From: Kevin Darbyshire-Bryant
Date: Tue, 14 Apr 2015 20:48:28 +0100
To: "cerowrt-devel@lists.bufferbloat.net"
Subject: Re: [Cerowrt-devel] Routed LANs vs WOL & Windows troubles
Message-ID: <552D6F0C.10500@darbyshire-bryant.me.uk>
In-Reply-To: <552CDDB9.40909@darbyshire-bryant.me.uk>
List-Id: Development issues regarding the cerowrt test router project

Ooops forgot to include my reply to Alan on the list, forwarded for the
'benefit' of everyone.  You'll be pleased to know I've concluded my
experiments with routed home networks :-)

-------- Forwarded Message --------
Subject: Re: Routed LANs vs WOL & Windows troubles
Date: Tue, 14 Apr 2015 10:28:25 +0100
From: Kevin Darbyshire-Bryant
To: Alan Jenkins

On 13/04/2015 23:25, Alan Jenkins wrote:
> O
> <snip>
> > Discovered that a couple of iphone based apps for my Sky set top box,
> > Yamaha AV Receiver & TV won't do device discovery either.
>
> Sounds about right :-).
>
> > Battling on,
> >
> > Kevin
>
> In case I'm being stupidly ambiguous: I hear pain without a specific
> gain here.
>
> We haven't given you a number to say it makes your life better.  Also
> we know wifi needs a bunch more work.

You're absolutely right which is why later today things are going back
to firmware defaults and I shall be retreating to 192.168.230/24 with
the default bridging across LAN & WAN ports.

> If you _can_ see a subjective difference from the blocking of
> multicast in a home network, or something?  I think everyone would
> love to hear it.

No, of course I can't.  It was just theoretically the 'right thing to
do' and I suppose some idiot has to try it....I don't mind being an
idiot, comes naturally :-)

> Thanks for the firewall explanation in particular, personally I found
> that interesting.

Something useful has come out of this experience/experiment then :-)
I'm probably a little more aware of Windows firewall behaviour than the
average home user after my experiences with IPv6.  Windows may acquire
IPv6 addresses via DHCPv6 but since this protocol doesn't propagate a
'netmask' it has to treat each address as a /128.  It then
solicits/looks out for RA broadcasts that tell it which IPv6 prefixes
are 'on-link' (ie prefix length/local subnet).  There was an early bug
in dnsmasq's RA broadcasts which didn't have the relevant bit set (and I
was experimenting using dnsmasq for all my dns/dhcp4/6 needs and
ditching radvd).  The net result was that I couldn't ping local IPv6
Windows boxes because they weren't considered 'on-link alias
local-subnet'.  Windows limits a number of services to local subnet only
including file sharing.

At present, without an obvious automatic mechanism for servers to expand
the 'local subnet' pool, Windows file sharing is going to be very
problematic in the home across subnets.

> Ah.  I meant server in the technical sense: the PC providing the file
> service.
>
> So I believe there is no automatic solution for this case in Windows.
>
> I'm sure sysadmins could script or gpo it, deploying to managed pcs.
> But not the kind of scripts pcs will run automatically on a given IP
> network :).  Even if the network is marked as trusted ("home" / "work"
> / "private network").
>
> Also if anyone tries to use "Homegroup" - the wizard stuff in win 7+ -
> AFAICT it specifically only works on a single subnet.

Agreed.

> > I've both Samba & avahi running on the router, in theory configured to
> > do the required SMB/WINS name collecting/forwarding.  Similar with Avahi
> > for mDNS stuff.
> >
> > The Samba WINS server is almost working, seems to be advertising every
> > other box...except the server.  So close!
>
> Annoying!
>
> Obviously, like I mentioned about dnsmasq, if WHS isn't configured
> through DHCP & you set it with a purely static IP instead - it's not
> going to pick up WINS from DHCP.  It can be configured statically.
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ClientConfig.html#id2575612

I've a static mapping within dnsmasq, so all servers get everything they
need via DHCP4/6/RA but they do all stay at the same address....I have
to nail *something* down (well in IPv4 at least.  Don't get me started
on IPv6 SLAAC/Privacy addresses/DUID...and name resolution, oh yes and
IPv6 firewall 'pin hole' solutions)

> `ipconfig /all` will show name resolution config somewhere, which
> includes the WINS server.
>
> If WHS 2011 denies the existence of your WINS, there is a hack to
> create static entries in samba[1].  There is also a deprecated
> config[2] to forward wins queries to dns (I do not endorse this, but
> it means you could use a dns entry).
>
> [1] https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2584250
> [2] https://www.samba.org/samba/docs/using_samba/ch07.html#samba2-CHP-7-SECT-1.4.1

Thanks for that - it may yet come in handy.

> > > > 4) (A bonus Monty Python question)  I've a second wireless access point
> > > > at the other end of the garden, attached by a suitable length of Cat 6.
> > > > Devices at mid travel point ideally roam from House wifi to Shed
> > > > wifi...but now they change IP address as well.  To be honest I'm not
> > > > sure how this actually works in a bridged environment either since the
> > > > MAC now migrates from local wireless bridge interface to local wired
> > > > interface and potentially back again as I wander around the garden...how
> > > > does it really know where to send frames to this magically roaming
> > > > device?
> > >
> > > Yes they can't keep the same IP address on a different subnet :).
> > > There are common cases where you don't notice and it wouldn't matter.
> > >
> > > There are references for bridging.  Basically it's an optimization
> > > over flooding packets to every single port (old-style dumb hub).  As
> > > soon as you send a frame from your MAC, all the bridges/switches in
> > > between "learn" where you are now.  If the target isn't known yet, the
> > > frame is just flooded.
> > >
> > > Maybe this helps: http://computer.howstuffworks.com/ethernet12.htm
> >
> > Toke has given some instruction on this.  After some sleep I may even
> > understand it :-)
>
> Toke's setup sounds like a commercial "wireless controller".  Each
> wifi AP is trunked back to the main router, which bridges all the wifi
> together (but doesn't bridge to wired access).  Wifi is a single
> subnet again.  IPs don't change when roaming between APs anymore.

I get what you're saying.  The 'gain' is that 5Ghz(1 AP) & 2.5Ghz (2 AP)
& Wired (2 'AP') are still different subnets.  I sort of got this
working by messing with vlans (effectively partitioning a LAN port out
of the LAN group and placing it in a bridge with local 2.5Ghz & remote
AP 2.5Ghz).  Unfortunately due to some Archer C7 strangeness with the
vlan process it started dropping packets, no matter which wireless or
wired port, so I gave up on that idea.  There have been many hurdles on
this journey and I've pretty much smashed into every one.  So in short,
I shall now stop trying to be so darn clever (ha!) and hit the factory
reset button :-)   Single subnet, bridged WLANs/LANs here I
come.........phuuut!

Kevin

-- 
Thanks,

Kevin@Darbyshire-Bryant.me.uk


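Added example, not part of the original message and not dnsmasq or Windows code: the "relevant bit" in the message above is the on-link (L) flag of the Prefix Information option in a Router Advertisement (RFC 4861), and this Python sketch parses an RA and shows how a peer in the same /64 stops counting as a local-subnet neighbour when that flag is clear. The packet bytes, the 2001:db8:1::/64 prefix and all function names are constructed for illustration; only the on-link decision is modelled, not any firewall.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option type
FLAG_ON_LINK = 0x80      # L bit: prefix can be used for on-link determination
FLAG_AUTONOMOUS = 0x40   # A bit: prefix can be used for SLAAC


def build_ra(prefix, on_link):
    """Constructed RA body (checksum left as zero) carrying one prefix option."""
    net = ipaddress.IPv6Network(prefix)
    flags = FLAG_AUTONOMOUS | (FLAG_ON_LINK if on_link else 0)
    # type, code, checksum, hop limit, M flag set (addresses come from DHCPv6),
    # router lifetime, reachable time, retransmit timer
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x80, 1800, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                         86400, 14400, 0) + net.network_address.packed
    return header + option


def parse_prefix_options(ra):
    """Return [(IPv6Network, on_link, autonomous)] for each prefix option in an RA."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    found, off = [], 16
    while off < len(ra):
        if off + 2 > len(ra):
            raise ValueError("truncated option header")
        opt_type, opt_len = ra[off], ra[off + 1] * 8   # length field is in 8-octet units
        if opt_len == 0 or off + opt_len > len(ra):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO:
            if opt_len != 32 or ra[off + 2] > 128:
                raise ValueError("malformed prefix information option")
            flags = ra[off + 3]
            net = ipaddress.IPv6Network((ra[off + 16:off + 32], ra[off + 2]), strict=False)
            found.append((net, bool(flags & FLAG_ON_LINK), bool(flags & FLAG_AUTONOMOUS)))
        off += opt_len
    return found


def is_on_link(dest, ra):
    """Would a host relying on this RA treat dest as a directly reachable neighbour?"""
    addr = ipaddress.IPv6Address(dest)
    if addr.is_link_local:
        return True   # link-local destinations are always on-link
    return any(on_link and addr in net for net, on_link, _ in parse_prefix_options(ra))


def prefixes_missing_on_link(ra):
    """Audit helper: prefixes advertised without the L bit."""
    return [str(net) for net, on_link, _ in parse_prefix_options(ra) if not on_link]


# Constructed sample data using the 2001:db8::/32 documentation range.
RA_WITHOUT_L = build_ra("2001:db8:1::/64", on_link=False)
RA_WITH_L = build_ra("2001:db8:1::/64", on_link=True)
PEER = "2001:db8:1::20"

if __name__ == "__main__":
    for name, ra in (("L bit clear", RA_WITHOUT_L), ("L bit set", RA_WITH_L)):
        print(name, "| peer on-link:", is_on_link(PEER, ra),
              "| prefixes missing L:", prefixes_missing_on_link(ra))
```

Running `prefixes_missing_on_link` over RAs captured from a router is a quick check for this misconfiguration before blaming host firewall rules scoped to the local subnet.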