#networking
bada bing!
i logged in
Do you know for a fact the 6A Cable is good?
broken cables are uncommon, but absolutely do happen
don't even need putty
6e isn't a standard?
what?
@copper rover do you want to do this in dms
got a cable tester?
No
I'm not that free at the moment. But yeah, try a few of those commands. Unless there's documentation out there to enable TFTP
@copper rover so i need to enable tftp in ssh?
Kinda stumbling in the dark
tests to see if all the pairs work
Yeah, see if you can
alr
for continuity
ty
it's a device that plugs into a network cable, and tests to make sure all the wires inside it work correctly / are crimped in the proper order
Oooh
@copper rover umm
Very good news
hehe
So, you have a way
yes
im kinda starting to understand
its like cmd
but you're on the chip
Yes
i need to put, right?
Basically you need to instruct the router to get the file from your TFTP server hosting the file
check tftp server tab
on tftpd64?
Yeah, I think that also can serve files from your PC if I'm not mistaken
Be sure your local Windows firewall isn't blocking it though
The real question is this. Once the router downloads the file, does it know what to do with it? I'm assuming that's the flash process?
Dunno
Sure
i think thats good
seems reasonable. It's not like you're going to make the router any worse condition
lol
exactly.
Rather be tshooting DNS issues right now instead of SIP
@hollow marlin I managed to connect with l2tp
BRB, need to go for awhile
And am now in the router config through socks proxy with my server
alr
But I think fw is blocking 53
ill try to solve it
I enabled dns on my other mikrotik, and I can reach that one
Strange, 6A works on my other computer
But not on my main computer
6E works on both
And my CAT.6 (it doesn't have a letter) works on both too
@hollow marlin test.
@tame carbon imma go swap it with my main router and see if it gets an update
That'll do it
@hollow marlin ok so I can do dns from commandline now, I accepted input on 53 from all dynamic interfaces
But applications still cant resolve addresses
If you torch an interface, where do you see the request dying? what does it show for connection in the FW
on request or reply?
@tame carbon well crap
Src address matches my phone's LAN, and it hits the bridge at 192.168.99.0/24
so im gonna have to force on a version that was never meant to be on here
@hollow marlin not sure if this is a router issue, something in my client is funny.
Its not even honoring me using 1.1.1.1
3 rx/tx should mean its successful. Try a PCAP through winbox
Can't do winbox
GUI works too
@tame carbon wait but do you know the reason why isps lock down routers?
Remove the 192.168.99.10 from the DNS server, and try again
No MTU issue, packets are still well under in bytes
Wow wait
@hollow marlin if i go to ip addresses
Theres the 192.168.99.10 on network 10.0.0.1
That can't be right.
Its a 32
wtf, you can have multiple addresses under an interface
Under the PCAP, if you click on the packet you can see the header, look at the responses for each to see if its responding with the address or not
where is the 10.x address originating from?
OH?!
OH?!
Is it working?!
Nope
@hollow marlin i think thats the local address my phone gets
Oh is this a VPN directly to your phone?
Nah, laptop to home
And all works, except dns
@hollow marlin ugh, I probably will have a look at this when I am back home
I guess I cannot picture the layout. That address list is throwing me off lol
@hollow marlin i think my ppp profile is not configured properly
Possibly but equal request/reply should mean its successful. are you testing DNS with the laptop?
There's a separate /24 and bridge for all vpn
@hollow marlin yeah nslookup and I put the IP of my mikrotik as dns server
Then it works
But not automatically for all other programs
@hollow marlin when I return home next week, I think I need to relearn how to properly configure l2tp
Because This was hastily put together, and worked at first glance
It might be because you are using the wrong addresses. You'll want to create separate interfaces for the tunnel interface
@hollow marlin are you willing to help me out with this next week?
If I attempted this now, I'd lock myself out
Sure thing
Is this the config on your local side?
does anyone know how to put a file onto a router using tftp in ssh
tftp -p file.bin
o
Click this before making any changes. If you break something and it loses connection, it will revert back to when it was clicked
That way you can try fixing it remotely without screwing yourself over
Yeah, I'm aware. But I think for now, I'll crack open another cold one and watch the sunset
Ill fix the vpn next week
That works as well lol
@tame carbon doesnt tftp only work if the firmware is corrupt
@green forge sorry, I'm technically on holiday
Not on pc all day long
Normally 18hours/day
oh ok
tftp doesn't care about the firmware. tftp is just a method of transferring the file. It doesn't care about the intention as to why you want to do that.
yay you're back!
The idea is to send the firmware from your local PC (hosting the file) to the router. Then flashing that firmware to the router.
In some cases, it will flash the firmware as you transfer it. I've seen this before with some printers
i tried other methods that people suggested which didn't work
the thing is
how do i make my pc a tftp server
How to install and configure TFTP Server using Tfptd32/Tftpd64 in windows 10, windows8.1 , 8, 7. Best free TFTP Server software
Download link and full tutorial : http://techzain.com/how-to-setup-tftp-server-tftpd64-tfptd32-windows
Problem starting tftpd32/tftpd64
Tftpd64 unable to transfer file to client
how to use tftpd32 by ph. jounin
The magic of YT
BTW, I had to leave because of some server issue. It's what happens when someone doesn't do as I recommend such as put the HyperV box on a UPS, and a brownout occurs.
ono
Yeah, dirty shutdowns are never fun
I believe that's the directory that will host your firmware file
this is why I don't like yt tutorials
Create a folder under C:\TFTP and place your firmware file there
i put it in my storage drive
OOHH
wt
it doesnt save it
or it did
alr
so i put file in folder
now what im supposed to do
The point is that the file needs to be located in a folder that TFTP will host from. From the perspective of the client (in this case your router because it will pull from your computer) that will be its root directory.
So, it doesn't really matter where you physically have that file you want to send to the router, so long as the TFTP server settings are pathed to point to that directory
what are you trying to do?
why does the program go back to default after restart it
maybe i need to install the tftpd32 version, not 64?
@tame carbon what exactly are you trying to do and what isn't working?
That doesn't matter
It runs it runs. That's what matters
But why does all the settings that i just did go back to default
Is there no save or ok button?
GOT IT
Keep in mind I haven't used that program. But basically it should save whatever changes you make
i just need to be admin mode
Ahh ok,
alr
you know what i found funny
while you were gone
i plugged it into the internet
and did a software update check
said that no new updates
so maybe
we might be the first to allow a new version of this firmware to be on a isp locked router
Possibly.
They do purchase hardware in bulk and then upload custom firmware. Basically it's tailored to that specific ISP. I'm guessing that was a managed router so they could remote in and assist customers.
So, not sold but leased equipment. Maybe someone didn't return the equipment and just dumped it at Goodwill
but at least they could have included a thing so you could upgrade the router if you dont have cci anymore
No, I don't think that was it. I don't think it was sold, but leased monthly as part of the subscription
it was in a goodwill
Meaning, I don't think that router should have ever fallen to a 2nd hand market
But whatever, it's yours now
I'm sure the ISP billed the original customer for non-returned equipment in full. lol
Kinda, yeah...IF you can get it to work with your own firmware
DD-WRT might be an option too you can try later if it's compatible
yeah lets try this first
agreed
Sure
logged in
See if you can run the TFTP command from the router via SSH and specify the IP address of your computer hosting the file
ssh is just terminal into the OS on the router. Think of it as a remote session to the command prompt INSIDE the router. Nothing is being executed on your PC when you SSH into a remote device.
Yeah, CLI (command line interface)
It's like connecting a monitor and keyboard to the router. Command executed inside of it
only terminal text and not GUI
no graphics
Pretty sure he is using the wrong tunnel addresses and resulting in asymmetric routing
do i get first and then put?
just a moment
alr
@hollow marlin crystal specified to use 10.0.0.1 for the client side and 192.168.99.10 for the router side
the use of 192.168.99.10 is not necessary
it uses another address for no reason, might as well be 192.168.99.1
tftp -g -r firmwarefile ipaddress.
replace firmwarefile with the name of your actual file you're trying to download.
replace ipaddress with the actual IP address bound to the TFTP service on your PC, probably same IP as your computer
so crystal's laptop will be getting the IP 10.0.0.1
but dont i have to specify where the file is located?
No, I don't think so.
and it looks like it is connected, so I am wondering what is not working?
Example, I host TFTP from my PC using that application and place it under C:\My Stuff\Stuff-n-stuff\firmware.bin
When I connect to it from the router, the root directory is Stuff-n-stuff. So you should only have to specify the file name
do i have to use the tftp server ip or the routers?
server ip.
hmm
You're getting the file from a source. The source is not the router
still read only file system
Hmmm. just a sec
lemme google it
@copper rover https://superuser.com/questions/328470/how-can-i-make-the-read-only-file-system-writable-on-busybox
this has a lot of info
you shouldn't have to make the read only file system writeable on busybox, that is what /tmp is for
it's not a busybox. That's what search came up as
Basically the file system on the router looks to be in read-only mode. At least from what I can see
right but isn't that typical?
usually you would have a /tmp folder that you can write to
Trying to download new firmware to the router. We're not sure if this can be done however
what folder is the firmware supposed to be placed in to apply to the router?
...
No clue
uhhhh
Long story short....
He has a netgear router that's been flashed with custom ISP provided firmware. He obtained this equipment from a Goodwill. It's either ewaste, or can be hacked to be reflashed with stock firmware again
Trying to correct it
but i really need it to work due to all my other routers being 100mgb
this is the only 1gb
one i have
just need to update it for security
did you try this procedure first? https://kb.netgear.com/000059633/How-to-upload-firmware-to-a-NETGEAR-router-using-TFTP-client
this is kinda fun but challenging in a way
you see, thats if the firmware is corrupted
which i tried to corrupt with no avail
and no documentation on how to make the router go into tftp mode without corrupted firmware
I think @tender hazel is on the right track.
See, the custom firmware might still contain common code with the original Netgear. Meaning it's hard-coded to look at 192.168.1.10 when downloading firmware from TFTP.
You'll have to set that static IP to the NIC, and then connect a single patch cable from the router to your PC, then follow those steps
nic??/
NIC = Network Interface Card
so my pc
Yes
where do i change my static ip
Essentially, the router has to request the file upon bootup.
so we need to trick it to download the file?
@tender hazel i appreciate the help
This video will show you how to assign a permanent IP address in Windows 10.
First, right click on your network connection in the bottom right, and then choose the Network and Sharing Center option.
In the window that pops up, choose the interface that you want to set a static IP address for. If you are connected to wireless and to Ethernet th...
mmm yt
But me being drunk rn, cant really do networking
ofc
oh ok heh
tell me a random thought in your head
Beer
nice.
@tame carbon you configured things so that the l2tp client will get the ip 10.0.0.1 and the router will use 192.168.99.10 on the local side.. there is no need to use a separate IP for that, you can just use the same 192.168.99.1 that the router already has
but that isn't anything to do with your problem
no - the "local address" can be set to basically any IP the router already has on any interface - the only IP you would want to avoid using as the "local address" is the one that you are using to remotely connect to the device with L2TP
so leave the local-ip blank
@tender hazel discord breaks when I turn on my vpn, which I need to configure this..
which is kinda why I wanted to fix this next week
@tender hazel and remote-address can be blank then?
or the same?
Can't you tell the VPN to not use it as the default GW?
remote address should be the address that you want your computer to get.. if you want to have a pool of addresses instead you can configure that through the profile.. but if it is just you it is easier to specify it in the secret like you are
10.0.0.1 is fine for that
so remote-address can be left as you have it
but the default mikrotik firewall, assuming you are using that or some variation on it, is going to block you from getting online
Quite the contrary.
I can reach any public IP
all works.
except DNS.
even traceroute properly reports it
I made sure to add an accept rule for port 53 input
Wouldn't this be easier from router settings lol?
Or am I stupid?
but I think my client is borked.
what dns servers are you trying to use?
192.168.88.1
and I also tried 192.168.99.1
which is the IP of the mikrotik on bridge-vpn
that's the bridge that the l2tp-server binds to
@copper rover done
@green forge needs to host a file from his PC via TFTP via a static IP
@tender hazel if I do nslookup google.com 192.168.88.1 it works.
@sour minnow its a locked down isp router
oh
It's basically junk. Trying to res it to work again
the L2TP server doesn't actually bind to a bridge
its a config field though?
@copper rover i set the static ip to 192.168.1.4
yeah that field is for something called BCP (bridge control protocol) but >99% of L2TP clients/servers do not have BCP support
@tender hazel mh. that would explain why the accept rule on interface list didnt work. But did work if I selected dynamic
Well, the idea is that the same recovery method for the default Netgear firmware (per those instructions on their site) should still be applicable for the custom firmware the ISP loaded. We don't know that for a fact, but it's an educated guess that they did keep it the same
@tender hazel I tried overriding the DNS server on my client, to use 1.1.1.1 instead
but even that didn't work
so that setting won't really do what you want unless you are establishing l2tp from mikrotik to mikrotik
so much stuff going on
what you can do is make a special profile for l2tp
OOHHHH
nggh ok, let me try :D
setting interface list to LAN (assuming you are using the default config or something similar) will take care of the proper firewall stuff
I just poked a hole in my firewall
so I can access webfig without vpn
through a socks proxy on my server
you can start by making a copy of the default-encryption profile
and make the changes to that
since some of the other settings are better
sorry discord crash
ka-ching https://i.imgur.com/Q7walnN.png
@tender hazel any way I can copy a config from webfig?
theres no button to do so
you can export config to a file and then download the file
@copper rover so we need to now find a way to make the filesystem not read only?
yeah setting interface list to LAN is ok in the default-encryption as long as you aren't using default encryption for something else like a pppoe client
@tender hazel nah its literally not used by anything, other than my VPN.
THere's a 2nd device that uses the VPN, but thats not important right now
ok then yeah that is fine..
im gonna start the server
No, I think that's a fool's errand. We need the router to request the firmware file and flash itself
@tender hazel bridge-learning doesnt exist, is that important?
what will happen once that is done is when you connect to the vpn you will automatically get added to the interface list LAN
no
I dont think Mikrotik lets you export with the Webfig right?
@plain siren I can always connect via ssh if need be
Only commandline/Winbox IIRC
@plain siren there is a terminal in webfig
there's a button in the upper right corner of the webfig window that calls up the terminal
oh then you can just export from that with literally export file=file.config right?
yup
Ok, so I set both DNS and local address, as well as LAN interface list
ok
how are you doing this while drunk?.
no, everything else should be just fine
How do you do this while sober?
@green forge most of the time when I am in this channel, I'm stoned.
^
I get both sometimes
ah makes sense
@green forge
6. Turn router OFF for 10 seconds and then turn it back ON.
7. Watch the Power LED. It will start with an orange color and then start flashing.
8. Press PUT button on the Tftpd64 utility to perform the firmware upload.
9. You should see a pop up saying that "0 block retransmitted". If not, you may need to repeat above.
Then I spend like 3 days on #tech-support trying to get a high score
@tame carbon I had looked at your config in the secret and it was fine
thats for tftp client, and idk if it will work again
except for the local address
Leave that blank?
well here goes nothing
you can leave that blank now that you have it set in the default-encryption profile instead
@tender hazel and remote-address is just the local IP that appears on the client itself right?
yes, it is the IP that the client gets
If I have mutiple secrets, do I modify this to 10.0.0.2 ?
yes, if you have a second client you can do that
the other thing you can do is if you want dynamic, you can make a pool called something like VPN-pool, set a range like 10.0.0.1-10.0.0.20, and set VPN-pool as the remote address in the default-encryption PPP profile
that's if you want dynamic VPN IP allocation
I think I had that at one point yes.
but since it is just you, static is fine
great
crystal@watomat ~ ip route
default dev ppp0 proto static scope link metric 50
default via 192.168.1.1 dev wlp3s0 proto static metric 600
umm
crystal@watomat ~ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 192.168.99.1 (192.168.99.1) 30.820 ms 30.797 ms 30.789 ms
2 46.243.152.3 (46.243.152.3) 31.830 ms 31.825 ms 31.819 ms
great
Seems to work
yup
@copper rover it wont work, i tried doing this before and the block #0 wouldnt move
do you have DNS over TLS or whatever enabled in Chrome Settings?
but when you use nslookup it is fine?
you can resolve against the router just fine with nslookup?
And the firmware file is named what it's expecting, yes?
what should i name it?
it has the .chk at the end
i called it updatedversion.chk
Leave it the same name as you've downloaded it. Don't rename
ok
@copper rover port needs to be 69 right?
Based on those instructions, I'm going to say "yes"
Which one
Yes
@copper rover never blinks, man this is tough
I think the dns is overridden on the client side so the ppp profile supplied dns server is not being used
it is a client side setting that is wrong
So " It will start with an orange color and then start flashing" never occurs?
you see its always orange
lemme open it to see the led color
You have to leave it unplugged for 10 seconds, then plug it in, and then you should get that sequence
The power that is
To the router
It should be part of its boot sequence.
shrug
And last stupid question: did we ip dns set allow-remote-requests=yes?
I can do nslookup from shell just fine
@plain siren allow remote requests has to be set, otherwise the resolution wouldn't work from the command line
yeah
thats why I said it was a stupid question
Theres an accept rule on all dynamic Interfaces
So it works
Just not on my client
When attempting to use system wide vpn
what if you override the home settings on the client side
the home vpn settings
hard set dns of 192.168.99.1 instead of getting automatically
you shouldn't have to do that, but try it
I tried that earlier, didn't make a difference
got the cover off
I removed it just now, to make sure it uses the provided one
That didnt make a difference either
Ah yeah
cover off??? 0_o
Why? I don't understand why you need to take that off
Crystal, do me a favor just for shits and giggles
I even enabled dns on my 2nd tik
I am having a bug that might be related on my shit
And I could reach it, but didn't work either
i need to see the true color of the led
Add 8.8.8.8 to the DNS Server list if you only have 1 listed
its orange
I know it sounds stupid but this is annoying me
Uhh, ok. Umm, if it make that easy for you, sure.
yes
DNS Doesnt work with my S-S VPN on my Mikrotik Endpoint if I use only 1 DNS Entry.
Basically, it should light up orange and then flash
That's when you're supposed to press the PUT button
Waaaaaaat
Omg dont tell me
Yes...
yes, crystal is able to ping online
Couldve been static, i cover all stupid bases
the client is using something else for dns obviously
what happens when you nslookup without specifying the server name? what server is it using?
maybe we need v1?
It times out
and when it times out does it tell you what server it is using?
Its normally using 127.0.0.1#53
or what server it is trying to use
yeah so there is your problem.. it is something on the system itself, it is trying to resolve against localhost
it isn't using the provided dns for whatever reason
yeah it is something wrong with the client, it is nothing wrong with the mikrotik config
check your resolv.conf file
crystal@watomat ~ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
Wait... but why is it using itself as a resolver actually... Shouldnt the router be the DNS resolver?
not localhost?
@copper rover i hit a block, i dont know what to do now
Ubuntu 16 yes.
it is using itself as a dnsmasq server
ugh ew
perhaps dnsmasq isn't running
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
Drop-In: /run/systemd/generator/dnsmasq.service.d
└─50-dnsmasq-$named.conf, 50-insserv.conf-$named.conf
Active: active (running) since vr 2021-04-23 23:04:34 CEST; 5min ago
Process: 1446 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
Process: 1324 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
Process: 1142 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
Main PID: 1406 (dnsmasq)
Tasks: 1
Memory: 4.4M
CPU: 93ms
CGroup: /system.slice/dnsmasq.service
└─1406 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49aac11d7b
what's in /var/run/dnsmasq/resolv.conf?
@tender hazel wait...
apr 23 23:04:24 watomat dnsmasq[1142]: dnsmasq: syntax check OK.
apr 23 23:04:24 watomat dnsmasq[1406]: started, version 2.75 cachesize 150
apr 23 23:04:24 watomat dnsmasq[1406]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
apr 23 23:04:24 watomat dnsmasq[1406]: using nameserver 127.0.0.1#40
apr 23 23:04:24 watomat dnsmasq[1406]: no servers found in /var/run/dnsmasq/resolv.conf, will retry
apr 23 23:04:24 watomat dnsmasq[1406]: read /etc/hosts - 18 addresses
apr 23 23:04:34 watomat systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
this is... ^ interesting..
nameserver 127.0.1.1
Ubuntu version 12.10
Dnsmasq version 2.63-1ubuntu1
Same as bug #875950
network-manager is not installed.
Dnsmasq generates empty /var/run/dnsmasq/resolv.conf
Error: no servers found in /var/run/dnsmasq/resolv.conf, will retry
/etc/resolv.conf:
nameserver 127.0.0.1
/etc/dnsmasq.conf:
resolv-file=/etc/dnsmasq-resolv.conf
dhcp-option=option:ro...
"In your case /var/run/dnsmasq/resolv.conf is empty or absent. This suggests that you are not using resolvconf in the normal way, or not using it at all."
@tender hazel someones suggested this: https://i.imgur.com/1XXaaAD.png
Hah here it is
ahh yes that's it
routiing found it
oops
rouing
ok, summarize drunk me can't read pages right now
do I just modify my NetworkManager.conf ?
Yeah, I was hoping there was a way to manually put it in recovery mode
@plain siren that line is already present.
@copper rover there might be a way of manually putting into recovery mode by holding down the reset button for a certain number of seconds, like with mikrotik?
im stumped
^
Worth a shot. I'm still looking online to see
I think the reset button just clears config, but more than likely that's a point of interest to initiate that function...if it exists
you see
if i reset it
the cciadmin password stays on
so that means
that that is kept somewhere else
The password is the default in the custom firmware
yes
You're trying to replace the firmware. That will also clear the old default CCIADMIN account too
@tender hazel I think...
I fixed it..
I commented the line dns=dnsmasq (prefixed with #)
restarted the network daemon
now it seems to work ? :o
Once the firmware is replaced with stock from Netgear, that will give it the default netgear admin account as though it's a retail unit
interesting
mhm
Does the power light always stay amber (orange)?
Or does it turn green after awhile?
@plain siren
crystal@watomat ~ cat /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq
[ifupdown]
managed=false
I commented that line, and now it works.
So if you set managed to true, I wonder if dnsmasq would work
I can try.
always stays orange
I owe you a drink if it does
Does it ever change status when powered off and then back on? Does it ever flash at any time?
@plain siren nope.
well all the lights go on while booting
@plain siren invalid option
i can record boot sequence
@tame carbon systemctl status systemd-resolved
resolvectl query google.com
@green forge Try this . It's where you force recovery mode then push the file to the router. It might work, or might not.
https://kb.netgear.com/000059634/How-to-upload-firmware-to-a-NETGEAR-router-using-Windows-TFTP
Read those steps
use windows?
Sure. why not?
Turn router OFF for 10 seconds.
Hold down the reset button on the back of router with a paper clip.
Power ON the router while holding down the reset button.
Watch the Power LED. It starts with an orange color, and then start flashing.
Connected to vpn, lemme see if it works now
I know. But what else you going to try?
@plain siren service is running, still timing out
lets see
But it was working momentarily when I commented the dns config line
Yeah I would just revert
Waiiiiiiiit I just got a VM running and I noticed something
@green forge I think by holding down the reset button WHILE powering it up might be what unlocks the router to accept a TFTP connection to upload firmware to it.
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf < omegalul
Why isnt this done by default
wtf ubuntu
Fucking stub dns shit
it auto generates the /etc/resolv.conf
well
and I think systemd-resolve is actually in ubuntu 18 but crystal is using 16 I think
@plain siren that file in /run/systemd/resolve/resolv.conf doesn't exist.
This is 16 LTS.
Ubuntu DNS hell. Been there with PiHole. And I forgot all about that
what happens if you run resolvconf
Ahhhhhhhhh no wonder
Welp
@copper rover cannot read from local file, does it require full path again?
o gg
commenting dns=dnsmasq did the trick.
@tender hazel now I can finally watch netflix without german synchronization 
Well, first see if the router can go into recovery mode via the status lights. If it does follow that power up sequence, chances are you can push the firmware through with TFTP
what is german synchronization?
Goose stepping?
wow
because you get some generic german voice over
yeah that's.. terrible
I can't stand dubbed movies, I always would rather watch with subtitles if I don't understand the language
in Rammstein.
That's a US military base, and that Cinema plays unsynchronized movies
are those terms synchronized and unsynchronized normal for movies? I have never heard them before
except when I think of audio being unsynchronized with video it means that the audio is early or late compared to video
crystal@watomat ~ systemctl status xl2tpd
● xl2tpd.service - LSB: layer 2 tunelling protocol daemon
Loaded: loaded (/etc/init.d/xl2tpd; bad; vendor preset: enabled)
Active: active (running) since vr 2021-04-23 23:31:10 CEST; 6min ago
Docs: man:systemd-sysv-generator(8)
Process: 3227 ExecStart=/etc/init.d/xl2tpd start (code=exited, status=0/SUCCESS)
Tasks: 1
Memory: 116.0K
CPU: 8ms
CGroup: /system.slice/xl2tpd.service
└─3348 /usr/sbin/xl2tpd
apr 23 23:31:10 watomat systemd[1]: Starting LSB: layer 2 tunelling protocol daemon...
apr 23 23:31:10 watomat xl2tpd[3313]: Not looking for kernel SAref support.
apr 23 23:31:10 watomat xl2tpd[3227]: Starting xl2tpd: xl2tpd.
apr 23 23:31:10 watomat xl2tpd[3348]: xl2tpd version xl2tpd-1.3.6 started on watomat PID:3348
apr 23 23:31:10 watomat xl2tpd[3348]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
apr 23 23:31:10 watomat xl2tpd[3348]: Forked by Scott Balmos and David Stipp, (C) 2001
apr 23 23:31:10 watomat xl2tpd[3348]: Inherited by Jeff McAdams, (C) 2002
apr 23 23:31:10 watomat xl2tpd[3348]: Forked again by Xelerance (www.xelerance.com) (C) 2006
apr 23 23:31:10 watomat xl2tpd[3348]: Listening on IP address 0.0.0.0, port 1701
apr 23 23:31:10 watomat systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
@plain siren something something , you just figured it out??
it was xl2tpd, its interfering with network managers UI config.
@copper rover you know, if i hold down the reset button after the router booted up, for like 20 secs, it starts blinking, but nothing changes in the tftpd64
@plain siren should I care about this? or is it good as it is right now?
I wouldnt touch it unless it becomes an issue
What if you hold down the reset button before plugging in power to the router?
ok
but you could just systemctl disable xl2tpd
are you sure?
and "systemctl stop xl2tpd"
I just fixed my own issue with that xD
literally same shit
It says count 10 flashing power LED and release the button. That's when you press enter to start the TFTP transfer
and so does DNS.
@copper rover the tftp doesnt even move tho
Try the TFTP client. But those instructions should be self-explanatory on how to do it with the Windows command prompt
Make sure you're running it from the same path the firmware file is in
FYI, Got to leave in 15
Firmware flashing guide for the COX ISP variant of the Netgear R6300v2 AC1750 router. Disassembly, serial TFTP flashing, and initial DD-WRT flash.
Right, but look at what he had to do with the Cox provided unit
probably default ISP
Real insightful. Had to use USB to push it with a pinned connector to the board
So, it's not entirely a lost cause here. It might be salvageable. Don't give up yet
@tender hazel @plain siren @hollow marlin thanks again for all the help. Wouldn't have been able to do it without you guys ^^
You be looking at a factory reset if the credentials are lost.
Yup, by design
Try look up the default user/pass for it.
I bet it uses signed binaries too
i really want to go to goodwill rn and get a new one
Because they want to use your router to do their Diagnostics Work and Telemetry
i was in one goodwill and i saw one WITH ITS PEEL ON
@green forge do yourself a favor, and buy a mikrotik instead :)
@green forge that's the last router you'll ever own.
ISP Routers are basically big ass sensors for them
They locked that one up tight.
like why tf do you lock it in the first place
to prevent exactly what you are trying to do right now
Because that would be one big ass whooping security hole otherwise
Yup.
Yeah, imagine hitting one of the side-of-the-road access systems and then just... attacking an entire neighborhood's routers
@green forge I thought you have the r6300v2?
i do
Boom, you now have a MITM for an entire local area
model and specs say it is
You're saying those are wrong pictures?
let me explain.
Serial TFTP Flashing
lemme take a few pics of this thing
my eee box has a serial port built in
Yeah but that serial port and the "DEBUG UART" is prob 2 diff things
have it alr
nicceeee
I see 8 drives in that Dell PowerEdge server. Why are only two active?
Oh, no drives in the caddy
duh
first 4 to the left is the vm pools
the boot drive is inside the chassis
the 2 in the right are truenas drives
pics are coming
and the last 2 drives to the right are other vms
I'm perplexed the drives don't have power LEDs on them though.
at some weird way two of my drives use the led the inverted way
thats why these 2 led lights up
Crazy, ok. Looks to be an R720 unit
its an R720
Yeah, I've worked on em before. Normally with a PERC
That's the same board in the link
https://wnsnty.xyz/entry/how-to-install-dd-wrt-on-cox-netgear-r6300v2
Firmware has nothing to do with it. It's the same board, same PCB. In theory, you should upload other firmware the serial way
I've got an old computer with an i7 and i was wanting to turn it into a home server but i also want to have it be my router. Anyone done this before? not sure if i can have it (or if it's even a good idea) be a router and a server at the same time. I've seen some OSes for being a router, possible to do with a vm? i couldn't find any software that i could just install.
GTG.
not yet but when i upgrade my internet. When i get starlink ill probably try to set something up
What my lab used to look like back in 2015
VyOS
thank you
that's for router
if you want to host vms you would want a hypervisor like proxmox
I wouldn't recommend having your core router being a full x86 machine and instead have a dedicated hardware router
nice
what are you using for routing?
pfsense
ah
running on a optiplex 7010
I don't like software routers
had for 3 years and had no issue
@stiff panther what kind of throughput do you get on that??
I guess I should've expanded that VyOS would be run in a VM but this is correct
yep
Aren't all routers software routers?
I run vyos as my kubernetes edge router
I meant like a dedicated box
not a full x86 machine
quite good actually
Im being facetious
and then instead of nating I setup static routes between that and my core router which is a ER-X (HEX-S is coming soon hopefully)
and with Router OS v7 may well become something we can all use
hardware offloaded routing
Can I offload it to AWS instead
AWS Lambda router 
- an actual question I got regarding hardware offloading for networking one time *
this is a thing
wat
Yeah
wut xD
https://github.com/Nike-Inc/lambda-router < not the router you are thinking tho
@plain siren thats just HTTP request routing.
the bridge mode in this new ISP gateway I upgraded to a few months ago is kinda weird
http://optiputer.net/publications/articles/TSUKISHIMA-OFC-NFOEC06-FirstApplicationTrial.pdf But there is also this
the gateway itself still gets public v4 and v6 addresses, and so does my router, but of course they are different ones
@copper rover well, thank you for helping me out. Ill see if i can do it, but thank you spending 4 hours trying to get this thing to work
it seems a waste of addresses
I mean that is a router..
why does the gateway still need to get public v4 and v6 when it is bridging to me anyway
@peak cloak nah its a layer 7 mechanism.
routing http is still, by definition a router...
traefik uses the term routers
@peak cloak yeah its request routing
But its not the same as 'Routing' in an IP network
There's no end to end connection
Sure there is, your browser and a NodeJS/nginx/whatever server
speaking of traefik, trying to get it to get certs from let's encrypt but it's just not working
cannot get ACME client get directory at 'https://acme-staging-v02.api.letsencrypt.org/directory': Get https://acme-staging-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-staging-v02.api.letsencrypt.org on 10.96.0.10:53: server misbehaving"
seems like issue with DNS?
restarted coredns pod
no luck
10.96.0.10:53 ?
I encountered the "server misbehaving" error when an internal authoritative DNS server did not resolve the public domain name.
I had this problem once, that fix was in my bookmarks lol
LOL
'normal' dns?
is kubedns crashing

Did you change your public IP from the node?
Wdym?
This is all local
Behind nat
Did you change your public facing IP allocation however
like did you change the NAT Public IP
While kube-dns was running
How exactly would I do that
So traefik needs to have a hardcoded DNS in its config
Link to docs would be fine
```
version: "2"
services:
  composeservicefortraefik?:
    dns:
      - 1.1.1.1
```
would be a compose example
so set the container dns
I dont know the docs I know this from tho so
But ACME requires Authoritative DNSSEC (internally) Validated Resolves.
wait, if all local services use 1.1.1.1, couldn't you translate destination on the router, to force it to use your own DNS ? :o
dns doesnt do verification checking at all
no, you dont have zone delegation so the DNSSEC Signature would fail
ACME Does.
The ACME Client.
No "resolve fail" but "server misbehaving"
Misbehaving cuz invalidated sig
I wont be long myself
cya
l8r
@copper rover i got telnet to work, just that gearguy and geardog dont work
and i dont know what to do next
telnet into your router? @green forge
yes
heres a better explanation
does anyone know how to do telnet on a isp locked netgear router?
i got telnet to open up in putty
but i wasnt able to login, i was using gearguy and geardog
so you don't have the creds for it?
what router?
did you try admin:password?
you see
if i want to log into this thing
its username: admin Password: cciadmin
not admin password
heres a pic
give admin:password a try
i did
ah
It's for an older firmware version, but this unauth disclosure exploit may still work
i have it on my desk for quick turn off or reconnection
@thorny vector i cant install any new or old version of firmware due to it being locked down
I'm saying the exploit may not be patched out.
to try to use the exploit?
how do i open it in the first place
it's a python script
it's a cli thing
Another more recent RCE exploit too
hm?
command line
This is why I don't use consumer routers, lol