / received at all?
18:10 <+catphish> oh, what tds said
18:10 < kbaegis> tds: Did that already- I only see LACP/CDP traffic
18:12 <+catphish> it seems somewhat implausible that networking could be *that* broken
18:13 < kbaegis> Well I just checked my switch config to ensure that it's still trunking the appropriate vlans
18:13 <+catphish> also, it's worth considering that in linux, LACP is software, so if LACP frames are being exchanged, the NIC is working fine, meaning that i can't see how you could *not* be receiving other types of frame :(
18:13 <+catphish> unless LACP is what's broken and the switch is cutting you off
18:13 < kbaegis> Could it be receiving those only and not replying?
18:14 <+catphish> kbaegis: tcpdump will tell you
18:14 <+catphish> oh, well not really, it won't tell you if they physically leave
18:15 <+catphish> it could be that you're simply physically transmitting nothing, see if you can see LACP status on the switch
18:15 < kbaegis> It's a netgear.
I'll check the web interface since I don't know the command to monitor lacp from the cli
18:16 <+catphish> it might be there in the web ui, i'm not sure
18:17 <+catphish> can you plug it into another linux box and see?
18:18 <+catphish> if you can see a frame in tcpdump but confirm it's not physically leaving the interface then you have a bug you can report
18:20 < fnDross> when i'm able to dump all my consumer hw, what should i buy?
18:20 <+catphish> a log cabin by a lake
18:20 <+catphish> and a fishing rod
18:21 < kbaegis> catphish: I had been trying to trace ping packets with iptables -t raw -I PREROUTING -p icmp -j TRACE
18:21 < kbaegis> I was getting errors on that command
18:21 <+catphish> ping packets form where to where?
18:21 <+catphish> *from
18:22 <+catphish> my advice: choose one direction to attack the problem from and stick with it
18:22 <+catphish> choose *one* frame that you think is getting lost
18:22 < Windy> is there any kind of wayback machine for SSL certs? some way to see what cert was presented by a particular site on a particular date
18:23 < kbaegis1> If I had to guess, lacp. Is there a way to look for those? I've never used tcpdump/bpf to look at lacp
18:23 <+catphish> Windy: moderately unlikely, never heard of such a thing, but can't say it doesn't exist
18:23 <+catphish> well you can see them on the port with tcpdump right?
18:24 <+catphish> so see if they're physically leaving
18:24 < Windy> we started having issues with ssl decryption for two sites yesterday that both have ECC certs.
i'm wondering if they changed them recently hrm
18:24 <+catphish> you'll want to look up how to display MACs in tcpdump to make sure you know which way they're going
18:24 < fnDross> heh, thats on the list catphish, and the person that gets me from A to B
18:25 < tds> Windy: you can see previous certificates issued with certain CAs through the certificate transparency logs (web ui at crt.sh), that won't tell you what cert the site was actually using though
18:25 < Windy> tds, interesting, thanks!
18:29 <+catphish> kbaegis1: good luck
18:31 < Windy> hrm, i misunderstood. it wasn't the certs in question but rather the TLS cipher suites that were EC based and causing this error
18:34 < kbaegis> catphish: Ty
18:40 < lupine> I don't suppose anyone knows if azure network security group rules are stateful or not, do they?
18:42 < lupine> https://docs.microsoft.com/en-us/azure/virtual-network/security-overview talks about flow records...
18:43 < lupine> got it: > https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
18:43 < lupine> um
18:43 < lupine> "An existing connections may not be interrupted when you remove a security rule that enabled the flow"
20:45 < _AxS_> hey all -- anybody know what's going on with the internet in north america? seems there's a fairly significant split that isn't resolving/re-routing...
20:47 < _AxS_> (i can't reach google in cali from my rogers/comcast/whatever ISP, but i can reach a DC in kitchener and -it- can reach google but can't reach my ISP.. and there are some sites neither can reach..).. I assume there are pages where the status of such things can be looked up but i've no idea what search terms to even use to find them; anybody know of any?
20:47 < UncleDrax> well.. neither the Outages mail list, nor the NANOG mailing list seems to be freaking out today, so I would say this is far less than 'The Internet in North America'.
20:47 < UncleDrax> oh you provided details
20:48 < Dalton> traceroute is your friend
20:49 < _AxS_> Dalton: been doing that, but it's not helping so much other than to confirm it's not just my ISP..
20:50 < Dalton> where in Ontario are you?
20:50 < _AxS_> Ottawa
20:50 < Dalton> and what are you tracing to?
20:50 < Dalton> and define "reach"
20:50 < Dalton> ping/www/etc
20:51 < _AxS_> various things; 8.8.8.8, google.ca (172.217.x), yahoo.ca , rogers.com , etc..
20:52 < UncleDrax> as to the question of 'how can one see a high-level 'health' of the Internet', the Internet Traffic report, downdetector (or for .ca, http://canadianoutages.com/ ), etc aim to provide that
20:53 < _AxS_> UncleDrax: yeah i found that with searches, do they cover outages that are downstream though or just those at the ISP level? I thought it was the latter
20:53 < UncleDrax> at the Service Provider / Network Engineer level, there are some mailing lists for Serious type discussion on events.. that would be stuff like 'Cogent and Hurricane Electric are in a pissing match today so a buncha routes are down'
20:54 < Dalton> it's Cogent, what do you expect ;)
20:54 < UncleDrax> Dalton: hence why I picked them :]
20:54 < Dalton> i know that was hypothetical but hehe
20:55 < Dalton> _AxS_: are you on Rogers?
20:56 < Dalton> I would assume they have their own google cache for that kind of stuff
20:57 < _AxS_> Dalton: well you'd think, but that doesn't help mail services and others.
20:57 < Dalton> okay, that's why I asked how you were testing
20:57 < _AxS_> Dalton: and yeah, Rogers. I hacked a route through a VPN tunnel to my kitchener DC to get around the issue for now (i don't know what they're doing multi-homing on but at least that's an option)
20:58 < Dalton> probably Cogeco?
20:58 < Dalton> my Ontario-net is only presumptuous
20:58 < Dalton> but easy enough to find out who they're peering with
20:59 < UncleDrax> Rogers maintain a looking glass? (idle curiosity..
not interested enough to google it myself..)
21:00 < Dalton> i doubt it
21:00 < _AxS_> i doubt it too..
21:00 < UncleDrax> ya i wouldn't expect it.. none listed in peeringdb for as812
21:02 < _AxS_> UncleDrax: thx, that's the sort of thing i was wondering about.. given it's more out of curiosity than anything it'll likely not be relevant for me to subscribe to those MLs, but good to know they exist.
21:03 < _AxS_> and yeah, given you guys haven't heard of anything I assume it's some sort of minor intermittent event; not some sort of big issue that'll take days to resolve..
21:03 < UncleDrax> ya I check them out in a R/O (archives) format
21:03 < UncleDrax> NANOG talks much more than just outages and a broader topic list
21:05 < _AxS_> UncleDrax: nanog-announce generally covers outage discussions or just the main discussion list that you check?
21:11 < UncleDrax> NANOG announce covers announcements about NANOG itself (the organization, ie: meetings, voting member changes, etc..). NANOG list archive is a general discussion list for Network Operators (presumably of North America, but it's wider) to discuss.. Networking things. of which major outages is sometimes a topic
21:13 < UncleDrax> Outages.org maintains a list as well, plus a wiki with more "general high level" health sites and a swath of major Network 'Network Status' pages. ( https://wiki.outages.org/index.php/Dashboard )
21:14 < UncleDrax> in both cases, please familiarize yourself with the guidelines for posting if you choose to post to those lists. having a good SNR is what keeps those lists useful
21:15 < _AxS_> Oh gawd, there's no way I'd post to a list like that unless I got a job in network ops... and even then, likely only if i was responsible for a large segment of a customer base or something.
21:16 < UncleDrax> fair enough, hard to know where people come from, so figured I'd say it just to say it
21:16 < _AxS_> yep, appreciated.
:) 21:16 < UncleDrax> also for any idlers ;] 21:25 < hehehe> when accessing site I get 504 gateway error 21:25 < hehehe> how to overcome it? 21:26 < grawity> call the site's sysadmin and tell them to fix their cra 21:27 < hehehe> cra? 21:28 < hehehe> its lycamobile its giant site 21:28 < hehehe> crap 21:28 < hehehe> well I need to access it 21:29 < hehehe> In other words, 504 errors usually indicate that a different computer, one that the website you're getting the 504 message on doesn't control but relies on, isn't communicating with it quickly enough. 21:29 < hehehe> wtf is that 21:29 < Carll> Any ideas on which device I could use to replace a CD Changer? Really tight budget as it's out of my own money for works music 21:30 < hehehe> some computer in between? 21:30 < grawity> well you cannot 21:30 < hehehe> grawity: what if I use vpn 21:30 < hehehe> that will re route traffic 21:30 < hehehe> what does 504 means? 21:30 < grawity> you're still accessing the same site 21:30 < hehehe> so 504 means site is down? 21:30 < hehehe> or 21:30 < grawity> well, the backend is down 21:31 < grawity> you're connecting to a "reverse proxy", and it connects to the real servers 21:31 < grawity> maybe for load balancing, maybe for security, maybe for cgi 21:31 < hehehe> mm 21:31 < hehehe> http://www.lycamobile.co.uk/ 21:31 < hehehe> can you access it? 21:31 < hehehe> how dare they to go offline 21:51 < hehehe> https://downforeveryoneorjustme.com/lycamobile.co.uk 21:51 < hehehe> fck u guys lol 22:09 < tds> lycamobile.co.uk looks like an ubuntu box at ovh that just serves redirects to www.lycamobile.co.uk, try putting in the latter domain and you'll get the right result 22:23 < kbaegis> Could use help with my packet dump: https://hastebin.com/obiquhuzay.sql 22:23 < kbaegis> LACP/CDP are coming in from the switch, but my 4.16.10 kernel host isn't responding via lacp it looks like 22:27 < kbaegis> Anyone know if there's a sysfs toggle for lacp "active mode"? 
22:33 < kbaegis> Anyone here used lacp_rate before? 22:37 < UncleDrax> i've never changed the default setting, no 22:37 < UncleDrax> but sounds like it's just the keep-alive/control pkt frequency 22:38 < kbaegis> UncleDrax: Well, the switch is doing its job sending the LACP information. My upgraded host doesn't appear to be. 22:38 < UncleDrax> fast = 1 per sec, normal (or 'slow?') 1 per 30s (per cisco docco) 22:39 < tds> kbaegis: out of interest, do you get anywhere if you move to plain linux bonding rather than OVS? 22:39 < UncleDrax> linux/bsd bond interface? you have it set for the correct 'mode' which I think is how they make it be LACP vs RR or something 22:40 < kbaegis> tds: let me check :) 22:41 < _AxS_> kbaegis: lacp_rate , ive used it with linux bonding and a cisco switch 22:41 < tds> also, I assume you're running the latest version of ovs and rebuilt it when you upgraded the kernel? 22:41 < _AxS_> (sorry, dell switch; my cisco was too old and/or didn't have a high enough license or something) 22:43 < kbaegis> I did get "bridge|WARN|port bond_iso: Using the default bond_mode active-backup. Note that in previous versions, the default bond_mode was balance-slb", however that's not enabled since I ran ovs-vsctl set port bond_internal boond_mode=balance-slb 22:43 < kbaegis> ^bond_mode* 22:44 < _AxS_> kbaegis: you don't want either of those you need bond_mode to be 802.3ad 22:44 < UncleDrax> iirc, 'mode=4' for linux kernel 22:45 < _AxS_> (or mode=4) 22:45 < kbaegis> "ovs-vsctl: constraint violation: "802.3ad" is not one of the allowed values ([active-backup, balance-slb, balance-tcp])" 22:45 < _AxS_> kbaegis: apparently (and oddly) it doesn't support an LACP based bonding auto-negotiation. 22:46 < UncleDrax> https://blog.scottlowe.org/2012/10/19/link-aggregation-and-lacp-with-open-vswitch/ ? old but maybe still relevant? 
(I've never touched OpenvSwitch) 22:46 < kbaegis> That would explain why my outward facing interfaces work and my inward facing ones don't 22:49 < kbaegis> Here's the output from ovs on the bond. https://hastebin.com/gudifumana.go 22:50 < kbaegis> idk/understand if lacp:active is interferring with bond_mode: balance-slb 22:51 < _AxS_> kbaegis: other way around if anything. balance-slb could be making the host system (which i assume is a linux kernel? I don't know anything about OVS either) ignore the LACP negotiation. can you unset bond_mode ? 22:52 < _AxS_> kbaegis: also, if the other side is active, you can make OVS passive and it'll negotiate to whatever the other side has. 22:52 < _AxS_> (again, assuming an 802.3ad mode) 22:54 < kbaegis> I just tried that 22:54 < kbaegis> so bond_mode is unset, lacp=passive 22:54 < kbaegis> Testing now 22:55 < _AxS_> kbaegis: does the command from UncleDrax's link work: ovs-appctl bond/show bond_internal ? 22:55 < Apachez> when doing lacp one end must be active 22:55 < Apachez> so best is if both are active 22:56 < Apachez> and dont forget to configure short update timer 22:56 < Apachez> otherwise it will take like 30 seconds to form the bond instead of 1 second 22:56 < _AxS_> (as long as all devices support lacp_rate=fast) 23:01 < kbaegis> Well, here's the verbose tcpdump from active->passive and an admin down/up https://hastebin.com/emalizigoh.pl 23:02 < kbaegis> huh _AxS_: https://hastebin.com/uletapoked.sql 23:03 < _AxS_> ok well that's part of your issue, the slave devices aren't up (or allowed to come up) 23:09 < spaces> guys is Whois really going to vanish for domains because of GDPR ? 23:10 < tds> how are you setting the interfaces and bonds up - ifupdown, or custom scripts or something? can you post the config for that somewhere? 23:13 < kbaegis> inquired on #openvswitch as well. 
This dmesg output is telling: https://hastebin.com/tonemezoxu.scala 23:14 < kbaegis> tds: I'm a gentoo user, so it's netifrc/openrc 23:14 < _AxS_> kbaegis: well i can read it fine then. you've just got config_[device]="null" essentially right? 23:15 < kbaegis> Correct 23:15 < _AxS_> tds: that's the equivalent of a bare 'ip link set dev [device] up' 23:15 < tds> thanks :) 23:15 < kbaegis> raw interfaces are configured "null !dhcp" 23:16 < _AxS_> kbaegis: !dhcp is redundant, fyi 23:16 < kbaegis> probably :) 23:17 < kbaegis> Yeah, I remember that from previous troubleshooting. OVS does. not. like. trunk interfaces with an assigned IP 23:17 < _AxS_> kbaegis: curious, is OVS installed from a package in the gentoo repo? 23:17 < kbaegis> Yeah. I don't think I enabled ~amd64 23:17 * _AxS_ should check that out later... 23:18 < kbaegis> Didn't. Just verified 23:21 < kbaegis> Just made a logging file for ovs. Let's see what we can see --- Log closed Thu May 24 00:00:30 2018