--- Log opened Fri Jun 15 00:00:15 2018 --- Day changed Fri Jun 15 2018 00:00 <+pppingme> well you could get your asn, start with an HE peering over a tunnel, then add real connections as you grow, then once you have at least two other connections, drop HE tunnel 00:00 <+catphish> jvwjgames__: i believe you can always peer with HE over a tunnel 00:00 <+pppingme> catphish yes, HE will bgp peer over a tunnel 00:00 < scientes> is the ipv6 privacy extensions on by default? 00:00 <+pppingme> or at least they used to 00:00 <+catphish> scientes: yes in most operating systems 00:00 <+pppingme> scientes varies by OS 00:01 < scientes> no, how do i turn them on 00:01 < scientes> debian, firefox 00:01 < yates> y 00:01 <+catphish> run "ip addr" see how many ipv6 addresses you have 00:01 < scientes> i have them under "ip addr", but firefox isn't using them 00:01 <+catphish> what ip is it using? 00:02 <+catphish> it should always use the most recent address 00:02 < scientes> inet6 2603:3023:903:9000::dcd5/128 scope global dynamic noprefixroute 00:02 <+pppingme> scientes I believe that most distribs enable it for "workstation/desktop" installs, but disable it for "server" installs 00:02 < scientes> instead of inet6 2603:3023:903:9000:62a4:4cff:fe60:d3ce/64 scope global dynamic mngtmpaddr noprefixroute 00:02 <+catphish> that looks like a static ip 00:02 <+catphish> you wont get rivact extensions if you're using a static ip 00:02 <+pppingme> that too 00:02 < scientes> it was DHCPv6 00:03 <+catphish> oh ok 00:03 <+catphish> well it looks like you do have privacy addresses too 00:03 < scientes> now how do i get firefox to use them 00:03 <+catphish> maybe the dhcp address was added later 00:03 <+catphish> firefox doesnt choose afaik 00:03 <+catphish> the os does 00:04 <+catphish> and usually the most recent, not sure why it wouldnt be the privacy address unless the dhcp address was maybe added after 00:04 <+catphish> which seems plausible if slaac ran before dhcp did 00:04 <+catphish> 
im afraid i dont know for sure though 00:06 < scientes> oh no i didn't have a temp addr 00:06 < scientes> inet6 2603:3023:903:9000:6c09:949b:521d:a492/64 scope global temporary tentative dynamic 00:06 < scientes> https://docs.menandmice.com/display/MM/enable+IPv6+privacy+extension+on+Ubuntu+Linux 00:07 < scientes> but it only works if everyone on the subnet uses tmp addresses 00:07 < tds> it's worth keeping in mind that ubuntu server will use the native kernel stuff for slaac + privacy addresses (so modifying the sysctls makes sense) while desktop uses network-manager (so you need to mess with stuff through that) 00:08 < scientes> I have NetworkManager, but you can mix and match because of systemd/udev introducing stable device names 00:08 < tds> oh actually, I guess server uses systemd-networkd now, idk how that handles RAs and stuff 00:08 < scientes> tds, doesn't it still use ifupdown? 00:09 < scientes> /etc/networking/interfaces, with systemd-networkd optional, and RedHat still using NetworkManager everywhere 00:09 < tds> 18.04 server has weird new stuff, they have a python script that reads yaml and generates a systemd-networkd or network-manager config I think? 00:09 < scientes> RedHat isn't even supporting systemd-networkd on RHEL yet, they were asking for a use case for them to support it 00:10 < scientes> is there really that much difference between server and desktop? 00:10 < tds> I think 18.04 desktop is still plain network-manager with the gnome stuff to manage it? 
00:11 < scientes> yeah but you still have /etc/networking/interfaces 00:11 < scientes> and can enable systemd-networkd if you want---hell connman is even available in the repos 00:12 < scientes> connman is faster at getting a wifi connection than NetworkManager 00:12 <+pppingme> anonymip your IP is 193.183.116.68 00:14 <+catphish> not any more, he changed host 00:14 <+catphish> :) 00:17 < tds> scientes: yeah, just tried an 18.04 desktop iso, out of that box that's network-manager, while server is netplan + systemd-networkd 00:18 < scientes> hmm i use debian for server so i never notices 00:18 < scientes> and ubuntu for desktop 00:18 < Dagger> but it only works if everyone on the subnet uses tmp addresses <-- wait what 00:18 < scientes> the privacy part of it 00:18 < Dagger> you can use privacy extensions on a single host, no need for everybody to use it 00:18 < tds> yeah, I do the same, network-manager on my desktop/laptop and debian+ifupdown on all the servers 00:19 <+catphish> it works fine if only one host uses it 00:19 <+catphish> of course only that person will be anonymous 00:19 < scientes> but you don't get any extra privacy 00:19 <+catphish> yes you do 00:20 <+catphish> the person using the privcy estensions becomes anonymous 00:20 < Dagger> the amount of privacy you get is the same regardless of whether or not anybody else on the subnet is using privacy extensions 00:20 <+catphish> as their ip isn't linked with their machine's hardware 00:20 <+catphish> what Dagger said 00:20 <+catphish> it doesn't matter if anyone else on your network uses it or not 00:21 < scientes> oh i c ipv6 static addresses (DHCPv6)are more deterministic than DHCPv4? 00:21 < scientes> well actually you have NAT so that does the NAT thing.... 
00:21 <+catphish> no, but they're less likely to be hidden by nat 00:22 < Dagger> DHCP is kinda completely orthogonal to any of this 00:22 <+catphish> also most people dont use dhcp with ipv6 00:22 < scientes> why is my ip linked to my mac address? 00:22 < turtle> because that's literally how ips work 00:22 < scientes> with ipv6 00:22 <+catphish> because without dhcpv6 you use slaac, where hosts choose their own ip 00:22 < tds> by default it'll likely use eui64 if that's what you mean? 00:23 <+catphish> and one common way to do this is based on the MAC (eui64) 00:23 < scientes> gotcha 00:23 <+catphish> this has 2 problems 1) your ip is linkable to your hardware 2) your address can be tracked even when you go to a different network because the second part is the same 00:24 <+catphish> and so random privacy addresses were invented 00:24 < Dagger> many OSs are moving to RFC7217-style addresses, in which case your MAC won't end up in the SLAAC address anyway 00:24 < Dagger> and is also not trackable between networks, since the prefix is part of the hash 00:25 < scientes> iphone even uses a fake mac address to listen for SSIDs 00:25 < Dagger> privacy addresses do still serve the useful purpose of rendering historical logs of addresses useless after a week though 00:25 <+catphish> does RFC7217 somehow produce a consistent non predictable address? 00:26 < Dagger> HASH(prefix, MAC, salt) 00:26 < tds> I'd be interested in how people are handling that, presumably logging neighbour tables? 00:27 < Dagger> 802.1x is how you identify hosts on L2 00:27 <+catphish> or just not logging it 00:27 < Dagger> if you're not using that then you don't really care about identifying hosts 00:27 < tds> yeah, that would record the mac address on the radius server, so you'd need to log ndp as well surely? 00:28 <+catphish> Dagger: and what is the salt, something random your host generates and stores? 
seems ideal if so 00:28 <+catphish> seems like you would need to log ndp 00:28 < Dagger> catphish: yeah, that 00:29 <+catphish> fortunately i have no interest in doing this 00:29 < tds> I'm the only user on my network, so that at least makes abuse reports easy to handle ;) 00:30 <+catphish> lol 00:46 < seven-eleven> hi, do people create a vpn if they want to backup between sites or do they just rely on the backup software encryption and connect to the remote client by its WAN IP? 00:47 <+pppingme> seven-eleven its best to NEVER expose any service or traffic that doesn't need to be exposed.. 00:47 <+pppingme> in reality, if you have multiple sites, they are probably already connected via tunnels, if they aren't, then there's probably serious questions about your setup anyway 00:48 < seven-eleven> pppingme, yeah, i was worrying using the WAN IP of two sites is a bad idea, because you'd have to reveal your custom dns server to the WAN, so the two sites can talk to eachother by their fqdns 00:50 < seven-eleven> hmm do people just add another site B to their VPN subnet A or do they create another tunnel that only connects to one machine within site A? 
i think you can run only one vpn server in one network, so you'd have to use something like ipsec/pptp for the second tunnel 00:51 < seven-eleven> maybe some companies have a very restrictive or complex network so you can't just add another site B to the site A's VPN network, so a second tunnel based on a different protocol is used 00:52 < seven-eleven> so you'd have a GW in site A tunneling to site B 00:58 < seven-eleven> say a company has a Site_A 192.168.0.0/24 10.8.0.0/24 tunneled to SITE_B 192.168.1.0/24 10.8.0.1/24 and now SITE_C wants to connect to SITE_A in a third subnet 10.9.0.0/24 00:58 <+pppingme> seven-eleven if its a fully controlled (you control) everything within both networks, you'd typically do the tunneling at the router level, so users don't even know there's a vpn involved, just acts like two directly connected sites 00:58 <+pppingme> and there wouldn't be two subnets per site, just one 01:02 < seven-eleven> pppingme, can you do that router to router subnet with openvpn? 01:03 <+pppingme> if the router can run openvpn 01:03 <+pppingme> openwrt for example can 01:03 < seven-eleven> hmm, so hosts from site_A and site_B both have IPs within 10.8.0.0/24 and don't need another 192.168.0.0 subnet right? 01:04 <+pppingme> no, each is on its own /24 01:04 <+pppingme> and depending on how you setup openvpn, you might have a /30 on the tunnel itself 01:04 <+pppingme> (personally I always run it in point to point, aka v1 mode for site to site, then server/client for users) 01:07 < seven-eleven> hmm, i see, then i'd use simply a route via my VPN_router if I want to contact an IP within the other's site? 01:09 < seven-eleven> 192.168.0.10 in site A wants to connect to 192.168.2.10 in site B, then i'd do `ip route add 192.168.2.0/24 via 192.168.0.1` and 192.168.0.1 routes e.g. to 10.8.0.2 (site B router) 01:09 <+pppingme> the site routers have full routing to the other sites.. 
you don't route individual ip's, you simply route the whole subnet and be done with it 01:09 < seven-eleven> yeah 01:09 <+pppingme> also a good idea to avoid 192.168 and also keep all your subnets similar (dont' use 10.8 either).. 01:10 < seven-eleven> what subnet do you recommend? 01:10 <+pppingme> is one of these sites more like an "HQ"? 01:10 <+pppingme> anything out of rfc1918 01:11 < seven-eleven> yeah one is like a HQ 01:12 <+pppingme> then do 10.50.1.0/24 for HQ, 10.50.2.0/24 for 2nd site, and so on.. 01:13 <+pppingme> then pick /30's out of 10.50.255.0 for your point to points if you do it that way.. 01:14 <+pppingme> crank up ospf on everything specifying a "network" statement of 10.50.0.0/16 for area 1 and be done with it, or use isis, or even use rip2 if you want to keep it really simple 01:16 <+pppingme> you implement one of those and you won't have to add any routes manually 01:18 < seven-eleven> never set up rip2 & co, i'll check those out. and with the /30 p2p thing, I'd have for example 10.50.255.1 for HQ and 10.50.255.2 2nd site? 
01:19 <+pppingme> right 01:19 <+pppingme> actually, for p2p, technically they don't have to be part of a /30 01:19 < seven-eleven> yeaaah that's a much better solution than my initial idea to add the other site directly to the HQ subnet 01:20 < seven-eleven> better one /30 p2p with routing than /24 mess 01:20 <+pppingme> I'm assuming you're doing AD, point everyone to a common DNS server, or replicate dns across sites, up to you, and everything AD related will just simply work 01:23 < seven-eleven> i want to deploy bacula which wants to use FQDNs of hosts to do the backup, so I'd have to run my own dns server to translate the hosts IPs and bacula server IP to FQDNs 01:25 < seven-eleven> but I think most HQs have their own dns server already running, so I'd have to just add the p2p tunnel and the bacula server IP of site_B 10.50.2.10 to their dns server 01:27 < seven-eleven> using /etc/hosts is quiete inconvenient when you have many hosts to backup or changing IPs, so I think a custom DNS is the way to go :-) 01:28 <+pppingme> If your'e doing AD (you never really said, but sounds like heavy windows environment), you're already forced to be using MS's dns.. 01:28 < seven-eleven> ahhh I think AD will be involved yes :| 01:31 < seven-eleven> so I would be adding site_B's backup server to the AD. guess I'm going to setup an AD server to see how DNS configurations works in it 01:42 < ryao> I want to buy a gigabit switch for my cousin so that his PS4 can download games faster. Is there any reason that I am missing why I should not just buy the cheapest gigabit switch on Amazon for him? https://smile.amazon.com/D-Link-5-Port-Unmanaged-Gigabit-GO-SW-5G/dp/B008PC1FYK 01:44 < ntd> never buy d-link hw 01:44 < ryao> ntd: Why is that? 01:45 < ntd> well, in the case of a five-port dumb switch you may not get any headaches 01:46 < ryao> ntd: I am starting to wonder if I want to know the reason now. 
01:46 < seven-eleven> ryao, if you don't want to do VLAN tagging you'll be fine with an unmanaged gigabit switch. if you have an unused consumer router you could even use that as a gigabit switch, but a dedicated switch has less power consumption 01:46 < ntd> sec cameras, wired/wifi nics, etc: just no 01:47 < ntd> these are the people who published their code signing certs on github 01:47 < ryao> seven-eleven: This is for my cousin. They don't do VLAN tagging at his house. ^_^;; 01:47 < ryao> ntd: lol 01:47 < ntd> so msft blaclisted/revoked their cert 01:47 < ryao> ntd: lol 01:47 < ntd> meaning the latest drivers and stuff couldn't be installed 01:48 < ntd> the old drivers were shit and did dlink publish a new, properly signed one? nope 01:48 < ryao> ntd: I used to have an 8-port unmanaged switch from dlink, but I gave it away after I switched to managed switching. 01:48 < ryao> It seemed to be okay. 01:49 < ntd> ryao, basically a run-of-the-mill realtek dumb switch with a plastic housing 01:49 < ntd> only thing d-link about it is the housing/branding 01:49 < ryao> ntd: That is what I expect. :) 01:49 * ryao just wants a switch chip in an enclosure with ports and a PSU. 01:50 < ntd> but their sec cameras: shiiit. buggy fw, never gets updated 01:50 < ryao> I wouldn't touch their security cameras. They aren't OSS. 01:50 < ryao> I'd sooner setup a picam. 01:50 < ntd> lens is to small 01:51 < ryao> ntd: I haven't found my idea security camera yet. 01:51 < ntd> me neither 01:52 < ntd> also, securing a pi is a PITA 01:52 < ntd> the 3b+ with POE hat can be nice, but i wonder why no one had made an IP67 dome housing for it+cam 01:52 < ntd> has 01:52 < ntd> i mean, doing LUKS on a pi is PITA 01:54 < ryao> ntd: I haven't thoroughly researched it, but it comes close to being able to check off the boxes. 02:33 < spaces> linux_probe alive ? 03:59 < wizzi> Hello, what are the powerful tools for test hacking wifi ? 04:06 < wizzi> No one is here ? 
04:54 < sanzabark> Anyone here know about Macs? I have a Mac and USB with El Capitan on it. Mac doesn't have the operating system on it and I want to install from USB. My USB has El Capitan on it but booting from it gives me an apple logo for ever and doesn't install anything. What am I doing wrong? 04:54 < sanzabark> It's been killing me slowly for days now 04:55 < ziggylazer> yeah 04:55 < ziggylazer> Make it bootable 04:56 < ziggylazer> https://tutorials.ubuntu.com/tutorial/tutorial-create-a-usb-stick-on-macos#0 04:57 < ziggylazer> And now you dont have that problem anymore 04:57 < sanzabark> I thought I did using TransMac 04:57 < sanzabark> ziggylazer: when I hold option it shows as an option but selecting it doesn't give me anything 04:58 < sanzabark> I think the fact that Mac detects it means it's already bootable 04:58 < ziggylazer> I dont know macs at all. But you did not make that usb bootable. Asuming that you can select to boot from the USB or have set up some boot order 04:58 < sanzabark> ziggylazer: how do you for sure it's not bootable? 04:59 < ziggylazer> Since IF all other parameters are in order. It boots 04:59 < sanzabark> I don't think all other things are in order; Mac is retarded but making bootable is what I followed already 04:59 < sanzabark> p.s. you can boot from USB, and there is not boot order setup like a BIOS but holding Option key is the way apparently* 05:00 < sanzabark> I wonder if there is a channel dedicated to Mac? 05:00 < ziggylazer> I am sure there is. But look 05:01 < ziggylazer> If you can choose to boot from the USB. And it doesnt boot. 05:01 < ziggylazer> You need to make it bootable 05:07 < sanzabark> ziggylazer: I see certain files and folders which make me believe this is bootable like EFI, BOOT, Install OS X El Capitan.... 
05:07 < sanzabark> I will redo the process but doubt that's all 05:07 < sanzabark> I think I am missing a step in the process 07:15 < jvwjgames__> I am wondering since I have a /36 assignment can I advertise it from multiple ASN's/sites 07:24 < SwedeMike> jvwjgames__: that has a high likelyhood of working yes. Typically people allow /48 and larger blocks 07:25 < SwedeMike> jvwjgames__: are you going to announce the entire /36 from several ASNs, or smaller blocks with no overlap? 07:25 < jvwjgames__> idk yet 07:25 < jvwjgames__> i am going to tunnel via HE then advertise from there 08:57 < kidn3ys> zzzz 09:13 < seven-eleven> is ospf, isis or rip2 all a cisco thing or can you do this with openwrt?? 09:22 < regdude> all of them are open protocols, but OpenWRT doesn't seem to be that advanced in routing to support such protocols, note that those protocols are not meant for home users 09:29 < seven-eleven> regdude, mhm, if it's a simple company HQ network with just <20 computers then static routing might do as well and I dont need a dynamic routing protocol such as RIP2 & co? 09:34 < regdude> seven-eleven: you could, but if the network is flat, no tunnels connecting multiple branches and you don't need expandability, then go with static routing. For more advanced networks you should go for something else than OpenWRT, something that is meant for advanced networks 09:35 < regdude> of course, for a flat network you could set up OSPF and throw all networks in a single area, couldn't be more easy to setup OSPF, but remember that routing makes sense only when you have multiple subnets. For 20 computers not sure if you are going to have multiple subnets 09:36 < Lope> are there any 802.11ad (yes 60ghz) wifi adapters supported in linux? https://www.aliexpress.com/wholesale?SearchText=802.11ad 09:37 < seven-eleven> yeaah, gotcha. 
i will check out OSPF & co in packet tracer to learn about them, so if i happen to come accross a more complex network that already deploys dynamic routing I wouldn't be clueless 10:01 < spaces> morning! 10:02 < tya99> i have a network which currently uses no VLANs, but rather aliased interfaces 10:02 < tya99> like https://wiki.alpinelinux.org/w/images/thumb/b/b0/Network_diagram_ipv4_tunnel_LANONLY_ROUTE.svg/900px-Network_diagram_ipv4_tunnel_LANONLY_ROUTE.svg.png 10:03 < tya99> the idea is that the router's eth0 192.168.1.1 (untagged), eth0.2 192.168.2.1 (tagged, traffic destined for ISP), eth0.3 192.168.3.1 (tagged traffic destined for VPN), eth0.4 192.168.4.1 (tagged traffic destined to go nowhere) 10:03 < tya99> i have looked at my managed switch and configured it like so: 10:03 < tya99> https://i.imgur.com/MVE70t7.png 10:04 < tya99> at this point the only 'tagging' should be between the router and the switch 10:04 < tya99> after it gets to the switch it's okay to strip tags 10:04 < tya99> the router is plugged into port 1 10:10 < kidn3ys> the shit people come up with in this channel always amazes me. 10:12 < kidn3ys> tya99: so you've described the network you built -- is there a question in there somewhere? 10:12 < Phil-Work> lol 10:13 < tya99> okay so i'm trying to configure my switch 10:13 < tya99> so that i have 3 separate VLANs, that way the router will have separate interfaces 10:13 < tya99> having one interface and aliased IPs on that is bad because they all share the same broadcast 10:14 < tya99> i have configured the switch like https://i.imgur.com/BR9Bp0l.png 10:14 < tya99> is that the right thing for what i am trying to do? that is my real question 10:15 < tya99> the router by the way is just a linux box and i had been routing based on source IP in iptables 10:15 < kidn3ys> tya99: if you're trying to implement VLANs, you want to tag upstream to the router port, and set the ports that have hosts as 'untagged' in their respective VLANs. 
10:15 < tya99> yes 10:16 < tya99> essentially the tagging only will be between the router and the switch 10:16 < kidn3ys> rule of thumb is that only one vlan can be 'untagged' on any given port. 10:16 < tya99> any hosts in the switch will be untagged 10:16 < kidn3ys> tya99: correct 10:16 < tya99> okay so they'd all be in the default VLAN of 1 (the hosts) 10:17 < tya99> that looks like what I did in that diagram https://i.imgur.com/BR9Bp0l.png 10:17 < tya99> E is excluded so tagged connections never go in there 10:17 < kidn3ys> tya99: that looks like what you did 10:18 < tya99> so i didn't noob that up :D 10:18 < kidn3ys> yep 10:18 < tya99> i haven't actually tried it outside of a laboratory experiment :) 10:18 < tya99> the VLANs that is 10:18 < tya99> the other described network in that article works like a charm 10:19 < kidn3ys> you'll want to double check the interface on your router though to see if you are tagging for VLAN1 or not 10:19 < tya99> yep, i can do that with tshark can't i 10:19 < kidn3ys> tshark? 10:20 < tya99> wireshark for terminal to do a capture 10:20 < tya99> and then i can open the pcap on a computer with a user interface 10:20 < tya99> because the router is actually a raspberry pi 10:21 < kidn3ys> err, yea you can probably do that 10:23 < tya99> see my network interfaces on my router https://dpaste.de/x6CA 10:23 < tya99> the idea is that traffic on the ISP VLAN (2) will go out the PPP interface 10:24 < tya99> and traffic on the VPN VLAN (3) will go out the tun0 interface 10:24 < tya99> my ISP implements IPv6 with delegated prefixes (/56) 10:24 < tya99> the VPN provider has a ULA address on the interace so I guess I'd need to NAT there 10:24 < kidn3ys> what distribution is this? 10:24 < tya99> alpine linux 10:24 < kidn3ys> I don't see where you're setting a dot1q tag, unless :2 means vlan 2? 
10:25 < tya99> i had wondered whether or not i should have a separate VPN gateway router 10:25 < tya99> no i'm not 10:25 < tya99> in that example 10:25 < tya99> :2 means aliased interface 10:25 < tya99> .2 would be a VLAN 10:25 < tya99> the aliased interfaces though are quite bad because they have the same broadcast 10:26 < tya99> so the problem i was facing was IPs in the 192.168.2.0/24 subnet which would go to the VPN would be issued an IPv6 address through link local and that would go directly to the ISP bypassing the VPN 10:26 < tya99> because i think it was doing all that through the link local broadcast 10:27 < tya99> VLANs i expect will solve that problem because they will be segregated networks with their own broadcast domain 10:27 < tya99> where as aliased interfaces are not, do i understand that correctly? 10:27 < kidn3ys> tya99: so that's kind of what I was saying, you'll need to convert those to use dot1q tags. 10:27 < tya99> yup 10:28 < kidn3ys> but for vlan 1, atleast with the way your switch is configured, you won't assign a dot1q tag to. 
10:28 < tya99> and i will be changing it so 192.168.1.0/24 is untagged, 192.168.2.0/24 (tagged traffic for ISP), 192.168.3.0/24 (tagged traffic for VPN) and 192.168.4.0/24 (tagged traffic for nowhere) 10:28 < tya99> yeah and also VLAN 1 is reserved for untagged packets 10:28 < kidn3ys> gotcha 10:29 < tya99> so i have to change the subnets so that 192.168.X.0 ( X = VLAN ID ) 10:29 < tya99> the idea then would be IPv6 traffic from my ISP would only go out on VLAN 2 10:30 < kidn3ys> yep 10:30 < tya99> meaning hosts in VLAN 3 won't receive my ISPs prefix 10:30 < tya99> but rather will be in their own ULA behind the NAT 10:30 < tya99> (because the VPN provider has servers that have a single IPv6 address) 10:30 < tya99> obviously no PD as that wouldn't make sense in that scenario 10:32 < tya99> it seems like a more robust way of doing it than poking certain IPs at certain hosts based on their MAC address for DHCPv4/DHCPv6 10:32 < tya99> and android doesn't support DHCPv6 anyway 10:48 < horse> good morning networking dudes 10:48 < horse> is anyone familiar with rx_credits ? 10:49 < Lope> has anyone tried any 802.11ad 60ghz stuff? There are cards for cheap online: https://www.aliexpress.com/wholesale?SearchText=802.11ad 10:51 < meowschwitz> 60ghz 10:51 < meowschwitz> is that even legal? 10:52 < meowschwitz> oh, its unregulated 10:54 < Lope> https://en.wikipedia.org/wiki/IEEE_802.11#802.11ad 10:59 < horse> has anyone got any guide/docs to how network traffic is passed to and from buffers/cache in network cards to (drivers in?) operating systems? 11:03 < meowschwitz> horse: drivers -> PCI -> MAC -> PHY -> wire 11:03 < meowschwitz> and other way around, with interrupts 11:11 < GenteelBen> meowschwitz: I like your nick. 
11:15 < melissa666> horse, You should check out the book "Computer Networks: An Open Source Approach" 11:16 < melissa666> http://www.stem-edu.com/wp-content/uploads/2017/02/Computer-Networks-An-Open-Source-Approach.pdf 11:17 < melissa666> it breaks down the linux networking stack, and talks about how packets are handled, and walks through the C sources for key parts of kernel networking code ... 11:19 < kidn3ys> sounds like good bed time reading material 11:21 < meowschwitz> GenteelBen: naturally 11:24 < horse> meowschwitz: thanks. does the driver have it's own buffer? reason i ask is that we've been seeing a problem with our san which was going on for over a year. the vedor fixed it today saying the problem was the "rx_credits" in the chelsio nic driver where not being returned to the buffer 11:24 < horse> and hence the buffer was slowly draining packets 11:24 < horse> i wasn't sure where this buffer was - in the card or in the driver 11:24 < meowschwitz> horse: of course, multiple buffers very licely 11:25 < meowschwitz> im not familiar with drivers on low level but it sounds like something related to QoS 11:25 < horse> meowschwitz: yeah they said it was related to QiS 11:25 < horse> QoS* 11:26 < horse> but there isn't much info online about this "rx_credit" feature 11:26 < meowschwitz> a quick google suggests the driver counts "credits" before acknowledging receipt 11:28 < meowschwitz> and it appears the credit management is configurable via lkm parameters.. 11:28 < meowschwitz> 'not being returned to the buffer' probably means not counted correctly 11:29 < meowschwitz> yeah as a quick guess credits are a method of managing buffer fills in the chelsio driver 11:31 < meowschwitz> horse: is this one of those iscsi fabric cards that support tcp offloading 11:31 < horse> meowschwitz: yeah 11:32 < horse> what i don't understand is does the chelsio driver have it's own buffer running in memory on the os? 
11:32 < meowschwitz> horse: that's why, this has nothing to do with low level networking, the rx credit thing is in tcp offload code and has to do with tcp buffers 11:33 < meowschwitz> horse: yes, all drivers would, you'd need to take a copy of the frame in the card specific format and method and return it to the kernel in a common kernel format, I imagine 11:33 < meowschwitz> (again not an OS developer) 11:38 < horse> meowschwitz: cool that makes sense - so there are buffers both at a NIC level and an OS level (part of the driver)? 11:38 < meowschwitz> and probably ten more times along the way 11:38 < djph> well, maybe not quite 10 ... 11:39 < djph> but a fair number nonetheless 11:39 < meowschwitz> i got curious so I am reading rtl8139 driver source now 11:39 < meowschwitz> while the dumbass hyperv is installing 11:52 < regdude> what kind of port security features have you seen across multiple vendor switches? Cisco has sticky ports and has an option to limit a port to a single MAC address. Any other features out there for other vendors? 
11:55 <+catphish> the only other thing i could think of would be sniffing dhcp and doing some l3 protection (arp filtering), i don't know if this is something swiches do 11:55 < kidn3ys> it is, its not 'port security' though 11:55 <+catphish> regdude: https://en.wikipedia.org/wiki/DHCP_snooping 11:55 < regdude> yes, that is DHCP Snooping 11:56 <+catphish> dhcp snooping is port security 11:56 < regdude> a metro ethernet stanrdrd feature 11:56 < kidn3ys> bpduguard, root guard, dhcp snooping, arp inspection, unicast/multicast flood control 11:56 <+catphish> and you could extend that to blocking rogue arp 11:56 <+catphish> good list :) 11:56 <+catphish> i forgot some of those 11:57 < kidn3ys> catphish: depends which vendor you ask I guess -- what he mentioned above were literally all controlled with comamnds that contain 'port-security' 11:58 < kidn3ys> i'm speaking from a very cisco centric perspective 11:59 < kidn3ys> dot1x might fall into that category as well 11:59 < regdude> does the Cisco's port-security option involve something more noticeable than just limiting the port to a MAC address? 12:00 < kidn3ys> regdude: you can do a mac or number of macs (in the case you have pcs behind phones) 12:00 < kidn3ys> aging also comes into play 12:00 < Lope> it looks like 802.11ac does include the 2.4ghz band, and ONLY 2 TYPES of AC use 5ghz band ONLY: AC450, AC1300... ? 12:00 < Lope> https://en.wikipedia.org/wiki/IEEE_802.11ac#Advertised 12:01 < regdude> kidn3ys: well aging is important if MAC learning is enabled. I assume that internally Cisco turns off MAC learning and uses static host entries as port security 12:01 < regdude> and, of course, disables unknown unicast 12:01 < kidn3ys> regdude: err, yes, i was referring to the port-security againg for sticky macs 12:02 < kidn3ys> aging* 12:02 < kidn3ys> e.g. 
if you had a port that random people use for the day but the following day it might be a different device 12:03 < kidn3ys> I forget the default sticky timer 12:04 < kidn3ys> but say it was 4 hours, if someone plugged in with mac AA, then disconnected and someone with mac BB plugged in before the aging timer expired youd trigger port-security to do whatever its configured to do (e.g. shutdown or ignore the new mac) 12:05 < Terraformer> Hello how to get an access to filesystem of consumer market router with web control pannel? 12:05 < kidn3ys> more often than not port-security is a giant pain in the ass and dhcp snooping with arp inspection is much more scalable 12:06 < Terraformer> if it is in your homenetwork 12:07 < kidn3ys> Terraformer: its going to vary based on the router you have and/or not be possible without some tinkering. what are you trying to do? 12:08 < Terraformer> just trying to look at a filesystem 12:08 < kidn3ys> cool, good luck 12:09 < regdude> you know, usually vendors are trying to keep you out of the filesystem 12:09 < Terraformer> looks like no trust in your words 12:09 < kidn3ys> I don't know what that means. 12:10 < regdude> you can always unsolder the NAND chip and read it 12:11 < Terraformer> i have an ancient firmware, so wondering if i've catched some malware 12:11 < regdude> it is very likely that the filesystem is going to be a very common one 12:11 < regdude> what vendor are you using? 12:11 < Terraformer> tplink 12:12 < meowschwitz> Terraformer: binwalk(1) 12:12 < Terraformer> kidn3ys: i dont know what exactly im trying to do at first i think i need to get an access 12:12 < Terraformer> meowschwitz: salam 12:12 < kidn3ys> Terraformer: like i said, good luck. 
12:12 < Terraformer> ok
12:12 < meowschwitz> hizar
12:13 < kidn3ys> regdude: i guess you could throw sourceguard in that list as well
12:16 < regdude> kidn3ys: that one seems like simple reverse path filtering
12:17 < kidn3ys> yep, basically the same thing
12:17 < kidn3ys> it sort of overlaps with arp inspection
12:21 < kidn3ys> holy shit am I bored =/
12:22 < regdude> like all fridays
12:23 < kidn3ys> read-only fridays
12:23 < djph> ^
12:24 < regdude> you can read "What Hackers Know About Your Switches", there are some interesting things about port security
12:25 < kidn3ys> could disable cdp/lldp as well I guess.
12:26 < regdude> of course, these protocols can be used to overload the CPU on a switch
12:26 < regdude> a lot of tools out there that do that
12:27 < kidn3ys> such as?
12:29 < regdude> one tool was Yersinia (or spelled something like that)
12:30 < kidn3ys> hrm, i see a vtp attack that it has...
12:31 < jozefk> hi. I am not getting the meaning of "network" part of interfaces file: https://paste.fedoraproject.org/paste/hnAlobGTM-V1Pw3-Kh1WQw
12:31 < jozefk> what is it for?
12:32 < grawity> nothing useful, really
12:33 < jozefk> can I remove it?
12:33 < grawity> if you were asking about 'broadcast' I'd say some networks still use a nonstandard (all-zeros) broadcast address, but
12:33 < grawity> the 'network' value can be perfectly determined from 'address' & 'netmask'
12:33 < grawity> so yeah you can remove it
12:33 < jozefk> thanks :)
13:35 < skyroveRR> .
13:51 < Lope> How can I find out if rtl8821au has good support in linux?
13:51 < light> you could bing it
13:51 < squ> )
14:23 < djph> realtek and ralink / mediatek are all pretty garbage ...
14:29 <+catphish> realtek isn't usually garbage, because it has good open source driver coverage, ralink definitely is
14:30 < jvwjgames__> I agree with catphish
14:30 < kidn3ys> I agree to disagree with catphish.
14:30 < Demos[m]> Lope: I don't know, does linux support Wireless Display port?
14:51 < Lope> Demos[m]: I've got no idea.
14:51 < Lope> I agree with catphish also
14:51 < Lope> DisplayLink is a piece of shit though.
14:53 < Demos[m]> nah that's not what I'm talking about
14:53 < Demos[m]> there's a standard for doing actual display port over 60Ghz, so totally uncompressed
14:55 < Aeso> Demos[m], you got a link to that standard? 4:2:2 4K60 is like 25Gbps uncompressed, I have doubts you'd get any kind of reasonable range at 60GHz
14:56 < Lope> no, I wouldn't expect it to work uncompressed, not without a lot of dropped frames.
14:57 < Lope> might as well compress it and get a decent framerate, but the hardware to compress and decompress data that fast would be intense.
14:58 < Aeso> You might be able to achieve a 'visually lossless' video transport via mezzanine compression, but even that would be pushing bandwidth limits.
15:03 < regdude> some 60G links are over 1km long, seems to be quite stable even at 1Gbps
15:04 < regdude> intel is pushing 60G to work for multimedia uses in short distances, I think HTC Vive is going to support a wireless addon
15:04 < Demos[m]> ah it looks like that standard may not be around yet. I'll look around more once I get to the office and can browse the nonfree standards
15:05 < Demos[m]> it's unclear how the compression works. I would guess they do something like hevc compression in hw but vr has unique latency requirements
15:17 < rud0lf> hello. i'm writing a bot script to check for i-lines for a given ipv6 address.. is there an official page that lists which ipv6 addresses are public namespace?
15:18 < rud0lf> for example fc00::/7
15:21 < Phil-Work> rud0lf, why is there a requirement to know this for said bot?
15:52 < Tywin> Does /etc/hosts support some sort of ip address fallback? If the first IP assigned to a domain fails, try a second one?
15:58 < ||cw> Tywin: no, and dns doesn't either. at best you can round-robin it.
15:58 < Tywin> ||cw, well, darn. Thanks for telling me.
16:01 < UncleDrax> depending on what your main goal is, there are other ways perhaps to skin that cat
16:01 < UncleDrax> but most are way overkill for a small scale network (ie: what I imagine in most cases of editing hosts files)
16:12 < ||cw> UncleDrax: you'd hope anyway
16:13 < UncleDrax> not that I work in that space, but I imagine there's some justification for doing it on ephemeral containers or something like that.
16:13 < UncleDrax> if you have a static environment but can make changes at creation.. saves the speed of doing the resolve
16:18 < tds> AFAIK most browsers at least will retry other addresses if you have multiple a/aaaa records and connecting to one fails
16:19 < tds> I've seen it used for IRC as well, though client support for that was worse, I had situations where my bouncer only wanted to connect to one server (which was down)
16:32 < regdude> is there something noticeable and significant in AVB protocol other than QoS?
17:15 < khelpw> Is anyone here especially familiar with sonicwall CLI? I'm trying to put together repeatable steps to configure some basic settings on TZ300Ws that we send out to our clients and I can't figure out how to assign a default gateway on the WAN interface.
17:16 < djph> DHCP?
17:16 < khelpw> Nah, static IP
17:17 < djph> lemme rephrase -> "DHCP"
17:17 < djph> :D
17:18 < djph> I mean, it should literally be something along the lines of set system gateway [ip_address]
17:20 < khelpw> Doesn't seem to be the case.
17:23 < spaces> I want to make sure that all networks are sexy for the weekend
17:23 < spaces> are they ?
17:24 < regdude> https://bgpstream.com/
17:24 < regdude> I would say they look average
17:30 < jvwjgames__> if i tunnel to he and use bgp there don't i need to get an ASN for he to do my bgp
17:32 < Phil-Work> jvwjgames__, not necessarily - they will probably let you use a private ASN
17:32 < jvwjgames__> cause on their form it says public ASN
17:32 < Phil-Work> presumably, though, if you have address space to advertise then you have an ASN
17:35 < jvwjgames__> but arin says i have to pay for an ASN
17:35 < jvwjgames__> i don't have one yet
17:36 < Phil-Work> but you have address space already?
17:36 < jvwjgames__> yes
17:36 < Phil-Work> from Arin?
17:37 < jvwjgames__> yes
17:37 < Phil-Work> speak to HE and see if they'll let you use a private AS but it's worth getting your own
17:37 < Aeso> jvwjgames__, if all of your upstream transit providers support it, you can advertise your space via a private ASN to the carriers and have them announce publicly for you
17:38 < Aeso> but you should really just get your own ASN. If you can afford IP space, you can afford a public ASN
17:38 < jvwjgames__> true
17:43 < jvwjgames__> i just called HE they said i could try to use a private AS range
17:43 < Phil-Work> HE, despite their flaws, are really flexible
17:43 < Phil-Work> they ran a custom optic for us
17:44 < jvwjgames__> but won't that private range not work when i try to peer to other people
17:44 < jvwjgames__> on the internet?
17:46 < Aeso> jvwjgames__, a private ASN and private IP space are two different things
17:46 < Aeso> if you're actually intending to announce private IP space, every carrier is going to outright ignore those routes
17:47 < Phil-Work> HE will strip the private AS from the path and just pretend the prefix originated directly from them
17:47 < jvwjgames__> oh ok
17:51 < jvwjgames__> i am trying to google private AS ranges is this correct 64.512 – 65.534 – private AS numbers.
17:58 < Aeso> jvwjgames__, correct. As per RFC 6996
18:02 < spaces> kidn3ys I had quite a good day :D
18:02 < spaces> no need to die(); yet!
18:06 < jvwjgames__> and when i do do bgp do i want to announce my /36 or break it up
18:19 < Aeso> jvwjgames__, that's going to depend a lot on what you're doing internally with those IPs, whether you have multiple upstream carriers, etc. There's plenty of documentation on BGP best practices, I recommend you do some reading
18:26 < tds> jvwjgames__, there's also the larger private as numbers if you want to use those (and all your routers support 4 byte asns, which they should)
18:27 < jvwjgames__> if i chose not to go through he would that work cause their form rejected the private range
18:27 < tds> You'd be reliant on whatever other transit provider you pick to strip the private asns from the path
18:28 < tds> If you want to run your own network, there's very little reason to not get an asn imo
18:28 < jvwjgames__> ok
18:28 < jvwjgames__> I called ARIN i basically get it for free
18:28 < tds> :)
18:29 < jvwjgames__> after the $550 fee
18:29 < jvwjgames__> cause i am classed as an ISP so the yearly fee for the ASN is waived
18:30 < tds> Ah, here it's a 50 EUR one off charge if you have a sponsoring lir iirc?
18:37 <+catphish> why are you even allowed an ASN if you have no peers at all?
18:40 < TandyUK> isn't it rather a catch 22 between getting peering and an AS
18:40 < TandyUK> can you get peering without one?
18:40 < TandyUK> kinda makes sense till you actually have the first one though
18:40 < TandyUK> *to wait
18:41 <+catphish> well with RIPE you just need to submit a plan
18:41 <+catphish> you tell them a minimum of 2 people you intend to peer with
18:41 <+catphish> and then it's fine
18:41 < TandyUK> yeah so makes sense
18:42 < TandyUK> they won't give you an AS because you're 'thinking about peering at some point'
18:42 < TandyUK> that's the next major step i need to look into tbh
18:43 <+catphish> do it :)
18:43 < TandyUK> i can think of 4 networks i would want to peer with instantly
18:43 < tds> Heh, I don't know if they actually attempt to contact the peers you list
18:43 < TandyUK> lol that would make it kinda pointless
18:44 < TandyUK> i wanna peer with facebook and google, gimme AS :P
18:44 < jvwjgames__> right
18:44 < tds> I'm still not peered with Google :'(
18:45 <+catphish> they're on linx route servers, good enough for me
18:46 < tds> Yeah, we've had this discussion several times before :P
18:46 <+catphish> we have
18:46 <+catphish> i'm going home now
18:46 <+catphish> have fun
18:46 < tds> In fact I got an email last night saying my peering ticket had "expired" so idk what's going on there
19:05 < Apachez> https://cached-images.bonnier.news/cms30/UploadedImages/2018/6/15/f54f619e-dc17-48ae-8fd7-4c8432adebca/bigOriginal.jpg?interpolation=lanczos-none&downsize=*:568&output-quality=80&output-format=webp
19:24 < tonsofpcs> anyone else having trouble getting through to netgear support this week?
19:25 < Aeso> I'm more shocked netgear even has a support program, tbh
19:39 < tonsofpcs> Aeso: all of their professional products have lifetime warranties too, you call them and say "this thing died" they say "how died?" and you explain how half the switch won't talk to the other half and they ship you a new one for like $30 (cost of shipping)
19:39 < tonsofpcs> (you have to send the old one back)
19:40 < UncleDrax> mmm delicious google peering
19:41 < UncleDrax> I just need to drive more traffic to netflix so we qualify for an OpenConnect appliance :[
20:20 < Apachez> https://www.flightradar24.com/IDPCC/1cc90850
20:22 < tpr> italians invading sweden?
21:08 < Apachez> https://cached-images.bonnier.news/cms30/UploadedImages/2018/6/15/c9cfa364-8e17-4533-87e6-6b4b87aba511/bigOriginal.JPG?interpolation=lanczos-none&downsize=*:568&output-quality=80&output-format=webp
21:26 < Apachez> https://pbs.twimg.com/media/DfwS8oQX4AAqn2d.jpg:large
21:28 < Maarten> Apachez, I have seen a DC-10 do that just a few miles from my house..... it wasn't water though but the red Phos-Chek stuff.... even so, pretty amazing to see a fucking JETLINER fly so low over a fire.
21:29 < Maarten> Those pilots have balls of steel
21:30 < Maarten> this is the VERY drop I saw..... I live near there. https://www.youtube.com/watch?v=-3KyWLvUT5Q
21:36 < ldiamond> For a TCP connection, I see SYN, SYN ACK, ACK, FIN ACK, FIN ACK, ACK
21:36 < ldiamond> The first FIN ACK is the server requesting to close the connection right?
21:36 < ldiamond> Is there any field I can check to figure out what the reason is?
21:36 < Emperorpenguin> Yes
21:36 < Emperorpenguin> No
21:36 < Aeso> Maybe so? :P
21:36 < ldiamond> Ok then, just blame Cisco I guess.
21:37 < Emperorpenguin> What happens ldiamond
21:37 < Aeso> ldiamond, it won't be in the packet, it'll probably be in the firewall or server logs
21:37 < ldiamond> Emperorpenguin: There's supposed to be a HTTPS connection happening, but the TCP connection is closed right away.
21:39 < Emperorpenguin> If it was a firewall it would likely be terminated right away with a RST
21:39 < Emperorpenguin> Not opened then closed
21:39 < ldiamond> it goes through a proxy
21:40 < Emperorpenguin> And what happens on the other side of the proxy, ldiamond ?
21:47 < atsu> Do you have access to the proxy?
21:55 < ldiamond> I don't have access to it but I'm on the phone with people who do
21:55 < ldiamond> It's a Cisco CMX appliance trying to send us data via a HTTP post
21:56 < ldiamond> but when I tcpdump on my end I just see the source closing the TCP connection right away
21:56 < Emperorpenguin> Then ask them what they see on the proxy
21:56 < ldiamond> that's what I'm doing
21:56 < Emperorpenguin> Good. Our work here is done.
21:57 < ldiamond> I was just wondering if I could find info from the TCP packet on my ned
21:57 < ldiamond> end
22:09 < Apachez> https://www.youtube.com/watch?v=3X9X8BVEuGs
22:09 < Apachez> Maarten: yup, especially when they waterbomb on the hills
22:09 <+catphish> so, here's an absurd bit of bureaucracy and wasting taxpayer money: as a uk government organization, one is entitled to a .gov.uk domain name, this domain name is reserved, only one person can ever have it, the government owns it, but in order to register it, the registration has to go via 2 separate private companies at a cost of £120
22:09 <+catphish> who thinks up these things
22:09 < Apachez> I can imagine the cockpit sound "PULL UP! PULL UP! FFS PULL UP!!!!!!!!" :)
22:13 < Mattx> Hey guys. Quick question. In a http2 connection using multiplexing, if I send two requests A and B, is there any chance of B reaching the server before A?
22:13 < Apachez> https://www.youtube.com/watch?v=OZ2_cUBflcc
22:14 < Mattx> I'm sending two rest requests to a server, but it says B can't be executed (as it depends on A), and then A gets executed
22:14 < Mattx> so either they receive B and then A, or they receive A and then B but they process them in parallel so B gets executed first for whatever reason
22:16 < Emperorpenguin> Mattx: since http2 is TCP, packets COULD get to the destination in the wrong order but would be correctly reassembled
22:19 < Mattx> yeah, so correct order when sending is guaranteed
22:19 < Mattx> the problem should be they process the requests in parallel, what do you think? Emperorpenguin
22:20 < Mattx> I don't know how to fix it. maybe adding a small delay between them helps. any other workaround?
22:20 < Emperorpenguin> Why would it be a problem?
22:21 < Mattx> because I need to get A executed before B, and even though I send them in that order, it happens that B gets executed first and fails
22:21 < Emperorpenguin> Could be a race condition inside the server code
22:22 < Mattx> actually they don't say they execute them in fifo order so it wouldn't be a "bug"
22:23 < Mattx> I'm guessing what happens if they are processed in parallel by the web server is A takes longer to execute so B completes first and fails
22:23 < Mattx> adding a small delay should work if that's the case
22:25 < kottt> just had a technical contact phone us to ask us for our phone number
22:25 < kottt> because the signal on his cell phone
22:25 < kottt> where our number is saved
22:25 < kottt> is too poor for conversation
22:26 < tds> catphish: it seems bizarre it's not just done through nominet directly (eg iirc sch.uk is run centrally by nominet, but handing out domains is authorised by local authorities or something)
22:27 <+catphish> Mattx: your question seems strangely familiar
22:27 <+catphish> Mattx: anyway, there is afaik no guarantee that they get executed in order, servers process requests in parallel
22:28 < Mattx> yeah, I asked something similar the other day. but it was this morning that I finally tested it and saw B fail because A wasn't executed yet
22:29 <+catphish> well my answer still applies
22:32 <+catphish> the problem isn't the order they reach the server, the problem is that you're assuming one will finish before the next one starts, which simply wouldn't be the case, that would be inefficient, maybe http/2 has a way to request that, but by default they'd be processed at the same time
22:33 < Mattx> it would be absolutely useful if that can be requested with a header or something
22:36 < Apachez> what if the server listens on two ports?
22:36 < Apachez> and first req is like 10 bytes
22:36 < Apachez> and the second is 500 megabyte
22:36 < Emperorpenguin> What if you use two connections?
22:36 < Apachez> think of the children!
22:36 < Mattx> Emperorpenguin, how would that help?
22:36 < Emperorpenguin> You start one connection
22:37 < Emperorpenguin> Ask for a
22:37 < Emperorpenguin> Then open a new connection and ask for b once a is done
22:37 < Mattx> that can be done in http2 with one connection
22:37 < Mattx> I just would need to wait to get the first response byte for A before sending B
22:38 < Mattx> but that would be around 30x to 50x slower compared to multiplexing
23:03 <+catphish> Mattx: can you not just ask for a single request to achieve everything you need?
23:03 < Mattx> I wish but there's no endpoint to do that
23:04 <+catphish> that's why i said ask :)
23:04 < Mattx> oh no, I can't
23:04 <+catphish> shame
23:04 < Mattx> I got interested in that idea you had about requesting the server to process them in order. you read that somewhere or was it just a crazy idea?
23:05 < Mattx> I couldn't find anything like that on the internet
23:06 <+catphish> crazy idea, you probably can't, i just said it because i don't know http/2 and didn't want to say it was impossible
23:06 <+catphish> by the way, did you actually try http/1.1 like i suggested before?
23:06 <+catphish> that's way more likely to process them sequentially instead of simultaneously
23:08 < Mattx> no I didn't try but that should be easy to test, I'll disable http2 and have a look
23:08 < Mattx> how would http1.1 help? I know it doesn't support real multiplexing
23:08 < WrinkledCheese_> I have an odd issue. If I ping, I get 0.1ms. If I access a specific port via browser, I get a web interface. If I try to telnet or ssh, I get no route to host. Client is slackware linux and server is OpenSuSE linux.
23:09 < Mattx> is it supposed to work just because it would take more time to send B?
23:10 < WrinkledCheese_> ping client ip is 0.01ms and ping switch is 1.0ms, which is significantly longer than server, but neither server nor client are directly connected to router.
23:10 < WrinkledCheese_> Any ideas how to diagnose such an odd error message?
23:10 <+catphish> Mattx: it's precisely the fact that it doesn't support multiplexing that helps!
23:11 <+catphish> Mattx: it means it will likely process the requests one at a time
23:11 < WrinkledCheese_> The only thing I can think of is ssh and telnet are tcp whereas ping is icmp
23:12 < Mattx> catphish, that approach would be equivalent to sending A, reading the first byte of A, then sending B, and finally reading both responses. right?
23:12 < Mattx> I mean, it can be done on http2 that way ^
23:13 <+catphish> Mattx: no, because you don't have to wait for the first byte to reach you, then send the next request, you send them all at once, as soon as the server *sends* the first byte, it'll start processing the next request
23:13 < Maarten> WrinkledCheese_, sounds like ssh might be blocked (or the server firewall blocking an ip) on the server.....
23:13 <+catphish> it'll be faster by at least 1 round trip time
23:13 < WrinkledCheese_> Maarten, I considered that, but would that give a no route to host error?
23:14 <+catphish> Mattx: see this diagram: https://upload.wikimedia.org/wikipedia/commons/1/19/HTTP_pipelining2.svg
23:14 < Maarten> WrinkledCheese_, if the firewall completely drops the traffic (not reject) it has no way of knowing why the traffic didn't arrive... so your side may assume it's a routing issue.
23:15 <+catphish> you're describing the thing on the left, you send each request after you receive the response, but http/1.1 pipelining is on the right, you send all the requests, it processes them in order and sends back the response for the first request as it starts to process the next
23:15 < WrinkledCheese_> Maarten, Hmm, must be a linux thing. I've been doing FreeBSD networking and if there's a route, i've never gotten no route to host when there was a valid route.
23:15 < WrinkledCheese_> Thanks very much Maarten I suspect you're right.
23:15 < Mattx> I didn't know that, thanks catphish!
23:15 <+catphish> http/2 is different, because it processes all the requests at the same time, http/1.1 can't do that, so it processes them in order
23:15 <+catphish> but you can still queue them up
23:16 < Maarten> if a firewall rejects something, it typically sends back a message that traffic is rejected.... if it's dropped, it just disappears into a black hole, and nothing is sent back to the client..... so the client will make up its own mind as to what is wrong :P
23:16 < Mattx> I guess the queue is created on the server side, so right after A finishes it already has B waiting
23:16 <+catphish> Mattx: a clever http/1.1 server *might* choose to process them at the same time, but probably not
23:16 <+catphish> Mattx: right
23:16 <+pppingme> WrinkledCheese_ do you get the error right away, or does it take several seconds?
23:16 < Mattx> that should work, that's exactly what I'm looking for :)
23:17 <+catphish> with http/1.1 the responses must be sent in order, with 2.0 they're multiplexed
23:17 <+catphish> so i think pipelining might be exactly what you want
23:17 < Maarten> WrinkledCheese_, if it's a NEW server, most linux distros have common ports such as ssh configured in the firewall for security reasons, and you actually have to open up the port for it to work.... but.... I have no real experience with slackware or opensuse, I am mostly a RHEL and Debian guy.
23:17 <+catphish> just make sure you send "Connection: keep-alive" in your request headers
23:18 < Mattx> I really didn't know pipelining was different than multiplexing. it's weird http2 doesn't support pipelining, I suppose at some point http 1.1 is deprecated and some apps will stop working
23:18 <+catphish> and as long as the server supports keepalive, you can just send all 3 requests at once, in order
23:18 <+catphish> pipelining isn't considered that useful
23:18 < Mattx> I mean, that won't happen anytime soon. I guess they will add a pipelining mode at some point (?)
23:19 <+catphish> normally if you send multiple requests at the same time, you want them all processed at the same time, and you want the response to each as soon as possible, not in order
23:19 <+catphish> so http/2 is basically just the same as opening LOTS of connections, but more efficient
23:19 < WrinkledCheese_> pppingme, it is immediate
23:19 < Mattx> I see that, but in my use case pipelining is clearly better
23:20 <+catphish> the fact pipelining processes the requests in order has never been useful to anyone, normally it's used when you just want to download a load of stuff fast like web page assets
23:20 < WrinkledCheese_> Maarten, Thanks. Slackware is wide open out of the box, much like FreeBSD. OpenSuSE seems to be pretty locked down.
23:21 <+catphish> Mattx: the thing is... normally you should never send a request that depends on a previous request without first checking the response code of the first request, that would be a really bad idea
23:21 <+catphish> but i assume in your case you don't care
23:21 <+pppingme> WrinkledCheese_ then that leaves no doubt, the host is rejecting with that error (you can basically pick the error with iptables and most other firewall setups, see this: https://unix.stackexchange.com/questions/124624/what-a-input-j-reject-reject-with-icmp-host-prohibited-iptables-line-does-ex )
23:21 <+catphish> either they both succeed, or they both fail, you don't need to care much :)
23:22 < WrinkledCheese_> pppingme, sounds about the right direction, but ping and http over 9090 works.
23:22 < WrinkledCheese_> everything else is no route to host which i'm not used to. coming from a freebsd background in networking
23:22 < Mattx> that's the point, for me if A gets executed fine then B is guaranteed to execute fine, so I don't need/want to wait for A
23:23 < WrinkledCheese_> i'm just finishing my beer and going to give the firewall a look and I will let you know. Thanks so much
23:23 <+catphish> as long as B won't cause weird effects if A fails and you don't know
23:24 < Mattx> I tried doing it "the correct way" (ie, waiting for A) but it doesn't work, the events come so fast that I end up with an ever increasing queue
23:25 < Mattx> but this pipelining thing should finally fix it
23:25 < Maarten> WrinkledCheese_, sometimes when you install a service or an application, it will automatically add the required rules to iptables to allow the traffic. SSH is pretty much a system function. If it's a virtualized server you can launch a console server from your hypervisor and fix it remotely, if it's a physical server you'd have to walk up to it and fix it.
23:26 < Mattx> just when I thought I was improving it by upgrading to http2 :P
23:28 < WrinkledCheese_> I'm sitting here with two keyboards Maarten just installing the opensuse gui firewall which is the point of switching to opensuse from freebsd in the first place
23:31 < WrinkledCheese_> That's interesting. OpenSuSE has its firewall config set up like an actual firewall. You can have "runtime" aka running config, or you can have "permanent" aka saved config ( switch command save run )
23:31 <+pppingme> WrinkledCheese_ the fact that some stuff works, then other things give an error that doesn't make sense for the situation (with no delay), pretty much confirms it's firewall..
23:31 < WrinkledCheese_> I opened the port and now I'm getting connection refused. Thanks Maarten and pppingme
23:32 < Maarten> well that's a start :D
23:32 < WrinkledCheese_> Just have to start ssh manually I guess.
23:33 < WrinkledCheese_> Thanks guys. no route to host seems like an odd error. Although, FreeBSD ( I only mention it because I've been using it at work for the past 5 years ) has no route to host if there is actually no available route ( no default response ) but if there is an explicit route, such as in this case, it says network unreachable.
23:39 < kerframil> WrinkledCheese_: if it matters, Linux issues a RST for TCP connections to unbound ports. Nefilter can have it behave otherwise, though.
23:40 < kerframil> Netfilter*
23:57 < discipulus> I have this strange issue. I'm running archlinux with i3, and for some reason, each time I boot my computer it takes a while to establish a network connection. After the desktop is fully loaded, it'll take an additional 5-10 seconds to get a network connection.
23:57 < discipulus> I'm talking about a wired connection btw.
23:58 < discipulus> To start with I used dhcpcd, but since I had to get a vpn, I switched to NetworkManager.
23:58 <+pppingme> What's the purpose of the vpn? to connect to work? or what?
23:59 < discipulus> I'm not sure what I've configured wrong, but I won't get any error messages, anywhere, so it's hard to crack this nut.
--- Log closed Sat Jun 16 00:00:00 2018