R4SAS
I think we'll manage to push 2.40.0 into wrt
R4SAS
and I'll try backports to 19.07 and 21.02 right away
orignal
yeah
orignal
that would be good
orignal
they complain there are too many changes at once ))
R4SAS
yeah, well, I rewrote it almost completely
exokientic
still working on compiling i2pd from source with the proper debugging flag enabled so I can share my core dump the next time i2pd.service fails...
exokientic
but I have a separate question...
exokientic
While I have been researching, magically, my i2pd router has passed the 12-14hr windows where it has been failing recently...
exokientic
currently at 20hrs and 40mins uptime
exokientic
systemctl status says it's used 10hrs of CPU time
exokientic
-but-
exokientic
on my web console page;
exokientic
I see:
exokientic
Network Status: Error - Symmetric NAT
exokientic
what does that mean?
exokientic
Is that like 'double NAT' like when you have one router behind another router without bridging one of the routers?
exokientic
I wonder why that would happen 'randomly'
exokientic
I haven't changed anything in my network environment that would cause double NAT
exokientic
And i2pd has been running for weeks in my network environment without throwing that error...?
orignal
symmetric NAT means you are in trouble
orignal
you must throw your router
exokientic
:D
exokientic
like, out the window?
orignal
yes
orignal
and buy new one
exokientic
like, a different model of router?
R4SAS
also it can be that your ISP makes such stuff
R4SAS
Symmetric NAT means that your internal port is masqueraded as another on the external gateway which is on the ISP side
R4SAS
example: you see your address in webconsole as 1.2.3.4:34567, hole-punch used to bypass NAT, but your ISP uses other than 34567 as external port to internet
R4SAS
like 1.2.3.4:63244
R4SAS
that causes Symmetric NAT error
exokientic
doing a little reading...
exokientic
and it looks like RouterOS (the operating system running on MikroTik routers...)
exokientic
runs all NAT through masquerade using a service called SNAT
exokientic
(Symmetric) NAT
R4SAS
SNAT is Source NAT ьфниу
R4SAS
mabe*
exokientic
ahaha
exokientic
ah ha
exokientic
I am looking into it right now
R4SAS
also there is DNAT - destination nat
exokientic
But, it looks like it might not be possible to configure the mikrotiks RouterOS to use "full cone NAT"
exokientic
This is what I think I am understanding so far...
R4SAS
can be
exokientic
My router IS listening properly through the NAT on the port I selected for i2pd
R4SAS
so here are 2 places where such a thing can happen
exokientic
but when my router sends that traffic back "out" again it 'masquerades' it to a different port...?
R4SAS
you can try connecting your PC directly to the ISP and try that way
R4SAS
to make sure
R4SAS
it masquerades its original port
exokientic
Well, I think this could explain my i2pd service failing now after a period of time
R4SAS
34567 -> router -> 63244 -> inet -> Bob
R4SAS
Bob -> inet -> 63244 -> router -> 34567
exokientic
I just switched from an old ASUS router to this new mikrotik
exokientic
I am willing to bet my old ASUS router was performing full cone NAT
exokientic
THE GOOD NEWS IS:
exokientic
My new MikroTik router fully is fully supported in OpenWRT
R4SAS
does MT use Atheros?
exokientic
So, if I can't make RouterOS work right, I am not married to it yet, I -just- started learning it
exokientic
hmmm, good question!
exokientic
let me check
exokientic
my ASUS used all broadcom
exokientic
my mikrotik (rb750gr3) uses: MediaTek MT7621A
R4SAS
ha
R4SAS
same as mine
R4SAS
but I use other thing, not MT
exokientic
small world ;)
exokientic
you run a mikrotik?
exokientic
gotcha
exokientic
do you use the operating system that came with the router?
R4SAS
no, really no
exokientic
I am -seriously- considering just ditching routerOS right now and flashing OpenWRT on this thing
exokientic
I flashed OpenWRT on my ASUS last night and I -love- it
R4SAS
I flashed the router 30 minutes after unboxing )))
exokientic
hahahahaha
R4SAS
to 19.07.6 at start
exokientic
if you don't mind my asking, what's your preferred router OS
R4SAS
now 21.02.1
exokientic
okay
exokientic
WRT then
R4SAS
yup
R4SAS
there it's a Xiaomi Mi Router 4A Gigabit Edition
exokientic
yeah I just flashed my ASUS with 21.02.1
exokientic
As it will no longer be a router...
R4SAS
it still can de as AP in lan
R4SAS
can be*
exokientic
I turned off dnsmasq, turned off the firewall, and bridged all the ports together
exokientic
reconfigured the WAN interface to be a clone of the LAN interface settings
exokientic
and put it on the same vlan
R4SAS
hehe, classic
exokientic
boom, 5 port unmanaged switch
exokientic
it was so easy to configure and worked so well I instantly fell in love with the interface
exokientic
I like the combination of web console and command line
R4SAS
how much ram in your asus?
exokientic
it works very well together
exokientic
the asus has 256mb, but OpenWRT 'highmem' isn't supported on my model so OpenWRT can only use 128 ):
exokientic
asus rt-n66u
exokientic
Yaaaaa, I am going to give RouterOS the 'college try'
R4SAS
hm, on the wrt wiki I see that 5GHz isn't supported
exokientic
If I can't make 'full cone NAT' work this thing is getting OpenWRT
exokientic
you are correct!
R4SAS
pretty shit, that broadcom
exokientic
thankfully I just purchased a few used Ruckus R600 enterprise grade access points
exokientic
I am -over- the all in one router/switch/AP combo units
exokientic
And I am kind of over consumer grade networking gear
exokientic
livin that gigabit life baby
R4SAS
you can run i2pd on asus btw
exokientic
I actually JUST figured that out last night!
exokientic
i2pd has a package for openWRT
exokientic
that really 'sealed the deal'
exokientic
it's funny, I moved out to the literal national forest
exokientic
and the community I moved into just happens to have verizon FiOS fiber to the house
R4SAS
it has, but old one
R4SAS
I'm building the package myself for now
exokientic
Now, my russian is a little rusty...
exokientic
But did I see chatter just a few minutes ago about pushing a newer i2pd version to the OpenWRT repo?
R4SAS
yup
exokientic
:D
R4SAS
I'll try to push a backport to 21.02.1 to make sure the current fw version will be able to use the latest package
exokientic
pretty cool stuff
exokientic
awesome!
exokientic
You know, I only discovered "i2p" about a month ago
exokientic
And I have been impressed multiple times over by the 'community' around this project
orignal
exokientic we are running i2pd on openwrt
orignal
even floodfills
exokientic
Well, you're going to have another openwrt i2pd node to add to the list pretty damn soon here
exokientic
as an interesting note;
exokientic
My Network Status now says "Firewalled"
orignal
firewalled is fine
exokientic
interestingly, when I go to my mikrotik routers web console...
exokientic
I can look at my firewall rules and see the traffic being processed in real-time by each rule...
exokientic
there is no longer any traffic going across my tcp/udp port forward
exokientic
i2pd web console shows ~9 Kbps going through transit atm
exokientic
I have gotten that as high as 1-3Mbps
exokientic
This seems unsurprising given that i2pd thinks it's behind a firewall
exokientic
I have a feeling things go like this;
exokientic
I start the i2pd router and everything seems fine
exokientic
at some point down the line my new mikrotik masquerades the port to something i2pd doesn't like
exokientic
Error - Symmetric NAT
exokientic
when this situation doesn't 'fix itself' after some period of time
exokientic
It goes to firewalled
exokientic
and presumably will sit there until it gets unhappy enough to crash the i2pd.service
R4SAS
a peer test can be run to check it
R4SAS
24MB after 5 hours on wrt
orignal
great
orignal
by the way, I figured out what needs to be done
orignal
m_Properties needs to be thrown out of RI
orignal
because it's only needed for our own
exokientic
well then, let's run a peer test...
exokientic
hmm
exokientic
Success: Command Accepted
exokientic
for shits and giggles...
exokientic
I am going to reboot my mikrotik router and let i2pd stay running
exokientic
it's just sitting in a firewalled state with barely any throughput right now
exokientic
I wonder what a fresh reboot state will do to things...
exokientic
for reference before I do so...
exokientic
being firewalled has not affected my number of client tunnels at all, currently at ~500 client tunnels
exokientic
it knocked down my transit tunnels from 500-600, down to ~15
exokientic
and number of visible routers on the network has gone from ~5000 down to ~2200
exokientic
floodfills has only dropped from ~1600 down to ~1500
exokientic
bah humbug
exokientic
after mikrotik reboot, i2pd still shows firewalled
orignal
firewalled is fine
exokientic
I mean, I am still 'connected' to the network (clearly, my texts are getting through)
exokientic
but doesn't the firewalled state affect the "performance" of my i2pd router?
exokientic
okay.... I "may" have fixed it
exokientic
the firewall rules operate under an "order of priority"
exokientic
there is a single list, and traffic starts at the top of the list and moves down through the rules
exokientic
so, in my firewall rules, under NAT, by default there is the srcnat (source-nat) "masquerade" applied to the 'WAN -out' interface
exokientic
I had my tcp/udp dst-nat's sitting "under" this rule
exokientic
I "simply" moved the masquerade rule down the list, UNDER my i2pd dst-nat (port forward) rules
exokientic
after a few refreshes the i2pd web console page now says Network Status: OK
exokientic
transit tunnels and visible routers are slowly going up
exokientic
and I can see traffic moving across my port forward rule again
exokientic
:D
exokientic
all 4Kbps of it, but at least it's not a dead line
exokientic
ohhh 8Kbps
exokientic
nice, things are building
exokientic
I am thinking I will let things run for a few days in an attempt to verify things are actually stable now
exokientic
THANK YOU to everyone here for your help!
exokientic
okay
exokientic
at the risk of beating a dead horse, I would like to go over different types of NAT and how they would interact with an i2pd router;
exokientic
let's start with the "most open" type of NAT and work back to the "most restrictive" type of NAT
exokientic
"Full cone: A full-cone NAT establishes an external UDP port when sending an outbound packet and will forward traffic sent to that port from any IP address and any port back to the originating port on the internal system."
exokientic
Okay
exokientic
It seems like THAT is what i2pd needs
exokientic
any IP address and any port gets to send traffic "back" to my i2pd port
exokientic
Given that i2pd tunnels are uni-directional...
exokientic
This seems like it would be a requirement
exokientic
essentially, EVERY SINGLE outbound packet, if it gets a response, the response will come back from a DIFFERENT IP address and port than it left from
exokientic
So it seems like Full cone NAT is required for i2pd to function optimally
exokientic
next on the list...
exokientic
"Restricted cone: This type of NAT maintains some level of state and requires that replies come from the same IP address as the initial request was sent to."
exokientic
This already looks like it's going to cause a problem
exokientic
If the reply to an outbound packet comes back from a different IP than the outbound packet was sent to, the 'restricted cone' NAT is going to reject it
exokientic
Bob can say something to Sally
exokientic
But Bob won't hear the reply
exokientic
next on the list...
exokientic
"Port-restricted cone: Replies must come from the same IP address and port as the request."
exokientic
Obviously, even worse than before;
exokientic
given the concept of routing through the i2pd network in general, this should essentially never happen; 2-way communication over the same IP address and port?
exokientic
and lastly...
exokientic
"Symmetric: In addition to the requirements for a port-restricted cone NAT, the symmetric NAT will create a new mapping of internal IP address and port to external IP address and port for traffic sent to every individual external host."
exokientic
well that sounds like a non-starter
exokientic
so, question:
exokientic
I have created dst-nat (destination nat) rules, that are "allowing" packets from -any- source that attempt to access the port number I have selected for i2pd (TCP/UDP)
exokientic
these rules are applied to the WAN port, and are configured to direct those packets to the IP address of the 'computer' that is running i2pd
exokientic
so, that is "inbound" ...
exokientic
what about the "outbound" ...?
exokientic
my mikrotik has one 'src-nat' rule (source nat)
exokientic
the "masquerade" rule
exokientic
Specifically; should I also create some src-nat rules for i2pd traffic that will go BEFORE this masquerade?
exokientic
Because, as I see it right now; i2pd traffic is coming "in" just fine through the port I have selected for it...
exokientic
But, -everything- that leaves my router is going through that src-nat masquerade rule
exokientic
unless I create a new src-nat rule that i2pd traffic can hit before the masquerade
exokientic
or, unless I kill the src-nat masquerade rule altogether...
exokientic
as I understand it; I could change the src-nat rule from the "masquerade" type, to the standard "src-nat" type
exokientic
and then give it a static "To Address" that is my ISP provided WAN IP
exokientic
but if I set that statically, anytime my ISP updates that IP I will have to manually re-configure...
exokientic
hmmmmmm
orignal
firewalled affects amount of transit only
exokientic
bahhhhh
exokientic
woke up this morning, 1 day 12 hours of uptime
exokientic
but it's back to being 'firewalled' again, and traffic flow has slowed to a crawl
exokientic
quite odd that it will bounce between the "OK" state and the "Firewalled" state when I am not actively changing anything on my side
orignal
it's possible
orignal
most likely your UDP is not stable
exokientic
back ;)
exokientic
UDP unstable....?
orignal
yes
exokientic
hmmm
orignal
you lose too many UDP packets
exokientic
okay
exokientic
doing some testing with nmap
exokientic
and when I try to ping UDP on my i2pd open port from the internet I get this result:
exokientic
Open | filtered
exokientic
nmap says this means:
exokientic
"No response received (even after retransmissions)"
exokientic
well then, clearly that represents a problem!
exokientic
hmmm, might just be a "feature" of how nmap deals with udp scanning
exokientic
nmap sends empty packets to the desired IP/ port number over the UDP protocol
exokientic
most commonly, the empty packets get passed to the listening service (i2pd) and the service doesn't know what to do with the empty packets, so it just drops them
exokientic
as the packets are getting dropped and not returned, nmap can't tell if the port is firewalled or open
exokientic
it's not exactly surprising that i2pd doesn't "respond" to empty packets coming in over UDP...
evil
aloha, can my instance xmpp.me.i2p talk to xmpp.ilita.i2p? because somehow I can't get it to work
orignal
that's a question for Словесник-Былинник
evil
Словесник-Былинник can my instance xmpp.me.i2p talk to xmpp.ilita.i2p?
evil
orignal btw why is reg.i2p down again
orignal
we'll ask R4SAS when he shows up
R4SAS
orignal: the tunnel bastards again
R4SAS
most likely
R4SAS
orignal: alarm
R4SAS
will have to restart
orignal
what happened there?
orignal
take the latest code
R4SAS
looks like it published garbage
R4SAS
already took it
Словесник-Былинник
evil: XMPP can talk as a federated thing, but until all node tests are finished (for the benefit of client applications), there's no point in federating. It'll federate at the end of January when we've debugged everything.
R4SAS
but is it needed
R4SAS
thats th
evil
Словесник-Былинник by the way, same question about mail, can my instance federate with mail.i2p?
R4SAS
that's the question*
R4SAS
and what does mail have to do with it?
Словесник-Былинник
evil: I didn't get the question .. mail is a separate thing, it has nothing to do with pubsub.
evil
R4SAS it matters because, can I send from my self-hosted mail in i2p to mail.i2p
evil
ловесник-Былинник the previous question is more for you
evil
ugh
evil
Cловесник-Былинник
Словесник-Былинник
I know ...
evil
ahahaha
Словесник-Былинник
evil: if you mean your own "federated" mail server .. that was done long ago (it was tested in operation, but never caught on)... ПСИХ did it and there are sources in Go
evil
Словесник-Былинник and can't it be done on postfix? :(
Словесник-Былинник
try it, it'll be interesting ... but keep in mind that postfix checks DNS :) ... you'll have to configure it over tunnels, and static tunnels aren't federation anymore, they're pseudo-federation.. agreed?
evil
Словесник-Былинник well I already tried, that's why I'm writing; about tunnels, if you tell me how, I'll try
Словесник-Былинник
evil: I "played" with this > a year ago... so help from me will be minimal (forgot everything and lost it). I consider mail a repeat of XMPP .. All mail features exist in XMPP and more.
evil
Словесник-Былинник ok, I'll write when I've formulated it
Словесник-Былинник
in a nutshell it's like this:
Словесник-Былинник
Pleroma, for example, doesn't know if a new Pleroma instance appeared on i2p, but if a user gives an address like user@newinstance ... Pleroma federates with it WITHOUT changing configs or tunnels ... dynamically !!!
Словесник-Былинник
In the case of Postfix, all mail server instances have to know about each other and create tunnels (administrator's work) .. there's nothing dynamic there ... tunnels by hand ... Clear what I mean?
evil
ловесник-Былинник yes
Словесник-Былинник
So Псих tried to write a SAM module himself that would build these tunnels dynamically ... and that's the whole picture