--- Log opened Tue Jul 10 00:00:12 2018
--- Day changed Tue Jul 10 2018
00:00 < E1ephant> eh, it's good for the price/prosumer level, not quite enterprise but they are making progress now
00:00 < xamithan> dell has all that force10 stuff. It's pretty good if you get the enterprise stuff
00:00 < dimino> hey, does the value 127 ring any bells for anyone with regards to connection timeouts?
00:01 < Maarten> tds, the consumer brand netgears - at least some of them - can be managed.... but unlike the larger devices that come with their own built in web interface you have to use some crappy software to manage them. Other than that, solid switches imho
00:01 < Maarten> https://www.amazon.com/dp/B00MPVR50A/ref=sspa_dk_detail_0?pd_rd_i=B0000BVYT3 - these are cheap simple unmanaged.... and pretty good for the cheapness of them. You still get the classic metal box :)
00:01 < tds> Maarten: ah right, the netgears I've seen have had management over a web ui/telnet/ssh/serial, I'm sure there are some far worse ones out there though ;)
00:02 < E1ephant> for that price you can get managed though?
00:02 < Maarten> https://www.amazon.com/dp/B00M1C0186/ref=sspa_dk_detail_0?pd_rd_i=B0000BVYT3&th=1 --- managed one.
00:03 < Maarten> I have like 4 of those 8-porters spread around the house lol
00:03 < E1ephant> https://mikrotik.com/product/RB750UPr2
00:04 < E1ephant> managed and poe for the same pricepoint
00:04 < E1ephant> stupid cheap: https://mikrotik.com/product/RB750r2
00:07 < Maarten> E1ephant, stupid cheap maybe, also stupid slow.... test tab reveals it only routes up to 490-ish Mbps. And a LOT less if you enable any features.
00:08 < Maarten> besides, I built my own PFSense firewall, works fine and routes 1 Gbps in both directions.
00:16 < ali1234> 490Mbps is pretty good considering it only has 10/100 ethernet
00:19 < Maarten> ali1234, well that explains why :P
00:20 < ali1234> apparently the non-lite version has 10/100/1000
00:20 < ali1234> it claims 1972Mbps
00:20 <+catphish> i'd say 490Mbps was not entirely possible on 10/100 :)
00:20 < ali1234> i don't understand how that's possible, but whatever
00:20 <+pppingme> you aren't getting 490mb/s on a 100 mb/s nic
00:20 < ali1234> https://mikrotik.com/product/RB750Gr3#fndtn-testresults
00:21 <+catphish> that's got gig ports
00:21 < ali1234> and they claim 2 gig throughput?
00:22 <+catphish> sure
00:22 <+catphish> why not
00:22 < ali1234> all ports at once?
00:22 <+catphish> only 2 ports
00:22 <+catphish> it has 5 total
00:22 < ali1234> what exactly are they claiming?
00:22 < Maarten> so 1 Gbps up, and 1 Gbps down at the same time..... that's not uncommon anymore in residential internet these days
00:23 <+catphish> they're claiming it can bridge 2gbps across any of its ports
00:23 < Maarten> maybe they can do port bonding? If you have a compatible dual port intel card....
00:23 <+catphish> maybe 1G on 2 ports maybe 500M on 4 ports :)
00:23 <+catphish> it doesn't matter
00:23 <+catphish> 2G total
00:23 < ali1234> so 1G in and 1G out again?
00:24 < ali1234> (on a different port)
00:24 <+catphish> oh routing too, it can route at 2Gbps nice
00:24 <+catphish> there's no "in" and "out"
00:24 < Maarten> its a switch, so the switch can process 2 Gbit/s.... that could be 1 Gbps flowing through port 1 and out of port 4, and another 1 Gbps flowing into port 2 and out of 3
00:24 <+catphish> it can handle 2G total, ie 2 G of traffic from any combination of ports
00:25 < Maarten> right what he said
00:25 <+catphish> actually its a router too, it can route 2Gbps
00:26 <+catphish> it has 5 ports so there are 5 directions traffic can come from, not just "in" and "out" think of it more like a roundabout than a stargate
00:26 <+catphish> but sure, if you only use 2 ports as "WAN" and "LAN" then it can do 1G each way
00:27 <+catphish> (at the same time)
00:27 < ali1234> i see. so that's not terrible then?
00:27 <+catphish> not at all
00:27 <+catphish> that's a very very impressive spec for a cheap device
00:27 < rhineheart_m> hello guys! Can you recommend GPON for 2 KMS FOC install?
00:28 <+catphish> rhineheart_m: i think more info would be needed, one would never use gpon for a *single* install
00:29 <+catphish> for a point to point link you just use ethernet
00:29 < rhineheart_m> it's for a community of like 50 endpoints
00:29 <+catphish> ok, then maybe gpon makes sense, though i still prefer ethernet
00:30 < rhineheart_m> what if the reason for this is just to avert the effects of surges made by lightning strikes
00:30 <+catphish> reason for what?
00:31 <+catphish> lightning doesn't affect fiber afaik, so that can be ignored
00:31 < rhineheart_m> aside from bandwidth concerns
00:31 < rhineheart_m> it is not as susceptible as a copper run
00:31 <+catphish> much less so i'd think
00:32 <+catphish> first of all, you would never install a 2km copper run in 2018
00:32 <+catphish> don't even entertain the idea unless it's essential for some reason
00:32 <+catphish> you always want fiber ethernet or gpon if possible
00:33 <+catphish> 2km of copper is not going to give speeds people need these days
00:33 <+catphish> even with VDSL2, it sucks at that distance
00:33 < JazzyDude> it probably won't affect fiber the medium itself, but something else in the datapath may be affected by it
00:33 <+catphish> well sure
00:33 < JazzyDude> something that doesn't use fiber, I mean
00:34 <+catphish> rhineheart_m: anyway, you want to know if you should use gpon over other fiber options? or looking for advice on how to deploy it?
00:40 < rhineheart_m> it's not a single run..
00:41 <+catphish> you said, 50 endpoints
00:41 < rhineheart_m> yeah. I just mentioned it again. Somehow you missed it.
00:41 <+catphish> ?
00:42 < spaces> anyone doing caching networks ?
00:42 < spaces> so lots of traffic
00:42 <+catphish> you said it was for 50 endpoints, i said gpon might make sense for that kind of deployment
00:42 < rhineheart_m> or perhaps the better inquiry is... what benefits can I get from gpon over other foc deploys on 50 endpoints
00:43 <+catphish> you have 3 options: 5 separate runs, a switch, or PON
00:43 <+catphish> *50
00:44 <+catphish> PON is likely the cheapest and most inferior option
00:44 <+catphish> but it's popular because it's cheap and requires less hardware to be installed overall i believe
00:44 < rhineheart_m> got it, catphish. Thank you!
00:45 < rhineheart_m> in our place... just 2 days.. the cost of a rent is equal to the cost of the machine :D
00:46 < rhineheart_m> I am referring to a splicer/fusion machine
00:47 <+catphish> if you're installing fiber i assume it's worth buying a splicer
00:48 < rhineheart_m> especially if you do the maintenance
00:48 < rhineheart_m> any trusted brand to recommend?
00:48 < rhineheart_m> I am looking at this.. https://www.amazon.com/OrangeA-Splicer-Automatic-JW4108S-Digital/dp/B071J65SCT/ref=sr_1_1?ie=UTF8&qid=1531170588&sr=8-1&keywords=splicer+fiber
00:49 < rhineheart_m> another one.. which is from china :D https://www.aliexpress.com/item/English-menu-Fiber-Fusion-splicing-machine-DVP-760H-Fiber-Optic-Fusion-Splicer-DVP-760H-FTTH-Optical/32809172061.html
00:50 <+catphish> i'm afraid i have no direct experience with it
00:50 <+catphish> i can only share what i know of the general concepts
01:03 < hfp> E1ephant, Maarten: the thing is... I don't know what to do with a managed switch, I'm not using VLANs because I don't understand them (yet) or what they're for
01:04 < Maarten> yeah I wouldn't worry about it then.... I don't really use them either by the way, but I may play with it to separate my IoT devices from my regular network.
01:14 <+catphish> i sleep now
01:16 < hfp> Ha, I found some GSM7312 switches, 20$ for one, 60$ for 4. It looks like they're managed gigabit switches. Worth it?
01:24 < E1ephant> hfp: a managed switch can help get traffic metrics on a per-port basis
01:25 < E1ephant> they can also give insight into port errors or link status, advanced sw/hw will do TDR down copper lines
01:31 < Apachez> TDR ?
01:31 < Apachez> hfp: you do the math?
01:32 < Apachez> there might be a reason why these are thrown out for $20? ;)
01:50 < spaces> E1ephant stay FAR AWAY from Apachez, he thinks he is a Helicopter or a Webserver... it can get worse with you!
01:50 < spaces> hph^ ^:P
01:51 < Apachez> E1ephant: wanna hug?
01:54 < spaces> Apachez you didn't pay your license fee for that
01:59 < nojeffre1> Is the general consensus among networking pros to not use STP for redundancy?
02:02 < E1ephant> nojeffre1: if it can be avoided, yes.
02:02 < E1ephant> it does have use cases though, campus comes to mind.
02:03 * spaces waves :)
02:04 < spaces> ok, back to work, later guys!
02:04 < E1ephant> sick individuals
02:10 < nojeffre1> E1ephant I see, thank you
03:10 < forgotmynick> can someone explain to me why randomly throughout the day and night every access point on channel 6 disappears? https://i.imgur.com/67TCVC9.png
03:17 <+pppingme> could be literally anything non-wifi that's using 2.4ghz.. there's an incredible amount of stuff that's on or near the same frequencies as wifi.
03:17 <+pppingme> How long does it disappear? On average how often does it disappear?
03:30 < spaces> why do we work ?
03:30 < spaces> we should get some more free
03:32 <+pppingme> spaces that's what the democrats believe..
03:32 <+pppingme> until they run out of other people's money
03:34 < spaces> pppingme meant 60 hours work instead of 100 hours :P
03:44 < forgotmynick> pppingme: anything from a few minutes to 10 minutes the highest I've seen. i first noticed this when my ring doorbell 2 was being a piece of shit and ring kept telling me to reset it. in the UK, houses are much closer together and streets are much narrower compared to the US (assuming you're from there) so it's perfectly normal to see a lot of access points around but smart things aren't popular here, especially
03:44 < forgotmynick> not in my city and it being around 2am, it's weird for there to be any interference now
03:44 < ahyu84> hey hey guys
03:44 < ahyu84> would like to ask u all a few questions
03:44 < ahyu84> My company is expanding to china
03:44 < ahyu84> would like to use fortigate firewall
03:44 < ahyu84> and setup site-to-site vpn to malaysia datacenter
03:45 < ahyu84> but I heard china blocked all VPN
03:45 < ahyu84> does my site to site not work from malaysia to china and vice versa?
03:45 < forgotmynick> i'm thinking it may be something to do with smart meters these electricity companies are wanting to put into every home? I've rejected it for my house but maybe neighbours have had it installed and that's causing this? it's really bizarre man
03:46 < ahyu84> we mainly want to access datacenter only
04:11 < CoolerZ> is it possible to view the path of a url in a https connection?
04:11 < CoolerZ> by a man in the middle attack
04:11 < CoolerZ> it seems my university's network is blocking any url that contains the word 'proxy' in it
04:12 < CoolerZ> even if it is only in the path part of the url
04:12 < CoolerZ> maybe i should ask in #security
05:05 < pennTeller> Hi guys I have a question regarding vlans. If I have let's say a 3 port switch with 3 different vlans (one per port) do the devices connected to such ports remain in the same overall network but can't talk to each other? or does each port become something like 192.168.1.0/24, another 192.168.2.0/24 and another one 192.168.3.0/24?
05:10 < BenderRodriguez> vlan is a layer 2 construct while networks are a layer 3 construct
05:10 < BenderRodriguez> so technically, I guess you should be able to have the same subnets in multiple vlans
05:10 < BenderRodriguez> but i don't think that's something sane people would do
05:10 < BenderRodriguez> nor would there be a reason to
05:11 < BenderRodriguez> nor would some switches be able to support it without issues
05:11 < pennTeller> BenderRodriguez but how? if the default gateway is let's say 192.168.0.1 how can you have a vlan that is let's say 192.168.3.0/24?
05:11 < pennTeller> or to rephrase, what ip's are assigned to devices in vlans?
05:12 <+pppingme> if its a layer3 switch, its implied that it will **route** between vlans
05:13 <+pppingme> even if its a L2 switch, its typically implied that some router belongs to all the vlans and is able to route between them..
05:13 <+pppingme> assuming access rules and firewall rules don't interfere
05:13 < pennTeller> +pppingme then where is the alleviation that comes from having vlans if you can still talk to devices in other "networks"?
05:14 <+pppingme> vlans have different goals.. sometimes (as your last question implies) its about security, other times its about controlling segment size
05:14 < pennTeller> +pppingme but where is the security if the switch will still "route" as you say?
05:14 <+pppingme> think of an office with 10,000 employees, but no real security concerns..
05:15 <+pppingme> you can setup access lists on the switch to block said routing
05:15 < pennTeller> +pppingme I see
05:15 <+pppingme> or you can slap a firewall between vlans
05:16 < pennTeller> but these vlans would still be part of the main network right? in the sense that they cannot talk to each other (due to switch rules) but the computer connected to the switch are all still lets say in the 192.168.1.0 network
05:16 < pennTeller> is this correct?
05:16 < pennTeller> computers*
05:16 <+pppingme> depends on how you define "network"
05:17 <+pppingme> its implied that every vlan will be on its own ip subnet
05:17 < pennTeller> so lets say I have a network now with my gateway being 192.168.1.1
05:17 < pennTeller> +pppingme I see
05:17 <+pppingme> and of course each subnet will have its own gateway
05:17 <+pppingme> and how you setup that gateway will determine what talks, and what doesn't talk
05:18 < pennTeller> so one vlan would be 192.168.1.0 another would be 192.168.2.0 ...etc?
05:18 <+pppingme> potentially, although personally, I'd fire anyone using 192.168 in a corporate environment
05:18 < pennTeller> +pppingme why so?
05:19 <+pppingme> it shows laziness, it has high potential to conflict with future work, workers working from home, etc..
05:19 < pennTeller> +pppingme I see... so to finish bothering you one last question if you dont mind.
05:19 < pennTeller> In this hypothetical vlan setup does each vlan have a sort of "virtual gateway" ?
05:21 < BenderRodriguez> pennTeller: https://i.imgur.com/HV6KTs1.png
05:21 < BenderRodriguez> this is my home network, each network is segregated to its own vlan with a virtual subinterface going from the router into that vlan
05:22 < BenderRodriguez> e.g. eth1.30 for vlan 30, eth1.20 for vlan 20 and so on
05:22 < BenderRodriguez> so each vlan has its own layer 3 gateway to do inter-vlan routing
05:23 < pennTeller> BenderRodriguez that helps clarify a bit
05:23 < pennTeller> thanks guys
05:42 < dogbert2> found a memory leak in BIND :)
05:44 <+pppingme> write a patch to fix it
05:45 < dogbert2> I already did, pppingme :P
05:46 < dogbert2> submitted as a bug report (2nd one I've sent in today)
05:48 * dogbert2 spins Ram Jam - Black Betty
06:08 < pennTeller> Hi guys I have a question about voip. Can one simply setup a freepbx server at home and call normal numbers?
06:23 < Apachez> in short yes
06:23 < Apachez> but you need to find a way from your pbx into a pbx that's connected to POTS
06:23 < Apachez> usually through a sip trunk with a phone company
06:26 < Harlock> just get a sip provider
06:27 < Harlock> doesn't even have to be a sip trunk
06:30 < Goop> Does a postfix relayhost go both ways? Send and receive?
06:30 < light> Can do, but not necessarily
06:31 < light> Depends on the domain of the email
06:31 < light> The question is vague though
06:33 < Goop> I'm using G Suite and I want to have some control over my stuff, so I wanted mail to go through my own server. I put relayhost = ASPMX.L.GOOGLE.COM:465 in main.cf
06:34 < pennTeller> Apachez but I dont understand how there can be a "provider" if it is voip
06:35 < pennTeller> can one call "voip only" phones without having to go through a provider?
06:49 < Goop> light, here's my config: http://paste.ubuntu.com/p/vCHGmg97rN/
06:54 < scientes> pennTeller, yes, using a SIP address
06:54 < scientes> then it goes directly through the internet
06:55 < scientes> pennTeller, but you still need a sip server, and often people use the same provider that is providing a phone number to do that
06:55 < scientes> cause setting up a SIP server is non-trivial
06:56 < ||cw> pennTeller: phone numbers don't just exist on the internet, they are provided by phone companies, aka, providers
06:57 < ||cw> you can technically direct dial SIP addresses, but you need to know the server IP and the phone's account name.
06:57 < light> well, they can exist in the same way you can run your own dns servers
06:57 < ||cw> and most phones don't have a way to dial that
06:57 < scientes> ^^^^
06:58 < ||cw> light: sure, you could setup a private phone network
06:58 < scientes> and software like telegraph, and google duo just use phone numbers to look people up
07:07 < Harlock> pennTeller you can do direct sip if you know how to reach the other end
07:07 < Harlock> and they are allowing direct sip calls
07:23 < Goop> How do I make sure I can use my mail server to proxy mail for G Suite? Here's my configuration for Postfix: http://paste.ubuntu.com/p/vCHGmg97rN/
07:40 < pennTeller> thanks guys it makes sense to me now :) I appreciate the POTS explanation
07:44 < scientes> Goop, yeah I do that so I can use my private domain with gmail
07:45 < scientes> Goop, i just use /etc/aliases, with scientes scientessemailat@gmail.com
07:45 < scientes> and no relay host
07:46 < scientes> I can paste it if you want me to...
07:46 < scientes> Goop, also you have to set up reverse dns properly
07:47 < scientes> otherwise google won't accept your mail
07:47 < XATRIX> Hi can you advise ? what's the best method to provide PAT ? I have tons of ports to forward. I don't think that forwarding 'one port per line' is a good idea, for hundreds of them. My config file will become endless...
07:47 < XATRIX> i tried to use access-lists with port range + route-map
07:47 < XATRIX> But my cisco 4300 doesn't want to apply the second rule which describes the second access-list and ip nat rule
07:48 < XATRIX> https://pastebin.com/nP7tNZS5
07:48 < XATRIX> I have only one public IP, so i don't need a pool actually , if i understand correctly
07:48 < scientes> XATRIX, you mean NAT46?
07:49 < XATRIX> nope. standard one
07:49 < afidegnum> hello, in order to improve security i have blocked most of the used ports to allow a few common ones. but i noticed i can't access the web... port 80 here are my ip tables https://hastebin.com/ugakavagoy.hs
07:49 < scientes> XATRIX, oh you spelled it wrong
07:49 < scientes> you said "PAT"
07:50 < afidegnum> firewall rules... mvn
07:50 < XATRIX> sorry... i thought i was correct :)
07:50 < XATRIX> need port translations
07:50 < scientes> oh i c that makes sense
07:51 < scientes> it is sometimes called NAT44 to contrast with NAT46
07:51 < XATRIX> i need to forward multiple ports to multiple hosts... that's it :)
07:51 < afidegnum> what am i doing wrong? what can be corrected?
07:51 < scientes> XATRIX, you need something like this -A FORWARD -d 10.66.3.3/32 -p tcp -m tcp --dport 38540 -j ACCEPT
07:52 < scientes> specifies both host and port
07:52 < XATRIX> scientes: was it for me ?
07:52 < scientes> ooo port ranges...idk
07:53 < scientes> can your security allow NAT-PMP/uPNP?
07:53 < scientes> I always use that (with miniupnpd) except this was through wireguard, which doesn't work with those protocols
08:14 < afidegnum> hello, any insight for my issue ?
08:17 < ellyacht> so I tried to use my android phone tethered to my RT-N16 and it changed the router's ip and now I can't connect to the GUI... I can see that the gateway however is the same?..
08:18 < Harlock> it's set to auto use bridge or nat modes?
08:19 < Harlock> might be called router, repeater and AP modes
08:21 < ellyacht> ?
08:22 < Harlock> it automatically changes the ip in repeater or ap mode iirc
08:23 < Harlock> looks like it defaults to dhcp in AP mode
08:25 < ellyacht> automatically to what tho?
08:26 < Harlock> whatever it pulls from the phone via dhcp
08:29 < ellyacht> harlock that's just it. it didn't pull anything from the phone. usually when I tether other devices it pulls it but the router didn't
08:29 < ellyacht> is there a terminal command I could run on my phone to see what ip addresses it dhcp'd out?
08:30 < Harlock> looking at the manual it looks like you have to put it into ap mode manually
08:30 < Harlock> if you haven't done that the router ip should still be the same
08:30 < GlenK> hey there. sorta have centos set up as a router. I can do mtr and ping from private machines on my network
08:30 < GlenK> but if I try and telnet to port 80 of somewhere then it tells me no route to host. any ideas?
08:31 < GlenK> I suppose I have firewalld set up wrong? I set my private interface to be the internal zone.
08:31 < ellyacht> that's just it the router ip is still the same but my web browser won't connect to it. it keeps saying router's ip address changed refreshing your browser now
08:33 < afidegnum> hello, any help?
08:34 < GlenK> ha, crap. now my roommate came back
08:34 < GlenK> guess I'll have to switch back to the sucky netgear thingy
09:03 < Atro> lol
09:16 < FightingFalcon> SHALL I MOVE ALL MY IMAGES TO COOKIELESS DOMAIN !!!!!!!!!!!!!!!!! ?
09:18 < light> WHAT IF THEY GET HUNGRY AND NEED A SNACK !!!! ?
09:18 < FightingFalcon> huh
09:19 < Atro> lol
09:36 < squ> !catgif
10:43 < MitteM112358> is NAT a rule or protocol?
10:44 < Emperorpenguin> it's a workaround
10:45 <+xand> a bodgearound
11:01 < TandyUK2> NAT is evil
11:01 < TandyUK2> a horrible bandaid for the fact we didn't start deploying ipv6 over a decade ago
11:04 < epitamizor> NAT works fine
11:04 < epitamizor> just have to know encapsulation
11:06 <+xand> NAT works fine at breaking end-to-end connectivity
11:06 < epitamizor> lol
11:06 < epitamizor> how else are they supposed to spy on you then?
11:07 <+xand> eh?
11:16 < MitteM112358> if a device supports IPv4 most of the time it can support IPv6 correct?
11:17 <+xand> err maybe?
11:17 < bezaban> "it can"
11:17 < MitteM112358> i am trying to think of examples off the top of my head for those that can't
11:17 < MitteM112358> and i blanked out for some reason
11:17 < bezaban> tending towards incorrect
11:17 < MitteM112358> then i thought.. okay a printer?
11:19 <+xand> any "IoT" thing where you don't have a "normal OS"
11:20 < MitteM112358> AH
11:20 < MitteM112358> And this is for the fact of simple math / RISC cpu?
11:20 <+xand> no?
11:20 < MitteM112358> where as the ipv4-to-ipv6 /// ipv6 hex addressing on an OS?
11:20 <+xand> no it's due to developers of such devices not bothering with IPv6 support mostly
11:21 <+xand> not a hardware issue
11:21 < MitteM112358> I'm saying, if a smart fridge supports IPv6
11:21 < MitteM112358> ah okay i understand your example
11:21 < MitteM112358> more as the implementation of such/etc ?
11:21 < MitteM112358> not actual technical capability
11:21 <+xand> yes
11:22 < bezaban> and availability
11:23 < MitteM112358> ok, thanks that really cleared my head and helped me view this better
11:23 < bezaban> they prefer organizing in botnet like structures ;)
11:26 < bezaban> been looking at wifi weather stations, there seems to be one main contender by 'netatmo' - but they have an incident of sending wifi password and ssid back to their c&c servers. Anyone used any of these and know if they'll function without / allow you to disable the cloud component?
11:26 < bezaban> or alternatives
11:28 < djph> never looked into that, sorry. Firewall prohibiting it from leaving your network not good enough?
11:28 < bezaban> djph: if it will still work then that would be fine
11:28 < djph> yeah, dunno :*
11:28 < djph> :(
11:28 < bezaban> 'Initializing, error can't connect to cloud, please restart your router'
11:29 < djph> heh, yeah, it'd probably do that
11:29 < bezaban> they look good in every other aspect, can poll them with a python open source project
11:49 < Yamakaja_> Hey, does anybody know about LDP daemons for linux?
11:51 < Roq> MPLS LDP? LDPd is available but i never used it
11:51 < Yamakaja_> Yes, MPLS LDP
11:53 < Yamakaja> Roq link? :D
11:53 < Yamakaja> Oh wait, quagga-ldpd?
11:54 < Roq> Yeah i think so, is that the BSD port?
11:54 < Yamakaja> yes
11:55 < Roq> Yeah that should be available for linux, but like i said i never used it
11:59 < Yamakaja> I see, i was hoping to avoid quagga xD
12:00 < Roq> Fair enough. What do you want to use it for? Labbing?
12:00 < Yamakaja> Yep
12:00 < Yamakaja> And maybe running an MPLS backbone in dn42 :D
12:01 < Roq> I'm not familiar with dn42
12:01 < Yamakaja> It's basically a darknet simulating the internet
12:02 < Yamakaja> Peers connect with tunnels, not direct links. Then they peer like you'd peer in real life / etc.
12:03 < Roq> I see, and MPLS is required to connect?
12:03 < Yamakaja> No
12:03 < Yamakaja> But i'd like to run it within my AS
12:04 < Yamakaja> See https://wiki.dn42.us/Home
12:04 < Roq> I would suggest some MPLS capable routers over a Linux port in that case
12:05 < Yamakaja> Uh, that's not really an option with my budget ^^
12:05 < Yamakaja> Linux actually supports basic mpls routing
12:05 < Yamakaja> Or VPP for that matter
12:06 < Yamakaja> (https://wiki.fd.io/view/VPP)
12:07 < Roq> I think mikrotik support MPLS functionality, if budget is a concern
12:07 < Yamakaja> Yeah, but i can't easily run that in a DC like i can with a linux vps
13:14 < gtr> test'
13:15 < djph> test failed.
13:16 < gtr> how can i remove duplicate queries in wireshark from a .cap file to see dns requests? for example i have multiple lets say dddd.com how can i see it only once ?
13:16 < djph> only query for it once?
13:16 < gtr> i know of statistics - resolved addresses
13:16 < gtr> but none of the domains are resolved there
13:17 < kubast2> Does MMS protocol allow sending any type of file over? And 2nd question, If I were to manually reencode a video with a high quality codec like VP9 will the video get sent with or without transcoding If I were to make it fit the max size requirement?
13:18 < gtr> djph, how can i query for it ? i m not looking just for 1 domain i need all but not like duplicated
13:19 < gtr> i have domain1.com then domain2.com then domain1.com then domain3.com i need to see only domain1, domain2, domain3 if this explains
13:19 < kubast2> I got a manual transcode(with libvpx9 and libopus) and an automated one(with AAC and h.264[but baseline profile])
13:20 < kubast2> as in is the transcoding done by an application/phone or by the infrastructure of a telecom company ?
13:21 < detha> gtr: tcpdump/tshark | awk '{....}' | sort -u
13:21 < kubast2> Like theoretically you could cram a couple of secs 1080p video with reasonable quality with reasonable quality of audio under 300KB
13:22 < kubast2> vs a half full hd video that barely doesn't have any sort of artifacts
13:22 < kubast2> or worse
13:22 < tcpdump> @detha yes, I can run.
13:25 < djph> kubast2: I would imagine the phone, or the remote end. Telco is just the carrier, I think...
13:28 < almostdvs> I have a dhcp pool on a catalyst 4500 that won't hand out IP addresses. Any tips on troubleshooting this?
13:28 < djph> you run out?
13:29 < almostdvs> I don't believe so
13:32 < OliverUK1> Could anyone give some recommendations for firewalls to put in at home that would do web filtering so to help keep kids safe?
13:33 < almostdvs> OliverUK1: untangle
13:33 < compdoc> pfsense is great, but requires a pc
13:33 < almostdvs> requires a pc?
13:34 < tehjanos1h> OliverUK1, what you are actually looking for is a proxy with web content filtering
13:36 < tehjanosch> OliverUK1, depending on the size of your network you could either try out pfsense or sophos utm (if they still have their free version) - but you would need separate hardware or a vm for that :)
13:36 < OliverUK1> compdoc: I am looking at putting something physical between the internet and our internal network anyway
13:36 < compdoc> linux/bsd firewalls require a computer to run on
13:37 < compdoc> you looking for a small, plastic, consumer based firewall?
13:37 < almostdvs> that's a weird statement
13:37 < almostdvs> OliverUK1: you can look into Open
13:39 < djph> UBNT Edgerouters have basic webfiltering -- although you'd probably be better with a layered approach - your filter plus opendns umbrella (if it's still free for home use), etc.
13:39 < djph> on a separate VLAN for the kid(s).
13:44 < Atro> i didnt even have internet till i was 9, now kids get VLAN's ?!?!?!?!
13:44 < Atro> preposterous
13:45 < almostdvs> Ok, some progress. ACL in on the vlan interface was presumably blocking the dhcprequest packet. I assumed the dhcp server address would be the same as the vlan interface but that is allowed in the ACL. what is the dhcp server?
13:48 < djph> Atro: I never said *when* they'd be getting a VLAN.
13:48 < djph> DHCP requests are broadcast
13:48 < djph> src 0.0.0.0 / dst 255.255.255.255
13:49 < djph> and L2 -> src (PC-MAC) / dst FF:FF:FF:FF:FF:FF
13:49 < OliverUK1> Thank you for all of your help :-)
13:50 < OliverUK1> I don't mind paying a bit for a quality solution though, doesn't have to be free, you get what you pay for
13:52 < djph> eh, the "paid for" oDNS umbrella was just more features (e.g. more users, individual PC addresses - if you have nonRFC1918 space, ofc; somewhat more fine-grained control over the filters ... nothing really special for "residential use" IMO)
13:52 < almostdvs> djph: no dhcpdiscovers are broadcast
13:53 < almostdvs> I'm talking about dhcprequests
13:53 < almostdvs> wait you're right
13:53 < djph> ;)
13:54 < Roq> request is also broadcast, to let the other potential DHCP servers know which one was selected
13:54 < almostdvs> even stranger
13:54 < almostdvs> taking the ACL out allowed dhcp to work
13:54 < djph> dhcpdiscover -> dhcpoffer -> dhcprequest -> I forget.
13:54 < Roq> ack
13:55 < almostdvs> so it must be the ack
13:57 < almostdvs> ok, so does the dhcp server on a cisco switch send the ack from the vlan interface address?
14:00 < spaces> woei! all networks sexy ?
14:14 < tehjanosch> 13:41:17 < Atro> i didnt even have internet till i was 9, now kids get VLAN's ?!?!?!?! <- :D 14:14 < tehjanosch> i guess you have used a dialup connection back then :P 14:14 < tehjanosch> good ol' times 14:19 < Sout> dling off napster, and hogging up the phone lines :D 14:19 < almostdvs> feeling nostalgic about old technology on the internet 14:19 < almostdvs> good times 14:19 < squ> !catgif 14:24 < lbrun> Hi, I need to do a MPO24 trunk connection for some 10G and 40G stuff (multimode), does anyone here have some experience with polarity in these systems? 14:25 < djph> fiber has *polarity* ? 14:26 < lbrun> TX has to go to RX 14:26 < lbrun> if you have MPO12/24 connectors (12/24 fibers in one connector), this becomes a non-trivial thing 14:26 < djph> well, yeah, but I wouldn't call that "polar" .. 14:27 < djph> I mean, i guess it works ... but .. IDK 14:27 < lbrun> Most companies call it that from what I've seen 14:31 < wind_swept> i've heard it called polarity also 14:32 < wind_swept> i don't think you can change the polarity on the 40g MPO connectors, but on the 10G if they're the LC-LC connector you can pop off the clip and switch the polarity as necessary 14:34 < lbrun> wind_swept: True, but 40G-SR4 uses an MPO12 connector 14:34 < wind_swept> looks like the "Fiber Optic Association" calls it polarity also: http://www.thefoa.org/tech/ref/install/polarity.html 14:35 < wind_swept> lbrun right, but it only uses 8 of the fibers 14:35 < lbrun> I know 14:35 < wind_swept> i guess i missed the question 14:38 < lbrun> Basically the plan is to route 2 40G-SR4 (and some misc 10G) using MPO12 -> 4 LC-LC Type B onto a MPO24 cassette, trunk it to another location some 30m away, terminate into another MPO24 cassette and again use 4 LC-LC -> MPO12 Type B cables to connect to the transceivers. 14:40 < wind_swept> sounds like it would work. 
i've not done that but it seems like you'd just need to crossover the LC connectors on one end or the other, but keep the pairs in the same order
14:42 < lbrun> Yeah, the question is more if I can avoid actually using crossover connectors. I can choose the type of trunk cabling (Type A, B, or C), but I have only straight-through key-down cassettes.
14:43 < wind_swept> is running the mpo24 cable cheaper than running two mpo12 ?
14:43 < lbrun> no, but there is no space
14:43 < lbrun> I can't run two MPO12
14:44 < lbrun> The cable runs through some very old building parts where making the holes bigger would be very expensive
14:46 < wind_swept> gotcha. seems like a pretty straightforward problem. diagram it out and you can figure out which cables go where. or just be ok with futzing with LC connectors :D
14:48 < italian_power> WE ARE THE ITALIANS OF ITALY
14:48 < wind_swept> no we aren't
14:48 < italian_power> WE ARE TIRED OF BEING RULED AND TAXED BY THE JEWISH 1%ERS
14:48 < spaces> italian_power good, stay there
14:49 < lbrun> wind_swept: Yeah, I think I'm going to that. I guess there is actually not that much that can go wrong.
14:49 < wind_swept> lbrun: https://www.fs.com/polarity-and-mpo-technology-in-40-100gbe-transmission-aid-475.html
14:49 < wind_swept> as long as everything terminates in LC connectors you can swap pairs
14:51 < lbrun> True, even the 40G-SR4 still go over LC connectors before going into the trunk, so even if I get the trunk wrong I can just swap. Thanks!
14:51 < wind_swept> sure thing :)
15:09 < afidegnum> hello, i can't have access to port 2022, using nmap on -p 2022 i have 3033/tcp filtered unknown error
15:50 < wind_swept> afidegnum: bummer
15:50 < wind_swept> did you have a question?
16:18 < UncleDrax> (guess not)
16:20 < wind_swept> ¯\_(ツ)_/¯
16:30 < Asnm> hello guys
16:50 < CoolerZ> i am just looking at some network traffic in wireshark
16:50 < CoolerZ> why does wireshark report tls v1.2 when it's version 1.0
16:54 < CoolerZ> https://imgur.com/ltWS9M9
16:58 < lbrun> CoolerZ: That's the version of the TLS handshake protocol, different from the TLS record protocol (which is 1.2)
16:58 < CoolerZ> lbrun, so what is the 1.0 version shown there?
17:00 < lbrun> CoolerZ: There is an excellent answer here: https://security.stackexchange.com/questions/29314/what-is-the-significance-of-the-version-field-in-a-tls-1-1-clienthello-message
17:11 < purplex88> what is NIDS?
17:12 < djph> probably network intrusion detection system.
17:12 < purplex88> is it windows firewall, or my anti-virus?
17:12 < djph> neither
17:13 < purplex88> but my bitdefender total security has advanced threat defense feature
17:13 < djph> and?
17:14 < purplex88> why is it not intrusion detection system?
17:14 < djph> because it isn't. That's like asking why a pickup truck isn't a semi.
17:17 < purplex88> so what does it.
17:17 < purplex88> ..
17:18 < djph> a NIDS is a (more or less) comprehensive monitoring system for a network to detect intrusion (e.g. foreign PCs / APs / etc.)
17:19 < purplex88> i thought my advanced bitdefender solution can do it
17:19 < purplex88> e.g. block threats
17:19 < djph> no.
17:19 < djph> that's _antivirus_.
17:20 < djph> specific to a singular machine.
17:20 < purplex88> e.g. it can block bad ip addresses
17:20 < purplex88> if it detects port scan
17:22 < djph> sounds like a firewall.
17:23 < purplex88> also wifi security, vulnerability scan, ransomware protection..?
17:23 < djph> I mean, each of these components may make up a NIDS ... but they themselves are not one.
17:24 < purplex88> is NIDS a hardware box or a software i can download and install?
17:25 < djph> could be either
17:26 < djph> though, I doubt "download and install" would be that simple.
It's probably more "pay a fuckton of money, then download & install"
17:32 < saul> i'm curious: how common is it for a company culture to include IT configuring users' e-mail signatures for them?
17:32 < purplex88> but the question is what will it protect me from?
17:32 < purplex88> as i never heard someone installing them
17:34 < djph> saul: zero.
17:34 < djph> purplex88: it's to monitor a NETWORK for something getting through that shouldn't have - an extra PC, wifi APs, random other garbage, etc.
17:35 < djph> or something generating "weird" network traffic, etc.
17:35 < purplex88> ok, the entire network.
17:54 < inire> saul i've seen legal demand a specific end phrase
17:54 < inire> but it's mostly just handwaving bullshittery
18:08 < yn> https://blog.malwarebytes.com/security-world/privacy-security-world/2018/07/mother-is-blocking-ads-so-why-arent-you/
18:19 < pokmo> hi
18:20 < pokmo> i'm not sure if it's just me, but 'curl https://www.zomato.com' times out. it works fine in a browser though
18:20 < pokmo> does it happen to anyone else?
18:22 < Sout> yes, pokmo. curl https://www.zomato.com returns Access Denied
18:23 < pokmo> hmm i don't get a response at all
18:23 < pokmo> Sout do they have a firewall or something that checks the user agent?
18:23 < pokmo> i get SSLREAD() return error -9806
18:26 < pokmo> curl -A "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5" https://www.zomato.com/ gives me Access Denied
18:27 < pokmo> beside UA, what else could a server/firewall check?
18:47 < kottt_> somebody sanity check me here: site has a network that goes: our gateway router -> their LAN Switch -> two wireless routers. The LAN was crashing and burning periodically, as frequently as every 10-15 minutes.
disconnecting their second wireless router fixed their problem
18:47 < kottt_> from LAN Switch to second wireless router: should they have been plugged into WAN or LAN port on it?
18:49 < kottt_> honestly not sure how the wireless routers were configured, whether AP/Router/Wireless Bridge/etc, so I guess that's what would make the difference. hm.
18:50 < Poster> it's not entirely clear what "router" means aside from passing IP between two or more interfaces, is there NAT, DHCP, etc? Do they have unique IP spaces behind them?
18:51 < kottt_> tbh, my assumption here has been that they were two regular consumer routers with minimal configuration, with their WAN sides getting addresses in a firewalled public address space
18:52 < Poster> if they're both on the same IP address and both handing out IP addresses in the same VLAN that could cause quite a bit of trouble
18:53 < kottt_> from our gateway, what we were seeing was that traffic would just completely stop making it upstream from their switch, which was brand new, having been replaced the first time the issue presented itself.
18:54 < tpr> hm, what tool could I use to do dhcp information request messaging?
18:55 < kottt_> we thought there might have been a switch loop or something but we had them trace every cable in the building (small library) and found nothing problematic
18:55 < tpr> whatever that even is. wikipedia just lists "DHCP information" and says "A DHCP client may request more information than the server sent with the original DHCPOFFER. The client may also request repeat data for a particular application. For example, browsers use DHCP Inform to obtain web proxy settings via WPAD."
without providing any source :P
18:55 < kottt_> i guess you could be a REAL HACKERMAN and just do it by hand in C
18:56 < kottt_> sorry, i don't have an actual productive suggestion
18:56 < kottt_> <3
18:56 < tpr> :|
18:56 < tpr> oh, it's actually called DHCPINFORM <3
18:58 < tpr> and dnsmasq's contrib ships dhcp_lease_time :-)(
19:00 < tpr> /* Explicitly request the lease time, it won't be sent otherwise:
19:00 < tpr> this is a dnsmasq extension, not standard. */
19:00 < tpr> höh
19:37 < Apachez> pennTeller: yes, you don't need a phoneprovider if you just want to call to other voip boxes connected to the same pbx
19:38 < donguston> anyone here speak russian? Is the English to Russian Google Translate as good/accurate as the Russian to English? Are there any better translation APIs to use for English to Russian?
19:52 < Apachez> I think it's close enough
20:06 < hfp> Hi, I am confused with IPv6. I seem to be getting a /56 from my ISP (not sure how to confirm that, I set prefix hint to /56 and I can ping ipv6 addresses over the internet, but I can't with /48). How do I confirm my prefix? If I ifconfig on my OPNSense router, all I see is a /128 with my ipv6 on the wan interface. But my laptop gets a 2xxx ipv6 and when I visit testipv6.com, it shows my laptop's ipv6
20:06 < hfp> address, not the router's. As a corollary, does that mean that every single host in my LAN now gets a public IP? Will the firewall still prevent the internet from accessing my hosts using their 2xxx public ipv6 addresses?
20:07 < Dagger> yes, your hosts get public IPs, and yes, firewalls still block connections
20:07 < Dagger> as for the prefix... the router is doing a DHCPv6-PD request, and the response to that includes the size of the prefix
20:08 < Dagger> I don't know how you'd go about seeing what that size is in OPNSense though.
I'd expect it to mention it somewhere in the admin interface
20:10 < hfp> Dagger: Thanks
20:11 < hfp> So every host having a publicly routable ipv6 simply means that if I ever want to publish a service on a host, I tell my firewall to let the communication through and it saves me from having to use my only ipv4 over nat, right?
20:13 < Dagger> yup
20:16 < Dagger> assuming your clients have v6 too, mind, otherwise you'll need to work out some way for v4 clients to connect (and the easiest way of doing that is probably to continue doing it the way you're already doing it)
20:26 < hfp> yes they all have ipv4 and ipv6 addresses
20:27 < hfp> I know the fe80 is a local address only, but they're also getting two 2xxx ipv6. I remember that one is random for privacy, and used on the internet; but how to tell which is which?
20:28 < Dagger> the one which changes when you restart or reconnect is the temporary one
20:28 < Dagger> the non-temporary one may have "ff:fe" in the middle of the right-hand 64-bits, but (due to RFC 7217) it might not
20:30 < Dagger> there's usually some kind of flag on the privacy addresses too (e.g. on Linux they have the "temporary" flag in `ip a`, on Windows they're listed as "Temporary IPv6 address" in `ipconfig`)
20:37 < hfp> I have ubuntu, ip a shows both addresses the same, the only thing that changes is the ip obviously but everything else looks the same
20:40 < streuner> i can't do port forwarding in my router
20:41 < streuner> i've set static ip in dhcp options and i have forwarded right ports
20:43 < Dagger> hfp: I guess keep an eye on the addresses then, and see which one stays the same
20:44 < Dagger> hfp: I've seen people with both normal and RFC7217 SLAAC addresses recently.
I guess if you were having that problem and you also had privacy addresses disabled then you'd end up with two addresses with the same flags
20:45 < Dagger> (Ubuntu's problem is that it uses one of those fancy network management daemons that take over RA processing, and they often end up doing funky things with IPs. the in-kernel RA client is a bit easier to understand)
20:45 < CSA> HI! I have two isp uplinks. I'm advertising my four /24s via ebgp. One link has 300 Meg and another has 1024 Meg/s capacity.
20:45 < CSA> How do I advertise a /22 to the 300 Meg/s link and four specific /24s towards the 1024 M/s link?
20:55 < fly_agaric> hello guys, I have 2 HPe 5406Rzl2 core switches. and i tried to configure vrrp. can you look at the config on pastebin? https://pastebin.com/z9VqH5qC
20:55 < fly_agaric> I am not sure if this is all i need
21:07 < fly_agaric> if i enter show vrrp vlan 582 it says that core is master
21:07 < fly_agaric> and core 2 is Backup
21:08 < fly_agaric> how does vrrp know which switch is master?
21:08 < fly_agaric> does it follow the spanning tree configuration? because core 1 is root bridge
21:11 < djph> VRRP is a *router* protocol ...
21:15 < fly_agaric> djph: do you know if important things for real world vrrp are missing in my pastebin config?
21:16 < ManDay> Hi, any idea why an apple device (MacBook Air from the dhcp name of it) gets 5 IPv6 addresses? Is that some apple shit?
21:16 < lbrun> ManDay: Could be IPv6 Privacy Extensions
21:18 < djph> fly_agaric: "routers" ?
21:18 < djph> fly_agaric: although, I guess if your "core switches" are actually acting as routers ...
21:18 < fly_agaric> djph: 2 core hpe switches not routers but layer 3 switch
21:18 < djph> are they acting as routers?
21:18 < fly_agaric> yes
21:18 < ManDay> lbrun: that's a pure host thing, right? it sounds as if this were anticipated in IPv6
21:19 < S_SubZero> ManDay: do you expect different behavior?
21:19 < ManDay> S_SubZero: It's not my device, a neighbour I share my internet with
21:19 < lbrun> ManDay: What do you mean by pure host thing?
21:20 < ManDay> lbrun: The dhcp or anyone but the host that gets those addresses doesn't know about it.
21:20 < ManDay> it's just that the host gets those addresses to get extra privacy
21:22 < lbrun> ManDay: Yes, that's the case
21:26 < S_SubZero> apparently multiple IPv6 addresses are a common thing. https://unix.stackexchange.com/questions/181539/why-do-i-have-so-many-ipv6-addresses-for-a-single-ethernet-card
21:27 < ManDay> lbrun: thanks!
21:28 < hfp> Dagger: Yes, I'm thinking of moving away from ubuntu because of all the magic it does and which I don't need. Is Manjaro a better option?
21:28 < kenrin> magic?
21:29 < kenrin> Manjaro is cool if you want arch but are lazy and don't care about stability
21:31 < hfp> kenrin: yes, ubuntu uses netplan which I don't care for, it uses 127.0.0.1 as a nameserver to do some caching and some magic (which has bugs), I use i3 as my wm so I don't care for ubuntu's unity or what have you... It seems like ubuntu does too much for what I need
21:31 < hfp> kenrin: better go with arch then?
21:31 < kenrin> You know you can change all that right?
21:31 < hfp> yeah but it's a lot of work, why not use a distro that doesn't do that in the first place?
21:31 < kenrin> If you like arch, sure. I don't like random updates breaking my system every month though
21:32 < kenrin> Debian is always a good choice
21:33 < hfp> I might be wrong, but my experience was that debian uses older versions of everything. sometimes much much older, which results in missing features that have long been released.
It would work for a server but not as my daily driver because of that
21:33 < kenrin> That's why you use debian sid or debian testing
21:34 < E1ephant> or just avoid debian
21:35 < E1ephant> because the packages fart dust they're so ancient
23:43 < GoopAway> I am writing a research paper for English 101 and the topic is Net Neutrality. I wanted to know if I might be able to either get some good advice where to look, or do an online interview from a networking professional or a business professional that has experience in the area of creating an ISP.
23:44 <+pppingme> you should write about the scam that liberals called net neutrality, which ultimately was dumped..
23:46 < GoopAway> pppingme: what is your professional background in this area, and may I interview you online?
23:46 < purplex88> what's the meaning of network security policy?
23:47 < purplex88> is a firewall rule an example of this?
23:48 < GoopAway> purplex88: I'm rather ignorant in that subject. It sounds like you need to Google it.
23:48 < vexe> irritate the employees :)
23:49 < ||cw> purplex88: yeah, a firewall would be part of it
23:51 < purplex88> ||cw: policy = creating rules of what you can access / do / view etc?
23:51 < ||cw> like, timeclock policy, vacation policy, bathroom break policy
23:52 < ||cw> door locking policy
23:52 < ||cw> think higher level.
23:52 < purplex88> i rarely used the term 'policy' so i'm unfamiliar
23:53 < purplex88> okay so what are all these policies you said are for? are these rules?
--- Log closed Wed Jul 11 00:00:33 2018