--- Log opened Fri May 25 00:00:31 2018
00:04 < horse> are the phones pingable hmig?
00:07 < hmig> they are pingable
02:17 < banisterfiend> hi, i am messing with iptables. I have two custom chains -- how do i get the rules in chain A to always override the rules in chain B ?
02:20 < tds> banisterfiend: what do you mean by override? if you jump to an action (eg accept/reject/drop), at that point the rest of the chain won't be traversed
02:21 < banisterfiend> tds both chains are added as a `jump` target of `OUTPUT`, i guess i want to ensure that chain A is always the one that's jumped to first
02:22 < banisterfiend> rather than chain B, regardless of when A is added, it could be added either before or after B
02:22 < tds> can you upload the output of "iptables-save"?
02:22 < tds> either way, if you insert the rules in the right order, it should traverse the chains in the right order
02:26 < banisterfiend> tds thanks: https://www.dropbox.com/s/yzl7o70pxzjxroo/Screenshot%202018-05-25%2002.24.44.png?dl=0
02:26 < banisterfiend> has to be a screenshot sorry cos it's in a VM, and copy/paste isn't working in that vm atm
02:27 < tds> hmm, is there any reason for jumping to a return, rather than having the drop at the end of the chain and jumping to the allow_lan...?
02:28 < tds> either way, assuming you're using a tool like iptables-restore to add the rules for you, they should always get added in the correct order
02:28 < banisterfiend> tds so i basically want it so that no matter what happens, the ALLOW_LAN chain rules have higher precedence -- the issue is that ALLOW_LAN may or may not exist, and both ALLOW_LAN and KILLSWITCH can be toggled off and on independently
02:28 < banisterfiend> but in any case, if ALLOW_LAN exists it should have higher precedence than KILLSWITCH
02:31 < tds> hmm, how are you enabling/disabling the chains? might it make more sense to add a -j RETURN at the start of each chain (based on if you want to disable it), then you can modify them individually rather than worrying about the order the jumps in the output chain are added?
02:33 < banisterfiend> tds hmm what if i always got CHAIN A to append to OUTPUT but always got CHAIN B to insert to OUTPUT
02:33 < banisterfiend> then chain B would always have precedence over CHAIN A right?
02:34 < tds> yeah, that would work as well, though that may change behaviour if other rules get added to the output chain as well
02:35 < tds> that was why I suggested the -j return rule, then the modification for enabling/disabling one of those chains is easily contained within the chain itself
02:36 < ac_slater> guys I know this is networking 101, but I have eth0 with 192.168.10.x and it goes to my WAN/internet, I also have eth1 that is 192.168.20.x that goes to my lan (with default gateway 192.168.20.2 to my VPN server). How can I route ONLY 192.168.20.0/24 to eth1 ?
02:36 < ac_slater> ie - multi default gw ?
02:36 < sawgood> why is the Ubiquiti channel invite only?
02:38 < ac_slater> oh I guess I just want to specify gateway, not default gw for my second interface
02:39 < tds> ac_slater: so do you want to route traffic from a certain source subnet out via a different default gateway?
02:39 < tds> if so, you want to look into policy routing
02:40 < ac_slater> yea I do want that, thanks mate!
02:40 < ac_slater> any recommended readings?
02:41 < tds> what kind of router are you doing this on; something linuxy based off those interface names?
02:41 < redrabbit> #ubnt is an open chan
02:43 < ac_slater> sadly it's a DSR-250
02:43 < ac_slater> tds: ^
02:43 < ac_slater> (dlink)
02:44 < tds> ah, not a clue in that case, sorry
02:44 < redrabbit> My condolences
02:45 < banisterfiend> tds i dont quite understand this: "might it make more sense to add a -j RETURN at the start of each chain (based on if you want to disable it), then you can modify them individually" what do you mean exactly? apologies for my ignorance
02:46 < ac_slater> thanks guys
02:46 < tds> banisterfiend: my thought was that you could add a rule like -I KILLSWITCH_OUTPUT_RULES -j RETURN at the start of the chain in order to disable it, that way you can easily add/remove that single rule in the chain rather than having to worry about the order in the output chain
02:47 < tds> also, out of interest, is there any reason you're filtering on the output chain? normally I'd say to just leave that as accept, since you typically trust traffic originating from the host itself (there are of course reasons not to eg on shared boxes, just thought I'd check)
02:48 < banisterfiend> tds it's for a VPN, i'm hiding the host ip
02:50 < banisterfiend> tds ah i understand
02:50 < banisterfiend> that's a cool idea, but i think i want to remove the chain altogether to leave the user's system as i found it
02:52 < tds> ah right, just removing the entire chain and your output rules makes sense then
02:54 < ac_slater> tds: I figured it out
02:54 < ac_slater> I just needed a static route
05:19 < ASmith> Hi, can someone help me spot the error and suggest the correct syntax in this Nginx default file for a Reverse SSL Forwarding Proxy for Multiple http Servers, Domains and Ports https://pastebin.com/5g9AJ1K6
05:22 < light> nginx -t -c nginx.conf
05:22 < ASmith> that pulls up the test which is going to state it fails?
05:24 < ASmith> its not locating it light!
05:24 < ASmith> looks like a bad install perhaps light...
05:43 < ASmith> I went into /var/lib/dpkg/ingo and removed all the crap nginx listings then was able to upgrade and update the files
05:44 < ASmith> I'll start over and then return if there's still an issue with the default site server blocks light, thanks
05:44 < ASmith> * /var/lib/dpkg/info
06:30 < sarthak> Hello. I wanted to learn networking so I set up GNS3 on linux mint but then I have no idea on how to start. I want theory and practical (tinkering around with GNS3 maybe?) to go side by side while I learn. Also, I cannot buy any hardware atm. Can anyone provide any resources to help me get started? Thanks.
06:32 < light> you need images to use GNS3
06:32 < sarthak> I've downloaded the default GNS3 image
06:33 < light> I don't think GNS3 is the right place to start for someone that knows nothing about networking
06:34 < sarthak> okay
06:34 < sarthak> light: what do you recommend?
06:35 < light> get a CCNA or something
06:35 < light> or start by learning how your home network is setup and why
06:35 < sarthak> okay
06:35 < sarthak> but I can't buy any equipment rn
06:36 < sarthak> can I do CCNA without any equipment?
06:36 < light> yes
06:36 < sarthak> thanks
07:15 < amosbird> Hi, which should I use for proxy? socks or tunnel ?
07:15 < light> An actual proxy.
07:16 < amosbird> I mean the implementation of the proxy
07:16 < light> The question is a little vague.
08:50 < orlock> Anybody know what might listen on UDP 52554?
08:56 < longxia> orlock: which operating system?
08:56 < orlock> Any of them
08:57 < longxia> on windows you could use netstat -anb to see the executable using it. May not be of much help though. On linux you can use lsof.
08:58 < orlock> Yes, i'm aware
08:58 < orlock> I'm just wondering why some random hosts on the internet are sending UDP packets to that port
08:59 < orlock> On non-existent ports
08:59 < orlock> on empty netblocks
08:59 < longxia> ah, i see. No idea. Nothing on google?
09:00 < orlock> Not that i can see
09:00 < orlock> didnt check services.. but nothing there either
09:00 < orlock> i can only assume its some botnet C&C trigger/callback packet?
09:16 < tpr> are the incoming datagrams similar from all the sources?
09:17 < tpr> are they coming regularly from same networks/addresses?
10:51 < Alexander-47u> hi
10:52 < Alexander-47u> i have two network interfaces one 192.168.1.1, eth0, a huawei 3g dongle in my raspberry pi to be exact, and wlan0, connected to my local area network
10:52 < Alexander-47u> 192.168.2.1
10:53 < Alexander-47u> i want to be able to access the 192.168.1.1 from the 192.168.2.0 network, with my laptop that is also connected to my local area network
10:53 < Alexander-47u> any quick methods? :p
10:54 < Alexander-47u> i need to tunnel out a single port, 80, i could use ssh tunneling i guess
10:54 < Alexander-47u> but are there other 'good' ways?
10:54 < bezaban> ip forwarding and routing
10:57 < Alexander-47u> :p
10:58 < Alexander-47u> thats not really clear bezaban
10:59 < bezaban> enable ip forwarding on the pi and set the clients to route via it :)
10:59 < bezaban> for the subnets in question
11:00 < bezaban> need routes both ways so you don't get in an asymmetric situation
11:00 < Alexander-47u> iptables -A FORWARD -i eth0 -o wlan1 -j ACCEPT && iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT ?
11:00 < bezaban> you can ssh tunnel, but that requires some daemon tweaks to be able to expose it on a public interface unless you want two tunnels
11:01 < bezaban> sysctl -w net.ipv4.ip_forward=1
11:02 < Alexander-47u> are these commands good that i wrote?
11:05 < Alexander-47u> https://gist.github.com/tzermias/5408466
11:05 < Alexander-47u> this will be good right?
11:06 < bezaban> don't need those, I'd get the forwarding and routing in place first and then look at iptables
11:06 < bezaban> you just want to route to directly connected networks
11:07 < bezaban> oh, you want to nat it too?
11:07 < v0Lk> Is there a way to completely backup a semtech packet forwarder container (and the host OS) within a Cisco IXM-LPWA-800 LoRa gateway? I was considering using DD as I always have but if I'm backing it up it'll eat any space left on the flash
11:08 < Alexander-47u> i want to access 192.168.1.1:80 from 192.168.2.1
11:08 < Alexander-47u> thats all
11:11 < Alexander-47u> the pi is dual homed
11:11 < bezaban> then all you need to do is enable ip forwarding and put routes on device on each side via pi
11:12 < Alexander-47u> iptables -A FORWARD -i eth0 -o wlan1 -j ACCEPT && iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT ? should be enough then right?
11:13 <+catphish> Alexander-47u: what sounds like just accepting everything, no?
11:13 <+catphish> Alexander-47u: why bother to have a firewall at all
11:13 < bezaban> Alexander-47u: ignore iptables.
11:14 <+catphish> oh, you also want NAT, fun :(
11:15 < bezaban> I'm not sure, he said no to that
11:15 < bezaban> sounds like just routing two connected networks
11:16 < Alexander-47u> i want to access 192.168.1.1:80 from 192.168.2.1 :P
11:17 < Alexander-47u> so net.ipv4.ip_forward = 1 would be sufficient i think?
11:18 < djph> and a routing entry on the 1.0/24 gateway. Unless the 2.0/24 gateway is doing NAT
11:19 <+xand> gross
11:19 <+xand> don't NAT between internal networks
11:19 < djph> xand: you know that, I know that ... everyone who uses two linksys routers thinks it's the only way ...
11:21 < bezaban> Alexander-47u: yes, and routes
11:21 < bezaban> and then add packet filtering if you so desire
11:22 < bezaban> going to lunch in the sun today methinks
11:30 < Alexander-47u> thanks :)
11:30 < Alexander-47u> it is clear now
11:54 < mnaumann> hi there. would someone offer their help in diagnosing why my iodine tunnel doesn't seem to forward packets?
12:00 < mnaumann> i have the latest version of iodined running on a kvm instance, and am using the andiodine android client (on two devices in different networks / behind the internet) as well as an older iodine version (the one in ubuntu 16.04) to connect to it. the connection + tunnel is always established fine, but traffic doesn't seem to flow properly.
12:09 < mnaumann> here's what the server logs (and how i run it): https://paste.debian.net/1026544/
12:10 < mnaumann> MYDOMAINWAS.HE.RE and MYPASSWORDWASHERE are obviously fake, i replaced the original values in all occasions.
12:30 < TandyUK> have you got relevant iptables rules to allow and/or forward/nat/etc traffic?
12:31 < TandyUK> also what ip are your clients using?
12:31 < TandyUK> it should be a 10.10.1.x ip, with 10.10.1.1 as gateway
12:32 < TandyUK> I also dont see a subnet mask being set anywhere, so this could also be wrong
12:32 < TandyUK> "Add more -D switches to set higher debug level." also share your config, and the config/logs from one of the clients
12:38 <+catphish> did you get a GDPR cake? because we did! https://i.imgur.com/hvEh0V6.jpg
12:40 < Phil-Work> Gdpaaaaaaargh
12:41 < Phil-Work> I'm pleased to see 3 e-mails today asking for my consent to contact me
12:41 < Phil-Work> pretty sure they just did that
12:41 <+catphish> lol
12:42 <+catphish> i'm gonna contact you with or without your permission, mwahahahaahaha
12:42 < mast> :P
12:42 < mast> I swear if I get one more email...
12:42 <+catphish> it's just a friendly reminder of how many companies you gave your details to :|
12:43 < Phil-Work> it's a friendly reminder of how many companies stole my details from somewhere
13:15 < plitter> is there a way of displaying the data packets without the hex in tcpdump?
13:20 < mAniAk-_-> in ascii?
13:22 <+xand> -A ?
13:23 <+xand> or save to file and use wireshark to open it
13:23 < NeilHanlon> Anyone have any recommendation for reading material on SDN, OpenFlow, OpenCompute, etc?
13:23 < NeilHanlon> We're implementing BigSwitch's Big Cloud Fabric and I want to learn more about the underlying tech
13:30 < mnaumann> TandyUK: thanks again, but i need to run, i'll come back with these details later
13:30 < mnaumann> (and sorry about the disconnect, still experimenting here)
13:41 < regdude> does anyone know why in MPLS when you do a traceroute, then the second hop in the MPLS "cloud" times out with TTL propagation? Without TTL propagation MPLS is hidden
14:02 < linuxconformer> guys how does cloudflare SSL work?
14:35 < AlVal> I installed a pi-hole on my home network. router/gateway (netgear nighthawk r7000) is 192.168.0.254, pi-hole acts as dns server and lives at 192.168.0.29. samsung tv lives at 192.168.0.1
14:35 < AlVal> so i think all is good, the pi-hole will block all the dodgy traffic that the samsung tv tries to initiate without you realising
14:36 < AlVal> tv has its dns server set to the pi-hole of course. but wait... get this... after it realises that it can't resolve any of the domains it wants to get to
14:36 < AlVal> the TV overrides the dns settings you told it to use, and has a hard coded fallback to 8.8.8.8 if it cant get to where it wants to by your dns server
14:37 < Kingrat> sounds like you need to block all dns traffic outbound except from your pihole
14:37 < AlVal> I find that very offensive
14:37 < AlVal> Kingrat: you're talking my language now
14:37 < AlVal> Kingrat: but i dont understand static routes
14:37 < AlVal> Kingrat: not confident in how to set up that block effectively on the netgear nighthawk
14:38 < Kingrat> nothing to do with routing, it should be a simple firewall rule
14:38 < Kingrat> block all outgoing to port 53 udp except from pihole, or if you have to allow pihole to 53 udp outgoing before a deny by default to 53 udp
14:40 < AlVal> Kingrat: the netgear doesnt give me an interface that a technical person would expect. its all more english language style which leaves it a bit unclear technically what its gonna do
14:41 < Kingrat> maybe they have some docs showing how to create firewall rules on their interface *shrug*
14:41 < AlVal> Kingrat: there's "security - block services" and i can choose dns as a service, port 53 tcp, and select the ip or ip range to apply that rule to, but should i assume that means it will block port 53 traffic outbound to the internet from the selected ip
14:42 < AlVal> Kingrat: or would it completely block that ip from dns service even across the internal network
14:42 < Kingrat> i have some pretty ugly interfaces but ive never messed with the nighthawk, the higher performance home router/ap in a single box didnt become a thing until after i already started using pfsense/dedicated aps
14:43 < Kingrat> can you allow it from your pihole to 0.0.0.0, and then block from 0.0.0.0 to 0.0.0.0
14:43 < at0m> AlVal: my TV is MAC-blocked for that reason. if it had an option to use a proxy, i just might allow it access to some sites, but it doesnt. at least i could manage its access permissions via the proxy then
14:46 < AlVal> at0m: if it had a proxy, given how it chooses to ignore the dns server you tell it to use at-will, i wouldnt even trust that its using the proxy always
14:46 < AlVal> at0m: although the block to traffic outside proxy could fix that i guess
14:46 < at0m> AlVal: hence my mac-blocking the TV altogether
14:48 < AlVal> at0m: yeah i just wanted youtube to still work on the tv, and some sip channels. i like not having extra boxes outside the tv and the software in there, i just wish there were trustworthy custom open source operating systems you could replace your tvs os with
14:49 < at0m> there is one for my TV, but it's quite a hack and i don't feel for bricking my tv =)
14:49 < AlVal> kind of like putting cyanogenmod on your phone etc
14:50 < at0m> #lineageOS nowadays, but yea. if i don't have root, it doesnt get to my network.
14:51 < at0m> i've stuck a media center micro-ATX PC to the back of my TV some years ago, and made the TV stupid again.
14:52 < AlVal> at0m: yeah i guess i should re-look at what mini computers can do these days, can probably get a lot of power in a small form factor now
14:52 < AlVal> and would probably have a better plex client than the native tv anyway
14:54 < AlVal> 4 amazon echos in the house, good god they go crazy for ntp servers, why the hell do they need to talk to an ntp server so often
14:54 < at0m> AlVal: one of my rpi's would do, too, but it's pretty slow. gave that to the kids. anyhow, better than a chromecast on my LAN.
14:54 < AlVal> isnt an ntp just something you would check like once a week to ensure your clock is good
14:55 < at0m> maybe they boot often? i can imagine they don't have onboard RTC so don't keep clock on their own over reboots
14:55 < dogbert2> well, a better method is to have a master NTP device in your network (which does the polling) and everyone else grabs their NTP update from it
14:55 < AlVal> dogbert2: you can't even tell an amazon echo to use a static ip
14:55 < AlVal> dogbert2: never mind which ntp server to use
14:55 < at0m> kill it
14:56 < at0m> Does It Blend?
14:56 < AlVal> hahaha
14:56 < dogbert2> well, I have no use for an amazon echo, so I don't own one :)
14:57 < AlVal> dogbert2: the only thing we seem to consistently use them for is setting a cooker timer for 10 mins or something or asking the time
14:57 < AlVal> so youre not really missing out
14:59 < AlVal> being able to say set timer for 20 mins while hands are full putting food in the oven is helpful, nothing else has much value. i turn a light on or off with it sometimes. but now i heard that even the light bulbs are talking to the internet behind your back haha
15:01 < at0m> why else would they be online
15:02 < at0m> it's not that they're hiding it from you. it's why you bought them.
15:03 < adrian_1908> Quote: "Each Class A network can have up to 16.7 million unique hosts on its network. The range of host address is from 1.0.0.0 to 127.255.255.255."
15:03 < adrian_1908> I thought each Class A network would have a unique first octet. Shouldn't the possible range of host addresses go from (fixed).0.0.0. to (fixed).255.255.255 then?
15:03 < adrian_1908> (per class A I mean)
15:03 < AlVal> the other thing that really annoyed me was that i saw that the samsung tv was consistently talking to an israeli company called giraffic, and when i looked into it
15:03 < AlVal> it looks like your tv becomes a cdn network peer
15:04 <+catphish> adrian_1908: first of all, lets get this over with: there's no such thing as a class A network
15:04 < AlVal> helping their cdn stream video to others using your bandwidth
15:04 <+catphish> adrian_1908: they have been deprecated for 20+ years
15:04 <+catphish> adrian_1908: secondly, this is 2 totally separate facts
15:05 <+catphish> adrian_1908: 1) a class A network was a /8, with 16,777,216 IPs
15:05 < at0m> AlVal: yes, that's all in documents you've agreed to.
15:05 <+catphish> adrian_1908: 2) a class A address is defined as being in the range 0.0.0.0 - 127.255.255.255
15:05 <+catphish> adrian_1908: these are 2 separate facts, so you're correct, each network has its own leading octet, and there are 128 such networks
15:06 < at0m> AlVal: my LG falls back to stupid TV for my not agreeing with their terms.
15:06 < adrian_1908> catphish: Ah I see, the second statement wasn't linked to the first, but talked about the "global" range so to speak. Thanks.
15:06 <+catphish> adrian_1908: correct
15:07 <+catphish> adrian_1908: in modern terms, a class A would be defined as any /8 subnet inside 0.0.0.0/1
15:08 <+catphish> similarly, a class B network would be any /16 inside 128.0.0.0/2
15:08 <+catphish> but we don't use these classful definitions any more
15:09 <+catphish> the original intention was that a router could look at the first octet to determine the size of the network (anything starting with 0-127 was class A), but in modern networks, the size of the network is defined separately
15:34 < AlexPortable> SOHO router is set to static LAN DNS server, yet the computers somehow forget(?) after some time that they should use those, and they just use the ISP ones, how can i diagnose/fix ?
15:35 < dan01> if the command route -n, what does the ip 0.0.0.0 mean in the destination column?
15:35 < dan01> in the command*
15:35 <+xand> dan01: what OS is that? if it's linux use "ip route" instead and provide the output
15:35 <+xand> could be IP address or netmask
15:36 <+xand> AlexPortable: umm the PCs can't just magically get the ISP DNS servers from somewhere, maybe you have two DHCP servers
15:36 < AlexPortable> pretty sure i dont
15:36 < AlexPortable> i presume the router just tells me the ISP's DNS servers, but i dont know why
15:36 < regdude> unless there are two DNS Servers listed
15:37 < dan01> xand: default via 192.168.0.1 dev wlp2s0 proto dhcp metric 600
15:37 < dan01> 192.168.0.0/24 dev wlp2s0 proto kernel scope link src 192.168.0.104 metric 600
15:37 < dan01> 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
15:37 < dan01> that's it
15:37 <+xand> OK, what's the line from "route -n"?
15:38 <+xand> AlexPortable: tell the router to give out your desired DNS servers?
15:38 < AlexPortable> well i have
15:38 < AlexPortable> but sometimes it stops working
15:38 < AlexPortable> i check the computers dns entries and the isp ones show up
15:38 < dan01> xand: 0.0.0.0 192.168.0.1 0.0.0.0 UG 600 0 0 wlp2s0
15:38 <+xand> I believe that is the default
15:39 < dan01> xand: I guess my question is what does the first column "destination" mean, the destination where the packet is heading to?
15:39 <+xand> yes
15:40 < dan01> xand: So 0.0.0.0 is there for packets that come from outside? Because why would I send packets to myself?
15:41 <+xand> no... 0.0.0.0 IP address with 0.0.0.0 netmask (first and third columns) means the default route
16:01 < linuxconformer> is nobody here?
16:01 < skyroveRR> yup
16:02 < linuxconformer> ok cool, just wondering if it's possible to trace a browser request
16:02 < skyroveRR> yup
16:02 < linuxconformer> e.g. to trace the whole path http://google.com takes
16:02 < linuxconformer> how can i do this?
16:02 < skyroveRR> Which OS are you on?
16:02 < linuxconformer> linux
16:02 < skyroveRR> curl -v http://google.com
16:02 < turtle> first thing you have to do is yell ENHANCE
16:02 < linuxconformer> but is there no website that does this?
16:03 < skyroveRR> linuxconformer: linux already has the tools. Why do you need a website?
16:03 < skyroveRR> linuxconformer: run that command, see whether that's what you want.
16:03 < linuxconformer> skyroveRR: thought there might be a website with a nice UI, but it's not so important
16:03 < qman__> The information is only visible client side, a website cannot do that for you
16:04 < qman__> The chrome debug tools are useful for this as well
16:04 < qman__> ctrl+shift+i, network tab
16:05 < linuxconformer> skyroveRR: i have another question, if im using cloudflare for SSL, does my app need to be served on :443?
16:17 < skyroveRR> linuxconformer: yup.
16:17 < linuxconformer> skyroveRR: for is that?
16:17 < linuxconformer> *why is that
16:19 < skyroveRR> Not really a cloudflare user, but from what I've gathered, people usually do SSL on their end, too, linuxconformer
16:19 < linuxconformer> skyroveRR: it's not *required* though is it?
16:20 < linuxconformer> i.e. if i'm serving an application from mywebsite.com:80, and i point cloudflare to it, then accessing https://mywebsite.com should work, no?
16:20 <+xand> linuxconformer: I don't think it is required
16:20 <+xand> but it's a good idea.
16:21 < linuxconformer> xand: agreed, just wanted to make sure though, because i'm using cloudflare and when i try to access my website over https, it's failing
16:21 <+xand> umm I think they have some different settings for that in the config
16:22 < ahyu84> anyone here using PIA VPN?
16:22 < fattredd> I am
16:22 < ahyu84> cool~
16:22 < ahyu84> any feedback on their VPN?
16:22 < ahyu84> is it reliable + trustable?
16:22 <+xand> linuxconformer: see "Flexible SSL" on https://support.cloudflare.com/hc/en-us/articles/204144518-SSL-FAQ
16:22 < fattredd> Great speeds. Super reliable. Lots of endpoints. Great price
16:23 < ahyu84> okay
16:23 < ahyu84> thx
16:23 <+xand> not sure how you can tell how trustworthy such a service is
16:23 < fattredd> 10/10 do recommend
16:23 < ahyu84> ok
16:23 <+xand> unless you personally know the owners or something
16:23 < fattredd> That's fair I guess
16:23 < ahyu84> as long as there is no log should be ok
16:23 < ahyu84> I don't like record our activity
16:23 < fattredd> They claim they don't log anyway
16:24 < fattredd> They also aren't US based
16:24 < fattredd> so that's good
16:24 < ahyu84> ^_^
16:25 <+xand> ahyu84: you can't know if there's a log.
16:26 < ahyu84> hmm
16:26 < skyroveRR> And never trust any VPN provider..
16:26 < fattredd> https://www.privateinternetaccess.com/pages/privacy-policy/
16:27 < linuxconformer> skyroveRR: does it usually take a while for the https to start working?
16:27 < skyroveRR> linuxconformer: not used them, so can't say.
16:28 < tda> use cryptostorm. i never got on pia because they wouldnt take my money. it's probably a honey pot
16:29 < fattredd> Lol what?
16:30 < tda> try paying with a gift card over tor or another vpn. you'll see
16:30 < fattredd> Damn you're paranoid AF
16:31 < tda> they say they take anonymity and privacy seriously
16:31 < fattredd> Also you don't trust a VPN, but you trust tor?
16:31 < ahyu84> lol guy calm down..
16:31 < ahyu84> chill
16:32 < tda> i didn't say i trust tor. i didn't want pia to get my ip until i could be sure they were legit
16:33 < fattredd> Interesting. I never thought about that. What are you worried they could do?
16:33 < EmberCrest> Hey everyone. I'm looking into my office's network problems. People's connections keep dropping. I checked on Wireshark, and when the problems start, our computers start sending out ARP requests to identify 192.168.0.1 (gateway)
16:34 < EmberCrest> Then the gateway starts sending out ARP requests for the individual IPs
16:34 < EmberCrest> There seems to be about a 20 second delay between disconnection and connectivity restoration.
16:34 < grawity> but not ARP responses to the requests it received?
16:35 < ahyu84> @EmberCrest might be switch issue, or same cable connected to same switch
16:35 < grawity> what devices do you have between your computer and the gateway?
16:35 < grawity> including switches, access points, etc.
16:36 < EmberCrest> grawity: exactly. it doesn't respond to requests and then I see it make a bunch of requests itself.
16:36 < EmberCrest> So this is on a Wireless network too
16:36 < EmberCrest> I DO have an ethernet switch connected to one of the ports on the network
16:37 < EmberCrest> on the router*
16:37 < EmberCrest> Weirdly, the one computer plugged into the switch never loses connectivity.
16:37 < grawity> is the AP integrated into the router, or separate?
16:37 < EmberCrest> Sorry, what's an AP?
16:37 < EmberCrest> oh access point
16:37 < grawity> Wi-Fi access point, yes
16:37 < EmberCrest> Not entirely sure. It's an all-in-one router+modem from the ISP.
16:37 < EmberCrest> I'm guessing yes.
16:38 < grawity> in general if you don't have a separate device for Wi-Fi, and especially if the router has antennas sticking out...
16:39 < EmberCrest> Got it.
16:39 < grawity> anyway, I'd guess either some part of its wifi radio is dying, or there's some *serious* radio interference coming from somewhere
16:40 < grawity> just a wild guess though
16:40 < EmberCrest> Hmmm.. it's possible. We're on a 5G network.
16:40 < grawity> but if it has moments where it's able to send packets over wi-fi, but not receive them over wi-fi
16:40 < grawity> as in 5 GHz?
16:40 < EmberCrest> Yeah
16:41 < EmberCrest> Which supposedly has smaller interference susceptibility
16:45 < linuxconformer> how do i check which DNS my website is on?
16:46 < skyroveRR> linuxconformer: whois
16:46 < skyroveRR> Again, on your linux machine.
16:46 < linuxconformer> thanks
16:49 < linuxconformer> skyroveRR: is it possible that a previous attempt at using LetsEncrypt screwed up cloudflare ssl?
16:50 < skyroveRR> IDK..
16:51 < linuxconformer> ok man no problem
16:51 < skyroveRR> :)
16:54 < fattredd> Hey so I've got a question about an openVPN server that I've set up on my Ubiquiti Edge Router.
16:55 < fattredd> The goal is to be able to access devices on my home network from afar, but it looks like OpenVPN wants to have its own subnet. How can I connect to 192.168.1.0/24 from 191.168.2.0/24? How do I forward all traffic to the vpn?
16:55 <+xand> it has its own subnet but the router routes between them
16:55 < Barones> ^
16:55 < skyroveRR> ^^
16:55 <+catphish> ^^^
16:55 < Emperorpenguin> fattredd: depends how you do it
16:56 < Emperorpenguin> with a "dev tun" you need a separate subnet
16:56 < Emperorpenguin> with a "dev tap" connected to a bridge interface that's also connected to your ethernet network, you can use the same addressing
16:56 <+catphish> fattredd: the router will route between the 2 subnets, you may need to push a route to the LAN out to VPN clients
16:56 <+catphish> once you do that, it should just work
16:57 < fattredd> Do I need to explicitly create a route for the two subnets?
16:58 < grawity> not that you should use the same addressing though...
17:02 < Windy> !#$@$ Palo Alto
17:03 < SoniEx2> I think this router is broken
17:07 < fattredd> Hold on I'm confused. Should I have to tell the router to route between the subnets?
17:08 < fattredd> Or should that just magically happen?
17:10 < grawity> you do need to tell it the route towards the VPN subnet
17:12 <+catphish> fattredd: no, because the router is connected to both subnets, it already has routes to them
17:12 <+catphish> fattredd: you just need to make sure that the clients have routes to them
17:13 <+catphish> or if their default route is the router, that's good enough
17:13 < fattredd> So when I connect to my VPN right now, I get the IP 192.168.2.24
17:14 <+catphish> ok
17:14 < fattredd> I cannot ping 192.168.1.1
17:14 < turtle> how are those two things related?
17:14 <+catphish> fattredd: and what routes do you have?
17:14 <+catphish> fattredd: my immediate guess would be you have no route to 192.168.1.1
17:14 < fattredd> I would agree haha. How do I do that though?
17:15 <+catphish> you need to push that route from the openvpn server
17:16 <+catphish> i think the syntax you want is: push "route 192.168.1.0 255.255.255.0 192.168.2.1 1"
17:16 <+catphish> assuming 192.168.2.1 is the vpn server
17:16 < fattredd> In the server config?
17:16 <+catphish> yes
17:16 < fattredd> Okay gotcha
17:16 < fattredd> What's that trailing "1" doing?
17:17 <+catphish> that will then push that config to the client, which will install that route (a route to 192.168.1.0/24 via the vpn server)
17:17 <+catphish> metric
17:17 <+catphish> it really doesn't matter what you specify there, examples seem to use 1
17:17 < fattredd> Mmm okay. I gotcha
17:18 < fattredd> Thanks +catphish
17:42 < fnDross> anyone know any _good_ android apps that help troubleshoot networks?
17:42 < fnDross> only using Fing right now :/
17:43 < tds> https://networktools.he.net/ is nice
17:44 <+catphish> obvious tool: wifi analyzer
17:45 <+catphish> i use this often: https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=en_GB
17:50 < redrabbit> the open source one is better and ad free
17:53 < heller_> what do you guys suggest, if i need a quick way to deploy VPN clients as gateway with minimal effort
17:54 < Apachez> which one?
17:55 < Apachez> landroid is nice for trace, dns, ssl etc
17:55 < heller_> maybe openvpn or something
17:59 < Apachez> "VPN clients as gateway"?
17:59 < Apachez> http://www.consilium.europa.eu/sv/general-secretariat/corporate-policies/classified-information/information-assurance/eu-restricted/ pick one ;)
18:00 < Apachez> I like these as vpn clients http://www.consilium.europa.eu/sv/general-secretariat/corporate-policies/classified-information/information-assurance/eu-restricted/vpn-encryptor/pgai-9421/
18:02 < heller_> i mean so i can have LAN devices behind it and access them without caring what connection they have
18:02 < detha> heller_: zerotier
18:11 < heller_> but zerotier clients need an app?
18:11 < heller_> i can't install an app to a router :L)
18:19 < fnDross> heh wishin i had an extra pc w/ wifi to test this setup :/
18:20 < fnDross> 533mhz desktop w/ NT doesn't count
18:29 < tds> heller_: a little openwrt router + openvpn could work
19:17 <+catphish> He's making a list, He's checking it twice, He's gonna find out who's naughty or nice
19:17 <+catphish> Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679
19:18 < UncleDrax> I should self-comply with that. like anytime I meet someone I'll ask their name again.. since I won't be storing it, or anything about them.
19:19 < fnDross> we could probably class action him
19:19 < fnDross> get the things we never got from our lists growing up
19:20 < UncleDrax> would you really want a bunch of Ponies/Horses/Firetrucks showing up on your lawn like.. right now?
19:20 <+catphish> UncleDrax: it doesn't apply to natural persons engaged in non-business activities, you're lucky
19:20 < fnDross> maybe
19:20 < UncleDrax> catphish: doesn't mean I can't comply with it anyway.. just means the EU won't try to enforce compliance.
19:20 < fnDross> I'm legal to drink now and those items would be entertaining
19:27 < AlexPortable> SOHO router is set to static LAN DNS server, yet the computers somehow forget(?) after some time that they should use those, and they just use the ISP ones, how can i diagnose/fix? i check the computers' dns entries and the isp ones show up
19:28 < ouemt> I've got an ubnt er-4 that I barely know how to use, and DNS lookups on all my devices take forever and/or fail, can someone suggest some troubleshooting?
19:31 < djph> AlexPortable: double-check the router's DHCP server that it's providing the right thing
19:31 < AlexPortable> yep it is
19:31 < AlexPortable> after rebooting it it works fine again
19:34 <+catphish> i'm legal to drink now too
19:34 <+catphish> i was legal to drink from my 5th birthday until the first time i drove a car :)
19:35 < djph> sounds like the router's misbehaving; or perhaps there's another DHCP server somewhere on your network providing the wrong info.
19:35 < AlexPortable> nope there is not
20:04 < spaces> catphish I think you are not allowed to drink from your 5th, so as a little boy
20:04 < squealingcode> I've just set up two SFP+ network cards, given each an IP, but there's no connection. Systems at both ends run Ubuntu/Debian. Any idea where to start? lol
20:04 < squealingcode> No connection = cannot ping each other.
20:04 < ouemt> squealingcode: have you defined a route?
20:04 < Apachez> so how did you set them up?
20:04 < squealingcode> They're on the same subnet.
20:04 < Apachez> 2 nics
20:04 < Apachez> one sfp+ in each
20:05 < Apachez> what kind of sfp+?
20:05 < Apachez> what kind of cable?
20:05 < Apachez> try to switch rx/tx at one end?
20:05 < Apachez> still no link?
20:05 < squealingcode> Fiber optic cable
20:05 < Apachez> suuuuuure
20:05 < Apachez> singlemode, multimode?
20:05 < Apachez> it's like "I got a car"
20:05 < spaces> Apachez maybe wrong type of cable
20:05 < Apachez> it's a difference of trabant vs ferrari on how you start them up
20:05 < ouemt> still looking for help with DNS troubleshooting if anyone has time, my google-fu is failing at this
20:05 < Apachez> so again
20:05 < Apachez> answer each question
20:05 < Apachez> which nics?
20:05 < spaces> Apachez no you start them the same way
20:06 < squealingcode> I know, I am sorry. This is the first time I set up this kind of equipment, but I was sure that everything was compatible.
20:06 < Apachez> yet you fail to answer simple questions
20:07 < squealingcode> OK, give me a sec and I'll see if I can answer your questions
20:07 < spaces> Apachez life is difficult so are your questions :P
20:08 < squealingcode> Yes, there's one SFP+ card in each machine. The cable is "SFP/SFP+ compatible". I have no idea how to switch "rx/tx" at one end, the cable is already terminated and "ready to go", so I guess everything should be in order inside.
20:09 < squealingcode> The cards have different vendors, idk if that means anything? One is Chelsio, the other is Mellanox
20:10 < djph> what's the cable, SM/MM patch. Is it straight-through, or crossover (if crossover, one end will have the fibres flipped around - you'll be able to see that)
20:10 < squealingcode> This is the cable: https://www.ebay.com/itm/15m-Extreme-Networks-10GB-F15-SFPP-Compatible-10G-SFP-Active-Optical-Cable/192477763064?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2057872.m2749.l2649
20:11 < djph> oh, it's a DAC?
20:12 < squealingcode> I guess? The cable itself is fiber optic and the ends are the typi
20:12 < Apachez> "SFP/SFP+ compatible cable" WHAT THE FUCK IS THAT!?
20:12 < squealingcode> look like the typical SFP transceiver ends
20:12 < Apachez> djph: AOC
20:13 < Apachez> according to that link
20:13 < djph> yeah, looked at the pic, didn't read the desc
20:13 < djph> lalalala
20:15 <+catphish> squealingcode: sorry if i'm late to this conversation, but 1) if it has a link it *should* work 2) check the link 3) use tcpdump at each end to see what happens
20:18 < squealingcode> Thank you, catphish. Afaik there is link up on both cards (constant green light)
20:19 <+catphish> squealingcode: run ping on one, run tcpdump on the other, see what arrives
20:19 <+catphish> wow, is that a fibre cable and 2 optics all hardwired together?
20:20 <+catphish> if so, what a terrible way to buy those things
20:20 < Apachez> that's why I don't like AOC nor DAC cables
20:20 <+catphish> i've never seen an AOC before
20:20 < Apachez> if/when one end breaks for whatever reason the whole thing must be replaced
20:20 < Apachez> and they often cost $130 and upwards
20:20 <+catphish> i like DAC cables, because they're cheaper than 2 optics and a fibre
20:20 <+catphish> but AOC just seems mad
20:21 < Apachez> while a fibermodule on its own goes for 16-32 USD (depending on multimode vs singlemode 10G)
20:21 < Apachez> catphish: no they are not
20:21 < Apachez> another downside is that they are often "branded"
20:21 < squealingcode> Nothing shows up in tcpdump :(
20:21 < Apachez> so a cisco dac doesn't work in a juniper device
20:21 < squealingcode> I'll check some things later, thank you for all your suggestions tho :)
20:21 <+catphish> 1m DAC is $10
20:22 < squealingcode> btw is it normal for the cards to get like super hot? It does not have a fan, and I can barely touch the heatsink after 10 min.
20:22 <+catphish> there's no way you can beat that with 2 optics
20:22 < Apachez> the SFP+ interface on its own has a power budget of 2.5W
20:22 < Apachez> and then the phy or whatever will use some watts
20:22 < Apachez> so you might end up with like 10W or so per nic in a computer
20:22 < Apachez> and 10W on small area = hot hot hot
20:22 <+catphish> 10G optics are more than $10 on their own
20:23 < Apachez> where do you see a dac cable for $10?
20:23 <+catphish> https://www.fs.com/c/generic-10g-sfp-dac-1115
20:23 <+catphish> fs.com 1m 10G DAC is $10
20:24 < Apachez> ahh right https://www.fs.com/c/10g-sfp-dac-1114
20:24 < Apachez> I would still prefer fiberoptics over dacs :)
20:24 < Apachez> some vendors put some magic id code for stacking
20:24 <+catphish> depends on the requirement, but personally i find DAC to be more reliable, more robust, and cheaper for a very short run
20:25 <+catphish> obviously for more than 3m, i'd always go proper optics + SM
20:26 <+catphish> with that said, my routers are connected with fibre patch cables, because they happened to come with the modules :)
20:26 <+catphish> but it seems kinda fragile
20:26 <+catphish> my SAN is all DAC
20:29 <+catphish> i'm 100km behind my year running target :(
20:43 < AlexPortable> Is it expensive to install fiber in a home network / house?
20:43 < AlexPortable> Looking at around 20 meter per cable
20:52 < TandyUK> why do you think you need fiber inside your house?
20:52 < TandyUK> do you have any cable runs over 100M?
20:58 < S_SubZero> sounds like quite a house if it can go that far in all directions
20:59 <+catphish> AlexPortable: it's generally unnecessary, but assuming you want it, i'd imagine the difficulty is terminating the fiber, or getting it pre-terminated in the exact right length
20:59 < AlexPortable> they aren't easy to buy like cat6a cables?
20:59 <+catphish> yes, but you can terminate cat6a cable
21:00 <+catphish> terminating fiber is hard
21:00 <+catphish> the fiber and media converters aren't too expensive, but installing it is hard i believe
21:01 < TandyUK> tbh if you used multimode, considering the short distances, it's not too hard with the shitty 'diy' connectors
21:01 < TandyUK> but personally I'd want it done properly
21:02 < S_SubZero> my buddy did a stint in an Amazon data center, they taught him how to terminate fiber and he says that's the only appreciable job skill he learned there
21:02 <+catphish> i don't know much about multimode, can you just cut it cleanly and push it into a plug?
21:03 <+catphish> my only experience of terminating fibre is splicing single mode to a pre-made pigtail
21:03 <+catphish> that process was difficult and the equipment is expensive, but i believe the results are excellent
21:04 <+catphish> that's how my FTTH was done, but i guess for short runs, you can do it more easily with MM, not ideal though
21:05 < S_SubZero> At MS they just threw money at the problem. They just bought infinite numbers of fiber cable in one foot increments, so we could always do a run with their extremely rigid and precise length cables.
21:06 < Apachez> https://www.youtube.com/watch?v=VcZD9kR19a4 wonder what the geigercounters said?
21:08 < yuppie> hello all
21:08 < yuppie> anyone familiar with UBNT USG Pro?
21:08 < yuppie> I'm trying to create two isolated networks
21:09 < yuppie> using two different WAN connections
21:09 <+catphish> S_SubZero: that sounds man
21:09 <+catphish> *mad
21:11 < S_SubZero> Apachez: there was a rumor, which I can't confirm, that the last test they did messed the site up in some bad way and they used all of this pomp and circumstance to hide the fact that they needed to blow up the place anyway
21:25 < jvwjgames> Hello everyone i am trying to reach 162.220.209.51 but can't
21:25 < jvwjgames> i can reach 162.220.209.37 but not .51
21:29 < electricbear> jvwjgames, either the IP is offline or it is not accepting ICMP
21:29 < jvwjgames> it is online but like i said i can't get to it
21:29 < electricbear> what does "get to it" mean
21:29 < electricbear> is it a VPS?
21:29 < jvwjgames> it is a cpanel server and i need to get it back online ASAP
21:30 < electricbear> how do you normally access it? SSH?
21:30 < jvwjgames> i can't login to the cpanel server or ping or traceroute to it
21:30 < jvwjgames> and i can't ssh either
21:30 < jvwjgames> .48/28 network is being routed through .37
21:31 < electricbear> who is the host
21:31 < jvwjgames> which is the master VM Server where the cpanel server is hosted
21:31 < jvwjgames> Me
21:31 < jvwjgames> i am hosting my physical servers at a local DC here in Utah
21:32 < electricbear> perhaps the VM is down?
21:32 < electricbear> I'm really not sure. not an expert
21:32 < electricbear> but good luck
21:33 < jvwjgames> no vm is up
21:33 < jvwjgames> it can ping out but i can't access it
21:33 < electricbear> it's a routing issue then
21:33 < electricbear> someone will help you
21:33 < tds> if it can ping out routing is likely fine, sounds more like firewalling to me
21:34 < tds> (assuming "ping out" = send out ping requests and get replies back)
21:34 < electricbear> ah good point tds
21:34 < jvwjgames> yes
21:35 < tds> if it's a web server, check that the web server is actually running and listening
21:35 < jvwjgames> it is
21:36 < tds> in that case I'd confirm you can poke the web server eg with curl/telnet on the vm itself, then check firewall rules, do a packet capture to confirm it actually sees incoming connections
21:41 < spaces> https://www.youtube.com/watch?v=63Ja39PJdrU Wheeehoooooeee!!
21:48 < seekr> I've begun experiencing the inability to connect to a win7 machine using ssh, which uses port 22. The machine uses a combo cable modem / router provided as part of AT&T Uverse service. I configured that router several years ago to permit connections on port 22, and all has been working fine until just recently, despite the fact that I haven't changed anything on the machine. I'm using Bitvise SSH server software, and have checked via a Putty
21:48 < seekr> connection from the machine itself that that server is responding to connection requests and working well. The firewall is being handled by the AT&T branded version of McAfee Internet Security Suite, which also appears to be configured correctly to permit connections on port 22 (though that port is not mentioned as such). Again, that software was not changed prior to the problem manifesting, so I doubt that it's involved. I attempted connecting
21:48 < seekr> on port 122, which I also opened on the router for test purposes, but I find myself unable to connect on that port also (though in that case, McAfee could be blocking the port). I used nmap on my own machine to see if I could determine what ports are open. It reported a couple of ports I use for VNC communication, but nothing else - though it indicated there are a truckload of "filtered" ports. I don't know how to unfilter such ports or whether
21:48 < seekr> such a thing even makes any sense. Ideas?
21:48 < jvwjgames> there is no firewall active
21:48 < jvwjgames> ok seekr don't paste multiple lines like that
21:49 < seekr> I pasted nothing - typed all those characters with my own fingertips. :)
21:49 < tds> jvwjgames: what about those other two parts - can you make http requests to the vm from itself, does it see incoming connections?
21:49 < electricbear> long messages are automatically spliced jvwjgames
21:49 < jvwjgames> oh ok sorry my bad seekr
21:49 < djph> seekr: so connecting from another machine *INTERNALLY* works, but connecting from a *REMOTE* location does not?
21:50 < seekr> I don't see the problem - I just provided a complete description of the problem, to save having to answer questions.
21:50 < seekr> djph: hi there - I think I recognise you from #linuxmint.* channels - you the same person?
21:51 < djph> maybe
21:51 < electricbear> seekr, it's no biggie. some channels prefer pastebin, etc, but it doesn't matter i don't think
21:51 < seekr> djph: I have no other machines handy on the LAN to try connecting - so I just used Putty on that machine itself.
21:51 < seekr> Thanks for the moral support, electricbear!
21:51 < djph> you'll need something (anything) that's not "that machine" -- even an android phone running the "connectbot" app will suffice.
21:52 < djph> because testing from localhost vs. a different host would be key if the mcafee firewall went full-stupid
21:53 < seekr> Well, I don't have ready access to the machine (it belongs to my aged uncle on the other side of a vast continent), but if you can give me the name of an ssh client for an iPad, I could see if I can get him to help me test from another machine on the LAN.
21:53 < djph> ask google. iDevices and Windows are two things I don't do.
21:53 < seekr> djph: yes - I understand - the reason I mentioned that factoid is that I wanted to establish that the ssh server software is working just fine
21:54 < djph> I've yet to call the ssh server into question.
21:54 < seekr> google is evil - but I could do a search for an app using something other than evilGoogle
21:55 < djph> I don't care what you use to search the fucking web ... just go look it up already.
21:55 < seekr> djph: understood - but I think it's relevant nonetheless - I wanted to establish that I've done as much as I can to try to eliminate possible sources of the problem
21:55 < djph> you have not. You've so far only confirmed the machine lets itself talk to itself.
21:56 < seekr> yes - I have not established that a local connection is possible - so you are right that I haven't done everything - I've done as much as I could under present circumstances - that's all
21:58 < djph> go find yourself that idevice program, and check. Once you've done that, then you've (mostly) ruled out the firewall on the machine. Once you've done that, you can take a look at the AT&T modem, and make sure it's doing everything properly -- e.g. forwarding to the right IP address / firewall's properly opened / etc.
22:00 < djph> ... I mean, I guess you could triple-check nothing stupid happened like the winbox has a different IP address than you expect right now ...
22:01 < seekr> djph: It's nearly impossible that the router is to blame, unless it's maybe gone at least semi-stupid, since I've been connecting successfully for æons, having configured the router to open that port when we first got the Internet service
22:03 < djph> I'm sorry, I thought you were asking for help troubleshooting. I'll just go back to enjoying my well-deserved beer.
22:03 < djph> good luck
22:03 < seekr> djph: Ein Prosit!
22:16 < jvwjgames> sorry for long delay, no tcpdump doesn't see connections coming in
22:16 < jvwjgames> and there are no firewalls on the system
22:24 < tds> I'd check on whatever router is upstream of it in that case
22:26 < Mughal56> /join #offsec
22:41 < jvwjgames> can some help me further on my issue
22:44 < ouemt> having super long DNS lookup times and some failures, how do I narrow down where the problem is? I've got an edgerouter that's doing caching and forwarding with it NATing requests to any DNS server besides my router
22:45 < djph> what DNS servers are you using?
22:45 < djph> also, it could be the router itself
22:45 < ouemt> djph: 1.1.1.1
22:45 < djph> try skipping the router, see if lookups suck less.
22:46 < djph> (i.e. point the pc directly to it)
22:47 < Poster> dig +trace may also be helpful
22:48 < ouemt> djph: will try that in a bit, requires a little rewiring
22:48 < ouemt> Poster: how's that
22:49 < Poster> https://ns1.com/articles/using-dig-trace
22:50 < ouemt> Poster: will look, thanks
22:51 < tds> jvwjgames: did you try packet captures on whatever router is upstream of that VM?
22:52 < jvwjgames> ya nothing, also i think i found the issue, the vm server uses a bridged system by default, i need to switch it to a routed system
22:52 < tds> bridging should work fine as long as the provider has all your IP space presented as on-link; if it's routed to an IP on another subnet then you'll need to change that design
22:54 < spaces> lol facebook is down?
22:59 < tds> jvwjgames: just to confirm about what you said earlier with it being able to "ping out" - what were you testing there?
22:59 < tds> if you're able to send echo requests to a certain address and get replies, but not do the same thing in reverse, that sounds very much like a firewall issue
23:04 < Apachez> GDPR in a nutshell https://i.imgur.com/Yj7wsHD.jpg
23:04 < spaces> Apachez eh?
23:11 < danieli> Apachez: I've seen a lot of memes that fit well for it
23:12 < spaces> Apachez is it, like... you cannot tell my penis size now as it's private?
23:13 < danieli> you did not understand the point of that meme whatsoever
23:14 < spaces> danieli smart one mate, that is why I ask
23:14 < linux_probe> lawl, avoid camera 101 accomplished
23:14 < Apachez> american choppers goes GDPR https://twitter.com/wbm312/status/1000040692037533696
23:15 < linux_probe> they didn't get my ugly mug on the shows
23:15 < spaces> Apachez I still wonder how many chairs they ordered each week
23:24 < Apachez> probably sponsored
23:25 < spaces> Apachez yeah and Sr. went bankrupt almost because everyone stopped sponsoring :P
23:26 < inky> is there a way to hide from my ISP my DNS lookups?
23:27 < spaces> use opendns
23:27 < spaces> oh!
23:27 < spaces> no use a HE tunnel
23:27 < tds> you can use dns over tls to hide them if you want (that relies on you trusting the remote server though)
23:27 < linux_probe> uhhhh
23:27 < spaces> for what reason actually?
23:27 < linux_probe> he tunnel isn't hiding anything
23:28 < tds> ^ it's still a plaintext udp packet inside a 6in4 packet
23:28 < linux_probe> no a VPN on the otherhand ;)
23:28 < linux_probe> now**
23:28 < inky> spaces: what's a HE tunnel? what does HE stand for?
23:28 < tds> I suspect spaces means he.net, they run a service for 6in4 tunnels (tunnelbroker.net)
23:29 < spaces> yes if it's for hosting your small website you can use he.net
23:29 < spaces> then on IPv6
23:29 < inky> i see thanks. is there no "direct" (without vpn) solution??
23:29 < spaces> otherwise do a VPN
23:30 < tds> inky: as I mentioned, if you have a remote dns resolver that you trust (and which supports it), you can use dns over tls
23:30 < ouemt> ok, I disabled NAT on DNS requests (I had been forcing everything to talk to my router), and it just took 15 seconds to query 1.1.1.1 for a major website using dig
23:31 < ouemt> it was like this with NAT on too, which I take to mean, it probably isn't the DNS on the router that's messing up
23:31 < inky> tds: oh i see now. thanks!
23:32 < inky> oh cool, says on wiki that android P will support dns over tls
23:32 < ouemt> inky: maybe dnscrypt?
23:34 < ouemt> djph: skipped the router as suggested, with NAT off `dig @1.1.1.1 cox.com` took 15 sec
23:35 < tds> ouemt: if you try and ping/traceroute to 1.1.1.1, do you see similar latency?
23:35 < tds> 15s response to dns requests sounds rather odd to me
23:35 < ouemt> tds: ping is ~10-12 ms
23:36 < tds> interesting - do you have mtr installed?
23:36 < tds> it might be worth trying it in both tcp mode and udp mode, with dest port 53
23:37 < ouemt> tds, I do have it but I've not used it before
23:37 < ouemt> gimme a min to sort it out
23:37 < tds> you'll want something like mtr -P 53 1.1.1.1, add --tcp and then try with --udp
23:40 < hmig> is it normal for voip phones to send multicast to 239.0.0.1
23:40 < hmig> ?
23:40 < hmig> i know it's a multicast address
23:40 < ouemt> tds, mk, it's running, max ping to one of those steps is like 80ms, and rarely higher than 25
23:40 < ouemt> I'm thinking this is something with my router I don't understand
23:40 < ouemt> it might still be trying to handle it locally
23:41 < hmig> but i've been having weird issues with voip and I think that the access switches are not forwarding multicast packets to the correct place....possibly
--- Log closed Sat May 26 00:00:33 2018