IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#dev
/2021/12/27
~R4SAS
~acetone
~orignal
~villain
&N00B
+relaybot
AreEnn
DUHOVKIN_
Guest7184
Komap-
Most2
Nausicaa
Nikat
Ruskoye_911
Vort
Xeha
anon3
b3t4f4c3
fidoid
nemiga
not_bob_afk
onon
plap
poriori
profetikla
qend
segfault
soos
teeth
tetrimer_
uis
un
unlike
user
weko
whothefuckami
R4SAS я думаю удастся протолкнуть 2.40.0 в wrt
R4SAS и попробую сразу бекпорты на 19.07 и 21.02
orignal ага
orignal хорошо бы
orignal жалуются что много изменений за раз ))
R4SAS ага, я же переписывал почти полностью
exokientic still working on compiling i2pd from source with the proper debugging flag enabled to I can share my core dump the next time i2pd.service fails...
exokientic but I have a seperate question...
exokientic While I have been researching, magically, my i2pd router has passed the 12-14hr windows where it has been failing recently...
exokientic currently at 20hrs and 40mins uptime
exokientic systemctl status says its used 10hrs of CPU time
exokientic on my web console page;
exokientic Network Status: Error - Symmetric NAT
exokientic what does that mean?
exokientic Is that like 'double NAT' like when you have one router behind another router without bridging one of the routers?
exokientic I wonder why that would happen 'randomly'
exokientic I haven't changed anything in my network environment that would cause double NAT
exokientic And i2pd has been running for weeks in my network environment without throwing that error...?
orignal symmertic NAT menas you are in troubles
orignal your must trrow your router
exokientic like, out the window?
orignal and buy new one
exokientic like, a different model of router?
R4SAS also it can be that you ISP make such stuff
R4SAS Symmetric NAT means that your internal port is masquaraded as other on external gateway which is on ISP side
R4SAS example: you see your address in webconsole as 1.2.3.4:34567, hole-punch used to bypass NAT, but your ISP uses other than 34567 as external port to internet
R4SAS like 1.2.3.4:63244
R4SAS that causes Symmetric NAT error
exokientic doing a little reading...
exokientic and it looks like RouterOS (the operating system running on MikroTik routers...)
exokientic runs all NAT through masquerade using a service called SNAT
exokientic (Symetric)NAT
exokientic Blinded message
R4SAS SNAT is Source NAT ьфниу
R4SAS mabe*
exokientic I am looking into right now
R4SAS also here is DNAT - destination nat
exokientic But, it looks like it might not be possible to configure the mikrotiks RouterOS to use "full cone NAT"
exokientic This is what I think I am undertanding so far...
R4SAS can be
exokientic My router IS listenin properly through the NAT on the port I selected for i2pd
R4SAS so here 2 places where such thing can happen
exokientic but when my router sends that trafffic back "out" again it 'masquerades' it to a different port...?
R4SAS you can try connect your PC directly to ISP and try that way
R4SAS to make sure
R4SAS it masquarades it original port
exokientic Well, I think this could explains my i2pd service failing now after a period of time
R4SAS 34567 -> router -> 63244 -> inet -> Bob
R4SAS Bob -> inet -> 63244 -> router -> 34567
exokientic I just switched from an old ASUS router to this new mikrotik
exokientic I am willing to bet my old ASUS router was performing full cone NAT
exokientic THE GOOD NEWS IS:
exokientic My new MikroTik router fully is fully supported in OpenWRT
R4SAS are MT uses Atheros?
exokientic So, if I cant make RouterOS work right, I am not married to it yet, I -just- started learning it
exokientic hmmm, good question!
exokientic let me checkk
exokientic my ASUS used all broadcom
exokientic my mikrotik (rb750gr3) uses: MediaTek MT7621A
R4SAS same as mine
R4SAS but I use other thing, not MT
exokientic small world ;)
exokientic you run a mikrotik?
exokientic do you use the operating system that came with the router?
R4SAS no, really no
exokientic I am -seriously- considering just ditching routerOS right now and flashing OpenWRT on this thing
exokientic I flashed OpenWRT on my ASUS last night and I -love- it
R4SAS i flashed router after 30 minutes after unboxing )))
exokientic hahahahaha
R4SAS to 19.07.6 at start
exokientic if you dont mind my asking, whats your preferred router OS
R4SAS now 21.02.1
exokientic WRT then
R4SAS there Xiaomi Mi Router 4A Gigabit Edition
exokientic yeah I just flashed by ASUS with 21.02.1
exokientic As it will no longer be a router...
R4SAS it still can de as AP in lan
R4SAS can be*
exokientic I turned off dnsmasq, turned off the firewall, and bridged all the ports together
exokientic reconfigured the WAN interface to be a clone of the LAN interface settings
exokientic and put it on the same vlan
R4SAS hehe, classic
exokientic boom, 5 port unmanaged switch
exokientic it was so easy to configure and worked so well I instantly fell in love with the interface
exokientic i like the conbination of web console and command line
R4SAS how much ram in your asus?
exokientic it works very well together
exokientic the asus has 256mb, but OpenWRT 'highmem' isnt supported on my model so OpenWRT can only use 128 ):
exokientic asus rt-n66u
exokientic Yaaaaa, I am going to give RouterOS the 'college try'
R4SAS hm, on wrt wiki I see that 5GHz didnt supported
exokientic If I cant make 'full cone NAT' work this thing is getting OpenWRT
exokientic you are correct!
R4SAS pretty shit, that broadcom
exokientic thankfully I just purches a few used Ruckus R600 enterprise grade access points
exokientic I am -over- the all in one router/switch/AP combo units
exokientic And I am kind of over consumer grade networking gear
exokientic livin that gigabit life baby
R4SAS you can run i2pd on asus btw
exokientic I actually JUST figured tha out last night!
exokientic i2pd has a package for openWRT
exokientic that really 'sealed the deal'
exokientic its funny, I moved out to the literal national forest
exokientic and the community I moved into just happens to have verizon FiOS fiber to the house
R4SAS it has, but old one
R4SAS I'm building package myself for now
exokientic Now, my russian is a little rusty...
exokientic But did I see chatter just a few minutes ago about pushing a newer i2pd version to the OpenWRT repo?
R4SAS I'll try push backport to 21.02.1 to make sure current fw version will be able to use latest package
exokientic pretty cool stuff
exokientic awesome!
exokientic You know, I only discovered "i2p" about a month ago
exokientic And I have been impressed multiple times over by the 'community' around this project
orignal exokientic we are running i2pd on openwrt
orignal even floodfiils
exokientic Well, your going to have another openwrt i2pd node to add to the list pretty damn soon here
exokientic as an interesting note;
exokientic My Network Status now says "Firewalled"
orignal firewalled is fine
exokientic interestingly, when I go to my mikrotik routers web console...
exokientic I can look at my firewall rules and see the traffic being processed in real-time by each rule...
exokientic there is no longer any traffic going across my tcp/udp port forward
exokientic i2pd web console shows ~9 Kbps going through transit atm
exokientic I have gotten that as high as 1-3Mbps
exokientic This seems unsuprising given that i2pd thinks its behind a firewall
exokientic I have a feeling things go like this;
exokientic I start the i2pd router and everything seems fine
exokientic at some point down the line my new mikrotik masquerades the port to something i2pd doesnt like
exokientic Error - Symmetric NAT
exokientic when this situation doesnt 'fix itself' after some period of time
exokientic It goes to firewalled
exokientic and presumably will sit there until it gets unhappy enough to crash the i2pd.service
R4SAS peer test can be runned to check it
R4SAS 24MB after 5 hours on wrt
orignal отлично
orignal я кстати придумал что надо сделать
orignal надо из RI выкинуть m_Properties
orignal потому что оно нужно только для своего
exokientic well then, lets run a peer test...
exokientic Success: Command Accepted
exokientic for shits and giggles...
exokientic I am going to reboot my mikrotik router and let i2pd stay running
exokientic its just sitting in a firewalled state with barely any throughput right now
exokientic I wonder what a frehs reboot state will do to things...
exokientic for reference beforeI do so...
exokientic being firewalled has not effected my number of client tunnels at all, currently at ~500 client tunnels
exokientic it knocked down my transit tunnels from 500-600, down to ~15
exokientic and number of visible routers on the network has gone from ~5000 down to ~2200
exokientic floodfills has only dropped from ~1600 down to ~1500
exokientic bah humbug
exokientic after mikrotik reboot, i2pd still shows firewalled
orignal firewalled is fine
exokientic I mean, I am still 'connected' to the network (clearly, my texts are getting through)
exokientic but doesn't the firewalled state effect the "performance" of my i2pd router?
exokientic okay.... I "may" have fixed it
exokientic the firewall rules operate under an "order of priority"
exokientic there is a single list, and traffic starts at the top of the list and moves down through the rules
exokientic so, in my firewall rules, under NAT, by defualt there is the srcnat (source-nat) "masquerade" applied to the 'WAN -out' interface
exokientic I had my tcp/udp dst-nat's sitting "under" this rule
exokientic I "simply" moved the masquerade ruled down the list, UNDER my i2pd dst-nat (port forward) rules
exokientic after a few refreshed the i2pd web console page now says Network Status: OK
exokientic transit tunnels and visible routers are slowly going up
exokientic and I can see traffic moving across my port forward rule again
exokientic all 4Kbps of it, but at least its not a dead line
exokientic ohhh 8Kbps
exokientic nice, things are building
exokientic I am thinking I will let thing runs for a few days in an attempt to verify things are actually stable now
exokientic THANK YOU to everyone here for your help!
exokientic at the risk of beating a dead horse, I would like to go over different types of NAT and how they would interact with an i2pd router;
exokientic lets start with the "most open" type of NAT and work back to the "most restrictive" type of NAT
exokientic "Full cone: A full-cone NAT establishes an external UDP port when sending an outbound packet and will forward traffic sent to that port from any IP address and any port back to the originating port on the internal system."
exokientic It seems like THAT is what i2pd needs
exokientic any IP address and any port gets to send traffic "back" to my i2pd port
exokientic Given that i2pd tunnels are uni-directional...
exokientic This seems like it would be a requirement
exokientic essentially, EVERY SINGLE outbound packet, if it gets a response, the response will come back from a DIFFERENT IP address and port than it left from
exokientic So it seems like Full cone NAT is required for i2pd to function optimally
exokientic next on the list...
exokientic "Restricted cone: This type of NAT maintains some level of state and requires that replies come from the same IP address as the initial request was sent to."
exokientic This already looks like its going to cause a problem
exokientic If the reply to an outbound packet comes back from a different IP than the outbound packet was sent to, the 'restricted cone' NAT is going to reject it
exokientic Bob can say something to sally
exokientic But Bob wont hear the reply
exokientic next on the list...
exokientic "Port-restricted cone: Replies must come from the same IP address and port as the request."
exokientic Obviously, even worse than before;
exokientic given the concept of routing through the i2pd network in general, this should essentially never happen; 2-way communication over the same IP address and port?
exokientic and lastly...
exokientic "Symmetric: In addition to the requirements for a port-restricted code NAT, the symmetric NAT will create a new mapping of internal IP address and port to external IP address and port for traffic sent to every individual external host."
exokientic Blinded message
exokientic well that sounds like a non-starter
exokientic so, question:
exokientic I have created dst-nat (destination nat) rules, that are "allowing" packets from -any- source that attempt to access the port number I have selected for i2pd (TCP/UDP)
exokientic these rules are applied to the WAN port, and are configured to direct those packets to the IP address of the 'computer' that is running i2pd
exokientic so, that is "inbound" ...
exokientic what about the "outbound" ...?
exokientic my mikrotik has one 'src-nat' rules (source nat)
exokientic the "masquerade" rule
exokientic Specifically; should I also create some src-nat rules for i2pd traffic the will go BEFORE this masquerade?
exokientic Because, as I see it right now; i2pd traffic is coming "in" just fine through the port I have selected for it...
exokientic But, -everything- that leaves my router is going through that src-nat masquerade rule
exokientic unless I create a new src-nat rule that i2pd traffic can hit before the masquerade
exokientic or, unless I kill the src-nat masquerade rule altogether...
exokientic as I understand it; I could change the src-nat rule from the "masquerade" type, to the standard "src-nat" type
exokientic and then give it a static "To Address" that is my ISP provided WAN IP
exokientic but if I set that statically, anytime my ISP updates that IP I will have to manually re-configure...
exokientic hmmmmmm
orignal firewalled affects amount of transit only
exokientic bahhhhh
exokientic wake up this moring, 1 day 12 hours of uptime
exokientic but its back to being 'firewalled' again, and traffic flow has slowed to a crawl
exokientic quite odd that it will bounce between the "OK" state and the "Firewalled" state when I am not actively changing anything on my side
orignal it's possible
orignal most likely your UDP is not stable
exokientic back ;)
exokientic UDP unstable....?
orignal you lose too many UDP packets
exokientic doing some testing with nmap
exokientic and when I try to ping UDP on my i2pd open port from the internet I get this result:
exokientic Open | filtered
exokientic nmap says this means:
exokientic "No response received (even after retransmissions)"
exokientic well then, clearly that represents a problem!
exokientic hmmm, might just be a "feature" of how nmap deals with udp scanning
exokientic nmap sends empty packets to the desired IP/ port number over the UDP protocol
exokientic most commonly, the empty packets get passed to the listening service (i2pd) and the service doesnt know what to do with the empty packets, so it just drops them
exokientic as the packets are getting dropped and not returned, nmap cant tell if the port is firewalled or open
exokientic its not exactly suprising that i2pd doesnt "respond" to empty packets coming in over UDP...
evil алоха может ли мой инстанс xmpp.me.i2p общаться с xmpp.ilita.i2p? а то у меня чёта не получается
orignal это к Словесник-Былинник
evil Словесник-Былинник может ли мой инстанс xmpp.me.i2p общаться с xmpp.ilita.i2p?
evil orignal кст поч reg.i2p опять лежит
orignal счас R4SAS появится спросим
R4SAS orignal: опять туннельные пидоры
R4SAS вероятнее всего
R4SAS orignal: алярм
R4SAS придется рестартить
orignal что там случилось?
orignal последний код возьми
R4SAS опубликовало на говно видимо
R4SAS уже взял
Словесник-Былинник evil : общаться хмпп как федеративная штука может, однако пока все тесты ноды не будут завершены ( для бенефита клиентских приложений), смысла федерации нет. Будет федерироваться в конце января когда все отладим.
R4SAS а надо ли
R4SAS ыот в
evil Словесник-Былинник кстати аналогичный вопрос с почтой, мой инстанс может федерироваться с mail.i2p?
R4SAS вот в чем вопрос*
R4SAS а при чем здесь мыло?
Словесник-Былинник evil: я не понял вопроса .. почта то отдельная херня, к пубсуб отношения не имеет.
evil R4SAS при том, могу ли я со своего селф-мыла в i2p отправлять на mail.i2p
evil ловесник-Былинник предыдущий вопрос больше к тебе относится
evil бл
evil Cловесник-Былинник
evil ахахаха
Словесник-Былинник evil: если ты о своем собственном "федеративном" мыло сервере .. то это было сделано давно ( проверялось в работе, но не пошло в массы )... ПСИХ это сделал и есть исходники на го
evil Словесник-Былинник а на постфиксе низя?(
Словесник-Былинник попробуй, будет интересно ... но имей ввиду то постфик проверят днс :) ... продется конфигать по тоннелям, а ститические тоннели эти не федерация уже, а псевдо федерация.. согласен ?
evil Словесник-Былинник ну я уже пробовал поэтому и пишу, про тоннели если скажешь как то попробую
Словесник-Былинник evil: я "игрался" с этим > года назад... потому помощь от меня будет минимальная ( забыл все и потерял). Мыло считаю повторением Хмпп .. Все мыльные опции есть в хмпп и более.
evil Словесник-Былинник ок, напишу тогда когда сформулирую
Словесник-Былинник в 2х словх так будет:
Словесник-Былинник плерома, к примеру. не знает если появился новый плерома инстанс на и2п, но если юзер дает адрес типа узер@новыйинстансе ... Плерома с ним федерируется БЕЗ изменения конфигов или тоннелей ... динамически !!!
Словесник-Былинник В случае Постфих, все инстансы Маил серверов должны знать о друг друге и создать тоннели ( работа администртатора ) .. динамики там нет ... тоннели вручную ... Ясно о чем я ?
evil ловесник-Былинник да
Словесник-Былинник Вот Псих пытался модуиль САМ написать который эти тоннели будет строить динамически ... ни вот вся картина