--- Log opened Sat Jun 23 00:00:09 2018
00:01 < AaronTTT> kuahara: there would be a bottleneck somewhere, I'm fairly certain windows displays the connection to the switch, Erhm, is an openvpn client running on each machine or the router?
00:01 < kuahara> there's a client installed, but I am using the service to connect since it does a far better job of it
00:03 < AaronTTT> so each computer is connecting directly to the vpn server? (just making sure I'm thinking right)
00:03 < kuahara> yes
00:03 < AaronTTT> Okaydokay, hmm, can you speedtest.net on one to see?
00:06 < kuahara> how would I force it to use the correct interface?
00:07 < Ouroboros> by pointing the default route there, i guess, the vpn software should already do this
00:08 < kuahara> We usually specifically indicate not to use the remote gateway as the default gateway
00:08 < kuahara> so we don't start routing non business related traffic through the vpn server
00:08 < tds> iirc on windows the openvpn tap device may show a connection speed of 10Mbps but actually be capable of more?
00:09 < drathir> mornin/evenin...
00:09 < tds> oh yeah, it does on linux as well
00:09 < drathir> tds: server side restricted/limited?
00:10 < tds> no, it's not an issue, I've happily pushed a few hundred Mb/s through those interfaces
00:10 < tds> the interface speed just shows as 10Mb/s
00:10 < Ouroboros> kuahara: in that case, i am not sure, it may be possible to configure the src ip in the browser
00:12 < Ouroboros> kuahara: or i suppose that you can add a temporary route for speedtest
00:13 < drathir> tds: that's interesting, probably openvpn bug...?
00:14 < tds> eh, not really a bug, the link speeds on these kind of things tend to be made up
00:14 < tds> eg I've got lots of VMs where the virtio ethernet interfaces claim to be 10Gb/s, you can happily push 15Gb/s through them
00:15 < drathir> tds: at linux I'm worried that app detecting that could have problems but it's guess only...
00:34 < AaronTTT> ryao: Hm maybe removing the UPS's from outside the rack will be better?
00:34 < AaronTTT> ryao: for space etc
00:45 < godsmack_> Looking for a "stresser" service to use on my website. Will pay $800/day in bitcoin or monero, pm me if you can do it
00:46 < AaronTTT> godsmack_: How big of a stress you need?
00:46 < godsmack_> 100 gbit i think
00:47 < AaronTTT> Ah daym that's a bit, I can't help I'm afraid but there should be people around who can :)
00:48 < godsmack_> will give a bounty if you find someone who can
01:04 < drathir> godsmack_ or just use memcached vuln... CVE-2018-1000115 ^^
01:06 < drathir> 260 Gbps of inbound traffic should be enough ^^
01:11 < MarkusDBX> That new edgerouter 4 or 6, any good?
01:11 < MarkusDBX> Looking for a solution to have 3 way failover
01:11 < MarkusDBX> so 1 lan port, and then 3 wan
01:11 < atsu> Depends on what you're using it for. Just home stuff? Or small office?
01:13 < MarkusDBX> homelab, but it's my office too
01:14 < MarkusDBX> atsu: I would say, think demanding small office =)
01:14 < linux_probe> ur mum
01:14 < MarkusDBX> atsu: I do got three wan for a reason
01:14 < myrat> hello guys
01:15 < myrat> my laptop takes too long to start after installing netplan, can somebody help to fix this
01:15 < atsu> For that purpose, yeah Edgerouters are good. IIRC they make multiWAN pretty simple
01:15 < myrat> 5min 5.887s networking.service
01:17 < MarkusDBX> atsu: any contenders? The edgerouter 4 is about $200, and seems good value. Maybe something more serious might be available from ebay?
01:17 < atsu> Performance is good as long as you stay in the ASIC, which usually means limited/no QoS, but hey, for the money and performance it's not bad
01:18 < MarkusDBX> any other disadvantages? Some kind of IDS would be nice
01:18 < atsu> Something more serious will need more of your time for sure
01:18 < MarkusDBX> atsu: more time to manage?
01:19 < atsu> Mainly more time to setup and take more research
01:19 < atsu> IDS, you are not going to get with EdgeOS
01:19 < atsu> IDS, you should really just use a PC and play with different UTM/firewall software
01:19 < MarkusDBX> I do got a few spare machines, should I just go for pfsense?
01:21 < atsu> Sophos UTM comes to mind, just cause that's what I have experience with, but a lot of players in the firewall/UTM game that you could possibly try out
01:21 < atsu> Not sure if pfsense does IDS/IPS?
01:21 < MarkusDBX> isn't sophos pricey?
01:22 < MarkusDBX> IPS in this context?
01:22 < atsu> D = Detection. P = Prevention
01:22 < atsu> You could mirror to another system more specialized in IDS
01:22 < MarkusDBX> ah
01:23 < MarkusDBX> I wonder what is a better solution long term
01:23 < MarkusDBX> I guess pfsense isn't going anywhere
01:25 < atsu> There are some free IDS systems out there, but they only really do IDS. Can't remember the names at the moment. I know a lot of IDS/IPS just uses snort with different rules
01:25 < atsu> and IDS really just needs to know about your traffic. Port mirrors are pretty simple
01:26 < mead> Anyone familiar with Directv DECA (ethernet to coax)? I can't find much real information like hardware compatibility
01:26 < atsu> Ubiquiti EdgeOS certainly has the performance for the money factor
01:27 < atsu> Those hardware ASICs are pretty decent at forwarding
01:28 < atsu> they are a little lacking in some of the features you would expect from a real router, but usually nothing you run into for SoHo
01:30 < adleff> atsu, there are not hardware asics dedicated to forwarding in a ubiquiti router
01:30 < adleff> they are functions provided by the network cpu on the router
01:31 < atsu> Sorry. I don't know details of the hardware. I just know they do hardware based forwarding
01:31 < adleff> you can call the main cpu an asic if you want
01:31 < adleff> and may not be entirely inaccurate
01:31 < adleff> but there are not dedicated asic to data plane
01:31 < atsu> yeah
01:33 < atsu> Thanks for the correction. Certainly not the same as getting a high dollar router/switch
02:27 < cobracommand> basically now if you're not a paid streamer of the fifa world cup, your internet is slowed down. prove me wrong
02:28 < cobracommand> If you're paying to stream the world cup, you get priority qos. If not, you get throttled. Welcome to the end of net neutrality.
02:29 * compdoc throttles cobracommand with some coax
02:32 < Ouroboros> what fraction of public smtp servers currently support some form of tls?
02:33 < tds> not enough
02:36 < Ouroboros> i mean, is there even any point in enabling it for incoming mail on your own server?
02:37 < kerframil> yes
02:38 < kerframil> though it doesn't provide a direct answer to the question, here's some insight: https://transparencyreport.google.com/safer-email/overview
02:38 < kerframil> if you want the percentages to increase, then support it
02:39 < qman__> it won't start being widely used unless people start using it
02:39 < qman__> so start using it
02:40 < tds> and ideally use a valid cert with the right hostname, otherwise it's a bit useless
02:41 < qman__> a fair number of people do support it but it's not practical to require it
02:41 < qman__> but supporting it as optional gains progress toward the goal
02:41 < tds> iirc google has started displaying warnings when sending/receiving email over non-tls, which is a nice start
02:41 < tds> s/google/gmail/
02:42 < Ouroboros> interesting
02:44 < Ouroboros> re getting a real certificate, i am looking at letsencrypt, but it is a bit of a pain because it requires a web server
02:44 < tds> you can do dns-01 validation if that's easier
02:44 < tds> some acme clients have a built in webserver as well, which makes life easy
02:44 < qman__> yeah, dns validation is the way to go
02:45 < qman__> i use dehydrated with a hook I wrote for my dns host
02:50 < tds> I still just do http-01 for all my stuff, it's easier for me
02:52 < Ouroboros> hm, dns validation does seem simpler, but still it will take me a few days to figure out how to do it
02:53 < Ouroboros> i suppose that i could use a self-signed certificate 'temporarily'
02:57 < kuahara> ok, me and 3 other technicians are completely spent on ideas, so I'm just going to do some explaining and see if anyone else can come up with an idea or theory about what is going on here. Bear with me while I get the facts out of the way first.
02:57 < kuahara> We have a file share on a folder in our datacenter. Users connect to the datacenter using openvpn, then launch our software on their PCs. PCs are generally Windows 10 or Windows 7. The login happens in IE and our product uses wscript to launch an image viewer (an executable on the local client machine).
02:57 < kuahara> That viewer will contact our server in the datacenter, request the relevant file (pdf or tif) and display it for the user. The file in question is only 47k in size and is a .pdf
02:57 < kuahara> From the client PC, I can navigate into the share, double click the file, and it opens in adobe reader instantaneously. For a few days, on only 1 PC out of dozens, this file would take 40-60 seconds to load up in the viewer before being displayed. Naturally, we assumed the problem was with the PC and did extensive troubleshooting to try and prove it.
02:58 < kuahara> On many other machines located in different counties within Texas, we VPN'd in and used the same software and it loaded up within 2 seconds. This was true during the same exact time that the one PC was taking 40-60 seconds.
02:58 < kuahara> The network interface on all client machines tested is 1Gbps and I can do a large file transfer between the troubled machine and the datacenter and sustain 50Mbps for a long period of time in both directions.
02:58 < kuahara> I'm told the datacenter is sitting on a 100Gbps backbone with burst speeds up to 400Gbps and no bottlenecks on the way out the door.
02:58 < kuahara> This evening, between 4:45pm and 5:15pm CST, the problem showed its ugly face on all test machines spread across 3 different counties in Texas. It was taking forever to load this image everywhere. Now (more than 2 hours later), it is just a problem on that 1 machine again and is loading fast everywhere else.
02:58 < kuahara> The problem machine for testing purposes only has no antivirus or antimalware software of any kind installed on it. It is not subject to any real time scanning, and is not behind a firewall (hardware or software).
02:58 < kuahara> What would you look at next?
02:59 < light> mtr
02:59 < tds> what are you using for the file share, samba/cifs?
02:59 < kuahara> Try not to laugh, but sitting in this $300 million facility is a buffalo nas unit that these images are on.
03:00 < tds> sorry, I meant what protocol?
03:01 < qman__> that's netbios for you
03:01 < kuahara> I'll have to look. Not sure what the buffal nas terastation does by default, 1 sec
03:01 < kuahara> buffalo*
03:01 < tds> it probably does a whole load of protocols by default, it's how you actually connect to it that's interesting
03:02 < tds> ie do you go to \\yournas\pictures on windows machines?
03:02 < qman__> do you have a wins server?
03:02 < kuahara> well, when I test outside of our software, yes. I use windows to access it via \\server\share\file
03:03 < tds> hmm, as qman__ suggests, this sounds a lot like it's related to name resolution and cifs to me
03:03 < kuahara> would that explain it working in multiple locations and not in 1 or 2?
03:04 < qman__> netbios is the default way to resolve windows file shares, as the protocol dates back to the early 90s before IP networks were common
03:04 < Ouroboros> ok, now the real question: exim or postfix ;)
03:04 < kuahara> Also, we don't use a server name. The software requests something like j:\folder\file.pdf and J is mapped to the \\server_ip\share
03:05 < qman__> Ouroboros: postfix
03:05 <+pppingme> server ip or server name??
03:05 < kuahara> we don't use a hostname in the mapping, we use the IP
03:05 < Ouroboros> qman__: yeah, i think so too, seems like it is ultimately more configurable
03:06 <+pppingme> sloppy
03:06 < kuahara> pppingme agreed
03:06 < kuahara> There are worse things going on that I've brought up over and over through the years, but ultimately above my paygrade
03:06 < kuahara> PPTP, SMB1, I could go on.
03:07 < qman__> anyway, what I was getting at is that SMB has what's known as a master browser, which is where everything on the network looks to find shares
03:08 < qman__> by default, the master browser is elected via what is essentially a shouting match of everything on the LAN
03:08 < qman__> and it's common for machines to disagree on who the master browser is, particularly on intermittent or slow connections
03:09 < qman__> such as wifi or vpn
03:09 < Ouroboros> qman__: how much screwing around will i need to do to get the most basic config up? just smtp to a spool, no imap etc
03:09 < qman__> the result is inconsistent share access
03:10 < qman__> Ouroboros: with postfix, not much, most distros work out of the box
03:10 < kuahara> does it matter that the routes are the same on the test machines and tracert -d \\server IP shows the same 3 nodes across the working and non-working machines?
03:10 < kuahara> I guess I am asking if that rules out the master browser issue
03:10 < qman__> no, it doesn't
03:10 < qman__> that's layer 3, smb master browser is layer 7
03:11 < Ouroboros> qman__: does it require an imap server, or can i just write to a spool for a few days?
03:11 < qman__> Ouroboros: nope, imap is completely separate
03:11 < qman__> postfix doesn't care about it
03:11 < kuahara> qman__ how can I test/fix this?
03:12 < Ouroboros> ok, good, i don't have time to set up everything right now
03:12 < qman__> packet captures and lots of head bashing
03:12 < qman__> alternatively switch to a protocol that's more sane, or re
03:12 < kuahara> you mean switch away from SMB1?
03:12 < qman__> redesign your system to use wins and a smb server that is always the master
03:13 < kuahara> Why would it consistently be this same machine that always has trouble, though?
03:13 < kuahara> your suggestion sounds like the problem should be intermittent for all machines
03:13 < qman__> you would think so but no
03:13 < qman__> they tend to happen to the same machines
03:14 < qman__> I've also seen it happen due to a hardware/driver bug with a specific ethernet card
03:15 < qman__> the card was not picking up the packets during the election and the machine was electing itself as a result
03:15 < kuahara> I hope that's not the issue. I'm nowhere near this machine. Am remoted in from a few hundred miles away
03:16 < Ouroboros> ugh, i have not heard the term 'election' in about 20 years :P
03:16 < qman__> the card otherwise worked perfectly
03:17 < qman__> so it was a bug specifically around smb master browser elections
03:17 < qman__> multiple versions of windows
03:17 < kuahara> wtf..
03:18 < kuahara> eh.. maybe this doesn't matter since this public workstation is the 1 machine not in their domain. It's a standalone workgroup machine. Just noticing that the primary and secondary DNS servers are set to 8.8.8.8 and 8.8.4.4
03:19 < kuahara> Thought this was a domain machine for a minute. The rest of that county is.
03:19 <+pppingme> that won't work for AD
03:19 <+pppingme> obviously
03:19 < kuahara> yea, it won't.
03:19 < kuahara> My domain doesn't use public DNS anywhere. Just the DC.
03:19 < qman__> yep, it will also affect smb name resolution
03:19 < kerframil> qman__: he says he's using a raw IP address in the UNC path, though
03:20 < qman__> joining a domain changes smb's settings
03:20 < kuahara> qman__ this machine is not joined to a domain though, so it won't matter that it's using public DNS servers, right?
03:20 < qman__> yes, but smb is a janky old protocol and browsing by IP doesn't rule out netbios issues
03:21 < qman__> you still talk to the master browser
03:21 <+pppingme> But that doesn't work across a routed environment, master browser is a lan concept
03:21 < qman__> kuahara: it's less about the dns servers and more about the fact that it's not on a domain and not getting domain policies
03:22 < qman__> so it could have different settings than everything else
03:22 < qman__> for the smb protocol
03:23 < kuahara> ah. that makes sense
03:23 < kuahara> so short of getting them to join this machine to the rest of the domain, I'm still back at troubleshooting SMB
03:24 < qman__> so, i suggest starting there, compare the applied policies and registry settings related to smb
03:24 < qman__> which is a lot of them, unfortunately
03:24 < kuahara> I don't manage this network, so I won't even have access to look.
03:24 < kuahara> and the group that is contracted to manage it, firmly believes the problem is our software
03:24 < qman__> well, in a roundabout way, it is
03:24 < kuahara> which we have demonstrated is not true, but we're trying not to treat the client like we've just thrown the issue over the other side of the fence and looked away
03:25 < kuahara> yea, I can't argue that
03:25 < qman__> mapping network drives over openvpn is pretty kludgy
03:25 < kuahara> That's just another thing in the pile I've complained about and I think they are tired of me pointing out things that need to change
03:25 <+pppingme> qman__ not if you have dns setup properly and you aren't natting anything
03:26 < qman__> if you're just loading a pdf, serve it on http instead
03:26 < kuahara> the scariest thing that makes me uncomfortable is that the default .ovpn file they are distributing through attorneys' offices in Texas gives all other cloud customers access to that attorney's data
03:26 < dogbert_2> u cannot fix stupid :P
03:26 < kuahara> so if you have 10 customers in the cloud on that server, nothing is stopping them from browsing into \\server\ and then just double clicking on a different county's share and viewing their confidential files.
03:27 < qman__> yep
03:27 < Ouroboros> yeah, but, i mean, it is texas ;)
03:27 < kuahara> nothing is stopping ransomware from taking all the customers out at the same time too.
03:27 < qman__> no, that kind of thing is common
03:27 < qman__> it's awful, but tons of companies do business with stuff like that
03:27 < kuahara> When I brought it up at the last company meeting 2 months ago, the VP interrupted me to say it wasn't a problem because she could spin up another virtualized copy of the data in under an hour and everyone would be back online
03:27 < kuahara> .gov does this everywhere
03:28 < Ouroboros> sure, security and reliability always come last
03:28 < kuahara> I thought, ok... you can mitigate all customers being offline for a bit, but what about when they find out their confidential information isn't.
03:29 < Ouroboros> like in that gitlab thing, primary db deleted, 5 out of 5 backup methods mostly useless
03:29 < qman__> yeah, you can be held liable for that
03:29 < Ouroboros> how do you even do that?
03:29 < kuahara> our backups are solid in a lot of places.
03:29 < qman__> gross negligence, and especially if you're selling this to lawyers, that's a really risky proposition
03:30 < kuahara> Not private lawyers, but I doubt that matters.
03:30 < kuahara> They'd be county attorneys and DAs
03:30 < kuahara> county and district judges, county and district clerks, and justices of the peace
03:30 < qman__> sure, but lawyers know how courts work and how to sue people
03:30 < dogbert_2> anyone heard of ****ing encryption?
03:31 < dogbert_2> assjacks deserve to lose their data
03:31 < Ouroboros> dogbert_2: wait, there is encryption for ****ing now?
03:31 < qman__> and they definitely will if they experience significant damages by your company's gross negligence
03:31 < kuahara> I'm hoping to be out in a few more months.
03:31 < kuahara> moving off to fort worth for 3.4x the money
03:31 < dogbert_2> pfft...you don't put stuff in the cloud without encryption, period.
03:32 < qman__> a smart choice
03:32 < kuahara> dogbert_2, he sells the customers on how well encrypted all the backup data is
03:32 < kuahara> and I have to hold back my eyerolls at the fact that the live data is not nearly as well protected
03:32 < qman__> I'd also make sure you have some evidence that you pointed this problem out to your company
03:32 < Ouroboros> dogbert_2: alas, sometimes end-to-end encryption is not possible
03:33 < dogbert_2> then you find some other solution :)
03:33 < qman__> so that you personally can't be held liable later if it comes to that
03:33 < kuahara> yea, I wrote it up in a few emails for exactly that purpose. Knowing I was irritating people by repeating myself.
03:33 < dogbert_2> I can't log into work assets on the laptop w/out using the VPN
03:33 < kuahara> and I will take those emails with me when I go.
03:33 < kuahara> I'm that guy that never, ever deletes mail.
03:34 < Ouroboros> dogbert_2: i mean like if i want to run public 'services' in the 'cloud', then i can't really have the data encrypted there
03:34 < kuahara> Ouroboros why not?
03:34 < qman__> sure you can
03:34 < qman__> aws even has a key manager for it
03:35 < Ouroboros> but aws can see the key?
03:35 < qman__> you do have to trust that aws isn't skimming your keys, of course
03:35 < kuahara> I can put a cause number into the software and a list of image keys is associated with the case. It's pulled from the database on the fly when I open it up. When I click view, it should be able to request and decrypt the file on the fly.
03:35 < qman__> but that's adequate 99% of cases
03:36 < Ouroboros> yeah, that is what i meant, you have to trust the cloud provider (and possibly other users in case there is *cough* spectre)
03:36 < kuahara> the risk that they are skimming my keys is better than just leaving the data unencrypted
03:36 < qman__> nah
03:36 < qman__> oh
03:36 < qman__> misread
03:36 < kuahara> we are the cloud provider in this case.
03:36 < kuahara> we own that datacenter
03:37 < qman__> yeah, aws is a pretty trustworthy system, as providers go
03:37 < qman__> they take it seriously
03:37 < kuahara> I tried selling the company on aws glacier, but admittedly I've only read about it. I kinda wanted to test it out with Cloudberry.
03:37 < qman__> random cloud offerings, on the other hand, are very risky
03:37 < kuahara> for the customers that can't afford to buy Barracuda backups.
03:38 < kuahara> aws is housing data for CJIS and the FBI and several banks among other people with sensitive data
03:38 < kuahara> s/FBI/CIA/
03:38 < kuahara> (CJIS and FBI are pretty much the same thing)
03:38 < qman__> aws .gov stuff is in different datacenters than public aws
03:39 < kuahara> I figure bank data is more sensitive than anything .gov
03:39 < Ouroboros> just read about how ach works
03:40 < kuahara> I don't know why I'm wasting my Friday evening on this.
03:40 < qman__> finance is one of the worst areas when it comes to it security
03:41 < ALowther> I just got a new router & I am trying to set it up. In the meantime, I'd like to set up static routes, something I have never done before & I am having a difficult time figuring out what to tell it the gateway is....I have WAN -> Modem -> .88.1 -> .3.1 -> .11.1...I want to set up static routes between .88.1 <- .3.1 -> .11.1...I assume the destination IP address is pretty straightforward in that if something is destined for .11.x/24 the
03:41 < ALowther> n it will route it to that network, but what do I put as the gateway? That is where I am having issues.
03:41 < Ouroboros> most banks don't even support 2fa yet
03:41 < qman__> most banks are still ftping PII data across the internet
03:42 < kuahara> ALowther, I feel like I'm qualified to answer that question but, paradoxically, can't figure out what you're asking.
03:42 < h0dgep0dge> same here. are you talking about nested subnets?
03:42 < dnanib> ALowther: me too.
03:42 < kuahara> qman__ we still FTP as well, but for the most part it's intralan
03:43 < kuahara> and I am always the go to person when they wind up having to do outside to inside FTP (another thing I complain about!)
03:43 < h0dgep0dge> ALowther: maybe draw a quick diagram of your physical setup, and explain how you want it to work
03:44 < kuahara> also, telling us your inside ip scheme and addresses doesn't put you at risk
03:44 < dnanib> And please use full IP addresses + subnet masks. You can make them up, but be honest about the masks
03:45 < h0dgep0dge> kuahara: i think they might just be doing it for the sake of brevity
03:46 < qman__> i used to work for managed service providers, so i have a lot of experience with different kinds of businesses, including banks and government stuff, like township offices, police departments, etc
03:46 < kuahara> maybe, but I can't tell if .88.1 is in the same subnet as .3.1 and .11.1
03:47 < h0dgep0dge> yeah, that's confusing, i'd assumed that was the suffix, but if that were the case .3.1 would represent a host, not a network
03:47 < ALowther> kuahara: dnanib: Hmmmm, maybe I have no idea what I'm talking about.....I have 3 routers. The WAN goes to my first router 192.168.88.1/24 network. Then, plugged into that router is a 192.168.3.1/24 network. Plugged into that router (.3.1/24) is a 192.168.11.1/24 network....How can I allow the 192.168.88.1/24 and 192.168.11.1/24 networks to communicate through the 192.168.3.1/24 network without using NAT?
03:48 < kuahara> before I read the rest of the sentence. why are we using 3 routers?
03:48 < qman__> one sensitive system for the state police department, they controlled access by not having a dns record, and putting it in the hosts file on computers of people who needed access
03:48 < ALowther> kuahara: It's temporary while I configure my new router...It's my home LAN, this change won't affect my speeds, I really am just asking for learning purposes.
03:48 < qman__> i wish i was making that up
03:49 < kuahara> qman__ that's officially up near the top of the list of most ridiculous things I've heard of in networking
03:49 < kuahara> if we can still call that networking
03:50 < h0dgep0dge> ALowther: i get setting up complex systems because it's interesting and a learning experience, but I would recommend starting simpler
03:50 < h0dgep0dge> and it's entirely possible your router devices aren't really made to be configured in that way, so you're going to have a hard time making it work with stock firmware
03:50 < kuahara> Start with quadruple NAT, it'll build character
03:51 < qman__> haha
03:51 < h0dgep0dge> yeah, multiple layers of nat aren't going to make your life pleasant if you want to make inbound connections
03:52 < ALowther> h0dgep0dge: Is this complex? My Linksys router has an Advanced Routing tab with the option for Dynamic Routing(RIP) & Static Routes
03:52 < tds> bonus points if you make a network where connections are properly routed in one direction, but NATed in the other
03:52 < ALowther> I assumed this would be trivial for a more experienced networker, idk, maybe not.
03:52 < h0dgep0dge> it's complex in comparison to merging all 3 subnets into one larger subnet. you can even keep your addresses, just use a bigger netmask
03:52 < kuahara> ALowther it is because the nat problem alone is going to quickly get you asking questions that no one in the channel will be able to answer or help you with. And it will end in "don't do that".
03:53 < kuahara> h0dgep0dge is right. start simpler for sure
03:53 < ALowther> I also may not be helping by poorly explaining my configuration.
03:54 < kuahara> You trying to create a lab for a network cert or something?
03:54 < h0dgep0dge> i think we get it, you have 3 lans, each with an 8 bit subnet, each with a router, and the wan side of the routers are linked into a third lan where they can talk to the internet router?
03:54 < h0dgep0dge> fourth lan, excuse me
03:56 < ALowther> Yes. It's just a router behind a router behind a router, each with their own address space.
03:56 < h0dgep0dge> is it nested, or branching?
03:56 < ALowther> Nested.
03:57 < tds> a diagram is especially helpful at this point :)
03:57 < h0dgep0dge> and you want all hosts to be able to talk to each other?
03:57 < kuahara> for the record, that's not how you would put different offices into different subnets in the real world. Again, just guessing at the learning objective.
03:57 < dnanib> So you have subnets arranged serially?
03:57 < ALowther> tds: Any free websites where I can easily draw a schematic?
03:57 < tds> draw.io is neat
03:57 < h0dgep0dge> mspaint.exe
03:57 < tds> but in general just disable NAT everywhere other than the last router, set a default route on each route via the one "above" it, then add static routes via the next downstream router for all downstream networks from each router
03:58 < tds> if I'm correctly understanding your design
03:58 < dnanib> And how many routers do you have? Typically one router must be able to route between all the subnets (3 of them) you have and allow WAN access too (though to block one of them off the WAN you need a firewall too)
03:58 < dnanib> ALowther: lucidchart too
03:58 < kuahara> tds, I don't think you mean a default route on the one above it. just a static route that knows how to find the network below it.
03:59 < tds> kuahara: oops, I'm missing an r there, should say "set a default route on each router via the one above it"
03:59 < kuahara> also, multiple static routes will need to be added. just because router 4 knows a route to router 3 doesn't mean it knows where to send traffic to get to the subnet under router 2.
03:59 < h0dgep0dge> you're definitely going to want to be disabling nat, but that's not something that's necessarily trivial, or even possible. i shit you not, my current router doesn't let you change the subnet mask
03:59 < dnanib> ALowther: Let us take your routers one by one. Each router needs at least two subnets directly connected to justify its name. So you are saying on router1 you have 88.1/24 on wan side, and 3.1/24 on the other side (lan side)?
04:00 * tds just uses linux machines as routes, then you can do pretty much whatever you like
04:00 < tds> s/routes/routers/ I think I need a new r key
04:00 < kuahara> I was going to trample over your linux machine to get from A to B
04:01 < dnanib> static routing, dynamic routing with quagga, policy routing with iproute2... the full stuff
04:01 < tds> boo, they all use bird not quagga :)
04:01 < kuahara> if you want to learn cisco stuff instead, Jeremy Cioara's CCENT, CCNA, etc... video series is awesome.
04:02 < Ouroboros> tds: you mentioned acme clients with a built-in web server?
04:03 < tds> Ouroboros: sure, certbot has a standalone mode, I think various other clients do as well
04:04 < h0dgep0dge> ALowther: i'm drawing a diagram of what i'm imagining, just hold tight
04:05 < ALowther> dnanib: Yes, so the WAN side for .3.1/24 is .88.1/24 and the LAN side is .11.1/24
04:05 < dogbert_2> damn...a waste of fine booze: 9,000 barrels of bourbon fall in Kentucky distillery building collapse
04:05 < Goop> What is the most I can get out of a (one, single) fiber optics cable that is 19 miles long, with a budget for the end-devices of $2,000 each?
04:06 < Goop> I guess you could call them fiber optics modems, but I'm not sure that's the appropriate word.
04:06 < h0dgep0dge> hire a chimp with a laser pointer
04:07 < h0dgep0dge> ALowther: take a look at this https://imgur.com/a/8pwZ8eC
04:07 < h0dgep0dge> is that what you're working with?
04:07 < ALowther_> Exactly!
04:08 < Goop> I'm just looking at raw fiber optics, and what to expect for long-distances.
04:08 < tds> ALowther_: what routers are these, what options do you get with NAT?
04:09 < ALowther_> .88.0/24 & .11.0/24 are MikroTiks. .3.0/24 is a Linksys
04:09 < tds> ideally you want to disable it on everything but connections going out via the wan interface on router 1, then set up static routes as I described above
04:09 < dnanib> Subnets are not devices, ALowther_
04:10 < Goop> Was my question not clear?
04:10 < h0dgep0dge> for static routes, each router should have its default gateway set to the router above it, with static routes for each subnet below it, and the gateway for the static routes should be the router directly below it
04:10 < h0dgep0dge> Geep: hold tight chief, we're just helping out this other poor chap
04:10 < h0dgep0dge> LOL ^Geep^Goop
04:11 < Ouroboros> tds: is there a reason why that is a worse idea than dns validation? i assume that this web server runs only at the time of validation?
04:11 < dnanib> ALowther_: there will be a router which has 2 cables going into it, and having IP addresses in two different subnets. You need to identify those devices and the subnets configured.
04:11 < tds> Ouroboros: yeah, it only runs for validation
04:12 < dnanib> On each of them, you need to add a static route to the subnet that appears ONLY on the other one. This static route will have a gateway of the other router's IP address in the common subnet.
04:12 < ALowther_> h0dgep0dge: but how, for example, does .3.0 know the gateway to .11.0. Won't it have been assigned some IP address by .3.0's DHCP server?
04:12 < tds> dnanib: the only thing we're really missing per that diagram is the subnet on the wan interface of router 1, which I'd guess may be dynamic?
04:13 < dnanib> Oh. Was there a diagram? :-)
04:13 < tds> https://imgur.com/a/8pwZ8eC
04:14 < h0dgep0dge> ALowther: if you're using dhcp to configure the routers, static routes go out the window. static ips my friend
04:14 < tds> stick with dhcp and just run ospf/rip/whatever, what could possibly go wrong? ;)
04:15 < dnanib> Here is a typical deployment scenario: --> 192.168.88.1/24|Router1|192.168.3.A/24 <-----> 192.168.3.B/24|Router2|192.168.11.1/24 <--
04:15 < dnanib> ALowther_: with this scenario you need to local Router1 and Router2, and identify what A & B are.
04:16 < dnanib> Then add static route in Router1 : ip route add 192.168.11.0/24 via 192.168.3.B and in Router2: ip route add 192.168.88.0/24 via 192.168.3.A
04:16 < dnanib> That's all to it
04:16 < dnanib> s/local/locate/
04:16 < h0dgep0dge> yeah, just use the ip command on a domestic router, piece of cake
04:17 < ALowther_> Hahahaha. I think he's using Mikrotik commands
04:17 < dnanib> Whatever, just use the appropriate incantation of the device you are working on.
04:17 < dnanib> ip route was used only as an illustration.
04:17 < ALowther_> But those won't work on my Linksys which is the middle router.
04:17 < tds> well you can with openwrt on a consumer router :)
04:17 < tds> or even put bird on that if you want
04:18 < h0dgep0dge> there are better ways to do it if we can switch around the topology of the network, but that's not the game, this is network golf
04:18 < ALowther_> dnanib: BTW. Your example is EXACTLY what I've been trying to do. I just don't know what to put for Default Gateway which is where I ran into the initial problem.
04:19 < tds> default gateway just always needs to be the router "above" each router in that diagram
04:19 < dnanib> ALowther_: as I said: identify A & B in your scenario and put those in
04:20 < tds> then you want 2 static routes on r1 via r2 for the subnets below it, 1 static route on r2 via r3, then you should be done
04:20 < h0dgep0dge> tds: they're asking about the default gw in the topology dnanib is describing
04:20 < tds> ahh, I was getting very confused, that makes more sense
04:20 < tds> it's 3:30am here, I should probably sleep or something :)
04:21 < h0dgep0dge> ALowther: we've given the configuration you need for your set-up, tds and myself gave outlines above. if you want to know the best configuration for these clients to talk to each other that's another question
04:21 < ALowther_> h0dgep0dge: The .11.0/24 network connects to a VPN. The .88.0 router has no WiFi capabilities. Ultimately, I'd like to figure out how I can move the VPN configuration from the .11.0/24 network to the .88.0 router & then set up another VPN network on the .88.0 router, if that's possible. Then I can get rid of the .11.0 router.
04:22 < h0dgep0dge> oh good, i thought this was a tricky setup, turns out you've got vpn involved
04:22 < ALowther_> h0dgep0dge: Yes, thanks. I'm currently providing my son the comfort of my presence while he dozes off to sleep, then I will test it out & see if I can get it working :)
04:22 < h0dgep0dge> np, let us know if you have any luck
04:22 < h0dgep0dge> Goop: you wanted to know about fibre?
04:23 < tds> handling the vpn sounds like a bit of a pain, you'll probably want to add an extra interface for the "vpn lan", then policy route traffic from that via the vpn gateway
04:23 < dnanib> ALowther_: have you solved your first problem?
04:23 < ALowther_> h0dgep0dge: Yes, the current .11.0 router is a hAP lite. It only supports 2.4 band & fast Ethernet. I'd like to get rid of it.
04:23 < dnanib> Is the 11.0/24 network on the remote side of the VPN?
04:23 < ALowther_> dnanib: maybe, I haven't been able to test yet for the reason stated above. I will be shortly.
04:24 < dnanib> And what type of VPN is that? One that hooks two locations/offices or one that allows roaming folks (roadwarriors in VPN lingo) to hook on?
04:24 < ALowther_> tds: Idk what any of that means right now! But it sounds doable! Lots for me to learn ;)
04:25 < ALowther_> dnanib: it's a personal VPN between the homes of my family members.
04:27 < ALowther> If I disconnect on both clients, we'll know it didn't work ;).
04:29 < ALowther> Yeah, idk what it is I'm not understanding. On my .3.0 router I am putting: { Destination IP: 192.168.11.0, Subnet: 255.255.255.0, Gateway: 192.168.11.0 }. It says the gateway address is not valid.
04:30 < h0dgep0dge> does that router have a 192.168.11.0/24 address?
04:30 < h0dgep0dge> the .3.0 router, i mean
04:31 < ALowther> I need to find the address that the .3.0 router has assigned to router through that ethernet port, right?
04:31 < h0dgep0dge> no routers should be being assigned addresses by dhcp
04:32 < h0dgep0dge> as long as your routers are configuring themselves using dhcp your static routes aren't going to work
04:32 < ALowther> What is the default gateway for the WAN?
04:32 < h0dgep0dge> of which router?
04:33 < ALowther> h0dgep0dge: Sorry, that was unspecific. The .3.0 router. What is the gateway to the .88.0 router, which is on the incoming WAN to the .3.0 router.
04:33 < dnanib> ALowther: identify A & B please
04:33 < dnanib> Typically A and B are not 0
04:34 < h0dgep0dge> ALowther: i'm sorry guy i don't know what you just said
04:34 < ALowther> Is the gateway 0.0.0.0?
04:35 < h0dgep0dge> i'm sketching out another drawing to show how it should be configured
04:36 < ALowther> WAN -> .88.0 -> .3.0. -> = ethernet cable from LAN port to WAN port....How do I determine gateway address for .3.0 -> .88.0, for outbound traffic?
04:37 < h0dgep0dge> the gateway address for the .3.0 router is the lan ip address of the 88.0 router
04:37 < whatsabinki3> are you configuring a router or a computer? if you are configuring a router that's the isp info, if it is the router plugged into the modem... if you are configuring the computer then it is the local ip address of the first router connected to the computer
04:37 < h0dgep0dge> but that should be in the wan configuration for .3.0, not the static routes
04:37 < dnanib> ALowther: Destination IP: 192.168.11.0, Subnet: 255.255.255.0, Gateway: 192.168.11.0
04:37 < h0dgep0dge> whatsabinki3: this is what alowther is trying to do https://imgur.com/a/8pwZ8eC
04:37 < dnanib> This is incorrect. This config is supposed to allow your router to send packets to the 11.0/24 subnet. If its gateway is in 11.0/24 itself, we have a chicken-and-egg problem.
04:38 < dnanib> ALowther: refer back here: --> 192.168.88.1/24|Router1|192.168.3.A/24 <-----> 192.168.3.B/24|Router2|192.168.11.1/24 <--
04:38 < dnanib> Look closely where I have mentioned A & B. Identify those in your scenario.
04:38 < h0dgep0dge> dnanib: they're talking about for traffic going from .3.0 to .88.0, nothing to do with sending packets to 11.0/24
04:40 < dnanib> h0dgep0dge: maybe I missed something then. I was responding to this: "Yeah, idk what it is I'm not understanding. On my .3.0 router I am putting: { Destination IP: 192.168.11.0, Subnet: 255.255.255.0, Gateway: 192.168.11.0 }. It says the gateway address is not valid."
04:41 < h0dgep0dge> the gateway should be the address router #3 has on the .3.0/24 subnet
04:41 < dnanib> Yes, A or B in my scenario :-)
04:42 < ALowther> h0dgep0dge: Right, I figured that out, I think. So I looked at the static IP the .3.0 router had assigned to the .11.0 router...but how about a static route going the other way. What is the gateway for the .88.0 router from the .3.0 router?
04:42 < ALowther> h0dgep0dge: I should say, I looked at the dynamic IP it had assigned & then I made it static & used that.
04:43 < whatsabinki3> I'd recommend using a switch and one router, but figuring this out might be interesting...
04:43 < ALowther> whatsabinki3: Hahahha, yes. This won
04:43 < ALowther> won't be a permanent configuration. Just a temporary setup/learning lesson.
04:43 < whatsabinki3> ahh
04:43 < strixdio> can I connect to a cisco switch management port with a rollover ethernet cable connected to my laptop ethernet port?
04:44 < strixdio> or do I need to specifically use the usb/serial cable?
04:47 < dnanib> " So I looked at the static IP the .3.0 router had assigned to the .11.0 router" - this doesn't make sense. Is the first router assigning addresses to the second one via DHCP?
04:47 < h0dgep0dge> this is the configuration you want. https://pastebin.com/RdQFzfte
04:47 < dnanib> strixdio: I think recent models can automatically detect the type of cable so it doesn't matter?
04:47 < strixdio> this is a 3560G
04:49 < ALowther> dnanib: Yes, the .88.0 and .3.0 are both assigning IPs via DHCP.
04:49 < strixdio> happen to know how to factory reset it without console access?
04:49 < dnanib> ALowther: h0dgep0dge's config suggestion should work. I think I misunderstood your topology a bit.
04:49 < h0dgep0dge> ALowther: stop using dhcp to configure the routers, it's only going to make your life more difficult
04:50 < h0dgep0dge> dnanib: this is the topology https://imgur.com/a/8pwZ8eC
04:50 < ALowther> Am I still here?
04:50 < h0dgep0dge> sure looks like it
04:51 < ALowther> Ah man, I'm so confused.
04:51 < ALowther> Good thing these routers are constructed to be smarter than I am :p
04:51 < ALowther> So I set the static routes, but I can't ping 192.168.88.1 from the .11.0/24 network.
04:51 < whatsabinki3> that reminds me... if you turn off dhcp on all routers, except on the one plugged into your modem, then you can plug the output of the modem router right into the output of another router and if its dhcp is off it will work like a switch
04:52 < ALowther> But I am still connected to the Internet on the .11.0/24 network which has to go through the .88.0 router to get to the Internet and come back..
04:52 < dnanib> ALowther: maybe you should post the full config of the routers.
04:52 < dnanib> h0dgep0dge: thanks. Three routers, cascading? :-)
04:53 < ALowther> dnanib: How do I grab that from a Linksys?
04:53 < h0dgep0dge> have you disabled nat on routers 2 and 3?
04:53 < dnanib> Oh wow. The web UI must have a config backup/download somewhere.
04:53 < ALowther> h0dgep0dge: Yes
04:53 < h0dgep0dge> i'd try traceroute instead of ping, it's great for diagnosing multihop issues
04:55 < ALowther> h0dgep0dge: It's getting lost at 3.1
04:55 < dnanib> ALowther: where is the trace starting from?
04:56 < ALowther> .11.x -> .11.1 -> .3.1 -> ****(lost)
04:56 < h0dgep0dge> and what's the destination?
04:57 < ALowther> .88.1
04:57 < h0dgep0dge> okay, so you can talk to .3.0/24 from 11.0/24, but not to 88.0/24?
04:57 < ALowther> Which I have configured on the .3.0 router...{ Destination: 192.168.88.0 , Subnet: 255.255.255.0, Gateway: 192.168.88.1 }
04:57 < ALowther> As a static route
04:57 < ALowther> Yes
04:58 < h0dgep0dge> can you talk to 88.0/24 from 3.0/24?
04:58 < ALowther> h0dgep0dge: Idk how to test that. Idk if Linksys has built in tools like that.
04:59 < ALowther> h0dgep0dge: Let me see if I can test on a client on the .3.0/24 network
04:59 < h0dgep0dge> many routers have diagnostic tools that allow you to do pings or traceroutes
05:00 < ALowther> h0dgep0dge: Yes, it worked.
05:01 < h0dgep0dge> router #1 isn't configured properly to return packets to 3.0
05:01 < ALowther> h0dgep0dge: I was able to talk to .88.1 directly from .3.0 router
05:01 < h0dgep0dge> okay wait hang on
05:02 < h0dgep0dge> no, i don't think you are. router #3 may be able to talk to router #1, but it's not using .88.1
05:02 < h0dgep0dge> sorry, not using .3.1
05:02 < h0dgep0dge> it'll be using .11.2
05:02 < h0dgep0dge> wait christ
05:03 < h0dgep0dge> this scheme is so confusing
05:03 < fedorauser123952> needing vpn service- anyone have recommendations?
05:03 < ALowther> h0dgep0dge: Hahahha, on traceroute router #3 is hearing back from router #2, but not router #1. Yet on the router #2 interface I can hear back from router #1
05:04 < h0dgep0dge> okay, i think router #1 isn't configured to return packets to .11.0/24
05:04 < h0dgep0dge> what routes do you have on router #1?
05:04 < ALowther> h0dgep0dge: I've configured none.
05:04 < h0dgep0dge> also maybe we should switch to pm, fedorauser wants to know about vpn
05:04 < fedorauser123952> i can haz vpn plz?
07:16 <+pppingme> Spice_Boy your boy Elon shutting down all sorts of factories..
07:17 < Spice_Boy> how the hell is he my anything?
07:17 < Spice_Boy> who cares
07:17 <+pppingme> his financial house of cards is really crumbling
07:18 < Spice_Boy> again, why are you telling me? I don't care
07:18 < Spice_Boy> why do you care?
07:22 <+pppingme> because I keep an eye on tech and business
07:22 <+pppingme> but then again, elon isn't really business, he's more of a welfare case
08:16 < h0dgep0dge> anyone here familiar with ipfire? i'm playing around with it in virtualbox, looking at different options for installing on a router, but it's proving difficult to get it to do anything
08:44 < k2gremlin> h0dgep0dge, I stick with pfsens
08:44 < k2gremlin> e
09:06 < networking> hi
09:08 < networking> non technical question, how do you replace or keep track of your bookmarks when a large site like reddit changes their way and has two domains/url's going to old and new sites?
09:08 < mos6502> networking: you don't
09:09 < mos6502> alternatively, regular expressions
09:09 < IanTLopp> I've got AT&T Fiber internet running a Pace 5268AC Modem/Router combo (no other option here), and I've got a Netgear R6900v2 router connected to it. I've got most everything setup and working, with the pace working essentially in gateway mode (they don't have a strict gateway mode - I have to set it to DMZplus mode where all traffic is routed to the router)
09:09 < IanTLopp> this gives the netgear router an external IP address.
09:09 < IanTLopp> BUT, as a result of all this, I can't seem to get the netgear on the same subnet as the Pace unit.
09:10 < IanTLopp> I want all my devices following the same 192.168. routine, but Netgear fails connection to the internet every time I set it up with 192.168. as the subnet
09:10 < networking> mos6502: how does regex come into picture?
09:10 < IanTLopp> any suggestions?
09:11 < mos6502> networking: export (not to xml, to something else) and then regex to new url pattern and then import again
09:12 < mos6502> as to why not html or xml
09:12 < mos6502> https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454
09:14 < varesa> couldn't you still use regex on for example https://reddit.com/[^<]* even if the bookmarks were in XML
09:14 < varesa> sure, never use it for matching XML (or related) tags
09:17 < detha> hipster solution: export to xml, write an xslt filter, re-import ;)
09:18 < networking> mos6502: ok
09:20 < varesa> IanTLopp: have you enabled NAT on the second router? What's the current working subnet?
09:20 < IanTLopp> the current working subnet on the netgear is 10.0.0
09:20 < IanTLopp> while the pace is running 192.168.1
09:21 < IanTLopp> I haven't modified NAT on the netgear yet, so it will be whatever is set by default
09:24 < varesa> IanTLopp: Can you clarify what you meant with "gives the netgear router an external IP address"?
09:24 < IanTLopp> it passes an external (seen by the rest of the internet) IP address to the router, the router's IP is not listed as an IP in the subnet of the Pace modem/router
09:25 < IanTLopp> this is necessary for the netgear to function as a router.
09:25 < varesa> so something outside 10./8 and 192.168./16?
09:25 < IanTLopp> I have lan port 1 on my pace connected to the WAN port on my netgear, as well.
09:25 < IanTLopp> varesa: um.. I suppose so?
09:26 < IanTLopp> the actual mask on both is 255.255.255.0, but I have the subnet of the Pace at 192.168.1.xxx and the subnet of the netgear is at 10.0.0.xxx
09:26 < IanTLopp> if I switch the subnet of the netgear, it won't be able to connect to the internet, and then it will reboot itself, and automatically reset to 10.0.0.xxx
09:27 < varesa> I mean, does the WAN address as seen by the netgear begin with something else than 10. or 192.168. ?
09:27 < IanTLopp> yes
09:28 < IanTLopp> I'm sorry if my responses are short, or slow.. I'm presently bleeding from the head for some odd reason.
09:28 < varesa> okay, then the subnet on the pace router shouldn't matter
09:29 < IanTLopp> well I want to be able to have all devices on 192.168.1.xxx, and I want to be able to access the pace while connected to the netgear
09:29 < IanTLopp> it's not absolutely necessary - but I have static IPs for half my devices. makes my firewall rules so much easier to follow.
09:30 < varesa> uhh, that sounds like a pain to setup
09:31 < varesa> do you have one or two connections between the routers?
09:32 < IanTLopp> varesa: what do you mean?
09:32 < networking> IanTLopp: what is this pace device?
09:33 < IanTLopp> I have one line that comes in from the wall to the modem (the fiber line), then one ethernet line from lan port 1 to WAN on the netgear router, then one ethernet line from lan port 1 on the netgear to my 24port switch.
09:34 < IanTLopp> networking, the pace device is a 5268ac, supplied directly from AT&T for their fiber network. there are NO OTHER OPTIONS (trust me, I've checked), so if I want to have more than 5 wifi devices on at once, or have any control over anything, I have to setup this weird DMZ+ mode that kind of acts like a bridge.
09:35 < varesa> IanTLopp: if the pace gives the netgear an external/public IP it is acting as a dumb bridge which means you can no longer access the pace device from your network
09:35 < IanTLopp> I can actually..
09:35 < IanTLopp> I just can't do so with everything on the same subnet
09:36 < varesa> there must be something in the setup I'm missing as it shouldn't work like that
09:36 < IanTLopp> while my router, and all devices are connected to each other on 10.0.0.xxx, I can type the pace's internal IP address (on 192.168.1.xxx subnet) and it shows me the landing page for the pace.
09:36 < networking> IanTLopp: ok
09:36 < IanTLopp> I'm sure it has to do with that weird DMZ+ mode.
09:37 < varesa> if you have a netgear router that gets an external IP from the ISP and the default gateway also goes to the ISP, any packets to a subnet not known to the netgear device (e.g. the 192.168.1.0/24 subnet) get sent to the ISP
09:37 < IanTLopp> even IF I just wanted to dump the pace's settings, and just have everything else on 192.168.1.xxx, I couldn't modify the pace - its subnet is set in bloody stone.
09:37 < varesa> unless the pace does something really weird and intercepts the traffic
09:37 < IanTLopp> varesa: again - I'm guessing it's the DMZ+ thingy.
09:37 < IanTLopp> yes, DMZ+ best guess.
09:39 < varesa> yeah... I've never come across something like that. It has either been pure bridge mode (router becomes a dumb modem) or "DMZ address" where the second device gets an RFC1918 address but the first device just basically port-forwards all incoming traffic to that address
09:40 < varesa> but you can't have the same subnet on both sides of a router like that
09:40 < IanTLopp> rfc1918 address?
09:40 < varesa> it should be for example ISP -> Pace <- 192.168.0.0/24 -> Netgear <- 192.168.1.0/24 -> your LAN
09:41 < varesa> RFC1918 are general purpose private addresses, 10.*.*.*, 192.168.*.* and 172.?.*.*
09:41 < varesa> well, rather RFC1918 is the document that defines those address ranges
09:41 < IanTLopp> ahhh
09:42 < IanTLopp> I gotcha
09:42 < IanTLopp> so even in the second example, there's no way to have the two devices on the same subnet? hmm.
09:42 * IanTLopp can't wait to build his pfsense router
09:42 < IanTLopp> heh
09:43 < varesa> routers are basically made to divide networks into subnets
09:43 < varesa> and in a network without NAT a single subnet can only exist once
09:44 < IanTLopp> hmm
09:46 < varesa> so if you don't want to change the subnet most of your devices are on and want the netgear router in play (was there something you needed it for that the pace didn't do?)
09:46 < varesa> you could try to change the subnet on the pace as that'd be only one address you really care about
09:59 < IanTLopp> sorry for the delay there - had to deal with the bleeding head.
10:00 < varesa> sure, take your time. I'm supposed to be working anyway :)
10:01 < IanTLopp> well I'm done now.
10:01 < IanTLopp> I don't think I can change the subnet of the router
10:01 < IanTLopp> looks like I'm just going to have to deal with 10.0.0.xxx
11:00 < jackbrown> hello
11:00 < jackbrown> anyone here
11:00 < jackbrown> ?
11:01 < IanTLopp> yes
11:02 < h0dgep0dge> IanTLopp: my router is the same, fixed at 24 bit subnet, absurd.
11:02 < h0dgep0dge> i'm here also
11:03 < jackbrown> if i'd like to upgrade my Laptop Wireless network adapter (MiniPCI of course) which one would you suggest to buy?
11:04 < jackbrown> I just bought a FRITZ!Box 7490 as main router, anyone knows FRITZ!Box ?
11:05 < varesa> without knowing any better I'd probably buy the latest Intel card you could fit in the machine
11:05 < varesa> be aware though that some systems have a whitelist of supported cards you can plug into them
11:15 < spaces> varesa :D
11:24 < jackbrown> varesa, thanks
11:25 < varesa> jackbrown: that being said I know very little about wireless adapters in general so whatever you find be at least sure to google around for reviews/angry complaints on forums
11:25 * varesa thinks he owns more 10G SFP+ NICs than wireless ones
11:26 < jackbrown> varesa, thanks but I think an Intel one would be fine, the only problem I should check is if it's compatible or not with my ASUS N56VZ
11:29 < Apachez> wireless SFP+ nics?
11:30 < Apachez> sponsored by NSA? :P
11:34 < varesa> got to have that 10G wireless
12:34 < kyra_> Hello there! i have a question about network attached storage devices - anyone here that can help?
12:35 < Jonta> Yes
12:35 < kyra_> fairly simple question - i'm looking for a NASD which i can use multiple drives - hopefully up to four - without implementing RAID? i want each drive to be a separate, mountable drive, on a single device...
12:36 < light> why would you want that
12:37 < kyra_> well like i said i want each drive to be interchangeable, and i don't really have a need for it to be read as one large drive. doesn't seem necessary to me, and too prone to failure/headaches
12:38 < h0dgep0dge> isn't the point of raid that it's resistant to failure?
12:38 < light> interchangeable?
12:39 < kyra_> not very familiar with raid, but as i understand if one drive fails or is corrupted, it can ruin your whole raid system?
12:39 < kyra_> swappable
12:39 < light> lol
12:39 < h0dgep0dge> i would have thought any NAS machine could be configured without RAID, but that's just a guess
12:39 < h0dgep0dge> nope, the r in raid stands for redundant
12:39 < h0dgep0dge> you can lose a drive, drop in a new one, and you won't have lost any data
12:39 < light> if you're using raid0 you will lose data if a single drive dies
12:40 < varesa> RAID usually is used to sacrifice capacity for availability/resiliency
12:40 < h0dgep0dge> true, but some argue raid0 isn't raid, because it's not redundant
12:40 < light> you want to be able to swap disks in and out of this nas?
12:41 < varesa> I would expect any decent NAS device to support a volume/share per drive if you want the maximum capacity and don't care about losing for example 1/4th of your data if a disk breaks
12:42 < kyra_> @light - yes
12:42 < varesa> oh, h0dgep0dge already said that. Oh well
12:42 < h0dgep0dge> why do you want to swap disks? are you taking them somewhere?
12:42 < kyra_> looking at the NAS devices it seemed they were designed for RAID, maybe i need to dig a bit harder
12:42 < light> many also support JBOD
12:43 < varesa> RAID is the most common use case but usually not forced
12:43 < light> but I don't see the point
12:43 < kyra_> well for one, if i wanted to upgrade size, but didn't want to upgrade all four, (jbod would work)
12:44 < kyra_> i don't have the $$ to buy four 8tb disks and a NAS all at once
12:44 < light> invest in some decent sized disks now, if you buy small and replace it will cost you more
12:44 < h0dgep0dge> i can understand wanting to avoid a front-loaded cost, even if it winds up costing more
12:45 < varesa> unless the smaller disks can be then used somewhere else
12:45 < kyra_> yeah
12:45 < kyra_> i simply can't afford four 8tb drives, maybe four 2 tb and MAYBE 4tb but that's pushing it
12:45 < h0dgep0dge> how worried are you about losing data?
12:46 < h0dgep0dge> poof and 25% of your data is gone, how bad is that?
12:46 < h0dgep0dge> (or i suppose "25% of your data are gone")
12:46 < kyra_> depends which 25 haha
12:46 < kyra_> not the end of the world, it's not proprietary or anything
12:47 < kyra_> and anything REALLY important i would have more than one backup
12:47 < h0dgep0dge> you can use disks of different sizes in a raid array, but AFAIK you can only use the size of the smallest disk times the number of disks
12:48 < h0dgep0dge> so you could start at 2 tb, and progressively upgrade, you just won't get any more storage space until you've upgraded all 4
12:48 < kyra_> see so that makes no sense at all if you expect to have different sized drives, or to upgrade single drives
12:48 < varesa> though since RAID is not a backup I'd say the primary reason for RAID would be uptime/availability, not preventing data loss
12:48 < light> how much are you planning to spend for this setup?
12:48 < kyra_> so what is the advantage of a RAID then? are you protected from data loss if a drive dies?
12:48 < light> yes
12:49 < light> but not if you delete something accidentally
12:49 < kyra_> hah
12:49 < varesa> or there is filesystem corruption or a software bug or ...
12:49 < kyra_> i'm hoping to spend less than a thousand CAD
12:49 < h0dgep0dge> varesa: i think RAID is only valuable for uptime if you assume backups are already being kept
12:49 < kyra_> preferably in the 400-600 range
12:50 < kyra_> so what are the other alternatives to four separate drives - raid - jbod - ....?
12:51 < light> jbod is just a bunch of disks
12:51 < h0dgep0dge> i don't really think there are any other options, use parity or don't use parity
12:51 < light> well, there is unraid
12:52 < h0dgep0dge> quick primer on unraid, for the uninitiated?
12:53 < varesa> was that just a RAID type implementation that could take mixed size disks?
12:53 < varesa> s/was that/did it have/
12:54 < light> yeah different sized disks and can expand the array
12:54 < h0dgep0dge> that's what it looks like, seemingly just treats smaller disks as if they're bigger, and pads the missing areas
12:55 < h0dgep0dge> for the purpose of calculating parity, that is
12:55 < h0dgep0dge> is there free software to implement that?
12:55 < kyra_> if i had, say, four drives of equal size, would there be storage loss with raid?
12:55 < h0dgep0dge> you trade off space for resistance to data loss
12:55 < light> depends what raid level you went with
12:55 < varesa> with a RAID level that can tolerate a disk loss, yes
12:56 < varesa> you don't just magically get an extra disk worth of space :)
12:56 < varesa> the capacity hit is at least as many disks as it can tolerate to lose
12:58 < kyra_> ok so say you have 4x2tb drives, you would have 6tb usable space, so that you could theoretically have one drive die?
12:58 < light> if you went with raid5
12:58 < kyra_> hmm interesting
13:01 < kyra_> ooook so answer to my original question is basically - any of them should allow for treating four separate drives as four separate drives, but why would i want that?
13:02 < h0dgep0dge> i can understand why you'd want it, but you should know the pros and cons
13:03 < kyra_> thank you
13:04 < varesa> yeah, as you should have separate backups (unless the NAS is the backup, multiple separated copies anyway) it comes down to if you want the maximum capacity for the money and do you care about spending a day or two restoring a few terabytes from backups
13:04 < varesa> and how many family members will be complaining about being unable to access their music/photos/movies/documents while you're restoring said backups :P
13:05 < h0dgep0dge> maybe, if you want to be able to upgrade in the future without buying 4 new disks, get a nas with more than 4 bays
13:05 < varesa> synology is one of the better brands by the way
13:05 < h0dgep0dge> you could get another disk the same size and add it to the array, or get a bigger disk and use it on its own
13:06 < varesa> I've not owned one myself (don't have any off-the-shelf NASes) but I know a lot of people who swear by them
13:07 * varesa logs into NetApp AFF200
13:09 < kyra_> yeah i was looking at synology 4 bay... and it led me to my next question... stock software, or something like openNAS
13:09 < kyra_> ?
13:09 < h0dgep0dge> depends on how much you like having knobs dials and levers to play with
13:10 < varesa> I'd expect the synology software to be good enough
13:10 < varesa> it is good enough that people are trying to run it on their own servers (xpenology) as well
13:10 < kyra_> what KIND of knobs dials and levers? hehe.. i suppose i can just look into that myself though
13:11 < h0dgep0dge> i would assume you can flash new software all day long, try everything out and see what fits
13:12 < kyra_> preach!
13:12 < kyra_> haha that sounds more my style than thinking about it now anyways :P
13:13 < h0dgep0dge> shoot, i would even wager some platforms will install on virtualbox, play around with some virtual drives on there
13:14 < kyra_> gooood idea
13:15 < h0dgep0dge> that's why they pay me the big irc bucks
13:15 < varesa> whaat? I only get small irc bucks
13:16 < h0dgep0dge> you gotta get a brand deal man
13:16 < h0dgep0dge> This IRC Answer brought to you by tide pods. MMMHMMM, tide pods!
13:16 < Jonta> https://irc.com
13:19 < kyra_> hah
13:20 < Jonta> Wonder what their business model is
13:21 < kyra_> dang so many to choose from
13:23 < Jonta> Top 3, gogogo
13:23 < kyra_> couldn't even start
13:23 < kyra_> i'd probably just choose between price point, CPU/RAM specs, and hardware options (hdmi, usb, etc)
13:24 < kyra_> this is really only something i started looking into a couple days ago so i am not yet at the point where i need to choose
13:24 < Jonta> ?
13:25 < varesa> I'm wondering if I should a) build a separate NAS b) stuff an HBA + bunch of disks into one of my hypervisors c) stuff a bunch of disks in my desktop
13:26 < varesa> Separate would be nicest but my apartment is starting to run out of space, need to start scaling vertically, literally :P
13:27 < kyra_> like this one: dual HDMI ports, keyboard mouse connection so it's essentially a standalone machine
13:28 < Apachez> d) store everything in the cloud because what could possibly go wrong?
13:29 < light> your data would get wet in the cloud
13:29 * varesa imagines main storage array dying and having to download 10 TB worth of data/VMs
13:29 < JyZyXEL> i calculated it would take around ~930 days to upload my NAS to the cloud :P
13:29 < light> your porno collection is probably already well seeded
13:30 < light> you only need to backup important data like your tax documents
13:31 < JyZyXEL> but apparently sneakernet is available with some providers
13:32 < Jonta> What if JyZyXEL composited their tax documents into the porn, to hide it?
13:32 < varesa> there was an AWS snowball at the office recently, maybe could use that to upload
13:33 < h0dgep0dge> You can get better throughput to the cloud if you tie an external disk to a weather balloon
13:33 * varesa hides his data among work stuff
13:33 < varesa> h0dgep0dge: why not a rocket?
13:34 < h0dgep0dge> i did try that once, but i'm not allowed into those datacenters anymore
13:35 < varesa> but the others still let you use weather balloons in them?
13:36 < h0dgep0dge> those things take forever to go up and come back down, they don't know who caused that damage
13:36 < Apachez> PORN!
13:37 < varesa> the trick is to shoot the rocket at an angle so it lands beyond visual range
13:37 < kyra_> 4x50tb ssd
13:37 < kyra_> or bust
13:38 < kyra_> screw that, 16x50tb
13:38 < kyra_> backup the contents of my life's google searches
13:38 < light> google already keeps a record of your searches
13:38 < light> you can view it in the top right hand corner
13:39 < kyra_> yeah but i need it for offline access
13:40 < varesa> you need a cluster of 2U shelves with 24x15TB SSDs
13:40 * varesa logs out of the NetApp AFF A200
13:46 < kyra_> hmm i just looked at my google history and apparently i wiped it and turned off storing it so when i created an archive of all my google history it was only 44 items...
13:48 < tempate> Hello. How can I map a local address (i.e. private ip and port) to a specific "domain"?
13:49 < varesa> you can't map a port to a domain (with some specific exceptions)
13:50 < light> tempate: you can redirect with your packet filter
13:50 < varesa> and you also can't directly map a domain you want to be externally accessible to a private IP. You need to map the domain to an external IP of a device that will then port forward or proxy the traffic to your internal stuff
13:50 < tempate> I don't want it to be externally accessible
13:51 < light> what are you trying to accomplish?
13:51 < tempate> I'm just tired of typing 192.168.1.100:8080 every time I want to check out a website I'm hosting there
13:51 < light> why not bookmark it?
13:52 < light> or use autocomplete
13:52 < light> you could use a hosts file entry and a vhost
13:52 < tempate> I mean, yes, I can do that. But still, it would be better if I could simply go with the domain. Also for learning purposes
13:53 < tempate> I'm using a vm running Debian 9, light
13:56 < varesa> tempate: you can map a domain to 192.168.1.100 either by hosting a DNS zone somewhere (internally in a VM or with some external DNS provider)
13:56 < light> or by adding it to /etc/hosts
13:57 < varesa> you'll still need to type domain:8080. Either change the port to 80 or run a reverse proxy on that or some other system (look up for example nginx reverse proxy)
13:57 < varesa> light: yes, I left that out since you already said it + tempate said he wanted to learn DNS
13:57 < tempate> great
13:57 < varesa> but yes, hosts-file can be used to "fake"/override DNS locally
13:57 < tempate> Thank you all very much
13:58 < tempate> /etc/hosts of what machine?
13:58 < tempate> the host, right?
14:06 < tempate> versa: about the reverse proxy, would it be possible to have several of this domains each pointing to a different port?
14:06 < tempate> these*
14:06 < light> you don't need separate ports if you use vhosts
14:06 < tempate> don't I?
14:07 < Apachez> no
14:07 < tempate> mhm
14:07 < Apachez> the server will look at the host header to know which directory to serve as document root
14:08 < tempate> I see
14:09 < spaces> big data, blockchain and privacy complaining people, something is not right there
14:10 < Apachez> and more than 24 hours since spaces last visited pornhub, something is definitely not right there
14:12 < spaces> Apachez you didn't upload anything new, mate even watching my dog sleeping is better than your camera skills
14:12 < spaces> Apachez you cannot multitask, you are a man... when you try to focus on the camera... fill in the rest yourself
14:13 < spaces> Apachez and you are not sexy, the camera has proven :P
14:14 < h0dgep0dge> template: i don't think anyone answered it before, you need to edit the /etc/hosts file on the client, and it will only work on machines that have it added to their hosts file
14:14 < h0dgep0dge> and the windows hosts file is found somewhere else
14:16 < h0dgep0dge> lol too late. it sounds like they might be going to try changing the /etc/hosts file on the server
15:53 < Apachez> How to cleanup a Data Center: https://imgur.com/gallery/qAJg8Xi
15:55 < dogbert_2> bwhahaha...funny
16:10 < jaelae> my team flew up to our DC and did some work
16:10 < jaelae> i left early cause i was there the previous day and they were going to pull old cables
16:10 < jaelae> i came back a week later to find cables on the floor that im not sure where they came from. and in the wiring runs they just cut the ends of cables and stuffed them back in there
16:10 < jaelae> on the flipside - there was no outage
16:12 < zenix_2k2> one question, is there any way i can get my Public IP instead of going to an online site ?
16:12 < zenix_2k2> and it is not that i don't trust those sites but i wanna know how those sites can get my IP address
16:12 < zenix_2k2> logically, if it can then i can ?
16:14 < light> login to your router and take a look
16:15 < Crypto_Cube> Personally, I just have a browser addon that deals with that.
16:16 < zenix_2k2> so er... sorry but which part of my gateway's page shows it ? --> https://ibb.co/mQFVVT
16:16 < light> wan
16:19 < zenix_2k2> one more thing, does your IRC client provide any function that you can use to get my IP address ? Because, this site (https://www.whatismyip.com/my-ip-information/) shows 42.113.189.247 but the WAN part shows 100.109.116.44
16:19 < zenix_2k2> and i haven't actually used anything like proxy or VPN
16:20 < zenix_2k2> not currently* :P
16:20 < zenix_2k2> i am not so sure which IP is the correct one
16:23 < light> /whois
16:27 < zenix_2k2> but it is kinda weird, if my IRC client shows 42.113.189.247 then what does the "IP address" mean in this situation ?? --> https://ibb.co/cXzFVT
16:27 < tds> zenix_2k2: you're behind cgnat, so without making connections out through that you can't determine the address you'll get nated out via
16:28 < tds> (100.64.0.0/10 is reserved for cgnat)
16:28 < zenix_2k2> oh
16:30 < strixdio> I have a 3560g, I tried "delete flash:vlan.dat" but I still have vlans. any thoughts?
16:31 < light> flash:/vlan.dat
16:32 < Apachez> and reboot
16:33 < strixdio> ah, okay.
16:33 < strixdio> thanks :)
16:36 < strixdio> nope.
16:36 < strixdio> everything is still there. I tried wiping the whole config... makes no sense.
16:37 < light> is the file still there?
16:38 < strixdio> idk
16:38 < light> ._.
16:38 < strixdio> I'm very new to managed switches
16:38 < strixdio> sorry
16:39 < strixdio> I have vlan.dat eah
16:39 < strixdio> yeah*
16:39 < strixdio> also c3560-ipbase-mz.122-35.SE5
16:39 < light> delete the file then check again
16:40 < strixdio> okay it's gone.
16:40 < light> dir const_nvram:
16:41 < strixdio> invalid input at c
16:41 < light> k
16:41 < light> delete const_nvram:vlan.dat just in case
16:41 < strixdio> invalid input for the c (of const) again
16:42 < light> reboot the switch
16:42 < strixdio> I have config.text, private-config.text, and that other file I mentioned earlier.
16:42 < strixdio> still good to reboot yeah?
16:43 < light> yes
16:43 < strixdio> okay. doing so now. takes a few minutes :P
16:43 < light> unless you want to also delete the configs as well
16:43 < strixdio> I did try that already.
16:43 < strixdio> I think the configs did delete.
16:44 < strixdio> I had to name the switch and provide an IP
16:44 < light> oh, by the way, there are a set of standard vlans that you always have
16:44 < strixdio> Okay. That's fine, but 100% these were custom from the previous owner.
16:44 < strixdio> How do I set a management IP on an interface?
16:45 < light> grab an ios cheat sheet if you're new to cisco
16:45 < strixdio> okay cool thanks!
16:46 < strixdio> light: I'm looking on http://www.skullbox.net/ioscheat.php
16:48 < strixdio> light: so, do I need to set the IP based on the vlan?
16:48 < strixdio> light: omg, the vlans are STILL there!
16:49 < light> you should properly reset the switch if this is from some former owner
16:52 < strixdio> light: that's what I'm trying to do :/
16:53 < strixdio> I held "mode" while powering on, flash_init ... ?
16:58 < strixdio> ah, missed something. trying it again. Thanks
17:38 < strixdio> anyone around?
17:39 < strixdio> I'm trying to set up my cisco switch, but I'm not sure how to get it so I can ssh to it. I'm in the console session.. gave it an IP, told it the default-gateway... ???
17:44 < Jonta> strixdio: Pastebin of all commands and the responses you received?
17:44 < strixdio> Jonta: ??
17:44 < Jonta> /topic
17:45 < strixdio> Jonta: in other words, it was just the two commands, to set ip address and default-gateway
17:45 < strixdio> Jonta: there's no output of them
17:46 < Jonta> Which switch do you have?
17:47 < strixdio> catelyst 3560g
17:47 < strixdio> catalyst*
17:48 < Jonta> Did you try https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swauthen.html ?
17:49 < strixdio> Jonta: I haven't seen this page, but, I'm not even able to ping the device.
17:49 < Jonta> I'd try googling Cisco 3560g can't ping then
17:49 < Jonta> It's faster if you do the googling yourself =)
17:50 < strixdio> ...... I've been googling......
17:50 < strixdio> I have never set up a switch from scratch before.
17:50 < strixdio> There's probably a lot of config I don't even know about.
17:50 < strixdio> necessary*
17:51 < Jonta> Hm. There's probably a user manual for it
17:51 < Jonta> https://www.cisco.com/c/en/us/support/switches/catalyst-3560-series-switches/tsd-products-support-series-home.html
17:52 < strixdio> https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swipaddr.html
17:52 < strixdio> this is what I followed
17:52 < strixdio> or at least, I am trying to.
17:52 < strixdio> I don't want DHCP
17:52 < Harlock> did you reset it first
17:52 < strixdio> yes.
17:52 < strixdio> full reset.
17:53 < strixdio> basically what I'm getting at is, what is the minimal that I need to do from a fresh reset so I can start using the switch?
17:53 < strixdio> I thought it was setting the default gateway and the switch IP.
17:54 < Harlock> didn't the config script run after you reset and rebooted the switch?
17:54 < Harlock> i need to run out
17:55 < strixdio> yeah, it did. I set the ip, but in "show run" the IP was nowhere to be found, and it didn't reply to pings
18:03 < strixdio> "no shutdown" was the ticket, I guess.
18:09 < strixdio> and this switch is too old for ssh, sadly.
18:12 < Jonta> Too old for ssh?
18:20 <+pppingme> Jonta yeah, you have to be at least 18 to use ssh.. same for beer
18:20 < Jonta> pppingme: And that switch is… over 65536 years old?
18:21 < detha> huh? pretty sure there should be a k9 image for 3560
18:24 < detha> strixdio: https://supportforums.cisco.com/t5/wan-routing-and-switching/ssh-version-2-not-supported-on-cisco-3560-g-switch/td-p/2031908
18:34 < dogbert_2> you need IPBASEK9-mz for the switch to support adv features, including SSH
18:45 < kur0mi2> :D
19:00 < strixdio> detha: thanks
19:00 < strixdio> dogbert_2: thanks
19:00 < dogbert_2> nodz
19:00 < strixdio> so, I have a trunk set up with vlans, and I have a ubiquiti AP with 2 of those vlans on it
19:00 < strixdio> when my clients try to join, they don't get an IP.
19:01 < strixdio> do I have to configure anything on the port itself to allow those vlans?
19:01 < dogbert_2> well, the ports need to be in the same VLAN you're trying to access...
19:02 < strixdio> the ubiquiti AP has multiple vlans
19:02 < strixdio> how can one port be in multiple vlans?
19:02 < strixdio> unless those have to be trunks also?
19:04 < dogbert_2> trunks connect https://help.ubnt.com/hc/en-us/articles/222183968-Intro-to-Networking-Introduction-to-Virtual-LANs-VLANs-and-Tagging
19:05 < dogbert_2> Trunk: A trunk port is typically considered a member of all VLANs—it will accept and forward traffic on any VLAN ID and is typically configured for the uplink and downlink ports between switches and routers.
19:06 < strixdio> which makes sense
19:06 < strixdio> however, that doesn't say anything about APs
19:06 < dogbert_2> look at tagged/untagged vlans...
19:07 < dogbert_2> https://help.ubnt.com/hc/en-us/articles/204962144-UniFi-How-does-VLAN-traffic-get-tagged-
19:09 < strixdio> uh, okay?
19:11 < Harlock> you can tag how you want on the ap and set up ports on the switch to accept tags as you desire
19:11 < strixdio> Harlock: right, that's basically what I have going on. I'm just trying to figure out how to do that on the cisco switch.
19:12 < Harlock> trunk port like was mentioned, not access port
19:12 < Harlock> unless just a single vlan is ok on the port
19:12 < strixdio> Harlock: okay, so my ubiquiti AP needs to be connected to a trunk port
19:12 < Harlock> then it can be an access port
19:12 < strixdio> needs to be multiple :)
19:13 < Harlock> a trunk port will have a native vlan plus you can set it to accept additional vlans iirc
19:13 < strixdio> going to test now. Thanks :)
19:13 < strixdio> yeah, seems about right.
19:14 < strixdio> I probably didn't word it correctly from the beginning.
19:14 < Harlock> on cisco i mean
19:14 < strixdio> yep
19:14 < Harlock> trunk means a different think on some other manufacturers' switches
19:14 < Harlock> er thing
19:15 < dogbert_2> yeah, I wish they would standardize that...
19:17 < strixdio> hm
19:17 < strixdio> so, I added the trunk on that port, proper vlans, still no connection.
19:18 < Harlock> have you had it working untagged?
19:19 < strixdio> no
19:19 < strixdio> well, hang on..
19:19 < xingu> strixdio: what model is this thing and what does your config look like (pastebin)
19:19 < strixdio> so, I have had this AP connected to pfSense for a long time, working just fine.
19:19 < strixdio> 3560G
19:22 < strixdio> https://pastebin.com/fwFrRp32
19:23 < xingu> strixdio: what does "show vlan id 20" say?
19:24 < xingu> strixdio: ditto "show vlan id 30"
19:24 < strixdio> not found
19:24 < Harlock> are you running a single lan interface with multiple vlans on pfsense?
19:24 < strixdio> oh jeez
19:24 < xingu> strixdio: boom.
19:24 < strixdio> I didn't realize I had to make them on the switch.
19:24 < Harlock> oh you didn't set up your vlans?
19:24 < strixdio> I guess not!
19:24 < strixdio> Well, I set up one, 255
19:24 < strixdio> I think.
19:24 < dogbert_2> facepalm :P
19:24 < strixdio> yeah I did
19:24 < strixdio> I didn't realize that's required.
19:25 < strixdio> this is my first managed switch and I'm not formally trained.
19:25 < xingu> strixdio: ios(like) bridge instances have a discrete forwarding stage
19:25 < xingu> strixdio: no stp instance, no forwarding.
19:25 < strixdio> sorry that's over my head right now.
19:25 < xingu> strixdio: so tagged frames will be accepted but terminated at ingress.
19:25 < strixdio> oo
19:26 < strixdio> do I have to give each vlan an IP?
19:26 < xingu> strixdio: no
19:27 < xingu> strixdio: just start stp instances; "vlan 20" "name ..."
19:27 < strixdio> stp instances?
19:28 < dogbert_2> stp spanning tree protocol
19:28 < Harlock> they only need ips for intervlan routing but you will most likely keep your routing on pfsense
19:28 < xingu> strixdio: yes; ios(like) bridge domains resolve to loop-free on a per vlan basis.
19:29 < strixdio> wow I didn't realize how much there is to this.
19:29 < xingu> strixdio: nb, also vtp version 3 and vtp mode off unless you really need it; this will result in the bridge instances appearing in running config, which is a bit nicer from a device recovery perspective.
19:30 < strixdio> <1-2> Set the adminstrative domain VTP version number
19:30 < strixdio> looks like I don't have 3.
19:30 < xingu> strixdio: do it from enable rather than config mode
19:30 < strixdio> am in enable mode
19:30 < xingu> ah, try config mode then. :)
19:31 < xingu> (depends on hw / sw matrix)
19:31 < strixdio> same thing
19:31 < xingu> fair enough; version 2
19:31 < strixdio> might need to update anyway.
19:31 < strixdio> vtp mode client server or transparent
19:31 < xingu> transparent
19:32 < xingu> and yes, update that thing if you have a support contract, it has control plane bugs for sure. :)
19:32 < xingu> current / recommended MD should be fine, don't get fancy with ED
19:33 < xingu> after switching to transparent mode the vlan NNN should appear in running config.
19:33 < strixdio> huzzah I have wifi back :)
19:33 < dogbert_2> LOL
19:33 < strixdio> just to verify: was it the lack of the vlans on the switch, lack of the port being a trunk, or both?
19:33 < xingu> both
19:34 < dogbert_2> add in some comments as well...
19:34 < strixdio> okay :)
19:34 < Harlock> recommend enabling portfast on access ports
19:34 < strixdio> looking into that now.
19:34 < xingu> strixdio: trunk allowed vlan 1 is a little redundant too
19:34 < strixdio> that's for fast stp?
19:34 < dogbert_2> make sure you write the running config to memory
19:34 < xingu> what he said.
19:35 < Harlock> strixdio yes
19:35 < strixdio> :)
19:35 < strixdio> redundant but doesn't mess anything up right?
19:35 < dogbert_2> also, copy the running config to something like notepad++ as well
19:35 < strixdio> well, I'm in the learning process right now. If I break the config, I won't cry about it.
19:36 < Harlock> which switch do you have, 3560G-24PS?
19:36 < strixdio> 48
19:36 < Harlock> oh they did make an ios 15 for it
19:36 < strixdio> oooo!
19:36 < xingu> strixdio: exactly; native pvid is vlan 1, you shouldn't see vid=1 as a dot1q tag in ordinary operation
19:37 < dogbert_2> vlan 1 is typically the mgmt vlan as well
19:37 < strixdio> xingu: so I should remove it?
19:37 < xingu> strixdio: I would, I favour brevity; personal preference.
19:39 < xingu> strixdio: nonobviously "trunk allowed vlan ..." is an egress feature; so if native vlan is in the allowed mask, it's going to get tag stripped during forwarding and then added to the floodlist for that port regardless.
19:39 < xingu> strixdio: hence, "a little redundant"
19:43 < xingu> strixdio: last style tweak, adding "switchport nonegotiate" will disable dtp on that interface for this platform
19:44 < xingu> strixdio: if you don't particularly trust the far end of gi0/1 or gi0/2 I'd recommend it as a second line of defence, dtp isn't well audited.
19:45 < strixdio> wow
19:45 < strixdio> as soon as I removed vlan1, I couldn't get any network connections again
19:45 < xingu> strixdio: I'm not talking about the vlan1 svi, I'm talking about switchport trunk allowed vlan 1
19:46 < strixdio> yes, that's what I mean.
19:46 < xingu> strixdio: oh neat
19:46 < strixdio> lol
19:46 < xingu> strixdio: that's probably because spanning-tree mode pvst; try mode rapid-pvst+
19:47 < strixdio> I don't have +
19:47 < elim_garak> quick question - does anyone know how I could look at a pcap and identify an FC initiator?
19:47 < strixdio> but I put it to rapid-pvst
19:47 < xingu> oh neat.
19:48 < strixdio> I need to update my ios I think.
19:48 < xingu> strixdio: leave the angry bear alone, agreed.
19:48 < xingu> strixdio: is vtp v3 an option in "vlan database" (from configure mode) ?
19:48 < strixdio> no
19:48 < xingu> k
19:48 < strixdio> I do need to update ios, and want to...
19:48 < xingu> then update or not, back to you.
19:49 < xingu> no huge risks and these are all style preferences
19:50 < xingu> strixdio: better than likely chance that this thing will leak memory and crash ~annually
19:51 < xingu> file under 37xx stack ring memory leaks are fun
19:51 < strixdio> lol
19:58 < strixdio> So, this is great. Now I can get a few NICs and add them into my server, and my "diskless" pc for better performance
20:00 < Harlock> my 2960S seems stable
20:01 < Harlock> i don't think it has been restarted since the last iso update i did on it, probably 1-2 years ago
20:10 < Fieldy> fix connection
20:11 < strixdio> oh jeez, now I'm considering things I can't really afford :D
20:28 < varesa> oh, TIL that the IOS needs to have the VLANs defined and that I had them defined without realizing that (VTP etc.)
20:28 < varesa> I wonder what was the great idea behind the configuration that doesn't show up in the configuration :)
20:30 < strixdio> anyone, thank you everyone for helping!
20:30 < strixdio> anyway*
20:31 < newpy> hey is tcp-psh a valid keyword for tcpdump, similar to tcp-rst? eg. tcpdump (tcp[tcpflags] & (tcp-rst) == 0)
20:32 < newpy> I tried google but all I got where people using literal bitmasks like tcp[13]&8 != 0
20:32 < newpy> *were
20:32 < Fieldy> the only way i've seen flags expressed is tcp[13] = 0x18 or some such, though that's psh-ack (too lazy to look it up)
20:32 < Fieldy> that'll be the easier route then
20:32 < newpy> yea I'll just look up the ip header again
20:33 < newpy> just easier to make a mistake using literal bit#'s imo
20:34 < newpy> *tcp header
20:41 < ghostboarder> guys, anyone having issues with browsers refusing to go to https sites?
20:42 < ghostboarder> win10 fully updated, browsers latest versions
20:42 < ghostboarder> in this case, firefox and edge
20:57 < tds> ghostboarder: what error are the browsers displaying?
21:05 < IAMfeelings> hi
21:06 < IAMfeelings> any tips to separate guest from my main wifi network
21:07 < compdoc> separate ports on your firewall
21:10 < IAMfeelings> can I create a vlan on router and trunk with a catalyst 2950 ?
21:25 < wallbroken> hello
21:25 < alexandre9099> *a curiosity question*: What is the max speed over twisted pair cable? is it 10Gb?
21:33 < Kingrat> what kind of twisted pair cable?
21:36 < alexandre9099> let's suppose an sftp cat8 cable (i guess that exists? my point is like the *best quality* cable with 4 pairs)
21:38 < Jonta> wallbroken: Hi
21:41 < wallbroken> can i ask you something?
21:42 < jackbrown> hello
21:42 < jackbrown> can anyone help me ?
21:43 < jackbrown> What happens if I connect a second router identical to the 1st as client IP, disabling DHCP and Firewall, and I use it even as Wireless Access Point ASSIGNING IT THE SAME SSID ?
21:43 < wallbroken> i'm connected to a wifi that allows internet access through a captive portal adding account credentials, but it allows connection to the lan without adding any credentials, so, if i connect my smartphone to the wifi, and i add my laptop ip as default gateway, is it possible to make it look like the packets are sent by the laptop and not by the smartphone?
21:44 <+pppingme> jackbrown make sure the cable into the "new" device goes into a lan port, and you have your channels at least 5 apart, 1-6-11 work best, and it will simply work
21:44 <+pppingme> wallbroken no, not without some manipulation..
21:44 < jackbrown> pppingme, sorry I got lost, what does "channels at least 5 apart" mean ?
21:44 <+pppingme> wallbroken and chances are, the AP has ap isolation turned on
21:45 <+pppingme> jackbrown 1 and 6, 6 and 11
21:45 < wallbroken> is it clear what my goal is?
21:45 < jackbrown> pppingme, here is the guide I'm going to follow, will they be on the same subnet ? will they all have addresses like 192.168.1.X ?
21:45 <+pppingme> wallbroken you don't want to authenticate on the 2nd device
21:45 < wallbroken> AP isolation? i think you misunderstood the problem
21:46 <+pppingme> jackbrown if you cable it properly
21:46 <+pppingme> jackbrown the 2nd device isn't even involved in ip addressing
21:46 < wallbroken> pppingme, both smartphone and laptop are connected to wifi, and they can ping each other
21:46 < wallbroken> the problem is that only one can surf the internet because an account is needed
21:46 < jackbrown> pppingme, sure the 1st will do everything (DHCP firewall etc.)
21:46 <+pppingme> wallbroken then they don't have ap isolation turned on
21:46 < wallbroken> so i want to use an account for both the devices
21:46 < jackbrown> pppingme, what about using the same SSID for both ?
21:47 <+pppingme> jackbrown thats fine, and common... devices will grab whichever has the stronger signal when they startup
21:47 < wallbroken> so in some way i want to forward smartphone traffic to the laptop and the laptop forwards that to the internet
21:47 < wallbroken> in this way i can use the account also for the smartphone
21:47 < jackbrown> pppingme, isn't that a MESH Wireless network ?
21:47 < wallbroken> the problem is: how?
21:47 <+pppingme> wallbroken you'll have to nat or something on the laptop
21:47 <+pppingme> jackbrown NO
21:47 < wallbroken> the problem is: how?
21:47 < jackbrown> pppingme, can you explain to me simply what a MESH wireless network is ?
21:48 < jackbrown> pppingme, it's like a network with many repeaters that you see as one ?
21:48 <+pppingme> usually it means everything is on the same channel, and devices communicate wirelessly.. you're running a multiple AP setup with everything on different channels and all wired to a central switch
21:48 <+pppingme> a cabled AP on a diff channel is NOT repeating
21:49 <+pppingme> repeating and "mesh"ing are bad, because they eat up bandwidth
21:49 < jackbrown> pppingme, this second router, identical to the 1st, has the repeater function, do you think it would be better to use that instead ?
21:49 <+pppingme> multiple AP with good channel management doesn't have any wireless overhead
21:49 <+pppingme> NO
21:49 < jackbrown> pppingme, really ? so the AP I'm doing is better ?
21:50 <+pppingme> if you can pull a cable, run it as an AP, NOT NOT NOT as a repeater
21:50 < jackbrown> pppingme, yes sure!
21:50 < wallbroken> in this way i can use the account also for the smartphone
21:50 <+pppingme> to over simplify, repeaters cut bandwidth in half, wired AP's double bandwidth
21:50 < jackbrown> pppingme, I'm using by the way 2 FRITZ!Box 7490, do you know this kind of modem router?
21:50 <+pppingme> I've heard of it, never touched one
21:51 <+pppingme> wallbroken I'm only guessing, I don't know what the network you're on is watching for.. you'll just have to experiment
21:51 < jackbrown> pppingme, got it, if i'd like to buy another router to connect as AP what do you think is better ? Connect 2 of them to the main or connect in cascade ? Or it's the same since it's always the first connected to the DSL that rules (DHCP etc.)
21:52 < jackbrown> 2 to main or main ----- 1 ------ 11
21:53 <+pppingme> bandwidth wise its better if everything is run to your central switch
21:53 <+pppingme> by cascading, I assume you mean use the switch built into the 2nd device..
21:53 <+pppingme> in that case, the first and second device share the bandwidth of the cable between the main switch and 2nd device..
21:54 < jackbrown> pppingme, but if i connect them main-------1-----------1 isn't it the main that rules the entire network without affecting bandwidth ?
21:54 <+pppingme> describe connect them main-------1-----------1
21:54 <+pppingme> do you mean run a cable from each AP back to your main switch?
21:54 < jackbrown> pppingme, ok main router has DSL connection and 4 Gigabit LAN, Runs DHCP and Firewall
21:55 <+pppingme> ok, everything is on the same Layer2 (ethernet), doesn't really matter where dhcp is..
21:55 < jackbrown> pppingme, 1st router is connected to the 1st Gigabit Lan of the main and has no DHCP and Firewall so it's on the same subnet
21:55 <+pppingme> firewall is obviously on edge between your network and isp network
21:55 < jackbrown> pppingme, third router the same but connected to the 2nd router
21:55 <+pppingme> everything plugged into the common L2 is on the same subnet
21:56 <+pppingme> you're best to home-run the cable from the 2nd ap (what you're calling third router, please use correct terms)
21:56 <+pppingme> when you're running these as AP's, they are no longer routers, they are AP's
21:56 < jackbrown> pppingme, sorry Access point, they turn into access points when I disable DHCP
21:57 < jackbrown> pppingme, fine
21:57 <+pppingme> you should only have ONE dhcp server on your network
21:57 <+pppingme> doesn't matter where it is
21:57 < jackbrown> pppingme, they don't route anything since it's the main that routes/rules
21:57 < jackbrown> pppingme, isn't it better that the DHCP is on the one that is connected to the DSL ?
21:57 <+pppingme> it can be on a PC/server, it can be on your main router, I don't recommend it be on any device that used to be a router and you're re-purposing..
21:58 <+pppingme> there is no requirement where dhcp runs as long as its somewhere on the same L2 segment, and it hands out correct parameters
21:58 < jackbrown> pppingme, PC/server I avoid in a home environment since it should be always turned on
21:58 < jackbrown> L2 segment ? sorry
21:59 < jackbrown> Layer 2
21:59 <+pppingme> same physical lan,
21:59 <+pppingme> layer2
21:59 <+pppingme> yes
21:59 < jackbrown> 192.168.0.X
21:59 <+pppingme> somewhere within all of your nonsegmented ethernet switches
22:00 < jackbrown> So I still didn't understand which configuration is better, the main router that connects via LAN1 and LAN2 to 2 Access Points
22:00 < jackbrown> or a cascade pppingme
22:00 <+pppingme> I don't know what you're calling lan1 and lan2... are you referring to switch ports on your main switch?
22:01 <+pppingme> you should have *ONE* lan, no more, without a good reason
22:01 < jackbrown> pppingme, they are the RJ45 Gigabit outputs on the Main router that runs DHCP and is connected to the DSL
22:01 <+pppingme> you have a switch built into what you're calling your "main router"
22:01 <+pppingme> its a switch, nothing more
22:02 <+pppingme> its probably a 4 port switch
22:02 < jackbrown> pppingme, ok
22:02 <+pppingme> (well, technically its probably a 5 or 6 port switch, but we are getting into semantics and technicals)
22:03 <+pppingme> so if thats enough switch ports for you, its best to home run EVERYTHING to this switch
22:03 < jackbrown> pppingme, I just see 4
22:03 <+pppingme> its got at least one internal port that the "router" hooks to
22:04 < jackbrown> pppingme, initially i was tempted to buy this one that is a repeater but since it has an rj45 port it can be turned into an AP too am I right ? https://en.avm.de/products/fritzwlan/fritzwlan-repeater-1750e/
22:05 <+pppingme> if it has an "AP" mode
22:05 <+pppingme> not all "repeaters" can function as ap's
22:05 < jackbrown> pppingme, but if it spreads the signal connecting via a LAN cable ? What else should it be if not an AP ?
22:06 <+pppingme> some of those devices expect to sync to another AP, if they do, then it won't work as an AP
22:06 < jackbrown> pppingme, so I found this used and it was cheaper too https://en.avm.de/products/fritzbox/fritzbox-7490/
22:07 < jackbrown> pppingme, I made a better choice then
22:07 < jackbrown> pppingme, ??
22:07 <+pppingme> most "routers" can be used as an AP, even if they don't have an "ap mode".. as long as you can disable the dhcp server built into them
22:08 < jackbrown> pppingme, what I miss on those FRITZ!Box is the OpenWRT support, I can't use them as torrent client or download manager
22:08 < jackbrown> pppingme, that's bad
22:09 < jackbrown> pppingme, if you had to build a wireless network in a big house with very thick walls (50cm), possibly using OpenWRT compatible Router and AP, what would you use ?
22:09 < jackbrown> pppingme, a wireless network system
22:09 <+pppingme> real AP's, all cabled back to a central switch, and everything capable of PoE
22:10 < jackbrown> Power over Ethernet
22:10 < jackbrown> pppingme, brand models ?
22:10 <+pppingme> depends on budget
22:10 < jackbrown> pppingme, you think that OpenWRT is a good idea?
22:10 <+pppingme> not for AP's
22:11 < jackbrown> pppingme, for the main switch ?
22:11 <+pppingme> in general, stock firmware on AP's have features that allow multiple AP's to work together
22:11 < mgolisch> i like the ubiquiti stuff or aruba
22:11 < jackbrown> pppingme, together what do you mean ? aren't they all connected to the main switch, each to a different port of the switch?
22:12 <+pppingme> I'm not aware of any PoE switch that supports openwrt, and if there were, I'd expect to lose features, not gain them
22:12 < spare> openwrt's just a mips cross compiler, you can add any foss source to it
22:13 < jackbrown> pppingme, yeah OpenWRT is very flexible, even if I had very little experience with it with my old NetGear WND4300, it completely changed
22:13 < jackbrown> pppingme, i can't find this ubiquiti
22:14 < jackbrown> pppingme, https://www.amazon.it/dp/B00HXT8R2O/ref=asc_df_B00HXT8R2O53394062/?tag=googshopit-21&creative=23394&creativeASIN=B00HXT8R2O&linkCode=df0&hvdev=c&hvnetw=g&hvqmt= ?
22:15 < jackbrown> pppingme, you mean for example, since my provider already gives us a router for accessing ADSL, I should use a Switch that is only a switch, for example with 8 or 16 ports, then connect via lan cables all the APs that I need ?
22:15 <+pppingme> if that came up right, that particular AP doesn't do true PoE (its a hack) and doesn't do A or AC 22:16 < jackbrown> pppingme, sure I should choose one more updated 22:16 < jackbrown> pppingme, and even the switch need to be compatible with PoE ? 22:17 <+pppingme> if you want the devices to be powered via PoE, then yes, the switch needs to feed them PoE.. 22:17 <+pppingme> the switch becomes their power source 22:18 < jackbrown> pppingme, yes I know, why you prefer PoE ? because it's annoying to plug for each AP it's power source (that usually is big and awful?) 22:18 < mgolisch> thats the most common way of doing it, its easier as all you need is one ethernetcable no additional power bricks and stuff where you put your APs 22:18 <+pppingme> I properly mount AP's on ceilings or where ever appropriate, they aren't cheap consumer devices laying around the house.. 22:19 <+pppingme> there typically is no power 22:19 < jackbrown> pppingme, on the ceiling I think is the more elegant way! 22:19 < jackbrown> pppingme, are you installer or you work into doing network ? 22:20 <+pppingme> I make to much to screw with installs, I outsource it 22:20 < jackbrown> https://www.amazon.it/WT-GPOE-8B-24v60w-iniettore-dispositivi-Mikrotik-alimentazione/dp/B01N7HISJK/ref=sr_1_1_sspa?s=pc&ie=UTF8&qid=1529785045&sr=1-1-spons&keywords=Ubiquiti+PoE&psc=1 22:21 < jackbrown> pppingme, why they are 16 ? one for the data other for the power? 22:22 <+pppingme> passive PoE is crap, its not really PoE, and fits NO STANDARDS 22:22 <+pppingme> and in many cases not compatible with gig 22:22 < jackbrown> https://www.amazon.it/Ubiquiti-Networks-UAP-AC-LR-access-point/dp/B016K5A06C/ref=sr_1_109?s=pc&ie=UTF8&qid=1529785336&sr=1-109&keywords=Ubiquiti+PoE 22:23 < jackbrown> pppingme, this is better ? 
https://www.amazon.it/Ubiquiti-Networks-Gestito-Ethernet-Supporto/dp/B004BQCKXO/ref=sr_1_124?s=pc&ie=UTF8&qid=1529785386&sr=1-124&keywords=Ubiquiti+PoE
22:23 <+pppingme> I don't use any equipment that does "passive PoE", period..
22:24 <+pppingme> and I don't allow it on any networks I manage
22:24 <+pppingme> too high of a risk of damage
22:24 < jackbrown> pppingme, the second one ? does it still have passive PoE ? I didn't know that there were different kinds of PoE
22:24 <+pppingme> Real PoE is negotiated, it doesn't just start shooting power that can damage equipment
22:24 < jackbrown> pppingme, what is the difference between passive and active PoE
22:24 < jackbrown> pppingme, can you link me an example of a switch with active PoE ?
22:25 < jackbrown> pppingme, https://www.linkedin.com/pulse/what-difference-between-poe-passive-jason-chesla
22:25 < spaces> I want to bitschslap someone
22:25 <+pppingme> 802.3af defines PoE.. 802.3at (aka PoE+) is the higher wattage version..
22:26 <+pppingme> if your devices require higher wattage, you MUST use an at switch, if all your devices can deal with af, you can use either kind of switch
22:27 < jackbrown> pppingme, ok so if I find a switch and an AP 802.3af compatible it means that they have active PoE
22:27 <+pppingme> it means it has real PoE
22:27 <+pppingme> and that PoE is negotiated and not randomly shot onto the wire
22:28 < spaces> pppingme erm a switch is PoE or not
22:28 <+pppingme> and it won't damage non-PoE equipment
22:28 <+pppingme> spaces kinda.. some PoE switches may only do PoE on some ports..
my 48 port switches only support it on 24 ports for example
22:28 < jackbrown> pppingme, so this https://www.amazon.it/UBIQUITI-Networks-US-8-60W-Ubiquiti/dp/B01MU3WUX1/ref=sr_1_9?ie=UTF8&qid=1529785663&sr=8-9&keywords=802.3af+ubiquiti
22:29 < jackbrown> pppingme, plus this https://www.amazon.it/Ubiquiti-Uap-Pro-1300-Mbit-Ethernet-Supporto/dp/B079DSTX99/ref=sr_1_4?ie=UTF8&qid=1529785663&sr=8-4&keywords=802.3af+ubiquiti
22:29 < spaces> pppingme yeah that is fine but why AT then ? your switch does less because of the power it requires
22:29 < spaces> pppingme I always use old dell 3448's for it, they are great!
22:29 <+pppingme> jackbrown the switch you just linked is an 8 port switch but only four ports do PoE
22:30 <+pppingme> MAKE SURE your ap's only need 802.3af, if they need at, that switch isn't strong enough
22:30 < jim> can you do nat in ipv6?
22:30 < jackbrown> spaces, this beast ? http://www.itinstock.com/dell-powerconnect-3448-48-port-fast-ethernet-network-switch-k0670-8089-p.asp
22:30 <+pppingme> many dual band ap's need the extra power
22:31 < jackbrown> pppingme, ok so there are two standards of active PoE, af and at; at requires more energy and of course a proper compatible at switch
22:31 <+pppingme> and is backward compatible.. an at switch can power anything.. af and at devices
22:32 <+pppingme> an af switch will not power an at device
22:33 < jackbrown> pppingme, do you know of any accesspoint that can be installed near or up to the chandelier?
I think that the mid position of the chandelier should be the best one to spread the signal (instead of putting the AP near the wall)
22:33 < Dagger> jim: it's of course /possible/, but you should generally never actually be doing it
22:33 <+pppingme> almost all single band ap's use the lower power, many dual band ap's need the extra power, cams vary, there's other PoE devices as well
22:34 <+pppingme> shouldn't be close to power, especially if LED's are involved, just causes noise
22:34 < jackbrown> pppingme, so if an AP is 2.4/5GHz it will probably need more power and it will be at standard compatible ?
22:34 < jackbrown> pppingme, ok
22:34 < Dagger> there may be some special cases where it's useful, but you shouldn't be routinely NATing like you do in v4. you should have enough address space that it's unnecessary
22:37 <+pppingme> jackbrown maybe, I have seen dual band ap's that work on .3af, but they tend to be cheaper ones
22:37 < jackbrown> pppingme, got it
22:38 < jackbrown> pppingme, what about Linksys ?
22:38 <+pppingme> I don't even know if they have any PoE ap's
22:39 < jackbrown> pppingme, got it, anyway you prefer PoE just for aesthetic reasons, there are no other reasons right? (I agree anyway)
22:39 <+pppingme> cheaper to install
22:39 <+pppingme> with PoE I have to pay someone to pull network cable, with a powered device I ALSO have to pay someone to pull power
22:39 < jackbrown> pppingme, easier and less time, you don't necessarily need a power source where the AP comes
22:40 < jackbrown> pppingme, great!
22:40 <+pppingme> and with separate power, its probably not on a UPS, so now I need to hang a cabinet for that
22:40 <+pppingme> the cost per device is easily in the hundreds..
22:40 < jackbrown> pppingme, so you confirm that I have to AVOID MESH(it) or Repeating ?
22:40 <+pppingme> thats all bad
22:40 < jackbrown> pppingme, ok!
22:41 <+pppingme> mesh might be good for a low bandwidth application, like neighbors all sharing a few neighborhood cams or something.. beyond that, its crap
22:41 < jim> Dagger, I should never be doing nat on ipv6? why not?
22:41 < jackbrown> pppingme, sorry I got lost in the last sentence you wrote "and with separate power, its probably not on a UPS, so now I need to hang a cabinet for that"
22:42 < jackbrown> pppingme, I'm not a native english speaker sorry
22:42 <+pppingme> whats the question? statement seems clear to me???
22:42 < jackbrown> pppingme, what does that mean ?
22:42 <+pppingme> it means i would have to put up a cabinet to hold a ups.. so that the ap keeps working through power outages
22:43 < Dagger> jim: the question is more "why?" -- you should have enough address space to not need to do it
22:43 < jackbrown> pppingme, ah ok you mean with PoE you don't need a UPS for each AP since you can use one just for the switch (that powers all the APs)
22:43 <+pppingme> jim with rare exceptions, there is no need for nat on ipv6, after all, every subnet has 2^64 ip's
22:43 <+pppingme> jackbrown right
22:44 < jackbrown> pppingme, anyway thanks, you gave me a good idea, for the AP and the switch brand I have to check out UBIQUITI, do you have other suggestions ?
22:44 <+pppingme> anything that supports real PoE is probably already in a better class of equipment.. get all the same brand and model..
22:45 < jackbrown> pppingme, ok you mean what supports real PoE is designed for high end/professional use so should be good
22:45 <+pppingme> thats a bit of an overstatement..
22:45 <+pppingme> even tp-link makes PoE supported ap's
22:46 < jackbrown> pppingme, ceiling is the best solution anyway ?
22:46 <+pppingme> generally, then you can optimize location compared to the space
22:47 <+pppingme> and users don't hardly see them..
they blend in like a smoke detector
22:47 < jackbrown> pppingme, great, even for aesthetic reasons they seem fine
22:51 < spaces> pppingme can we have some physical interaction ?
22:52 < jim> pppingme, you can't set the size of a subnet?
22:53 <+pppingme> jim thats the definition of a mask
22:53 <+pppingme> or prefix length
22:54 < jim> I'm not sure I understand that...
22:55 < jackbrown> pppingme, last thing: are those the fake/passive PoE that I have to avoid ? https://www.amazon.it/DSLRKIT-Active-Splitter-Ethernet-Raspberry/dp/B01H37XQP8/ref=sr_1_15?s=pc&ie=UTF8&qid=1529787041&sr=1-15&keywords=PoE%2B
22:57 <+pppingme> thats a splitter, it takes PoE and splits it off for devices like a PI
22:57 < spaces> some people on OFTC are even worse than Freenode, wtf, are these nerds ?
22:57 < Dagger> jim: you should generally be using /64 for everything. you should have enough space to not need to go smaller, and there's certainly no reason to go bigger
22:57 < Dagger> and SLAAC requires a /64 anyway
22:57 <+pppingme> they are good for mounting tablets on walls and stuff like that
22:57 < jim> in ipv4, I could carve up subnets any way I wanted... I can't do that in ipv6?
22:58 < Dagger> you don't *need* to. a /64 is fine for everything
22:58 <+pppingme> jim standard ipv6 practice is to give everything a /64.. you want another subnet? get another /64
22:59 <+pppingme> in general, isp's are generally giving at least a /60.. if you ask.. so that gives you (64-60)^2 potential networks
22:59 < Dagger> you don't need to ask yourself whether 256 hosts is enough or whether you need to make it /23 or if you can get away with /25...
you just use /64, which fits however many hosts you like
22:59 <+pppingme> many are giving /56's
23:00 < jim> I don't necessarily want to put those subnets directly on the net
23:00 < Dagger> you can split up and route your /56-or-whatever-it-is like normal, it's just that you should be winding up with on-link subnets that are /64
23:00 <+pppingme> jim who's your isp?
23:00 <+pppingme> define "directly"
23:00 < jim> without nat
23:00 <+pppingme> you do realize nat offers NO protection at all, right?
23:00 < Napsterbater> Jim, its called a firewall..
23:01 < jim> that's what I'm building :)
23:01 <+pppingme> an appropriately configured firewall does all you need
23:01 < spaces> pppingme in some way it does
23:01 <+pppingme> in all ways it does
23:01 < Dagger> spaces: no, it does sod all
23:01 <+pppingme> again, nat is not security
23:01 < Dagger> spaces: in fact it's worse than nothing, because it's usually used to make outbound connections possible when they otherwise wouldn't be
23:01 < spaces> pppingme it closes at least the ports you don't NAT
23:01 <+pppingme> no, a firewall does
23:02 < Dagger> your computers would be a lot more secure if they couldn't connect to random internet hosts
23:02 <+pppingme> you start your firewall with a block all inbound rule
23:02 <+pppingme> then you allow rules as needed, if needed (not needed for most consumers)
23:02 < spaces> yeah I know what you mean but try a loadbalancer in front of it, it NATs as well
23:02 < Dagger> spaces: no, NAT doesn't do that at all. NAT applies to outbound connections.
any inbound connection that was possible before you started NATing outbound connections will still be possible after you start NATing outbound connections
23:03 < spaces> and does block the rest of the ports you have services running on
23:03 <+pppingme> some load balancers do, not all
23:03 < spaces> most
23:03 < spaces> actually if it doesn't, it's a shitty LB-er
23:03 <+pppingme> read this 1000 times, if you still don't get it, read it 1000 more times, repeat as needed: NAT IS NOT SECURITY, NEVER HAS BEEN, NEVER WILL BE..
23:04 < spaces> no it's not but it helps :D
23:04 < ellyacht> why can't I seem to shake this innate feeling that someone for the last 8 or so years, has been monitoring/manipulating/dictating whatever I do via the internet?!!?! no matter the medium used...
23:04 <+pppingme> you're assuming one method of load balancing, there are many
23:04 < Dagger> spaces: uh, as I just said... it doesn't help
23:04 < spaces> Dagger I only NAT using LB-ers, it does then
23:04 <+pppingme> and no, nat does not even "help" with security
23:04 < Dagger> take a network. add NAT to the network's outbound connections. it'll have exactly zero impact on the inbound connections for that network
23:04 <+pppingme> never has, never will
23:05 <+pppingme> nat is EASY to bypass if there's no stateful firewall surrounding it
23:05 < spaces> Dagger I'm only talking about inbound
23:05 < spaces> I don't touch outbound mostly because I don't care
23:05 < jim> pppingme, ok, so what you're saying, has got to be that if I have a nost behind a nat it's (1) discoverable, and (2) enterable?
23:06 < jim> host
23:06 < Dagger> jim: what we're saying is that NAT has no impact on those things
23:06 < Dagger> if people can connect inwards to your hosts, then they can do it regardless of whether or not you're NATing outbound connections from those hosts
23:07 < jim> isn't that a big if?
23:07 < Dagger> sure?
but it's one that doesn't depend on NAT
23:08 < bjorn`> Is there such a thing as a latency algorithm that can precisely measure latency in each direction of a link, in the case of async routing?
23:09 < Dagger> the point of all this is that you already need a firewall for security reasons, and that NAT contributes nothing to your security. hence, you don't need to NAT to get security -- you're only NATing because you're out of address space
23:09 < jim> let me just ask this... if NAT is irrelevant in ipv6, is it also irrelevant in ipv4?
23:10 < tds> if you can afford public v4 addresses, then yes
23:10 < tds> but for most people that isn't the case
23:10 < Dagger> for security purposes, yes. you're only doing it in v4 because your ISP hasn't given you a big enough IP allocation for your network
23:11 < Dagger> or "no allocation", as is common for almost all ISPs
23:11 < spare> ill open a free root shell on my box behind isp resi nat right now, if you can ping it you can have it... its definitely the only thing right now stopping a whole heap of stupidity being exposed to the internet
23:11 < jvwjgames_> are ipv6 addresses portable
23:11 < spare> isps shouldnt be shipping any unauthenticated upnp or routable address by default
23:13 < Dagger> spare: that's probably going to be tricky for us. it's just that it's important to realize /why/ it's going to be tricky for us
23:13 < spare> i get its not a security feature but it literally stops people just automating nmap and popping the whole host of old boxes or wrongly configured boxes that arent exposed right now
23:14 < Dagger> no, it doesn't
23:14 < spare> so you can nmap my desktop from behind router nat right now and tell what its running ?
23:14 < Dagger> I've /tested/ this. applying NAT to your outbound connections does absolutely nothing to your inbound ones
23:15 < Dagger> depends. does it have an IP I can reach, and are there any firewalls in the way?
23:15 < Napsterbater> It is not NAT protecting your devices, it is the lack of a route in most cases.
23:16 < spare> thats what i just said, isps shouldnt be shipping unauthenticated upnp on v4 or exposing v6 by default
23:17 < Napsterbater> nothing to do with UPNP.
23:17 < Dagger> they /should/ be shipping routable addresses. it's just very difficult to do that in v4 because there aren't enough
23:17 < spare> same problem different formats
23:17 < spare> resi addresses dont need wan facing lan
23:18 < Dagger> if resi wants to be connected to the internet, then resi should be using globally-unique addresses
23:18 < Napsterbater> spare: using global addresses on LAN doesn't make it "WAN facing"
23:18 < Dagger> if you /don't/ want to connect your network to the internet, then fine, but most people do
23:18 < Napsterbater> again, firewall.
23:18 < spare> most of the iot stuff just gets plugged in, asks for upnp and gets a wan listener
23:19 < spare> default residential routers have sucky setups
23:19 < tds> most of the iot stuff I've seen doesn't bother with upnp, just makes outbound connections (because people actually bother with firewalls) back to some central control system
23:20 < Napsterbater> One reason why I kinda laugh at people who make such a HUGE deal about UPNP being enabled, yet let EVERYTHING outbound go unchecked.
23:21 < spare> ive got uid:gid locked outbound rules, if you're building a botnet listeners are harder to track than a reverse tcp connection, you're forced to hardcode domains in them
23:23 < spare> if you have a listener you can randomize the port and timeout to respond to stop quick scans, its a lot harder to hide a c&c that needs a hardcoded phone home in it
23:25 < spare> thats why i dont think adding more routable address to networks that have no need for them is stupid : /
23:34 <+catphish> spare: no idea what you mean by "wan facing lan", LANs have to be routable to and from the internet since people want to browse their cat pictures, the issue is purely that systems should be adequately firewalled, and most likely consumer devices should be firewalling inbound connections by default
23:35 <+catphish> ie if i send an unexpected packet to someone's home PC, their router should reject / drop it
23:35 < spare> listening ports on lan being forwarded to lan, no authed upnp, any drive by malware can port forward, if it was sensible by default tracking reverse connections is easier
23:36 <+catphish> i also agree wholeheartedly that upnp should be properly secured so that firewall exceptions shouldn't be made unauthenticated from outside
23:36 <+pppingme> jim yes
23:36 < spare> i just cant see ipv6 roll out not making this a thousand times easier by default because of the stuff thats already acceptable as default
23:36 <+pppingme> unless there is a stateful firewall in place
23:37 < spare> is that what was going to be shipped by default ?
23:37 <+catphish> one benefit of ipv6 is that it makes people less lazy with firewalls
23:37 < spare> given upnp for ipv4 is literally default on for every isp box ive ever had
23:37 <+catphish> upnp is fine, as long as it can only be activated from inside the LAN
23:38 <+catphish> and it's pretty useful for consumer devices that need to open inbound connections on the firewall
23:38 < spare> nah should be admin locked to the router, if anything can just request it then you havent bottlenecked listening devices to a gateway
23:38 <+catphish> what?
23:38 < spare> you can turn upnp off and open port forwarding on the device's web interface
23:39 <+catphish> yeah but most people don't want or need to do that, they just want their inbound connections to work automatically
23:39 < spare> every isp box ive had shipped just runs a upnp daemon that allows anyone that asks to port forward
23:39 < jim> pppingme, can a stateful firewall be implemented as iptables rules?
23:39 < tds> jim: yes
23:39 <+pppingme> yes
23:39 <+catphish> spare: no, they only allow it from inside the network
23:39 <+pppingme> and typically is in an ipv4 environment
23:40 <+catphish> which is fine, its only a problem if they allow it from outside, i know some did on occasion :(
23:40 <+catphish> jim: yes
23:40 < spare> thats still the problem, it lets any malware open a listener rather than phoning home to a domain, which is harder to track than a payload being forced to drop a domain or ip in the source
23:40 < Napsterbater> If you have malware on your LAN, you already lost.
23:40 <+catphish> spare: if you have malware on your lan you've lost, it's moot
23:41 < jim> ok, so with such a firewall running, nat is then not irrelevant? what if the nat is implemented by the iptables rules?
23:41 < spare> its not in terms of pushing a domain blacklist and that no longer working, rather it just sitting listening untracked with a whole host of ways to avoid being scanned remotely : /
23:41 <+catphish> phone home is so trivial that there's no point in crippling a useful feature to avoid what you're describing
23:41 < tds> anyway, how does listening on a port and unfirewalling it help if you're not phoning home?
23:41 < tds> it's not like it's easy to scan the whole of v6 space to find your listeners
23:42 <+pppingme> nat is and has always been irrelevant, the firewall just happens to be a convenient place to do it..
23:42 <+catphish> nat isn't relevant to the security
23:42 < Dagger> jim: which rules are we talking about here? the iptables rule that you use to do NAT is separate from the rules used to do firewalling
23:43 <+catphish> but there's definitely a legitimate argument about where firewalls should be implemented, and whether end users should be allowed to manipulate them
23:43 < Dagger> jim: and as I tried to explain, they serve different purposes. one controls which connections are permitted, and the other rewrites the apparent source address on outbound connections
23:43 < jim> so if both were present, then you'd have something reasonable?
23:43 <+catphish> but you should not confuse any of this security with NAT
23:43 <+pppingme> if both what?
23:44 <+pppingme> the firewall is whats reasonable in controlling traffic to/from your network..
23:44 <+pppingme> nat is a hack that has nothing to do with security
23:44 < tds> if you mean both stateful firewalling and nat, then yes, that's what I'd expect of most home v4 routers
23:44 < jim> and if you didn't have them present, having the subnets would be useless, as nothing would be there to route to the exit?
23:44 <+catphish> spare is correct though, i don't believe that it's worth trying to fight malware that already controls your PC
23:45 < Dagger> jim: using NAT when you don't need to use it isn't reasonable
23:45 < wpwpwpwp> hi
23:45 < wpwpwpwp> so I am behind a double NAT probably
23:45 < wpwpwpwp> well
23:45 < Dagger> in v4 you frequently do need to use it, but that's not the case in v6
23:45 < spare> not on about a personal use case, if someone drops something that infects a million end points and they start hammering a dns server, if its a listener you cant kill it, if its doing phone home you can literally stop it receiving updates and kill the network
23:45 < wpwpwpwp> thing is that I read that there may be ways around it without using a tunnel-relay thing
23:45 <+catphish> i can see the argument that sometimes domain blacklisting might work sometimes
23:45 < wpwpwpwp> like letting the router/internet modem use the NAT gateway of ISP directly?
23:46 < wpwpwpwp> how that? pppoe? how does that work?
23:46 <+catphish> wpwpwpwp: i feel like you need to do some googling and come back with a coherent question
23:46 < jim> Dagger, yeah, I'm probably not interested in that point of view; sorry
23:47 < spare> having a botnet run by push updates you can distribute to hide source, or having a single point of failure, is common sense : / opening more devices to the internet will do more damage than good
23:47 <+catphish> jim: what?
23:47 <+catphish> jim: you don't believe in *not* using NAT?
23:47 <+catphish> are you mildly insane, or did i miss something?
23:47 <+pppingme> what point of view?
23:48 < wpwpwpwp> catphish: I did! http://www.practicallynetworked.com/networking/fixing_double_nat.htm
23:48 < wpwpwpwp> catphish: bridge mode in router? is that pppoe?
23:48 < tds> a network without nat? what? surely that can't exist!
23:48 < wpwpwpwp> I got a huawei router thing for LTE
23:48 < wpwpwpwp> tds: it can, ipv6 - in an ideal world that sadly never came...
23:48 < jim> that nat is unreasonable always no matter what
23:48 < tds> wpwpwpwp: i know, I was joking :)
23:48 < jim> which is what he seems to be saying
23:48 <+pppingme> there's few actual use cases to justify nat.. and most are highly technical, none have anything to do with security
23:48 <+catphish> wpwpwpwp: it seems unlikely to me you can avoid double NAT if your ISP already does NAT and only gives you a single address
23:49 < Dagger> jim: I didn't say that. I said using it "when you don't need to use it"
23:49 < tds> wpwpwpwp: it's an ideal world that's already here, I'm typing on a computer that doesn't have a v4 address :)
23:49 < wpwpwpwp> tds: a public ipv6 address it got?
23:49 <+catphish> jim: nat is a hack, it's a good idea when it's absolutely necessary
23:49 < tds> wpwpwpwp: yes
23:49 < wpwpwpwp> catphish: would PPPoE allow the router to become the only NAT?
23:49 < wpwpwpwp> catphish: if not, I guess, there is no way of adding port forwarding because I got no login for the NAT of my ISP, right?
23:49 <+catphish> wpwpwpwp: pppoe isn't something you choose
23:50 <+catphish> either you're already using it, or you can't use it
23:50 < wpwpwpwp> catphish: let's say the router offers this option, could I enable it - and hope it works then?
23:50 < wpwpwpwp> catphish: it is a router with LTE modem
23:50 < wpwpwpwp> would it be worth a try? using LTE over PPPoE?
23:50 < tds> if your isp is doing cgnat (which many mobile networks do), there's very little you can do about it
23:50 <+catphish> wpwpwpwp: your only option would be to get rid of the router and connect one PC direct to the LTE modem, but you wouldn't gain anything
23:50 < wpwpwpwp> tds: I want to connect from the outside to an ipcamera from time to time
23:50 < jim> Dagger, this is what I'm interested in doing: I have a set of scripts that calculate a nat/ipmasq firewall/router given the ips and attributes of how the interfaces are set up
23:50 < wpwpwpwp> catphish: so I still have no port forwarding then? :(
23:51 < wpwpwpwp> damn, some articles I found say it is easy "just enable bridging or PPPoE" and then there is no double nat anymore
23:51 <+catphish> wpwpwpwp: you'd only have one NAT, but i can't think how you'd benefit, your ISP would still be doing a NAT you don't control, so no port forwarding
23:51 < Dagger> most people should be getting sufficient v6 space from their ISPs to not need to NAT. as such, they generally shouldn't be NATing
23:51 < wpwpwpwp> lol, then there is a single ISP NAT without configuration
23:51 <+catphish> wpwpwpwp: IMO if the ISP does NAT, there's nothing you can do
23:51 < Dagger> "I need security" is /not/ a reason to be NATing (and NAT won't help you with security anyway)
23:51 < wpwpwpwp> catphish: OK, so let's say I want to connect to an ipcam behind the NAT (double NAT) - how can I do that?
23:51 < tds> you could try sending upnp at their routers, but they'll likely ignore it
23:52 < jim> they work fine in IPv4, I'm interested in extending that set of scripts so they cover IPv6
23:52 <+catphish> jim: well sure, just don't do NAT
23:52 < wpwpwpwp> catphish: Let's say I got a mobile phone with LTE/3G mobile internet - is it likely that it got no Double NAT and one could connect to it from the outside?
23:52 < jim> what do you do instead?
23:52 <+pppingme> jim change your -j MASQUERADE to -j ACCEPT and you're done, assuming the rest of your rules are reasonable
23:52 < tds> jim: just plain routing, you'd typically get a subnet route to you via dhcpv6 prefix delegation
23:53 < tds> s/route/routed/
23:53 <+pppingme> wpwpwpwp its likely your mobile provider is doing nat before it even gets to you..
23:53 <+catphish> jim: ipv6 is different, you need some IPs, you need PD, you need SLAAC, several things
23:53 < jim> you're welcome to look at them, they're on github
23:53 < Dagger> or just drop the `-j MASQUERADE` rule, that chain is usually set to policy ACCEPT anyway
23:53 <+catphish> jim: you just don't need NAT
23:53 < Dagger> you also need to pick the LAN subnet based on a DHCPv6-PD request to your upstream router
23:53 < Dagger> that's pretty much it
23:54 <+catphish> some ISPs just blindly route a whole /56 or /48 to your router, no PD needed :)
23:54 <+catphish> in that case it's MUCH easier
23:54 < wpwpwpwp> pppingme, catphish: OK, so I need a VPN in the middle, the box behind double NAT has to connect to that VPN server at the outside, then the smartphone can also connect to it and form a connection
23:54 < wpwpwpwp> what is a cheap / free shell/vpn/cloud instance service I can use for this?
23:54 <+catphish> wpwpwpwp: yes thats a good way
23:55 < wpwpwpwp> are there cheap/free providers for VPN servers that I can use as middleman?
23:55 <+pppingme> wpwpwpwp does this vpn server have a real ip?
23:55 < Dagger> catphish: PD is still the only automated way to find out what the /56 or /48 is
23:55 <+catphish> wpwpwpwp: normally the best option is to rent a cheap VPS and learn how to use openvpn
23:55 <+catphish> Dagger: makes sense if its not static
23:55 < wpwpwpwp> pppingme: I guess it has, right? otherwise the smartphone / natted box wouldn't be able to find it
23:55 <+pppingme> then you're done..
23:55 < wpwpwpwp> catphish: could you recommend me a VPN that is very cheap and good that I can try for this?
23:55 < Dagger> catphish: even if it is static, it's still the only automatic way to get that info
23:56 <+pppingme> nat isn't generally a factor for outbound traffic (client trying to reach server), its more a factor for inbound (you are the server)..
23:56 <+catphish> wpwpwpwp: see my previous message
23:56 < wpwpwpwp> pppingme: hm, public IPs are the most expensive part of a server?
23:56 <+pppingme> no, hardware and power ios
23:56 <+pppingme> no, hardware and power is
23:56 < wpwpwpwp> catphish: "normally the best option is to rent a cheap VPS and learn how to use openvpn"
23:56 <+catphish> yes
23:56 < wpwpwpwp> catphish: and what cheap VPS would you recommend? :) I just want to try this
23:57 < Apachez> cooling is pretty expensive too
23:57 < wpwpwpwp> Apachez: so we need optical computing :P
23:57 <+pppingme> you can find vps's all over the place for $5/month
23:57 < wpwpwpwp> pppingme: can it be even cheaper?
23:57 <+catphish> wpwpwpwp: i can't recommend something, since there are different providers in different countries, and my experience is normally with more expensive high quality ones, maybe look at linode
23:57 < Apachez> wpwpwpwp: how would that help?
23:57 < wpwpwpwp> Apachez: light would be faster and no cooling
23:57 <+catphish> wpwpwpwp: probably isn't going to be less than $5
23:57 < tds> just try to pick a provider who's not too new/small, otherwise you may find your vps disappear in a few months ;)
23:57 < wpwpwpwp> ah I see
23:57 < Apachez> wpwpwpwp: not true
23:58 < wpwpwpwp> what is the cheapest VPS I could get? :P
23:58 < Apachez> its the computing that costs power, not the electrons on the bus itself
23:58 <+pppingme> you could always peer up on something like dn42, but thats probably beyond your tech level
23:58 < tds> oh yeah, dn42 is a neat suggestion
23:58 < tds> plus then it would have an actual use!
23:58 < wpwpwpwp> oh, dn42 is a bit like blockchain, no? :P
23:58 <+catphish> no
23:58 < tds> no
23:58 <+catphish> wpwpwpwp: actually, you could just get a free ipv6 tunnel from HE then use ipv6
23:59 < tds> catphish: no luck with 6in4 behind nat though :(
23:59 < wpwpwpwp> catphish: HE = Hurricane electric?
23:59 < jim> so I take it there are no unroutable subnets (like 192.168.*, 172.(16-31).*, 10.*)?
23:59 < Dagger> catphish: so long as you have a public v4 address to run the tunnel on, of course...
23:59 <+catphish> wpwpwpwp: yes
23:59 < wpwpwpwp> ah found it
23:59 <+catphish> Dagger: i hoped it could run over UDP, not sure though :(
23:59 < tds> iirc he only supports 6in4, not udp
23:59 <+catphish> wpwpwpwp: might not work if you don't have a public IP :(
23:59 <+pppingme> correct, about HE
--- Log closed Sun Jun 24 00:00:11 2018