Max_P

Max_P , 4 days ago

So what's stopping the workers from saying no? If they have labor shortages then the job market should be favorable to the workers as you gotta be the most attractive employer, which would be those that don't abuse that law and overwork their employees. It's not like they can force people to work.

Or just go anywhere else in the EU.

Max_P , 9 days ago

There's a bug with explicit sync? I'm running patched KWin 6.0.5 and no issues whatsoever with Firefox.

Max_P , 16 days ago

Felons should be able to vote, even while in prison. Otherwise you just have to make sure your political opponents are all charged with a felony and skew and keep skewing the results because those people can never vote to potentially make their crime no longer a crime.

Like, if they ever make it a crime to be gay, now they've basically also stopped gays from being able to vote on the issue. That's not good democracy.

Max_P , 1 month ago

Paywalled medium article? I'll pass.

Fuck employers that steal from their employees paychecks though.

Max_P , 1 month ago

The page just deletes itself for me when using that. It loads and .5 second later it just goes blank. They really don't want people to bypass it.

Max_P , 1 month ago

The guy that manages Kbin has been having personal issues and stepped away from the fediverse so yeah Kbin is kind of in limbo at the moment and indeed not well moderated. There's mods but there's just so much they can do. The software doesn't federate the deletions so even if they're gone on Kbin, they remain everywhere else.

Max_P , 2 months ago

Kbin is not currently maintained due to the guy that makes it having personal issues and not having time to keep up with it. Some instances are even defederating kbin due to spam not being cleaned up and also some bugs sending the same activities over and over again.

No spam on my end on Lemmy.

Max_P , 2 months ago

It's default since systemd afaik. I think systemd-tmpfiles manages this. It's never been a problem for me, it pretty much remains fairly empty most of the time. Most things like sockets are in /run which is also tmpfs.

Max_P , 4 months ago

That’s not quite what masquerade does. Masquerade enables NAT, essentially.

Without masquerade, the router would send packets out like 192.168.0.109->8.8.8.8 and your ISP would be like “what is that IP I don’t know how to route that”. With masquerade on, the router remaps it to its own WAN IP so you have like 3.16.87.54->8.8.8.8, your ISP can handle that, and when the reply comes back, the router then switches it back to the correct internal IP.

Max_P , 4 months ago (edited 4 months ago)

That works too. Ultimately they’re all NAT, that’s why they’re in the NAT table to begin with. Masquerade specifically is to rewrite the traffic as if it was originating from the router itself, which can be useful if you don’t know which interface it’ll go out, you just want it to NAT no matter where. SNAT just rewrites the source address so it’s a bit less smart. There’s also DNAT to rewrite where the packet will go. It’s not just addresses either, you can rewrite ports too. There’s also REDIRECT.

Just different ways of doing similar things, but they’re all doing network address translation. For OpenWRT’s purposes it is indeed what everyone thinks of a NAT, the most simple and common one. Past that a GUI becomes more of an annoyance than a feature anyway, so might as well go for scripts or at least raw iptables rules.

There’s also the whole connection tracking system on top of the firewall rules. If you’re clever you can make a load balancer right in iptables, since connection mappings will stick. You don’t have to always rewrite it the same for every packer.

Max_P , 5 months ago

but then Router B responds with Destination unreachable (Network unreachable),

That’s… interesting. Router B shouldn’t be involved at all with this, it should be blindly forwarding the packets. That’s a layer 3 error!

How’s the bridge set up? Have you made sure router B doesn’t do DHCP and doesn’t take the IP of router A by accident?

Max_P , 5 months ago

Hmm, I see, it’s not a real L2 bridge, it’s a hacky pretend one that relays.

I don’t have a solution for this particular situation, but I do have a suggestion on how I would do it:

• Make B have its own subnet, say, 192.168.1.0/24, assuming that A is on 192.168.0.0/24. Enable DHCP and everything, it’s now it’s own full network.
• Make B a client of A with a static IP, like 192.168.0.2. That makes B present on A’s network.
• Add a route on A for B’s network: 192.168.1.0/24 via 192.168.0.2.
• Disable NAT on B, just set A as the default route. Since A can talk to any IP on B, B doesn’t need to NAT, A can handle it for both networks.

Now, both routers should be able to exchange traffic while being responsible of their own subnet. The only thing missing would be to handle broadcasts so stuff like Bonjour/Avahi works correctly. But as a whole both layer 2 and 3 would behave a bit more cleanly with less surprises.

I think what’s going on is B sorta pretends to be A in some way to do the relaying but something is going wrong.

Max_P , 5 months ago

Sounds about right.

I think I set this right: Network->Routing->Add->(Interface: wwan, Route type: unicast, Target: 192.168.0.1/24, Gateway: 192.168.1.1)

That doesn’t seem right. If you’re using the exact same subnet numbers I’ve used for example: that’s be target 192.168.1.0/24 (B’s network) gateway 192.168.0.2 (B’s IP on A’s network as a WiFi client).

Router B is on two networks at the same time: its own (192.168.1.1/24) and A’s network (192.168.0.2/24).

Router A is only on its own network (192.168.0.1/24) and talks to router B as just a client on its network (192.168.0.2). Whenever it has data to send to the 192.168.1.x network, it sends it to 192.168.0.2 which is on that network and will relay it.

How would I go about doing this? I can’t find any definitive information on how to disable NAT in OpenWRT.

Router B would wan configured as a WiFi client with a static IP of 192.168.0.2/24 and default gateway of 192.168.0.1 (router A). The regular default route will do just fine, as that will cover A’s network as well. We’d only need to configure more if there was a third router involved. From there you just need to disable IP masquerading option in Network -> Firewall (you want it unchecked):

Firewall configuration for zone “want”

You don’t need masquerade even though it’s technically a “wan” because A knows how to send traffic to B’s clients, so B itself doesn’t have to pretend its clients come from itself.

I do need this. I believe this would then require an mDNS reflector, right (it wasn’t required before as relayd was bridging the networks)?

Correct. I found this: blog.christophersmart.com/…/resolving-mdns-across…

If that proves too complicated, I’d consider trying out the GRE tunnel method your original article suggests as an alternative to relayd. It’s kind of like a super basic VPN that I think can be hardware offloaded so I wouldn’t expect much of a performance hit, maybe even less than the relayd option.

Max_P , 5 months ago (edited 5 months ago)

I think you also need to enable full forwarding to and from wan on Router B. I forgot it defaults to not doing that. Set input, output and forward to ACCEPT on Router B on the wan zone, and make sure you also allow forwarding to and from the lan zone. Router A should be fine, I assume A’s WiFi and LAN is the same?

Basically now, Router A sends the traffic to B but B doesn’t forward it to its LAN. But since we don’t have NAT, A’s devices addresses B’s devices directly, not B itself, and there isn’t any connection tracking happening, so it doesn’t “remember” to allow the ping response back in. If you WireShark this, I bet B is successfully sending packets to A and A’s devices, and A’s packets make it all the way to B but B doesn’t forward it to its own LAN, and it stops there.

Can you post the output of ip ro and ip a on both routers? (Feel free to redact your public IP/ISP stuff if it shows up)

Max_P , 5 months ago

Interesting, lan zone doesn’t allow forward from wan but wan does allow both ways, maybe that’s the one missing. I expect OpenWRT to wire it up both ways automatically… OpenWRT is a mystery sometimes.

Actually no, both show unspecified. You need both zones to allow both ways from the other zone.

Max_P , 5 months ago

Erm, okay that’s not looking promising. It’s starting to look like Router A doesn’t like this setup at all. It’s not routing B’s traffic, possibly because it’s not the subnet it expects to serve. Ugh. Check all the options you can in Router A if you can find something that will allow it to work.

You can fairly easily test that by enabling masquerading on B. It’ll break most of what we just set up but it’ll confirm that.

We still have some options on the OpenWRT side to make it masquerade only public traffic but now I’m wondering if A will even let you port forward to something on B. I would try that now and see if it works.

Is A able to ping B and devices on B, or only on A? A itself has a route for B’s subnet right?

Max_P , 5 months ago

That’s a kernel thing that dates from the 90s where allocating a quarter to half of your RAM for write caching made sense. These days we have more RAM than the USB stick we’re writing to, so it fits well into the buffer to be flushed asynchronously.

You can tweak some sysctls to make it less of a thing: unix.stackexchange.com/a/640826

Max_P , 5 months ago

Bit more context behind that now that the coffee kicked in:

• Back then everyone had HDDs which strongly prefers sequential reads and writes. So if you can buffer all those in RAM, the system can optimize the throughput.
• For the most part, IO happens on internal, non-removable drives so it makes sense to let applications write to RAM and do the flushing to disk in the background. For example, Firefox can write to its cache without having to worry whether it’ll slow down the browser too much. Generally makes applications much snappier, especially single threaded ones that vastly predates async runtimes.
• If the program does IO on multiple drives, by acknowledging the write on one immediately may let the program perform IO on the next file, which the kernel can then flush to both drives in parallel.
• By acknowledging the write immediately, the modified file is also immediately available to other programs on the system which can access the file immediately, from RAM, as it’s still being flushed to disk in the background.
• The buffering allows writes to potentially cancel a pending write. If you’re updating multiple files for example, the kernel can delay updating the filesystem state to do it just once with the updated file list.
• That’s largely why Linux works so much better with millions of tiny files compared to Windows.
• You can still get speed benefits even with modern NVMe doing this. Those are so fast the kernel can run out of stuff to write before it’s gotten around to wake up the application for more. Instead let the application fill up the buffer fast, and only then, block the application.

Pretty much the only time this matters and becomes confusing is when you’re copying a file and wanted an accurate transfer rate, and the target disk is much slower than the rest of the computer, ie. USB sticks and SD cards.

Example case: updating your system. The package manager will write a whole bunch of files everywhere, but also run a bunch of commands to update some other files, rebuild caches and indexes, maybe do some computations and compiling. The package manager will call sync at the end of the process, and it’s likely by the time you get there, most of the data will have been flushed to disk. So it runs much faster.

Max_P , 6 months ago

One use case I’ve seen professionally is that if you’re in a datacenter shared with other people, one could easily plug a laptop or change your switch ports or whatever and see your database traffic or whatever. Or in the case of the cloud, it makes it so nobody can snoop on your traffic at the router or hypervisor level.

I’ve seen VMs getting traffic they shouldn’t be getting, so even if you trust your provider, bugs happen.

---

On smaller, regular LAN, some devices are pretty innocent on their own but may have vulnerable firmware and become part of a botnet, which then can be used for attacks like ARP spoofing.

I’ve had a conference room IP phone with a public IPv6, from another country, that triggered CPU warnings. It was being used to crawl our website and it was hitting some heavier pages and was trying all sorts of known exploits.

---

On my own home LAN, I just have VLANs and SSIDs based on trust level, but for the most part nothing that would be sensitive. I guess you could copy all of my Linux ISOs.

Max_P , 6 months ago

That’s managed by PAM: man.archlinux.org/man/faillock.8.en

I think it’s mostly intended for remote access like when SSH’ing in, it locks up after too many bad attempts.

When you have physical access a lot of security stops being relevant. Although for users with full disk encryption, that’d also force the attacker to wipe the keys in RAM so it’s still got some value.

Max_P , 6 months ago

I doubt it’ll do anything, or at worse something that can be easily fixed by resetting a config file somewhere. It’s much less weird than even switching between Gnome and KDE.

For the most part, only KWin and KScreen and maybe Plasma Shell might care but I’d expect nothing worse than a panel going to the wrong monitor.

For your input redirection, have you tried running it in gamescope or a rootful xwayland? Not sure gamescope has much special sauce since it’s based on wlroots and also runs xwayland, but they may have extra hacks for input grabbing.

Max_P , 7 months ago

Advertisers are just using their free speech to decide they don’t want to pay to have their speech presented next to hate speech. Nobody’s silencing anyone. Elon could do just fine with no ads, he’s just greedy and also wants hate speech to be profitable.

Max_P , 8 months ago

The switch can put out 15.4W, but it doesn't control how much power flows. The device can draw 15.4W if it wants to but it won't necessarily do so. The switch can lower the voltage it supplies, and it can cap the power output by lowering the voltage it supplies, but it can't push a certain amount of power. That would violate the fundamental physics of electronics.

Put a 2.4kΩ resistor as the "device", and at 48V, the absolute maximum that will flow is ~1W. The switch would have to push 196V to force that resistor to use 15.4W which would put it way out of spec. And there's nothing preventing the device from being smart enough to adjust that resistance either to maintain 1W. That's basic Ohms law.

The device must negotiate if it's going to use more than the default 15.4W, or it can advertise it's low power so the switch can allocate the power budget to other devices as needed. But the switch can only act as a limiter, it can't provide more than the device takes. It can have the ability to provide more than the device takes, but simply can't force the device to take more.

Max_P , 8 months ago

I'll add, it also depends on the efficiency of the local power supplies if those devices were using wall warts. Those are often pretty generic, and may only be used at 25% which for some wall warts would be outside of their top efficiency curve. A single power supply in the form of PoE can be more efficient if it lets both the switch and PoE regulator on the device operate at a better efficiency point.

In some way, stepping down 48V DC down to 3.3/5V is a bit easier than stepping down the 168V that results from rectifying 120V AC to DC. But the wart could be stepping down the 120V to 5V first with a simple AC transformer which are nearly always more efficient (95%+) than a DC/DC buck converter, but those can still reach 90% efficiency as well.

In terms of cabling, power loss is a function of current and length (resistance). AC is nice because we can step it up easily and efficiently to extremely high voltages as to minimize the current flowing through the wire, and then step it back down to a manageable voltage. In that way, american 120V has more loss than rest of the world 240V, although it only matters for higher power devices. That also means that the location of the stepping down matters: if you're gonna run 30m of ethernet and a parallel run of 30m of 5V power, there will be more loss than if you just ran PoE. But again, you need to account the efficiency of the system as a whole. Maybe you'd have a wart that's 5% more efficient, but you lose that 5% in the cable and it's a wash. Maybe the wart is super efficient and it's still way better. Maybe the switch is more efficient.

It's going to be highly implementation dependent in how well tuned all the power supplies are across the whole system. You'd need either the exact specs you'll run, or measure both options and see which has the least power usage.

I would just run PoE for the convenience of not having to also have an outlet near the device, especially APs which typically work best installed on ceilings. Technically if you run the heat at all during the winter, the loss from the power supplies will contribute to your heating ever so slightly, but will also work against your AC during summers. In the end, I'd still expect the losses to amount to pennies or at best a few dollars. It may end up more expensive just in wiring if some devices are far from an outlet.

Max_P , 8 months ago

If they don't hang outside the window they'd have to hang inside the window, and would need a more complicated ventilation system to take air from outside, heat it up and vent it back outside. At that point you'd have a window mounted two hose AC anyway.

So yes, your next best option is going to be a two hose portable AC. One hose takes air from the outside to cool the condenser, one hose to throw that hot air outside.

Single hose works too, but they're less efficient because they take cold inside air, cool the condenser and vents it outside, which waste some of the air it just cooled for that and it creates negative air pressure inside which will bring hot air from the outside to replace it from any cracks and holes in the house.

Max_P , 9 months ago

I do, Postfix and Dovecot. Mine’s got 10 years of history so I’ve been spared being blocked everywhere.

Most will tell you the software side is not too bad these days but the constant fighting to get your emails through can be really rough.

Personally I find it useful if only for the sake of just registering every service to its own unique email address so I can track who got my data where, and I get the privacy of Google not knowing every site I’m registered with. I still use my Gmail when I want to be sure it goes through.

I really don’t send that many emails so it works pretty well for me.

Max_P , 9 months ago

Or if OP really can’t do that (that’s by far the best solution), KDE Connect also lets you hardcode some IPs it’ll try to connect to. Given the computer is on the main network, using the IP of the computer directly would make it work fine behind the second router.

But ideally, they really should be the same network.

Max_P , 10 months ago

Basically buying time to attempt to win the election and abuse power to pardon himself or block prosecution, and if that fails, he’s still gonna have plenty of time to flee the country before his court date is due. Or drag it on until after statute of limitation.

Max_P , 10 months ago

You can probably ask them to pull the wires there but not install or terminate them for a patch panel.

Because you specified a patch panel, they probably quoted for the installation of the rack and the patch panel, as it’s not there and therefore they need it to complete the task completely.

You’ll end up with loose unterminated wires you can then just put an RJ45 plug on and wire directly to a switch or whatever.

I’d just manage the actual patching with VLANs on the switch. Unless you plan a more complex setup with some jacks going directly to a server or other routers/switches, it should be plentiful to just have 24 live ports you can plug devices into. Fair amount of switches can be simply wall mounted without a rack.

Max_P , 10 months ago

The author is basically going like “I registered an E-Mail address and used my usual username. I don’t know which provider I picked, I just picked one in the middle of a list. People can’t seem to find me with just my username! It’s too complicated!”

Max_P , 11 months ago

Really wish people would run those things through our departments first before buying expensive enterprise grade shitware.

That way we’d at least get a chance to negotiate the specs. You want to give you that much compute? Please justify why you need that much compute and we might approve.

Max_P , 11 months ago

Been working quite reliably for me. Just gotta make sure it’s battery usage is set to “Unrestricted” in the power settings for the app, and also disable every smart battery management options in the phone’s settings.

As manufacturers try harder and harder to make the battery last longer/offset the drain caused by all the bloatware they ship with it, lots of phones will aggressively stop any apps running in the background that you haven’t interacted with in a while.

Right now my phone says KDE Connect has been active for 104 hours, which is about how long it’s been since the last reboot. I’ve seen it go in the 200s.