~AreEnn
~R4SAS
~acetone
~orignal
~villain
@onon
&N00B
+relaybot
DUHOVKIN_
Guest7184
Komap-
Most2
Nausicaa
Nikat
Ruskoye_911
Vort
Xeha
anon3
b3t4f4c3
fidoid
karamba_i2p
nemiga
not_bob_afk
plap
poriori
profetikla
qend
segfault
soos
teeth
tetrimer_
uis
un
unlike
user
weko
whothefuckami
orignal
R4SAS надо будет пересобрать
orignal
я там что то поломал
orignal
откатил
zzz
доброго времени суток
orignal
привет
orignal
are you really zzz?
zzz
да
orignal
we also speak english here
orignal
not a problem
zzz
had to fix i2ptunnel for it to work, ilita uses "IRCv3 message tags" which we didn't handle
orignal
I think we don't strip it out or what?
acetone
zzz: welcome to russian land
orignal
фand i2pd land ))
zzz
it's a negotiated parameter between the irc client and server. Hexchat supports it, so ilita sent it
zzz
but our irc filter didn't know how to parse it
orignal
should I change it in IRC tunnel code on in unrealirc settings?
orignal
*** afk ***
zzz
no, it's fine
zzz
nobody ever complained before
orignal
exactly
orignal
we have bunch of Java users here
caustic
Привет всем. Вопрос по использованию I2PD: Насколько критично НЕ ставить последнюю версию 2.40.0?
_mblw_
на много
_mblw_
caustic, а это так сложно,обновить или усьановить поверх
caustic
_mblw_ , скомпилировать*
R4SAS
orignal: эмм
R4SAS
хорошо
R4SAS
caustic: и в чем же проблема?
R4SAS
специфичная система?
caustic
оказалась в следующем: библиотеки libboost обновились. С libboost_*.so.1.77.0 на 1.78.0 цыферка поменялась. Наделал ссылок обратно на 1.77.0, роутер снова заработал, однако компилировать уже не даёт, ему очень хочется старый libboost походу
R4SAS
какая система то?
caustic
Linux Opensuse Tumbleweed
R4SAS
так для сусанина же вроде есть сборки
caustic
да, даже в офф репах, но там версия 2.38. Вот у меня и вопрос был: насколько критично не ставить последнюю версию
caustic
в явовском i2p там роутер прям автообновляется - надо видимо так, а в i2pd фиг знает
R4SAS
если учитывать что каждый релиз есть фиксы всяких вещей - критично
R4SAS
с 2.38 было много фиксов с памятью
R4SAS
надо просто сесть и сделать фиксы для сборки
R4SAS
чтобы на федора копр собиралось
R4SAS
блин, опять пересобираться
R4SAS
ща
R4SAS
уж не проделки ли это чьи то, что опять флуд криво публикует
orignal
проблема похоже где то длина буфера бьется
orignal
публикует кого? reg?
orignal
придется профилировщик таки делать
R4SAS
да
R4SAS
сейчас опять долго пробивалс
R4SAS
жду когда туннели сдохнут и перезапускаю рег
orignal
только пересобери
orignal
скорее всего потому что побилась память
R4SAS
уже пересобрал
orignal
я думаю брать эти буфера из пула
orignal
на флудфиле резко улучшит производительность
R4SAS
zzz: btw, I see at my reg.i2p checker that postman's services responds to leaseset lookup
zzz
yeah it looked like the router was up but the irc server was down
R4SAS
everything is down
zlatinb
tracker2 503
exokientic
womp womp ):
zlatinb
muwire still works :P
R4SAS
I think he is running i2p and services in containers, so only network bridge interface is broken
acetone
it's give me a hope
zzz
irc.echelon.i2p now up
R4SAS
перезапустил reg
HidUser0
[21:33:04] <~orignal> проблема похоже где то длина буфера бьется
HidUser0
буфер динамический или статический?
HidUser0
прошу прощения, мне очень интересно
HidUser0
короче в стеке или в куче хранится?
HidUser0
стек еще как то канарейкой защищен, а если это куча, то это фиаско
orignal
HidUser0 в куче
orignal
динамический для хранения буфера RouterInfo
HidUser0
оххх
orignal
да я просто накосячил
orignal
уже откатил этот коммит
HidUser0
а, ок
orignal
там просто буфер для проверки подписи вылазит за пределы
exokientic
well, I think I may have solved my "Error - Symmetric NAT" issue
orignal
what was it?
exokientic
it had to do with the "source NAT" chain in my mikrotik router
exokientic
destination NAT was working just fine allowing thing "in" to the router on the port selected for i2pd UDP/TCP
exokientic
but, I had an 'src-nat' rule that was set to "masquerade"
exokientic
I dont "fully" understand exactly what 'masquerade' is doing
exokientic
but, as I can gather, it is meant to help when you are behind an internet service provider that does NOT assign you a static WAN ip
exokientic
essentially, ALL residential ISP plans
exokientic
so, my ISP provided WAN ip -can- get updated from the ISP DHCP pool from time to time
exokientic
when that happens; and service that is using the now expired WAN IP will report that it is disconnected
exokientic
any service*
exokientic
so, the "masquerade" src is meant (as I understand it) to "sense" that the the external WAN IP has been changed (ISP lease expired, new IP assigned) and will then use the NEW WAN IP for all currently open NAT's
Словесник-Былинник
exokientic : i also has same issue, but if you configure i2pd port to set number and then configure you router to do port forwarding TCP/UDP on that port... it may solve your problem as i did for me.
exokientic
Словесник-Былинник> exactly so!
exokientic
but the interesting thing:
Словесник-Былинник
well :)))
exokientic
I set a unique port number un my i2pd config
exokientic
and I "forwarded" that using dst-nat
Словесник-Былинник
yes that is what i did
exokientic
and it works awesome
exokientic
for packets coming in
exokientic
but
exokientic
sometimes
exokientic
when packets attempt to "leave" my router from i2pd, my masquerade rules changes the port to some randomly selected port
exokientic
unstead of using the same port that it came in on
Словесник-Былинник
understoof
Словесник-Былинник
is masq. so important that you need it ?
exokientic
that is a GREAT question
exokientic
I am not sure yet :D
exokientic
But
exokientic
as a test
exokientic
I put a new rule BEFORE the masquerade
exokientic
that is just a basic standard src-nat
Словесник-Былинник
i have no experience with masq. so im not sure
exokientic
I set the external WAN IP to be static
exokientic
and I manually set it to "point" to my current ISP provided WAN IP
exokientic
as soon as I put those rules in my NAT list, and moved them ABOVE my masquerade rule:
exokientic
traffic instantly started flowing over those rules
exokientic
I went to the i2pd web console page
exokientic
ran a peer test
exokientic
and the Error - Symmetric NAT went away, Network Status: OK
Словесник-Былинник
ok this is logical ... rules are applied in sequence
exokientic
exactly so
exokientic
and, by defualt in my router, there is only -one- src-nat rule -the masquerade
exokientic
so, the way the firewall rules work, as I undertand it;
exokientic
this src-nat is going to work perfect, so long as my public wan IP doesnt change
exokientic
as soon as my ISP lease expires and I get a new one, the rule will stop working
Xeha
using masq for src is only useful if you want to change the IP of the outside world.
exokientic
BUT, that is why I left the masquerade rules at the bottom of the list
exokientic
if for some reason my new rules "brakes itself" traffic will flow down the list to the masquerade rule
Xeha
typical you only need or want masquerading in DNAT
Словесник-Былинник
basicvallu having static IP will resolve your issue for good, right ?
exokientic
Xeha> very intersting! thank you for the input, I have a VERY rudimentary understanding of it at this point
Словесник-Былинник
basically
exokientic
does it seem odd that MikroTik ship their RouterOS operating system with a defualt configuration with a masqueraded src-nat?
Xeha
masquerading in SNAT replaces the IP of the server you get the paket from, to a local mappen one. Your client will no longer see the servers IP but a local one
exokientic
Словесник-Былинник> basicvallu having static IP will resolve your issue for good, right ? -> essentially, exactly so, a static WAN IP would absolutely fix this for good
exokientic
"masquerading in SNAT replaces the IP of the server you get the paket from, to a local mappen one. Your client will no longer see the servers IP but a local one" -THANK YOU!
Xeha
masquerading in DNAT is neccessary for most people. If you talk to a server 1.2.3.4 on port 80, the server sees your official IP and not your local LAN one.
Xeha
Masquerading replaces the official IP with your local one, so traffic flows to your PC and dosnt "stop" at your router.
exokientic
interesting indeed
exokientic
because I dont have any DNAT masquerade rules at all in my routers NAT config page
Словесник-Былинник
static ip's are not that expensive i guess .. a few bucks
Xeha
well you can do SNAT with masq too, but thats silly
exokientic
but, oviously, all my 'local' devices inside my LAN are getting packets through my router :D
Xeha
yes they get the pakets through, but to them all servers are on the same local net
Xeha
since the outside IPs get masqueraded to a local one
exokientic
"Xeha> well you can do SNAT with masq too, but thats silly" -MikroTik does a LOT of 'silly' things when it comes to network configuration implementation!
Xeha
mikrotik has excellent HW, but i'd only use them as switches, ie l2 mode
exokientic
this is kind of what I am discovering, that is why I selected the mikrotik, best bang for the buck on the hardware end
exokientic
I am about "this" close to flashing this thing with OpenWRT
exokientic
my model is fully supported in openwrt
Xeha
the most rudimentary router that does NAT for a typical net is just 2 iptables rules:
Xeha
iptables -A FORWARD -i ${WAN} -o ${LAN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Xeha
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
Xeha
#1 says allow all trafic from WAN if "we" initiated the connection.
Xeha
#2 says replace the local IP with the routers official one
Xeha
official being the WAN interface
exokientic
well now, I recognize those two rules
exokientic
those are the two defualt rules in OpenWRT
Xeha
when you open a port for i2pd, you specify a DNAT (destination NAT, you want to NAT something to destination X)
exokientic
*following along*
Xeha
now if you use a SNAT with masq, i2pd will see all servers having the same IP (your routers one)
exokientic
bingo!
Xeha
the DNAT changes the destination (destination was orriginally your official IP)
exokientic
it seems like i2pd wouldnt like that ver much...?
Xeha
SNAT changes the source (the server/outside that sent you the paket)
Xeha
i saw an example with symmetric NAT and i2pd still worked, since it relies on the netDb
exokientic
well, technically it was still "working"
exokientic
when my console reported error - symmetric nat, I was still connected to the i2p network
exokientic
services still worked
Xeha
symmetric NAT means you have a DNAT+SNAT with (optional) masquerading
exokientic
my router "build" just got shot in the dick
Xeha
:D
exokientic
# of tunnels crashes to a very low number
Xeha
networking isnt that complex ;) understading the basics gives you a lot of insight and power
exokientic
"symmetric NAT means you have a DNAT+SNAT with (optional) masquerading" -dude, thank you so much for explaining this to me
exokientic
okay
exokientic
so if I am understanding this correctly;
exokientic
I started my configuration (pre-i2pd) with a defualt SNAT with masquerading
exokientic
following online guides, I added the DNAT for TCP/UDP on my super secret listen port
exokientic
well look at that
exokientic
now I have DNAT + SNAT -with- optional masquerading :D
Xeha
you likely had masquerading on both interfaces
exokientic
that makes the most sense to me
Xeha
it might have been a typo too when you started, since S is just left of D
exokientic
I have a feeling the MikroTik is (obviously) runnning masquerade on the DNAT
Xeha
but masquerading dosnt need typing dnat/snat
Xeha
you run masquerading on a interface
Xeha
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE # this means everything after your done with routing that is going via the outside interface should be masqueraded
Xeha
you very likely had two of those, one for the LAN and another for the WAN
exokientic
okay, interesting
exokientic
this may be some trickery with how mikrotik labels and names things
exokientic
if I go into this defualt 'masquerade' rules on my tik:
exokientic
it is applied to the chain: srcnat
exokientic
it is applied to the "out" interface 'WAN'
exokientic
ipsec policy-out = none
Xeha
then "srcnat" is either wrong or misleadingly labeld? i dont know how their labels and things work
exokientic
action = masquerade
exokientic
it is HIGHLY likely it is a misleading label
exokientic
I have found a LOT of this in mikrotik
Xeha
i was fed up early with ugly home routers so i've never used one again
exokientic
they like to call the switch a "bridge" even though that switch WONT be doing "bridging" -as an unrelated example
Xeha
most of these routers and their NAT/FW rules just confuse people and make things more complicated or broken :(
exokientic
so fucking true
exokientic
coming from ASUS land myself
Xeha
a bridge is usually if you add 2 PHYs as one interface
exokientic
they try to make things "easy" on the user, but all it really does is hide what is actually happening
Xeha
of course that would act as a switch too ;)
Xeha
indeed
Xeha
but sadly, this is what the moronic user demand :(
exokientic
exactly! hence the confusion on the nomenclature
exokientic
"The customer is -ALWAYS- right."
exokientic
right?
Xeha
good thing this dosnt work in tech. im so happy a computer dosnt care about my feelings and only hard facts
Xeha
and the "tech" stuff you can buy that tries to do it, ugh.. no thanks for me
exokientic
hahahahaha
exokientic
sudo : PERMISSION DENIED -user is in a bad mood right now :: please try again later
Xeha
sudo insults people, but most distros turn it off by default
Xeha
eg:
Xeha
Password:
Xeha
What, what, what, what, what, what, what, what, what, what?
Xeha
Password:
Xeha
Your mind just hasn't been the same since the electro-shock, has it?
exokientic
bahahahaha
exokientic
tell your therapist about how the linux shell has been gaslighting you
Xeha
enter visudo and add "insults" to the Defaults
Xeha
if the distro didnt disable at build time, you'll have it :)
exokientic
thats too good not to enable
exokientic
so, to recap, if I am understandning this all correctly, I should be able to nuke the SNAT rules in my NAT table
exokientic
if, after I "disable" the SNAT - Masquerade rule: all service/ internet access from the LAN still works as intended...
Xeha
you will need masquerading for stuff going out on the wan interface
Xeha
but SNAT masquerading replaces the servers IP, not your non-routeable LAN IP
Xeha
but it depends on which interface its applied to
exokientic
then I can assume that rule was not required for the DNAT masquerade that directs packets through my router to my internal devices
exokientic
hmmm
Xeha
DNAT is needed to change the destination (destination from official IP (your router) to your LAN IPs computer)
exokientic
perhaps I change the masquerade rule
exokientic
leave it applying to the "out" 'WAN' interface
exokientic
but change it from the SNAT to the DNAT chain?
Xeha
yes, masquerade should be for the wan interface
Xeha
cant help you much with that, since i dont know how these things map to actual iptables rules
exokientic
understood
exokientic
you have been a MASSIVE help for me already!
Xeha
nice :)
exokientic
going to need to spend some time digesting the basics that have been laid out
exokientic
and then I can figure out how to apply them to mikrotiks implementation of iptables
exokientic
I "believe" this mikrotik gui is merely being used to create an iptable markup
Xeha
of course, do you think the kernel knows mikrotik labels. hahaha
exokientic
so perhaps it will make more sense if I work from the command line
exokientic
lol, thank you for helping me "walk" (crawl?) through this ;)
Xeha
most home router things flush all rules and create a own set. ie, if you use a manual iptables command it likely wont be persistent and flushed soon after.
Xeha
if you can run some commands directly, take a look at: iptables -L -n -v && iptables -L -n -v -t nat
exokientic
hey, look at that, some iptable rules :D
exokientic
starting from the top...
exokientic
Chain INPUT (policy ACCEPT 29597 packets, 9291K bytes)
Xeha
dont paste 100 lines here pls :D
exokientic
directly under that line
exokientic
hahahaha
exokientic
no, just looking at the first one
exokientic
the line directly under that rule has a bunch of headers
exokientic
"pkts bytes target prot opt in out source destination"
exokientic
but there are no values under those headers
Xeha
that means the input chain has no rules, which makes sense since the policy is ACCEPT
Xeha
take a look at the nat table, -t nat
exokientic
4 rules
exokientic
1. prerouting
exokientic
2 input
exokientic
3 output
exokientic
4 postrouting
exokientic
all set to policy = accept
exokientic
all counters at 0
Xeha
find the MASQUERADE
exokientic
(packets/ bytes)
Xeha
its in POSTROUTING
exokientic
hmm, doesnt appear to be displayed by the command, this what I see in the 'postrouting' string
exokientic
sting 1: Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
exokientic
string 2: pkts bytes target prot opt in out source destination
Xeha
no rules?! that dosnt sound right.
exokientic
ohh god damnit
exokientic
this is funny
exokientic
I am in the wrong console
Xeha
did you run it on your local one?
exokientic
bahahahahaha
Xeha
thought so!
exokientic
that would be the iptables for my ASUS that is running OpenWRT
exokientic
which has its firewall disabled
exokientic
ROFL
exokientic
oaky then
exokientic
one more time...
Xeha
just search all masquerade lines
Xeha
iptables -L -n -v -t nat | grep -i masq
Xeha
FYI; if theres DNAT rules for I2Pd, dont post them (due to the port)! Same goes if theres public IPs in there.
exokientic
okay
exokientic
so yeah, mikrotiks self baked linux kernel doesnt use "iptables"
exokientic
womp womp
Xeha
they just might not have installed the binary
Xeha
does nftables exist?
Xeha
or ebtables
exokientic
negative
Xeha
rubish
exokientic
getting even closer to flashing this thing with OpenWRT
Xeha
if its supported, do it
exokientic
I dont have any desire to learn mikrotiks flavor of linux firewall implementation
exokientic
its fully supported in OpenWRT
Xeha
then gogo :)
exokientic
hw offloading works
exokientic
yeah
exokientic
OpenWRT is happening
exokientic
it will be SO MUCH easier to set this thing up proper
exokientic
R4SAS it seems is also running an OpenWRT router
exokientic
when I was discussing some of these issues with R4SAS yesterday, we discovered that his router uses the exact same chipset as my mikrotik router
exokientic
MediaTek MT7621AT
Xeha
i got into mikrotik HW due to wanting 10G SFP+. now i have it in two of my DCs and at home :)
exokientic
Okay, well then; I will be back once I have OpenWRT flashed on this thing
exokientic
yeah, I was pretty close to getting the MikroTik hEX S router instead of the basic hEX (rb750gr3) that I got
Xeha
im quite sure you can set it up yourself. you should understand what DNAT/SNAT is and what masquerading does
exokientic
hEX S router has one SFP+ port
exokientic
:) I am pretty confident I can get OpenWRT running properly with the understanding you have provided for me today!
exokientic
thank you again Zeha!
exokientic
Xeha**
exokientic
well, I have some seemingly related information to report.... it might not be "useful" to anyone because it might be mikrotik specific...... but, here it goes:
exokientic
I am browsing through mikrotiks documentation about the implementation of NAT and firewall rules
exokientic
and I notice this:
exokientic
"Whenever NAT rules are changed or added, the connection tracking table should be cleared otherwise NAT rules may seem to be not functioning correctly until connection entry expires."
Xeha
exokientic: connection tracking is usually refered as conntrack which also has a userspace binary conntrack
exokientic
hmmm, I have been changing NAT rules all over the place
exokientic
so I found mikrotiks command for clearing that
exokientic
*/ip firewall connection remove [find]
exokientic
I run it
exokientic
and whoa look at that
Xeha
ugh, thats the actual command?
exokientic
i2pd web console says its firewalled now
exokientic
I run a peer test
exokientic
now it says error - symetric NAT
exokientic
lol, yep
exokientic
thats how you do it on the mikrotik
exokientic
run a peer test again
exokientic
now it says testing
exokientic
run a few more peer test
Xeha
seriously, ditch that thing lol
exokientic
network status = ok
exokientic
!!!
exokientic
ditching imminently
Xeha
yes i had that too, only to later return to symmetric NAT
Xeha
but it was actually a symmetric NAT, was a weird k8s deployment of a friend of mine
exokientic
so, it kind of seems like my router might be doing some kind of automatic flush of the connection tracker
exokientic
like periodically on a timer?
exokientic
and when that happens
exokientic
i2pd gets upset
Xeha
they have a timeout
Xeha
no
exokientic
reports firewalled or symmetric nat
Xeha
your issue is with wrong masquerading or with a shitty SNAT rule
Xeha
on your openwrt, type conntrack -L
Xeha
you'll see which things are active (ESTABLISHED) and which are timing out
Xeha
there you also see the mapping, if thats of interest to you
exokientic
"your issue is with wrong masquerading or with a shitty SNAT rule"
exokientic
agreed