--- Log opened Sun May 27 00:00:34 2018
01:30 < Apachez> "Airmen responsible for guarding nuclear missiles caught using LSD" only in murica...
01:34 < spaces> eh ?
01:37 < Apachez> cbs reported yesterday
02:39 < spaces> Apachez ok
02:40 < spaces> this channel is really dead lately
02:41 < linux_probe> life, life life
02:41 < linux_probe> better?
02:41 < agent_white> Only on weekends.
02:42 < Whiskey`> my toxicity has killed them all
02:44 < ouemt> anyone have any experience with ubiquiti equipment? I've got a strange issue with my edgerouter and DNS that I can't figure out
02:46 < precise> ouemt: ##ubnt ?
02:46 < ouemt> precise: dead when I've tried
02:46 < precise> ouemt: It's relatively active
02:46 < precise> But it is Memorial Day weekend stateside, so it's quiet online overall
02:47 < ouemt> hmm... must have been bad luck, I posted in there a few weeks ago and saw no traffic after several hours, so I never went back
02:47 < precise> ouemt: It's quite active at times, but it can look dead. IDK about you, but once I join a chan I idle in there permanently
02:47 < precise> Cuz, ya know, logs, n shit
02:48 < ouemt> yeah, I do on some, but others I just leave
02:48 < ouemt> I might be misremembering, isn't there a ##ubiquiti or something?
02:48 * ouemt gets the channel list out
02:49 < precise> I think ##ubnt is the only IRC chan on freenode for such topics
02:49 < ouemt> there is ##ubiquiti, and it has 13 users
02:49 < ouemt> I bet that's where I tried
02:50 < ouemt> so thanks for the heads up on ##ubnt!
02:50 < precise> np :)
02:51 < spaces> linux_probe got yourself an AED ?
02:51 < spaces> Whiskey` heh lol are you also still drunk in here ?
02:52 < Whiskey`> spaces: I do not know what you are talking about
02:53 < spaces> Whiskey` you don't know what your name says ?
02:53 < Whiskey`> I know what my name says
02:54 < Whiskey`> stop assuming my sobriety!!
02:55 < spaces> Whiskey` are you afraid people find out you are lying ?
02:55 < Whiskey`> What am I purportedly telling lies about ?
02:57 < Whiskey`> what has me confused is the 'still drunk' part. i do not remember the last time i talked to you, drunk or not.
02:57 < Whiskey`> im very sure ive been sober at least once since then, if not more than once.
02:57 < Whiskey`> now, how sober, or not, that i am right now has not been stated in here, so, meh
02:58 < spaces> Whiskey` prove it, your name shows us you are alcoholic :P We don't know the percentage yet :D
02:58 < Whiskey`> ah well I wont tell
02:58 < spaces> at least you are flammable it seems :P
02:58 < Whiskey`> (cause im not going to go do a blood test to check my B.A.C)
02:59 < spaces> heh
02:59 < spaces> it's mostly written on your label
02:59 < spaces> or did they take it off after your birth ?
03:00 < Whiskey`> frain I am old school hooch son
03:00 < Whiskey`> fraid*
03:00 < Whiskey`> I didnt get no makers mark
03:02 < Seraxis> !ns info sera
03:10 * linux_probe joins ##ubnt just because
03:15 < spaces> linux_probe what is ubnt ?
03:16 < light> a fork of dbn
03:16 < spaces> dbn ?
03:16 < Whiskey`> lel
03:16 < spaces> not ubuntu ?
03:16 < spaces> eh ? there is ##ubuntu
03:16 < spaces> or #ubuntu
03:17 < Whiskey`> #ubnt
03:17 < Whiskey`> ##ubnt
03:17 < spaces> Whiskey` we cannot trust you, we don't know your % yet
03:17 < spaces> or are you moonshined ?
03:18 < Whiskey`> I AM MOONSHINE BOI
03:18 < Whiskey`> 100%
03:18 < spaces> :|
03:18 < Whiskey`> they made a song about me
03:19 < spaces> even worse
03:19 < spaces> that is how druk they got
03:19 < spaces> drunk
03:19 < errst> spaces, the %, it's about 40%–68% (usually 40%, 43% or 46%)
03:20 < errst> https://www.wikiwand.com/en/Alcohol_by_volume#/Typical_levels
03:25 < spaces> errst I know but Whiskey` is some special type of creature ;)
03:25 < errst> lol
03:31 < Whiskey`> I am. I am lab grade 200proof alc!
03:32 < Whiskey`> gotta keep my ass in a sealed glass container else i start drinking water (bleh)
03:32 < linux_probe> lol
03:32 < linux_probe> there is no 200 proof =p
03:32 < linux_probe> 199.xxxxxxxx
03:33 < spaces> ok, it seems everyone is etting drunk now
03:33 < spaces> getting
03:34 < linux_probe> spaces is always so drunk he's in spaces
03:34 < linux_probe> way into the outer spaces that is
03:34 < precise> I should get drunk
03:34 < precise> But I cant
03:35 < Whiskey`> linux_probe: hush your filthy mouth!
03:36 < Whiskey`> spaces: have you found my song? a clue is jerry reed
03:37 < linux_probe> heh
03:38 * linux_probe thinks either the bird or she got the gold mine :))
03:39 < Whiskey`> linux_probe: you made me cry! now im only 193proof!!
03:40 < linux_probe> haha
03:40 < Whiskey`> barely even dollar store iso now =(
03:40 < Whiskey`> (na that crap is like 50% water)
03:40 < linux_probe> lol
03:41 < linux_probe> I usually start with 90% then I fail to close the damned lid >_<
03:42 < Whiskey`> thats alcohol abuse right there
03:51 < Whiskey`> https://www.youtube.com/watch?v=MZ35SOU9HTM was also wrote about me
03:52 < Whiskey`> spaces: ^
04:14 < spaces> Whiskey` you must be rich and famous!
05:03 < agent_white> Whiskey`: I'm not an alcoholic, just a liquor enthusiast. ;)
05:04 < Whiskey`> spaces: I am!
05:05 < Whiskey`> agent_white: Arent we all?
05:05 < agent_white> Amen.
05:12 < spaces> Whiskey` be fair and share :P
05:29 < spaces> so it seems to be happening... Oracle is going to ask money for Java!
05:35 < Epic|> haha
05:35 < Epic|> sucks dick when its 'free'
05:36 < Epic|> will probably be awesome as a pay product
05:37 < linux_probe> java needs to die
05:37 < linux_probe> they whined until microsloth no longer had it, then didnt maintain it for shart
05:41 < adamz> Hi everyone. I have a host (an IP camera connected via wifi) that I can ping reliably from a freebsd host (wired) and a macOS host (wireless). Yet from Windows and Linux hosts (wired and wifi), i'll get a reply for about 5 seconds, then "Destination Host Unreachable" for about 20 seconds.
05:41 < adamz> I can ping all other hosts, wired and wireless, from all other hosts without issue.
05:43 < adamz> It does look like the ARP entry on the linux hosts is becoming INCOMPLETE, then switches to PROBE -> STALE -> FAILED -> INCOMPLETE
05:44 < linux_probe> wifi, yup
05:46 < adamz> i know, wifi
05:46 < adamz> but still, every other wifi device works
05:46 < adamz> i even put the camera next to the access point
05:46 < adamz> the AP is a UniFI AP-HD
05:51 < linux_probe> probably the camera
05:52 < linux_probe> or known bug with camera/ap firmware
05:52 < linux_probe> is the ap updated, is the camera updated
05:55 < linux_probe> if it's all updated, try the camera on other ap and see if the same occurs ;)
05:56 < linux_probe> if it's an older camera perhaps power supply is weak and it keeps rebooting
05:57 < adamz> yeah, its probably the camera. It has an ethernet port too, which works fine. Just on wifi
05:57 < adamz> Latest firmware for both the AP and camera.
05:57 < Whiskey`> adamz: sounds like the camera is disconnecting or ip conflict
05:58 < linux_probe> ^ yeah good one also, maybe mac address conflict even
05:58 < Whiskey`> thats rate but ya
05:58 < Whiskey`> rare
05:58 < Whiskey`> i am now 500 proof!
05:58 < linux_probe> he didnt say if it was total chinesium camera or not lol
05:58 < Whiskey`> my typing shows it
05:59 < linux_probe> id still eyeball the camera powersupply or watch and see if it keeps resetting, the wifi would use more power than wired eth
06:00 < Whiskey`> ^
06:00 < Whiskey`> yup make sure its not dropping off
06:00 < adamz> its chinesium
06:01 < linux_probe> watching DHCP requests is likely a good idea also, assuming you didnt set it static
06:01 < adamz> not a MAC conflict, as far as I can tell
06:01 < Whiskey`> in fact can you login to the router and see the wifi uptime
06:01 < adamz> it makes one DHCP request when it powers on
06:02 < adamz> on the access point admin page (Unifi controller) it has an uptime of hours (since I last power cycled it) and a signal strength of 99% (-16 dBm), which makes sense since the camera is practically on-top of the AP.
06:02 < Whiskey`> ok THAT can be issue
06:02 < Whiskey`> move it away
06:02 < Whiskey`> hot wifi is as bad as cold wifi
06:02 < adamz> if it was dropping off the wifi network, why are the pings from the macos and freebsd hosts 100% reliable, yet from linux they arent?
06:02 < Whiskey`> it needs to be juuuust right
06:03 < Whiskey`> adamz: you said they were NOT
06:03 < Whiskey`> [20:42:54] It does look like the ARP entry on the linux hosts is becoming INCOMPLETE, then switches to PROBE -> STALE -> FAILED -> INCOMPLETE
06:03 < Whiskey`> that should not happen while pinging
06:03 < linux_probe> half are good, half are bad he said, and showing some funky "MAC" arp entries
06:03 < Whiskey`> oh i missed that
06:03 < adamz> on macos i see every reply from the ping sequence
06:04 < adamz> ie, 0% packet loss, and every ping gets a reply
06:04 < linux_probe> what about the ping response times though
06:04 < adamz> ~1ms
06:04 < Whiskey`> ok on the mac is the mac correct
06:04 < adamz> reliably 1ms
06:04 < linux_probe> so no lag hmm
06:05 < adamz> i was thinking maybe something different with how ARP entries are cached/purged between macos/freebsd and linux?
06:06 < Whiskey`> not likely
06:06 < Whiskey`> make sure the MAC is the same on all hosts that ping it
06:08 < adamz> yep, looks like the cam has the same MAC on both the freebsd and linux ARP entries
06:08 < adamz> which is the same MAC that requested the DHCP lease, and thats connected to the AP
06:10 < Whiskey`> ok power it down and do pings
06:10 < Whiskey`> there isnt another switch in the middle someplace is there
06:12 < adamz> network setup is: PFsense box -> EdgeSwitch -> UniFi AP -> Camera. PFsense box is the DHCP server. Unifi AP is a pure wifi access point. The edgeswitch configured as a layer 2 switch.
06:13 < adamz> the freebsd box is wired into the edgeswitch
06:13 < adamz> my macos laptop is connected to the same wifi AP as the camera
06:13 < adamz> the freebsd and macos boxes can ping the camera 100% reliably
06:14 < adamz> multiple linux boxes wired into the switch can't ping the camera reliably
06:14 < adamz> nor can my linux laptop connected via wifi
06:15 < adamz> with the wired freebsd box pinging the camera (on wifi), i pulled the power on the camera. The pings stopped as soon as i pulled the plug. No "Destination Host Unreachable" messages.
06:15 < linux_probe> if you keep refreshing the pfsense "status>dhcp lease" page, the camera or any of the clients are changing to offline status are they
06:17 < adamz> with the power pulled on the cam, the PFsense DHCP leases page still shows it as "online". The other hosts (macos box, freebsd box, linux boxen, etc) are all "online" too
06:17 < linux_probe> and maybe check and refresh the switch mac/arp list to see if there's an issue there
06:25 < adamz> the switches ARP table is empty since it's only in l2 mode
06:26 * linux_probe facepalms,
06:27 < linux_probe> well, hit console on pfsense and do arp -a and keep watching it
06:27 < linux_probe> i guess other than that, make sure all the packet sizes are 1500 lol
06:29 < adamz> the cam is plugged back in. the output of `arp -a` on the pfsense box shows the cam: ? (192.168.1.164) at 9c:8e:cd:12:a7:28 on igb1 expires in 1099 seconds [ethernet]
06:29 < adamz> which is the right MAC
06:30 < Whiskey`> adamz: how long did you leave the cam off while pinging
06:30 < adamz> about 5 mins or so there
06:31 < Whiskey`> ok so more than long enough for an alt ip to pop up
06:31 < Whiskey`> well im going to blame the pfsense and call it good
06:31 < linux_probe> or some switch bug
06:32 < linux_probe> check the switch for firmware updates/bugs?
06:32 < adamz> i have. its on the latest too
06:33 < Whiskey`> its the pf...
06:33 < Whiskey`> always is
06:34 < adamz> this issue occurred even when pfsense wasn't involved. Originally I had everything on a separate VLAN that didn't even trunk to the PF box and one of the other linux boxes (and even at one point the switch) was offering DHCP leases. Saw the same problems.
06:35 < adamz> i spent most of today reconfiguring everything to disable vlans, etc so that the network is as "simple" as can be.
06:37 < dogbert2> gah - National Australia Bank on Saturday suffered what it described as a "nationwide outage" to some of its technology systems, leaving customers unable to access banking services or withdraw money. Customers took to social media to vent their frustrations, with some saying they were left unable to pay for groceries or refuel their cars...
06:40 < superkuh> So use cash.
06:41 < superkuh> Relying on some third party service to make all your purchases is stupid.
06:41 < jessica523> or loot stores
06:44 < local_host> Can an individual or institution buy ads to target your specific ip address/computer?
06:48 < local_host> Does one have to buy the ad or can your local isp just inject ads into YouTube videos?
06:49 < adamz> im going to blame the IP camera. I was having issues with it even respecting DHCP leases before. If i was offering an address without a gateway, it'd accept the offer, but then assign 192.168.1.108 statically to its interface anyway. Yahoo
06:50 < adamz> piece of crap chineseum
06:50 < Whiskey`> local_host: no only google can inject ads to youtube
06:51 < linux_probe> lol adamz
06:51 < Whiskey`> what brand of chineseum
06:51 < local_host> Whiskey: Can an individual or institution pay Google to target my address specifically? Is there some pay to harass a specific person just because you don't like them form.
06:52 < Whiskey`> local_host: not at all
06:53 < local_host> Whiskey: What about SEO don't they have it for direct ad targeting. Someone in power is abusing their authority then.
06:53 < Whiskey`> uhm
06:53 < Whiskey`> im not up on exactly how the back end works, but ive never heard of google serving abusive ads
06:54 < Whiskey`> if you are getting suspect ads i would think you are infected with some malware
06:57 < adamz> Whiskey`: Amcrest
06:58 * linux_probe suggests adblocking
06:58 < adamz> i've used other cameras with veeeeery similar web interfaces before. So similar I think they might have just modified the CSS and replaced a few brand logo images.
06:58 < linux_probe> if you cannot use adblocking, then dont use the web/games on said dummy devices
06:58 < linux_probe> :) solved
06:58 < Whiskey`> thats odd amcrest is pretty good
06:58 * linux_probe prefers not paying to see bullshit spammed at me
06:59 < linux_probe> and they want to charge more for intertubes? and still spam the fuck out of me?
06:59 < Whiskey`> well in fairness google doesnt charge you for intertubez
06:59 < linux_probe> no, they just track and spam the fuck out of everything
06:59 < linux_probe> :))
07:00 < linux_probe> slowing the intertubes for all
07:00 < Whiskey`> yea well thats how they charge you for the intertubez
07:00 < Whiskey`> ....=)
07:00 < linux_probe> slowing and infecting machines
07:00 < RudyValencia> OK so I currently use two Mikrotik routers to do an IPsec tunnel between me and a colleague in Florida. I want to switch to something a bit more modern that can do the same tunneling between our sites, any suggestions for prosumer gear that can?
07:00 < Whiskey`> uhm, no google doesnt do shit to slow the tubez for anyone
07:00 < Whiskey`> they build more backbone than any ISP does
07:00 < linux_probe> all the ads = slowing and browser lagging
07:01 < Whiskey`> google ads are some of the lightest resource wise there is
07:01 < linux_probe> burn it all with fire
07:02 < Whiskey`> so how would you support google services that you use for free?
07:02 < linux_probe> what google services
07:02 < linux_probe> other than chrome lol
07:02 < Whiskey`> if you dont use their stuff, stfu about them
07:02 < Whiskey`> damn probe you on troll mode tonight
07:02 < linux_probe> because they are the #1 biggest adware, malware and spyware corp lol
07:03 < linux_probe> troll mode? I'm being serious
07:03 < Whiskey`> and i still trust them more than facebook, yahoo and the us gov combined
07:03 < linux_probe> the rest got the idea from google
07:04 < Whiskey`> na others did it, google just did it better first
07:04 < linux_probe> well, that and stupidity of sheeple not knowing they have no privacy =p
07:04 < Whiskey`> yea well you cant do anything online with privacy
07:04 < Whiskey`> not anymore
07:05 < linux_probe> I mean it's one thing knowing about the privacy loss and still using it, fact is most do not have a clue
07:05 < Whiskey`> yea most dont
07:05 < Whiskey`> the facebook stuff slapped a lot of ppl tho
07:05 < Whiskey`> dammit where is my kindle, fkn kids ran off with it
07:09 < linux_probe> kindle lol
07:19 < local_host> So who has control the isp or YouTube because somebody rich people related to AT&T and the universities in my area are definitely paying for this crap. Are they directly contacting the company or are they going through the isp?
07:20 < local_host> Also could someone tell me how this works on the backend or send me a link to some uncensored code?
07:22 < local_host> You are fucking children...if I had access to the code I wouldn't act like a little entitled shit.
07:23 < tohsa> why cant I access old.reddit.com with the ip address from nslookup? 151.101.21.140? Trying to redirect reddit.com to go to old.reddit.com
07:23 < linux_probe> o_O
07:23 < tohsa> with the hosts file
07:25 < DSee> can someone give me some ideas to transform my SOHO/home network into a low enterprise or mid-grade business thing? firewalls, VPN, etc, anti-penetration
07:33 < local_host> You're heads of international companies and you're over 60 with insider information and you're using it to fucking insult me? Now I have a goddamn filter are you people tired or jacking off?
07:33 < local_host> You're heads of international companies and you're over 60 with insider information and you're using it to fucking insult me? Now I have a goddamn filter are you people tired of jacking off?
07:35 < tohsa> lolwhat
07:35 < linux_probe> what kind of drugs is that fella/bot on
07:39 < local_host> Wait I forgot you can't you need a penile stent to even function.
07:39 < linux_probe> local_host~ has peniles in his arse and mouth
07:40 < local_host> I'm serious they are reading my packets and I don't even have access to the code or knowledge to see who is doing this.
07:40 < The_Shadows> 30min of troubleshooting why connection between firewall and switch was only 100M..., Changed 10 cables and switch but real problem was between firewall and router :D. Intel nic green light 100MB and i was so sure that green meant 100 that didn't even check anything :D
07:42 < The_Shadows> I mean green = GBe and amber = 100Mb
09:09 < pabed__> hi guys , is there anyone who implements failover with "opnsense" I follow this manual "https://wiki.opnsense.org/manual/how-tos/multiwan.html" but it doesn't work . any idea?
09:10 < sql00_> Hello
09:40 < sql00_> I want to configure Port Mirroring for outgoing traffic on my home network, but how outgoing ssl traffic will be decrypted on monitoring port ?
09:43 < skyroveRR> sql00_: you'll have to take a packet dump on some machine, and most of it will be garbage.
09:43 < skyroveRR> Without a proper decryption key.
09:45 < sql00_> Where should I connect switch to analyze traffic from VLAN and Wireless Clients ?
09:46 < skyroveRR> You have to set a mirroring port on a manageable switch.
09:46 < Aleksandar86> I have Ubiquiti UAP AC PRO, I set VLANs on him. On Mikrotik I have DHCP for VLANs but not working good. I connect to UAP via Wifi and I got IP from Mikrotik, but after 5 seconds all wifi networks going down...
09:47 < Aleksandar86> Anybody here had same problem?
09:49 < sql00_> Yes, I have to set a mirror port on manageable network switch, but where exactly switch needs to be placed ? Between Router and ISP Cable ?
09:51 < sql00_> At the moment ISP cable is connected directly to my Linksys router, but I am going to buy network switch which supports port mirroring and need to know where I should place the network switch
09:51 < sql00_> because I want to monitor not only Vlan users but wireless users.
09:56 < iPaq> Hey lads. I've got a setup at home involving all linux hosts (and the router), VLANs 10, 20 and 30 for servers, mystuff, and 'guest', the guest wifi also being forced into Vlan30. It's all very nice and all. But some of my servers are (CentOS)KVM Hypervisors. And I'm wondering, should I be setting them up as trunks and passing eth0.10,20 and 30 through to VM's as per the vlan they need to be in? or should I be handling this more sec
09:58 < iPaq> Like I don't use eth0 on either hypervisor, only eth0.10 has IP's assigned for both box, being servers, therefore in VLAN10. But this way new VMs could be bridged onto eth0.30 if they're to be untrusted. Instead of eth0 itself. Does.. this all sound like the right thinking? Or is this pretty stupid.
10:15 < detha> iPaq: I generally run a trunk to the hypervisor, then bridge each VM to the appropriate vlan on the trunk
10:16 < detha> If a VM needs to be in more than one vlan, give it two virtual interfaces, one bridged to the one vlan, one to the other vlan
10:17 < iPaq> Thanks @detha that's exactly what I wanted to hear <3
10:17 < iPaq> Welp, I'm off to push that setup. Have great nights
10:28 < sql00_> Can anyone suggest me network switch with port mirroring support for home network monitoring?
10:29 < skyroveRR> sql00_: most manageables can do that..
10:42 < Korisnik_> is possible use Ubiquiti UAP AC PRO VLANs with Mikrotik DHCP?
10:42 < Korisnik_> in my case not working
10:47 < sql00_> ISP CABLE --> Router(DHCP) --> SWITCH(Port Mirroring) --> On one of the Switch source ports I will connect router2 with WAP enabled. On other ports on switch I will connect PC's and on destination port I will plug Monitoring PC. What do you think ? The idea is to fully monitor home network traffic + wireless
12:29 < luc4> Hello! I'm trying to configure a router as a switch to connect to my network and extend it with new eth ports and wifi signal. What I see is that any system which connects via wifi to it cannot get an address via DHCP 90% of the times. Static IPs work properly instead. Any idea of a possible explanation?
13:28 < luc4> Anyone who knows if a wifi router should be able to act as a switch with wifi AP?
13:31 < detha> "it depends". crappy all-in-one things often have the option to disable parts of the firmware, but not always. Proper way: use a device that knows what it is, i.e. separate switch, and separate access point.
13:40 < longxia> luc4s: yes, i have one running (Mikrotik RB951G), although RouterOS now treats it as a bridge with "hardware offloading".
13:41 < longxia> luc4, did you just gain an 's' in your nick?
14:16 < grawity> oddly, it doesn't offload VLAN filtering on the RB951G, even though the switch chip seems capable of it
14:19 < grawity> I wonder why my iperf3 tests between two servers start at 200 Mbps but then slowly drop to just 100 Mbps within 10 seconds
14:20 < grawity> is that some QoS stuff or
14:23 < dostoyevsky> I have very unreliable internet at this hotel here... so I keep ping running all the time to see when it goes down again. One odd thing: Sometimes I always see "Request timeout" but then I just press CTRL-C restart ping and I get pings again
14:24 < dostoyevsky> it's like I restart the network by pressing CTRL-C
14:36 < spaces> so life sucks as we need to work again tomorrow
14:36 < batch> anyone here got some script to join a sambaserver to activedirectory?
14:37 < grawity> `realm join` if you have realmd installed
14:38 < batch> oke wow thx let me check it out
14:41 < spaces> grawity we don't mix I think
14:41 < grawity> yes I prefer tabs
14:41 < dogbert2> yeah...I werk tomorrow, but at double time and a half :)
14:42 < Apachez> grawity: how fast does it drop?
14:42 < Apachez> grawity: tried different settings?
14:42 < spaces> dogbert2 I just hobby all day long :P
14:42 < Apachez> get the same drop with lets say 2 concurrent transfers?
14:42 < Apachez> normally qos allows a small burst and then it throttles down to whatever speed is configured
14:43 < grawity> Apachez: approx 10 seconds
14:43 < Apachez> sounds too large
14:44 < Apachez> the burst is more like max 1-2 seconds
14:44 < grawity> kinda like this https://ptpb.pw/496g.txt – same with SSH file transfers, not iperf-specific
14:44 < Apachez> sounds more like some other thing is kicking in
14:44 < Apachez> like congestion control or such
14:44 < Apachez> whats the latency between the endnodes?
14:45 < grawity> ~40 ms, it's over WAN from my VPS (from two different VPSes at different locations) to my server at $WORK
14:45 < grawity> I mean, I don't really mind it but a bit curious if it's intentional or something else
15:12 < realbadhorse> i dont know if its relevant here but i want to proxy everything through burpsuite which i already know how to but now i also need to connect to a proxy server while being connected to burp
15:12 < realbadhorse> how do i do that?
15:13 < Apachez> grawity: unless you have really small send/receive buffers 40ms shouldnt be a problem
15:13 < Apachez> you can do the maths with bandwidth product delay
15:13 < Apachez> bandwidth delay product
15:14 < Apachez> delay bandwidth product
15:14 < Apachez> ehh whatever that formula is called :)
15:15 < Apachez> https://en.wikipedia.org/wiki/Bandwidth-delay_product
15:15 < Apachez> so with 40ms delay
15:15 < Apachez> and lets say 200Mbps
15:15 < grawity> realbadhorse: https://i.imgur.com/4bDSejS.png
15:16 < Apachez> 200M * 0.040 = 8000000 / 8 = 1 000 000 bytes buffer
15:16 < Apachez> so you need in theory 1Mbyte send/receive buffer at each end
15:17 < Apachez> but thats somewhat flawed
15:17 < Apachez> I can get 1G with less than that
15:42 < Apachez> not even animals like snowballs =) https://imgur.com/zxWvLYS
15:43 < shtrb|laptop> Where is the snow there ?
15:47 < mnemon> Apachez: https://www.youtube.com/watch?v=kT8sTEDtUAI nah, horses are just evil.
15:49 < quarterback> Can anybody tell how much bandwidth and speed is required for setting up a dedicated dns server like 8.8.8.8 ? Are two dns servers needed to setup root dns?
15:50 < mnemon> quarterback: you cannot setup a root dns for other people, the bandwidth depends solely on the number of clients.
15:50 < moosebumps> hey i have a question
15:50 < moosebumps> can i ask it
15:50 < shtrb|laptop> !ask
15:51 < moosebumps> its about politics and horses
15:51 < mnemon> moosebumps: read the topic.
15:51 < quarterback> mnemon, What do you mean by "cannot setup root dns for other people"? Can a dns server be setup for many countries?
15:51 < mnemon> quarterback: what do you mean with "root dns"?
15:51 < shtrb|laptop> quarterback, you are using root dns, I don't think you mean what we mean by that
15:52 < shtrb|laptop> quarterback, you can force english speaking countries to add a new character and open yourself a position for a new root tomain
15:52 < shtrb|laptop> *domain
15:52 < moosebumps> dont talk back to the quarterback
15:52 < quarterback> shtrb|laptop, I am also new to dns, I just know some basics of networking. I have a high speed lan internet and hoped to setup some server. Be it dns, ftp or ircd.
15:53 < shtrb|laptop> I think you just wish to setup a DNS server (not root dns )
15:53 < quarterback> shtrb|laptop, No, I dont mean to open a new language to the dns system. I intend to setup an english dns server. Bear with me as this is somewhat new to me.
15:54 < tds> in general I'd avoid running a public dns resolver, since it's relatively likely it'll be abused for reflection attacks
15:54 < quarterback> mnemon, By root dns , I mean a core dns server of the internet which resolves Ip addresses into TLD's.
15:54 < tds> if you just want to run your own dns resolver for internal use, sure, go for it
15:54 < quarterback> Tds, a firewall can be setup and if you add ddos protection, its not that hard I believe.
15:55 < quarterback> tds, No, its for personal use. I mean it for public use. For corporations and public, academia in India.
15:55 < quarterback> tds, And also for other nations.
15:55 < tds> well the ideal solution for reflection attacks is for everyone to start filtering source addresses (see bcp38), but it'll be a while off before that's implemented everywhere
15:55 < quarterback> tds, Its not for personal use only *
15:56 < quarterback> tds, Those kind of attacks are rare in India I believe.
15:56 < tds> if you want to run a service for use in multiple locations, you probably want to look into anycast, otherwise latency will be terrible compared to other public resolvers
15:56 < mnemon> quarterback: I'd suggest you read up on how the DNS infrastructure works. short answer is that you cannot set up a root dns server. You can set up a DNS server for your domain or a resolver/cache for client devices. https://en.wikipedia.org/wiki/Root_name_server
15:57 < shtrb|laptop> quarterback, you wish to create just a DNS server, the new letter was to express to you that root dns server (are one of the 13 letters used to create TLDs) , there are alternative options to ICANN mandated(?) , you just need to check about "normal" DNS servers
15:57 < quarterback> mnemon, The internet in India is a different network. Can't I own a chunk of it in Asia? I dont have to bother about other nations in western world.
15:58 < shtrb|laptop> quarterback, google ICANN
15:59 < shtrb|laptop> or you could take over some ISPs and just push your own service only for Indian customers (inventing your own tlds)
15:59 < mnemon> quarterback: it is not separate as far as the whole dns system is concerned, specifics such as subdomains under the national TLD's are usually controlled by countries or the control is delegated by them.
16:00 < tds> if you actually want to run a public dns resolver and have random people using it though, you'll need to give them a compelling reason to do so, which I suspect you don't compared to the other big public ones
16:00 < quarterback> shtrb|laptop, There is a .in domain which comes from India. I see that many .in domains are hosted in usa or elsewhere. I want to change that. Let indian domains be in India and their names be resolved from a dns server in India.
16:01 < mnemon> you just need a normal dns server for that.
16:02 < quarterback> mnemon, So is it possible that I start a dns service and tell ISPs in India.. they are free to use it or for some yearly charge. Would it work?
16:03 < mnemon> you need to tell whoever owns the domain, but yes in principle it is possible.
16:03 < quarterback> mnemon, Where does domain come here? do you mean any .in domain ?
16:03 < shtrb|laptop> quarterback, If you wish to take over .in tld you need a permission from ICANN and from National Internet Exchange of India, but in reality you can start a register, interact with some officials to get things done and in time you could start register stuff under .in
16:04 < quarterback> shtrb|laptop, I am not solely interested in web hosting or being a reseller of .in domains. I am interested in setting up some infrastructure which is hardware and a few servers which could be greatly put to use or be exploited.
16:05 < shtrb|laptop> nixi is friend, but first you would need to prepare good sums of money to pay for the infra and legalization
16:05 < Apachez> tds: also tier1's and 2's could start filtering which ranges they see based on bgp AS info
16:06 < quarterback> shtrb|laptop, well I've got an ISP who agreed to give me fixed IP addresses. What else do I need?
16:06 < shtrb|laptop> lol
16:06 < shtrb|laptop> not sure if trolling or serious
16:06 < tds> Apachez: out of interest, do you know if any of them do at the moment?
16:06 < quarterback> Apachez, I think its a tier 3 ISP which is offering me ip addresses. Do I need to approach a tier 1 or internet backbone provider for the bandwidth?
16:07 < quarterback> mnemon, I am curious if there are any legal matters with ICANN which need to be addressed first for setting up a dns server, I mean a normal dns server in your terms.
16:08 < tds> quarterback: if you want to run a public dns service, you'll likely want to run multiple servers in different locations with anycast (announcing the same prefix in all these locations), and ideally multiple transit providers and local peering (especially if you plan on pushing lots of bandwidth)
16:10 < mnemon> quarterback: you can run dns server for individual domains as long as the owners point to your service without any extra hassle usually, some registrars might have special rules.
16:10 < quarterback> tds, Yes, I intend to go in that direction. It seems setting up a dns is easy with ready to use software. Maintenance can be a bit of work which many people can learn. First I start in one location and scale it into three or four cities where there are international submarine cables.
16:10 < Apachez> tds: dunno, its been spoken about at NANOG and the other conferences for some time
16:11 < Apachez> there is a ASDB or whatever its called that could be used to lookup ipranges per AS
16:11 < Apachez> and get answer which ranges should be seen through each AS (even if that AS is uplink to others)
16:12 < quarterback> tds, I also live in a country which is geographically and demographically very big, its about 3000km from one end to another with a population density of over 500/ sq mile. So there would be need for servers as this.
16:12 < shtrb|laptop> Apachez, bgp.he.net/AS714#prefix
16:12 < shtrb|laptop> is one way
16:13 < tds> lots of providers are using the data already to generate prefix filters on sessions, use of the same data for source address filtering seems to be much less common though
16:13 < Apachez> shtrb|laptop: the thing is that the prefixes listed are the ones you "own"
16:13 < Apachez> the problem is that you as an upstream ISP will provide other prefixes
16:14 < Apachez> like lets say Telia have prefix X
16:14 < Apachez> and telenor have prefix Y
16:14 < Apachez> if you are connected to telenor and telia do have a routing through telenor then you will see from telenor both prefix X and Y
16:14 < tds> tools like bgpq3 can work on as-sets, so that'll cover downstreams and downstreams of downstreams and so on with no issues
16:14 < Apachez> and thats the tricky part
16:15 < Apachez> because which prefix is seen by whom may differ
16:15 < tds> (that does rely on everyone keeping as-sets up to date though, which likely isn't the case :/ )
16:15 < quarterback> What are the prefixes you are talking about?
16:15 < Apachez> just because telia uses telenor as uplink in sweden doesnt mean that they will do that in lets say usa
16:15 < Apachez> so if you are connected to telenor in usa you shouldnt see prefix X at all
16:16 < Apachez> quarterback: prefix is the iprange assigned to a specific AS
16:16 < Apachez> iprange(s)
16:16 < Apachez> well as-sets are up2date through RIR's
16:16 < Apachez> at least about who owns which range
16:17 < Apachez> but its not updated who uplinks through who and where
16:17 < Apachez> and for such acl to have some kind of meaning you need a way to figure this out in an easy and fast way
16:17 < Apachez> preferably if bgp itself could be extended to do this
16:17 < mnemon> quarterback: a fix already exists for the "large amount of people connecting", it's the ISP resolvers/cache.
16:18 < Apachez> mnemon: resolvers have nothing to do with bgp
16:19 < mnemon> Apachez: I was commenting on the earlier DNS discussion
16:21 < quarterback> mnemon, Does every ISP have dns servers of its own? I see many companies in India use google'
16:22 < quarterback> mnemon, use google's dns server 8.8.8.8 and 8.8.4.4
16:22 < shtrb|laptop> Many ISP have their own (all?), many use Google's as the forwarded to (secondary) and some have signed an edge agreement
16:22 < quarterback> mnemon, What could be the meaning of that? Don't they have dns servers of their own?
16:47 < spaces> I need to whine
16:48 < spaces> Apachez let me borrow your lap
16:52 < pk2010> hello
16:53 < pk2010> suppose i buy a server from a host and there is lots of traffic on it...then i cancel the server subscription..now if that traffic keeps coming on that IP address
16:53 < pk2010> how hosts give this IP to new users
16:54 < pk2010> i mean this excess traffic will be useless for new customer..no?
17:10 < Apachez> spaces: here here, sit in my lap and Ill sing soft kitty for ya ;)
17:12 < Apachez> Soft kitty, Warm kitty, Little ball of fur, happy kitty, sleepy kitty, purr purr purr...
17:24 < spaces> Apachez oh I love you :D
17:24 < spaces> but don't touch my kitty!
17:25 < Epic|> ...
17:26 < superkuh> https://juliareda.eu/2018/05/censorship-machines-link-tax-finish-line/ - the next step in the Euro attack on the internet after GDPR.
17:27 <+catphish> superkuh: time to leave i guess :)
17:28 < spaces> Epic| you might don't know Santa Claus in person...
17:28 < superkuh> US is already copying GDPR with some bills. Once they show the gov can use these types of excuses to grab more power it'll happen here too.
17:28 < superkuh> Think of the communists/terrorists/children/privacy.
17:28 <+catphish> i mostly like GDPR, as far as i can tell, it achieves what it sets out to achieve
17:28 <+catphish> the only downside is the administrative costs
17:29 < superkuh> It has the implicit premise that people are too stupid to make the right choices and not use shit services so the government must do it instead with the monopoly on violence.
17:30 < superkuh> s/with the/with their/
17:30 <+catphish> i don't think a user can be expected to know what will be done with their data
17:30 < superkuh> And the other premise that it's "their data" even when it's not their service.
17:31 < superkuh> It's only your data if you aren't using third party.
17:31 <+catphish> wha?
17:31 < superkuh> Like making it illegal to take a photo of someone who came over to your BBQ.
17:31 <+catphish> well that's not covered by GDPR
17:32 < superkuh> Yes. It's an analogy.
17:32 < detha> I'll stick to the original 'Click here to confirm you are not a citizen of the EU to enter this site'
17:32 <+catphish> detha: i've never understood that, if it's a non-eu company, they can just tell users they don't comply with EU law
17:33 <+catphish> they aren't even obliged to do that, but seems polite
17:34 < detha> EU seems to intend to make their law reach outside the EU; and even if that doesn't hold up, lawyers costs to prove it will be too high
17:34 <+catphish> whose lawyer costs?
17:34 < detha> Mine, should someone ever try to slap GDPR charges on me
17:35 < detha> s/charges/fines/
17:35 <+catphish> detha: you'd travel all the way to europe, to answer the complaint? :|
17:35 < superkuh> Anyway, the newly proposed regulations are fairly clear cut in their shit-ness.
17:35 < superkuh> (ie, what's in the linked article, not gdpr)
17:35 < detha> No. But they seem to want to make various treaties work for them
17:35 <+catphish> detha: if someone tried to serve me a DMCA notice for example, i'd just politely tell them it doesn't apply to me
17:36 < detha> That you can do. The whole intent of this GDPR mess is to make that difficult/expensive to do even for people outside the EU
17:36 <+catphish> of course, there's the argument that if you're supplying services in the EU, you must follow laws there, but that really only matters if you have some kind of presence there
17:37 < detha> Exactly. Which is why I don't want to provide services to the EU under these terms
17:37 <+catphish> detha: why not anyway?
17:37 <+catphish> as a consumer, i'd be pretty unhappy if you weren't complying with it :(
17:38 <+catphish> detha: if for example you won't delete my data on request, i don't want to give it to you :(
17:39 < detha> As a consumer, I expect companies to take whatever I give them, and regulators to stay well out of the way
17:39 <+catphish> detha: well then i'm glad with people like you around, the laws are coming
17:40 <+catphish> fuck having my data that i give companies for one purpose being sold off
17:40 < spaces> catphish get a profit from it!
17:40 <+catphish> not my cup of tea
17:40 < detha> You didn't see that coming? There is a reason I never had any facebook/twitter/... account
17:42 <+catphish> well for things like facebook, you essentially sell them your data in exchange for their service, i guess that's fine as long as everyone involved understands / accepts it
17:43 <+catphish> anyway, it's mostly working for me
17:43 < BT709> Hi All, anyone got any experience with packetfence? Looking at this compared to just freeradius for a wired 802.1x project to handle around 110 switches with 3000 linux/windows clients.
17:43 < detha> And therein lies the problem. Most people don't. And this is why the regulators now put all this ridiculousness in place, to protect the people against themselves
17:44 <+catphish> the only problem i've had with GDPR so far is one person who has set up about 10 free accounts with my service with different email addresses, total mess (and clearly against our terms), is now attempting to use the regulations to ask for a copy of all the data held about him, admin nightmare
17:44 <+catphish> detha: that much i agree with
17:44 <+catphish> detha: but we don't really like letting people who *are* stupid get abused here
17:45 < ryao> Why is it that DECT phones always have the base station integrated with a phone charger and sometimes also an answering machine. It seems to me like it would make things much easier if it were just a base station that could be powered using PoE with the handsets placed around the house. :/
17:46 < tds> catphish: aren't you at least allowed to charge an admin fee for requests like that?
17:46 < ryao> BT709: I don't use packetfence, but I use freeRADIUS through pfSense. I'd be comfortable using freeRADIUS for what you are doing if I were you.
17:46 <+catphish> tds: no
17:47 <+catphish> tds: you're only allowed to charge a fee if the requests are excessive, but a single request has to be free
17:47 < ryao> catphish: I assume that you are referring to GDPR. I suspect that anyone without a presence in the EU can ignore it, although the way people are acting is as if they expect the EU to try to get them extradited if they don't comply, even if they don't do anything with the EU.
17:47 < detha> I would call 10 identities on one service excessive
17:48 <+catphish> ryao: i agree, i'd expect non-eu companies to ignore it, as long as they don't have a significant presence in the EU, i don't see what anyone could do about it
17:48 < tds> catphish: ah, has that changed with gdpr from the original data protection legislation?
17:48 <+catphish> tds: yes
17:48 < tds> for some reason I thought you could charge a small admin fee by default, I think the only source for that might have been ICT GCSE though :P
17:48 < ryao> catphish: It annoyed me though. The iOS speedtest app has a GDPR privacy notice that is on an infinite loop. You accept it and then it shows up again. It makes the app unusable. :/
17:49 <+catphish> tds: yeah, with the old DPA you could charge a fee, with 2018 DPA it has to be free
17:49 < spaces> catphish I like a cup of tea!
17:49 < tds> catphish: now that whole gcse was useless, I think that's the only thing I remember and it's wrong now ;)
17:50 <+catphish> i wouldn't mind if this guy had one account, but 1) he has like 6 accounts across various of our apps with different email address 2) he's asked a bunch of other pointless questions that he could easily find the answers to in our (very nicely written) privacy policy
17:50 <+catphish> it's my opinion that he's got a standard letter from somewhere, and sent it to every company he's ever dealt with
17:50 < ryao> catphish: lol
17:51 < BT709> ryao: I have been told this too, but haven't found much online regarding building this out
17:52 <+catphish> a quick google search says yes, this is the letter he's sent us: https://m.forums.theregister.co.uk/post/reply/3285234?
17:53 < ryao> BT709: I haven't deployed 802.1x for wired stuff in part because it is broken unless you use the macsec extensions that almost nobody supports, but setting it up for wireless was basically something I had to figure out on my own. pfSense made it somewhat easy to do though.
17:54 < ryao> BT709: If you setup pfSense, you can use it to make an internal CA. Then you can use it to generate certificates, setup freeRADIUS, etcetera. There is a nasty bug where revocation lists break things if you use them, but I get around this by just never reusing usernames and putting them into the certificates. If the username isn't in freeRADIUS database, then it won't authenticate it.
17:55 < ryao> BT709: https://en.wikipedia.org/wiki/IEEE_802.1X#Vulnerabilities_in_802.1X-2001_and_802.1X-2004
17:56 < ryao> BT709: You need this to make it secure: https://en.wikipedia.org/wiki/IEEE_802.1AE
17:57 < ryao> BT709: By the way, are these L2 or L3 switches? ^_^;;
17:57 * ryao prefers to use router to describe a L3 switch.
17:57 < ryao> BT709: If you have a broadcast domain with 3000 clients... ouch.
17:57 < spaces> indeed BUT if it can only do static routes it's kinda sucky
17:58 < BT709> ryao: Yeah this is what im finding, there is not much out there regarding wired deployments. This is for an enterprise environment, I would aim to attach onto the existing CA infra and machine based certs for TLS auth. MACSEC is not what i am looking for, that is L2 encryption
17:58 < ryao> spaces: If what can?
17:58 < ryao> BT709: 802.1x has a vulnerability where you can attach a switch in between it and a machine and then get free rein to do whatever you want.
17:58 < BT709> ryao: I hope no one here has a broadcast domain with 3000 clients tbh :P
17:58 < ryao> BT709: I do too.
17:59 < ryao> BT709: I need to get ready for Sunday Mass. I'll be back in 90 minutes.
17:59 < BT709> These are multilayer switches, but for the purpose of 802.1x it is purely layer2 which controls vlan assignments and MAC bypass.
18:01 < ryao> BT709: You could just require all clients to use IPSec and be done with it. Not that I want to discourage you, but the fact that 802.1x is easy to circumvent kind of makes it pointless. :/
18:01 < ryao> At least on wired.
18:01 < ryao> BT709: Also, I suspect that there is little information on how to do it on wired because this is part of the material needed to get various certifications.
18:02 < ryao> Which switches are these and who made them? Maybe the vendor has some documentation available.
18:02 < BT709> ryao: No preventative security is 100% secure, this is why you must employ defense in depth.
18:02 * ryao really must step out now.
18:02 < Apachez> but relying only on 1x is bad
18:02 < Apachez> since it has design flaws
18:02 < Apachez> but its great as part of layered security
18:02 < BT709> Apachez: totally agree
18:02 < Apachez> it protects from accidentally connected unwanted devices or networks
18:03 < Apachez> but it doesnt protect from somebody who knows what they are doing
18:03 < Apachez> setting your own switch in between is an easy bypass
18:03 < Apachez> instead of 1x device connected to 1x switch
18:03 < Apachez> you connect your own switch in between so it becomes 1x device <-> your switch <-> 1x switch
18:03 < Apachez> and then connect the evil box to your switch
18:04 < Apachez> this way you not only find out the mac of the 1x device but once 1x device opens up the interface at 1x switch its open until reauth
18:04 < Apachez> so you shutdown the interface in your switch that goes to 1x device
18:04 < BT709> Apachez: how would that work, if the mac addresses over the line would be unique? Only the switch in that case would be authed.
18:04 < Apachez> and put 1x device mac on your evil device connected to your switch
18:04 < Apachez> and tada
18:04 < Apachez> the 1x switch will never notice wtf happened
18:04 < Apachez> and you as evil user will have full access to the 1x protected network until reauth occurs
18:04 < Apachez> which by default they occurs like once an hour or so
18:04 < BT709> If you spoof the mac you mean
18:05 < BT709> yes that is a vulnerability
18:05 < Apachez> you want me to explain this once more?
18:05 < BT709> Nope, got it
18:05 < Apachez> the thing is that from the 1x switch point of view the interface never goes down
18:05 < Apachez> and it will never receive any EAPOL-logoff frame
18:06 < Apachez> since evil switch (who sits in between 1x device and 1x switch) just shutdown the interface towards the 1x device
18:06 < Apachez> and then enable the interface towards evil host
18:06 < Apachez> evil host now use the same mac as 1x device (who is disconnected)
18:06 < Apachez> so if you want to protect against that you should use vpn at your clients
18:07 < detha> Apachez: your scenario assumes you have a 'good' and an 'evil' device to begin with. What if you don't have a 'good' device ?
18:10 < Apachez> detha: at most places there are a "good" device
18:10 < Apachez> otherwise you wouldnt have an 1x enabled interface running there
18:11 < BT709> I was led to believe that there are newer versions of the 802.1x standard which allow mapping vlans to mac addresses, and therefore different devices can be on the same int with access control. You are talking about 802.1x only being able to up or down a port once authed. Correct me if im wrong obviously
18:12 < Apachez> well thats the basic of 1x
18:12 < Apachez> doesnt matter if you then put the device in various vlans
18:12 < BT709> VPN is unfortunately not an option due to requiring as close to wirespeed as we can for users work
18:12 < Apachez> the evil device will look like the good device from the 1x switch point of view
18:13 < Apachez> there are 10G vpns :)
18:13 < Apachez> so anyway, 1x is often a good choice but dont rely on it
18:14 < Apachez> we use it as countermeasure against people connecting the wrong cable in the wrong interface and creating a loop
18:14 < Apachez> since we got multiple physical networks in the same area
18:14 < BT709> yeah i get what youre saying, its totally not the only security method we have but it addresses the issue of ports not being shut on the corporate vlans in meeting rooms for example :P
18:14 < BT709> at least as a first method of prevention
18:15 < BT709> multiple physical networks? Wow interesting, due to security or performance?
18:15 < Apachez> you should check the secured enduser connection guidelines
18:15 < Apachez> other methods is to limit to max 1 mac address per interface
18:15 < Apachez> etc
18:15 < Apachez> logging all mac addresses and which physical interface they connect to
18:15 < Apachez> logging mac overflows
18:15 < Apachez> etc
18:16 < Apachez> well both
18:17 < Apachez> like only voip devices on the voip network
18:17 < Apachez> this way we dont need poe switches where we dont have any voip devices
18:17 < Apachez> and no need to qos either since there are only voip devices on the voip network
18:17 < Apachez> and then some other networks
18:17 < Apachez> so with 1x you got a first line of defence where somebody connects unwanted device or loop networks
18:18 < Apachez> its not foolproof against somebody who have intentions to fuck things up as I described but it protects from the "oops"
18:18 < BT709> Are your IDFs not a bit messy then?
18:18 < Apachez> IDFs?
18:19 < BT709> patch closets/rooms
18:19 < Apachez> nope
18:19 < Apachez> you can colorcode things :)
18:19 < Apachez> black = encrypted traffic
18:19 < Apachez> red = cleartext sensitive traffic
18:19 < Apachez> grey = regular prod (client/server)
18:19 < Apachez> green = mgmt network
18:19 < Apachez> and so on :)
18:20 < BT709> But it requires physically going to a site and patching new connections, we have all pre patched. Anyone can call from a site and we can remotely enable and provision from our desks
18:20 < Apachez> well you dont patch things where you dont expect to have anything
18:20 < spaces> Apachez are still holding whiel I'm sitting on your lap ?
18:20 < spaces> are you..
18:20 < Apachez> so a new site gets fully patched for the purpose it will be used for
18:21 < Apachez> like if there will be no sensitive network at site X then you dont have any red cables and red switches there
18:21 < Apachez> spaces: whiel?
18:21 < spaces> while
18:21 < spaces> I'm whining you know... I cannot type straight
18:21 < Apachez> dont get horny...
18:22 < spaces> how can I ? I'm full of emotions
18:22 < BT709> True, if its a quite static setup then I see that working. My place scales up and down quite a lot so we just have to be prepared for any port on any network.
18:22 < spaces> are you trying to get an advantage out of it Mr Whinefield ?
18:22 < Apachez> well then you really should consider vpn
18:22 < Apachez> because its those kind of arguments who fucks things up
18:23 < Apachez> and suddenly unwanted client sits on sensitive network doing bad things
18:23 < Apachez> because you were lazy
18:23 < Apachez> I have seen many bad implementations during the years
18:23 < Apachez> where the main argument was that "its so hard to make it secure and it takes time"
18:23 < BT709> I still dont see VPN as solving what im trying to do tbh, I see where it may fit for low performance situations but not for users that need fast disk access
18:24 < Apachez> while implementations who did stuff properly had far less downtime and troubleshooting time
18:24 < spaces> Apachez is now known as Mr. Whinefield
18:24 < BT709> Its nothing about being hard or slow, its just about implementing the correct technology where its required.
18:24 < Apachez> sure and you are doing it wrong ;)
18:26 < BT709> So you implement machine based vpn on all your systems?
18:26 < BT709> Sounds great in terms of a purely L3 infra too, I can see the appeal
18:29 < raefe> hey guys can someone help me connect to //server?
18:29 < spaces> try to make it \\server
18:31 < transhuman> hi! its been a while since I have done this sort of thing. Can't remember on a 10.0.0.0/8 network is the default broadcast address 10.255.255.255 or is it 10.0.0.255?
18:31 < transhuman> I think its the first but just want to be sure
18:31 < raefe> sorry i did mean \\server
18:31 < raefe> no connection
18:33 < zamanf> hello
18:34 < transhuman> never mind I was right thanks
18:34 < zamanf> I am trying to do this: iptables -t nat -A PREROUTING -p tcp --dport 110 -j REDIRECT --to-port 8080 but unfortunately it doesn't show on iptables -L
18:34 < raefe> i can connect to the server via the standard "remote desktop connection"
18:34 < zamanf> I get no error also
18:34 < raefe> so there is an internet connection between both pc and server
18:36 < detha> zamanf: iptables -t nat -L
18:36 < raefe> @spaces ...
18:36 < zamanf> ty
18:37 < raefe> detha can you advise pls?
18:37 < detha> raefe: that sounds like it is windows
18:39 < raefe> correct
18:39 < detha> in that case, all I can say is 'No Idea, haven't used it for years'
18:40 < raefe> maybe someone else could help?
18:52 < raefe> anyone with windows knowledge for my question?
18:52 < spaces> windows sucks and we all know it :P
18:53 < spaces> still I like windows 10
18:53 < raefe> so how to approach?
18:54 < spaces> raefe tias while you are waiting for an answer
18:55 < raefe> tias?
18:55 < Apachez> raefe: spaces is drunk
18:55 < spaces> do you actually use google for your problem ?
18:55 < Apachez> raefe: we told him several times before "dont drink and irc" but nooo
18:55 < spaces> Apachez no, you didn't feed me Whiskey`
18:55 < skyroveRR> :D
18:56 < rewt> tias = try it and see
18:56 < raefe> no i use irc chat relay
18:56 < raefe> thx rewt
18:58 < raefe> so how do i check this valid //server path?
18:58 < raefe> \\server
18:59 < raefe> i cant call it up in windows explorer
19:00 < rewt> does it work with the ip address? like \\192.168.x.y
19:01 < raefe> in windows explorer or cmd?
19:01 < raefe> the “remote desktop connection” works, so the ip address will be fine too
19:03 < rewt> there is no "1 solution for everything"... you have to troubleshoot problems, which involves trying things to figure out what the problem actually is before you can fix it
19:04 < rewt> saying "oh that will work because some other thing works" is just an assumption that has to be validated
19:04 < raefe> i think it may have something to do with the windows-share filename
19:04 < raefe> how can i check what \\server is related to?
19:05 < rewt> you have to try things to figure out what the problem is
19:05 < raefe> ok
19:05 < rewt> see if \\ip works
19:05 < rewt> then see if \\ip\share works
19:10 < yawkat> is there a way to configure port security for one vlan only?
19:10 < yawkat> i want port security on the untagged vlan (which will be tagged by the switch) but not on the other vlans
19:13 < raefe> @rewt i tried the //192.168.0.250 but no connection in windows explorer
19:14 < raefe> i mean \\192....
19:14 < rewt> and with the share name on the end?
19:15 < raefe> windows cannot access \\192.168.0.250\\server
19:15 < rewt> the share name is "server"?
19:15 < rewt> why do you have \\ between the ip and the share name?
19:16 < rewt> should be just a single \
19:16 < rewt> by share name, i don't mean server name; i mean share name as in what you shared the folder as
19:16 < raefe> still no connection
19:17 < rewt> have you checked the firewall on that server?
19:18 < raefe> there used to be a connection months ago when i last used it and didnt change the firewall
19:19 < raefe> the name of the remote computer in remote desktop connection is server
19:21 < raefe> there is a subnet mask but no standard gateway on the server ipconfig
19:21 < raefe> its empty
19:28 < raefe> @rewt should there be a standard gateway?
19:29 < skunkz> Hello, what do I need to do so that clients connected to my vpn are able to access other vpn users by their hostname ? Isn't setting up a DNS server a bit overkill for that since I'm the only user of the vpn ? I know Avahi but the version installed on some of my devices is broken and not fixed in debian packages yet (well actually it's nss-mdns which seems to be broken) so I'm open to new suggestions
19:30 < rewt> only if it needs to connect to hosts outside its local network
19:33 < Whiskey`> spaces: i dont think your my type, so need you aint getting fed
19:34 < spaces> Whiskey` don't think, let it happen...
19:35 < Whiskey`> spaces: uh huh i bet to say that to everyone your try to roofie. wont work here.
19:36 < spaces> Whiskey` everyone his own choice... if you don't provide people an option they will never chose ;)
19:58 < raefe> i see the microsoft windows network “workgroup” and shared ‘Server’ on the server, but not on the windows 10 laptop
19:59 < raefe> how do i connect to same workgroup in win10?
20:00 < raefe> @rewt
20:25 < Laki> I have a server on my LAN running VNC software , and it's also connected to a VPN, how can I connect to the VNC service? port the vnc service forward to the VPN or how?
20:27 < rewt> you should still be able to access it from the LAN
20:28 < Laki> rewt: so I thought, it doesn't say connection refused, but it does time out after not connecting for a while
20:29 < rewt> then the server's routing tables are not set up right
20:31 < Laki> rewt: ive not touched any routing tables, is that iptables?
20:32 < tds> no, iptables is for firewalling (and mangling packets in various other ways)
20:32 < tds> what's the output of "ip route" on the server?
20:33 < crng_init> are you connecting with the right port and ip?
20:35 < Laki> rewt: https://bpaste.net/show/ef18efa05467 now is also a good time to mention I'm running it inside of a docker container
20:35 < tds> ifconfig is deprecated, you should be using ip a these days ;)
20:35 < rewt> ^
20:35 < Laki> oh really? I must be oldschool ;)
20:35 < rewt> and where's the vpn? i don't see it there
20:35 < tds> is the docker host NATing the container and also running the VPN client or something?
20:36 < Laki> rewt: hmm i just ran ip route for you at the bottom there
20:36 < tds> as rewt said, there's no interface or routes that you'd expect from a vpn client (ie a tun device)
20:36 < Laki> ah, sorry hang on, that's all before the vpn connects, one moment lol
20:40 < Laki> rewt: https://bpaste.net/show/eab1d6eeec10 sorry i took a while there :-)
20:41 < tds> what ip are you connecting to with your VNC client; is docker doing some NAT horribleness for you?
20:42 < Laki> im using 192.168.1.113 (the machine running docker) to connect to the vnc, here's the host machine ifconfig if it helps https://bpaste.net/show/1fc2b1f559e2
20:42 < Laki> tds: ^ :)
20:42 < Laki> it ofcourse works fine with the vpn turned off
20:42 < tds> is that 192.168... network a plain flat network with a single /24?
20:43 < Laki> yes I think so
20:43 < tds> if so, does "ip route add 192.168.1.0/24 via 172.17.0.1" sort it?
20:43 < Laki> on the host machine yea?
20:43 < tds> no, in the container
20:44 < Laki> 192.168.1.0 should be the gateway right? (actually 192.168.1.1)
20:44 < tds> since the destination of the packets to 192.168.1.113 will be switched with DNAT, but the source address will still be on the 192.168.1.0/24 network, so the container will try to route back out over its new default route rather than via the host
20:44 < tds> the gateway for what?
20:44 < Laki> the network/router
20:45 < tds> anything on that 192.168.1.0/24 network probably wants a default route via the router on that network (could be 192.168.1.1)
20:45 < tds> you shouldn't need to change that to sort routing in the container though
20:45 < Laki> alright, i'll try having the container route 192.168.1.0/24 to 172... :-) one moment
20:46 < Laki> should this be done before connecting to the vpn or after tds ?
20:46 < Laki> i suppose it doesnt matter
20:46 < tds> after
20:46 < Laki> ok
20:46 < tds> but yeah, it probably doesn't matter
20:50 < Laki> tds: okay, that seemed to have sorted everything out! :D
20:50 < Laki> tds: thank you very much for your help! :-) fantastic, you too rewt!
20:51 < tds> docker likely has some way to automatically add the route for you, I'm not familiar with it though, so google that :)
20:51 < Laki> tds: havent a clue, I've only just started playing with docker today, it's pretty darn nice! :-)
21:32 < skunkz> Hi, how can I make it so that when users connect to my vpn server they are able to access other vpn users by their hostname ?
21:38 < nbro> Hi
21:39 < nbro> I am facing a network issue. Right now, I am able to connect to certain websites, but I am not able to connect to most of them.
21:39 < Kingrat> by any chance are you getting ipv6 only? have you checked that ipv4 is working for you?
21:41 < nbro_> If I used ping to connect to the Skype website, I get: "ping: cannot resolve https://www.skype.com/en/: Unknown host"
21:41 < tds> nbro_: you want to ping just the domain, not the full url
21:41 < tds> ie ping www.skype.com, rather than ping https://www.skype.com/...
21:42 < nbro_> Anyway, I get "ping: sendto: No route to host"
21:42 < tds> what's the output of ip route and ip -6 route?
21:42 < tds> (and ip addr and ip -6 addr)
21:43 < nbro_> tds: How do I get that output?
21:43 < tds> run those commands
21:43 < tds> stick the output on paste.debian.net or a similar site
21:43 < tds> that'll output the state of your interfaces and their addresses, as well as your routing table, for both ipv4 and ipv6
21:44 < nbro> I am on a Mac, btw
21:44 < tds> oh, oops, I just assumed a linux box
21:44 < tds> if those ip commands don't work, I guess you could try ifconfig and route
21:46 < skunkz> No idea how to do what I want ? DNS seems to be what I need but I'm not sure, can anyone confirm?
21:46 < nbro> tds: I have this ifconfig command
21:46 < nbro> And I used it in the past
21:46 < nbro> The output looks stranger than usual
21:47 < tds> skunkz: yes, plain dns with openvpn hook scripts to update records is probably the best solution, it's likely that your devices won't all have decent support for mdns/similar
21:48 < nbro> I can access https://www.experts-exchange.com/questions/28929489/ifconfig-output-on-OS-X.html…
21:48 < nbro> WTF!
21:49 < skunkz> thanks tds, I was afraid of this because I know nothing about DNS but I guess it's time to learn
21:49 < tds> nbro: that sounds a lot like working ipv6 but broken ipv4 as Kingrat suggested
21:49 < tds> can you get to ipv6.google.com but not ipv4.google.com?
21:51 < nbro> tds: exactly!
21:51 < nbro> I can connect to ipv6.google.com but not ipv4.google.com
21:52 < nbro> Who is Kingrat?
21:52 < tds> I'm not familiar enough with osx to help, but I'd suggest to check that you have a working dhcp server on the network and that it's handing out addresses
21:52 < tds> he replied to you earlier and suggested that v4 might be broken (but v6 working)
21:52 < nbro> I was probably disconnected in the meantime, because I don’t see his/her message
21:53 < nbro> But I can’t even search on the web
21:54 < compdoc> dont you know Kingrat? hes married to Queenrat
21:54 < nbro> So, does anyone know how to solve this problem?
21:54 < nbro> I mean, I can’t even search for a solution
21:58 < nbro> So, do certain websites have a IPv6 but not all of them? Is this the probable reason why I can connect to certain but not all websites?
21:58 < nbro> *I can’t connect
21:58 < nbro> It’s been a while I have studied computer networking
21:58 < nbro> But I am aware of the transition from IPv4 to IPv6 that people is doing...
21:58 < tds> yes, sadly lots of sites still don't have ipv6
21:59 < nbro> But where do you think is the problem? In my router?
21:59 < tds> are there other devices on the same network that have working ipv4 connectivity? (i.e. they can get to ipv4.google.com in a browser) 22:00 < nbro> I can't connect to ipv4.google.com using my phone 22:01 < ryao> BT709: Usually defense in depth requires each layer to be solid. If each one can be circumvented, it is just annoying the attacker, but not stopping him. :/ 22:01 < nbro> Kingrat: what does it even mean for "v4" to be broken? What did you mean? 22:01 < ryao> BT709: Of course, adding 802.1x so that an attacker gets annoyed before seeing that you have a solid VPN setup is sadistic in a very satisfying way. 22:02 < Kingrat> nbro, can you ping 8.8.8.8? 22:02 < ryao> BT709: Anyway, you can get close to wirespeed with a VPN if the CPU has AES acceleration. 22:02 < nbro> No, I get "ping: sendto: No route to host" 22:02 < nbro> What does this address represent? 22:03 < nbro> https://en.wikipedia.org/wiki/Google_Public_DNS 22:03 < Kingrat> sounds like you have no ipv4 gateway, can you pastebin the output from ifconfig and route -n 22:03 < ryao> BT709: You also need your VPN gateway to be able to handle it. 22:03 < nbro> I can access Wiki... 22:03 * ryao is responding to a conversation from earlier where he had to step out. 22:03 < tds> you can only access the superior parts of the internet ;) 22:04 < Kingrat> pastebin should support ipv6 i hope ;) 22:04 < Kingrat> pastebin.ca is ipv6 at least 22:04 < tds> pastebin doesn't, https://paste.debian.net/ does :) 22:04 < Kingrat> or that 22:08 < nbro> How exactly should I use "route -n"? "-n" is an argument, but if I use just "route -n", I get "usage: route [-dnqtv] command [[modifiers] args]", so I suppose this command is to be used with another command as argument 22:09 < tds> does netstat -rn get you anything useful? 22:10 < nbro> tds: I get some output... 22:11 < tds> stick that on https://paste.debian.net/ then :) 22:12 < crng_init> I'm trying to connect to my global ipv6 address on port 80. 
I can connect from inside my LAN, but not from the outside. Why is that? Is my router blocking traffic or my ISP? 22:12 < nbro> Can I share this output with you? lol, I mean, does this output contain any confidential info that would break my security? 22:13 < nbro> I have a few IP addresses 22:13 < nbro> -n should show the network addresses 22:13 < nbro> Which ones? 22:13 < nbro> -r should show the routing tables 22:14 < linux_probe> you have to open the port in the firewall/s crng_init 22:14 < linux_probe> on isp modem/router and your machine 22:14 < crng_init> I assume it's open on my machine since I can reach it from other machines on my LAN 22:16 < linux_probe> then open/allow the port on router/modem 22:18 < crng_init> Well, I successfully port-forwarded other ports with ipv4 already. How do I do that with ipv6 though? 22:20 < linux_probe> similar but it's not forwarding, it's allowing the traffic to pass 22:21 < crng_init> so disabling a firewall? 22:22 < crng_init> Is it correct that ipv6 doesn't use NAT? 22:22 < linux_probe> don't disable the whole firewall, just allow that port and ipv6 address to pass through 22:27 < memelover> I want to connect a cell phone to the internet with a router that sends all traffic through tor. With that, I'm a little limited in hardware. Would it be possible to bridge the wireless connection on a laptop to the wired connection, but to make the traffic from the wireless go through tor somehow? 22:27 < Epic|> Looking for some presumption of guilt eh, 22:27 < Epic|> ? 22:27 < crng_init> I can only connect to my router over an http interface, which limits my options. I cannot set specific firewall rules, I can only set it to "low,medium,high". And setting it to low does not work. 
22:29 < linux_probe> don't know what to tell you crng_init, but there should be a page similar to the port forward one that allows you to "open" pass through ipv6 traffic 22:29 < linux_probe> if not, maybe ipv6 was an afterthought on the device and time for an upgrade 22:39 < djph> replace it with something that'll let you do what you want? 22:39 < jurislav> any idea what could cause _very_random_ wifi connectivity issues? majority of the users are fine, but _some_ of them _sometimes_ report DNS resolution issues (the browser message). if they wait a couple minutes, or reconnect to a network, issue disappears :/ 22:39 < djph> gremlins 22:39 < jurislav> it sure looks like that :/ 22:40 < djph> distance from the AP, you forgot to make a sacrifice to the radio gods, etc. 22:40 < jurislav> they have APs right above their heads.. 22:40 < jurislav> or in the next room. coverage and signal are good, as I was. also the APs are not overloaded 22:41 < djph> could be too close as well... 22:43 < crng_init> linux_probe: Well I think I'm out of luck with this router. Thanks for your help! 22:44 <+pppingme> jurislav how many APs? how many wifi users? when they are in this "dns blackout" can they ping anything on the lan by ip? 23:01 < jurislav> pppingme: 28 APs, ~150 clients (varies). haven't asked them to troubleshoot this particular thing (the lan access) 23:03 < spaces> bedtime! 23:03 < spaces> (with dog :)) 23:05 <+pppingme> jurislav that's a few APs, I'd start to question if they are interfering with each other.. how big of an area are these covering? 23:05 < djph> ^ 23:07 < jurislav> 2 floors in a hotel, 2 halls each, one above the other. every 3rd room there is an AP. the aim was to cover 3 rooms with 1 AP so that the clients don't need to reach further than behind 1 wall. 23:10 <+pppingme> how are you setting channels? are the APs between floors directly above one another or are they offset? 23:15 < jurislav> pppingme: they're offset. 
channel setting is set to auto, and in monitoring, I see evenly distributed 1, 6, 11 for 2.4GHz, and random higher channel numbers for 5GHz 23:16 <+pppingme> are these individual APs, or part of a larger centrally controlled and configured system? 23:16 < jurislav> ruckus zonedirector 23:20 < nbro> OMG!! 23:27 <+pppingme> are they running full power or reduced power? 23:31 < jurislav> pppingme: we wanted to give the Ruckus Self Healing feature a try, which requires the power setting to be at automatic as well. it's supposed to "intelligently" help with exactly these issues, but perhaps there is some space for improvement.. :/ anyway, I don't know if that's what *causes* the issue. i sure can reconfigure everything to manual. I just wanted to ask first, whether there could be another issue, say, 23:31 < jurislav> with mikrotik being a router, or just some 3rd party method of monitoring the radio for exactly these kinds of issues. but I guess there are no tools for this, and all we can do is try various settings..? 23:36 < djph> there are loads of tools - you just have to be there *when* things are acting up 23:42 < jurislav> yeah, that's the tricky part :/ 23:42 < jurislav> I can't really be there all the time 23:43 < jurislav> that's why I was hoping for another way --- Log closed Mon May 28 00:00:35 2018