--- Log opened Thu Jun 14 00:00:11 2018
--- Day changed Thu Jun 14 2018
00:00 < ||cw> we're specifically talking about Dot1q. I'm aware there are other things called vlan
00:00 < alesan> OK I guess one can use a linuc host with multiple interfaces to do that...
00:00 < alesan> linux
00:00 <+catphish> not necessarily even .1q, you can implement port-vlan in a totally proprietary way
00:00 < alesan> well I believe most routers that have a hardware switch also do HW VLAN
00:01 <+catphish> almost any hardware switch will do vlan processing in hardware, yes
00:01 < ||cw> many consumer/openwrt routers that have vlan support do not use hardware
00:02 <+catphish> if they're doing vlan switching, they're probably doing it in hardware
00:02 <+catphish> but they can also do vlan processing at the linux level for routing purposes which is kinda different
00:03 <+catphish> my earliest attempt at this was i tried to make an open source firmware for the mikrotik CRS125G based on openwrt
00:03 <+catphish> but i never got permission to release the open source switch drivers from qualcomm, so that failed
00:04 <+catphish> this is why i'm interested in a truly open source switch
00:05 < ||cw> were yours based on something you got from them under NDA?
00:05 <+catphish> ||cw: yes
00:05 <+catphish> i got it working, but could never release it, shame really
00:06 <+catphish> i've been impressed with azonenberg's efforts, but there's a lot still to do, and i don't think many people have the skills required to help
00:06 < ||cw> how much would be left if you took out the bits that are NDA affected and let someone else try to fill in the blanks?
00:07 < ||cw> or even make it pluggable on top of their binary blobs? possible?
00:07 <+catphish> ||cw: essentially you'd be left with what is already open source for similar switch ICs, i mostly took the existing ones and filled in the magic addresses and values from the datasheets :(
00:08 <+catphish> there are open source drivers for other more primitive qualcomm switches
00:08 <+catphish> it wasnt a huge leap, just needs the proprietary data
00:08 <+catphish> you could maybe sniff it from the wire and piece it together, but i guess nobody cares to bother
00:09 <+catphish> the thing is, the switch is awesome, you can do so much more functionality if you have the datasheet
00:09 <+catphish> i only did the basics to begin with (implementing the most basic vlan functionality)
00:12 < ||cw> I never understood that. seems like it would increase sales. I guess it might leak some clue to competitors, but they'll get it eventually anyway
00:13 < johnpringa> Hi everyone - I would like to deliver Fiber to some of our clients in USA but want it to be under a reseller program. I don't mind if the fiber is using our backbone ip transit or if it is from a big ISP. Do you know of any reseller programs I can use?
00:14 <+catphish> ||cw: it's not clear to me either why it's secret, but i assume there's a reason
00:17 < ryao> I noticed that manufacturers of garbage consumer grade gear are now demanding enterprise level pricing for them. Is it just me or do others find that situation perverse?
00:17 <+catphish> johnpringa: i don't know the USA but it makes sense to ask major carriers, zayo comes to mind
00:17 <+catphish> ryao: like what?
00:18 < ryao> I sent messages to a few publications asking them to do a comparison of Ruckus' APs with mesh and gaming wifi solutions to bring the matter to light. So far, everyone has told me to talk to SNB. ^_^;;
00:18 < ryao> catphish: The latest Asus ROG Wireless Router costs $480 off Amazon. A Ruckus R510 can be purchased for $307 off eBay and it will mop the floor with the Asus in just about every metric that matters.
00:19 < ryao> s/Ruckus R510/Ruckus Zoneflex R510/
00:19 <+catphish> oh you mean things like asus supermegasamingXstation16000ROG type products
00:19 < ryao> That and also the mesh stuff.
00:19 <+catphish> the mesh stuff is IMO a bit more involved and worthwhile, they run dedicated backhaul networks
00:20 < djph> how about "product state: New in box"
00:20 < ryao> Even the Zoneflex R310 would mop the floor with the Asus. Few clients support more than 2 streams and the Zoneflex does a better job of handling multiple clients than just about anything consumer grade. The test results whenever anyone checks to see how the consumer grade stuff does are embarrassing.
00:20 <+catphish> definitely worth more than a standard AP because they likely have 3 radios and some clever software
00:20 < ryao> catphish: Well, only the Netgear Orbi.
00:20 <+catphish> but i think we can all agree those "gaming" routers are like gold plated hdmi cables
00:21 < djph> catphish: _Monster_ gold-plated HDMI cables
00:21 <+catphish> maybe they're reasonable quality build, but they have no technical merit and likely use the same soho chipsets
00:21 < ryao> catphish: However, here is the thing. The Ruckus APs basically have dozens, hundreds or even thousands of emulated low gain directional antennas inside them (called antenna patterns). Versus 2 or 3 directional APs, the Ruckus should match or exceed the coverage and be a better deal price wise, while having fewer problems and in general handling multiple clients more gracefully.
00:21 <+catphish> ryao: i assumed that's what you meant by mesh
00:22 < ryao> catphish: Also, the Ruckus APs are able to operate in a mesh. :)
00:22 < ryao> I have never met anyone who needed 2 ruckus APs in their house though.
00:22 <+catphish> oh yeah i remember they can do that
00:22 <+catphish> you haven't been to my house :)
00:22 < ryao> The range is just that amazing. Professional installations of Ruckus APs use 2 to 3 times fewer APs than installations of other vendors' solutions.
00:22 <+catphish> i do wonder how a ruckus would do actually, i have 2 unifi pros atm
00:23 < ryao> catphish: I replaced my 2 unifi AC Lite APs with a single ruckus 7982 and got better coverage.
00:23 <+catphish> yeah, i covered a major uk city with ruckus, they're sexy
00:23 < ryao> That is a 802.11n model. I later upgraded to the 802.11ac wave 2 R710 in anticipation of gigabit fiber.
00:24 <+catphish> "covered" may be an overstatement, but it didnt take many to cover a wide area
00:24 < ryao> catphish: The Unifi AC Lite APs and Unifi AC Pro APs have the same coverage on paper, so I expect a single Ruckus to do a better job.
00:24 < ryao> catphish: I am able to get coverage outside from my indoor AP at 100m on my cellphone, although it is slow.
00:24 <+catphish> ryao: actually what i have are the unifi-ac-lr (not pro at all)
00:24 < MarkusDBX> Putting swap on a remote machine over rdma, useful or stupid?
00:24 <+catphish> i hope the lr has slightly better antennas than the regular ones
00:24 < johnpringa> catphish: thanks - zayo has their own fiber or broker from other providers?
00:24 <+catphish> but i don't know the details
00:25 < ryao> catphish: This might be the case where the ruckus is only able to match 2 competing APs in coverage.
00:25 <+catphish> johnpringa: zayo have their own fiber, but really you need to take advice from someone who really knows the US market, i don't
00:25 < djph> catphish: it does
00:25 < ryao> I think zayo has a map somewhere showing where their network end points are.
00:26 < ryao> Google can find it. It is in a PDF. It was either zayo or lightower...
00:26 <+catphish> in any case, it would be cool to try a ruckus, might be neater for my house, and we have problems in the office with unifi and apple products
00:26 <+catphish> the apple users blame unifi, i blame apple ;)
00:26 < djph> UBNT agrees with you
00:26 <+catphish> they would
00:26 <+catphish> lol
00:26 <+catphish> apple does have a pretty bad history with wifi anyway
00:26 < djph> They've been trying to work with apple for ages, IIRC ... but Apple keeps saying they're not giving enough info or something
00:27 < ryao> catphish: That is funny. A previous employer had the same issues. I had a Ruckus AP and said "I have no clue what you mean". I do recall UBNT having a bug report saying that they disabled TxBF because of compatibility issues with Apple. Also, Apple uses broadcom. ^_^;;
00:27 < ryao> djph: I am confused. Wouldn't they say that Apple isn't giving enough information?
00:27 <+catphish> anyway, maybe i'll try ruckus and see how it compares
00:27 < djph> ryao: no, they're giving apple anything and everything they can to be like "unfuck your stuff"
00:27 <+catphish> what's their current entry level ac device?
00:28 < ryao> catphish: Anyway, the Ruckus APs do fine with all of the Apple equipment that I have tried using with it. Mostly iOS devices, but I did connect a Mac Mini to it before running wired ethernet and I did try out a MacBook Pro (that I returned). They had no problems.
00:28 < ryao> djph: lol - I think this is broadcom's fault.
00:28 <+catphish> R310 maybe?
00:29 < ryao> Speaking of which, I do remember 1 problem that I have had with Apple. Every few months, I encounter an iOS device that behaves like its radio's microprocessor hung.
00:29 < ryao> catphish: Well, if you want 802.11ac with full bells and whistles at the lowest price possible, then that is a good choice, although the prices on eBay are $30 higher than they were yesterday.
00:30 <+catphish> ryao: i'm more interested in stability than bells
00:30 < ryao> catphish: If you don't need a lot of throughput and are okay with a bare bones AP, then the zoneflex 7982 can be purchased for $45.
00:30 < ryao> catphish: I haven't had stability problems with 1 exception. Some clients don't like it when the AP changes channels dynamically. You should turn off channelfly to avoid issues.
00:31 <+catphish> i don't need serious throughput, ideally something that can sustain 80MBit with half a dozen users lightly active
00:31 <+catphish> yeah i always use static settings
00:31 < ryao> catphish: My two uncles are using zoneflex 7982 models at each of their homes with the standalone firmware. They love them. The only real issue that happened was due to a buggy PoE injector that wouldn't provide power after a power cut if the network cable was plugged into it first. It was weird.
00:31 <+catphish> can always reconfigure manually if interference changes
00:32 < ryao> catphish: You should love the 7982. If you don't need 3 streams, you can go with the 7962 to save money. That is the 2 stream version.
00:32 < ryao> The 7962 costs between $25 and $30. You might need to flash the standalone firmware. You can download it from ruckus after signing up for a free account on their website.
00:32 <+catphish> is zoneflex 7982 an old model?
00:32 <+catphish> i don't see *any* zoneflex on their site
00:32 < ryao> catphish: Yes. 802.11n. They declared all 802.11n models EoL.
00:33 < ryao> catphish: Zoneflex is their wi-fi AP brand... they should be there.
00:33 <+catphish> oh ok, i was kinda hoping for ac
00:33 <+catphish> but if n is a lot cheaper i'd be happy to try it first
00:33 <+catphish> it may be fast enough, and more stable
00:34 < ryao> catphish: It looks like they dropped the zoneflex brand. They had a change of ownership recently.
00:35 < ryao> catphish: The 802.11n stuff is much cheaper. They are equally stable in my experience. The bells and whistles are missing from the 802.11n stuff without the expensive dedicated controller, but you still get all of the basics like multiple SSIDs, radio settings, WPA2 encryption setup (including RADIUS support), network configuration, etcetera.
00:35 <+catphish> wow i can get Zoneflex 7025 for £5 each, guessing they're only good for very small installs
00:36 <+catphish> or ZoneFlex 7341, where do i find the specs for these old devices
00:37 < ryao> catphish: Well, the 7962 and 7982 were their top of the line models that cost $995 if I recall. Those other ones were lesser models. Googling for a specification sheet should bring it up.
00:37 < ryao> catphish: https://a030f85c1e25003d7609-b98377aee968aad08453374eb1df3398.ssl.cf2.rackcdn.com/datasheets/ds-zoneflex-7300-series.pdf
00:37 <+catphish> thanks
00:38 < ryao> Ugh.. while that came up, it isn't for the 7341. One moment.
00:38 <+catphish> remind me, does 11n run on 5GHz?
00:38 < ryao> catphish: You need to be careful with some of the lower end 802.11n stuff. I recall hearing that it didn't have standalone support.
00:38 < ryao> catphish: Yes.
00:39 < ryao> The datasheet says: "Offered in single and dual band models, the ZoneFlex 7300 series can be deployed as a standalone access point or as part of the centrally-controlled Smart Wireless LAN with the Ruckus ZoneDirector."
00:39 <+catphish> i'll make sure there's a standalone firmware, unless the controller is free? in which case thats fine
00:39 < ryao> The controller is a 1U and is not free unfortunately.
00:39 <+catphish> right now we use the unifi software controller which is fine
00:40 <+catphish> ah, don't want that
00:40 <+catphish> i'm wondering if 11n ruckus might be a cool thing to try
00:40 <+catphish> at work nobody cares much about speed, they just want it to work
00:41 <+catphish> at home, i only use 2.4GHz because of range issues
00:41 < djph> well, if you didn't live in a place with meter-thick stone walls ...
00:41 <+catphish> lol
00:41 <+catphish> my home is my castle
00:41 < ryao> catphish: The 5GHz range on the APs that I tried is equal to the 2.4GHz range on the Unifi AC Lite in my informal tests.
00:41 < ryao> catphish: https://support.ruckuswireless.com/products/30-zoneflex-7341#documents
00:41 < zOthix> nslookup
00:41 < zOthix> > help
00:41 < zOthix> The 'help' command is not yet implemented.
00:41 < zOthix> >
00:41 < zOthix> can anyone help me with this ^ ?
00:42 <+catphish> yeah but with 11n, i see no benefit to 5GHz anyway
00:42 <+catphish> since there's no ac with more speed :)
00:42 <+catphish> zOthix: try just typing a hostname :)
00:42 <+catphish> or reading its manual
00:43 < S_SubZero> zOthix: hang on let me implement the 'help' command
00:43 < S_SubZero> *patches nslookup*
00:44 < ryao> catphish: Less congestion. Anyway, this model seems somewhat cut down, but it looks like it would be roughly equivalent to the modern R510, except it is a 802.11n model.
00:44 <+catphish> well that seems like a reasonable midrange device
00:45 <+catphish> i can get 7341 for £10 each!
00:46 <+catphish> if they meshed, that would be a dream
00:46 < zOthix> S_SubZero, how can i implement the help command
00:46 <+catphish> could just put one in every room and lol
00:46 < ryao> catphish: The 7025 that you mentioned earlier looks super entry level. It is 2.4GHz only, it lacks beamflex+ and maximum power output is cut. I wouldn't recommend it: https://c541678.ssl.cf2.rackcdn.com/datasheets/ds-zoneflex-7025.pdf
00:46 < ryao> catphish: Well, they actually are able to do that, but not without a zonedirector.
00:46 <+catphish> zOthix: why would you want to do that? if you did want to you'd just find the source code and write it
00:46 < S_SubZero> zOthix: well, you need to 1) write ALL of the help material. Then 2) submit that to the people who maintain nslookup
00:47 < zOthix> right xD thanks!
00:47 <+catphish> maybe i could buy an old zonedirector
00:48 < ryao> catphish: You'd want a ZD1000. I am looking it up to double check.
00:48 < djph> it's pretty simple -> nslookup domain.tld <-
00:48 <+catphish> ryao: but they're practically giving away 7341 and other n models
00:49 < ryao> catphish: https://support.ruckuswireless.com/answers/000002018
00:49 < ryao> catphish: True.
00:49 <+catphish> found some 7962 - £17 each
00:49 < ryao> catphish: I think that the zonedirector 1000 has per AP licenses that come in 6 packs. I never really looked.
00:50 < ryao> catphish: That is less than they cost here.
00:50 <+catphish> i think it's just luck, when someone strips some out of a corp who upgraded
00:50 < ryao> catphish: Here is their smart mesh datasheet by the way: https://ruckus-www.s3.amazonaws.com/pdf/feature-sheets/fs-smartmesh.pdf
00:51 < ryao> catphish: It has been like this for years. Prices keep dropping.
00:51 <+catphish> i'd love to put them in every room of my house and try the mesh
00:51 < ryao> catphish: Businesses don't want these because they are EoL, even though they are still good. They want to upgrade to 802.11ac.
00:51 <+catphish> i only have one ethernet per floor, so could benefit from some mesh
00:52 < ellyacht> can you remove busybox from an Asus router using telnet?
00:52 < ryao> catphish: This is the lowest price that I can find: https://www.ebay.com/itm/Ruckus-ZoneDirector-1012-1000-ZD1000-Wireless-Controller-12-APs/142750840724
00:52 <+catphish> ellyacht: why? that sounds like a really bad idea
00:52 < ryao> ellyacht: Why would you want to do that? It probably would break the router by the way.
00:52 < ryao> You would need to do far more than just remove busybox.
00:53 < djph> ellyacht: given that busybox is what's running the show ...
00:53 < ryao> You would need to download the sources and heavily modify the userspace.
00:53 < ellyacht> catphish: ryao: no reason was just curious, so in theory could someone remove busybox and replace it with their own "version"
00:53 <+catphish> ellyacht: it would be as simple as replacing the binary in the image
00:53 < ellyacht> let me rephrase that
00:53 < ryao> ellyacht: In theory, you can put your own custom OS onto it. In practice, it is not so easy.
00:53 < djph> ellyacht: sure, but given it's an embedded device, busybox is probably the best option there
00:54 < ellyacht> could someone remotely flash a router? Whether it was with firmware, WRT, etc...?
00:54 <+catphish> you'd usually compile a whole new image rather than trying to patch it in, but it might be possible just to cp it into place
00:54 <+catphish> ellyacht: yes
00:54 < ryao> ellyacht: The way you would do things (assuming that the router is not locked against firmware updates requiring the bootloader recovery be used) is to build a new image and update it to that.
00:54 <+catphish> all routers can be remotely flashed
00:55 < ellyacht> catphish: seriouisly?
00:55 <+catphish> so yes, you could install a replacement remotely, this is done all the time for both good and evil reasons
00:55 < ellyacht> seriously*
00:55 < ryao> Well, US models now are locked down due to the FCC's order.
00:55 <+catphish> ellyacht: look in your router's gui, you'll find an "upgrade firmware" option
00:55 < ryao> For the most part.
00:55 < ryao> You need to use the bootloader to flash it.
00:56 < ryao> catphish: Supposedly, they do code signing now.
00:56 <+catphish> there you can replace the firmware, in some cases it must be signed by the manufacturer as ryao says
00:56 * ryao never really checked to be certain.
00:56 <+catphish> i've never had one that needed signing, but maybe some do now
00:56 < ryao> catphish: Only on US models and only on most of them.
00:56 <+catphish> i've never been to the US for more than an afternoon so meh
00:56 < ellyacht> catphish: ryao: yes there is a firmware upgrade option. I usually upgrade my Routers firmware via the recovery mode GUI
00:57 < ellyacht> interesting
00:57 < ryao> catphish: There was a wave of firmware updates sent out implementing firmware signing to comply with a FCC order meant to prevent people from using OSS firmware.
00:57 <+catphish> ellyacht: same thing :)
00:57 <+catphish> ryao: that was very silly, but i heard that too
00:57 < ryao> catphish: And I know for a fact that Asus was one of them. I have an affected model. I dodged the bullet by never getting that update.
00:57 * ryao ran asuswrt-merlin instead.
00:58 <+catphish> well if its only a software protection you can always jtag openwrt on there :)
00:58 <+catphish> but much more annoying
00:58 < ryao> catphish: Now they need to be flashed this way: https://www.reddit.com/r/HomeNetworking/comments/4q09b9/guide_to_downgrading_from_the_asuswrt_380_version/
00:58 < ryao> catphish: At least the FCC was stupid and didn't think to order them to lock down the bootloader too.
00:59 < ellyacht> ok here's an even better question. What command could I use in telnet (terminal) that would indicate to either you guys or myself, whether or not my router had been compromised or "attacked" having had malware installed?
00:59 <+catphish> unless the fcc were retarded their regulations wouldn't be that specifically worded
00:59 <+catphish> they'd just say that the mfgr must prevent custom software to be run
00:59 <+catphish> this would mean at all relevant levels
01:00 < ryao> ellyacht: Oh, I see why you are interested in that now. No idea. It depends on the attack.
01:00 <+catphish> i found a 6-AP zonedirector here, £125
01:00 < ryao> catphish: Is that enough for you?
01:01 < ryao> ellyacht: It is funny though. I said years before the malware was discovered that the router firmware was incredibly insecure. The engineering is shoddy.
01:01 <+catphish> ellyacht: you'd cat the flash and run it through an md5 hash
01:01 < ellyacht> by the way, is it just me or have Router manufacturers become a little like cell phone manufacturers? Where there is only really two major brands to choose from? Asus and Netgear?
01:01 < ryao> When I heard about the FBI's warning, I was surprised it didn't happen sooner.
01:01 <+catphish> then you could compare it to a known good device
01:01 < ellyacht> where would I find a known good device?
01:01 <+catphish> ellyacht: no, there are loads
01:02 <+catphish> ellyacht: no idea
01:02 < ryao> catphish: That might not work out well. There is NVRAM storage in the flash for settings.
01:02 < ryao> catphish: I guarantee you that every single device is going to have a different hash.
01:02 <+catphish> ryao: then i guess you'd need the flash map and do the relevant parts
01:02 < ryao> Also, good malware is able to fake a signature of not being present.
01:02 < ellyacht> ryao: I usually clear NVRAM before flashing new firmware.
01:02 <+catphish> that seems dumb
01:02 < ryao> catphish: What?
01:03 < ellyacht> catphish: ok good to know
01:03 <+catphish> clearing the nvram
01:03 < ryao> catphish: The flash map is easy to get, but it is easier to just reflash it.
01:03 <+catphish> seems a bad idea, it would contain macs
01:03 < ryao> catphish: Ah, yeah. If the software isn't designed to handle an empty state, that could mess it up.
01:03 <+catphish> and other factory settings
01:03 <+catphish> probably
01:03 < ryao> catphish: Well, the hardware should have the mac addresses hard coded for lookup and defaults should be written into the software.
01:04 < ryao> It depends on whether the firmware's developers test that scenario though.
01:04 <+catphish> the mac address could be "hard coded" in the nvram :)
01:04 <+catphish> it's a perfectly valid place to keep it
01:04 < ryao> catphish: I don't think it is, but I am willing to say that I am wrong.
01:04 < ellyacht> catphish: so there would be no real point in running the flash through a md5 hash if I had no known good device to compare it to?
01:04 <+catphish> but i agree it would be better not to do this and maybe they don't
01:04 < ryao> catphish: I never tested either way. :P
01:04 <+catphish> maybe they're capable of generating fresh settings
01:04 <+catphish> ellyacht: indeed
01:05 < ryao> catphish: I vaguely recall that it is, but I am not certain.
01:05 <+catphish> if you found the right parts you could compare it to an image downloaded from the manufacturer
01:05 < ryao> ellyacht: There is no point. You'd need a SPI programmer to be able to image the flash with the device off and then inspect it.
01:05 <+catphish> https://www.ebay.co.uk/itm/Ruckus-1000-1006-Zone-Director-Wireless-Controller-with-No-PSU/282996742877?epid=1750595445&hash=item41e3eb9add:g:XDEAAOSwxUtbFyRf
01:06 < ryao> Otherwise, well written malware (like from the supposed nation state hackers that the FBI claims to be behind the hacks) will be able to hide itself.
01:06 < ellyacht> is there a modem on the market that you can connect to its GUI via HTTPS?
01:06 < ryao> ellyacht: lol
01:06 < ryao> ellyacht: No.
01:06 < ellyacht> WHAT?
01:06 < ellyacht> damn
01:06 < ryao> And there never will be. At least not with a certificate signed by a trusted CA. :P
01:06 <+catphish> well yeah a perfect hack could fake its own flash content :)
01:06 < ellyacht> seriously?
01:07 < ellyacht> so what is the safest way to communicate with your modem?
01:07 < ryao> ellyacht: Yes. The accusations being made are that the hacks weren't done by amateurs, so any of the advanced techniques could be in use.
01:07 < ryao> ellyacht: Okay... please answer this question for me. What is a modem?
01:07 <+catphish> ellyacht: there is no safe way once it's hacked
01:07 < ryao> I don't think we are talking about the same thing.
01:08 <+catphish> if it's hacked, anything it sends you might be a lie :)
01:08 < ryao> catphish: There is, but you need to use a SPI programmer while it is offline.
01:08 < ryao> It can't lie then.
01:08 <+catphish> oh yeah, what ryao said
01:08 < ryao> Unless the hardware has a backdoor that the malware is using, but that is unlikely.
01:08 < ellyacht> ryao: my Coaxial cable from my ISP goes into my modem. Converts Digital to Analog. From my modem ethernet runs to my routers. From there its out to the devices
01:08 < ryao> It is incredibly unlikely that mass production equipment will have hardware backdoors of that nature. It costs extra to make the chips.
01:09 <+catphish> the 7962 AP looks kinda chunky and ugly :(
01:09 < ellyacht> or analog to digital not sure*
01:09 < ryao> ellyacht: Okay. So, you get to rely on your cable company for that entirely. DOCSIS modems are incredibly locked down and are designed so that the cable company has full control over them.
01:09 < ryao> catphish: Get the 7982. It is nicer.
01:10 < ellyacht> DOCSIS 3.0 are the only modems available to the public no?
01:10 <+catphish> none available
01:10 < ryao> catphish: Darn. I guess the 7341 is an option then.
01:10 <+catphish> yeah, loads of those
01:11 <+catphish> its 7341 or 7962
01:11 < ryao> ellyacht: No, but the DOCSIS 2.0 modems are having support dropped and DOCSIS 3.1 modems are rare and pricy. They don't change the situation with being locked down.
01:11 <+catphish> the 7962 just isn't going to work except in a warehouse, it's huge
01:11 < ryao> catphish: You might like the 7962 for the root AP and the 7341 for the client APs.
01:11 < ryao> catphish: I wouldn't say huge, but it is fairly large.
01:11 < ellyacht> so there is no real work around for having my ISP control my modem?
01:12 < ryao> ellyacht: There is, but it is a grey area and ISPs hate it.
01:12 <+catphish> i'm not really sure whether to bother buying the controller, its kinda expensive, but if it does seamless roaming i might be tempted
01:12 < ellyacht> I love grey
01:12 < ryao> ellyacht: Look into forceware firmware. It is supposed to be GPL, but the sources aren't distributed. -_-
01:12 < koala_man> can ISPs run code on docsis modems?
01:12 <+catphish> ryao: ask them then ;)
01:12 < ryao> koala_man: Yes.
01:13 < koala_man> wat
01:13 <+catphish> they wouldnt want to break precious copyright law rught
01:13 <+catphish> *right
01:13 < ryao> catphish: Have fun asking them. It is a dark web thing.
01:13 < ryao> ellyacht: https://hackaday.io/project/20063-flashing-forceware-on-sb6141
01:13 <+catphish> oh ok
01:13 <+catphish> how odd
01:13 < ryao> ellyacht: There are modems on eBay with it preinstalled, but there is no telling if anything had been done to them.
01:13 <+catphish> i wouldnt trust that one bit
01:14 < ryao> catphish: I am not sure which is worse. The stock cable modem, or one running forceware.
01:14 <+catphish> lol
01:14 < koala_man> ryao: are you talking about ISP routers with built-in modems?
01:14 < ryao> ellyacht: That is supposed to be extremely customizable. It tends to be used for illegal things. I have never used one. I just know of it through a defcon talk.
01:15 < ellyacht> ok so for a single (paranoid) guy that likes to game on PC but also likes security, has only 4 devices, what setup would I want to choose if money were no object?
01:15 < ryao> koala_man: No. Actual DOCSIS cable modems. There were a few defcon talks about this. The manufacturers were forced to release part of the sources under the GPL, so people started hacking away at them.
01:15 < ellyacht> the sb6141?
01:15 <+catphish> if money were no object, you'd get ethernet fiber to the home, a juniper router, and ruckus APs
01:16 < koala_man> wow, definitely watching this
01:16 < ellyacht> ryao: APs access points?
01:16 < ryao> ellyacht: Well, I'd get a pfSense router, a subscription to "Private Internet Access" or another reputable VPN provider, and then send all traffic through the VPN.
01:16 < stonelore> fiber to the modem, man
01:16 < ellyacht> I have PIA
01:16 < ryao> ellyacht: Then what the modem is won't matter.
01:17 < ellyacht> Pia, pfsense router and fiber to the home?
01:17 < ellyacht> with Ruckus APs
01:17 < ellyacht> ?
01:17 < ryao> ellyacht: Then set it up to force all traffic over it at the gateway. I am not sure if the Asus router lets you do that. You will be better off with a pfsense one. I'd ask what your internet speeds are, but I assume that they are lousy, so you could probably get away with the cheap pfSense SG-1000.
01:17 <+catphish> is there a simple answer to 7341 vs 7962?
01:17 < ellyacht> 300 down 12 up
01:17 < ryao> catphish: The 7962 should get somewhat longer range.
01:17 <+catphish> oh 7341 Single-band (2.4GHz) 11n AP
01:18 < ryao> I thought it was dual-band... maybe that is the 7343.
01:18 <+catphish> so thats a big difference right away
01:18 < ryao> It is single band. You probably don't want it for a mesh network.
01:18 <+catphish> shame the 7982 isn't available, thats cool and not ugly
01:19 < ryao> catphish: We have tons of them in the US.
01:19 <+catphish> if the range is awesome then mesh isn't a requirement
01:19 < ryao> catphish: It is a shame that shipping to the UK is pricy.
01:19 < ryao> catphish: Well, that is true. You won't need the ZD1000 either because of the awesome range. ^_^;;
01:20 <+catphish> that was my thought
01:20 < ryao> ellyacht: FTTH is nice and somewhat more secure than cable, although sending all traffic through PIA makes it pointless.
01:20 <+catphish> it only matters at home
01:20 < ryao> catphish: A single ZF7341 probably would serve you well given that you don't use 5GHz.
01:21 < ryao> ellyacht: With a VPN in place, the confidentiality of the channel doesn't matter.
01:21 <+catphish> maybe i'll buy some 7341 then, they're so cheap
01:21 <+catphish> it's mostly for the office because of apple whiners
01:21 < ellyacht> ryao: mmk. So if a person is worried about the integrity of packages being delivered to their home. How would I go about purchasing a pfSense router, and Ruckus APs?
01:21 < ryao> catphish: Enjoy. You will love it.
01:22 <+catphish> lol "40 X Ruckus Zoneflex 7363 Access Points"
01:22 <+catphish> current bid 0.99
01:22 < ryao> catphish: 40 pack. Score.
01:22 < ryao> ellyacht: Why did you ask about Ruckus APs? ^_^;;
01:22 <+catphish> 7363 is dual band
01:22 < ryao> catphish: Okay. That clears up my confusion.
01:23 < ryao> ellyacht: Anyway, wow, that is paranoid. Build your own Intel box for router duty and then install pfSense on it.
01:23 <+catphish> 6 x Ruckus Zoneflex 7762 outdoor wireless access points - £50
01:23 <+catphish> i can do my yards too :)
01:23 < ryao> ellyacht: Ruckus APs aren't particularly magical when it comes to security. However, they do support VLANs, which lets you keep the management functions off limits from connected devices if you use them to make another subnet.
01:23 < ryao> catphish: Nice. :)
01:24 <+catphish> i do wonder if that ugly shape serves some antenna purpose
01:24 < ryao> ellyacht: VLANs are a really nice security feature, if used properly with a firewall to keep routing from breaking the isolation.
01:24 < ryao> catphish: It does.
01:25 < ryao> catphish: They shrunk it in the 7982 and later models, but the proprietary antenna array is actually using some of the space.
01:25 < ryao> I hate the shape too though.
01:26 < ryao> ellyacht: As for making certain that someone didn't compromise a Ruckus AP... flash it? I don't think many people know how to backdoor one of them and flashing things generally wipes out installed backdoors unless someone went out of their way to replace the flash chip with something special.
01:27 <+catphish> what if someone hacked your eyes?
01:28 < ryao> catphish: It doesn't matter what I do anymore. It would be game over. :P
01:28 < ryao> s/doesn't/wouldn't/
01:29 <+catphish> this is a great source of info https://support.ruckuswireless.com/product_families/4-eol-products
01:38 < ryao> catphish: It just dawned on me that I forgot to mention something important. With Ruckus APs, the PSU and mounting equipment are not included.
01:38 <+catphish> they all say poe, it's not clear what kind
01:39 < ryao> catphish: 802.3af, although I recall them mentioning that they could take advantage of 802.11at on some models (newer I think).
01:39 < ryao> catphish: They also support >1.25A 12VDC PSUs with 2.5mmx5.5mm barrel connectors.
01:39 < ryao> I think you can get away with a 1A though.
01:40 < ryao> s/802.11at/802.3at/
01:40 <+catphish> my current stuff is a combo of 802.3af and proprietary dumb poe
01:40 < ryao> catphish: Then you should be fine. :)
01:41 <+catphish> the office where i mostly want these is all 802.3af so i should be good to go
01:41 < ryao> catphish: Silly question, but are you going to get the zone director for your work and do the mesh setup? I am curious.
01:41 <+catphish> no, i'm gonna get 2 and run them standalone
01:41 <+catphish> or maybe just one, range being good enough
01:42 < ryao> Let me know how you like them, although I think that I already know the answer to that. :)
01:42 <+catphish> right now we have one unifi per floor, and it's fine apart from apple users :)
01:43 <+catphish> at home i have one ceiling mounted unifi per floor, they're ceiling mounted, i will *try* replacing them with a single ruckus ap, but i can't be bothered to ceiling mount again, so unless it's amazing from the place where my switch is, i probably won't bother
01:43 < ryao> catphish: You probably already know this, but I suggest: setting 2.4GHz to a static 20MHz channel, setting 5GHz to a static 40MHz channel, setting power output to the legal maximum, using different SSIDs for 2.4GHz and 5GHz
01:43 <+catphish> that's exactly my current setup
01:43 <+catphish> though i think maybe i use 20MHz on 5G too
01:44 <+catphish> whatever the minimum us
01:44 <+catphish> *is
01:44 < ryao> catphish: I am in the same situation. I had the unifi ceiling mounted. I was going to ceiling mount the ruckus, but I misplaced the ceiling mount kit between getting it and having time to do it. It is awesome from the cabinet where I have it resting though.
01:44 < ryao> catphish: 20MHz is the minimum. I like to go higher on 5GHz because I consider that to be for throughput and 2.4GHz for range.
01:44 <+catphish> well i'm redecorating my halls at some point, would be nice to lose the surface mounted cables to the ceiling
01:45 < ryao> catphish: In dense deployments, you don't have that luxury, but the ruckus handles multiple clients fairly well.
01:45 < ryao> catphish: It is hard to find fault with ruckus APs, aside from the top of the line model being too expensive. :)
01:46 <+catphish> well since i won't be wall mounting, i guess the ugly 7962 is the better choice
01:46 * phogg takes careful notes
01:46 <+catphish> it'll be on a shelf anyway
01:47 < ryao> By the way, I remember hearing that you shouldn't place APs near metal objects... I have it next to a metal model airplane. No issues. ^_^;;
01:47 <+catphish> lol
01:47 <+catphish> all the 11n devices claim a max throughput of 300mbps
01:48 < ryao> That is for 2 stream performance and a 40MHz channel bandwidth.
01:48 <+catphish> ah that makes sense
01:48 <+catphish> so more realistically 150Mbit at 20MHz
01:49 < ryao> And in practice, you can expect only half the link throughput on these things. At least, that is my old rule of thumb. The latest 802.11ac radios seem to have broken that threshold. On the 802.11g equipment, I only expected 30%.
01:49 < ryao> catphish: Yes.
01:50 < ryao> Of course, that is only on single client tests. I never did multiple client tests to know if it gets better (although at large numbers, it gets worse).
01:50 < ryao> Latencies remain awesome the entire time though, provided there is not a bufferbloat problem upstream.
01:52 < ryao> catphish: If you are doing a 20MHz channel on the unifi, then I suspect that a 40MHz channel on the ruckus could be okay. The ruckus is really good at dealing with interference and the signal strength should improve, despite the 3dB penalty from a 40MHz channel.
01:52 < ryao> The ruckus has more range after all.
01:52 <+catphish> there are so many seemingly identical models
01:53 < ryao> catphish: They probably had a few ways of 802.11n line ups before EoLing all of them.
01:53 < ryao> s/ways/waves/
01:53 <+catphish> ah ok
01:53 < ryao> I know that the 7982 replaced the 7962 as the top end model.
01:53 < ryao> With 802.11ac, they have had 3 different high end models. The R700, R710 and R720.
01:54 < ryao> Those are wave 1, wave 2, wave 2 with a better radio :P
01:54 < ryao> They have had 2 different groups of midrange and low end models on 802.11ac. I am not familiar with the history of the 802.11n product line.
01:55 < ryao> catphish: The key specifications to look at are maximum client count, spatial streams, antenna pattern count, receive sensitivity and transmit power.
01:55 <+catphish> i don't really have those specs :(
01:55 < ryao> When doing comparisons in their 802.11n line up.
01:56 < ryao> catphish: It is in the datasheets that you can find mirrored on other sites by searching google with their names.
01:56 < ryao> They are all pdfs.
01:56 < ryao> e.g. Google `filetype:pdf zoneflex 7982`
01:57 <+catphish> i mostly want to know if the 7962 is worth much more than the 7341 to me
01:57 <+catphish> the obvious difference is the 5ghz band
01:58 <+catphish> your google fu works well
01:59 <+catphish> 40 X Ruckus Zoneflex 7363 Access Points would be awesome, but 10 days more auction
01:59 <+catphish> https://www.erre1.it/upload/1fe33535a8af3485.pdf
01:59 <+catphish> nice comparison
02:03 < Harlock> i have just one older ruckus i am using at home
02:03 < Harlock> an 11n model
02:09 <+catphish> well i've ordered a couple of the cheap 2.4GHz ones, will have a play in the office, hopefully it'll be more stable for the apple users
02:09 <+catphish> if they're awesome, i'll try the range at home too
02:10 <+catphish> but ultimately i'll want ac for home because i use a fair bit of bandwidth
02:10 <+catphish> ryao: thanks for the pointers, i'll see how it goes and maybe buy more current ones in the future if they're good
02:24 < ryao> Harlock: Cool. I imagine that you like it. :)
03:02 < jennifer> Hey guys, haven't thought about this topic for a while. If I connect to a company wifi, can they spy on me? Read content, etc?
03:04 < Peng_> Unencrypted stuff, yes. Encrypted stuff, not normally. But if you've installed monitoring software (or just a CA) on your device, encrypted stuff too.
03:04 < koala_man> jennifer: they can generally see which web sites you go to, and sometimes what you do on them
03:04 < Peng_> Good point. Even "encrypted" communications are revealing.
03:11 < local_host> It must be refreshing to be a spy all you have to do is get paid to stalk.
03:12 < jennifer> I see
03:13 < jennifer> I guess I just need to spend my time wisely at this company then
03:14 < dogbert2> hehehe...whazzup in here?
03:44 < spaces> and I thought what did I feel there in my neck, it was a tick!
03:45 < spaces> damn tiny small thing
03:50 < spaces> dogbert2 you as a dog must have them often, I just hugged my dog so I know where it came from :P
03:50 < dogbert2> LOLOL!
03:51 < spaces> damn they are really small I only saw them dead or sucked with blood
03:51 < spaces> I like to remove them, it's just fun if a animal trusts you
03:51 < spaces> *an
03:57 < spaces> dogbert2 what are you doing ? spinning that chick all the time?
04:32 < Harlock> ryao yes it works well, and i don't get random disconnections
06:00 < Goop> I want to try to network two Raspberry Pi's together over a CAT5 cable with no additional boards.
06:01 < Harlock> you have my permission
06:02 < Goop> I don't want to reinvent the wheel, so is there some software (on Linux) that takes a string of text and sends binary signal out, and takes care of all the timing?
06:03 < Goop> That's what I've never understood about networking--how computers negotiate how long a "1" and how long a "0" is.
06:04 < Harlock> don't these have an ethernet port
06:04 < Goop> The Raspberry Pi 0's don't have Ethernet ports.
06:04 < Goop> I want to build something, and I won't want to add extra weight with a network switch.
06:05 < Harlock> why would you need a switch
06:05 < Harlock> and you never said you had a pi 0 in the first place
06:05 < Goop> Sorry, my mind is a few different places.
06:06 < Goop> I want to use the GPIO pins to send/receive data from another Raspberry Pi (zero).
06:06 < Spice_Boy> there is a serial interface in those GPIO pins
06:07 < Goop> Spice_Boy, I'm not sure what that is. I'm fairly new to doing this kind of thing.
06:08 < Harlock> one of those new fangled serial ports eh
06:09 < Goop> Are you saying that I would have to have the GPIO pins act as a serial port, then have it use the face serial cable as a network cable?
06:09 < Harlock> you want to run ip over it?
06:09 < Harlock> you can use slip or ppp over serial
06:10 < Goop> Yes, I want to run Internet Protocol over GPIO.
06:10 < Spice_Boy> its GPIO pins have serial, but it's not rs232 voltage levels, but if you're going between two pis then it should be fine
06:10 < Spice_Boy> then yeah, ppp or something
06:11 < Goop> Is ppp a Linux package? How would I go about doing this as far as a software side?
06:11 < Spice_Boy> okay, stop there. If you don't know these things, what are you actually trying to achieve?
06:13 < Goop> I'm trying to achieve using multiple digital, electrical input/output pins a computer has and have Linux recognize the pins as a network interface.
06:15 < Goop> That really is what any other network port does--it's just a fancy set of input/output wires that leads to a fancy physical port, which goes over to a cable of wires.
06:18 < Goop> Is it making sense what I'm saying?
06:21 < grawity> it's technically possible, yes
06:25 < grawity> but it depends on what protocol you want to run over those pins, electrically
06:27 < Goop> So I need an electrical protocol, and the Internet Protocol goes on top of the electrical protocol?
06:27 < grawity> sure
06:28 < Goop> I don't really have an opinion on electrical protocols.
06:28 < Spice_Boy> as we said, use the built in 232, same levels because both are Raspberry Pi, then run PPP on it, then you're done
06:28 < grawity> packets don't just go over the wire, you need to turn them into some sort of signal, whether it's standard like RS232 or Ethernet or custom
06:28 < grawity> if the device already has *dedicated* RS232 ports, yeah, that'd be a lot easier
06:28 < Spice_Boy> https://pinout.xyz/pinout/serial_pi_plus#
06:28 < Spice_Boy> pins 8 and 10
06:28 < Spice_Boy> easy
06:29 < Spice_Boy> too easy
06:29 < grawity> what's the highest bit rate you can get on pi's serial?
06:29 < Spice_Boy> just don't connect it to a standard computer serial port, as voltages are different
06:29 < Spice_Boy> don't know... never actually used it, just know it's there
06:29 < Spice_Boy> I tend to use a usb-serial adapter
06:30 < Spice_Boy> ...at 9600 generally
06:46 < Goop> So the "baud" (bits per second) rate of the serial connectors is 115200. That is 14.4 kilobytes per second
06:47 < CuriosTiger> baud != bps
06:47 < grawity> I was told bits per second wasn't anywhere the same as "baud rate" anymore
06:48 < CuriosTiger> grawity: They were never the same. Back in the day, they used to correlate, but compression algorithms changed that.
06:48 < grawity> also, I think some raspberry pis *can* go up to a Mbps or two
06:48 < CuriosTiger> baud measures physical pulses per second across some medium, like a phone line.
06:48 < grawity> hmm
06:49 < Apachez> baud rate = characters per second
06:49 < Goop> I got at least 30mbyte/s on a wireless connection over a wireless USB interface.
06:49 < CuriosTiger> pulses don't quite correspond to bits. For example, in a typical 8B10B encoding, a byte (eight bits on a computer) requires 10 pulses across a phone line.
06:49 < Apachez> bit rate = bits per second
06:49 < grawity> CuriosTiger: so actually it *is* the same for raw RS232 then, no?
06:49 < Apachez> bits are always in size of 1 bit
06:49 < Apachez> baud can be anything between 5 and 8 bits per char depending on charset being used
06:49 < Apachez> back in the days you had like 5-7 bits, 8 bits per char is pretty new invention
06:49 < CuriosTiger> grawity: For raw RS232 with no compression or other manipulation at the endpoint, yes, I suppose.
06:49 < grawity> since I don't think serial uses any fancy modulation
06:50 < Apachez> or lets say unicode would have been used then baud would have been 16 bits/char
06:50 < CuriosTiger> grawity: Serial does generally use 8B10B, basically to avoid long runs of all zeroes or all ones that may be mis-counted by the hardware.
06:50 < Goop> https://elinux.org/RPi_Serial_Connection that is the context
06:50 < Apachez> so default is often 9600 for com ports while you often want to change that into 115200 for switches/routers
06:50 < Apachez> because a show run will take so much longer with 9.6kbps vs 115.2kbps
06:51 < Apachez> other than that a com port in a computer often supports up to 2 megabit/s
06:51 < Maarten> 1988 is knocking and wants his com1 port back.... ;)
06:51 < CuriosTiger> Apachez: Wrong. Baud has nothing to do with bytes, nor with whether you're using unicode or ASCII or EBCDIC.
06:51 < CuriosTiger> Baud measures the number of pulses per second. Changes from one to zero or from zero to one.
06:51 < Apachez> CuriosTiger: wrong bytes is always 8 bit, baud have nothing to do with bytes
06:51 < grawity> CuriosTiger: ah right, I forgot stop bits and stuff
06:51 < CuriosTiger> The closest corresponding unit is bit, not byte.
06:51 < Apachez> baud can be anything between 5-8 bits depending on standard being referred to
06:52 < CuriosTiger> Apachez: And no, bytes aren't always 8 bits.
06:52 < Apachez> nowadays they are
06:52 < Maarten> baud is just a raw bitrate, how you transfer things really depends on what the settings are, some connections only use a start bit + 7, others start, 6 bits, stop bit.... I forget, it's been so long :(
06:53 < Maarten> I used to GAME against friends using a com1 cable between two PC's.
06:53 < grawity> ah, here's the page about overclocking serial (on the original raspberry I think) https://www.thedevilonholiday.co.uk/raspberry-pi-increase-uart-speed/
06:55 < Tegu> isn't baud the symbol rate, not bitrate?
06:56 < Goop> So the stop bits is "1", the bits are in 8, no parity in the context of this page here: https://elinux.org/RPi_Serial_Connection
06:56 < grawity> Tegu: yeah, though we're talking about RS232 where they're apparently close enough
06:56 < Tegu> if one symbol represents one bit, then it equals to bitrate
06:56 < grawity> Tegu: though I don't understand why Apachez insists it's related to bytes somehow
06:57 < Tegu> ah yea, context. didn't read enough backlog
06:59 < grawity> ...oh right, if byte size is 8 bits, then I guess the bitrate is 8/10ths of the baud rate due to the start/stop bits
07:06 < Tegu> it still transfers the stop bits etc, so would that be more like "effective bit rate" or "effective data rate"
07:17 < iateadonut> i just made a reverse proxy, and the configuration on the original source server says this: Proxied. Traffic is being served from this site, but your domain may be configured behind a proxy like Fastly or Cloudflare.
07:18 < iateadonut> i wonder how that could be detected?
08:06 < Kirball> There’s a Mr Robot Badge PCB on eBay from last year's defcon personalized and autographed by int80 of Dual Core. If anyone’s interested.
08:21 < dionysus69> I understand concept of multiple application servers behind the loadbalancer, but what about the loadbalancer itself? how many requests can loadbalancer(nginx) handle
08:21 < dionysus69> and what's the practice of scaling the loadbalancers themselves? and how often is it needed?
08:49 < melissa666> I'm looking at this wifi antenna --> https://www.amazon.com/gp/product/B01LY35HGO/ref=ask_ql_qh_dp_hza ... I thought it would be easy to find on Google, but I can't find a consistent answer on what the range of a USB wifi adapter like this, with 5dBi antenna would get outdoors with clear line of sight.
08:54 < detha> melissa666: there is no simple answer to that. It depends on too many factors (AP, how noisy is the environment, reflections/multipath, how are you holding the device, ....)
08:55 < grawity> how about "compared to adapter with an internal antenna"
08:57 < detha> "slightly better, but not much"
09:00 < melissa666> detha, assuming low traffic on the channel they are on, do you think it would be reasonable to say that two hosts using this card would be able to communicate from indoors across a city street (assuming they were in a window or something without any walls, etc between them)? I am wondering if they would have strong signal 50-100 ft away with nothing significant between them and low traffic on channel?
09:01 < melissa666> is that something that could be said with any confidence?
09:01 < grawity> how wide are your streets
09:01 < melissa666> or just no way to say for sure, even for that short range?
09:02 < melissa666> grawity, that's what I meant by the 50-100 feet - I was referring to distance across streets of that width
09:02 < detha> No. It is likely to work, most of the time, but don't be surprised if for example a large truck or a car with noisy ignition passing through the street breaks your link
09:04 < melissa666> detha, ok, thanks
09:49 < veek> when you do a traceroute.. what's that stuff in (brackets)
09:49 < veek> 15 72.249.137.132 (72.249.137.132) 288.276 ms ae-6.r10.dllstx09.us.bb.gin.ntt.net (129.250.5.4) 304.049 ms ae-5.r11.dllstx09.us.bb.gin.ntt.net (129.250.5.24) 292.284 ms
09:50 < veek> it's hop wise acknowledgements - so.. what's ae-5
09:59 < grawity> it's literally each router's hostname and IP address
09:59 <+xand> veek: the IP address...
09:59 < Reventlov> I don't see any bracket :|
09:59 <+xand> and the name...
09:59 <+xand> () are brackets
09:59 < grawity> ae-5 is whatever NTT decides to name the thing
09:59 < Reventlov> shit, I have been calling that parenthesis
10:00 < grawity> some definitions of 'brackets' include all levels of curliness
10:00 < EvanR> () are often called brackets
10:00 <+xand> Reventlov: yeah that's a more specific term :p
10:00 < EvanR> maybe we should be fair and sometimes call [] square parentheses
10:01 < veek> okay so that's because traceroute's sending multiple pkts with different ttl
10:02 < veek> 1st line started with 3 pkts with different ttl and i guess depending on routing they get sent through different paths
10:03 < veek> what's funny is that the final destination should resolve to 1 host unless it's multihomed like yahoo and i'm getting 2 hosts.. and i was redirected to a scam page but the site's legit
10:04 < winsoff> How would someone take devices from multiple subnetworks and put them all into one logical network? For instance, if I have devices all over 10.0.0.0/8, but I wanted to put 100 or so of those on 192.168.1.1-101.
10:05 < grawity> if both networks use different routers, just make sure each router has routes to the other network...
10:06 < winsoff> grawity, is there no way to symlink these things together, in networking tersm?
10:06 < winsoff> terms*
10:06 < grawity> I don't see why that would be necessary
10:06 < grawity> hosts in one network can already reach hosts in another network
10:06 < grawity> that's literally how internet works
10:07 < winsoff> Right, but if I've got multiple devices behind multiple routers, all behind one big boy router, and I wanted to hack a network together out of multiple devices on all of those networks, is that possible?
10:07 < winsoff> Like a VPN, but accessible/addressable by any host behind the big boy router.
10:08 < grawity> well yes, sure
10:08 < bezaban> what network would they 'be' on? You could use multiple interfaces and vlans or virtual interfaces if supported by the hosts
10:08 < grawity> tell that router which device handles which subnet
10:08 < grawity> again, literally how internet works
10:08 < winsoff> So would I just set up the hosts without dhcp, in that case?
10:09 < grawity> no, why?
10:09 < ahyu84> how to set inter-vlan to communicate vlan with other vlan each other?
10:09 < winsoff> Or are dhcp servers complex enough that I can say, "hosts from this vendor get this IP"
10:09 < grawity> some servers can certainly do that, but uh, I don't see how that's in any way relevant
10:09 < bezaban> ahyu84: you use a router like any other network :)
10:09 < ahyu84> managed switch
10:09 < winsoff> grawity, I've recently seen a network in which multiple IP cameras from multiple different places (and therefore, definitely different networks) were all on 192.168.1.1/24.
10:10 < ahyu84> hi bezaban ^_^
10:10 < bezaban> ahyu84: hey again :)
10:10 < ahyu84> yup
10:10 < ahyu84> haha
10:10 < grawity> winsoff: connected to a bunch of home routers which perform NAT by default, I guess
10:10 < winsoff> grawity, nah, enterprise.
10:10 < grawity> well
10:10 < winsoff> No nat, though I don't know the exact implementation. I guess I could ask the sysadmin, but I'm curious if this was commonly in use.
10:10 < grawity> 1) enterprise doesn't mean "not stupid"
10:11 < winsoff> lolol
10:11 < grawity> 2) different places don't mean different networks
10:11 < grawity> could have a single "IP cameras" VLAN across the whole thing
10:11 < winsoff> So the VLAN *can* be IP-based?
10:11 < grawity> nothing in the above implies that it's an IP-based VLAN
10:12 < winsoff> Well, if they are indeed only connected by layer 3 tech, then it would have to be, right?
10:12 < winsoff> The places that these IP cams are in are like half a mile away from each other
10:12 < grawity> what do you mean by "connected by layer 3 tech"...
10:12 < winsoff> Routers, not switches.
10:12 < winsoff> Is "layer 3 tech" satisfactory to describe the difference?
10:12 < grawity> it's perfectly possible to have L2 links half a mile across, anyway
10:13 < shangul> I have a dial-up modem, a DSL splitter/filter, a DSL modem and a telephone. How should I connect these?
10:13 < winsoff> grawity, those would just need repetition, right?
10:13 < winsoff> without going into wireless, that is
10:14 < grawity> winsoff: not if it's over optical fiber
10:16 < grawity> fairly sure fiber ethernet can go at least 10 km without any sort of repeater
10:16 < winsoff> Hot damn.
10:16 < winsoff> Did I already ask where you got all of your networking knowledge, grawity
10:16 < grawity> https://xkcd.com/903/
10:17 < squ> haha
10:18 < winsoff> There is no way that 1) you are that good at searching wikipedia and 2) wikipedia is as comprehensive as you are.
10:18 < winsoff> Maybe for most of the discussion, though.
10:20 < grawity> I mean, I've been screwing around with networks since 1st grade and currently manage the LAN of a tiny local college
10:20 < winsoff> Are you US-based?
10:20 < grawity> more like eastern europe
10:21 < shangul> I think I asked a too advanced question!
10:22 < winsoff> Be right back.
10:22 <+catphish> yes, fiber ethernet can go 100km :)
10:22 < grawity> "For standard NRZ-OOK links with G652 fibers, the unamplified limit is approximately 100 km" that's a lot of acronyms I don't know
10:22 < squ> grawity: thinking about wiring local college with optical cables?
10:22 <+catphish> yeah, the best transceivers i see can do 100km
10:22 < grawity> squ: well it's already got those between buildings anyway
10:23 < squ> inside, between routers
10:24 < grawity> >routers
10:24 < grawity> 'tiny' in European scale
10:24 < squ> let's say you have 3 story building, each floor has mikrotik WiFi with SFP
10:25 < grawity> are we talking about routers, or about wi-fi access points?
10:26 < squ> if you want to define difference between access point and wifi router
10:27 < grawity> "wifi router": a 2/3/4-in-one device that bundles a wifi access point, an ipv4 router, and an ethernet switch
10:28 < grawity> I'm not sure why you'd put that in a large network *at all*
10:28 < squ> what do you have there?
10:28 < grawity> (admittedly, one such mikrotik device *is* hanging on the wall behind me, but it's not doing any IP routing, just like the other APs aren't)
10:29 < grawity> there's one dedicated 'router', going to a bunch of switches, going to a bunch of assorted wifi access points
10:30 < squ> with fibre 100km range wifi access points can be plugged directly to 1st router
10:30 < grawity> and I suppose they are
10:31 < squ> so you are considering to upgrade the network?
10:31 < grawity> no
10:32 < squ> did you setup cameras too?
10:32 < grawity> no
10:36 <+catphish> this conversation is weird
10:36 < grawity> it is
10:38 < squ> why? Is it not up to network admin to setup cameras?
10:38 < grawity> we don't *have* cameras
10:41 < grawity> https://superuser.com/q/1331111/1686
10:42 <+catphish> grawity: wonder what kind of weird cable they have, but seems like it'd work fine
10:50 <+catphish> violet: please stop that some time soon
10:51 < violet> catphish: I'm sorry it is over now, I had issues from my phone.
10:51 < violet> sorry and thank you for the patience
10:51 <+catphish> violet: it's ok :) was just getting a bit annoying
10:51 <+catphish> not a big problem
10:51 < violet> I'm sorry I'll avoid trying to identify from my mobile, thanks once more have a great day :)
10:52 <+catphish> oh i see what happened :) you have a nice day too
12:01 < darsie> Will a device only connect to a hotspot with matching SSID and password or would it also connect to a hotspot of a hacker which accepts any password or is open and the hacker could then connect to the device and mess with it?
12:02 < darsie> Will the password be transmitted to the hotspot or does it use some challenge/response algo?
12:03 <+xand> darsie: it doesn't just send a password out so it can be captured
12:03 <+xand> it's challenge/response
12:03 < darsie> k
12:04 < spaces> all networks sexy ?
12:04 < darsie> What about a hacker offering a hotspot with the same SSID?
12:05 <+xand> darsie: it wouldn't connect if the key didn't match...
12:05 < darsie> ok thx
12:07 <+xand> the AP will send encrypted packets which the client will try to decrypt and fail to
12:07 < kidn3ys> darsie: look up 'wpa evil twin'
12:08 < darsie> ok
12:12 < imado> .
12:12 < darsie> .
12:16 < imado> anybody knows how to register to ##electronics channel ? or where should i ask this question?
12:16 < darsie> #freenode
12:17 < Mead> good morning ##hardware
12:22 <+catphish> imado: see https://freenode.net/kb/answer/registration - ask in #freenode if you get stuck
12:24 < Aviyah> Hey, room. I am new here. Anyone awake right now?
12:24 < Roq> Sure
12:25 < Aviyah> So I bought the cheapest linksys repeaters I could find on amazon and I didn't realize this upon purchasing them but it is impossible to disable WPS on them.
12:25 < Aviyah> Does that sound absurd to anyone else?
12:25 < Aviyah> lol
12:25 < winsoff> Is it usually a sign of routing issues when one traceroute (tcp) goes straight to the router and into a subnet, and when another (udp) goes all the way out to an edgerouter?
12:28 < Roq> Aviyah: I don't know, does it have a web interface where you can turn it off perhaps
12:28 < djph> Aviyah: given "the cheapest consumer crap" ... no
12:31 < Aviyah> There is a very minimal user interface on the repeater. I couldn't find a disable WPS option anywhere so I went on to linksys customer support chat twice. First, guy didn't have a clue what I was talking about. Second guy knew and said there is no way to disable it on that particular device.
12:32 < Aviyah> It is pretty stupid.
12:32 < Aviyah> I guess there would be a way to disrupt the WPS through modding the firmware, right?
12:33 < djph> maybe *wrt
12:33 < djph> but "maybe"
12:33 < Aviyah> I am not even going to try to do such a thing though. These were literally bottom of the barrel repeaters.
12:33 < Aviyah> I am just going to buy a better, newer set of repeaters and go from there.
12:34 < winsoff> Aviyah, I know what's wrong here
12:34 < Aviyah> Shoot?
12:34 < winsoff> you're using a repeater.
12:34 < Aviyah> Yeah, I know. They are not for me particularly.
12:34 < Aviyah> I use a different network than these repeaters connect with but they are for my housemates.
12:35 < winsoff> Aviyah, what's the size of the house?
12:35 < winsoff> If you are willing, I bet we can find a better solution.
12:35 < djph> Are they *repeaters* or extra APs?
12:35 < Aviyah> It is decent sized but the dimensions of the house make two repeaters necessary.
12:35 < winsoff> Not necessarily.
12:36 < Aviyah> Because the house has wings and a courtyard like situation.
12:36 < kidn3ys> run cable, add more APs.
12:36 < winsoff> I have one of these situations. Large house.
12:36 < Aviyah> Anyways, if I needed to extend a signal, I wouldn't use repeaters.
12:36 < winsoff> AP placed in the middle of the house covers the entire house.
12:36 < djph> winsoff: not necessarily
12:36 < Aviyah> Yeah, I have a different set-up. For now.
12:36 < winsoff> djph, I'm saying in my case, which is a super large house.
12:37 < winsoff> Some ludicrous 4k sq ft or something.
12:37 < Aviyah> I am going to start messing around with some kind of wireless mesh and learn more about it.
12:37 < winsoff> Aviyah, what is the current primary AP?
12:37 < djph> Aviyah: are they actually *repeaters*, or are they wired-in APs?
12:37 < winsoff> And what devices are your housemates using?
12:37 < Aviyah> They are actual repeaters.
12:37 < Aviyah> Linksys repeaters hooked up to their own access point.
12:38 < winsoff> What model are these linksys repeaters?
12:38 < Aviyah> RE2000
12:38 < djph> ew, why'd you do that to your poor housemates?
12:38 < winsoff> Looks like they are dual-band.
12:38 < mcdnl> what about plc aps?
12:38 < Aviyah> Yeah, they're not impressive and they were literally dirt cheap.
12:38 < winsoff> Aviyah, if you are insistent on keeping these, all you need to do is put the link on the 5ghz band and then the repetition on the 2.4ghz band.
12:39 < winsoff> How cheap is dirt-cheap?
12:39 < winsoff> Good dirt is $14 a cubic yard.
12:39 < Aviyah> Interesting idea, winsoff.
12:39 < Aviyah> lol
12:39 < Aviyah> I'll try that out actually.
12:39 < djph> winsoff: which is way better than mulch ... goddamn
12:39 < winsoff> djph, lolol
12:40 < Aviyah> I am going to just deploy them with the WPS and be done with it. I don't like WPS though.
12:40 < winsoff> Why are you mulching?
12:40 < winsoff> Aviyah, don't use WPS. It's heavily vulnerable.
12:40 < Aviyah> I know.
12:40 < Aviyah> It is extremely easy to exploit.
12:40 < Aviyah> Which is why I am bummed out.
12:40 < djph> winsoff: because weeding the rose garden sucks
12:40 < Aviyah> I am not going to deploy both of them. Just one for the sake of a smart tv which will be the only device connecting to it.
12:41 < winsoff> djph, loller. Landscape fabric is cheap!
12:41 < winsoff> Inb4 "but ugly"
12:41 < djph> winsoff: yeah, but it's not as nice looking. Gotta keep the missus happy.
12:41 < winsoff> Another option is just wood chips and pine needles.
12:41 < winsoff> The missus is gonna go missing if she keeps piping up about how the rose bush looks
12:41 < Aviyah> On the subject of router firmware builds though, how do the current mainstream options size up to you guys
12:41 < Aviyah> ?
12:41 < winsoff> Aviyah, what is your current gateway's make/model
12:42 < djph> winsoff: haha, yeah, we do the natural / woodchip mulch. still like $20/yd
12:42 < winsoff> Hot fuck. I wonder how much they get out of a decent sized diseased tree.
12:43 < winsoff> I really need to make a better (illegal) wifi antenna setup.
12:43 < Aviyah> The gateway for their network to which the repeaters were to connect was an ISP-provided modem.
12:43 < winsoff> The book I have on antenna design is really hefty, though.
12:43 < squ> winsoff: illegal?
12:43 < winsoff> squ: only for certain jurisdictions
12:44 < winsoff> Aviyah, what make/model
12:44 < kidn3ys> I've never seen an antenna design declared as 'illegal' only channel usage and power usage.
12:44 < squ> emitting forbidden frequencies is illegal probably, but antenna design?
12:44 < winsoff> kidn3ys, a boosted antenna is still a designed antenna.
12:45 < Aviyah> That doesn't matter. It isn't the weak link.
12:45 < winsoff> The larger power usage is specifically part of the antenna's design, as far as I know, since there are not many cards that let you use them as power supplies.
12:45 < winsoff> Aviyah, it matters to my question. Don't treat me like tech support.
12:45 < kidn3ys> sure, but isn't it then illegal because of the output of the antenna?
12:46 < winsoff> kidn3ys, indeed, though the criminal intent is in the design and assembly of the antenna for illegal purposes (malicious intent), or whatever.
12:46 < Aviyah> I wasn't treating you like technical support. I wasn't really dismissing you so much as preserving my infosec. It is a modem/VOIP hub.
12:46 < squ> what is your intent winsoff
12:46 < Aviyah> I would have to go look at the thing to tell you.
12:46 < Aviyah> This isn't my network.
12:46 < winsoff> squ: nice try fbi
12:47 < winsoff> Aviyah, I figured you already knew. You don't have to go look at it; you can just log into it
12:47 < djph> winsoff: although, that may include delivery (I really need a truck, but ~money~)
12:47 < winsoff> You could also just pull the make/model out of the air if wps is enabled, Aviyah
12:47 < winsoff> djph, I hate trucks, and I still try to do everything in a sedan.
12:48 < djph> winsoff: yeah, but it's kinda hard to do bulk mulch in that :)
12:48 < Aviyah> Oh, the gateway doesn't have WPS enabled. I made sure of that when I set it up like a year ago.
12:48 < Aviyah> Right now I am not even connected to that network.
12:48 < kidn3ys> winsoff: hrm, maybe I'm splitting hairs -- my understanding is that it doesn't matter the intent if your output power has broken the threshold of the local governing body it's illegal. intent of use of the antenna would be an entirely different situation/charge (assuming they could prove it)
12:49 < Aviyah> I am using my own but I am hopping back and forth between two different networks.
12:49 < Aviyah> Anyways, what do you all think about home mesh networks out there?
12:49 < Aviyah> Are they worth the cost?
12:49 < djph> copper > mesh.
12:49 < kidn3ys> e.g. in Moscow you're limited to 25mW -- if you were to break that the FSB gets to crawl up your ass about it
12:49 < djph> 25 mW!?
12:50 < winsoff> Aviyah, it's cheaper and easier to buy PATCH CABLES in 50 foot lengths and run them where you need them
12:50 < djph> that's like what ... 6 dBm?
12:50 < winsoff> Still cheaper, I think, to just buy a spool of ethernet, the tools to crimp and test it, and then to crimp and test it yourself and run the damn lines
12:50 < djph> oops, 13 ... but still
12:50 < winsoff> I still don't get dB in terms of "oh wow that's a lot":
12:51 < kidn3ys> djph: yea -- small cells :(
12:51 < winsoff> For instance, if a network's rssi is -70dBm from where I am sitting, and then I put on a 5dBi antenna, does that mean the theoretical max rssi i'm going to get is -65dBm?
12:51 < squ> did you know that google does not have mW to dBm conversion
12:51 < djph> winsoff: 0 dB = 1 mW.... from there every 3 dB is doubling (or halving) the wattage. 10 dB = *10 (or /10)
12:51 < Aviyah> Yeah, I know. I like to learn the air but you're right. I don't even have wireless interfaces in some of my systems. I took that shit out.
12:52 < djph> winsoff: well, the theoretical minimum, yes.
12:52 < djph> barring any losses in cabling between the antenna and the radio transceiver.
12:53 < winsoff> WPA2 is extremely insecure. If someone were to put up the cash for an ASIC that bruteforces WPA2, they could get intensely fast speeds (think Giga/terahashes/sec).
12:53 < kidn3ys> winsoff: rssi doesn't translate directly to dbm
12:53 < djph> winsoff: er, what?
12:53 < winsoff> djph, I was replying to Aviyah
12:54 < winsoff> WPA2 itself is extremely insecure in that it's not very good crypto against modern computational power.
12:54 < djph> winsoff: that WPA2 is "extremely insecure"? Last I looked, AES was still a "hard" problem.
12:54 < kidn3ys> Depends who you are.
12:55 < squ> who?
12:55 < kidn3ys> If you're a nationstate -- WPA2 is likely a very small hindrance in the grand scheme of things.
12:55 < winsoff> djph, forgive me, but as far as I know, bruting wpa2 just requires the handshake and the ability to do 4096 rounds of sha really quickly
12:55 < Aviyah> Yeah, I do not trust wireless networks.
12:55 < Aviyah> At all.
12:55 < djph> winsoff: er ... maybe if it was TKIP?
12:55 < winsoff> oh it's sha1
12:56 < djph> winsoff: but using AES/CCMP as the underlying crypto ... I don't think it's quite that straightforward
12:56 < winsoff> It doesn't matter if it's tkip or ccmp i think
12:56 < Mead> TKIP has been shown to be insecure for over a decade
12:56 < djph> admittedly, I'm not a cryptonerd
12:56 < djph> Mead: I know
12:56 < winsoff> i'm pretty certain it just has to do with the weakness of the known plaintext in the mic
12:57 < winsoff> weakness in wpa2 overall, that is
12:58 < Mead> what size of nails do I need to attack fence pickets to 1 x 3 rails?
12:58 < Aviyah> I was once involved in certain foreign interests several years ago and witnessed a successful attack against a pairwise key.
12:58 < Aviyah> I don't like Wifi.
12:59 < winsoff> Mead, well, if you just want to attack them, you don't even need to grow out your nails. Just punch them.
12:59 < kidn3ys> The general consensus is if you're not using EAP-TLS you're fucked.
12:59 < winsoff> doesn't eap-tls still make it possible to evil twin though
12:59 < winsoff> or am i thinking of earlier eap
12:59 < Mead> err attach them, sorry typo. But I need this info before I go to the hardware store
12:59 < winsoff> Mead, buy screws, please.
12:59 < djph> Mead: I'd imagine brads would be fine with that small of material
13:00 < Mead> winsoff: screws don't fit in my nail gun
13:00 < kidn3ys> winsoff: you can still evil twin but eap-tls provides mutual certificate auth between the infrastructure and the client.
13:00 < winsoff> Mead, lolol
13:00 < winsoff> Mead, just buy finish nails
13:00 < winsoff> kidn3ys, ah, interesting. Hmm.
13:00 < Mead> what size finish nails?
13:01 < kidn3ys> or maybe im thinking of eap-ttls -- i always get them mixed up
13:01 < winsoff> Are the rails only .75" thick
13:02 < Mead> they are the standard 1 x 3 inch boards,
13:02 < winsoff> I think they make them in 1.5 inches.
13:02 < winsoff> How thick are the pickets, though? They make those in different sizes.
13:03 < winsoff> The entire thing is probably only 1.5" thick. Buy 1in nails.
13:03 < Mead> gosh I didn't measure them, maybe 3/8 inch
13:04 < Aviyah> I am getting more and more concerned with networks so I imagine I'll pop in here with some frequency. Any systems architects running around this channel?
13:05 < squ> only fence architects
13:05 < kidn3ys> Aviyah: titles don't mean shit.
13:05 < Mead> hehe
13:05 < winsoff> Everyone in this channel is required to be licensed, insured, and bonded with the state for general contracting.
13:05 < Aviyah> I agree. I was merely curious.
13:06 < Mead> which state?
13:06 < kidn3ys> well, at least in the US.
13:06 < Aviyah> Utah.
13:06 < djph> Mead: Sealand
13:07 < kidn3ys> I was surprised to learn that 'architect' and 'engineer' are controlled titles in Russia.
13:07 < djph> they should be controlled here too
13:07 < djph> but meh
13:07 < kidn3ys> I agree.
13:07 < winsoff> Aviyah, you're in Utah?
13:08 < Aviyah> No, I was making a guess. I am in Oregon.
13:08 < squ> land of bears
13:08 < squ> sequoias
13:09 < Mead> and stanky hippies
13:09 < Aviyah> All of the above, yeah.
13:09 < Mead> can you guys pump your own gas yet?
13:10 < Aviyah> If your county has less than a certain population it is permissible.
13:10 < djph> o_O
13:10 < Aviyah> It is funny you mention that because I work part time pumping gas. LOL
13:10 < Mead> that is retarded, Pumping gas is not rocket science
13:10 < djph> ... and this is why everyone thinks the US is back-asswards...
13:10 < Aviyah> No, it is the easiest job on Earth.
13:10 < kidn3ys> Mead: not everyone is a rocket scientist
13:10 < djph> pickup nozzle, put in gastank
13:11 < Aviyah> And it keeps me entertained and physically active.
13:11 < squ> last news from Oregon was this on 15 May 2018 http://handofmoscow.com/2018/05/15/american-ninja-infiltrated-in-the-womens-toilet/
13:11 < Aviyah> But it doesn't pay well. Fortunately I have other streams of income.
13:11 < hagbard> nothing like selling coke to make ends meet. ;)
13:11 < Mead> Aviyah: I don't blame you for taking the job, just that the state has the laws
13:11 < Aviyah> Yeah, I know. I wasn't offended.
13:12 < Aviyah> It is the most basic job. You push some buttons and you slide cards. You squeeze a handle. It really isn't rocket science.
13:12 < Aviyah> I did it in high school. I did it in college. I do it again now. I enjoy it.
13:13 < Aviyah> I wouldn't work at the most bottom of the barrel job if I didn't enjoy it.
13:13 < Mead> I drove through in 2004 and was dumbfounded by the concept. I had not seen full service gas stations in my state since before the end of the cold war
13:13 < hagbard> I did that back in '03, Redmond to SF
13:13 < mgolisch> why do you need people for that anyways?
13:14 < mgolisch> can't the driver fill gas in their car themselves?
13:14 < Aviyah> You really don't. I imagine in the 50's when the law was passed that enough people viewed it as a serious liability issue.
13:14 < hagbard> Ostensibly, so there are jobs for people who fill gas into cars, I believe.
13:14 < mgolisch> hm i see
13:15 < Aviyah> People treat gas pumpers like they're morons though. That is the most entertaining part.
13:15 < Mead> Didn't a bunch of old people freak out after never having pumped their own gas in their life?
13:15 < hagbard> I mean, they're not wrong, they're morons too.
13:15 < Aviyah> Stuck up yuppies in their Volvo n' shit.
13:15 < hagbard> I mean, the people calling the attendants morons are also morons.
13:15 < Aviyah> Pretty much.
13:16 < hagbard> you gotta be a special kind of stupid to degrade the people serving you.
13:16 < kidn3ys> Are we making a blanket judgement that all attendants are not morons?
13:16 < hagbard> I wasn't.
13:16 < Aviyah> I like this channel more and more talking to you guys. It has personality and it's active at this hour. Perfect.
13:16 < Mead> I always try to show people doing shit jobs that society depends on to function nicely.
13:16 < mgolisch> i saw that a lot in spain too but it's not a common thing here in germany
13:16 < Mead> err treat
13:16 < hagbard> It's like the beginning of the American Gods show - Always be nice to the ladies behind the counters at airports.
13:17 < Mead> See a janitor cleaning up shit? "Hello, how is it going." and try to avoid the wet floor they are mopping or whatever.
13:19 < Aviyah> If my girlfriend finds out i am still awake at this hour I'll have to figure out an excuse that alleviates what will become her adderall theory.
13:19 < Aviyah> lol
13:19 < squ> 4 in the morning in Oregon
13:19 < Mead> this hour? It's 6am, time to start your day
13:19 < kidn3ys> just have some porn off to the side
13:20 < Aviyah> Or just go low-key and curl up with this shit on my chest and if I hear her door I act like the dude who passed out paying his shit the proper diligence.
13:20 < Aviyah> Whereabouts are you guys?
13:20 < kidn3ys> Moscow at the moment
13:20 < Mead> The Republic of Texas
13:21 < Aviyah> Moscow, eh? I would like to visit someday.
13:21 < kidn3ys> It's a beautiful city.
13:21 < Mead> https://en.wikipedia.org/wiki/Moscow,_Texas
13:22 < kidn3ys> stand by
13:22 < Aviyah> I know a lot of Russian Jews. I used to date one.
13:22 < Aviyah> A lot of Jews in Russia.
13:23 < squ> half of Israel is russian
13:23 < Aviyah> In fact a majority of the organizentia leadership are Jewish.
13:23 < Aviyah> Yeah, I know.
13:24 < Aviyah> You Israeli, squ?
13:24 < squ> no
13:24 < squ> but sometimes friends tell me I behave like one
13:25 < Aviyah> You never wait for a table. There are worse things.
13:25 < Mead> I got called a jew after beating most of the basketball team at dominos when I was in College
13:25 < Aviyah> lol
13:26 < kidn3ys> Bah. I was going to get a picture of St Basils with a sticky note that said 'No, Mead not Texas' but there is a bunch of shit in the way.
13:26 < Mead> Oh, so Moscow idaho?
13:27 < kidn3ys> Pretty sure there is only one St Basils cathedral...
13:27 < Aviyah> Alright. That's a whole pack of smokes since the afternoon yesterday. I am on a roll.
13:29 < Mead> I don't pay attention to where cults worship, so I don't know what st basil's is
13:29 < Aviyah> lol
13:29 < kidn3ys> Less about the cult, more about the architecture. Lots of really cool buildings here.
13:30 < squ> how cool?
13:31 < Dalton> ice cold
13:31 < kidn3ys> Umm, we'll call it 61 degrees cool?
13:32 < Mead> 61 degrees is cool it was like 98 degree here yesterday
13:33 < kidn3ys> Yea, the weather has been great -- only a couple rainy days.
13:36 < kidn3ys> lunch time, bbl
13:39 < Aviyah> Any of you guys following Westword right now?
13:40 < Aviyah> Westworld***
13:40 < Mead> not me, waiting for the second season to be over to binge it
13:41 < Mead> been big on The Expanse lately
13:42 < Aviyah> Yeah, I am secretly doing roughly the same thing. My girlfriend insists that I disconnect to watch it every sunday but I just spend the time thinking about shit. I want to watch it straight through in silence, alone and on my terms.
13:42 < Aviyah> Everybody makes way too much noise for me to get into it.
13:44 < Aviyah> It seems like a good season though.
13:44 < squ> it's just because we had no adequate series on space thematics
13:48 < Aviyah> So I am merely curious and not that it matters but are there any Jewish regulars in this channel?
13:49 < Mead> Why would a person's religion be relevant in an irc chat about networking?
13:49 < Aviyah> Being Jewish is more than just a religious framework. It is a culture as well.
13:50 < djph> s/culture/cult/ bahhahaha
13:50 < djph> anyway, seriously bro (cue triggers for gender assumption), it doesn't matter.
13:51 < Aviyah> You're right. It was merely another curiosity.
13:51 < Aviyah> I wasn't suggesting that it makes a difference honestly.
13:51 < Mead> I'm not your bro, man
13:51 < djph> I'm not your man, bud
13:51 < Aviyah> lol
13:52 < Aviyah> I really like this channel.
13:52 < Aviyah> I think you guys are cool.
13:52 < Mead> I'm not your bud, dude
13:52 < djph> c-c-c-c-combobreaker
13:52 < djph> i'm not your dude, pal
13:52 < Mead> I'm not your pal, guy
13:52 < djph> i'm not your guy, friend
13:52 < Aviyah> You guys have humour. Something a great many freenode channels seem to lack.
13:52 < Mead> I'm not your friend, buddy
13:53 < djph> i'm not your buddy, homie
13:53 < Mead> I'm not your Homie, vato
13:54 < djph> anyway, if a channel doesn't have fun, it's probably infested with leftwing commies
13:55 < Mead> damn commies, sprouting up in the USA again. I thought they all realized the error of their ways when the USSR fell
13:55 < Aviyah> Or people who take themselves way too seriously.
13:56 < Aviyah> Don't get me started. And while we're after the commies, we should send all the Mexicans back to Guatemala.
13:57 < Mead> Guatemala doesn't want them either, you know who likes mexicans? mexico
13:57 < djph> shit, even Mexico doesn't like Mexicans
13:57 < Aviyah> Not these days.
13:57 < djph> but yeah, the left wingnuts are cancer ... all of their ideologies are cancer ...
13:58 < Mead> Left wingers are almost as bad as right wingers
13:58 < Aviyah> lol
13:58 < Mead> I'd rather be a torso than a wing
14:00 < squ> )))))
14:01 < djph> Thank Cthulhu that we got the reincarnation of the god emperor of mankind.
14:02 < Aviyah> lol
14:02 < kottt> ideology isn't the problem, it's dogmatic adherence and the vilification of the opposing viewpoint
14:02 < djph> the far-[left|right] are all crazies. center-left can be okay people.
14:02 < djph> although, the weird thing is that the conservatives are apparently this generation's dissidents. holy hell, talk about role-reversal.
14:02 < Aviyah> I prefer to stay off the whole mat when it comes to politics.
14:03 < kottt> left and right wing politics in the US are two sides of the same coin, and it's the coin used by the god damn illuminati to systematically oppress free thought
14:04 < djph> Aviyah: I was much the same, until the 2016 election ... although it's taken til like April / May this year to get educated enough to at least consider that I'm not just getting drawn in by propaganda.
14:04 < microwaved_> kottt: it's called *Cabal*
14:04 < Aviyah> There are a shit ton of people parked in this room. Roundabouts how many active regulars in here?
14:04 < djph> depends on the day, really
14:04 < djph> and time-of-day as well
14:05 < djph> kottt: and yeah, you're right about the whole vilification thing.
14:05 < Aviyah> I have the same indignation, djph. I started to weigh in here and there since the 2016 election myself.
14:05 * TotallyNotKim sets parking brake on
14:05 < Aviyah> But as a usual policy I don't go there. It just pisses me off.
14:05 < Aviyah> lol
14:05 < Mead> so back on the topic of networking, anyone messed with ethernet over coax lately?
14:06 < squ> I have a problem and reading irc while I don't know how to solve it
14:06 < TotallyNotKim> Mead: that would be basically one tp?
14:06 < kottt> that's what irc is for
14:06 < Mead> one tp?
14:06 < Aviyah> I have to wake up and drive in like 2 hours.
14:07 < TotallyNotKim> well twisted pair, but I don't think coax is even twisted
14:07 < Aviyah> It was honestly a pleasure talking to you guys tonight/this morning. I will be back for sure.
14:07 < Mead> no, I'm talking about coax like what tv/cable traditionally uses
14:07 < squ> remember we are not your guys, Aviyah
14:07 < djph> Mead: not since 10BASE-T
14:07 < detha> Mead: thinnet?
14:07 < djph> detha: I think RG6/RG59 is thicknet
14:08 < Mead> detha: moca
14:08 < detha> thicknet is more like RG8, aka garden hose
14:08 < djph> ah
14:10 < djph> I've only seen thinnet as like RG17something
14:10 < Mead> My directv install already uses some modern form of ethernet over coax, the boxes even get IPs from my internet gateway. Was wondering if I could use it to get connectivity for other devices and computers
14:20 <+catphish> i think this might have been a little too much load :) https://i.imgur.com/xLUsibq.png
14:22 < djph> load average?
14:22 < djph> yeah 30 is probably a bit much
14:22 <+catphish> yeah
14:22 < djph> how many cores?
14:22 <+catphish> 8
14:23 < djph> so only about 3.5x over-worked
14:23 <+catphish> i had 2 x 8 core servers in a cluster, both in the same state, i've added 2 more :)
14:23 < djph> probably a good idea
14:24 < djph> I really have to get better at "Linux Server Administration"
14:24 < djph> I mean, I know my way around the CLI and everything ... but actual spinning up something "automatic" (ansible?) ... not so much (and probably loads of other things)
14:26 <+catphish> i'm still mostly of the "do everything manually and document it" school
14:26 < djph> catphish: yeah, same here -- but looking for an admin job, they all want that kind of stuff.
14:26 <+catphish> though of course one should have proper automated processes for some things, in our case monitoring, firewall and security policy management mostly
14:27 < djph> (need to GTFO this company)
14:29 < detha> catphish: you just went past automation threshold - one or two servers: do it manually. 3 or more, automate it.
14:30 <+catphish> detha: i think that's probably it
14:30 <+catphish> individual servers are configured manually and documented, company-wide things are automated
14:32 < squ> how are you documenting things? A file with dates and changes you've made to the system?
14:33 < detha> "The Little Black Book"......
14:34 < Minnebo> is there a way to check which TLS version a client uses when using FTP?
14:34 < djph> no, because FTP doesn't use TLS
14:34 < djph> upgrade to SFTP.
14:35 < grawity> Minnebo: you arrived right in the middle of Pedantry O'clock here, so you need to call it "FTPS"
14:35 < Minnebo> :)
14:35 < Minnebo> Same question ;p
14:35 < Minnebo> (using ftps)
14:35 < djph> grawity: wait, when is it not pedantry-o-clock in here?
14:35 < grawity> djph: when you're not around
14:36 < grawity> Minnebo: are you checking from the client side, or from the server side?
14:36 < Minnebo> client side
14:36 < djph> grawity: logs seem to disagree...
14:36 < grawity> then ask your client program I'd say
14:36 < grawity> some in fact put that in the logs
14:36 < grawity> for those which don't, idk, I'd try Wireshark and see if it shows that in the handshakes
14:36 < Minnebo> Some of our clients are using 'moveit cmd line' a pretty large script with certificates to setup the connection (it is to upload credit card stuff)
14:37 < grawity> of course, the best option would be to disable undesired TLS versions server-side
14:37 < djph> ... and this is why cc info gets stolen ...
14:37 < Minnebo> ATOS Worldline forces TLS 1.2 as of July 2018
14:37 < Minnebo> which is a good thing : )
14:39 < dogbert2> get the new lenovo P52 thinkpad with 128GB of ram, 6TB HDD, 15,6" 4K screen, and the gfx card from hell :)
14:40 < kottt> 128GB of ram...
14:40 < kottt> :thinking:
14:40 < UncleDrax> 64kB should be enough for anyone
14:40 < kottt> get out of here grampa
14:40 < djph> dogbert2: an AMD?
14:40 < djph> UncleDrax: 640
14:41 < UncleDrax> djph: 640B? or 640kB ? either way don't care. I'm sticking with my 64kB.. because C=64s rule, Apple]['s drool
14:41 < kottt> so cyberpunk he shits model M's
14:42 < djph> if that were the case, you'd think they wouldn't cost so damn much
14:42 < grawity> model M's are literally the opposite of cyberpunk
14:42 < kottt> hmm
14:42 < kottt> yes i suppose so
14:42 < kottt> nevermind me
14:43 < kottt> still so mad at myself for throwing away the model M i had growing up
14:43 < kottt> for a shitty razer arctosa membrane keyboard
14:43 < UncleDrax> because you really like AT connectors?
14:43 < djph> UncleDrax: I believe the quote was (more or less) "I can't imagine a time when someone will need more than 640K of RAM"
14:44 < kottt> i needed the anti-ghosting for counterstrike 1.6
14:44 < UncleDrax> djph: prob true.. tbh I've paraphrased it for so long the actual quote has been lost to me
14:44 < djph> Model M's had PS/2 as well (although that might've been after IBM sold to ... Unicomp?)
14:44 < djph> UncleDrax: yeah, hence the "more or less" -- could be 640K is enough for anyone ...
14:44 < UncleDrax> ya. well there's a whole Mech-KB scene now. unfo getting ergo/split type mech KBs is usually very $ or the models are too weird.
14:45 < kidn3ys> seems to have livened up in here
14:51 < djph> UncleDrax: well, mechanical keyboards were quite good ...
14:52 < kottt> my BFF got me a DasKeyboard, it is my favorite thing... <_<
14:52 < kidn3ys> kottt: which model?
14:53 < kottt> let me find out, I always forget
14:53 < kottt> it's pretty baseline
14:54 < UncleDrax> djph: yeap. There's an IndieGoGo for a reasonably priced (<$300usd) fixed-frame split mech KB that I'm prob gonna jump on. They do move some of the meta-keys so I'll have to relearn how to type.. so that's annoying.. but might be worth it
14:54 < kottt> The Model S Professional is the closest to what I've got
14:54 < kottt> https://www.daskeyboard.com/model-s-professional/
14:55 < kidn3ys> Ah, I think i ended up with the professional (non-s). Really enjoy it though.
14:56 < UncleDrax> the biggest problem with the X-Bows though if I used it for home is they recommend WASD mapping -> RDFG or something.. which would be great except half the games out there still don't let you remap right
14:57 < djph> ew
14:57 < kottt> UncleDrax: Use a program with profiles to remap your keys at the OS level so that R->W, etc
14:57 < kidn3ys> that sounds ugly.
14:57 < kidn3ys> in game chat/multitasking goes to shit
14:58 < kottt> mmm
14:58 < kottt> fair point
14:58 < UncleDrax> ya i'd imagine so
14:58 < UncleDrax> aight.. conf call. please return the channel to the usual 'my wifi router is crap and I can't VPN to netflix'-problems by the time I return. kthx
14:59 < kidn3ys> netflix has VPNs?
14:59 < UncleDrax> no, but enough ppl try to VPN to get around NF's region locking, it comes up enough.. so it seems
14:59 < grauzikas> Hello, i'm trying TC rule on Centos machine to shape virtual machine traffic, but i'm getting some error: https://pastebin.com/VmKmpey3
15:00 < grauzikas> and in virtual machine internet speed is only 300kbps after these rules
15:00 < kidn3ys> UncleDrax: I know -- I was just fucking with you. :D
15:00 < hiya> What's up?
15:01 < hiya> I want to redirect all the UDP/TCP traffic to a local transparent socks-proxy which can handle both on my Debian Linux laptop
15:01 < hiya> Can someone help me with it?
15:04 < kidn3ys> hiya: which part are you stuck on?
15:05 < hiya> :P
15:05 < hiya> kidn3ys, Wait I will show you what i wrote with iptables okay?
15:05 < kidn3ys> k
15:08 < ALowther_> If a router is on layer 3, then how come they so often support ports? Aren't ports layer 4? If I SSH into my router, doesn't it have to have port 22 open (or whatever non-standard may be configured)?
15:09 < djph> because the "layers" aren't "hard limits"
15:10 < grawity> ALowther_: but ports aren't involved in routing
15:11 < hiya> https://hastebin.com/tirukotiza.bash <-- kidn3ys
15:11 < ALowther_> grawity: So its main purpose is to deal with things on layer 3, but it may have functionality for layer 4 or even above...I guess if a router has a web interface then it's even supporting layer 7, yeah?
15:11 < ALowther_> djph, too. :)
15:11 < hiya> https://manpages.debian.org/testing/shadowsocks-libev/ss-redir.1.en.html <-- kidn3ys this is where i took it from
15:11 < grawity> ALowther_: yes – L3 routers, L2 switches, even L1 media converters can additionally act as hosts and speak the entire stack
15:12 < grawity> there's really nothing in the "layering" thing that forbids it
15:12 < kidn3ys> hiya: so where are you getting stuck?
15:12 < lupine> don't forget, layers are the enemy
15:12 < ALowther_> grawity: It's more generally what it is purposed for and what it will do best?
15:12 < grawity> it's about how routers are L3 because they make their routing decisions based on IP addresses, and not Ethernet MACs or TCP ports
15:13 < hiya> kidn3ys, when I turn it all on, it shows my ISP's external IP instead
15:14 < grawity> (that said, yes, there are L2 switches which do "IP-based VLANs", and there are routers which do TCP port "policy routing" – *this* would be a layering violation strictly speaking)
15:15 < kidn3ys> they are not IP-based VLANs.
15:15 < kidn3ys> that is 100% just how someone decided to associate subnets to those VLANs
15:15 < grawity> sometimes they are
15:16 < kidn3ys> explain...
15:17 < djph> grawity: well "violation"
15:17 < grawity> kidn3ys: literally, some switches support assigning the VLAN membership based on various things like ethertype, or MAC vendor, or IP source address
15:17 < grawity> as in https://i.imgur.com/z71XHaS.png
15:17 < grawity> it's ... probably to deal with some shitty VoIP phones, I assume
15:18 < kidn3ys> .. that looks like a fucked up gui for setting up an SVI.
15:18 < kidn3ys> again -- has nothing to do with the VLANs being 'ip based'
15:18 < grawity> no, it's not
15:19 < djph> VLAN tagging is L2 isn't it?
15:19 < grawity> they don't behave anything like SVIs, and the same config section has "MAC-based VLAN" and "Protocol-based VLAN"
15:19 < kidn3ys> djph: yes
15:19 < djph> this coffee has far too little booze :|
15:21 < kidn3ys> grawity: what device is that from?
15:21 < grawity> ZyXEL GS1910-24
15:21 < kidn3ys> -_-
15:22 < kidn3ys> like i said, some fucked up implementation of multiple technologies
15:22 < grawity> I see our TP-Links support VLAN assignments by MAC or protocol, too
15:22 < kidn3ys> that's dynamic vlan assignment
15:22 < grawity> how's that any different
15:22 * meowschwitz strangles TP-Link as a concept
15:23 < kidn3ys> it's not far off from dot1x
15:23 < hiya> kidn3ys, do you know? what is going on?
15:23 < kidn3ys> hiya: haven't looked
15:23 < hiya> Ok
15:24 < grawity> kidn3ys: so like it sees a frame with MAC x:y:z:t:a:b, and internally tags it as VLAN 42 based on that?
15:25 < kidn3ys> grawity: likely swaps the port to that specific vlan when a device is connected
15:25 < ALowther_> kidn3ys, grawity, djph: Thanks for the trialogue. Information for all :)
15:25 < grawity> though either way, that's the same as what I was talking about moments earlier, just replace 'MAC' with 'IP' :)
15:26 < kidn3ys> grawity: I understand what you're talking about but VLANs are NOT ip-based.
15:26 < hans_> i'm behind 2 routers, the deepest has subnet 192.168.0.0/31, the upper 1 has 192.168.1.0/31, the computers connected to the deepest subnet can connect up to 192.168.1.* , but not vice versa.. and now that's a problem
15:26 < djph> check routing, also NAT
15:27 < grawity> kidn3ys: well, why can your "dynamic vlan assignment" be MAC-based and protocol-based but not IP-based?
15:27 < hans_> by assignment, you mean assign IPS?
15:27 < hans_> IPs* i guess
15:28 < kidn3ys> grawity: you can use all kinds of information to drop things into specific VLANs, under the hood it's just a means of authentication
15:28 < kottt> hans_: routers above the 192.168.0.0 subnet don't have a route to the 192.168.1.0 subnet
15:28 < grawity> if you use the IP header to drop things into VLANs, that's by definition "IP-based"
15:29 < kottt> set a static route on your 192.168.0.0 router to point 192.168.1.0/24 traffic to the address of the 192.168.1.0 router
15:29 < hans_> kottt, yeah that sounds about right
15:29 < kottt> or learn about RIP or something and have the deepest router advertise its subnets
15:29 < grawity> much like using 'regular' tags is called "802.1Q-based" in some switches, etc.
15:29 < kidn3ys> grawity: and yet the VLAN exists regardless of the addresses you're using, right?
15:29 < kottt> which is technically the more proper way of handling it but may be overkill depending on your use case
15:39 < kidn3ys> grawity: makes me wonder how they handle devices that use dhcp though...
15:39 < grawity> kidn3ys: I assume the tagging decision is done per-packet, not just based on what's seen initially
15:39 < grawity> oh, yeah, I get what you meant
15:40 < grawity> the feature seems so special-purpose that they probably don't bother with dhcp
15:40 < UncleDrax> innit that what option 66 stuff is for?
15:40 < UncleDrax> assuming said switch will still accept ingress vlan tags for said mapped vlan
15:40 < UncleDrax> ?
15:41 < UncleDrax> (or about a dozen other auto-prov protocols)
15:41 < kidn3ys> hrm, isn't 66 just specifying an ip -- as in "go talk to this IP for your config"?
15:42 < kidn3ys> sure
15:42 < kidn3ys> i only recall it for phone configs
15:42 < UncleDrax> yeap.. then your device applies said config, which in theory you might use to force it into a VLAN
15:42 < UncleDrax> I've seen some ONT/NIDs that use it
15:43 < UncleDrax> but that's like 'hey i'm doing FTTx and your CPE needs to be generic and get a config based on what port it is connected to' stuff
15:43 < kidn3ys> UncleDrax: I was thinking more along the lines of where does the dhcp server live if the switch dynamically changes the vlan based on source ip
15:43 < UncleDrax> oh the switch is changing the default vlan?
15:43 < UncleDrax> i figured it was just mapping based on l2/l3 info
15:43 < kidn3ys> UncleDrax: Yea -- grawity pointed out that zyxel has an 'ip' 'mac' and 'protocol' based vlan feature
15:44 < kidn3ys> It seems like a closet case where you have a switch that doesn't support dot1q tags connected to a single port with devices that typically reside in multiple broadcast domains
15:45 < UncleDrax> ya.. although I'd spend to get a .q aware switch.. I mean the up charge these days is minimal
15:45 < kidn3ys> agreed
15:45 < kidn3ys> just an interesting idea
15:46 < UncleDrax> I could see it if you deployed WhositWhatsit brand SIP phones and they all start with mac ff:ff:ff and you want to slap them into a VoIP VLAN.. that sorta thing
15:46 < kidn3ys> sure
15:46 < kidn3ys> the mac based makes sense
15:47 < kidn3ys> not far off from dot1x with mab
15:47 < hanshenrik> the outer subnet is 192.168.1.* , the deep router's ip on the outer subnet is 192.168.1.100, the deep subnet is 192.168.0.*, the deep router's ip on the deep subnet is 192.168.0.1, and i have no idea what i'm doing. any suggestions? https://i.imgur.com/FNX8bub.png
15:48 < kidn3ys> hanshenrik: what's the problem?
15:48 < djph> hanshenrik: before we go any farther, what are the make/model of these two routers?
15:48 < hanshenrik> kidn3ys, devices in the outer subnet cannot initiate connections with devices in the deep subnet
15:48 < hanshenrik> but vice versa works fine
15:48 < djph> oh, linksys ... you're fucked, and have to use NAT.
15:48 < kidn3ys> hanshenrik: sounds like you're probably NATing.
15:49 < djph> oh wait, sweet, you can turn off the nat - turn that off on the "deep router", and add a static route on the "outer-router" to get to 192.168.0.0/24 via 192.168.1.100
15:50 < grawity> UncleDrax: yeah the zyxels actually default to a bunch of voip OUIs in that feature
15:51 < hanshenrik> the outer router is a Linksys... this 1 https://www.linksys.com/dk/support-product?pid=01t80000003KOIsAAO - and the inner router is TP-Link AD7200, this 1 https://www.tp-link.com/us/products/details/cat-5506_AD7200.html
15:52 < djph> hanshenrik: if the tp-stink can't disable NAT, you're SOL. Why're you doing this anyway?
15:54 < hanshenrik> djph, i need a device connected by cable to communicate with a TP-Link HS110 smartplug that can only communicate via wifi, and the wifi is from a different router, bleh
15:54 < grawity> kidn3ys: are ACLs on switches a common feature?
15:55 < grawity> kidn3ys: like "drop packets matching this condition"
15:55 < kidn3ys> on a port?
15:55 < djph> hanshenrik: so you don't actually need the second router to route?
15:56 < kidn3ys> grawity: most access layer switches only support inbound filtering and doing an ACL per port is a pain in the ass to manage
15:56 < kidn3ys> most of the time it gets pushed up to the SVI/gateway for that subnet
15:56 < djph> hanshenrik: set it up to be an "ap only" (if you can), or turn off all the DHCP and whatnot, and instead of using its "WAN" port as the uplink, use one of the switchports (NOTE, set its LAN IP Address to something in the 192.168.1.0/24 range)
15:56 < kidn3ys> but dot1x can dynamically apply ACLs as well.
15:56 < kidn3ys> and those are applied at the port level
15:56 < hanshenrik> ill try that
15:57 < kidn3ys> depending on what you're trying to do, private VLANs might be a better option
15:59 < grawity> just asking because the zyxel has this kind of packet filtering, so I suppose they thought "hey we have accept and drop, why not add an action to mangle vlan tag"
16:01 < meowschwitz> omg zyxel still exists
16:02 < kidn3ys> grawity: sure, im not saying its not useful. my point was just that VLANs are not tied to IPs -- regardless of what a single manufacturer decides to name a feature
16:25 < hans_> doesn't seem like i can turn off NAT x.x is this related? https://i.imgur.com/nR5usCC.png
16:26 < Dalton> how many public ips are you going to route through that Tp-Link residential wifi router?
16:29 < hans_> randomishly 4-10 i guess (4 right now), but there's only 1 device/ip that i need to communicate with from the outside
16:35 < HTiberian> anyone ever experienced problems with linux active-passive bonding (mode 1), using VLANs on top of bond and a centralized firewall connected to both VLANs and seeing the same MAC address several times in every VLAN/zone?
16:35 < Dalton> hans_: i don't know that you can disable NAT on that kind of a device.
16:36 < meowschwitz> hans_: you might be able to turn off nat by switching device mode to bridging or whatever
16:37 < HTiberian> We are seeing our switches flooding frames to all hosts in this VLAN, which are directed to these machines
16:37 < meowschwitz> personally I'm never going to buy tp-link garbage again
16:38 < meowschwitz> HTiberian: the *firewall* is seeing the same MAC in different zones?
16:38 < HTiberian> meowschwitz, right!
16:38 < meowschwitz> and this is actually arriving on the wire?
16:39 < HTiberian> normally linux does not change or scramble MAC address when adding subinterfaces on top of bond
16:40 < meowschwitz> I'm wondering if this is an actual problem with your network layout and configuration or the particular box which sees a phantom effect
16:40 < HTiberian> so switching gear learns 00:00:00:00:00:01 in VLAN 10 and VLAN 20
16:40 < HTiberian> and so does the firewall
16:41 < HTiberian> firewall is Cisco ASA 5580
16:42 < HTiberian> but what i'm wondering about is that the switches actually flood these frames to all ports in this VLAN
16:42 < meowschwitz> look at switches' host tables
16:42 < tds> hans_: if you can't do what you want in the stock firmware, it may be worth checking if openwrt/similar supports that device
16:42 < meowschwitz> tds: I checked, it doesnt
16:42 < HTiberian> nothing suspicious in the frames when doing a capture, just normal unicast forwarding
16:42 < tds> meowschwitz: ah, that's annoying :(
16:43 < meowschwitz> HTiberian: there's nothing inherently wrong with same leg of the firewall having same mac being presented to different vlans
16:44 < HTiberian> meowschwitz, thats what i'm assuming too, but what i don't get is the flooding on the switch (which is only doing L2)
16:44 < meowschwitz> is STP on? did you examine the host tables?
16:49 < hans_> according to the following article, tp-link is deliberately blocking OpenWRT.... https://www.pcworld.com/article/3044594/open-source-tools/tp-link-blocks-open-source-router-firmware-to-comply-with-new-fcc-rules.html
16:50 < hans_> but how, exactly? do they require a signed flash file before flashing?
16:50 < ||cw> yes, fcc requires it
16:50 < ||cw> and it's stupid
16:50 < hans_> .....
16:51 < HTiberian> meowschwitz, this is a Brocade Ethernet Fabric running with TRILL. No STP needed
16:51 < HTiberian> meowschwitz, and yes i checked the MAC table, shows the MAC for VLAN 10 and VLAN 20
16:52 * meowschwitz shrugs
16:52 < meowschwitz> the normal behaviour for switches is to unicast flood when the destination mac is not in the host table
16:52 < hans_> think i can still flash openwrt on there with 1 of these? https://img.staticbg.com/thumb/large/oaupload/banggood/images/BD/C9/0b6c45a2-9177-4dc5-9530-f2de1ac5b287.JPG
16:52 < meowschwitz> i dont know if it's different for fabrics
16:52 < hans_> if im lucky and the network drivers are available..
16:52 < HTiberian> meowschwitz, normally it isn't ;-)
16:53 < hans_> flashing it directly to the firmware chip
16:53 < HTiberian> but sometimes such things kill all your years of network knowledge :-D
16:54 < meowschwitz> according to pediwikia an overflow of the host table could also cause this
16:54 < meowschwitz> ymmv and so
16:54 < ||cw> hans_: unless you want to get into jtags can crap, best to stay with the supported hardware list
16:54 < ||cw> can/and/ (wtf fingers)
16:54 < hans_> jtags?
16:54 < ||cw> exactly
16:55 < hans_> like this? https://en.wikipedia.org/wiki/JTAG
16:55 < HTiberian> yeah but then i would see all traffic in that VLAN, as the switch transitions into a hub
16:55 < ||cw> yes
16:56 < hans_> well, to piss on FCC, sounds pretty tempting right about now, but nah
16:56 < ||cw> hell of a learning curve, but is some fun if you have the time
16:57 < obsrwr> Hi #networking, be prepared to roll your eyes. I have 2 network interfaces eth1 and eth2 on the same host, they are connected to each other via an ethernet switch. Can I ping through eth1, so that it goes to the switch, and back on eth2 ?
16:58 < ||cw> obsrwr: sure?
16:58 < obsrwr> something is preventing the packet from reaching the switch
16:58 < ||cw> maybe routing tables?
16:58 < obsrwr> say eth1 has mac address ::01 and eth2 has mac address ::02
16:58 < obsrwr> routing table seems ok, i have static routes
16:59 < ||cw> and you're sure they are correct?
16:59 < obsrwr> but if i have a packet leaving eth1 with dest mac ::02, it doesn't reach the switch
16:59 < obsrwr> but if i modify eth2's mac address, it reaches the switch
16:59 < tds> if it's a linux box, there will be a separate routing table (local) that causes it to go via the loopback interface?
16:59 < obsrwr> i was thinking about the local table too
17:00 < tds> so traffic back to an ip on the same box shouldn't ever leave a physical interface afaik
17:00 < obsrwr> but the MAC seems the problem, not the IP
17:00 < obsrwr> if I change eth2 mac to ::03 but still send dst address from eth1 to ::02, it reaches the switch
17:01 < obsrwr> if i change eth2 back to ::02 and eth1 packet has dest address ::02, it doesn't reach the switch
17:02 < obsrwr> if i had network namespaces maybe this wouldn't be a problem. but I can't have a custom kernel on this particular box, all i can do is change routes and arp table, any possible solution?
17:02 < obsrwr> i think the linux network stack is not letting packets leave the interface if the dst mac is a mac of one of the interfaces on the host
17:04 * meowschwitz rolls his eyes indeed
17:05 < meowschwitz> obsrwr: first, how do you know it does or doesn't "reach the switch"
17:05 < meowschwitz> second, ip route get
17:05 < obsrwr> i have access to the RX FIFO counters of the eth switch's XLAUI interfaces
17:08 < obsrwr> can i ip route get for a particular interface?
17:08 < obsrwr> when i ping i use ping -I eth1/eth2
17:09 < mcdnl> ip route | grep devname
17:10 < obsrwr> there is only 1 route to the ip of eth2, the one i set statically, 192.168.2.1(eth2) via 192.168.1.1(eth1) dev eth1
17:11 < obsrwr> same for eth2, 192.168.1.1(eth1) via 192.168.2.1(eth2) dev eth2
17:11 < detha> obsrwr: ip route show table 0 | grep 192.168.1
17:12 < obsrwr> hmm there is this local 192.168.1.1 dev eth1 table local proto kernel scope host src 192.168.1.1
17:12 < obsrwr> should i also modify local routes so that the vias cross?
17:13 < mcdnl> oh i see what you want to do
17:15 < obsrwr> mcdnl: i need to do this just to develop the firmware for the switch, but linux is being a bit weird, and i don't have much flexibility with changing the kernel
17:15 < detha> obsrwr: it would make life a lot easier if you had two machines.
17:15 < obsrwr> yes, but all interfaces are on the same PCB
17:16 < mcdnl> make a different route table for the other interface
17:16 < detha> ^
17:16 < obsrwr> a different route table... huh
17:16 < obsrwr> i would have thought i would need a different arp table
17:16 < detha> ip rule to 192.168.1.2 rtable 2
17:16 < detha> then add a route in rtable 2
17:17 < obsrwr> ok i'll try
17:17 < mcdnl> if it doesnt know the other interface is directly connected
17:17 < mcdnl> it will forward it instead of "directly delivering" the packet into the interface
17:18 < obsrwr> actually it doesn't even "directly deliver"
17:18 < obsrwr> the packet is seen from tcpdump as exiting but nothing reaches eth2
17:18 < obsrwr> somewhere it is silently dropped
17:19 < obsrwr> but i think tcpdump is a few layers above the TX ring of the nic
17:19 < detha> you are trying to make the kernel do things the kernel devs have tried very hard to keep from happening....
17:19 < obsrwr> haha
17:20 < obsrwr> i was considering cheating, like doing mac-nat with ebtables
17:21 < obsrwr> if eth2 receives ::5 , nat to ::2, then back
17:33 <+catphish> what are you trying to achieve?
17:33 <+catphish> ah, just found the start
17:34 < obsrwr> to test SRAM and DDR memories of an ethernet switch in the long run
17:34 <+catphish> obsrwr: to answer your first question, linux will never allow an inbound packet with a source IP of itself, it will be silently dropped
17:34 < obsrwr> i just want a simple way to generate traffic from one host between 2 interfaces
17:34 < obsrwr> catphish: it will with network namespaces... which i don't have
17:34 <+catphish> so even if you make your packet loop, it will be dropped unless you "spoof" the source ip
17:35 < obsrwr> like do SNAT?
17:35 < obsrwr> snat on inbound, hm
17:35 <+catphish> frankly i'd skip all that and just open a raw ethernet socket
17:35 <+catphish> and send it manually
17:36 <+catphish> assuming there's no actual practical reason you want this to work
17:36 < obsrwr> raw ethernet socket, hm
17:37 <+catphish> also you definitely *can* do this using multiple routing tables, but only if the original source (ie the source IP of the packet) is not the host doing the weird loop
17:37 < obsrwr> i can just send L2 packets through the linux network stack?
17:37 <+catphish> ie an intermediate router can do this, but not the host that created the packet
17:37 <+catphish> obsrwr: yes, you just open a raw ethernet socket
17:37 < obsrwr> i'll look into that thanks
17:37 <+catphish> then you can write your own raw ethernet frame and send / receive whatever you like :)
17:38 < obsrwr> that would be more than enough
17:39 <+catphish> https://gist.github.com/austinmarton/1922600
17:42 <+catphish> obsrwr: http://man7.org/linux/man-pages/man7/packet.7.html
17:43 <+catphish> "SOCK_RAW packets are passed to and from the device driver without any changes in the packet data." it's cool if you want to do weird experiments or write a userland ethernet switch
17:45 < obsrwr> catphish: i love IRC, it's like a pool of free hackers
17:46 <+catphish> basically
17:46 < obsrwr> gotta run home, hungry af, thanks again
17:48 < wdc65c02> hi, i have a question regarding queuing on openbsd
17:49 < wdc65c02> i am using an openbsd box as a router and am trying to limit download and upload speed for a single host
17:49 < wdc65c02> so far I have "queue main on $lan bandwidth 1000M"
17:50 < wdc65c02> along with 2 leaf queues
17:51 < wdc65c02> "queue limited parent main bandwidth 1M min 0K max 1M burst 3M for 1000ms" (the slow queue) and "queue unlimited parent main bandwidth 1000M min 0K max 1000M default"
17:51 < wdc65c02> the host i want to slow down is defined in a table
17:51 < wdc65c02> so for limiting download speed i have a rule "pass in on $lan from to any set queue limited"
17:51 <+catphish> i don't know bsd at all, but i shall provide one piece of advice: you can generally only limit on tx interfaces, so consider that you may need to have the queue on the right interface for the traffic in each direction
17:52 < wdc65c02> catphish: hmmm that makes sense, ill try it
17:52 < wdc65c02> but basically if i have working download limits
17:52 < wdc65c02> and i have that queue in lan
17:52 < Kingrat> if you use pipes and ipfw you can do it on both ingress/egress on the same interface
17:52 < Kingrat> but it doesnt tie in nicely with pf atm
17:53 < wdc65c02> it means i would need a queue on $wan
17:53 <+catphish> so if this is a router between the host and the internet, for the host's download, you'd need to use the queue on the internal interface, and for its upload you'd use the wan interface
17:53 < wdc65c02> hmm
17:53 < detha> wdc65c02: you can do it with one rule like that, or just throw in a 'match in on $intf from set queue slow'
17:53 < wdc65c02> hold on lemme try that
17:54 < wdc65c02> detha: oh ok you just want me to use that rule instead
17:54 < wdc65c02> ok
17:55 < wdc65c02> yeah its cleaner
17:56 < detha> wdc65c02: matter of taste, that's how I do it - match for some ToS from upstream or some address, and put the connection state in the right queue
17:56 < wdc65c02> no i can see how that reads better
17:56 < detha> then the actual pass/rejects go in a separate rule
17:56 < wdc65c02> the most important thing is to be able to actually see what the hell you have written 3 years ago
17:58 < wdc65c02> ok now im a little confused as to how i would set a limit on the wan interface
17:58 < wdc65c02> if i do the same as for the lan (different names obviously)
17:59 < wdc65c02> then how do i match packets after they have been natted?
17:59 < detha> the limit actually sits on the lan interface - you cannot limit what gets sent to you, as catphish said, but you can limit what gets sent to the client
17:59 < detha> TCP will slow down when you limit it like that
18:00 < wdc65c02> so match in on egress to set queue u_limited?
18:00 < wdc65c02> that doesnt do anything
18:00 < detha> I do it the other way around, match in in $int_if from set queue limited
18:00 < detha> that sets state
18:01 < detha> *match in on
18:01 < wdc65c02> that limits download speed
18:01 < detha> correct.
18:01 < wdc65c02> thats what im doing alreay
18:01 < wdc65c02> already(
18:02 < wdc65c02> i am trying to control upload speed
18:02 < detha> ok, then you have to have a queue on wan_intf
18:02 < wdc65c02> the wan interface?
18:03 < detha> yeah. but rules on 'match out on wan_int ...' come after NAT
18:03 < wdc65c02> yeah thats what i was wondering
18:03 < Apachez> https://imgur.com/gallery/k3YTHdJ GDPR We have updated our privacy policy
18:04 < detha> I think you will need to do marking in a 'match in on lan ....', then a 'match out on wan tos 0x01'
18:04 < wdc65c02> detha: can i "tag" packets like i would do in smtpd
18:05 < wdc65c02> hmm
18:06 < detha> the (in)conveniences of NAT
18:09 < wdc65c02> maybe i can tag them in my nat line?
18:11 < detha> set tos in the nat line should work, but do you have a separate nat line for ?
18:11 < wdc65c02> i can make one
18:12 < wdc65c02> my current nat line is "match out on egress inet from !(egress:network) to any nat-to (egress:0)"
18:13 < detha> I would make a separate match rule, just for the tagging; keep it separate from routing logic
18:14 < wdc65c02> match out on egress inet from ehm, match in on int_intf from
18:15 < detha> you want to tag the initial packets
18:15 < wdc65c02> should i just add it to my download queue rule
18:15 < detha> that would work I guess
18:15 < wdc65c02> i already have match in on $lan from set queue d_limited tag slow
18:16 < wdc65c02> erm ignore the "tag slow" i just added that now
18:16 < detha> yeah. then you can do the egress rule on the 'slow' tag
18:17 < wdc65c02> so then "match in on $isp tagged slow set queue u_limited"
18:17 < detha> that would be download?
18:18 < wdc65c02> no upload
18:18 < detha> $isp is the wan interface?
18:18 < wdc65c02> yes
18:18 < wdc65c02> and no that rule doesnt work (just tested)
18:18 < detha> so to limit upload, match out on $isp tagged slow set queue limited
18:19 < wdc65c02> nope, doesnt do a thing
18:19 < wdc65c02> still the most asymmetric connection ever
18:20 < wdc65c02> im still a little confused about "in" and "out"
18:20 < wdc65c02> gg/in
18:20 < wdc65c02> erm wrong window
18:20 < detha> vi ;)
18:20 < wdc65c02> actually the manpage
18:20 < wdc65c02> man pf.conf
18:21 < detha> think like the packet - initial SYN goes in on $lan, out on $isp
18:21 < wdc65c02> right
18:22 < wdc65c02> so that packet can be matched either "in on $lan" or "out on $isp"
18:22 < wdc65c02> hold on
18:22 < wdc65c02> you said i cant limit RX, only TX right?
18:23 < wdc65c02> wait nvm
18:24 < drathir> mornin/evenin...
18:24 < wdc65c02> moin
18:24 < wdc65c02> detha: ok now im very confused
18:24 < wdc65c02> my (working) download limit
18:24 < wdc65c02> is:
18:24 < wdc65c02> match in on $lan from set queue d_limited
18:25 < wdc65c02> how can it be "from "?
18:25 < wdc65c02> unless you are specifically talking about TCP where it could mean that it is the initiator of that connection
18:26 < detha> you match the packets based on source, then set that flow to queue d_limited
18:26 < detha> each flow (tcp, udp, whatever) has state
18:26 < wdc65c02> huh
18:28 < wdc65c02> oh wait i got it
18:28 < detha> from man pf.conf: "By default pf(4) filters packets statefully: the first time a packet matches a pass rule, a state entry is created."
18:29 < detha> you can add 'no state' if you don't want it to
18:30 < wdc65c02> hmmm
18:38 < wdc65c02> well ill need to figure this out slowl
18:38 < wdc65c02> slowly*
18:39 < wdc65c02> luckily for now i only need to worry about 4k netflix shit
18:39 < wdc65c02> eventually some torrent folk may use this network
18:50 < rtmataeu34> hello
18:50 < skyroveRR> hi
18:51 < rtmataeu34> skyroveRR: hi
18:52 < rtmataeu34> hows things
18:53 < skyroveRR> They're good, over there?
18:53 < rtmataeu34> usual
18:53 < rtmataeu34> gonna make lunch soon
18:53 < skyroveRR> What does that mean?
18:54 < rtmataeu34> correction- things are fine
18:54 < rtmataeu34> lol
18:56 < rtmataeu34> got an old laptop with a screen that quit- was thinking of making it like a network monitor or some sort of appliance
18:56 < rtmataeu34> but its pretty old
18:58 < Apachez> https://pbs.twimg.com/media/DfnuGu-WsAIatlp.jpg:large :D
18:59 < rtmataeu34> wait a second. .
18:59 < rtmataeu34> that sure is some good looking ice
19:13 < ||cw> rtmataeu34: is it like Pentium 2 old?
19:15 < efb> is it possible to have CUBE register to sip servers on different vrfs ? I.e sipserverA on VRFA and sipserverB on VRFB?
19:29 < rtmataeu34> ||cw: compaq v2000
19:30 < rtmataeu34> its the AMD turion one w 2GB ram
19:30 < ||cw> not terrible
19:30 < rtmataeu34> no
19:31 < ||cw> does it have gigE?
19:31 < rtmataeu34> had debian on it atm and can ssh with it
19:31 < rtmataeu34> good question
19:33 < rtmataeu34> 10/100 ethernet lan w b/g wireless
19:33 < rtmataeu34> :(
19:34 < rtmataeu34> tried using it as a pi-hole server once via wireless but the dns became quite slow because of it
19:35 < ||cw> yeah i wouldn't do that on b/g
19:35 < rtmataeu34> just wanted to see :)
20:26 < Aviyah> I am back. You guys still around?
20:26 <+catphish> Aviyah: there are 1290 people here
20:26 <+catphish> :)
20:27 < n3t> Shhh, don't scare them.
20:27 < Aviyah> I know. Those with whom I spoke earlier will know who I addressed.
20:27 < Aviyah> But anyways, I am a big fan of this room.
20:27 < Aviyah> It has a good culture.
20:30 < kottt> o/
20:44 < skyroveRR> \o
20:56 < forgotmynick> I have 2 IPs pointing to servers at the same data centre taking completely different routes. One has 8 hops, the other has 14. The ping averages are the same. What are the disadvantages of more hops aside from more points of failure (I'm assuming)?
20:56 < grawity> worse latency, usually
21:01 <+pppingme> forgotmynick are they pointing to the same server, or different servers?
21:04 < forgotmynick> pppingme: different servers, same rack
21:15 <+catphish> forgotmynick: the ISP is likely sharing load across multiple upstream connections, its not likely to be a big problem
21:15 <+catphish> they may have different latency, but hopefully not dramatically so
21:16 <+catphish> oh yeah, you said latency was the same, so i wouldn't worry about it
21:16 <+catphish> just balancing different routes, ISPs do that sometimes
21:18 <+catphish> the route the other way is likely the same for both :)
21:35 < epitamizor> if lan is faster than upstream, it's better to use iterative dns queries?
22:10 < rtmataeu34> any recommendations for irc "hardening"
22:14 < Aeso> rtmataeu34, how do you mean? server or client?
22:14 < rtmataeu34> Aeso: client side atm
22:14 < Aeso> Use a bouncer, make sure you use SASL to authenticate to the IRC servers, etc
22:16 < rtmataeu34> i havent made a key yet
22:16 < rtmataeu34> cert*
22:18 < rtmataeu34> cool thanks ill have to look more into it
22:26 <+catphish> TLS is a good starting point
22:32 < rtmataeu34> hi catphish
22:38 < wdc65c02> detha: so um
22:38 < wdc65c02> any idea how different openbsd's pf is from freebsd pf?
22:39 < wdc65c02> i know how to achieve upload limits on pfsense
22:39 < wdc65c02> so i set up a pfsense vm
22:39 < wdc65c02> do limits
22:39 < DoctorDick> limiters?
22:39 < wdc65c02> dump the pf rules table
22:39 < wdc65c02> DoctorDick: uh yea
22:40 < DoctorDick> I love pfsense
22:40 < wdc65c02> im trying to limit upload speed of a single host behind my NAT (obsd router)
22:40 < felda> I ALSO LOVE PFSENSE
22:40 < DoctorDick> WANNA HOLD HANDS?
22:40 < felda> YES
22:40 < DoctorDick> OKAY!
22:40 < felda> I actually own the pfsense nick on freenode lmao
22:40 < wdc65c02> pfsense is cool and all but i dont want magic, i just want to lern teh ruules
22:40 < wdc65c02> lol
22:40 < wdc65c02> so i can do teh fairwall without leaving it to the pf gods
22:41 < felda> have you seen this thread? https://forum.netgate.com/topic/48694/limit-bandwidth-per-ip/5
22:41 < wdc65c02> i know how to do it in pfsense
22:41 < wdc65c02> i want to do it on openbsd
22:42 < felda> ah
22:42 < wdc65c02> so ill do it in a pfsense vm
22:42 < wdc65c02> then dump the rules
22:42 < felda> I haven't fooled around with PF on OBSD
22:42 < wdc65c02> and try to figure them out
22:42 < felda> does PF on OBSD do limiters?
22:42 < wdc65c02> im fairly sure it can
22:44 < rtmataeu34> how can i pfsense
22:44 < rtmataeu34> and can i use a really old AF laptop
22:44 < rtmataeu34> :D
22:45 < felda> you could run a VM to try it out
22:45 < felda> pfsense would probably struggle on anything older than a Core2Duo
22:46 < wdc65c02> not really?
22:46 < wdc65c02> ive run it on worse
22:46 < wdc65c02> pentium HT
22:46 < wdc65c02> in production
22:46 < felda> well yeah I've run it on old pentium watchguard
22:46 < wdc65c02> 100mbit dualstack routing with some heavy rules+proxy+couple of vpns
22:46 < felda> but new versions are getting heavier
22:47 < wdc65c02> this was a while back ill admit
22:47 < wdc65c02> like 2 years
22:47 < felda> RIP 32bit pfsense
22:47 < wdc65c02> r i p
22:48 < felda> PF originated on OBSD so in theory PF on that platform should be newer?
22:48 < wdc65c02> in >>theo< do I remember that pfsense backported some patches to make pf multithreaded?
22:49 < wdc65c02> no one leaves till the raadt speaks
22:49 < Aeso> I could be wrong, it's been a while
22:49 < wdc65c02> i thought freebsd did the multithreaded pf first and openbsd took it back
22:50 < felda> I guess now that i think about it I don't really know much of anything about the original PF
22:50 < felda> I just always used pfsense
22:50 < Aeso> eh, at this point eBPF >>> all
22:50 < wdc65c02> just remember that openbsd is never usually faster
22:50 < wdc65c02> but they are usually correct
23:29 < yates> any samba experts here (under linux)?
23:30 < yates> i'm trying to create a samba share on ubuntu 16.04lts. https://paste.fedoraproject.org/paste/wCM7xnYQBNut8vbmVLEyXA
23:30 < yates> testing yields this https://paste.fedoraproject.org/paste/wmMPwJNtRBt-5-krQAsH8w
23:30 < yates> i've googled and all leads fizzle out..
23:33 < ||cw> yates: -L means list, you only give the server name, not the UNC. also IPs don't always work as a name, there's a separate option for that
23:33 < ||cw> also, #samba ?
23:33 < ||cw> you did smbpasswd -a your user right?
23:33 < yates> ||cw: no, i did not
23:34 < ||cw> needed for the NTLM hash
23:38 < yates> ||cw: smbpasswd itself gives the same error: Unable to connect to SMB server on machine 127.0.0.1. Error was : NT_STATUS_CONNECTION_REFUSED
23:41 < yates> ||cw: what is the alternate syntax for ip address?
23:41 < ||cw> are you sure it's running?
23:41 < yates> systemctl restart smbd
23:41 < yates> systemctl status smbd says it active
23:42 < yates> it's
23:42 < jvwjgames__> can I advertise my v6 range over the internet if i got the space from ARIN
23:42 < jvwjgames__> ?
23:42 < ||cw> man smbclient says -I
23:42 <+pppingme> not running; firewall; not listening due to bad config
23:42 < yates> oh $*(#
23:42 <+pppingme> jvwjgames__ sure, when you find someone to peer with
23:42 < yates> what port does smbd use?
23:42 < jvwjgames__> i have CenturyLink ARIN said they should let me
23:42 < yates> i think the firewall is blocking it...
23:43 < jvwjgames__> CenturyLink residential that is
23:43 <+pppingme> over a residential connection, probably not
23:43 < jvwjgames__> cause i thought BGP was blocked on residential ISPs
23:44 <+pppingme> its not that its "blocked" its more simply they just simply don't do it
23:44 < jvwjgames__> I did tell ARIN that it would be from a residential ISP and they still said yes they should let you
23:44 < jvwjgames__> so i got an IPV6 /36 from ARIN
23:44 <+pppingme> you might be able to get them to advertise the space, then deliver it to you over a typical routed subnet, like they might do for a business connection
23:45 <+pppingme> but they aren't going to do that for some $30/month residential acct
23:45 < jvwjgames__> :(
23:46 <+pppingme> do you have an AS#?
23:46 <+pppingme> or just a /36 assignment?
23:46 < jvwjgames__> So i can't go to my router and say setup BGP with google will CenturyLink Still block it?
23:46 < jvwjgames__> just a /36
23:46 < jvwjgames__> i will get an ASN
23:46 <+pppingme> no, bgp doesn't work like that
23:47 <+pppingme> if you have an AS, you can tunnel to HE, and talk bgp to them
23:48 <+pppingme> that'd be free
23:49 < scientes> mind if I ask, why do you care for a /36?
23:49 < scientes> I mean /64 is pretty big
23:50 <+pppingme> scientes the practice is to assign a /64 per network, so if he has customers, or runs multiple subnets, each gets a /64
23:50 <+pppingme> so with that practice, no, a /64 isn't "pretty big"
23:50 <+pppingme> its exactly one network, one subnet
23:51 < jvwjgames__> So basically without the Tunnel even if I had an ASN it still wouldn't work?
23:51 <+pppingme> jvwjgames__ you always have to "peer" with someone, you don't just start throwing bgp out and hope its seen, it doesn't work like that.. If you "peer" with CenturyLink, then that also means they "peer" with you.. and takes manual configuration from both parties..
23:52 <+pppingme> note that "peer" I'm talking about is a bgp concept, that doesn't mean from a transit or billing perspective that its still viewed as a "peer"ing relationship
23:52 < jvwjgames__> ok
23:53 <+pppingme> and in most cases, that "peer" needs to be a device that you're directly connected to..
23:53 <+pppingme> thus why HE is able to do it over a tunnel, the tunnel simulates a direct connection between your router and HE's router
23:53 < jvwjgames__> oh ok
23:54 <+pppingme> in most cases, isp's aren't even talking bgp on the customer edge of stuff
23:54 <+pppingme> thus, they can't peer without special setup
23:56 <+pppingme> jvwjgames__ what are you doing with this /36 ??
23:57 <+pppingme> does it amount to play/learning/experimenting, or does it amount to something mission critical, or what?
23:57 < jvwjgames__> I have a webhosting business and i provide web hosting, VPS, and LXC Services
23:58 < jvwjgames__> I am classed as an "ISP" according to ARIN
23:58 < jvwjgames__> which is why they gave me an ISP allocation sized /36
23:59 <+catphish> you need an AS number and someone to peer with, that is all there is to it
--- Log closed Fri Jun 15 00:00:15 2018