***: KDE_Perry has joined #arpnetworks
mercutio: sounds like your version is too new
you have to downgrade to 6.18 apparently
assuming 6.18 is less than 6.5
maybe you need to upgrade?
because apparently 5.2 is older than 5.18
oh apparently it works in 6.14 to 6.18
brycec: '18' > '5'
mercutio: yeah
it may work again now
routeros is good at breaking things
BryceBot: That's what she said!!
mercutio: i seem to remember hearing of version 6.26 being reasonably current?
ant: 6.26 isn't released yet
brycec: just 6.26 is their rc
according to http://www.mikrotik.com/download
mercutio: oh
maybe it was 6.25 then
brycec: 6.25 is latest stable in the 6.x branch, 5.26 and 4.17 respectively
mercutio: maybe i got confused with 5.26 then
isn't routeros 6 way less stable than 5?
*) fixed route cache overflow (ipv4/ipv6 stops working) if ipsec is used;
scary changelogs (that's for 6.25)
brycec: scarier if "didn't fix..." :P
mercutio: whenever i see the changelogs for routeros stuff it always seems to suggest that things are fixed that weren't broken and then were broken
suggesting that things break a lot randomly
ant: i never had stability problems with 6. but i only use my mikrotiks as simple wlan access points
mercutio: i think most of the issues are with mpls, dynamic routing, ppp, queues etc.
so yeah as a dumb switch or bridge it may be stable
ant: imho using mikrotiks as switches sucks because of their weird stp implementation (just like linux sucks in that regard)
mercutio: well not everyone uses stp :/
i doubt most users of routeros do.
ant: i still don't know how to make a trunk port speak stp properly
mercutio: my switch has stp enabled.
but it defaulted that way :/
i used to be using a unifi wireless ap which was pretty unstable.
but i haven't had a single stability issue with tp-link that i replaced it with.
it's capable of running openwrt etc too. but haven't tried yet.
i got a second one so i could :/
i've got another wireless ap as a client bridging to ethernet ports, which is tp-link too. using gargoyle, and that was pretty easy to install.
***: jpalmer has joined #arpnetworks
jpalmer: ipv6 appears to be down for me. anyone else?
ant: works for me
jpalmer: interesting. I can't even ping my gateway
nevermind. traceroute shows it's an issue on my ISP's side. it's not making it to the first hop past my ISP's gateway.
wait, that can't be right, cuz I can't ping it from another server in california, either.
ant: can you ping 2607:f2f8:ab28::2 or ::1 ?
mhoran: Yes.
jpalmer: both are responding?
mhoran: Both are responding.
ant: from here too
jpalmer: ok, I need to figure this out then. I'm not able to ping it from 3 different networks
mkb: jpalmer, I can ping both (from ARP) but traceroute to ::2 never finishes
m0unds1: traceroutes from comcast & linode in dallas both look ok to me
***: m0unds1 is now known as m0unds
sjackso has joined #arpnetworks
_Zodiac has joined #arpnetworks
_Zodiac has left
mnathani__: How does centralized logon generally for Linux work in Enterprises today?
Assuming we are not falling back on Active Directory and doing things directly in Linux
NIS ?
***: mnathani__ is now known as mnathani_
brycec: ldap/kerberos
which is coincidentally the same underpinnings of AD
(ldap for directory, and kerberos for auth)
Though you could do auth with ldap too, but that's less common; the benefits of kerberos outweigh it
mnathani_: is it kind of roll your own solution with kerberos and ldap, or are there system packages that provide a decent out of box experience
perhaps even commercially supported?
brycec: There are, or have been, some packaged stuff
Novell had something
I haven't touched the area for awhile though
last time I set it up, I used a distro called Zeroshell to serve as my ldap/kerberos root
mnathani_: k
RHEL Probably has their own solution
using LDAP and Kerberos
-: brycec shrugs
brycec: only thing I know about RHEL and derivatives is they have a nice wizard/gui for configuring client machines for it
BryceBot: YER A WIZARD brycec
brycec: Thanks BryceBot
BryceBot: No problem, brycec
***: toddf has quit IRC (Ping timeout: 272 seconds)
toddf has joined #arpnetworks
ChanServ sets mode: +o toddf
mnathani_: http://www.gliffy.com/go/publish/7081735
I am wondering if it would be possible to trunk the link between the Mikrotik and the Catalyst Switch, run 2 Vlans across it
one that will present the Bell Fibe Modem on the same Layer 2 as the Cisco 2811 behind the switch
the other for the Lan behind the Mikrotik
brycec: What's the advantage of multiple pppoe sessions? Just more external IPs as opposed to nat?
mnathani_: more public IPs, yes
allowing me to test vpn tunnels
that actually traverse multiple public addresses
mercutio: why separate vlans?
why not just run both pppoe sessions on the same vlan?
mnathani_: as there is one cable between the mikrotik and the catalyst 3750
and the mikrotik already has its pppoe session
and is performing NAT
mercutio: why not route the inbound cable into a switch port
have it on a vlan
and have two more ports on the switch to terminate pppoe sessions.
on lots of routers you can do ppp relay, but i don't think routeros does that
mnathani_: will pcs behind the catalyst be able to connect via pppoe session as well
mercutio: any that are in the vlan group
you can probably get by with running untagged.
but tagging keeps things nice and separate.
http://forum.mikrotik.com/viewtopic.php?f=1&t=6634
so yeah people want pppoe relay
mnathani_: my google foo landed me on the same page :-)
mercutio: oh that's from 2006
anyway what i'd do is just plug your incoming internet connection into the switch on say vlan 900
then have routerboard plug into a switch port on vlan 900
then any pc's you want with their own pppoe session you allow vlan 900 as well as their normal lan vlan
if you don't tag you're more likely to pollute random arps out the internet connection, i dunno if you mind that or not.
as well as broadcast traffic
depending on where the bridge/segment finishes, it may go to internet or just an upstream modem.
if it's an upstream modem that just feeds you pppoe i wouldn't worry, but if they're bridging again onto the wider network you probably want to avoid that.
mnathani_: only issue with that is - the internet modem and mikrotik device are like 1 foot apart, the switch however is in the next room and only one cable exists between the rooms
mercutio: here cable is a big huge bridged annoyance.
oh.
you could just use a 5 port switch
mnathani_: so that's why I was hoping to run multiple vlans on that cable
mercutio: actually there's an even more complicated idea.
the routerboard is one with a switch?
mnathani_: it is
mercutio: you can run the internet into the switch.
then run ethernet from the switch ports
then plug the switch port on the routerboard into the wan port as well.
i dunno if that's getting too convoluted for you :)
mnathani_: could probably just bridge it in software
mercutio: it's better to be switched than bridged.
mnathani_: complicated and convoluted I like - allows for greater learning
mercutio: especially on lower end routerboards.
ccr's don't have switches though.
and lots of the routerboards have funky switch arrangements, so they'll have two different switches for two different groups of ports.
mnathani_: so actually run a cable between the routed port and the 'switch port'
and internet into another switch port
mercutio: the wan port and switch port.
so yeah say ports 5 to 8 are just cut off and used as a switch
that goes nowhere.
well doesn't go into routeros at all
mnathani_: they designate port 1 to wan
by default
mercutio: what model is it?
that is likely to be a different switch
you're still stuck with cpu forwarding to the second switch, to go out for the normal traffic.
but you're cpu forwarding atm anyway.
well i imagine you are cos you're using nat.
mnathani_: Mikrotik RouterBOARD RB2011UiAS-2HnD-IN
mercutio: oh fancy
that should be good for 100 megabit+ pppoe
so yeah wouldn't worry too much about cpu
mnathani_: do I still need to worry about VLANs?
mercutio: Atheros8327 (ether1-ether5+sfp1); Atheros8227 (ether6-ether10)
well you're plugging into a vdsl modem aren't you?
mnathani_: yes
that does NAT also
mercutio: you should be able to get away without
because bridge domain means it shouldn't pass afaik.
mnathani_: however allows pppoe passthrough
mercutio: yeah so traffic won't leak onto the internet.
is it pppoe relay or are you bridging the ptm interface and the ethernet interface?
mnathani_: all I do is dial pppoe from one of the modems switch ports
and it connects and gives me a public ip
mercutio: a lot of the broadcom modems actually let you do quite advanced stuff.
yeah but uhh
hangon
mnathani_: I could just run a second cable
between one of the modem ports to a switch port on the mikrotik
mercutio: Bridge PPPoE Frames Between WAN and Local Ports
my router has under wan service that
but there's also a way to just do bridging before that level
under wan service you can do ppp over ethernet, ip over ethernet, or bridging
when adding a connection.
both ways work.
fwiw, it's basically the same on my adsl and vdsl modems, even though they're from different vendors. but they're both broadcom.
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Example_-_802.1Q_Trunking_with_Atheros_switch_chip_in_RouterOS_v6
looks like you can play with vlans too
mnathani_: where do you see the bridge pppoe between WAN and local Ports?
mercutio: is your modem broadcom?
it's under advanced setup -> wan -> edit
mnathani_: don't think they allow options like that
the vendor has it pretty locked down
mercutio: what modem is it?
there is one vendor here that uses broadcom and locks it down but you can bypass it
mnathani_: home hub 2000
mercutio: but all the commands are all completely different
i think that's vr9
home hub 1000 is broadcom
and home hub 2000 is meant to be the same as Sagemcom F@st5250
mnathani_: do I need to worry about routing loops if I connect a second ethernet between one of the Internet Modem ports and say Ether3
mercutio: yeah it's broadcom
mnathani_: or perhaps a broadcast storm
mercutio: depends on the switching domain.
or broadcast domain or whatever
wan port is usually in a different domain
mnathani_: ether 1 and ether 3 are in different domains
RandalSchwartz: either one :)
mnathani_: except they both connect to a device with 2 ports in the same domain
mercutio: apparently that pppoe bridge is limited to 35 megabit
i'm still struggling to find good information
can you get a shell on it?
RandalSchwartz: can you put a ring on it?
mercutio: oh i think that's the older sagemcom
hmm ok
maybe the /simplest/ solution
mnathani_: don't think I can get a shell
mercutio: is as you said to plug a second cable from the modem to the routerboard.
then have vlan for it, and have the vlan go to the switch but not into routeros.
mnathani_: will it work if I leave it in the same vlan / untagged even?
mercutio: probably.
so yeah just plug lan to lan
and then everything should magically work?
mnathani_: can't wait to try it
mercutio: but i dunno if routeros will get confused by pppoe coming in more than one place.
it shouldn't actually.
mnathani_: other residents in the home are using the net so I will wait a while
mercutio: heh
that reminds me i have stuff to do today while people aren't around.
there's a conference that i was thinking of going to, but it was too expensive in the end. watching video feed instead :)
but the next talk is meant to be about peering.
mnathani_: which conference?
mercutio: nznog
http://www.nznog.org/home/video_full
there's two new internet peering exchanges suddenly in this city
so it went from like 1 to 3
mnathani_: that's good
mercutio: i dunno how good it is.
mnathani_: do they interconnect with each other?
mercutio: the existing peering exchange was more stable than coresite.
nope.
arp isn't on equinix, which is the other major one in los angeles.
are people meant to go on all 3?
and los angeles is a bigger hub than here.
mnathani_: probably just go on the one closest to their infrastructure?
mercutio: well it looks like things are moving towards multiple location points.
so nearest may still mean all 3 :)
it gives some redundancy
and may mean quicker 10gb adoption
but if you use two of them one for in and one for out, to someone, and one of them has a problem you can still have issues.
mnathani_: what city?
mercutio: auckland
population of about 1.4 million
but covers nz which is about 4.5 million i think
it's funny to see how most people have their laptops out while the talks are on.
mnathani_: 1:33pm, shouldn't the break be over?
mercutio: yeah
that's what i was thinking
it looks like more people in there now
i suppose people are slack getting back.
mnathani_: how many folks there do you know?
mercutio: a few.
it's also harder to recognise people by their backs :)
this music really sucks too.
video quality is surprisingly good though
audio quality more so
BryceBot: That's what she said!!
mercutio: for some reason i find most technical talks are downright hard to see/hear at all.
you have to select 720p manually.
and it'd still be nicer if they did 1080p+
mnathani_: mine was automatically 720p
mercutio: i wonder why mine wasn't
maybe it's going to the US
it's using something called livestream or something. i signed up for an account.
mnathani_: just switched to full screen
pretty cool
mercutio: yeah i'm using full screen
dual monitors ftw :)
mnathani_: 4k ftw
:-)
mercutio: haha
my irc is on 4k :)
4k is nice.
finally
mnathani_: how much does it cost to attend in person? and can anyone attend or do you have to be a network operator
mercutio: $250+accommodation+transport.
anyone can attend.
mhoran: Oh goodness. I used to work at Livestream.
mercutio: it's about a 4 hour drive from here.
there's also lots of free alcohol.
i wonder if arp is on peeringdb.
mnathani_: can
it is
mercutio: yeah they are
mnathani_: pretty sure I have seen it on there before
mercutio: http://www.peeringdb.com/view.php?asn=25795
mnathani_: hard to read the slides though
mercutio: yeah it's there
yeah their projector sucks
it looks like it's interlaced too.
mnathani_: the email address is like scrolling colours
mercutio: most people use the routing servers in nz.
as well as the list for the exchange
he has got a good point
windows hah
and an ie icon even
short password :)
mnathani_: have you ever looked at the sql for peeringdb?
mercutio: nope
i didn't even know there was any
mnathani_: http://www.peeringdb.com/dbexport/peeringdb.sql
mercutio: i found out about it through that talk :)
did you know about it?
mnathani_: did not
mercutio: APE is the normal exchange in auckland.
11 hah
they charge per megabit to other cities
he's hopeful
no-one liked my question :)
mnathani_: "can't do a netflix-comcast to us"
lol
mercutio: yeah
the biggest provider here doesn't peer.
mnathani_: what's the benefit of a bilat vs route-server peering?
mercutio: bilat means you can easily turn it off when there's an issue
it means you make an individual connection to them, and create a bgp session
which can give more control over routing policy easier.
but means you have to create bgp sessions with extra participants.
it's usually pretty simple to setup bilat, but you don't generally do it with everyone.
like cloudflare was saying how they don't advertise anycast without bi-lat. they were pretty easy to do bi-lat with.
mnathani_: even amazon
bi-lat only
mercutio: amazon are also only in australia
who was that one?
mnathani_: what's the deal with megaport, is that like a special kind of transit
mercutio: oh sitehost.
yeh.
kind of
intellipath is the special kind of transit
megaport is a new internet exchange with like 9 people on it
but more people getting onto it.
cloudflare peering was actually noticeable for web page performance
that's an interesting idea
the other thing about bi-lat is making sure you have contact details.
mnathani_: what did you think of it?
mnathani_: interesting
thanks for sharing
it's a whole other world out there
for folks used to canada / us networks
RandalSchwartz: cuba - all satellite
would be cable, but the nearest landfall is the US. oops.
in the other direction, 7000ft trench
brycec: @last up_the_irons
BryceBot: brycec, I last saw up_the_irons 6 days 23 hours 33 min 8 sec ago saying in a channel: now they call it CoreSite.
brycec: Wow, up_the_irons isn't usually this quiet
up_the_irons: no way
6 days?
almost 7 days
brycec: Speak of the friggin devil
mercutio: wow
mnathani_: brycec: almost like you summoned him
mercutio: mnathani_: peering may actually improve in the US if independent fiber providers take off
while it's comcast/verizon/etc it doesn't really encourage it.
brycec: up_the_irons: Please do me a favour and see if you received the e-mail I sent yesterday? Never got an autoresponse from it. (And now the matter is becoming more urgent, so I sent a second email from an address I know works, and does receive the autoresponse)
mercutio: i don't know what canada is like.
brycec: (Pretty, pretty please)
up_the_irons: brycec: what was the email about?
brycec: VPS upgrade
up_the_irons: my queue is mostly empty now
brycec: "mostly"
I really have no idea where the email disappeared to, and the Exchange admin is currently unable to help out
up_the_irons: i see it in the web-based queue, but haven't got it in email yet
brycec: (but I checked and double-checked the To: address -- referring to the email I sent yesterday)
Yeah today's email was *just* sent, seconds before you appeared
Feel free to PM
up_the_irons: i see it in my email now
brycec: Thanks up_the_irons. Btw, do you know if your email/ticket system "replies all" (to addresses that were cc'd originally)?
(And sorry to be a pest. I know you have many other customers :) )
up_the_irons: honestly i have no idea; never tested it and nobody else ever asked ;)
brycec: heh
I'm going to assume either "no" or that something is jinky in email between arp and my work mailbox
mercutio: brycec: you are talking about exchange
brycec: It's worked for every other mail I've sent (not that it's saying much... but seems to work for everyone else at the company, including others that have emailed ARP)
mercutio: ok that's weird
mnathani_: mercutio: we have success. I connected the second cable to the mikrotik, and a VM just connected using pppoe
mercutio: sweet mnathani_
well that's the simplest possible.
so it's bridging to all the ports.
this should also mean you can access your modem easier.
mnathani_: wonder if layer2 loops would be a problem
mercutio: shouldn't be a loop
mnathani_: how would I even detect such a thing
mercutio: as wan port on rb is different domain
by all of your lights blinking madly.
high pings etc. it's quite obvious normally
and in small networks it's pretty easy to notice/fix.
the problem happens in larger networks, when someone has no idea they've done it.
now they're telling APNIC users they should take addresses from ARIN :)
oh wow ARIN haven't been holding back ip addresses enough, so they've been plummeting quick.
mnathani_: are there any commands to run on the mikrotik to detect broadcast storms / loops
perhaps look at cpu usage?
mercutio: you could just look at cpu
i have no idea about stp or anything on routeros
brycec: (or notice when connectivity breaks down...)
tcpdump on any machine would help too, just a flood of traffic
(but as for on the device itself, no clue... my routing and firewalls run *BSD)
mnathani_: what's hardware offloading?
in terms of a networking gateway as mentioned on the talk?
***: toddf has quit IRC (Ping timeout: 265 seconds)
toddf has joined #arpnetworks
ChanServ sets mode: +o toddf
jpalmer has quit IRC (Quit: WeeChat 0.4.2)
mercutio: hardware offloading is when you move some of the smarts of network traffic to the network card or switch
most routers are doing it on the switch atm
it uses proprietary drivers.
mnathani_: stuff like packet encapsulation?
mercutio: yeh the switch can do that
most of the atheros switches support it
like used on your router.
routeros support for that stuff is weak afaik
and your router is more powerful than normal cpe's.
i was watching that talk too
but i got called away, and missed some :(
BryceBot: That's what she said!!
mercutio: the main improvement in cpe's recently has been about power usage.
***: SpaceDump has quit IRC (Ping timeout: 264 seconds)
SpaceDump has joined #arpnetworks
mercutio: mnathani_: there's a talk tomorrow on bufferbloat, that sounds like it may be more interesting than most, as they're trying to go a bit more technical it seems.
mnathani_: mercutio: one thing I didn't think of earlier, DHCP is enabled on the modem and the mikrotik
connecting the 2 could have clients on the mikrotik side get an IP from the Internet Modem?