#networking
yes, they had the -EM devices with extra memory for BGP in routeros 6.. the extra memory is probably not necessary anymore with v7
I bet unifi would do the opposite
they would add more ram, and have a 300% profit margin on the modules
their high-end gear is so expensive
@tender hazel Just saw the nanog email this morning of others talking about the Akamai traffic
https://mailman.nanog.org/pipermail/nanog/2021-April/thread.html
@hollow marlin 🤣 https://mailman.nanog.org/pipermail/nanog/2021-April/212976.html
thanks.. I was checking nanog yesterday and didn't see anything
@hollow marlin lots of work ahead: https://i.imgur.com/4IS1ZpU.png
AMS-IX hit a new record
9.935Tbit/s
I compared some other exchanges
and turns out
this is actually the best one to be on
psh, 4 of our baby MX10003s can handle that no probs
Its connected to everything
This complex
is the heart of european internet
@hollow marlin these are all within 5-30 mins driving
I guess 1 atom bomb
and rip europe
@hollow marlin whats the most extreme bandwidth in a single unit you've seen deployed?
like, how does an IX
do the actual peering, is that just a patch in the exchange?
between two switches ?
most of these buildings
do up to ~1tbit/s
except the national institute for particle physics
they were sucking 2tbit/s
you all get an assigned IP on a common subnet
sometimes you may peer directly with others, but often you get the peering by peering with a single route server at the IX and everybody who peers with the route server exchanges routes
route servers are helpful because if you want to peer with all 100 people at an IX or however many there are, you don't have to contact them individually
thats what AMS-IX says they do
they have a single route server
and provide their services through that
but how was just beyond me
yeah but even when they have a route server, people don't always have to use it - some companies have a direct peering policy where they will only peer directly and not through the route server
and what is that then?
you get a direct fiber link between your gear and the other peer?
no, you still peer with them over the shared subnet, but you create the peering link with their IP directly, not the IP of the route server
or do they do some kind of switching with vlans on the endpoint?
@tender hazel so this subnet
that's a public range ?
yes, it is generally a public range
what if you had two ISPs that wanted to directly exchange routes?
would they still use that common gateway from the exchange?
or is that what it literally means
one big giant street
and everyone sets up shop
Nothing extreme, 80-100 Gbps. The majority of our customers are business but still a good amount of residential
the exchange doesn't really provide a common "gateway", it is a shared network where people can peer over, and the route server will be used by most to automate that
@tender hazel but what if I was to say, build a building with servers in it
and you get multiple x-connects with a fiber to different exchanges
you announce that route, to all three of those exchange points then?
AMS-IX is looking at RFC5549 to help conserve public IPv4 space btw
mikrotik supports that in routeros v7
you can do BGP over either v4 or v6 and advertise both v4 and v6 but it is generally advised to peer over v4 for sharing v4 routes and over v6 for v6 routes
so you would set up two peerings with each, one for all of the v4 stuff with the ipv4 peering address and one for all of the v6 stuff over the v6 peering address
Much more than dual, there are tons of AFI/SAFI
Yes, v4/v6 are typically separate just for ease of management. Having them in the same peer can have some odd limitations
I don't think RFC5549 has any specific dependencies on BGP.. but I don't think they are using it yet in production
they are just preparing for eventually going to that
It does, it's based on a modified NLRI. Not sure I have seen OSPF/inter-AS allow a v6 next-hop for v4
I'm sure it exists in the latter
All our IX peers are /31. But at their scale it makes more sense to move to v6 next-hops
ok
ahh yes, it's been a while since I read the presentation
slide 24 covers the behavior
it runs on all devices, but it is not yet ready for production no
it is stable enough to use at home
but I certainly wouldn't put it in any sort of important role
@tame carbon Just wondering, do you know if it's possible to watch Blu-ray disc copies on VLC on your phone? (via that network sharing) The ones that you open on VLC by clicking 'open disk > blu ray'. I'm thinking no right now because they have JavaScript menus and stuff, but wondering if you know.
@tender hazel So I'll do that fiber 1000/500 setup on v6 :P
@thick minnow you need a network stream for something like that
oh so it's in this case that streaming through VLC would actually be useful?
well if you have a Blu-ray
might just be easier to use handbrake or something
HandBrake is an open-source, GPL-licensed, multiplatform, multithreaded video transcoder.
You can use this to turn DVDs and BluRays into files
Yes.. anything production like that I wouldn't run on v7
I'd like to run it on my AC2 but the forums say otherwise
I'm running v7 at home on my rb4011 wifi
it's the first version that hasn't been rebooting like crazy on me
it's stable with my config and I have a fairly kitchen sink config running on it
AC2 is reporting at least the last 2 betas causing reboots/freezes
@hollow marlin most of the reboots/freezes in my experience are due to the config
routeros 7 doesn't properly update the config syntax when going from one version to the next like routeros 6 would
the stable v6 on the rb4011
so you can have a syntax that is invalid that gets loaded and it causes instability
I've never had any issues with
the ac2 had issues with wireless once
after 120 days
reboot fixed it
to upgrade with stability you need to export the config, upgrade, reset to no defaults and paste the config back in
that way it will be validated by the parser for that version
I don't really believe the people who say it is not stable with the hAP ac2
they probably did not reset to no defaults and paste the config back in like you should
you can always use partitions to test v7 on your hap ac2 safely
Yeah, I'd recommend that regardless since v7 is almost built from the ground up. I know routing config not updating was a big problem for many.
I have not messed with that yet. Is there a second flash that the partition lives on or just a single flash? AC2 only has 16 MB and the base package takes up most of it. The only reason I ask is Cisco/Juniper have secondary flash for failover
That said, I have 2 more AC2s on standby and I could test with one
oh only 16 MB.. I thought it was a bit more for some reason
yeah for partitioning you need one with 64 MB at least I think
I'll give it a shot on a spare. If only MikroTik would cut it out with the 16 MB flashes
microsoft is having dns issues
fun
https://downdetector.com/
You can see how everything related to microsoft is just having issues
NOO minecraft too
@peak cloak soon discord will be down then too
you drop the a bomb on microsoft
and poof, no more fortnite
discord uses google cloud, if microsoft buys it I guess they will have to move to Azure?
might not just be related to microsoft
Cloudflare is still fine tho
unless Telus uses Microsoft
itll be shoved into their global offerings clouds they set aside for public service use most likely. So yeah, Azure
anyone here familiar with IIS URL Rewrite?
I would like to add a site into IIS (fake directory since the app doesn't use IIS)
Then create a rule so that I can access this web app from the internet. myapp.mysite.com should point back to localhost:8080
so reverse proxy basically?
<!-- web.config fragment, placed inside <system.webServer>.
     Rewriting to an absolute http://localhost:... URL only works as a reverse proxy
     when Application Request Routing (ARR) is installed and "Enable proxy" is on. -->
<rewrite>
    <rules>
        <!-- /webmail/... is proxied to the app listening on 8081 -->
        <rule name="Reverse Proxy to webmail" stopProcessing="true">
            <match url="^webmail/(.*)" />
            <action type="Rewrite" url="http://localhost:8081/{R:1}" />
        </rule>
        <!-- /payroll/... is proxied to the app listening on 8082 -->
        <rule name="Reverse Proxy to payroll" stopProcessing="true">
            <match url="^payroll/(.*)" />
            <action type="Rewrite" url="http://localhost:8082/{R:1}" />
        </rule>
    </rules>
</rewrite>
I am trying to configure my Unifi Security Gateway for the first time. I am able to get through the configuration process to set it up with the Controller software, but when I click finish, it gives me this error.
"{Mac}" is not a valid Target.
And I know that the USG does not have wifi capabilities, but the setup process for the controller has me entering in a SSID and password for a wifi network. How could that be?
@plain siren great, I'll try that. thanks
you can skip the wifi step
can someone help me with a vm it keeps deciding to stop working
i got this base station for a home security system and discovered it seems to function like a mesh router; i still don't quite understand how wireless mesh networks work, and i'm worried about it potentially impacting internet bandwidth
👍 Im in the controller. Now when I go to the Unifi devices menu, I can see the USG on the list, but when I hover over it, it says "Managed by other"
did you try setting it up before?
you may have to reset it to release it
😩 http error 404
Present, would you know anything about setting up VLANs between Unifi and MicroTik?
Just got my switch setup but my VLAN WLANS and wired VLAN connections are not getting connection.
Yes but I couldn't get past that last error I was getting
well I've set up vlans between my USW FLEX mini and my dlink switch
done it at all between unifi and mk?
don't you use mk a lot or am i thinking of someone else?
crystal
ah
but VLANs are standardized
yeah, it was 12 am for him so he wasn't able to help atm lol
it's just a sfp+ link from udmp to crs326
so in the controller I would just make the link be trunked
in the controller it's the all option
ah
make sure in your networks tab you have the correct vlan id setup
i've been using the gui
i assumed, yeah
I can show my d-link config
idk why bridge is there in untagged
is that your trunk port?
oh it's by vlans like that
@tribal ferry there is nothing tagged
what do i need to tag?
your trunk port should be tagged
my uplink is sfp-sfpplus1
trunk basically means all tagged
yeah tag that
on all vlans?
yes
and i guess i need to un-untag it
wdym?
can someone help me with a vm it keeps deciding to stop working if u can help please dm or @ me
remove it from being untagged to make it tagged
oh yeah
and two, you can only have a port be tagged or untagged per VLAN, not have it be VLAN 12 untagged and VLAN 13 untagged
but you can have VLAN 12 tagged and VLAN 13 tagged
on one port
well i need vlan traffic to be able to pass through all ports
oh, you're connecting a VLAN-capable switch to distribute to the end devices?
yep
ah ok
well
then everything should be tagged
some of these are going to switches
one is going to an ap
another goes to my cable that goes upstairs
yeah so any port that is going to another device that supports vlans needs to be tagged
Oh fun VLAN Trunks
so what should i change in this config?
because this is all a vlan is
tag everything
and remove all untags?
yes
the reasoning behind this is that it needs to be tagged so the final switch or ap will know what packet is on what vlan and untag it on the right port
or ssid
so what should i use untags for then?
anything going to a device that is only on one network or client devices
so for example
I have my AP on a port that is tagged both vlan 20 (trusted) and 30 (guest). The AP untags the packets that come in and sends it out to the clients, and tags packets coming back
but I also have a roku connected to my core switch, and that is untagged on IOT, since it's a client device
so, tagging every port in use besides the trunk will allow vlans to flow freely?
well tagging every vlan is called trunking
WOOOOHOOOO!!! I got the USG to adopt. Now, since I'll be using the USG as my main router, and my Linksys WRT3200 as my WiFi access point, what do I need to do?
good diagram to wrap around for brain chewing:
put the linksys in AP mode
yeah vlans are hard to explain, they finally clicked for me once
many people confuse vlans with subnets
it's more that a subnet is carried over a vlan
^
still got to wrap my head around this lol
a VLAN Trunk basically means you dont have to run 3 cables to another switch just to have 3 networks (subnets) sent to that switch
in this case, those 3 VLANs can't talk.
not on same networks, but you could use the router, static routes for example to allow... VLAN 1 to talk down to 2 and 3 but only allow 3 to talk back up
It keeps the "Vision" clients have on your network limited to your walled garden... the vLAN
ofc there is more to it and it has more uses
yeah unless you use a Layer 3 switch, if you want to go from subnet on a vlan to another you need to go through the router
Get 3 straws of diff colors, wrap them in something. The wrap is the trunk and each vlan is a straw. Your data can only pass through 1 straw despite being in the same wrap
A router would allow you to control mixing at what would be a "smart" junction/combine valve as needed (L3 would just be a junction valve without advanced reaching control like a router has)
if i have a friend
and i wanna send him like a 200gb file
over the internet. what is the best way for me to go around this?
for free
upload to a free file sharing site or self host a sharing service
for 200gb?
at reasonable speeds?
do you know any such sites?
@hollow marlin have you done any QoS at fairly high rates? like close to 1Gbps or so?
@hollow marlin lets talk about graceful failover again
You wouldn't use statics as they are already connected, they'd already be routable. You would need ACLs to stop them from routing from one VLAN to another
do you know if BFD over BGP kills GF?
I know I sinned by doing that but it was for the sake of simplicity despite being mostly wrong
I couldnt think of another way
Is there a way to make it where I can access the USG interface at 192.168.1.1 & the Linksys interface at 192.168.1.2?
All our access edges are set with QoS. 10/40gb. Primarily for voice priority
yes
Give .1 static IP to USG and .2 static IP to linksys?
Ooooo you have an update on the issue?
i do but this is not the same thing
Do I do that in their respective interfaces?
Yus
@clear igloo I found a bug in NX-OS 9x that exists in 7x but they had no clue 9x did it. no code upgrade path
it's rare to trigger it. I triggered it by flapping a vPC port channel multiple times using the interface range vs one interface at a time
@hollow marlin we've been running into issues with mikrotik doing queueing for connections nearing 1Gbps.. we have one large site with hundreds of customers and 1Gbps coming in, and the best effort queue is only able to hit about 850Mbps at the highest.. if I disable the qos, the usage immediately increases to like 950Mbps
Oh, I missed this comment. It shouldn't, BFD just informs BGP to pull the peer on loss, but by that time, BGP already knows the peers going down from GF
we're not seeing GF work 😦
we get packet loss the second BGP goes down
oh i should mention the links go down too
its complicated
there is no individual CPU core that is even close to maxing out when the clients are hitting that maximum
FW A <> FW B, then to the switches. FW A has full link failure so FW B with the same peer IP turns up all its interfaces and tries to resume
we get like 30sec packet loss
this is how Palo failover works
standby FW keeps all links hard down
I'd get a PCAP, but if it's the same IP, FW B is going to be using a different src/dst port and the session will have to time out.
Unless the FWs are clustered
clustered
i was not able to see what BGP was doing because the second I started to try that I hit that bug and OOPS
Symptom: Ethpm got locked and causing vlan create/delete, copy r s etc relative operations fail. N9K-1# sh sys internal ethpm info all | in LOKD LOKD @ 838755 usecs after Wed Feb 17 20:06:38 2016 LOKD @ 977171 usecs after Wed Feb 17 20:11:06 2016 N9K-1# copy run st [########################################] 100% 2016 Feb 17 20:09:47 N9K-1 %SYSMG...
"quite timing relative and very hard to hit."
FU cisco
Hmmm... DM me a sketch with some dummy IPs
damnit where did my visio template file go
I have not dived into MikroTik queuing, do you have one of the configs I could take a peek at? WRED could be kicking in when you are getting that close
yes we are using RED
Let me see if Mikrotik has the thresholds or if they're configurable.
/queue type
# RED queue used by every leaf below; thresholds are in packets (red-avg-packet is the assumed average size)
add kind=red name=red-queue red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
/queue tree
# site parent: hard ceiling of 980M on the uplink, children share it by priority (1 = highest)
add bucket-size=0.01 max-limit=980M name=Splitlake parent=MHT_347_SPL queue=red-queue
add bucket-size=0.01 limit-at=10M max-limit=10M name=7_monitoring_and_routing_splitlake packet-mark=monitoring-and-routing parent=Splitlake priority=1 queue=red-queue
# best effort has no limit-at, so it only gets what the prioritised classes leave over
add bucket-size=0.01 name=0_best_effort_splitlake packet-mark=no-mark parent=Splitlake priority=6 queue=red-queue
add bucket-size=0.01 limit-at=5M max-limit=5M name=6_mgmt_traffic_splitlake packet-mark=mgmt parent=Splitlake priority=2 queue=red-queue
add bucket-size=0.01 name=5_ent_priority_splitlake packet-mark=ent-priority parent=Splitlake priority=3 queue=red-queue
add bucket-size=0.01 name=4_ent_splitlake packet-mark=ent parent=Splitlake priority=4 queue=red-queue
add bucket-size=0.01 name=3_retail_priority_splitlake packet-mark=retail-priority parent=Splitlake priority=5 queue=red-queue
add bucket-size=0.01 name=2_background_splitlake packet-mark=background parent=Splitlake priority=7 queue=red-queue
add bucket-size=0.01 name=1_scavenger_splitlake packet-mark=scavenger parent=Splitlake queue=red-queue
about 78,000 PPS going through the queue
mikrotik for the most part just uses the queue types and HTB support that is built into linux already, although they added their own in a few cases like pcq
I can change the queue type but I get the best performance from RED in general
we mark the packets by using bridge filters which are set from the MPLS experimental bits
Are you able to walk me through the process on both the USG and Linksys to set the static IP?
The USG I know you just punch in https://192.168.1.1/ on first connect and the WebUI will ask you to set it to an IP
How?
sftp, scp...
What do those stand for
Is there any way I can just send someone a file with uTorrent?
Because normally when letters are involved that means hard to set up.......
I am using unRAID, the graphics card is a Gigabyte RX 590, and what's happening is when I send it to the GPU it works for a couple of minutes then black screens, and if I try and start it again it freezes at the TianoCore screen
@thorny vector I've also tried routing the vBIOS, booting in legacy, using Q35, using SeaBIOS instead of OVMF
Any errors kicked back? @sturdy knoll
The logs don’t show any errors
so I was trying to set up ZeroTier and I have 2 devices on a network right now, both show the status as OK, but when they try to ping each other all packets end up as lost
did i miss something
also both show up as online in the website panel
anyone got any ideas?
@thick minnow no matter how you twist it, the initial transfer is limited by your internet upload speed, so self hosting is best. Look into a few options like sftp, scp or even a web server. If your upload speed is super slow, it might even be faster to just overnight ship a flash drive
I guess that last option isn’t really free
How does self hosting bypass the upload speed limitation?
@thick minnow sending something via torrent requires an online tracker managing the torrent connections (seeders and peers) in order to coordinate the flow of data
If you are just trying to send a file to one person, torrent probably would not make sense - you would have to register the torrent with some kind of tracker and have the other person get the magnet link to get the seeders and peers from the tracker
torrenting is only faster if you can potentially have a bunch of different people serving the file to one person
Nah that won't be the case
Just need to send a single big file
Well, it won't really be quick in that case, but from my experience it'll probably be a lot more reliable
So which method do you recommend?
how big?
that's really big
But how do I make the tracker?
I haven't done it before myself
and that's a really old link
the idea should still work as long as you use a current tracker
That article doesnt explain the tracker.
It just says if you're using a private tracker set it to private, otherwise public, like wtf?
yeah so with torrents you probably need to use a public tracker which means someone else could download the file too as long as you are offering it
nothing to protect it
it may not be suitable for what you need
sending a file that huge is not a normal thing
may I ask what it is that you are trying to send that is so huge? you don't have to answer if you aren't comfortable answering
@tender hazel summer beach photos of your mom
@thick minnow Torrents are for peer to peer sharing
eg: thousands of computers and users
I need a way now to disable the quick setup feature in the mikrotik app for our users
I'm hoping that mikrotik will be able to add some kind of feature to allow control for that
yeah this is different though
I don't care about winbox, and we already remove it via webfig
this is just about the mikrotik phone app
the mikrotik phone app uses the winbox port so I don't think any sort of filtering will work
attacking this from a developer's perspective xD
the issue for me is that we can't have our users going into quick setup on the phone app
because here's what happens
@tender hazel give them a presentation, with the threat of sodomization by baton
if I go into quick setup on the phone app with one of our routers and just next next next next finish
it disables the PPPoE interface and changes all wireless interfaces to open authentication
I always tell tik users to NOT TOUCH quickset after configs have been done xD
@tender hazel wait what about user groups?
can't you restrict PPPoE settings and such?
there is no group for controlling quickset access
and the issue is that we actually want our users to have full control of their routers
even the ability to lock us out, if they wish, and if that helps them to avoid wanting to buy their own third party router
you just want to protect them from themselves
yes
the problem is that in the phone app the quick setup is this enticing big icon with a magic wand and sparkles
displayed very prominently
practically screaming "click me" at the user
I was looking for a click me meme
couldnt find one
I am not sure if this is the perfect channel, but I was trying to port forward on my router and it doesn't seem to work. Any ideas please?
@tacit leaf have you had any port forward on this network before?
You might want to check if you are not behind a CG-NAT, and have your own public IP
Never, I had them on previous network and it worked all fine
Is there any way to check it?
@tacit leaf open commandline and run a tracert 1.1.1.1
you can look at the path it takes through the routers, if you are on a CG-NAT or not
Says trace complete
ok screenshot?
not CGNAT
@tender hazel that ISP does have some shitty backbone lol
It probably does lol.
@tender hazel you certain?
I don't recognize any of the providers, but what exactly do you mean
@tender hazel what about the 10.0.0.0/8 ?
that's not any concern - we use RFC1918 for point to point links inside our network since they aren't used for any customers and the only thing they show up in is traceroute
so if our own customers traceroute to 1.1.1.1 they will hop over a few RFC1918 links in the 10.0.0.0/8 space
@tender hazel the other points break traceroute lol
if there was CGNAT here you would see something in the 100.64.0.0/10 space and you don't
yes they do, but that looks like their upstream similarly using RFC1918 addresses internally
I am soo confused xD
when the upstream provider uses RFC1918 internally to save on IPv4 public space you will see timeouts for a few hops that are addressed via RFC1918
it is the only downside of using RFC1918 for point to point is that people who aren't on your network will see timeouts for those hops and think something is wrong
@tacit leaf go to your router config
but in actuality it is good practice for conserving public IPv4 space
@tacit leaf find that port forward config, and have a look
send us screenshot if you can
@tender hazel I was always under the impression that they use 10.0.0.0/8 internally, but thought they use some kind of encapsulation to make it appear as though it is a direct link between two routers
looks right
@tacit leaf does the router WAN IP correspond to the public IP you get if you search online for your own IP?
It’s different
@tacit leaf what does the WAN on the router report?
no, the problem with encapsulation is that it adds overhead which can impact MTU, so you don't want to do that when it isn't necessary.. you can use any sort of RFC1918 subnet to connect any two public subnets.. it works perfectly, the only downside is that you don't get a traceroute response from the RFC1918 subnet unless you are on the same provider network as the RFC1918 subnet
those 40 bytes too much? xD
Oh, is there anything I can do about it
that's RFC1918, CG-NAT shouldn't use that range
where are you seeing that 172.16.15.89?
ugh
then your ISP is using RFC1918 space as CG-NAT instead of the actual CG-NAT space
Yeah
Developing world has got the wrong end of the stick in ipv4
they started using internet widely after we already ran out of IP addresses
india has better IPv6 deployment than most of the world
yeah, v6 xD but not v4
@tacit leaf your public IP is shared amongst other users from your ISP
Is there anything I can do about it tho?
thus, you cannot port forward.
Ohhh, bruh thats shit
yes you were right - it didn't show up in the traceroute though
@tender hazel I didn't think they would have a public range on their PPPoE servers
Can I ask them to give a personal IP address?
@tacit leaf usually a business plan would give you your own static public IP
Like, sometimes feels like here in europe its so easy to get your own public IP, even as a household consumer
and that everywhere else, its utter shit
Ohh, but getting one will fix my issue?
South Africa still has a bunch of IPv4s
@tacit leaf the problem is that we are out of IPv4 addresses.
and getting your hands on one is a combination of the right ISP & some luck
Hmm, so it's worth a try at least
It looks like they do
which is actually strange
afaik, there's no point in using a public IPv4 as the ISP address on a PPPoE tunnel
I mean we do it but we only do it because we have a ton of addresses and it is just one of those
and it is already routed to the device
we could change it to an RFC1918 in a few seconds and it wouldn't do anything
except it would free up some addresses
Meanwhile, I'm sitting on a /29
and not even using two of those addresses
yup in the case of the provider in this case it makes sense to use RFC1918
every last address they can give to a customer is valuable
I think we have finally convinced mikrotik to add /31 support
yeah.. /31 is a special thing
it was designed to conserve IPv4 address space
no network or broadcast address
the device has to be designed to support /31
ok but a downstream client can use a /32
when there are only two devices there is really no need for a network or broadcast address
and not care ?
yes, a /32 works too, but the problem is that /31 is so standardized, mikrotik seems like they are doing something weird by not supporting /31 and supporting /32 only
mikrotik and linux in general allow you to do /32's on both sides which in some ways is even better than a /31
because you can have point to multipoint with a /32 - one /32 address on the "hub" with multiple /32 addresses for each "spoke"
the issue is that /31 is considered so normal that to not support it, you seem to be strange
I thought /31 was a gimmick
in North America, the fact that MikroTik doesn't support /31 just makes them seem more like some tinkertoy router vendor
and that /32 and /30 are the only ones that make sense
either you have full broadcast domain & network, or none at all
every other major router vendor supports /31
time for routerOS to step up to the challenge
they've been struggling because of the old kernel
the /31 support shouldn't really matter because they support /32 and it can do the same thing theoretically but it is just the optics of the situation
we had techs waste hours and hours and hours trying to figure out how to get one of our mikrotiks to connect to an upstream ISP that was giving us a /31
F
all they had to do was configure it for a /32 instead but that isn't exactly clear if you don't know what you are doing and the upstream says "assign this address with /31"
@tender hazel that was me with 0 experience about vlans and subnets
setting up fiber on my RB4011, called my ISP like 5 times
I think they are glad its all working now lol
IPTV was even worse
All they gave me was a tutorial for a draytek
@tame carbon what exactly should I ask my ISP?
@tacit leaf ask them if they provide public IPs to customers
probably not... but never know
its probably going to cost extra
Aight will ask
@tender hazel lol shared IPs are so annoying when IP banning. On that minecraft server we had lots of issues with people from Comcast
you ban 1 person
and 1 week later ,you get another user complaining
"I am banned"
IPv6 is the only solution to all this
@tender hazel It got so bad to the point, that I started logging IPv4 <--> User
the thing is that people are still asking what we need IPv6 for? NAT is great!
So I could get a picture of who would be using what, and if I could ban without a problem..
and you sometimes find 1 public IP
it is insane if you can't explain to someone what the problem is with NAT
used by 20 different users over 1 year's worth of time
why it is bad, always, always
@tender hazel lol "please can you unban me, my brother was being an idiot"
nice NAT you have there.
IPv6 is the solution
if two people have the same IPv6 address exactly, they are the same person 🙂
Our mc server doesn't support v6
the protocol might these days, but my own database doesn't lol.
It stores 32 bit unsigned integers
well the thinking has to change to make things better
it is changing now - PS5 now actually uses IPv6
DELIMITER $$
DROP PROCEDURE IF EXISTS proc_ban_ip$$
CREATE PROCEDURE proc_ban_ip(
    IN addr INTEGER UNSIGNED,   -- IPv4 address stored as a 32-bit unsigned integer
    IN reason VARCHAR(128),
    IN duration BIGINT
)
BEGIN
    -- insert a row for a never-seen address, or update the ban on one already logged
    INSERT INTO ip_address VALUES (addr, NULL, NOW(), NOW(), duration, reason)
    ON DUPLICATE KEY UPDATE
        banreason = reason, banned = duration;
END$$
DELIMITER ;
^ :D
PS4 could get an IPv6 address but didn't use it for anything - you could ping it but it did squat
@tame carbon yeah so you will have to adjust that code to be more protocol neutral
@tender hazel the problem is the internal code that calls this procedure
it uses InetAddress
which on minecraft only applies to v4
stupid, stupid, stupid
@tender hazel ^ lol my schema
it logs who was the first user to use an IP
and any other users that might have used it
first time, and last use
and also tracks how often an address is used
java?
lemme find the calling code
@tender hazel yeah but the server only listens on v4.
OVH doesn't support v6
what's OVH?
idk
it burned down
@tender hazel see the problem is here
@Override
protected KnockturnPlayer login(UUID uuid, InetAddress address, String username) {
    // connection and statement are closed when the try block exits
    try (Connection connection = KnockturnCore.getMySQLConnection();
         PreparedStatement ps = connection.prepareStatement(
                 "CALL proc_player_login(?, UNHEX(?), ?);")) {
        // textual form of the peer address; the UUID is stored as raw bytes via UNHEX
        ps.setString(1, address.getHostAddress());
        ps.setString(2, uuid.toString().replace("-", ""));
        ps.setString(3, username);
        try (ResultSet rs = ps.executeQuery()) {
            rs.next();
            Long discordid = rs.getLong("discordid");
            if (rs.wasNull()) {
                discordid = null;
            }
            return new KnockturnPlayerImpl(
                    rs.getString("username"), rs.getLong("firstlogin"),
                    rs.getLong("lastlogin"), uuid, connection, server, rs.getBoolean("banned"),
                    rs.getString("banreason"), discordid);
        }
    } catch (SQLException e) {
        logger.error("failed to login", e);
        return null;
    }
}
getHostAddress() always returns v4
interface is the same for v4 and 6
50$ yearly for a public ip 
It is yes
I can get another isp and pay 2-3$ extra to get a public ip by default
@tender hazel its an interface that is subclassed based on the type
But that is moot
if the server only listens on v4.
then you can't connect via v6 yeah
any incoming connections will always be of Inetv4
Thanks a lot for helping yall 🙂
either way it is incredibly frustrating to see so many people having to set up these crazy workarounds like doing a VPN to a VPS
if (address instanceof Inet4Address) { /* foo */ }
to get a public IPv4 address when they most likely already have a public IPv6
@tender hazel I wrote this code in 2014
and it still works :D
just needs to be dusted off for the eventual move to a new hoster
@tame carbon this illustrates how commonly used /31's are
@tender hazel could my ISP in theory use my FttH to provide a vlan which I can peer with in an exchange?
The fiber operator here can support 10G as well
in theory, but you need an AS number to peer
yeah, but I need to be on a special block don't I ?
I can't just announce a route through my WAN
lol advertise 127.0.0.0/8
BGP works over TCP so you can be several hops away from who you are peering with
like you can peer with someone halfway across the world separated from you by a dozen routers
oh really?
yeah
SO THAT. is what my african friend wanted to do
he asked me if i wanted to peer
cus he sits on a pile of v4's
I thought I couldn't
Might be a super stupid question, I guess there's no workarounds for this?
Pretoria Wireless Users Group is a South African wireless users group. It is non-profit community organisation providing a wireless community network in Pretoria, the capital of South Africa.
PTAWUG has been created as the community’s answer to South Africa’s restrictive telecommunications environment. The South African telecommunications indust...
@tender hazel he wanted to peer with this ^ xD
he's the operator for them
but just peering won't actually give you connectivity to that, you need to have routes installed outside BGP that will allow you to direct traffic there
right
@tender hazel lol some of the crazy stories I've heard from them
like getting hijacked while on the job to fix a tower
by a guy with a BB-Gun
christ
they were in the car
@tender hazel yeah unlucky for the guy with the BB-gun
they had a real 9mm
I think they shot him in the leg and drove off
Pretoria is quite a rough neighborhood
@tender hazel opiate infested regions makes people do some bad things :/
That happens to AT&T dudes in Chicago too lol
im not even joking
taking down ctOS
you might be getting an IPv6 address from your ISP and that should allow you to do the same stuff but it depends on what the games (or whatever else you are trying to access) support
I actually just had a guy tell me a story how someone was shooting at him cuz he was trying to upgrade their internet but it turns out they were trying to rob him
minecraft
chicago
@tacit leaf and minecraft doesn't have full support for IPv6 yet, and it is something that is more their problem I would say, than your ISP's
whistles https://tunnelbroker.net/
@plain siren behind CG-NAT?
Does it matter? Its point to point
I thought you had to enter your remote IP into the link
yes you can use tunnelbroker over nat
you have to enter the remote IP but it doesn't have to be the remote IP that you actually have
it can be the remote IP you are NAT-ted to
^
and if it changes?
if it changes you have to change it, or you can automate it with scripts
Neither did their IT.
Or their heads
everybody seems to treat lack of support for IPv6 as no big deal.. super frustrating
I'll use it once tunnelbroker allows me to set GeoIP
I cant watch american netflix, library is terrible
your ISP should give you v6
you're in germany right?
Netherlands
the traceroute there is fine
European datacenter colocation, Connectivity, DDoS protection, Web Application Firewall, Qbine, IAaaS, NoCaaS, servers, internet exchange.
@plain siren ooh btw, I called my soon to be employer again, and I agreed to take the job
yeah I found that before, I don't play minecraft or other online games (I only play single player games myself) but it might work
They gave me a week to decide, but I jumped the gun this morning
Ill try 🙂
we've been hit in the last few days by this stupid call of duty update
we have hospitals not getting their required service because of call of duty
here's the problem in our case
our upstream requested a second bell cross connect one year ago
due to covid bell hasn't delivered yet
a cross connect in the same building they are in where they have facilities
so the call of duty update took them down
because they knew they would be running out of bandwidth over a year ago and it's taken over a year for bell to deliver
which is insane considering that it is a colo in the biggest facility in toronto
and if bell takes over a year to deliver a simple service to a colo in the biggest colo facility in toronto
net neutrality? lel.
canada
oh
we have net neutrality
but bell says they could not install because they have to get this part that is out of stock
some like part worth a few dollars
out of stock for the past year due to COVID
do they not do incremental patches?
people are reporting anywhere between 50GB and 80GB for the update
50GB is the low end
I'm not sure why there is the 30GB difference between some users and others
probably
they have updated most of the assets in the game
it is likely easiest to just update the entire thing
this is our third night dealing with those issues
it isn't as bad tonight but it is still impacting us
right.
My 25 page report on comparison between Relational and Graph databases is FINALLY FINISHED.
omfg. I hate this course so fucking much
There are a few services online that you can peer with for BGP monitoring purposes - you don't actually use them for routing but for monitoring
QRator is one
they are this monitoring service in russia
I don't need russian service
we aren't peering with them ourselves yet but I've signed up for an account there because they've picked up a few open ports in our network that we didn't notice
all the russian blocks are on my drop list
who needs russians on their network
same is for the chinese.
they have no business on this network
@tender hazel doesn't HE support some kind of BGP monitor too?
we don't really need to peer with them, and we don't, currently
no, not the same type
and the qrator service has alerted us to ports we have had opened that we should not
My ISP did that for me
we had a BGP port open on one router to the world and we only found out because of the qrator alert
they weren't happy with the exposed port 53
on my public subnet
so much so that they emailed me, and immediately dropped the route
that's fine, except we are the ISP in this case
I forgot to configure the FW on my mikrotik
to only allow 53 from the DMZ itself
not WAN
Oh shit, get the whiskey, hes an adult now
something about DNS servers used for DDoS >_>
DNS Reflection
@plain siren I had some junior positions at two other companies, and I am also self-employed (I have VAT number)
we wanted to do a scan of our network for ports that could be used for DDoS amplification
I know I'm being an asshole
<3
but one of our employees was against it
you're an asshole too so it doesn't work I guess
No, I just suck at detecting sarcasm lol
Same difference
he was saying that if we started scanning for open ports that we would start calling our customers every day about open ports and that eventually we would be doing nothing except calling customers about open ports and go out of business as a result
so therefore due to the slippery slope we shouldn't ever scan for open ports
@tender hazel you want to portscan my network? :P
which of course doesn't make sense at all
no.. I wouldn't portscan anybody else's network unless they asked.. our own network is different, I think it is good practice to see if our customers are vulnerable
That's why I am asking lol
I have no idea. I did an NMAP scan when I first finished the config
how do i check if I have ipv6?
or that
if you get 10/10 you have ipv6
unless you can switch ISPs your only workaround is to get a VPS somewhere and set up a VPN tunnel to that
See, I can do v6 just fine
but I don't want to set up a mailserver to finish the certification
I am too lazy
so I am limited to ~60mbit
you can do v6 just fine over an HE tunnel yes but that won't solve the netflix issue
See this kind of shit wouldnt ever trend in EU: https://i.imgur.com/q4sdNOT.jpg
that's the same reason we couldn't use netflix on HE
we actually get blocked
we can't use netflix at all
if we are on HE
so I would have to turn HE tunnel on and off every night before being able to use netflix
I got sick of it and just left it off
I assume those aren't trending in NL and are instead just trending in US and you are getting them because of that
in our case it is blocked entirely
within europe there's no difference to netflix content
netflix won't even load
because single market EU
if I turn up an HE tunnel
and go online with it
I can get to everything except netflix
netflix says sorry you are blocked because you are on a VPN
yeah probably due to netflix not tracking everything
to enable/disable v6
I am in canada so netflix seems to have created special programming for that
I hate going to germany and watching youtube
if you are in canada and connecting to HE, netflix is blocked entirely
because when I return home
all the ads on youtube are german
for couple weeks
my HE tunnel is somewhere in New Jersey
our server administrator is from russia originally
sometimes he does updates for software
but I get 7ms to 1.1.1.1 even on v6
and our software changes to russian language
it detects his preferred language on his computer and tries to be helpful and chooses that as the language
helpful
so suddenly we go into the calendar and the months are in russian
or other crazy things like that
it is work to try to figure out how to roll out IPv6 on an ISP-wide basis
and the problem is that a lot of ISPs don't really see a benefit for them
they see it as just extra work for nothing, so they ignore it
yes
the curse of IPvX
I had to push to get IPv6 rolled out at our ISP
we are completely dual stack now
but I had to push for it
I remember that time, when it took 8 months to convince my coworkers that git was better than svn
even in an ISP there are people saying "but we don't need IPv6 for years and years, IPv4 is fine"
"merges" were an all-day ordeal.
and while in progress, nobody could push code
@tender hazel how are the IPv4 reserved addresses handled in v6?
yeah it is really that, you get so stuck on what you know well (Ipv4 or svn) that you are totally oblivious to what can be done better
sorry?
If my ethernet cable is damaged can it affect my ping
I've been getting really high ping lately.
@tame carbon yes, but I only know it because I've seen a few things online that reference it.. but it isn't automatic
I think it is designed for 464XLAT
@tender hazel an ideal dual-stack would be a NAT'ed v4 locally, and a public V6
The outgoing v4 would prefer v6 addressing
both addresses can be reached on v6
v4 only on v4
dual stack and 464XLAT are two different solutions
dual stack means the client has IPv4 and IPv6 at the same time, usually CGNAT on v4 and public v6
then...
@thick minnow
what are those v4 mapped v6 addresses even for
if nobody uses them
@thick minnow wifi?
464XLAT is a way for the client to only have IPv6 but be able to access ipv4 resources without having an ipv4 address to begin with
@thick minnow I see nothing wrong
my ping has been high lately
my understanding is they are for 464XLAT
ever since it was damaged
you don't need an IPv4 address you can just have an IPv6 address, you can make a request to that IP with a system that has Ipv6 only and it will respond
@tender hazel I'd imagine that the ISP would have some kind box that did this for you then?
yes
so you can connect to v4 from a v6 network
sounds neat
why arent we using this?
or is that the million dollar question xD
we actually are using this for cell phones in many cases
most cell phones in the US get only IPv6 addresses
tmobile for instance
Nailed it
they are using 464XLAT to get to all IPv4
It was a waste of space for a small point in what couldve been replaced with many other things that are avail now
The fact the assignment table is tainted with a transitional block just looks bad on the paper 😦
but one issue is that 464XLAT works great for all websites but doesn't always work with VPN's.. that is what is starting to impact meraki, when tmobile moved their cellular to 464XLAT, the meraki customers could no longer connect to their corporate VPNs which were IPv4 only
Every time I look at this conversation I get more confused, people do realize networks don't work solely on just getting sent out over what standard protocol for IP addresses they're using right?
I'm about to break out my cisco textbook and do some explaining lol
Honestly this whole thing should be moving much faster
ffs
OUT
we are this small-medium ISP and we moved to v6 dual stack a long time ago
The longer some are without IPv4 and some are without IPv6....
We have a problem
that leaves regions becoming inaccessible and growing
what's v4 and v6
a lot of people think that there is no point in IPv6 that we are fine with IPv4 forever with NAT
it is horrible
192.168.0.1
4 Octets in the Address. The IP Address. IPv4
IPv6 is 128 bits, 4x as large address space as v4
@thick minnow what do you mean more complex? 
no NAT
the largest address you can have is 255.255.255.255
If you were to check the largest number in binary (11111111) for a Byte (in base8)... it's 255.
4 Bytes makes up your IP Address
Ok I don't understand the problem? Is the problem scalability or security?
Sounds more like a you problem, than a protocol problem
Because they solved the scalability problem all the way back in the 90's for IPv4
But the protocol works just fine?
pretty sure you can configure your firewall to filter invalid packets
the extension headers are often ignored because there are issues with the idea
but here's really where the problem is
they came up with an improvement for IPv4 like 30 years ago
we still don't have it rolled out
Gooooot it
if you want to make a new better protocol to replace it, we wait another 40 years?
not going to happen
they can't
IPv6 is it
and the longer that people fight against it, the longer it will take to get there
@thick minnow https://ipv6excuses.com/
IPv8, it's 1024 bit addresses!
You have extensions for days!
ok I thought your problem with IPv4 was scalability.
The fact that IPv6 is actually easier to work with but its apparently hard for engineers to grasp and roll out is frankly pathetic.
so you're happy with people having to buy VPS's to be able to play online games?
Honestly I can subnet all day, but for some reason I can't figure out hexadecimal so I'm part of the problem lmao
I'm happy with IPv4
Except any new website or server that is currently acquired doesn't have an IPv4 address.... So how are you going to access it?
Fade away
I think I have a bingo guys https://i.imgur.com/POXgrSh.png
yup, we have a bingo
What if Discord moved to a new host when Microsoft purchases it and you don't have IPv6
Wait. What?
yet internet is still growing.
So anything new is out of your reach
My local exchange: https://i.imgur.com/FTeUdou.png
The internet is growing. FAST.
and the amount of people behind a NAT is already annoying enough
every single user who is behind a CG-NAT cannot port forward.
or host services
And its even worse
because they only do NAT444 and no v6 support.
We've been out of IPv4 addresses since the 90's scalability isn't the issue, we solved it literally DECADES ago
IPv6 has proven to be in both terms of Management, Reliability, and an actual reduction on a switch stack thanks to the lack of NAT, an improvement. There is 0, and not a damn single one, excuses to not want to push and implement IPv6 other than pure laziness or complacency.
So that really really shouldn't be a part of your argument lol
What...
Yes, this, exactly
Each regional IP Numbers authority recently hit P3 Ending.
They are Revoking addresses to force the change.
This is some mental gymnastics lol I'm goin' to bed.
Mental Gymnastics
Documented by the horse's mouth on said website
yeah you are
Yeah like Ubiquiti and they dont even support IPv6
Point?
@tender hazel sometimes...
Those are all excuses
No there isn't. They are nullified by the fact we have no choice.
v6 is current. v4 is old.
We are OUT of IPv4. time is UP
@thick minnow lol I don't think you know who you're talking to
Rouing is anything but pretentious
No I am pretentious,
👍
I'm also an asshole and a douchebag
The problem is, what are you going to do about it and I dont care.
Yeah but that is irrelevant
Vendors have had enough time to adapt.
more than 10 years
Vendors already have adopted it. It's not vendors
its implementations
They are adapting to adopting as that's the goal but either way
Semantics
yawn I'll just wait for my ISP to provide v6
@plain siren what even: https://i.imgur.com/XiEfwBV.png
Find me an enterprise device that hasn't met industry standards on all points (Security, Reliability, etc etc) by any one of the big 17 out there that hasn't already implemented and even begun focusing on IPv6
2017 was 4 years ago
I said enterprise, not ubiquiti tier
some customers were forced to abandon meraki because of the lack of proper Ipv6 support and the mobile networks moving to 464XLAT
entire teams of salespeople prevented from connecting to the corporate VPN because the meraki didn't support IPv6 and tmobile on 464XLAT
Not the mobile networks' fault that terrestrial providers are fucking idiots.
They were faster now they have to compensate for the other sides lack of ability
Well someone just gave away their eyes.
the issue is that no single person or company has the ability to phase IPv4 out
officials in Massachusetts later said that the Oldsmar facility used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees.
if there was someone with that control we would have been on ipv6 by now
FUCKING, Brilliant.
Japan disagrees
Rakuten is fully IPv6 only, management infra included
but if people don't have to do something, they won't feel like they have to do something
yes, but they would be risking people abandoning their own platforms for ones that still supported IPv4
uhhh does no one know about the. you know what never mind, this ones mine.
even more reasons to use v6.
Google, Amazon, and Facebook are full dual stack already
and it's not worth the risk for them
You will soon enough anyways
Network Acceleration Alliance? There is a cutover agreement already?
It's this year?
Like guys?
Anyone?
no
ok
It's signed under the ONF
Although AT&T is tarded, they won't make it
just start dropping all v4 traffic
Neither will comcast
you'd be surprised how fast people would switch
we are paying a fortune for public IPv4 right now
ouch I feel that
if we actually didn't have to pay that, we would be able to expand our network so much more quickly
faster service for customers, higher packages
can I have a /4 ?