IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#dev
/2021/12/28
~AreEnn
~R4SAS
~acetone
~orignal
~villain
@onon
&N00B
+relaybot
DUHOVKIN_
Guest7184
Komap-
Most2
Nausicaa
Nikat
Ruskoye_911
Vort
Xeha
anon3
b3t4f4c3
fidoid
karamba_i2p
nemiga
not_bob_afk
plap
poriori
profetikla
qend
segfault
soos
teeth
tetrimer_
uis
un
unlike
user
weko
whothefuckami
orignal R4SAS надо будет пересобрать
orignal я там что то поломал
orignal откатил
zzz доброго времени суток
orignal привет
orignal are you really zzz?
zzz да
orignal we also speak english here
orignal not a problem
zzz had to fix i2ptunnel for it to work, ilita uses "IRCv3 message tags" which we didn't handle
orignal I think we don't strip it out or what?
acetone zzz: welcome to russian land
orignal фand i2pd land ))
zzz it's a negotiated parameter between the irc client and server. Hexchat supports it, so ilita sent it
zzz but our irc filter didn't know how to parse it
orignal should I change it in IRC tunnel code on in unrealirc settings?
orignal *** afk ***
zzz no, it's fine
zzz nobody ever complained before
orignal exactly
orignal we have bunch of Java users here
caustic Привет всем. Вопрос по использованию I2PD: Насколько критично НЕ ставить последнюю версию 2.40.0?
_mblw_ на много
_mblw_ caustic, а это так сложно,обновить или усьановить поверх
caustic _mblw_ , скомпилировать*
R4SAS orignal: эмм
R4SAS хорошо
R4SAS caustic: и в чем же проблема?
R4SAS специфичная система?
caustic оказалась в следующем: библиотеки libboost обновились. С libboost_*.so.1.77.0 на 1.78.0 цыферка поменялась. Наделал ссылок обратно на 1.77.0, роутер снова заработал, однако компилировать уже не даёт, ему очень хочется старый libboost походу
R4SAS какая система то?
caustic Linux Opensuse Tumbleweed
R4SAS так для сусанина же вроде есть сборки
caustic да, даже в офф репах, но там версия 2.38. Вот у меня и вопрос был: насколько критично не ставить последнюю версию
caustic в явовском i2p там роутер прям автообновляется - надо видимо так, а в i2pd фиг знает
R4SAS если учитывать что каждый релиз есть фиксы всяких вещей - критично
R4SAS с 2.38 было много фиксов с памятью
R4SAS надо просто сесть и сделать фиксы для сборки
R4SAS чтобы на федора копр собиралось
R4SAS блин, опять пересобираться
R4SAS ща
R4SAS уж не проделки ли это чьи то, что опять флуд криво публикует
orignal проблема похоже где то длина буфера бьется
orignal публикует кого? reg?
orignal придется профилировщик таки делать
R4SAS да
R4SAS сейчас опять долго пробивалс
R4SAS жду когда туннели сдохнут и перезапускаю рег
orignal только пересобери
orignal скорее всего потому что побилась память
R4SAS уже пересобрал
orignal я думаю брать эти буфера из пула
orignal на флудфиле резко улучшит производительность
R4SAS zzz: btw, I see at my reg.i2p checker that postman's services responds to leaseset lookup
zzz yeah it looked like the router was up but the irc server was down
R4SAS everything is down
zlatinb tracker2 503
exokientic womp womp ):
zlatinb muwire still works :P
R4SAS I think he is running i2p and services in containers, so only network bridge interface is broken
acetone it's give me a hope
zzz irc.echelon.i2p now up
R4SAS перезапустил reg
HidUser0 [21:33:04] <~orignal> проблема похоже где то длина буфера бьется
HidUser0 буфер динамический или статический?
HidUser0 прошу прощения, мне очень интересно
HidUser0 короче в стеке или в куче хранится?
HidUser0 стек еще как то канарейкой защищен, а если это куча, то это фиаско
orignal HidUser0 в куче
orignal динамический для хранения буфера RouterInfo
HidUser0 оххх
orignal да я просто накосячил
orignal уже откатил этот коммит
HidUser0 а, ок
orignal там просто буфер для проверки подписи вылазит за пределы
exokientic well, I think I may have solved my "Error - Symmetric NAT" issue
orignal what was it?
exokientic it had to do with the "source NAT" chain in my mikrotik router
exokientic destination NAT was working just fine allowing thing "in" to the router on the port selected for i2pd UDP/TCP
exokientic but, I had an 'src-nat' rule that was set to "masquerade"
exokientic I dont "fully" understand exactly what 'masquerade' is doing
exokientic but, as I can gather, it is meant to help when you are behind an internet service provider that does NOT assign you a static WAN ip
exokientic essentially, ALL residential ISP plans
exokientic so, my ISP provided WAN ip -can- get updated from the ISP DHCP pool from time to time
exokientic when that happens; and service that is using the now expired WAN IP will report that it is disconnected
exokientic any service*
exokientic so, the "masquerade" src is meant (as I understand it) to "sense" that the the external WAN IP has been changed (ISP lease expired, new IP assigned) and will then use the NEW WAN IP for all currently open NAT's
Словесник-Былинник exokientic : i also has same issue, but if you configure i2pd port to set number and then configure you router to do port forwarding TCP/UDP on that port... it may solve your problem as i did for me.
exokientic Словесник-Былинник> exactly so!
exokientic but the interesting thing:
exokientic I set a unique port number un my i2pd config
exokientic and I "forwarded" that using dst-nat
exokientic and it works awesome
exokientic for packets coming in
exokientic sometimes
exokientic when packets attempt to "leave" my router from i2pd, my masquerade rules changes the port to some randomly selected port
exokientic unstead of using the same port that it came in on
Словесник-Былинник is masq. so important that you need it ?
exokientic that is a GREAT question
exokientic I am not sure yet :D
exokientic as a test
exokientic I put a new rule BEFORE the masquerade
exokientic that is just a basic standard src-nat
Словесник-Былинник i have no experience with masq. so im not sure
exokientic I set the external WAN IP to be static
exokientic and I manually set it to "point" to my current ISP provided WAN IP
exokientic as soon as I put those rules in my NAT list, and moved them ABOVE my masquerade rule:
exokientic traffic instantly started flowing over those rules
exokientic I went to the i2pd web console page
exokientic ran a peer test
exokientic and the Error - Symmetric NAT went away, Network Status: OK
Словесник-Былинник ok this is logical ... rules are applied in sequence
exokientic exactly so
exokientic and, by defualt in my router, there is only -one- src-nat rule -the masquerade
exokientic so, the way the firewall rules work, as I undertand it;
exokientic this src-nat is going to work perfect, so long as my public wan IP doesnt change
exokientic as soon as my ISP lease expires and I get a new one, the rule will stop working
Xeha using masq for src is only useful if you want to change the IP of the outside world.
exokientic BUT, that is why I left the masquerade rules at the bottom of the list
exokientic if for some reason my new rules "brakes itself" traffic will flow down the list to the masquerade rule
Xeha typical you only need or want masquerading in DNAT
Словесник-Былинник basicvallu having static IP will resolve your issue for good, right ?
exokientic Xeha> very intersting! thank you for the input, I have a VERY rudimentary understanding of it at this point
exokientic does it seem odd that MikroTik ship their RouterOS operating system with a defualt configuration with a masqueraded src-nat?
Xeha masquerading in SNAT replaces the IP of the server you get the paket from, to a local mappen one. Your client will no longer see the servers IP but a local one
exokientic Словесник-Былинник> basicvallu having static IP will resolve your issue for good, right ? -> essentially, exactly so, a static WAN IP would absolutely fix this for good
exokientic "masquerading in SNAT replaces the IP of the server you get the paket from, to a local mappen one. Your client will no longer see the servers IP but a local one" -THANK YOU!
Xeha masquerading in DNAT is neccessary for most people. If you talk to a server 1.2.3.4 on port 80, the server sees your official IP and not your local LAN one.
Xeha Masquerading replaces the official IP with your local one, so traffic flows to your PC and dosnt "stop" at your router.
exokientic interesting indeed
exokientic because I dont have any DNAT masquerade rules at all in my routers NAT config page
Словесник-Былинник static ip's are not that expensive i guess .. a few bucks
Xeha well you can do SNAT with masq too, but thats silly
exokientic but, oviously, all my 'local' devices inside my LAN are getting packets through my router :D
Xeha yes they get the pakets through, but to them all servers are on the same local net
Xeha since the outside IPs get masqueraded to a local one
exokientic "Xeha> well you can do SNAT with masq too, but thats silly" -MikroTik does a LOT of 'silly' things when it comes to network configuration implementation!
Xeha mikrotik has excellent HW, but i'd only use them as switches, ie l2 mode
exokientic this is kind of what I am discovering, that is why I selected the mikrotik, best bang for the buck on the hardware end
exokientic I am about "this" close to flashing this thing with OpenWRT
exokientic my model is fully supported in openwrt
Xeha the most rudimentary router that does NAT for a typical net is just 2 iptables rules:
Xeha iptables -A FORWARD -i ${WAN} -o ${LAN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Xeha iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
Xeha #1 says allow all trafic from WAN if "we" initiated the connection.
Xeha #2 says replace the local IP with the routers official one
Xeha official being the WAN interface
exokientic well now, I recognize those two rules
exokientic those are the two defualt rules in OpenWRT
Xeha when you open a port for i2pd, you specify a DNAT (destination NAT, you want to NAT something to destination X)
exokientic *following along*
Xeha now if you use a SNAT with masq, i2pd will see all servers having the same IP (your routers one)
Xeha the DNAT changes the destination (destination was orriginally your official IP)
exokientic it seems like i2pd wouldnt like that ver much...?
Xeha SNAT changes the source (the server/outside that sent you the paket)
Xeha i saw an example with symmetric NAT and i2pd still worked, since it relies on the netDb
exokientic well, technically it was still "working"
exokientic when my console reported error - symmetric nat, I was still connected to the i2p network
exokientic services still worked
Xeha symmetric NAT means you have a DNAT+SNAT with (optional) masquerading
exokientic my router "build" just got shot in the dick
exokientic # of tunnels crashes to a very low number
Xeha networking isnt that complex ;) understading the basics gives you a lot of insight and power
exokientic "symmetric NAT means you have a DNAT+SNAT with (optional) masquerading" -dude, thank you so much for explaining this to me
exokientic so if I am understanding this correctly;
exokientic I started my configuration (pre-i2pd) with a defualt SNAT with masquerading
exokientic following online guides, I added the DNAT for TCP/UDP on my super secret listen port
exokientic well look at that
exokientic now I have DNAT + SNAT -with- optional masquerading :D
Xeha you likely had masquerading on both interfaces
exokientic that makes the most sense to me
Xeha it might have been a typo too when you started, since S is just left of D
exokientic I have a feeling the MikroTik is (obviously) runnning masquerade on the DNAT
Xeha but masquerading dosnt need typing dnat/snat
Xeha you run masquerading on a interface
Xeha iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE # this means everything after your done with routing that is going via the outside interface should be masqueraded
Xeha you very likely had two of those, one for the LAN and another for the WAN
exokientic okay, interesting
exokientic this may be some trickery with how mikrotik labels and names things
exokientic if I go into this defualt 'masquerade' rules on my tik:
exokientic it is applied to the chain: srcnat
exokientic it is applied to the "out" interface 'WAN'
exokientic ipsec policy-out = none
Xeha then "srcnat" is either wrong or misleadingly labeld? i dont know how their labels and things work
exokientic action = masquerade
exokientic it is HIGHLY likely it is a misleading label
exokientic I have found a LOT of this in mikrotik
Xeha i was fed up early with ugly home routers so i've never used one again
exokientic they like to call the switch a "bridge" even though that switch WONT be doing "bridging" -as an unrelated example
Xeha most of these routers and their NAT/FW rules just confuse people and make things more complicated or broken :(
exokientic so fucking true
exokientic coming from ASUS land myself
Xeha a bridge is usually if you add 2 PHYs as one interface
exokientic they try to make things "easy" on the user, but all it really does is hide what is actually happening
Xeha of course that would act as a switch too ;)
Xeha indeed
Xeha but sadly, this is what the moronic user demand :(
exokientic exactly! hence the confusion on the nomenclature
exokientic "The customer is -ALWAYS- right."
Xeha good thing this dosnt work in tech. im so happy a computer dosnt care about my feelings and only hard facts
Xeha and the "tech" stuff you can buy that tries to do it, ugh.. no thanks for me
exokientic hahahahaha
exokientic sudo : PERMISSION DENIED -user is in a bad mood right now :: please try again later
Xeha sudo insults people, but most distros turn it off by default
Xeha eg:
Xeha Password:
Xeha What, what, what, what, what, what, what, what, what, what?
Xeha Password:
Xeha Your mind just hasn't been the same since the electro-shock, has it?
exokientic bahahahaha
exokientic tell your therapist about how the linux shell has been gaslighting you
Xeha enter visudo and add "insults" to the Defaults
Xeha if the distro didnt disable at build time, you'll have it :)
exokientic thats too good not to enable
exokientic so, to recap, if I am understandning this all correctly, I should be able to nuke the SNAT rules in my NAT table
exokientic if, after I "disable" the SNAT - Masquerade rule: all service/ internet access from the LAN still works as intended...
Xeha you will need masquerading for stuff going out on the wan interface
Xeha but SNAT masquerading replaces the servers IP, not your non-routeable LAN IP
Xeha but it depends on which interface its applied to
exokientic then I can assume that rule was not required for the DNAT masquerade that directs packets through my router to my internal devices
Xeha DNAT is needed to change the destination (destination from official IP (your router) to your LAN IPs computer)
exokientic perhaps I change the masquerade rule
exokientic leave it applying to the "out" 'WAN' interface
exokientic but change it from the SNAT to the DNAT chain?
Xeha yes, masquerade should be for the wan interface
Xeha cant help you much with that, since i dont know how these things map to actual iptables rules
exokientic understood
exokientic you have been a MASSIVE help for me already!
Xeha nice :)
exokientic going to need to spend some time digesting the basics that have been laid out
exokientic and then I can figure out how to apply them to mikrotiks implementation of iptables
exokientic I "believe" this mikrotik gui is merely being used to create an iptable markup
Xeha of course, do you think the kernel knows mikrotik labels. hahaha
exokientic so perhaps it will make more sense if I work from the command line
exokientic lol, thank you for helping me "walk" (crawl?) through this ;)
Xeha most home router things flush all rules and create a own set. ie, if you use a manual iptables command it likely wont be persistent and flushed soon after.
Xeha if you can run some commands directly, take a look at: iptables -L -n -v && iptables -L -n -v -t nat
exokientic hey, look at that, some iptable rules :D
exokientic starting from the top...
exokientic Chain INPUT (policy ACCEPT 29597 packets, 9291K bytes)
Xeha dont paste 100 lines here pls :D
exokientic directly under that line
exokientic hahahaha
exokientic no, just looking at the first one
exokientic the line directly under that rule has a bunch of headers
exokientic "pkts bytes target prot opt in out source destination"
exokientic but there are no values under those headers
Xeha that means the input chain has no rules, which makes sense since the policy is ACCEPT
Xeha take a look at the nat table, -t nat
exokientic 4 rules
exokientic 1. prerouting
exokientic 2 input
exokientic 3 output
exokientic 4 postrouting
exokientic all set to policy = accept
exokientic all counters at 0
Xeha find the MASQUERADE
exokientic (packets/ bytes)
Xeha its in POSTROUTING
exokientic hmm, doesnt appear to be displayed by the command, this what I see in the 'postrouting' string
exokientic sting 1: Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
exokientic string 2: pkts bytes target prot opt in out source destination
Xeha no rules?! that dosnt sound right.
exokientic ohh god damnit
exokientic this is funny
exokientic I am in the wrong console
Xeha did you run it on your local one?
exokientic bahahahahaha
Xeha thought so!
exokientic that would be the iptables for my ASUS that is running OpenWRT
exokientic which has its firewall disabled
exokientic oaky then
exokientic one more time...
Xeha just search all masquerade lines
Xeha iptables -L -n -v -t nat | grep -i masq
Xeha FYI; if theres DNAT rules for I2Pd, dont post them (due to the port)! Same goes if theres public IPs in there.
exokientic so yeah, mikrotiks self baked linux kernel doesnt use "iptables"
exokientic womp womp
Xeha they just might not have installed the binary
Xeha does nftables exist?
Xeha or ebtables
exokientic negative
Xeha rubish
exokientic getting even closer to flashing this thing with OpenWRT
Xeha if its supported, do it
exokientic I dont have any desire to learn mikrotiks flavor of linux firewall implementation
exokientic its fully supported in OpenWRT
Xeha then gogo :)
exokientic hw offloading works
exokientic OpenWRT is happening
exokientic it will be SO MUCH easier to set this thing up proper
exokientic R4SAS it seems is also running an OpenWRT router
exokientic when I was discussing some of these issues with R4SAS yesterday, we discovered that his router uses the exact same chipset as my mikrotik router
exokientic MediaTek MT7621AT
Xeha i got into mikrotik HW due to wanting 10G SFP+. now i have it in two of my DCs and at home :)
exokientic Okay, well then; I will be back once I have OpenWRT flashed on this thing
exokientic yeah, I was pretty close to getting the MikroTik hEX S router instead of the basic hEX (rb750gr3) that I got
Xeha im quite sure you can set it up yourself. you should understand what DNAT/SNAT is and what masquerading does
exokientic hEX S router has one SFP+ port
exokientic :) I am pretty confident I can get OpenWRT running properly with the understanding you have provided for me today!
exokientic thank you again Zeha!
exokientic well, I have some seemingly related information to report.... it might not be "useful" to anyone because it might be mikrotik specific...... but, here it goes:
exokientic I am browsing through mikrotiks documentation about the implementation of NAT and firewall rules
exokientic and I notice this:
exokientic "Whenever NAT rules are changed or added, the connection tracking table should be cleared otherwise NAT rules may seem to be not functioning correctly until connection entry expires."
Xeha exokientic: connection tracking is usually refered as conntrack which also has a userspace binary conntrack
exokientic hmmm, I have been changing NAT rules all over the place
exokientic so I found mikrotiks command for clearing that
exokientic */ip firewall connection remove [find]
exokientic I run it
exokientic and whoa look at that
Xeha ugh, thats the actual command?
exokientic i2pd web console says its firewalled now
exokientic I run a peer test
exokientic now it says error - symetric NAT
exokientic lol, yep
exokientic thats how you do it on the mikrotik
exokientic run a peer test again
exokientic now it says testing
exokientic run a few more peer test
Xeha seriously, ditch that thing lol
exokientic network status = ok
exokientic ditching imminently
Xeha yes i had that too, only to later return to symmetric NAT
Xeha but it was actually a symmetric NAT, was a weird k8s deployment of a friend of mine
exokientic so, it kind of seems like my router might be doing some kind of automatic flush of the connection tracker
exokientic like periodically on a timer?
exokientic and when that happens
exokientic i2pd gets upset
Xeha they have a timeout
exokientic reports firewalled or symmetric nat
Xeha your issue is with wrong masquerading or with a shitty SNAT rule
Xeha on your openwrt, type conntrack -L
Xeha you'll see which things are active (ESTABLISHED) and which are timing out
Xeha there you also see the mapping, if thats of interest to you
exokientic "your issue is with wrong masquerading or with a shitty SNAT rule"