--- Log opened Thu Jun 07 00:00:48 2018
00:02 < BenderRodriguez> ugh
00:02 < BenderRodriguez> what's with the IT industry and its fascination with RCA documentation
00:02 < BenderRodriguez> You KNOW what caused the issue
00:02 < BenderRodriguez> why do you need a document?
00:02 < BenderRodriguez> catphish: am I right or am I right
00:03 <+catphish> i dont know what that is
00:05 < BenderRodriguez> catphish: good
00:05 < BenderRodriguez> it's better not to know about these things
00:05 < BenderRodriguez> lest the cancer spread
00:25 < djph> "Root Cause Analysis"
00:25 < djph> my boss was *pissed* last time he made me write one
00:25 < djph> I started it with "shit broke, and the pencilneck paper pushers wasted 4 hours on the phone pointing fingers before they'd let us even start looking into the issue"
00:26 < djph> my plan for "make sure it doesn't happen again" was "fire management, and let us do what you pay us to do"
00:29 < Apachez> end game: djph doesnt have to write any more "root cause analysis" any more? :P
00:34 < djph> Apachez: that's the plan
00:34 < djph> Apachez: though it didn't work this time
02:07 < MarkusDBX> Looking for a good documentation / teach material of how reverse lookup and arpa addresses work.
02:07 < MarkusDBX> Google is show lots of stuff, some stuff is just too old.
02:08 < MarkusDBX> *google is showing..
02:08 < MarkusDBX> need to set up PTR and my skills in this area are not the best
02:15 < tds> MarkusDBX: if this is for a public IP and you don't own the IP space, you probably need to do that via your provider, I'd expect it to be an option in the control panel or whatever
02:23 < Fieldy> anybody know how to, from the client side, prevent openvpn from trying to assign an ipv6 address? i only want an ipv4 address. i've disabled ipv6 entirely in sysctl as well as a boot parameter, however the server (which I don't control) is also trying to give the client an ipv6 address, and it quits when it can't assign one. i've searched around and not really finding anything
02:24 < Dagger> dare I ask why you don't want a v6 address? you might be better served by fixing whatever the underlying issue there is
02:25 < Dagger> given that v6 is a thing you need to be deploying anyway
02:33 < MarkusDBX> tds: it's a vps provider I use, they have a controlpanel, I can create such a zone
02:33 < MarkusDBX> tds: I'm just noobish in the area
02:35 < tds> it's difficult to know what you need without knowing the provider's interface - you should be able to add a record per ip address, with a hostname as the data in the ptr record
02:35 < DF3D2> I'm having an issue with a software vendor who provides a client/server app, the app allegedly uses 443 out which is definitely not being blocked at the client site, however the user is experiencing all sorts of intermittent connection issues, but ONLY on this app and the internet is a fiber connection. The vendor of course claims the issue is on our network side, I can find no such issue...
02:36 < DF3D2> I'm not sure where else to look
02:41 < djph> wireshark? see what's going out?
02:43 < DF3D2> yeah also gonna start a capture in the router soon
02:44 * dogbert_2 drops a large pizza on djph
02:54 < Fieldy> found the solution. if you want to disable ipv6 from the client side on openvpn (example: you don't control the server): https://www.snbforums.com/threads/openvpn-help-please.41683/#post-352774
02:55 < tds> Fieldy: as Dagger asked earlier, what's your reason for wanting that?
02:56 < tds> if it's for privacy or similar, you may want to null route v6 traffic rather than just ignoring the openvpn options, since otherwise you may leak v6 traffic via a native connection
02:56 * dogbert_2 spins The Stampeders - Sweet City Woman
03:32 < smallville> does spectrum provide a free router?
03:33 < smallville> or do they provide a modem only?
03:35 < dogbert_2> is spectrum a cable provider? if so, buy your own cable modem and wireless router
03:35 < dogbert_2> I have Cox here...use an Arris Surfboard SB6183
03:37 < smallville> kinda overkill, no?
03:37 < smallville> why not get one with wifi?
04:02 < Kingrat> smallville, generally they provide it for a small monthly fee, but in my experience unless you have a business account most of the ones they use for residential are not good
04:07 < dogbert_2> combining cable modem with wireless isn't a good idea, IMO...that's what the D-Link AC1750 is for :)
04:08 < dogbert_2> the SB6183 just passes the stuff thru to the D-Link :)
04:16 < UserUS> is it normal to have a lot of incoming icmp packets from google?
04:16 < rewt> omg they're trying to hack you
04:20 < UserUS> lol well follow up, how about from russia, japan, and poland?
04:21 < UserUS> Null payloads
04:22 < dogbert_2> upgraded firmware in D-Link AC1750
06:39 < Ted33> Computer1 has 2 NICs. NIC1 on VLAN1 and NIC2 on VLAN2. Both VLANs are routable. If I want all traffic bound for VLAN3 to go out NIC2 and all other traffic to go out NIC1, then shouldn't I configure both NICs with gateways?
08:37 < zetheroo> 2 systems in the local network - sshing into an offsite-hosted server - local system 1 can ssh into said offsite server instantly, while local system 2 times out - suggestions? (All systems are Ubuntu Linux)
08:44 < detha> zetheroo: look at the server ssh logs
08:45 < cluelessperson> hey all. If I want to setup a dns and dhcp server, that handles internal as well as public DNS, what terminology should I be searching for to learn about it?
08:45 < cluelessperson> I'm not sure what the standards are.
08:49 < detha> cluelessperson: the standards are DNS and DHCP. Terms: resolving, authoritative, tsig update
08:52 < zetheroo> detha: apparently it's a tcp problem ... I tried to tcptraceroute the server at port 22 and it fails with Destination not reached
08:53 < detha> zetheroo: can you ping it? if yes, firewall problem
08:53 < zetheroo> detha: yes, can ping it from both local systems
08:54 < zetheroo> but if it's a firewall issue how is it that one local system can reach it just fine while the other cannot?
08:54 < detha> and from the 'working' system tcptraceroute works?
08:54 < zetheroo> yes
08:54 < zetheroo> practically instant
08:55 < detha> from the non-working, how many hops do you still see in tcptraceroute?
08:56 < zetheroo> 6 - not including the ones with ***
08:56 < zetheroo> from the working there are 7
08:56 < detha> ones with *** count just the same. Do both systems follow the same route?
08:57 < zetheroo> yes they do - up till the 6th hop
08:58 < detha> any NAT gateways involved, or do both have a public IP?
08:59 < zetheroo> ok, I just tried again from the working one and now it's showing *** after the 6th hop, gets to the 30th hop and then end ... no message
08:59 < zetheroo> very odd
09:00 < detha> and ssh still works?
09:00 < zetheroo> yes
09:01 < detha> odd indeed. still points to some firewall/IDS in front of the server though
09:02 < zetheroo> or a firewall rule on the offsite server itself?
09:02 < detha> could be that too. It sounds like rate limiting, fail2ban, something like that
09:03 < detha> easy enough to test, on the server do sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
09:03 < zetheroo> I just had a look at the iptables rules on the offsite server and there are a bunch
09:04 < zetheroo> hmm ... maybe iptables has a log ....?
09:05 < detha> only if you use -j LOG in the rules
09:06 < zetheroo> all I see is -j ACCEPT after the rules :/
09:07 < detha> try adding that --dport 22 rule as the first rule, that will rule out [pun intended] other issues in the ruleset
09:08 < zetheroo> sorry, not entirely sure what you mean I should do
09:09 < detha> sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
09:09 < detha> that will create a rule to allow ssh as first rule in the chain
09:09 < zetheroo> ok 👍
09:09 < zetheroo> I see it there now
09:10 < zetheroo> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
09:10 < detha> -A is 'last rule'
09:10 < zetheroo> oh
09:11 < detha> you want it as the first rule in the input chain, so it takes priority over whatever other stuff is in there
09:11 < zetheroo> and it should be the first rule ..
09:12 < zetheroo> but all the rules have -A in front of them
09:13 < detha> when you build a ruleset, you use -A so you can write it in order.
09:13 < zetheroo> ok, how do you get it to be a first rule?
09:13 < detha> use -I instead of -A
09:13 < detha> Insert, Append
09:14 < zetheroo> that's what I did ... I copied your command
09:14 < detha> is it in there as first rule in iptables -vnL now?
09:15 < zetheroo> first line of output is:
09:15 < zetheroo> 24840 133M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
09:15 < detha> good. and if you test again with tcptraceroute, what happens?
09:16 < detha> also, that looks like an older rule - 24K packets don't happen in a minute or so
09:17 < zetheroo> do I need to reload a service on the offsite server for the change to be applied?
09:18 < detha> no
09:19 < zetheroo> tcptraceroute from non-working local system is the same as before
09:19 < detha> and from working?
09:20 < zetheroo> same as before - works instantly once or twice, and then does its *** hops till 30 and end without message
09:20 < zetheroo> but ssh no problem
09:20 < detha> some firewall
09:22 < detha> chances are that if you wait an hour, suddenly both work.
09:22 < zetheroo> really :D
09:23 < zetheroo> can iptables be disabled temporarily for testing?
09:23 < zetheroo> as in, to see if it's the issue at all ..
09:24 < detha> I wouldn't, but yes you can. Rather look for port 22 traffic with tcpdump
09:25 < detha> If you ssh to the server, and you see the SYN packets, it's the server. If you don't see them, it's an IPS in front of the server
09:26 < zetheroo> and you see that information in a log?
09:26 < zetheroo> or with some networking traffic monitoring software?
09:27 < detha> on the server, run 'sudo tcpdump port 22'
09:27 < zetheroo> I guess I have to install something ... command not found ... one sec
09:28 < zetheroo> holy hell ... when I execute that command the output is like a torrent
09:29 < detha> ah. running it on another ssh session instead of remote console?
09:29 < zetheroo> yeah, I am ssh'ed onto the remote server
09:29 < zetheroo> doing it wrong?
09:30 < detha> ok, sudo tcpdump port 22 and 'tcp[tcpflags] & tcp-syn !=0
09:30 < detha> oh, and a closing '
09:31 < zetheroo> ok, and now I ssh from another terminal ...
09:33 < regdude> The term "fiber drop cable" simply means a more durable fiber optics cable? (more durable shell)
09:33 < zetheroo> detha: can I PM you the output pastebin?
09:33 < detha> zetheroo: no problem
09:34 < zetheroo> That's the output from the offsite server as I was sshing in from the working local system
09:35 < detha> that....seems to be a popular target for scanners. The question now is, which would be your attempts?
09:38 < zetheroo> in that output I don't see SYN anywhere - is that what you said to look for?
09:38 < detha> the [S] is syn, [S.] is SYN/ACK
09:39 < zetheroo> ok
09:40 < detha> zetheroo: is mrs-4b something you have any control over?
09:40 < zetheroo> that's the offsite server - I have ssh access to it (from that one local system) and can access the offsite hosting account
09:41 < zetheroo> oh wait, that's not the one I am trying to ssh into though
09:41 < zetheroo> mrs-1b
09:41 < detha> hang on, that looks like it was taken from mrs-1b . yes
09:41 < zetheroo> ^ that's the one in question
09:43 < detha> anyway, it looks like lots of things are trying to connect ssh to that server.
09:44 < VincentHoshino> heh stuck a ssh server with a public facing IP on port 22?
09:44 < zetheroo> yes, there are. and all are seemingly working - other than pretty much all local systems on our network
09:45 < VincentHoshino> ohh
09:46 < zetheroo> I heard from the other sysadmin that he created an iptables rule for a VPN connection from the offsite system to the local system that incidentally is the only system which can ssh into that offsite server without issue
09:46 < zetheroo> could that have anything to do with this?
09:46 < detha> ah. that server be set up to accept keys only by the looks of it, good. Now on the non-working system, do you have keys for it?
09:47 < zetheroo> yes, my key is deposited on that server
09:47 < detha> what is the exact message you get when trying to connect?
09:51 < potatoe> i wanted to move my ssh server to port 22222 but then again
09:52 < detha> from the earlier tcpdump, that server happily responds to connections. However, this times out, so something in front of it. I would ask whoever hosts the server
10:01 < zetheroo> if the hosting provider has a firewall they would have to be blocking all of our internal IP's other than the one which can ssh into the server ...
10:06 < zetheroo> I will contact the provider nevertheless
11:02 < screwsss> https://imgur.com/zcjlzWF are these speeds reasonable
11:02 < screwsss> over fully hardwired LAN ethernet
11:05 < regdude> I think your PS3's HDD is the bottleneck, though it might be the router that is not able to handle more than 200Mbps with TCP
11:06 < regdude> 22MB/s write seems reasonable for a 2.5" HDD
11:06 < regdude> though it can do a lot better
11:06 < screwsss> https://www.dlink.com.au/home-solutions/DSL-2890AL-dual-band-wireless-ac1750-gigabit-adsl2-modem-router
11:06 < djph> ew, 5400 RPM drive?
11:06 < screwsss> that's my router
11:07 < screwsss> MiB
11:07 < screwsss> megabits right
11:07 < regdude> the AC1750 SoC should be able to handle more than just that, but that is DLink, dunno how they have implemented the chip and if they are even using the built-in switch chip
11:07 < djph> base-2 megabytes (1024 KiB * 1024 Bytes)
11:08 < djph> er 1024 ^ 3 Bytes
11:08 < djph> vs MB (base-10) of 1000 ^3 bytes
11:09 < djph> ... fuck it's too early, s/3/2/g
11:09 < screwsss> ah a mebibyte
11:10 < screwsss> what did you mean by TCP earlier
11:10 < regdude> TCP traffic adds extra load on a switch chip (asterisk) and on the CPU for the router
11:11 < regdude> if you are worried about network performance, then never use file transfers, too many factors, use iperf instead
11:12 < screwsss> iperf
11:12 < screwsss> ok.
11:12 < screwsss> that's a CMD command right
11:12 < stefy143> whats the difference of same and adjacent layer interaction
11:15 < regdude> some devices can offload to the hardware traffic that is being sent over Layer2, some can even offload some very simple routing (Layer3), but between these two layers there will be a performance drop
11:16 < regdude> screwsss: it is a tool to measure network's performance. If you are using Windows, then there should be a GUI tool as well, I think there was jperf
11:19 < stefy143> can anyone help me?
11:21 < stefy143> hello?
11:24 < screwsss> im on windows yep
11:25 < screwsss> regdude - meh. 120 megabits a second feels about right
11:26 < regdude> so the bottleneck is your PS3's HDD (or maybe your PCs HDD), or maybe the CPU, but the network is running at wirespeed, nothing to improve there
11:27 < regdude> oh wait, 120Mbps using iperf? That is not so good at all
11:28 < regdude> that is really bad then
11:37 < stefy143> anyone?
11:37 < Emperorpenguin> hi stefy143
11:38 < stefy143> hi
11:38 < stefy143> can anyone explain to me the difference of same and adjacent layer?
11:39 < djph> same layer -> e.g. layer 2. adjacent layer -> +/- 1 (e.g. L1 or L3)
11:41 < stefy143> im a noob what does it mean +/- 1?
11:42 < lithiumpt> regdude: the PS3 has hard disk encryption, so every disk write goes through the encryption function, which is quite cpu heavy
11:42 < djph> "plus or minus 1". so if we're starting at "2", "2+1 = 3" and "2-1=1"
11:44 < stefy143> you lost me
11:45 < regdude> lithiumpt: it was a long time ago, but when I modded to have a 3.5" HDD I think it did better, the CPU is quite good, but I think his network might be a bottleneck if iperf shows only 120Mbps
11:45 < stefy143> whats got to do with adjacent?
11:46 < djph> stefy143: "adjacent" literally means "next to"
11:46 < djph> stefy143: so "given Layer *TWO*" the layers "next to" it are ... *ONE* and *THREE*
11:48 < stefy143> so you're giving me a calculation?
11:48 < djph> no, I'm giving you primary school number lines.
11:49 < djph> one comes before two, and two comes before 3. Therefore "2" is adjacent to 1 and 3.
11:50 < djph> anyway, the layers themselves are just a model. That is, they're just a tool to make sense of the complexity of networking (and throw away everything after L4 anyway)
11:51 < detha> Wait, we can throw away L8? Yes!
11:51 < stefy143> no such thing as level 8
11:51 < djph> stefy143: (l)users.
11:51 < stefy143> unless they added it recently
11:52 < stefy143> idk why but ur example makes sense in some way
11:52 < djph> stefy143: aka your cow-orkers. aka "those people you can replace with a small shell script"
11:52 < djph> stefy143: aka meatsacks
11:53 < regdude> I actually gave this guy the difference between L2 and L3 from a performance viewpoint
11:53 < djph> detha: you can, although better to have them leave of their own volition. Unquestioning PFYs are hard to come by these days.
11:54 < detha> djph: true. But I was more thinking along the lines of the model that puts 'Management' at L8.
11:55 < djph> isn't manglement L9?
11:55 < detha> L8 - management, L9 - finance. Or vice versa.
11:55 < djph> ah
11:55 < djph> still "getting them to leave" is generally the cleaner option.
11:56 < stefy143> i dont get the last two comments
11:56 < djph> stefy143: it's a joke
11:56 < stefy143> but thanks for the help djph
11:56 < stefy143> okay
11:57 < djph> the OSI model has L1 - L7. L8+ are jokes (users, management, beancounters, etc.)
11:57 < stefy143> sorry not in the mood for jokes just studying djph
11:59 < djph> too bad, you're getting them anyway. It's the only way we can cope with bad users.
11:59 < djph> (well, that and alcohol ... but alcohol is frowned on at 9AM)
12:00 < stefy143> oh btw to learn networking what do i need to learn it i mean tools
12:01 < stefy143> like the physical one
12:01 < stefy143> is there a kit or something?
12:01 < djph> you need a brain, and to not be color-blind.
12:01 < stefy143> because the exam is composed of written and practical right?
12:01 < djph> no idea
12:01 < djph> what test?
12:01 < stefy143> for networking?
12:02 < stefy143> im not taking the test but i do need to learn it physically
12:02 < djph> I mean, are you talking about a *specific* test that you're planning on taking, or just some ephemeral "test".
12:02 < stefy143> is there like a kit in amazon or some idea how to get stuff
12:03 < djph> copper is simple -> TIA/EIA 568-B.
12:03 < stefy143> i hate tests ill probably not take it
12:03 < djph> glass is ... well, make your employer pay for you to learn that.
12:03 < stefy143> but ill study like im going to take one
12:03 < drozdziak1> I'm trying to ping `ff02::1` and I get `Network is unreachable`. What could be the problem? I do specify an existing interface that is up and has a link-local IPv6 address
12:04 < Roq> stefy143: Which test are you studying for? A kit makes sense if you're studying for a vendor specific exam like cisco or juniper
12:04 < djph> stefy143: if you want a crimper and some cable and some ends to practice with, your local home improvement type store should have some / all of that.
12:04 < stefy143> the book says ccna
12:05 < stefy143> ccent
12:05 < Roq> Ok, cisco it is then. You can do anything you need for CCENT in "Packettracer"
12:05 < djph> Roq: I *think* he's looking for a (physical) networking toolkit -- lineman's scissors, pliers/cutters, crimpers, etc.
12:05 < stefy143> i dont have a prob with that
12:05 < djph> ... or not ...
12:05 < stefy143> more on the configuring part?
12:05 < Roq> djph: hah, or not :)
12:06 < djph> :)
12:06 < stefy143> or making ur own network stuff no idea
12:06 < Roq> stefy143: packettracer is software that simulates switches and routers etc. You can build your labs in it and test the commands etc
12:06 < stefy143> i think u need physical stuff besides packettracer
12:06 < Roq> It's free to use and saves you the costs of an actual lab
12:06 < djph> stefy143: "need"
12:06 < stefy143> u call it networking lab then?
12:07 < Roq> A virtual lab? Yeah
12:07 < stefy143> i need a physical one
12:07 < Roq> Why?
12:08 < stefy143> fuck or i need to ask someone so i can do lab stuff dammit
12:08 < stefy143> theory and physical are not the same
12:08 < Roq> You can build labs in packettracer, it will be sufficient for your CCENT
12:08 < djph> "lab stuff" is typically just "okay I have three routers, and I'm gonna make OSPF work because I can"
12:08 < Roq> It will simulate a physical lab
12:08 < stefy143> im not taking the test -_-
12:08 < stefy143> i just want to learn it
12:09 < djph> you don't actually *need* a physical lab
12:09 < djph> (unless you're studying for a test like "terminate 80-billion connections")
12:09 < stefy143> oh u mean i can buy the materials i need from there to make a physical lab?
12:09 < Roq> You will learn it by making labs in packettracer too :) It's the easiest way to start with building/configuring simulated networks
12:09 < stefy143> that sounds like ddos
12:10 < djph> no, I mean *physical* connections -- e.g. here's some 600-pair cable. have at it.
12:10 < stefy143> ok so first packet tracer and then physical
12:10 < regdude> "in today's lesson we are going to learn how to mitigate DDoS, let's build our own botnet with 1000 IoT on our desks"
12:10 < stefy143> u mean a rac?
12:10 < stefy143> *rack
12:10 < stefy143> i think its called
12:10 < djph> regdude: haha
12:10 < djph> stefy143: who, me?
12:11 < Roq> Just download packettracer and make some entry level topologies, you will learn from that
12:11 < Roq> Even if you're not taking the test
12:11 < stefy143> i already have that im just reading the book coz i never finished it
12:11 < stefy143> i want to finish what i started then go to the next
12:12 < stefy143> like programming
12:12 < stefy143> one last question
12:12 < stefy143> is a networking mind different from a programming mind?
12:13 < stefy143> i mean how he logically solves problems, is it a huge difference?
12:13 < djph> they're two different sets of problems
12:13 < stefy143> solve in different ways?
12:14 < stefy143> just want to know the way of thinking before i dive into this
12:14 < djph> well, it's more like asking "can I use this hammer to install screws"
12:14 < djph> logical thought processes, etc. will overlap. But the actual execution of "solve teh problem" are different.
12:14 < stefy143> fuck two ways of thinking got it
12:15 < djph> I ... guess ...
12:15 < stefy143> -_- ill be crazier when i finish this
12:15 < stefy143> more drugs then okay
12:15 < stefy143> gtg
12:15 < djph> I mean "programmer" writes a program. "Network guy" ... well, fixes the network ...
12:15 < stefy143> thanks for the help
12:15 < stefy143> whats the difference?
12:16 < djph> "fixing the network" and "writing a program" are entirely different tasks.
12:16 < Jackneill> hey
12:16 < Jackneill> is RAP == vpn client?
12:16 < Roq> The type of person will be the same, pragmatic, analytical, logical. The fields are vastly different so you can't really compare that
12:16 < djph> 'RAP' looks like an acronym
12:16 < stefy143> why do we write programs? and why do we fix networks?
12:17 < stefy143> seems the same to me
12:17 < djph> stefy143: (1) to solve a problem. (2) to shut the users up.
12:17 < stefy143> i just want to know if the brain pattern differs a lot or im screwed
12:17 < djph> or rather, the program is to automate / speed up some task.
12:17 < djph> the network is to move data faster.
12:18 < stefy143> speed is the common ground
12:18 < stefy143> i can go with that
12:18 < stefy143> thanks
12:18 < stefy143> gtg thanks a lot
12:20 < Jackneill> djph, remote access point
12:28 < myrat> dd
12:42 < Tazmain> Hi all, is it possible on windows 10, that I can run my own dns server?
12:43 < Tazmain> host file entry doesn't seem to work. Seems another dns is interfering
12:47 < djph> Tazmain: probably not. MSFT is pretty adamant about how you use their various "levels" of operating system
12:47 < djph> Jackneill: huh?
12:48 < djph> Jackneill: oh, right, the "RAP=vpn" or whatever. In what context is this, exactly?
12:48 < Jackneill> replacing vpn client with hardware that does the same
12:48 < djph> Jackneill: I mean, like Cisco APs, or ... something else?
12:48 < Jackneill> is this manufacturer dependent?
12:49 < djph> so a site-to-site VPN? I'd use ipsec right on the routers if they were capable of it
12:49 < Jackneill> djph, to connect a computer to a vpn/intranet in another country
12:50 < djph> Jackneill: well, if it's just a single computer, something like openvpn on a raspi might be sufficient
13:32 < Apachez> putin live answering questions from the public :) https://www.youtube.com/watch?v=JFyfu9um_Ts
13:42 < zetheroo> detha: the hosting provider replied saying "We are neither filtering nor blocking any traffic per default. Furthermore, the firewall feature via robot has not been activated from your end." - so that rules them out :/
13:45 < zetheroo> how do I turn on logging for iptables?
13:46 <+xand> how did you turn it on?
13:46 <+xand> delete the LOG rule
13:48 < zetheroo> xand: I didn't turn it on
13:48 <+xand> well it isn't enabled by default, there must be a LOG rule
13:48 < detha> zetheroo: iptables -A INPUT -j LOG
13:48 < stefy143> hello
13:48 <+xand> yeah one like that
13:49 < zetheroo> gr8 thks
13:49 <+xand> you need to remove it
13:49 < stefy143> what is a session layer?
13:49 < zetheroo> remove it?
13:49 < stefy143> is it a protocol thing? or something?
13:49 <+xand> zetheroo: what distro do you use?
13:49 < zetheroo> Ubuntu
13:49 <+xand> mmmm
13:49 <+xand> well
13:49 < zetheroo> so to get logging to work I have to remove the rule?
13:50 <+xand> I'm sorry I misread, I thought you wanted to turn it off.
13:50 <+xand> oops
13:50 < zetheroo> k
13:50 < thelucky1ike> stefy143: it is a layer out of the OSI or TCP/IP stack
13:50 * compdoc slaps xand around a bit with a large trout
13:50 <+xand> zetheroo: do you actually have any rules, as there are not any by default. and do you want to log just dropped things, or everything?
13:50 < stefy143> wut?
13:51 < thelucky1ike> stefy143: https://en.wikipedia.org/wiki/OSI_model
13:51 < zetheroo> xand: there are a number of rules on the system
13:52 < stefy143> so it is about protocols?
13:52 < zetheroo> xand: I am looking for anything blocked
13:52 < detha> zetheroo: just full logging may give too much noise, maybe just log anything port 22 (or even port 22 SYN) that gets through
13:52 < stefy143> like handshake?
13:52 < zetheroo> any ssh connections blocked
13:53 < zetheroo> detha: yes, that makes sense
13:54 < detha> what is the last rule in your input chain? a DROP, or is it set to 'default drop' policy?
13:54 < thelucky1ike> stefy143: your terms don't make much sense, protocols, handshakes
13:54 < thelucky1ike> intro page in wiki makes it kind of clear
13:55 < stefy143> whats ur knowledge about networking?
13:55 < thelucky1ike> its my job, but depends
13:56 < zetheroo> detha: it's an ACCEPT for udp
13:56 < stefy143> you know the differences on osi model of each?
13:56 < detha> zetheroo: then iptables -A INPUT -p tcp --dport 22 -j LOG
13:57 < thelucky1ike> stefy143: yes, even if it is not in use nowadays
13:57 < detha> that logs any port 22 traffic that falls through, and ends up in the default block or drop
13:57 < stefy143> then you know what im asking about
13:57 < detha> (unless you have specific drop rules for it before there)
13:57 < zetheroo> detha: ok ... great ... going to watch kern.log now as I attempt to SSH in ..
13:58 < stefy143> no need to send me to wiki if you understand it correct?
13:59 < thelucky1ike> sorry mate, but your question about it was too generic to answer shortly.
14:00 < stefy143> i want to know what it means L5
14:00 < stefy143> to differentiate it from transport
14:01 < stefy143> transport is tcp/udp
14:01 < stefy143> whats session?
14:01 < zetheroo> detha: ssh timeout and no output on kern.log
14:02 < detha> zetheroo: interesting. time for another log rule, now as first rule.
14:02 < Atro> most stuff uses TCP/IP which disregards L5
14:02 < Atro> but your question sounds like homework
14:03 < stefy143> so you guyz dont know?
14:03 < zetheroo> detha: ok, deleted the previous rule and created it again with -I
14:03 < djph> stefy143: look at the OSI model
14:03 < djph> that will show all the layers
14:04 < djph> (or the TCP/IP model -- but it has fewer layers than the OSI model, which may make things less clear)
14:04 < detha> zetheroo: do you know the external address you are connecting from?
14:04 < zetheroo> detha: first rule in input chain: 72 41714 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 LOG flags 0 level 4
14:04 < stefy143> okay you dont get my question
14:04 < thelucky1ike> stefy143: session layer "binds" together application with actual sessions - opening, closing, maintaining, etc
14:04 < thelucky1ike> it follows what connections go where and to what applications
14:04 < stefy143> so it is a handshake?
14:05 < detha> zetheroo: with all the ssh hitting that server, probably easier to log specifically on the address you are connecting from
14:05 < zetheroo> detha: yes
14:05 < stefy143> or security stuff?
14:05 < thelucky1ike> its a way how all your network stuff works together
14:05 < Atro> its more of a handshake
14:06 < stefy143> ok so its like packets or frames connecting to the server? or computer?
14:06 < stefy143> and vice versa?
14:06 < stefy143> data flow?
14:06 < thelucky1ike> not packets/frames, but more flow itself
14:07 < stefy143> so its the interaction between nodes or something?
14:08 < zetheroo> detha: iptables -I INPUT -p tcp --dport 22 -j LOG --> how do I apply that to a single IP?
14:08 < djph> stefy143: no. data traverses EVERY LAYER
14:08 < thelucky1ike> no, within same node. I would see it like this: your application ( example firefox ) needs to go to webpage. Firefox itself doesn't have tcp stack, it uses underlying OS stack. If this stack operates under OSI, then layer5 would bind your outgoing tcp session to correct firefox session
14:08 < detha> zetheroo: iptables -I INPUT -p tcp --dport 22 -s 1.2.3.4 -j LOG
14:08 < detha> that logs any ssh traffic coming from 1.2.3.4
14:09 < zetheroo> ok
14:09 < Atro> its a session inside a session
14:09 < stefy143> so its not the interaction
14:09 < Atro> yo i herd u like sessions so i put a session inside your session so you can TCP RST inside the session
14:10 < stefy143> traffic is more on the transport than session right
14:10 < Atro> define "traffic"
14:10 < detha> #define traffic CARS * many
14:10 < stefy143> binaries passing through wire?
14:10 < djph> stefy143: so, your application (L7) sends a request through the presentation layer (L6), which gets wrapped in a session (L5), which gets wrapped in a transport protocol (e.g. "TCP", L4), which gets wrapped in the network protocol (e.g. "IP", L3), which gets wrapped by a data-link protocol (e.g. "Ethernet", L2), which finally gets transmitted over the physical medium at L1
14:10 < Atro> that's L2
14:11 < Atro> djph: nice :>
14:11 < Atro> djph: but what about L8
14:11 < stefy143> its not the frame i was looking for
14:12 < stefy143> but the exact definition of session in another sense
14:12 < zetheroo> detha: when watching the kern.log it's scrolling so fast I can't keep up ... crazy
14:12 < stefy143> and i dont see it
14:12 < detha> zetheroo: hmm. can't remember how to filter on flags, but maybe state will do:
14:13 < detha> zetheroo: iptables -I INPUT -p tcp --dport 22 -s 1.2.3.4 -m state --state NEW -j LOG
14:13 < stefy143> okay lets say its a phone call
14:14 < stefy143> what would be session in that case?
14:14 < zetheroo> detha ok
14:14 < stefy143> is firewalls on session?
14:14 < djph> on the receiving side, physical electrical signals (L1) are interpreted and handed off to data link for initial interpretation / unwrapping (L2), which hands off to the network stack (e.g. "IP", L3), which hands off to the transport interpreter for packet re-assembly / re-ordering (e.g. "TCP", L4), which hands off to the session manager (L5), which sends to the right presentation manager (e.g. for
14:15 < djph> "mimetype image/jpeg", L6), which hands off to the application (e.g. "firefox", L7), which draws that funny cat picture in its window, for your eyes to see (L8)
14:15 < djph> actually ... s/packet re-assembly/datagram re-assembly/
14:16 < djph> Atro: there, took care of L8 for you :)
14:16 < thelucky1ike> lol
14:16 < thelucky1ike> L8 then is the most problematic layer
14:17 < djph> indeed
14:17 < Atro> djph: yeah but sometimes the L8 is broken as hell
14:17 < djph> Atro: "sometimes"?
14:17 < stefy143> no answers?
14:18 < Atro> stefy143: phone call is SIP
14:18 < Atro> deduce the rest
14:18 < djph> stefy143: firewalls are typically L3. They MAY also take L4 into account (but they don't have to)
14:18 < Atro> They may also take L7 if they're gud
14:19 < stefy143> your sentence doesnt make sense
14:19 < stefy143> im talking about l5
14:19 < djph> Atro: true, but DPI is a pain in the ass to get right.
14:19 < djph> stefy143: which is not typically something a firewall looks at.
14:20 < Atro> stefy143: https://en.wikipedia.org/wiki/List_of_network_protocols_(OSI_model)#Layer_5_(Session_Layer)
14:21 < regdude> Sanity check: CoS 1 is less important than CoS 7 (802.1p), right?
14:21 < Roq> regdude: yeah
14:21 < regdude> Roq: thanks! then I got it working now
14:22 < stefy143> better thanks Atro
14:23 < stefy143> so security is focused on session
14:23 < djph> stefy143: ignoring L7 / DPI ... most firewalls will look at: L4 (protocol - TCP, UDP, ICMP, etc.); L3 (IP address); RARELY L2 (MAC Address - since they're only known to the local segment); and L1 (which physical interface is the traffic entering / exiting)
14:24 < stefy143> i get the rest
14:24 < stefy143> its the session im scratching my head at
14:24 < djph> L5/6/7 are typically outside the purview of a firewall's function.
14:24 < stefy143> i think its more on the syncing part
14:25 < Apachez> not a nextgen firewall :)
14:25 < Apachez> or proxybased firewall
14:25 < stefy143> access
14:25 < djph> stefy143: "sessions" in terms of networking are things like "this user is (still) authenticated to access those resources"
14:25 < Apachez> but sure a "regular" SPI based firewall only cares for L2, L3 and L4
14:26 < djph> Apachez: shutup you, I'm trying to keep this simple :P
14:26 < Apachez> djph: fuck me! :)
14:26 < stefy143> thats the problem
14:26 < stefy143> im not asking the network term
14:26 < djph> Apachez: back in the gimp box with you
14:26 < stefy143> im asking how it works and functions
14:26 < Apachez> session is "this machine is still sending data within the protocol time to live"
14:26 < stefy143> i need to know how it works
14:27 < thelucky1ike> stefy143: but it is not in use anymore, why do you need more than theoretical knowledge about it ?
14:27 < Apachez> stefy143: what was your question again?
14:27 < Apachez> I missed the start
14:27 < stefy143> or its useless to memorize terms and vocabs if u dont know how it works
14:27 < djph> stefy143: it depends on what SESSION MANAGEMENT utility you're using (e.g. SMB vs. SIP vs. hell, just a 3600 second counter)
14:28 < detha> stefy143: it is a model. from the olden days of networking. Some things in modern networking map to it easily, some don't. You will have to accept that.
14:28 < Apachez> stefy143: https://www.youtube.com/watch?v=8j0eqZKTjpk
14:29 < djph> stefy143: L5,6,7 are really more for the OS itself / applications.
You're asking networking guys -- we rarely go beyond L4 in day-to-day work. 14:29 < Apachez> https://www.youtube.com/watch?v=8j0eqZKTjpk&t=8 14:29 < dogbert_2> Ho, Ha, Ha, Guard, Turn, Parry, Dodge, Spin, Ha, Thrust! 14:29 < djph> dogbert_2: uuddlrlrba(select)(start) 14:29 < Apachez> its like subnet ranges 14:29 < stefy143> probably one of u guyz stumbled on it so i was asking 14:29 < Apachez> aka cidr 14:29 < Apachez> most knows /24 14:30 < Apachez> and /23 and /21 14:30 < dogbert_2> I watch too much Robin Hood Daffy :) 14:30 < Apachez> and /16 and /8 and /29, /30, /31 and /32 14:30 < Apachez> but how many have in the top of their head how many ip's /9 is ? 14:30 < dogbert_2> what is a /30 useful for (good interview question) :) 14:30 < djph> stefy143: we have, but it's one of the three (OSI Model) layers that ... well, don't really matter. 14:30 < djph> dogbert_2: nothing. :D 14:30 * dogbert_2 drops an anvil on djph 14:31 < Apachez> dogbert_2: linknets with only two hosts and none of them supports /31 :) 14:31 < stefy143> no problem the wiki page might be of help 14:31 * djph steps to the left, reads 'ACME' on the side 14:31 < stefy143> ill just check what are those 14:31 * Apachez meep meep... 14:31 < dogbert_2> we had a guy inteviewing via skype and was googling da answers...needless to say, he didn't advance :P 14:31 < djph> Apachez: some 32 million and change, I think 14:32 < stefy143> okay thanks for the help more or less i get what session is more on access,handshake and flow 14:32 < Apachez> well thats what you normally do :P 14:32 < djph> oh wait, a /9 ... because I can read. *facepalm* 14:32 < Apachez> but sure its better if the person can explain things without googling first 14:33 < dogbert_2> apachez, if it's a hand's on interview, yeah, but you should possess some basic knowledge walking in da door... 14:33 < stefy143> i didnt find the list 14:33 < djph> stefy143: the list of what? 
14:33 < stefy143> it should be together with the osi
14:33 < dogbert_2> I spent the better part of 2 hours adjusting Bosch IP cameras (I put 25 of 'em online in the last two days)
14:33 < stefy143> and i did google cannot find what im looking for but its ok
14:34 < stefy143> more or less i got it
14:34 < stefy143> thanks
14:34 < stefy143> gotta go
14:34 < Apachez> stefy143: https://www.youtube.com/watch?v=8j0eqZKTjpk&t=8
14:34 * dogbert_2 spins The Ozark Mountain Daredevils - Jackie Blue
14:34 < stefy143> this list djph https://en.wikipedia.org/wiki/List_of_network_protocols_(OSI_model)#Layer_5_(Session_Layer)
14:34 < Apachez> 25 bosch cameras online?
14:34 < Apachez> with no firmware update?
14:35 < Apachez> so now you have 25 VPNfilter hosts? :)
14:35 < thelucky1ike> iot :D
14:35 < dogbert_2> oh, I can update them over the webUI...had to actually get them into the VSOM
14:36 < dogbert_2> I can tunnel/port forward to work on an individual camera, given the IP of the camera
14:37 < stefy143> ciao
14:37 < thelucky1ike> anyone can suggest something like raspberry pi, but little stronger, with some gig ethernet ports, to run as soho firewall ?
14:39 < tds> espressobin?
14:40 < dogbert_2> might werk
14:40 < dogbert_2> would like to see a RPi with dual gig-e and the ARM processor from hell to use as an IDS sensor :)
14:41 < djph> thelucky1ike: an edgerouter?
14:42 < dogbert_2> ERL would probably work
14:47 < thelucky1ike> djph: something like that, maybe running pfsense even
14:47 < dogbert_2> pfsense would be a good choice also
14:48 < Kingrat> the only small arm devices pfsense can run on are what netgate sells, arm is not supported otherwise, also a lot of people are using the pc engines apu2 with pfsense/opnsense
14:49 < dogbert_2> yeah, that makes sense, Kingrat
14:49 < tds> if you want to use one of those little arm boards as a router, just doing it yourself with your preferred linux distro may work nicely
14:50 < thelucky1ike> could also do that, but hard to expect 1g throughput via them
14:51 < Kingrat> more likely with linux than bsd, linux can handle more bandwidth on equal hardware than bsd can right now, but bsd is a little more consistent latency wise and easier to predict
14:52 < Kingrat> either case should serve you quite well, but a diy linux router is a lot more work to set up and make changes to
14:54 < Apachez> thelucky1ike: ubiquiti edgerouter, er-x if you are on a budget - or if you have some more money then look at ER4 and ER6p
14:59 < thelucky1ike> er-x might fit my needs, will definitely check it out. is there something similar, where i can install my own linux on it?
15:00 < djph> not really, no
15:00 < djph> EdgeRouters are Debian (Jessie?) based
15:01 < djph> note that the ER-X is 1gbps *total* throughput, and if you want 1gbps simultaneous bidirectional throughput, you won't get it
15:01 < SwedeMike> djph: what is the block diagram, is it single gige to the SoC/packet accelerator?
15:02 < SwedeMike> djph: so all three ports share 1 gige to the SoC?
15:04 < SwedeMike> https://kazoo.ga/re-visit-the-switch-in-edgerouter-x/ seems to indicate that there are actually 2 gige worth of bw between the Soc and the switch
15:04 < SwedeMike> "To recap, between the CPU and the switch is aggregate 2Gbit/s throughput. "
15:04 < djph> SwedeMike: for the ER-X? it's something with how the "switch" vs. "routing" functionality works
15:04 < SwedeMike> djph: but if it's 2 gigabits/s then it would actually be possible to get 1 gigabit/s bidirectional performance
15:05 < SwedeMike> "There are two 1Gbit/s links between MIPS 1004Kc CPU and the switch block. In common usage, one would make use of both links to achieve an aggregate 2Gbit/s throughput. So 1Gbit/s full-duplex routing between two network interfaces is made possible. For example, a symmetric gigabit WAN is well and fully served as such."
15:05 < djph> it's all the same die -- as I understand it, the backplane speed is literally only 1gbps
15:06 < SwedeMike> hm, ok, further down in the text is a lot of caveats
15:06 < djph> SwedeMike: there's something about that "second link" that makes the ER-X not work like that
15:06 < djph> IIRC, like it's only usable by an external switch chip
15:07 < SwedeMike> djph: yep, it looks like you're correct, it actually only uses one of the two gige:s to the SOC
15:07 < SwedeMike> that's silly of UBNT to design it like that for the non-SFP models.
15:07 < djph> they didn't
15:08 < djph> or well, I mean, Mediatek are the guys who made the chip stupid like
15:08 < djph> but, let's be honest here, it's a $50 router :)
15:09 < SwedeMike> djph: from what I can gather, if they made eth0 into one vlan, and eth1-4 into one vlan, they could each go on separate switch/CPU interconnects. Lots of other devices do this.
15:09 < djph> SwedeMike: it's not VLANs ... it's PHYSICAL wiring
15:10 < djph> SwedeMike: e.g. they'd have had to use a second switch chip instead of just the one mediatek CPU in order to get the 2gbit capacity
15:10 < SwedeMike> djph: or actually wired one port directly to RGMII and called this "WAN".
15:11 < djph> SwedeMike: yeah, they could've done that too, and lost the "you can use all the ports as a single switch" option
15:11 < SwedeMike> right.
15:11 < djph> personally, I'm happy with a $50 router / switch / do whatever I need
15:12 < djph> even if it means I only get 1gbps total routed throughput
15:12 < SwedeMike> right, but it's something that is not obvious to the general person buying this. But I agree, it's a very competent USD50 device.
15:13 < djph> SwedeMike: yeah, the downside of UBNT having a pricepoint stupids are comfortable with :)
15:13 < thelucky1ike> yes, seems to have it nicely, will need to put aside some 200+$
15:14 < SwedeMike> the ER3 is better in this aspect, as long as one does things it has support for acceleration for. The mediatek has nice acceleration for a lot of things, but now instead limited by wiring.
15:27 < regdude> which SoC is that EdgeRouter using?
15:28 < regdude> probably MT7621A, those had limited data lanes when enabled a SFP or switch chip, that is the least weird thing MediaTek does, they are extremely cheap for a reason
15:37 < djph> depends on the ER
15:37 < djph> IIRC, ER-X[-SFP] are the only Mediatek chips; with the rest being Cavium
15:41 < Langley> Hello, when setting up Dovecot mail on one server, and Roundcube client on another server, both must use the same (non-self-signed) certificate, right?
15:42 < Rayben> The earliest seaworthy boats may have been developed as early as 45,000 years ago, according to one hypothesis explaining the habitation of Australia
15:43 < Rayben> There are indications as stone tools and traces left on a rhinoceros skeleton that suggest early hominids crossed the sea and colonized the Philippine island of Luzon in a time frame as early as 777,000 to 631,000 years ago.
15:43 < Rayben> Over thousands of years of human migrations and the rise of ancient civilizations, seafaring exploration led to ocean trade routes. The earliest known reference to an organization devoted to ships in ancient India is to the Mauryan Empire from the 4th century BC. It is believed that navigation as a science originated on the Indus river some 5000 years ago.
15:43 < Rayben> In the early modern period, successor states of the Adal and Ajuran empires began to flourish in Somalia, continuing the tradition of seaborne trade established by previous Somali empires.
15:43 < Rayben> The world's first dock at Lothal (2400 BCE) was located away from the main current to avoid deposition of silt.[16] Modern oceanographers have observed that the Harappans must have possessed great knowledge relating to tides in order to build such a dock on the ever-shifting course of the Sabarmati, as well as exemplary hydrography and maritime engineering.[16] This was the earliest known dock found in the world, equipped to berth and service
15:43 < Rayben> ships.[16] It is speculated that Lothal engineers studied tidal movements, and their effects on brick-built structures, since the walls are of kiln-burnt bricks.[17] This knowledge also enabled them to select Lothal's location in the first place, as the Gulf of Khambhat has the highest tidal amplitude and ships can be sluiced through flow tides in the river estuary.
15:47 < njbair> what just happened?
15:54 < djph> Langley: no (but RC MUST trust "mail.yourdomain.com", or whatever the dovecot cert is).
15:55 < Langley> djph, thanks but I guess I should have asked instead: must the certs be different? We only have this one set
15:55 < djph> Langley: although, I'm assuming you mean using the cert for SMTPS / STARTTLS on the dovecot side, and e.g. "webmail.yourdomain.com" for roundcube
15:55 < djph> the cert name MUST match the host / URL.
15:56 < djph> although SMTPS / STARTTLS can be told "meh, just go with it" (not the best idea, but ... it'll work)
15:56 < njbair> couldn't you add the Dovecot server's self-signed CA to the Roundcube server's trust chain?
15:56 < Langley> Hmm... the problem is that when switching Dovecot to the certs, Roundcube doesn't log in (just loads forever) and Dovecot's imap logs give "unknown ca" errors
15:56 < djph> njbair: you could do that too
15:57 < djph> means your dovecot setup is wrong
15:57 < djph> e.g. you don't have the full chain in the trust store on that server
15:57 < djph> *likely means that [...]
15:58 < njbair> but that's Dovecot's logs, which means Dovecot is having trouble connecting to something?
15:58 < Langley> Roundcube is logging errors too
15:59 < Langley> SSL routines:ssl3_get_server_certificate:certificate verify failed in /usr/share/php7/Roundcube/rcube_imap_generic.php on line 1027
15:59 < djph> Langley: then you don't trust the cert on the RC side either
15:59 < Langley> We do have our intermediate certificate set in Dovecot... and it works for other clients (desktop clients, Tine20...)
15:59 < djph> OR RC is erroring BECAUSE dovecot is erroring
16:00 < djph> njbair: Dovecot is having trouble establishing the chain of trust internally for itself (e.g. someone's asking dovecot to prove it is who it says it is, but it can't find some part)
16:01 < djph> njbair: e.g. the private key, or can't get from "end-entity" to "intermediate", or ...
16:01 < njbair> djph, makes sense.
16:03 < Langley> Hmm doesn't make sense to me... since it's only Roundcube that's not working
16:03 < djph> then dovecot is reporting the error on behalf of RC spazzing out
16:04 < w0lff_> Hi guys, I'm trying to ping a web server using its domain name. But the web server has no public IP of its own but it is part of a local network. The router to which the web server is connected has dynamic NAT enabled both to the inside and the outside. But I'm not able to ping the web server from outside the router to which it is connected. Please help me. Thanks in advance!
16:05 < Langley> So Roundcube fails to verify Dovecot server's certificates, right?
16:05 < tds> how did you specify the server in roundcube? you'll need to make sure you use the right hostname rather than IP, since otherwise the cert won't be valid (unless you got a cert with an ip as a san)
16:06 < tds> I'd try and make a connection to the imap server with say gnutls-cli, that may help diagnose the cert issues
16:06 < compdoc> w0lff_, sounds like you need a dns service and some port forwarding
16:06 < Langley> tds, it's set to imap.company.com:993
16:07 < djph> Langley: possible
16:07 < tds> Langley: I'd try manually poking it from the roundcube server then
16:09 < w0lff_> compdoc_, Thanks for replying, I'm actually using gns3 and this situation I'm trying to achieve in gns3. I have a dns service on the router that the server is connected to (Let's call this router R2). R2 has another router connected to it on another interface (lets call this router R1). I have enabled dns on R2 and R2 is able to ping the server using its domain name. Is there no way to make R1 ping the server without configuring po
16:10 < Langley> Huh, gnutls fails too, it's receiving the old certificate... is there any other service other than Dovecot I need to restart?
16:11 < djph> recheck the dovecot configs, I guess
16:11 < w0lff_> compdoc_, I'm pretty new to networking concepts, as a matter of fact I'm using gns3 to learn about networking, sorry if this seems like a naive issue.
16:11 < djph> w0lff_: yeah, you're gonna need DNS somewhere
16:11 < tds> I guess it might be worth checking what's listening on 993 in case it's stunnel sitting in front of dovecot or something weird, that sounds unlikely though
16:12 < Langley> ..... actually I did try to set up stunnel a while back, for another issue
16:12 < w0lff_> djph_: I do have DNS running on R2, the router that the server is connected to.
16:12 < Langley> But that was on the Roundcube server
16:14 < djph> w0lff_: and is that DNS available to ... where-ever you're connecting from?
16:16 < w0lff_> djph_: Yes, I'm trying to ping the server from R1, which is also connected to R2 on another interface. R1 can resolve the private IP address of the server since it's connected to R2, but i guess it can't ping the server since R1 and the server are part of different IP ranges.
16:17 < djph> so then the DNS entry / entries provided by R2 for "host.your.tld" are not available for R1
16:17 < w0lff_> djph_: I'm sorry i didnt mention this earlier, but the whole reason I'm trying to ping the server is to capture the ping on wireshark so i can study the action of NAT.
16:17 < djph> or R1 is looking at the wrong DNS server(s) (e.g. 8.8.8.8 instead of R2)
16:18 < djph> if you want to resolve "host.your.tld" from another device; that device MUST be able to communicate with a DNS server that can resolve "host.your.tld" to its IP address.
16:20 < Langley> Nah it wasn't stunnel... and gnutls shows the right certificate from the Roundcube server
16:22 < w0lff_> Well R2 is able to provide R1 with the IP address of the server. But it provides R1 with the private IP address of the server. I'll be a little more specific. The IP range between R1 and R2 is 192.168.31.0/24 and the IP range between R2 and the server is 10.0.0.0/24. The private IP address of the server is 10.0.0.2. When R1 tries to ping the server, the name is resolved to 10.0.0.2. But since the IP address of R1 is 192.168.31.45
16:24 < w0lff_> Also, the name is resolved to 10.0.0.2 only because I've configured R2 to provide DNS for R1. But what i really want is for R1 to ping the server without seeing its private IP. it should be able to ping the server by resolving the name to its Public IP address, i.e. the IP address of R2. Is there no way to do that?
16:25 < djph> w0lff_: OK, so R1 can PROPERLY resolve the IP address?
16:25 < djph> w0lff_: in that case, change the DNS to point to 192.whatever ... or just skip DNS entirely and ping the relevant IP that's supposed to initiate the NAT
16:26 < w0lff_> djph:_ Yes, R1 can resolve the private IP of the server. but cant ping it.
16:26 < djph> (NOTE - I am, of course, assuming you're doing 1:1 NAT, or otherwise forwarding ICMP)
16:26 < djph> w0lff_: and do you have a route to 10/24 via R2's 192.x interface established on R1?
16:28 < w0lff_> djph_: How would I add a route like that? I thought the router will figure that out using a routing protocol.
16:28 < djph> w0lff_: are you using a routing protocol?
16:28 < tds> if you've configured a routing protocol, sure, it doesn't work by magic though :)
16:29 < w0lff_> djph_: Also, about the NAT. I'm using dynamic NAT where the router assigns each internal IP to a port.
16:29 < djph> I mean, routing protocols are simply ways for routers to exchange routes. If you've not configured that, then a static route (e.g. 10/24 via 192.168.31.2 ) is perfectly fine
16:30 < w0lff_> djph_: So how do i go about configuring a static route on a cisco router?
16:30 < djph> w0lff_: no clue, I don't Cisco.
16:32 < w0lff_> djph:_ Okay thanks for your help. Just one last thing, If i make a static route to the server from R1, will R1 in any case know the private IP address of the server? I want R1 and the devices behind R1 to have NO clue of the internal IP of the server.
16:33 < djph> w0lff_: then you have to unfuck your DNS, and resolve "server.your.tld" to the "public(tm)" interface of R2.
16:36 < adam5isalive> Anyone here have any experience with Extreme/Avaya Fabric Connect?
16:36 < w0lff_> djph_: I did that at first but the ping stops at R2.
16:36 < djph> then R2 is not responding to ICMP
16:37 < djph> or you haven't forwarded it
16:38 < w0lff_> djph_: But wouldn't the forwarding be taken care of since I've done NAT for both outside and inside?
16:38 < djph> w0lff_: ICMP is not TCP (80)
16:38 <+pppingme> why are you nat'ing on your own network? ("inside")
16:39 < djph> pppingme: I don't even want to know :)
16:39 < djph> (I think it's gns3 / testing / fake / ohgodwhy)
16:43 < adam5isalive> NATing inside your network isn't unusual.
16:54 < bezaban> sadly
16:54 < adam5isalive> It is what it is.
17:52 < josuah> hello, I'm getting started with networking, half through practice and tldp's linux-network-administrator-guide, and running into linux issues
17:53 < josuah> what I do: brctl addif br0 eth0
17:53 < josuah> then eth0 is stuck right away: I do ping 192.168.0.1 (home router) and no response
17:54 < josuah> as soon as I brctl delif br0 eth0, eth0 is back and ping starts over
17:54 < josuah> I did the same on OpenBSD and it works as expected.
17:55 < josuah> Am I making an obvious beginner mistake (wrong toolset, forgot to enable spanning tree protocol...)?
17:55 < josuah> if not well, I bet all I got to do is go back reading that book, that sure won't hurt :)
17:56 < tds> what was the configuration of those interfaces when you added it to the bridge? normally you'll have all the IP addresses on the bridge itself, rather than on the member interfaces
17:57 < josuah> tds: I'm pasting an ip addr and a brctl show on ix.io...
17:57 <+xand> josuah: what tds said - bridge member interfaces shouldn't have IP addresses, the bridge should
17:57 < josuah> but yes I have an IP on eth0 given by dhcp.
17:58 < josuah> http://0x0.st/s_fr.txt
17:59 < josuah> 260226th interface created yeah :P (auto restart overnight)
17:59 < josuah> thank you a lot, I'll try to remove the address from eth0 and add it to the bridge instead.
18:04 < josuah> THAT WORKED! :D
18:04 < josuah> thank you a lot tds and xand!
18:04 < tds> glad that sorted it :)
18:05 < josuah> I was simply not getting how a bridge works, I'll read more on that.
18:12 < deepy> anyone got a cable modem to recommend?
18:12 < gentoo> josuah: can you get me out of here?
18:12 < deepy> bonus points if it can be powered by PoE
18:12 < gentoo> deepy: none
18:12 < gentoo> cable is trash
18:12 < GenteelBen> I only buy BenCo Gold cables.
18:13 < deepy> My options are cable modem or 4G modem
18:13 < GenteelBen> gentoo is right, do the sane thing and make your own.
18:13 < deepy> As soon as the 4G stops having silly bandwidth caps I'm ditching cable modem
18:13 < GenteelBen> lol
18:13 < gentoo> deepy: cable is limited in ways that make you a slave to some unknown dev
18:13 < GenteelBen> You're both terrible people, for different reasons.
18:14 < gentoo> it caps below 2600mhz
18:14 < GenteelBen> gentoo because he's trolling, and deepy because he genuinely believes what he's saying.
18:14 < deepy> GenteelBen: hey, so far it adds up
18:14 < deepy> I've never had a non-shit experience with cable modems
18:14 < gentoo> cable is not internet
18:14 < gentoo> anything which requires a gateway is garbage
18:14 < gentoo> not internet
18:14 < GenteelBen> Wireless tech is currently half-duplex and shitty. So far there's no way to make it more than like 1/10th as fast as a cabled connection.
18:14 < gentoo> paying for the shopping cart to spy on you
18:15 < gentoo> that is about what it amounts to
18:15 < GenteelBen> You're even worse than I imagined, gentoo.
18:15 < GenteelBen> Change your nick to ubuntu.
18:15 < gentoo> if you cannot make a direct peer connection it is not internet
18:15 < deepy> Honestly, my ISP is bad enough that anything is a sane alternative
18:15 < deepy> Well not 3G because of the latency
18:15 < GenteelBen> Are you in the US, deepy?
18:15 < deepy> Nope, Sweden
18:16 < GenteelBen> What's your connection like?
18:16 < deepy> 50/10 on paper, usually about 30/10 for 28/30 days a month
18:16 < superkuh> gentoo++
18:16 < gentoo> deepy: if you are a prisoner sure buy cable
18:17 < gentoo> pay for your chains
18:17 < GenteelBen> And you think 30/10 is bad?
18:17 < deepy> the other 2 I get about 15% packet loss
18:17 < GenteelBen> There are Africans who get like 3KB/s
18:17 < GenteelBen> 30/10 is perfectly fine for anything except like, 3 people streaming Buttflix at once.
18:17 < GenteelBen> Buttflix in 1080p
18:17 < deepy> The problem is that I have to call my ISP about twice a month
18:18 < GenteelBen> Fuck, even then the bitrate's going to be much less than 10Mbit/s.
18:18 < superkuh> I'd rather have lossy 56k than a mobile connection without an ipv4 behind carrier-nat with no real ports or ability to interact with the internet except via http/s.
18:18 < GenteelBen> deepy, move to Norway - problem solved.
18:18 < deepy> I can move to most of the other places in town and not have to suffer ComHem as an ISP
18:19 < superkuh> Comcast at least gives you a real connection.
18:19 < deepy> Still, anyone got a cable modem without a router to recommend?
18:20 < gentoo> the cable possibly attaches to a fake internet in a NAS box
18:21 < deepy> Some days I question if the cable is even attached on the other end
18:21 < Aeso> deepy, SB6183 (if your ISP supports it)
18:21 < superkuh> ARRIS SURFboard SB6183
18:21 < gentoo> it isn't uncommon to find the town decides to implement sharesall law 3 days after install
18:21 < kottt> have had no trouble on spectrum/twc with the SB6121 but it is definitely an old model
18:21 < kottt> if you're just really hard up for cash
18:21 < superkuh> SB6141 is fine too.
18:22 < kottt> basically the Surfboard line
18:22 < gentoo> you pay for the town's internet
18:22 < Aeso> yeah, 6141 and 6121 are fine so long as you don't need the additional upstream channels
18:22 < kottt> moto/arris SB#### is pretty good
18:22 < Aeso> err downstream
18:22 < gentoo> 3 days after install your line is spliced for everybody in town
18:22 < deepy> I can't seem to find arris in Sweden :-/
18:22 < kottt> ebay?
18:22 < superkuh> My service is 50/10 so 4 channels is just fine. With a 1 TB/mo limit why bother with more.
18:23 < deepy> Shipping on ebay is about 1.5x the price of the device :D 18:23 < gentoo> for every new line of service what is it about 1million in credit fraud 18:49 < Stranger789_> best free (open source by pref) for SNMP server ? 18:50 < PowerPCM_> Hi, what is the best way to change my IP address? 18:50 < Stranger789_> public? 18:50 < PowerPCM_> public yes 18:51 < skyroveRR> A proxy. 18:51 < Stranger789_> if your isp dont provide you another ip per reboot 18:51 < Stranger789_> then you must use proxy or better a decent vpn 18:52 < Stranger789_> if you have dynamic public ip then go with reboot, or if you want to be faster, look for a release option on your router. 18:53 < Stranger789_> otherwise telnet maybe? or make a scrypt to automate it if possible. i suppose 19:01 <+pppingme> PowerPCM_ what kind of connection? 19:16 < hagbard> So, I'm reading this LoA for a cross connect and it says, "drop and tag". I get that tag means label. What does drop mean? 19:18 < pekster> hagbard: typically "supply to the endpoint." In the case of facility racks that tends to me "coil up a usable amount and leave at the rack for the customer to connect to their gear" 19:19 < hagbard> pekster: Ok, thank you very much. I'm glad I asked as that's exactly not what I want. 19:19 < hagbard> I'm writing my own LoA and was looking at this one as a guide. 19:20 < hagbard> This is one cogent gave us a while back. The weird part is that they still specified ports on a patch panel. 19:21 < pekster> Generally a cross-connect setup doesn't include actually connecting the link at the customer's end, though some facilities include (or offer, for a pro-rated hourly fee) "remote hands" support which could further make the connection to switching/routing gear 19:21 < pekster> The setup is quite literally a connection to some other part of the facility 19:22 < E1ephant> / buf14 19:24 < hagbard> ok, I see. 
I interpreted, "coil up a useable amount and leave at the rack" to mean that they would run the fiber to the cabinet and then let the customer terminate the end and install it in their own patch panel. 19:25 < hagbard> This is an equinix site, so, yeah, they have smart-hands, too. 19:25 < E1ephant> "smart" hands 19:25 < hagbard> E1ephant: *exactly* 19:26 < hagbard> Jesus, christ. And the tech can't speak on the phone in front of the rack, because, you know, it's kinda loud. So, they have to walk four minutes from their office to the cabinet, forget what was said on the phone, walk back to the office to call you and ask what they were supposed to do again. 19:28 < hagbard> I haven't had to use smarthands too many times, but I've had the best success supplying a link to a google docs document in the ticket. Once the tech is actually handling the ticket, write, "YOU CAN EDIT THIS, BTW." in bold, red. End up playing quite literally, multiplayer notepad. 19:28 < E1ephant> :D 19:29 < hagbard> Incidentally, it's important to wait until the after the service desk has accepted the ticket, because they will reject it if you try to communicate directly some way other than through them. 19:29 < hagbard> At least, that was my experience. 19:30 < hagbard> So, am I correct to understand, "drop," as a verb here means that they'll leave me a patch cable connected to the port on the patch panel? 19:37 <+sep> hagbard, I can reccomend these to them, about the only thing working properly inside our DC https://www.staypro.no/verneutstyr/horselvern/horselvern/3m-peltor-ws-alert-xpi-horselsvern-bluetooth-med-isseboyle. 19:39 < hagbard> sep: Interesting. Have you spoken to someone who was using one of these? How effective is the noise filtering? 19:39 < pekster> Depends on your suite, but you'll most commonly terminate a coper or fibre direct into your network gear. 
Patch-panels are used when you terminate unfinished cable (like 8P8C cabling without a plug attached) in a way that allows you to modify what switchport they land on. A cross-connect generally is furnished with a finished plug for the customer to connect wherever they see fit 19:40 < pekster> cross-connect is "just a really long cable" (or not so long, depending on the length of the connect. Could even technically be to the rack next to you!) 19:40 < hagbard> pekster: Interesting. Fair. All our Equinix cabinets have a patch panel at the top of them 19:40 < hagbard> Agreed, understood. 19:41 <+sep> hagbard, i use them myself fairly regularly. i can hold normal conversations inside the DC, using just the phone or the plantonics i have in my backpack are impossible. 19:41 < hagbard> I've done this process a number of times now, but I was always receiving an LoA from someone else. 19:41 < pekster> One of our suites has a cross-connect that goes down 2 floors and across half the building :) 19:42 < hagbard> We have one at NY5 that actually goes under the street to NY4 and then through another subterranean tunnel to NY2. 19:42 < hagbard> I was just worried that I might be stating the wrong thing in this LoA if I just copied what another one said without understanding it. 19:42 < hagbard> Hence my question. 19:43 < hagbard> I just want them to terminate the cross connect at the panel at the top on the first available port. If they can leave an LC-LC SMF patch cable there, that'd be neat. I've always assumed I'd have to supply my own. 19:44 < hagbard> I'd ask my CSM if my CSM wasn't worthless. We used to have a great one, but he got promoted. 19:46 < hagbard> sep: Thank you very much for the suggestion. They're $400 on amazon, but if they work as well as you claim, that sounds almost too cheap. 19:46 < hagbard> sep: Are they comfortable for wearing for an hour? four hours? 19:47 <+sep> better then most in my opinion. 
but you do get a set of hot ears after a day in the hot zone in the DC.. :)
19:50 <+sep> but not being able to talk while at the rack is just not practical. had to deploy wireless in the DC so we could use VoWIFI on the phones. PoE devices are powered by a relay-operated outlet. so only wireless when the alarm is off (someone is working)
19:57 < hagbard> sep: Nice. I just submitted the purchase request for one of them.
20:17 < Goop> When a wireless router can do 5GHz, does that include the 5.8GHz range?
20:22 < qoxncyha> why might a TXT record on a second-level subdomain (x.y.z.net) not be picked up (NXDOMAIN)?
20:23 < hexa> how could load-balancing (with sticky flows) two wan links on linux work?
20:24 < hagbard> hexa: in what sense, are you asking how you'd implement it?
20:24 < hexa> yep, that. I need a hint what mechanism I could use to do load-balancing on to DSL lines
20:24 < hexa> s/to/two/
20:25 < hagbard> hexa: Well, it sounds like what you're doing is often called, "dual wan"
20:25 < hexa> funny, I was looking for multiwan and the internet wasn't exactly helpful
20:26 < hagbard> But, don't mistake it for "load-balancing" because, assuming residential ADSL, there's no way for the router to switch a connection between the two links nor to split traffic from the same connection across the two links.
20:26 < hagbard> hexa: This may help: http://www.darrylpetch.com/post/15943323883/linux-dual-internet-connections-load-balancing
20:26 < hexa> basically I want to distribute new flows according to the load on the links
20:27 < hagbard> hexa: Are both links from the same carrier?
20:27 < hexa> they could be, I'm at the design stage right now
20:27 < hagbard> Is this a personal/residential or professional/commercial endeavour?
20:27 < hexa> hackerspace
20:28 < hagbard> Ok, so that weird space in between the two.
20:28 < hexa> aye
20:28 < hagbard> I'd suggest you speak to a sales rep for the carrier and ask to speak to a technical person and explain your situation and ask for advice. (Play dumb.)
20:28 < hexa> we're only getting 25/5 Mbit/s on a single link and it's just not enough :)
20:28 < hagbard> They may be able to channel bond two DSL lines for example, as a single link
20:29 < hexa> in theory they could, but the carrier is DTAG, and they're not going to do anything custom
20:30 < hagbard> Because they're cunts or because you've asked them and they told you to sod off?
20:30 < hexa> because they have fixed radius profiles and they stick to them to reduce support effort
20:31 < hagbard> Understood. I'd still suggest asking because what's the worst that happens, they can do something for you?
20:31 < qman__> Something to keep in mind, I've done work for places that had multiple connections from the same carrier (comcast) and they wouldn't get the advertised speeds on all the connections at once because it's shared infrastructure
20:31 < hagbard> qman__ makes a good point.
20:31 < hagbard> I was assuming that the core of hexa's problem was the distance from the DSLAM.
20:32 < hexa> this is a DSL line, so it's a dedicated copper wire pair to the DSLAM at least
20:32 < hagbard> Another problem I've encountered with dual-wan setups is the NAT'd source address changing back and forth confusing some sites.
20:33 < hagbard> Also, when only one of the internet connections goes down, then the internet suddenly, "half works."
20:33 < hexa> yeah, sure, there are kinks involved :)
20:33 < hagbard> And not the good kind of kinks.
20:34 < hexa> multipath tcp is one option I'm considering
20:34 < hagbard> hexa: Commercial customers often get a little more latitude. I've found that by calling up, explaining a situation and asking for advice I get a better response than calling up and asking to do something I read on the internet Y.
20:35 < hagbard> That's just my thoughts.
20:39 < qman__> Yep, I've done a lot of work for small businesses in similar situations, had varying configs from simple backup connections to stuff like servers use connection A and users use B, or wifi on A and wired on B, to crap small business routers that are supposed to load balance, to setting up vyatta/vyos, to messing with linux routing manually
20:39 < hexa> I totally get what you're saying. The only bonding option that is offered is DSL+LTE over GRE
20:41 < hexa> in a huawei cpe device
20:45 < ryao-outside> My neighbor's sister-in-law moved from South Africa to the US. She forgot her Google password. The only recovery mechanism that she has uses the south african phone number. She apparently still has it and is going to get it from her house. I am going to try to see if it will do international roaming to receive a text message from Google. If it does not, is there any way to port the number to a VoIP provider that can enable her to receive t
20:45 < djph> "maybe"
20:46 < ryao-outside> That was what I thought, but I am really not having fun trying to make sense of VoIP providers to figure out if that can be done. :/
20:47 < qman__> Many voip providers have sms capability, the issue is porting the number
20:47 < qman__> US numbers have to be portable by law
20:47 < qman__> South africa could be another case entirely
20:48 < Apachez> I doubt that
20:48 < Apachez> portability is within countries according to ITU
20:48 < Apachez> I mean you have the country code to spoil that to begin with
20:48 < ryao-outside> https://www.icasa.org.za/uploads/files/Geographical-Number-Portability-Consumer-Guidelines.pdf
20:49 < ryao-outside> That doesn't mention porting to VoIP. :/
20:49 < ryao-outside> Maybe I should ask this. Are there any reputable VoIP providers that support South African numbers? I am having a heck of a time trying to find even one.
:/
20:51 < hagbard> ryao-outside: Totally maybe and would definitely depend on the south african carrier and south african laws.
20:52 < hagbard> ryao-outside: I'd find south african voip providers and start calling them, explain the situation and ask if they can help.
20:52 < ryao-outside> Thanks.
20:53 < ryao-outside> Well, I'll know more when she returns with the SIM card. If I am really lucky, it will roam and she can pay some absurd price for a single SMS.
20:53 < ryao-outside> I don't expect to be that lucky though. I expect this to be one of those days where I will regret having gotten out of bed in the morning.
20:54 < ryao-outside> And she just called to say that she cannot find her SIM card. -_-
20:56 < qman__> Best start thinking hard about that password
20:56 < ryao-outside> qman__: Well, I might not need the SIM card to do a number port, so I can still look into that.
20:57 < ryao-outside> She just said that she found it. ^_^
21:00 < ryao-outside> qman__: I actually have a last resort. Trying to talk to someone from Google about getting them to reset her password on my word that I am not trying to social engineer them into doing a password reset without permission. I do have access to her account via chrome on her machine, but not via thunderbird where the oauth2 token expired. That is how she realized that she forgot her password.
21:00 < ryao-outside> And if that fails, making a new gmail account, sending it as a forwarding address on the old one and configuring an autoresponder on the old one to tell people to use the new email address.
21:00 < ryao-outside> s/sending/setting/
21:01 < ryao-outside> That last resort is setting off so many alarm bells in my brain that I have trouble imagining it being successful. ^_^;;
21:07 < josuah> josuah: can you get me out of here?
21:07 < josuah> You mean out of the local network?
21:07 < josuah> sorry that's an old message ^_^'
21:20 < kottt> i cant seem to find any information online about how VPNFilter actually infects targets
21:21 < kottt> does it just scan public address space for vulnerable devices, or can it get picked up by drive-by downloads?
21:26 < godxeno> i need help
21:27 < drudge`> okay
21:27 < godxeno> so half websites
21:27 < godxeno> dont work
21:27 < godxeno> and can't play steam games
21:27 < godxeno> online
21:28 < godxeno> so facebook youtube and google work
21:28 < godxeno> but everything else times out how to fix tried restarting router flushing the dns
21:28 < godxeno> renewing the ip any solutions you may have would be much appreciated
21:28 < drudge`> can you ping the web sites that do not work and/or visit a non-working website by IP?
21:29 < godxeno> they all work from my phone mobile data
21:29 < godxeno> but not from my
21:29 < godxeno> router internet :(
21:29 < godxeno> how to fix it?
21:30 < godxeno> its making me sad ;(
21:31 < godxeno> *me
21:33 < drudge`> can you ping the web sites that do not work and/or visit a non-working website by IP?
21:33 < godxeno> nope they
21:33 < godxeno> just type out
21:33 < godxeno> *time out
21:33 < drudge`> from your non-working PC
21:33 < godxeno> can't ping it
21:33 < drudge`> ping by hostname or IP?
21:33 < godxeno> both
21:33 < godxeno> won't work
21:34 < godxeno> im thinking the router died
21:34 < TandyUK> is your router's WAN actually connected?
21:34 < drudge`> is your PC plugged directly in to your router or does it go through wifi/switch(es)
21:34 < godxeno> wifi
21:34 < TandyUK> oh, maybe "have you even tried accessing the router" might be a better start lol
21:34 < godxeno> router
21:34 < godxeno> adsl
21:34 < godxeno> 2
21:34 < drudge`> can you plug directly in to the router for further testing by IP/hostname?
21:35 < godxeno> how so?
21:35 < godxeno> 3 websites i can open is google youtube and facebook
21:35 < godxeno> everything else times out
21:35 < godxeno> or partially loads if ive looked at that website before
21:36 < TandyUK> what does "ping 8.8.8.8" say?
21:36 < drudge`> does your router have an additional cat5 interface for your computer to bypass wifi?
21:36 < godxeno> Reply from 8.8.8.8: bytes=32 time=15ms TTL=59
21:36 < godxeno> yeah but i have no cat 5
21:36 < godxeno> cable :(
21:36 < TandyUK> ok, dns is broken
21:37 < godxeno> how to fix tandyuk
21:37 < TandyUK> ipconfig /all and check what your dns/nameserver addresses are
21:37 < TandyUK> it could well be set to use your router, which in turn is set to use your ISP's dns servers, and either of those might be broken
21:38 < godxeno> pastebin works too
21:38 < godxeno> https://pastebin.com/NLfm1e4h
21:38 < TandyUK> you said you have google, so check "how to set nameservers to 8.8.8.8 in windows"
21:39 < godxeno> ipv6
21:39 < godxeno> or ipv4
21:39 < TandyUK> or for a better fix, login to your router, and set it to hand out 8.8.8.8 (google), 1.1.1.1 (cloudflare?), 9.9.9.9 (can't remember), 208.67.220.220 (opendns) or any other nameservers you like, which aren't currently broken :)
21:39 < godxeno> which one
21:40 < TandyUK> v4
21:41 < godxeno> and which do i do
21:41 < godxeno> top or bottom
21:41 < deepy> 9.9.9.9 is Quad9
21:42 < godxeno> TandyUK
21:43 < drudge`> godxeno primary dns being 8.8.8.8 i believe is what they intend for you to set
21:43 < deepy> godxeno: set the first one to 9.9.9.9 and the second to 1.1.1.1
21:43 < pekster> opendns is arguably broken as they violate RFC
21:43 < drudge`> i would define a secondary one as well, deepy suggested 9.9.9.9
21:44 < TandyUK> pekster: agreed, their redirects for nxdomains are annoying
21:44 < pekster> Annoying and standards-violating (for profit no less..)
21:45 < godxeno> nope does not work
21:45 < pekster> An old job ran split-horizon DNS and (arguments for/against that notwithstanding) ISPs that did such things caused active breakage for our remote users thanks to how the Windows resolver worked. Abuse of DNS is always wrong
21:45 < godxeno> nope doe sno
21:45 < drudge`> godxeno can you be more specific with what didn't work
21:45 < godxeno> *does not work
21:45 < godxeno> oh shit i already said that
21:46 < godxeno> the same websites
21:46 < godxeno> and blogspot works thats another one of the working ones
21:46 < godxeno> https://gyazo.com/580ff0c04d6f6e857a1d3cd3d7c79f64
21:46 < godxeno> check
21:46 < godxeno> i did what u said
21:46 < godxeno> so i uploaded screen shot
21:47 < godxeno> (can't even look at gyazo image)
21:47 < godxeno> times out
21:47 < godxeno> oh it loaded but very slowly it did
21:47 < TandyUK> your isp is fucked from the sound of it
21:47 < TandyUK> or you have a line fault or something else interfering
21:48 < TandyUK> at this point, as an isp, i'd suggest phoning your isp
21:48 < godxeno> i will once they are up
21:48 < drudge`> schedule maintenance window and factory default your router as last chance...double check wiring? otherwise it's your ISP i'd think
21:48 < TandyUK> and be aware they will also want you to go physically plug your laptop or whatever into your router to rule out any wifi whit too
21:48 < drudge`> your phone on wifi has same issues as pc on wifi?
21:49 < TandyUK> make sure the phone is actually on wifi, and not going 'oh this wifi is shit, fallback to 4g'
21:50 < godxeno> they open in 10 minutes
21:50 < godxeno> yes it does
21:50 < godxeno> i turned off 4g
21:50 < ryao-outside> I just spoke to VoIP.ms. They cannot help. Does anyone have suggestions for reputable VoIP providers that I can contact about porting a number from South Africa?
21:50 < godxeno> to test it :(
21:50 < godxeno> yes ask for some ebola ;(
21:51 < godxeno> jk
21:51 < godxeno> voice over ip is voip right?
21:51 < TandyUK> yup
21:52 < drudge`> being a classically trained nerd it strikes me as odd when people state they don't have cat cable
21:52 < drudge`> cat5
21:54 < godxeno> i live at university
21:54 < godxeno> and i got the router
21:54 < godxeno> for 50 dollars from them
21:55 < godxeno> they did not supply me with a cat 5 cable only that blue cable that plugs into wall
21:55 < godxeno> that i forgot the name of :(
21:55 < godxeno> xD
21:56 < drudge`> sounds like cat5 =) but you need that to remain plugged in hah
21:59 < TandyUK> ryao-outside: I can make some enquiries, but I wouldn't wanna get your hopes up
22:00 < TandyUK> really you need to find a voip provider who has a physical telco presence in south africa before they will be able to port numbers
22:00 < ryao-outside> TandyUK: I was afraid of that. I have no idea who there is reputable.
22:01 < TandyUK> me neither tbh, if you pm me the (or a similar) number I will see what my wholesale providers say if you like
22:01 < godxeno> im surprised irc is still alive :P
22:02 < ryao-outside> Alright, although I am going to switch to colloquy on my phone. I am not sure how private messages work on the web client. I tried sending one to someone earlier and didn't get a response. Either it doesn't work or he didn't reply.
22:10 < ||cw> ryao-outside: PMs from unregistered nicks are often dropped, maybe even by default. see "/msg nickserv help" to register
22:10 < ryao-outside> I thought it was private messages from unregistered users.
22:10 < ryao-outside> I thought that I authenticated with nickserv.
22:10 < ||cw> you aren't right now, or at least your nick isn't registered
22:11 < maro_> Hello.
22:11 < drudge`> hi
22:13 < maro_> Can you recommend me a therapy room?
22:20 < nobody404> wut?
22:47 < drudge`> lol therapy room?
this is not social ##networking
22:53 <+pppingme> maro_ like what kind of therapy?
22:54 <+pppingme> does your internet need coax-ing??
23:06 < Apachez> is there an emergency therapy room for snowflakes around here?
23:17 < ilikeover9kturtl> hey
23:17 < ilikeover9kturtl> So what do you guys think of the VPNFilter malware
23:31 < drudge`> it's more dangerous than we thought
23:45 < paulo_> hello
23:45 < paulo_> is sending a broadcast to 255.255.255.255 reliable for LAN game discovery?
23:47 <+catphish> reliable, by definition, no, in reality, send a few, and yes
23:47 < paulo_> catphish: i'm getting complaints that it doesn't work :(
23:47 < paulo_> i'm thinking of allowing keying-in of IP address
23:48 < qman__> That's not really a great approach, I'd suggest grabbing subnet info from the host and scanning that way
23:48 <+catphish> well it should, but you should always allow people to manually enter the ip of the server too
23:48 < paulo_> qman__: how do I do that?
23:48 <+catphish> the correct approach is multicast, but that will be no better than broadcast, which really really should work
23:49 <+catphish> unicast requires broadcast for arp, so it really should work
23:49 < Apachez> also note that without igmp snooping running in your switch, multicast becomes broadcast
23:49 <+catphish> i really dont think brute force scanning the local subnet is the right way to do discovery
23:50 < paulo_> ok, i guess manual server IP input is best solution
23:50 <+catphish> imo multicast is the best way, also, 255.255.255.255 is ipv4, that's been deprecated for ages, you should be using ipv6 :)
23:51 <+catphish> manual ip input is something you should always offer, but coupled with automatic discovery by multicast
23:51 <+catphish> (officially multicast should be used over broadcast, but both should generally work the same)
23:52 <+catphish> many games i've played have had lan discovery that didn't work for some reason and i had to enter IPs manually, never investigated
why
23:52 <+catphish> but other games it's worked fine
23:52 <+catphish> so offer both
23:56 < drudge`> created new group with TCP 389 and TCP 3899
23:56 < drudge`> ooops
23:56 < drudge`> this is not the screen i'm looking for
23:57 <+catphish> lol
--- Log closed Fri Jun 08 00:00:49 2018