03:38:30 is it possible to name a bridge at the time of creation? I found a mailing list thread that said "yes you can, see the manpage" but I'm not finding an example there.
03:45:28 tsundoku: what is it that you want to achieve? to create a bridge you have to specify the bridge name. Can you reformulate the question?
03:48:11 tsundoku: the man page has an example using 'bridge0' as the bridge interface name, with two slaves to it. https://man.freebsd.org/cgi/man.cgi?bridge(4)
03:48:12 Title: bridge(4)
04:11:17 I can't find anything. unless I am completely failing to read, or looking at the wrong manpage, they don't say how to do it, and all the examples I'm finding assume the reader is fine with "bridge0"
04:17:34 yeah no idea what they're talking about
04:17:46 but you can do `ifconfig bridge0 create name whatabridge`
04:18:02 does that rename the bridge or make another one?
04:18:28 creates bridge0 and then immediately renames it
04:18:54 there's no atomic create-as-a-given-name outside of the classic schema, so there's by necessity a small window where someone can observe the original name in all cases
04:19:01 that may be what was referred to. it's just not apparent and I couldn't find any example of it in the manpage
04:19:11 fair enough
04:19:16 but I get the feeling you just don't want to do two ifconfig calls
04:19:27 I'm trying to unravel what bastille does so I can do some more stuff manually because it can't do what I need on its own
04:19:44 so bastille has already created "ixl1bridge" on its own
04:20:10 I'm getting deeper in the weeds than I intended to because its automatic features won't create two vnets for a jail
04:20:53 a jail can only have one vnet by design
04:21:34 you can do some wonky magic with neseted jails where the outer jail and inner jail each have their own vnet, but you can't have a jail with more than one vnet on its own
04:21:44 s/neseted/nested/
04:23:02 (this may be a terminology issue where I'm being a bit pedantic, sorry)
04:23:22 that's interesting... someone else told me that there's no limitation on jails and vnets, just that bastille only knows how to do one
04:23:33 that... kind of ruins what I was trying to do
04:23:43 can you give a high-level description of what you're trying to do?
04:24:08 I have a server with multiple physical NICs, each connected to a different VLAN on my core switch
04:24:59 I want to create VNET jails that are on various of those VLANs. most jails only need to be on one, but unless I dramatically change my setup, a few of them need to be on two
04:25:12 I'm coming from Solaris where you can add as many interfaces as you want into a zone
04:26:53 yeah, you shouldn't really need multiple vnets for that
04:26:58 no?
04:27:50 nah, this is definitely just a terminology mismatch. assuming you need to share these NICs with multiple jails, you'll likely just have a bridge per NIC and then an epair per jail
04:28:02 yes, that's exactly what I want to do.
04:28:21 but when I tell bastille to give the jail a vnet, that's what it does automatically, so I thought that was the correct term.
04:29:37 I'm also trying to figure out the best way to configure it so that I'm not just duct-taping things together.
04:29:46 (or defeating anything bastille is trying to do)
04:30:37 yeah, so vnet is the name for the virtualization of the network stack. so a jail gets a new vnet, and that vnet is the container for, e.g., all of the NICs assigned to it, the context in which the TCP stack operates, etc
04:31:07 oh, that's definitely not what I want
04:31:35 it is, though, it's just the concepts on top of a vnet that you care about
04:31:41 that's what bastille wants to do if you aren't putting the jail behind a NAT or something, though.
04:31:47 a vnet gets its own loopback and whatnot, it can bind to privileged ports
04:32:43 oh wait, maybe not by default still
04:32:47 https://bastillebsd.org/blog/2020/02/17/bastille-networking-in-depth/
04:32:48 Title: Bastille Networking in Depth | BastilleBSD
04:32:59 this is making it sound like what bastille called VNET is literally just a bridge and an epair
04:34:42 yeah, I can see where it gives off that vibe
04:35:35 so I think I get how I need to make my bridges
04:36:08 now I need to figure out how to specify the epairs in the jail.confs. what bastille does with its -V option isn't entirely apparent from the one it generates
04:39:19 i'm actually not sure the usual approach for that; you could certainly assign them in an exec.created script
04:39:32 hm
04:39:51 I'm trying to make this as clean as possible, so... still looking
04:40:34 I can't find where bastille specifies the epair, which is a problem for me needing to create my own extra ones
04:49:31 what exactly *is* jib and what does it create? there's no manpage as far as I can tell.
05:07:20 tsundoku: https://antranigv.am/weblog_en/posts/vnet-jail-howto/
05:07:23 Title: VNET Jail HowTo | Antranig Vartanian
05:07:42 tsundoku: and this one https://www.skyforge.at/posts/an-introduction-to-jails-and-jail-networking/
05:07:43 Title: An Introduction to Jails and Jail Networking
05:08:17 thanks
05:08:27 I can already tell this is doing things very differently from bastille, though
05:08:35 this is part of the problem I'm running into...
05:08:50 I think Bastille makes certain assumptions
05:09:07 it does, and I'm trying to figure out what they are, but the developers don't seem to expect you to need to care
05:09:14 so they're not making it easy
05:12:00 I've heard of 'jib' but forget what it is used for. it's not part of base as far as I can tell
05:15:03 I think jib is the key to all of it
05:16:56 tsundoku: found it in /usr/share/examples/jail/
05:17:05 oh?
05:17:52 yeah, so it looks like it creates the epairs on its own
05:18:50 it looks like it's handled in generate_vnet_jail_netblock() in common.sh
05:19:02 using exec.prestart, etc, and calling the jib utility
05:19:16 so i don't see why you couldn't just use some exec.* variables for your additional interface
05:19:41 that's the idea
05:19:56 but I need to figure out the right syntax to use
05:21:34 personally i just put that kind of initialisation in my own script called from an exec.* declaration. so if there is any way for you to specify those
05:21:40 i haven't used that software so i don't know
05:21:44 yeah
05:21:52 I'd rather not be adding helper scripts into the mix
05:22:10 I want to keep it tidy and as close to the bastille standard as possible, so just, in jail.conf, using jib, ideally
05:22:27 not calling homemade scripts that set up all the network stuff manually in my own way
05:23:22 I think I'm getting closer but there may still be a bunch of trial and error left
05:23:31 OK
05:23:57 right now I'm working on setting up the bridges I intend to use, then I'll see if I can get a jail.conf that will do the thing properly
05:25:29 so we were talking earlier about how to do like `ifconfig bridge0 create name whatabridge`
05:25:37 how would I reflect that in rc.conf?
05:27:05 hmm, i'd think it would be like other rc declarations, like ifconfig_bridge0="name whatabridge inet [...]" - a bit strange since the name will change. not sure
05:27:18 it is a little strange
05:27:31 and I can't find examples of bridges being named in the official documentation
05:28:12 and there's the cloned_interface thing too which I don't understand yet
05:29:54 actually, looks like you can do interface_bridge0_name="whatabridge" and then configure it normally with ifconfig_whatabridge
05:30:08 I'll try that
05:30:41 but yeah i don't think the ecosystem is very well developed yet, and you may find yourself doing more custom things than you originally want
05:31:30 yeah, I'm honestly really disappointed
05:31:53 I've been using Solaris zones for a long time and a friend who is a big FreeBSD believer told me to check out bastille because he thought it would do what I want
05:32:06 I'm getting the impression that it's not really there yet
05:32:21 I can make it work but it's much more crude than I hoped for
05:32:48 maybe it will get there in time...
05:40:05 tsundoku: another option would be cbsd or appjail .... I've not used appjail, and cbsd was more complicated than what I needed, but might suit your needs better than bastille
05:40:56 I'm actually looking to downgrade from bastille to just using /etc/jail.conf.d/jail_xxx.conf type of setup
05:41:15 I'd have to look
05:42:57 I want something that's at least sort of in the direction of Solaris zones and not doing a whole lot of manual handholding
05:44:55 I've not used Solaris zones so can't compare
05:46:33 basically it does all the networking stuff for you. you just tell it which interfaces you want it to have and what you want their IP configuration to be
05:48:44 Solaris had another container technology as well besides Zones.
05:49:04 you may be thinking of LDOMs?
05:49:08 I never ended up playing with those.
05:49:19 no not LDOMs
05:49:31 then I'm not sure
05:49:35 I'd probably recognize it by name
05:49:51 it's been a while since I did anything with Solaris
05:50:17 I'm still using it but I'm about to get off because my machine is old and I'm going to have to eventually...
05:50:59 about ten years ago I played with FreeBSD and jails, on FreeBSD 9, and I didn't like the state of things, so I stuck with Solaris, but now I think it's about time to give up
05:52:07 there is also netbsd and its nvm setup
05:52:16 interesting
05:52:26 I won't touch anything without ZFS for servers anymore, though
05:52:56 just have to wait for netbsd 10 then I think
05:55:11 unfortunately I don't have a whole lot of time on my hands to play around with a bunch of different things, so if I can beat bastille into shape I'm just going to go with it
06:07:46 so I got my bridge up and I got a jail connected to it with an epair, but the network is unreachable from inside the jail
06:07:48 hmm
06:09:21 pf firewall
06:09:26 not running
06:11:12 I think you need it to be running, but have a look at that VNET how to that I sent the link for earlier
06:11:34 I didn't need it running for the automatic jib-created ones
06:12:42 I think with bridges you do need it, as I recall.
06:13:02 but jib creates a bridge, too.
06:13:15 it does the same thing
06:13:41 you either need an address on the epair or a route
06:13:55 there shouldn't be any routing happening
06:14:18 not on the FreeBSD machine.
06:15:29 hmm, if it's IPv4 then i guess ensure you have ARP turned on in the bridge
06:17:30 by route i just mean an entry in the jail's routing table. this should happen if you have an address on the epair
06:17:42 yes, it has the correct default route
06:17:45 but it can't reach the gateway
06:18:49 by gateway you mean the nexthop in the route right
06:19:06 I mean the defaultrouter as configured in rc.conf
06:19:50 well, i guess you know that you need that defaultrouter to be part of a directly connected subnet (one of your epairs)
06:20:13 yes, the epair and the bridge are supposed to be doing that job
06:20:35 not sure about that error then. aside from actually receiving a network unreachable icmp response
06:21:30 on the host system, bridge needs to addm your vlan interface or you need net.inet.ip.forwarding=1 , though i don't know if lack of that would generate network unreachable
06:22:42 there are people who can help with this better than i can who are undoubtedly not here now
06:23:51 yeah I'm afraid I'm going to have to go to bed in defeat tonight
06:28:06 also worth checking you have a non-trivial netmask set on your epair i guess
06:28:31 no, it's nothing obvious like that
07:27:15 Hello, I just read https://www.freebsd.org/security/advisories/FreeBSD-EN-23:16.openzfs.asc and was wondering if there was no binary patch for 14.0. I did freebsd-update fetch, install and reboot, but zfs --version still reports zfs-2.2.0-FreeBSD_g95785196f and uname -a 14.0-RELEASE #0 releng/14.0-n265380 (while I hoped for releng/14.0-n265384) - did I miss something?
08:50:12 jupiter126: check with freebsd-version
09:36:21 try with freebsd-version -kru (k=kernel r=running u=userland)
13:18:13 Updating from 13.2 to 14.0 via freebsd-update tool, I know that there is an Errata "FreeBSD-EN-23:16.openzfs" solved the OpenZFS problem, I wonder is there anything additional I can do, during the upgrade process, to fetch and install that patch, or a regular upgrade process will install all the patches for 14.0 automatically?
13:34:08 is there any m2 pci-e expansion card that is known to work well?
13:41:34 tercaL: first update to the latest 13.2p6 then to 14.0R
15:36:08 Oh
15:36:09 Hi
15:37:19 I am not sure if this is freebsd issue or mumble, since I am new to FreeBSD and Mumble. It won't accept my mic input. Same device is output, and playing sound works. Mumble is also playing sound on correct device. But it doesn't hear the mic
15:38:54 I can't use clbin. ssl expired? wat
15:40:30 curl: (60) SSL certificate problem: certificate has expired
15:41:05 Well, the line of interest is: pcm9: (play/rec) default
15:50:48 Ok so I have no idea why, today when I was gonna debug mic works somehow
17:59:59 Hello, any news on OpenZFS 2.2.2 on FreeBSD? Will it be released as a 14.0-RELEASE-p release?
18:02:07 it is already in stable/14. maybe it will be in some patch set
18:04:55 so stable != RELEASE, right?
18:05:36 what is your expectation in 2.2.2?
18:05:57 https://www.theregister.com/2023/12/04/two_new_versions_of_openzfs/
18:05:58 Title: Two new versions of OpenZFS fix long-hidden corruption bug • The Register
18:07:26 the corruption bug is fixed in 14.0-p1 / 13.2-p6, is there something else you want from openzfs 2.2.2?
18:07:31 RELEASE has some corruption bug fixes
18:08:11 I have applied the sysctl setting that is mentioned but that is just a workaround in a bug that apparently has been in ZFS for a long time.
18:08:45 Since 2.2.2 supposedly has fixed this bug I hope to be able to get it via a RELEASE-p upgrade.
18:09:12 "The FreeBSD project has published an errata notice, and made fixes available for FreeBSD 12, 13 and 14."
18:09:28 you will not get 2.2.2 but RELEASE has the fixes cherry-picked
18:09:49 https://cgit.freebsd.org/src/commit/?h=releng/14.0&id=8c25d614b8c95cb4dfe46d6903b8bb764a30c788
18:09:50 Title: src - FreeBSD source tree
18:09:56 https://cgit.freebsd.org/src/commit/?h=releng/14.0&id=36f4f90efb027847d6e4b7a940afbee2ad7b3b7e
18:09:57 Title: src - FreeBSD source tree
18:10:03 https://cgit.freebsd.org/src/commit/?h=releng/14.0&id=1548705269435e980c5984ba87a554d4b329d176
18:10:04 Title: src - FreeBSD source tree
18:10:27 Does this imply that I can remove the sysctl setting that is mentioned in the errata?
18:11:25 I am (or rather my server is) on 14.0-RELEASE-p1
18:12:09 yes, the workaround section in the erratas is for the cases when you can't update to the point release that includes the errata
18:12:36 nimaje: Thank you for clarifying
18:13:26 it even contains "The workaround should be removed once the system is updated to include the fix described in this notice."
18:19:06 How do I explain that FreeBSD eating 2GB RAM because of ZFS and that it is a feature without sounding ironic?
18:20:12 zfs aims to use free ram and give it up when something requests it
18:20:39 Zyxer: just explain that the RAM ZFS uses is freed up if something else needs it, so look at it as "optimising by using available unused resources" rather than "eating ram"
18:21:23 Zyxer: Modern systems keep as much in disk cache as they can as an optimization. Spending electricity on empty RAM isn't useful.
18:26:46 Thanks
18:34:46 how do i check if ikev2 is supported in strongswan?
18:35:55 free RAM is wasted RAM
18:36:21 echelon: not a FreeBSD question per se
18:38:30 echelon: have you tried ipsec statusall?
18:39:12 thorre: thanks
18:39:20 it's showing ikev2
18:39:21 you are welcome ;-)
18:41:58 jupiter126: i had your same question, and came to the same conclusion (or at least question) as you. for now, i am waiting to revert the vfs.zfs.dmu_offset_next_sync sysctl setting
18:51:46 update to the latest point release and revert the setting, the point release should have the fix
18:59:27 What man provides docs for rc scripts vars like required_files?
19:00:09 er.. think I found it... rcsubr
19:00:53 Yeah, that's it. nm.
19:01:34 thorre: you happen to know what it means when you get: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]? :/
19:03:27 Looks like a proposal mismatch to me
19:04:02 conn myconnection
19:04:04 ...
19:04:06 ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
19:04:08 esp=aes256-sha1,aes128-sha1!
19:04:10 ...
19:04:28 sorry for the off topic paste :|-
19:05:31 Basically, to the best of my understanding, you have a mismatch of the proposed and supported cyphers between the client and the server
19:06:27 i don't have any ciphers configured :/
19:18:23 thorre: happen to know what the log path for strongswan? /var/log/messages isn't registering anything
19:22:06 do a "ls -lrt" in /var/log and check which files got updated last. Check the contents of daemon
19:30:44 hello there i have bug in freebsd 13.2 p6 i try run inspircd version 4 and i get error and this a error Undefined symbol "_ZN3fmt2v912format_errorD1Ev"
19:32:25 someone can help to me please?
19:33:41 did you build it or install it via pkg ?
19:39:18 i run it look the version 3 is run good but when i run the version 4 i get error
19:41:01 i think something in freebsd not working good
19:42:06 i think the error come from system Undefined symbol "_ZN3fmt2v912format_errorD1Ev
19:43:14 but where did you get the binary you are trying to run from? as version 4 is in alpha, my guess would be you built it yourself, but instead of getting such an error at runtime you should have got it at build time
19:45:12 I was thinking might be a missing library or something like that, or a version mismatch
19:48:05 yeah, but that shouldn't happen at runtime with a freshly built binary, it should have failed to compile instead (but of course that "freshly built binary" is just an assumption because inspircd version 4 is in alpha and likely wrong)
19:57:20 Is it possible to read LUKS on FreeBSD?
20:03:14 hm, there is https://www.freshports.org/devel/libluksde/ but no idea if it works
20:03:15 Title: FreshPorts -- devel/libluksde: Library and tools to access LUKS Disk Encryption encrypted volumes
20:08:08 anyone attempt an in-place upgrade from 13.x to 14.0? Have one running now. Hope I don't brick this ting.
20:11:14 i have a update to 13.2.p6
20:12:54 I just updated to that, wanting to see what 14 is like. I'm pretty green anymore with BSD. I haven't touched it in like 2 decades
20:13:08 i cant see the update to 14
20:13:28 i dont have it in system
20:13:57 and now i also run it https://www.freshports.org/devel/libluksde/ and again i get error
20:13:59 Title: FreshPorts -- devel/libluksde: Library and tools to access LUKS Disk Encryption encrypted volumes
20:14:04 I kicked it off with freebsd-update -r 14.0-RELEASE upgrade
20:17:48 ah, so you updated from -p5 to -p6 and then you got that error? that shouldn't happen normally, point releases should stay ABI compatible, no idea where that symbol should come from and why it doesn't anymore
20:18:51 yes i get error only from inspircd version 4 but not version 3
20:19:17 update completed. Moment of truth...
20:24:41 The excitement is unbearable
20:25:24 * thorre has been doing unix and unixlike updates since the 90s. Still exciting and anxiety inducing for some reason.
20:25:40 Despite we always manage to fix mishaps and errors.
20:26:55 the excitement of discovery
20:31:03 So far so good, but for some reason it didn't initialize the graphics driver automatically
20:31:22 glad to see you "on the other side" daneurysm
20:32:00 heh, if it went completely sideways, I would have just installed via ISO. Wouldn't be the first time
20:35:17 * thorre has been nursing the same server (at home) for the past ~5 years
20:36:19 Just killing it has never been an option. At work I only have cattle so I indulge myself with a server "pet" at home.
20:36:48 * thorre also has a cat but cats are more like entities than pets.
20:37:53 drwxr-xr-x 2 root wheel 2 Sep 29 2016 mnt // I thought this box was older than this. I must be misremembering.
20:38:21 :-)
20:40:06 zfs get creation zroot
20:40:08 NAME PROPERTY VALUE SOURCE
20:40:10 zroot creation Tue Mar 6 19:34 2018 -
20:42:15 :)
20:49:24 The impressive thing is that I have screwed up so many upgrades. Missed bootloader (zfs) upgrades etc. The bloody server is still running strong. Corrupted files? No problem, just scrub the file system once or twice. Unexpected powercut no problem etc. If we would submit any of the "high end" stuff at work for similar "administration" they would be fucked up beyond repair.
20:50:00 FreeBSD always delivers.
20:51:20 I find it a pity that so many admins nowadays do not appreciate the no frills operations systems.
20:53:40 Yes, I know that NetApp etc. use a lot of FreeBSD under the hood but when arguing about FreeBSD at work I am often met with the "what about all the liabilities" argument that RedHat and the other commercial players have "solved" with service contracts.
20:54:06 Do we know if something similar (that covers IPR liabilities) exists in the FreeBSD space?
20:54:24 IPR = Intellectual Property Rights
20:55:17 For example, how does NetApp handle its involvement in FreeBSD?
21:12:53 how do i get the list of fib #'s for my existing routing table?
22:06:42 @scoobybejesus, ok thanks ^^ am not the only one ;)
22:31:43 Lotta patches... Glad I waited
22:40:00 I'm still at a loss as to why jails connected to my bridges with an epair aren't reaching the network...
22:40:20 everything looks right, but it's just not happening
22:40:43 tsundoku: which network? internal or do you mean NAT?
22:40:48 no NAT
22:40:51 Testing with something other than ICMP, right? IIRC ICMP is disabled by default
22:40:56 yes
22:40:58 k
22:41:10 I have a bridge with an interface as a member
22:41:34 I have an epair set up through bastille (external bridge vnet) with a on the bridge and b as the vnet inside the jail
22:41:58 but let me try again to make sure I wasn't just testing ICMP earlier
22:42:03 how would I enable ICMP for that?
22:43:04 Erhard: ICMP is not disabled for VNET jails
22:43:16 okay, so it's definitely not working
22:43:45 I have never tried bastille
22:43:45 Don't you have to allow raw sockets?
22:44:17 the setup I have isn't bastille-specific. bastille is just doing the epair setup with ifconfig, but it's all bog standard
22:44:33 Erhard: hmm you might be right
22:44:36 I get "ping: sendto: Host is down" when I try to ping the gateway
22:44:51 tsundoku: allow.raw_sockets should be 1
22:44:54 probably
22:44:56 Would probably get a perm error if it were the sockets
22:45:11 But I can't recall
22:45:13 tsundoku: do you see traffic on your interface on the host side?
22:45:30 Erhard: lemme test actually
22:46:03 is allow.raw_sockets a jail.conf value?
22:46:17 allow.raw_sockets=1; in jail.conf
22:46:40 ping: ssend socket: Operation not permitted
22:46:42 Without it
22:46:54 seems to work without raw_sockets
22:47:02 13.2-RELEASE-p5
22:47:03 so I have two jails on two different bridges right now
22:47:11 I think you can set it in sysctl as well
22:47:13 one is on a bridge I made myself, and another is on a bridge bastille made automatically
22:47:19 shows as allow.noraw_sockets
22:47:19 the bastille-created bridge works. mine doesn't
22:47:34 and the one that works doesn't have allow.raw_sockets set in jail.conf
22:48:01 in sysctl it is: security.jail.param.allow.raw_sockets: 0
22:48:01 security.jail.allow_raw_sockets: 0
22:48:09 allow.noraw_sockets is set
22:48:10 I think this may be a red herring
22:48:11 ping works
22:48:24 Doesn't work here in a jail without those settings
22:48:33 Erhard: VNET or regular?
22:49:14 security.jail.param.allow.raw_sockets: 0
22:49:34 I think it works in the vnet jail, but not the others.
22:49:48 Without those sysctls set (set to 0)
22:50:05 okay, so the whole thread of discussion around allow.raw_sockets is irrelevant to vnet jails?
22:50:32 I cannot say for sure but it does not seem to affect my VNET jails
22:50:35 for the record I'm not getting any "operation not permitted," just "host is down" when I try to ping other IP addresses on the network the bridge is supposed to be connected to
22:50:44 I think that is a different issue.
22:50:50 Would ignore the raw sockets thing for now
22:50:52 tsundoku: tcpdump your bridge interface
22:50:54 or the epair
22:50:57 run ping
22:51:11 sure, just a moment
22:51:15 Or test with telnet google.com 80 and see if you get a connection.
22:51:32 you'd need to have routing enabled
22:51:42 and a working resolv.conf
22:51:56 it should, but right now I'm just trying to ping the gateway to keep it simple
22:53:01 telnet to any local server you know is up by ip ;-)
22:54:04 okay I'm getting something
22:54:14 looks like just ARP requests
22:54:29 "14:53:45.820021 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.4.255.254 tell 10.4.0.13, length 28"
22:54:37 10.4.255.254 is the gateway, 10.4.0.13 is the jail
22:54:49 that's from tcpdump of the bridge end of the epair
22:55:07 so the ARP requests aren't getting answered?
22:55:23 You have a route setup?
22:55:30 yes but that's not the issue right now
22:55:39 I'm just trying to ping the gateway. no routing involved.
22:55:47 Through the epair
22:55:53 what do you mean
22:56:31 On my vnet jail I use an exec.prestart to set a route.
22:56:43 It's been a while since I set this all up, mind you.
22:56:56 So I don't know what the hell I am talking about, but I recall needing that.
22:57:03 the default route is set in rc.conf inside the jail
22:57:26 but that shouldn't be relevant to this because I'm not trying to leave the network the jail is on?
22:57:53 I have this in rc.conf: ifconfig_epair0a="192.168.20.2/24"
22:57:53 defaultrouter="192.168.20.1"
22:58:00 sure but
22:58:12 defaultrouter only matters when the destination is outside the network
22:58:26 But then in jail.conf route add 192.168.250.0/24 192.168.20.2
22:58:27 right now what I'm trying to do is ping the defaultrouter itself. not send anything through it.
22:58:49 That may be to get to my other jail. nvm.
22:58:55 Carry on. I'll shut up
22:59:19 yeah, that looks like a specific route to reach another network
22:59:34 so if I were in your jail I'd be pinging 192.168.20.1
22:59:41 and getting nothing
22:59:44 iT'S SO MY WIREGUARD JAIL CAN REACH THE DNS JAIL.
22:59:51 Oops. Sorry for caps
23:00:06 teehee I was about to say "you okay over there?"
23:02:13 tsundoku: 10.4.255.254 is your gateway?
23:02:33 yes, for this network
23:02:59 do you have that address up on the bridge for these jails' epairs?
23:03:26 it doesn't belong to the bridge, but it's connected
23:03:43 oh, is it a member of the bridge?
23:03:56 10.4.255.254 specifically
23:04:08 10.4.255.254 is not on the FreeBSD machine at all. it's elsewhere on the network.
23:04:15 what are you expecting then
23:04:26 the bridge just has the interface and the jail epairs as members. there's no IP setting on that
23:04:28 first ping the host from the jail
23:04:53 the physical interface is plugged into a port on a switch that is carrying this network
23:04:56 try pinging the IP on the host running the jails from inside a jail or vice versa
23:04:57 the host isn't on this network
23:05:02 oh
23:05:18 do you have only one jail? if there are two, can they ping each other?
23:05:32 I only have one on this network right now
23:05:48 and no firewall active?
23:05:51 correct
23:06:47 the bridge is supposed to just be a dumb link between the physical interface and the epairs
23:06:49 so epair is bridged with the interface that is on the same network as the gateway?
23:06:56 correct
23:07:07 and this setup does work, if I let bastille create the bridge.
23:07:13 so I think something is wrong with the bridge I created myself.
23:07:25 is the bridge UP?
23:07:35 brj: flags=1008843 metric 0 mtu 1500
23:08:19 I know this is a stupid question
23:08:32 maybe it's no!
23:08:34 *not
23:08:38 let me try to confirm
23:08:39 check ifconfig
23:09:37 so it doesn't specifically say LOWER_UP, but neither does the bastille-created one that works
23:09:45 does it have UP though
23:09:49 no
23:09:52 :|
23:09:57 ifconfig up
23:09:58 igb0bridge: flags=8802 metric 0 mtu 1500
23:10:02 problem solved
23:10:06 that's the one bastille created. it works.
23:10:11 svcbridge: flags=8802 metric 0 mtu 1500
23:10:15 this is the one I created. it does not work.
23:10:21 see a difference? I don't
23:10:29 please try `ifconfig svcbridge up`
23:10:34 sure, why not
23:11:07 svcbridge: flags=1008843 metric 0 mtu 1500
23:11:11 but... no change in behavior
23:11:24 I have never tried downing the bridge myself
23:11:41 epairs are up too?
23:11:50 yes, epairs have been up
23:12:04 so there is *one* difference I can see
23:12:17 the epair on the bridge bastille created has both an ether and a hwaddr value
23:12:25 the epair on the bridge I created only has ether, no hwaddr.
23:12:41 well I do not have hwaddrs either
23:12:50 yeah, I'm not sure whether that means anything.
23:13:04 it's just the only observable difference between the one that works and the one that doesn't
23:13:44 my bridge is created with rc.conf
23:14:39 hmm
23:14:46 honestly it is very late here and I gotta go sleep :(
23:14:54 alright. thanks for exploring it with me
23:14:58 FYI mine is created in rc.conf too
23:24:17 Still no go?
23:25:01 You have vnet.interface = "epair0a"; or similar?
23:27:01 yes
23:27:29 For the hell of it did you try a full reboot?
23:27:38 (if able)
23:28:17 I do seem to recall encountering some issue when setting up jails where that cleared it up (presumably I had set something I did not recall)
23:28:31 But I always test them with a reboot anyway to make sure there will be no surprises later.
23:29:45 at least restarting networking could be a worthwhile thing
23:30:03 Which was likely all that was required.
23:59:03 just realized the pain of upgrading from 13.2 p6 ->14 is that it doesn't also upgrade the software you've installed via ports