-
Thoraxx
moin
-
Thoraxx
i installed freebsd on a VM on proxmox, after i setup the network on the freebsd system, i cant reach the internet from my server, i added also default router(gateway)
-
rtprio
what card comes up inside freebsd? vtnet0 ?
-
rtprio
Thoraxx: ^
-
Thoraxx
yes
-
rtprio
and how did you configure it?
-
rtprio
dhcp? static?
-
Thoraxx
static
-
rtprio
what is it? is it up? what's the default route?
-
Thoraxx
if i type ifconfig, there is status:active
-
rtprio
and you have a resolv.conf with a working name server?
-
Thoraxx
yes
-
Thoraxx
the nameserver from my serverprovider
-
rtprio
can you ping the nameserver
-
rtprio
this is like, the most basic of network diagnosis
-
rtprio
also without showing me, it's hard to see if all is well, or you, i don't know, typoed the default gateway
-
rtprio
but if the info seems correct it sounds like it's on the proxmox side
-
Thoraxx
you mean the problem is in proxmox?
-
rtprio
do other guests on the same network work?
-
Thoraxx
yes my debian server works
-
Thoraxx
and the windows server also
-
rtprio
what gateway do these VMs use? your lan gateway or another one?
-
rtprio
< rtprio> can you ping the nameserver
-
rtprio
< rtprio> what is it? is it up? what's the default route?
-
Thoraxx
both the same, that i get from my provider
-
Thoraxx
if i ping the ip from the nameserver, it tell me "no route to host"
-
rtprio
what's `netstat -rna |grep default` show
-
Thoraxx
nothing
-
rtprio
then i'm sorry to say you don't have a default route
-
rtprio
what is the default route supposed to be?
-
Thoraxx
the gateway that i get from my provider is 89.163.212.1
-
rtprio
so your whole lan is a routable ip range?
-
rtprio
on the freebsd vm, type; `route add default 89.163.212.1` and try to connect to the internet
-
Thoraxx
what you mean exactly? sry that i dont understand
-
rtprio
i mean it's not 192.168.1.1 or any of the 'usual' LAN default router addresses
-
rtprio
rfc 1918
-
Thoraxx
"add net default: gateway 89.163.212.1 fib 0: Invalid argument" comes up
-
lw
Thoraxx: can you show the output of 'ip addr' and 'ip route show' on the Debian system?
-
rtprio
can you pastebin `ifconfig vtnet0`? according to route, you don't have an ip on that network
-
Thoraxx
rtprio sry its a screenshot, because from the proxmox console window i cant copy text:
imgur.com/a/7x5A03O
-
rtprio
why does the ip address start with 5 if the gateway starts with 89 ?
-
rtprio
and what the heck is up with your netmask?
-
rtprio
it's a /32. also not helping
-
rtprio
this is why 10 minutes ago i wanted to see this
-
hackfoo
o_O
-
rtprio
i might also like to see how your debian system is configured
-
Thoraxx
-
rtprio
and that's how your provider told you to do it?
-
Thoraxx
yes
-
Thoraxx
and on the debian system it works
-
tm513
really stumped by this issue where mesa keeps falling back to llvmpipe. I don't even know where to look for diagnostic stuff. dmesg doesn't give me much of a hint
-
tm513
well I figured out how to reliably trigger it. any time the VT switches away from X11 and back, whether manually or during suspend/resume, the iris driver breaks for some reason and it goes to llvmpipe
-
darwin
how do I safely turn off dhclient so I can disconnect ethernet without damaging it? (I've seen PCs in the past this damaged them if you disconnected it beforehand on some OS)
-
lw
darwin: if you're really concerned about that, just set the interface down before disconnecting. stopping dhclient will do nothing to stop it passing traffic or being electrically active
-
darwin
ok
-
darwin
thanks
-
tm513
so I found this that sounds ever so slightly like the issue that I'm dealing with:
forums.freebsd.org/threads/no-3d-ac…resume-on-lenovo-ideapad-520s.85543
-
VimDiesel
Title: No 3D accelerated graphics in Xorg after suspend/resume on Lenovo Ideapad 520S | The FreeBSD Forums
-
tm513
gonna try out the debug.acpi.max_threads variable I think
-
tm513
will also give reset_video a shot though from what I remember reading it causes issues almost as often as it helps
-
tm513
guess none of that helps with the whole thing of switching VTs, once I'm in X11 I basically can't switch out
-
tm513
tried the xf86-video-intel driver and it has the same issue in addition to bringing back the fault errors
-
tm513
after more looking, this seems exactly the issue I'm having:
freebsd/drm-kmod #175
-
VimDiesel
Title: amdgpu: Acceleration disabled by VT switch · Issue #175 · freebsd/drm-kmod · GitHub
-
VimDiesel
175 – Syscons does not recover X graphics mode
bugs.freebsd.org/bugzilla/show_bug.cgi?id=175
-
ivaat
-
VimDiesel
Title: Updated from system 11.2 to 13.1. | The FreeBSD Forums
-
lw
ivaat: what does 'file /usr/bin/uname' say?
-
ivaat
let me try from host side with forcing
-
ivaat
this worked: freebsd-update -b /usr/local/jails/webprod62 --currently-running 12.3-RELEASE -r 13.2-RELEASE upgrade and freebsd-update -b /usr/local/jails/webprod62 install
-
ivaat
previously i did run freebsd-update fetch on guest. dumb me
-
ivaat
also the yesterday php issue. on that jail i upgraded this way: freebsd-update -r 13.1-RELEASE upgrade and freebsd-update install
-
ivaat
i now remember there was something going on with files merging and i cancelled that
-
ivaat
ended up with broken system i assume which just worked http 200 but php blang from web.. i have this jail around.. perhaps i can master it.. to figure out
-
ivaat
but php blank*
-
ivaat
now new jail upgraded from host. php works correctly
-
uskerine
Hi, I was wondering if someone knows how well or not well supported is conda in FreeBSD. Another question is if there is any initiative to track the development/support of the new Intel NPUs
-
uskerine
(since the GPU train seems to have been lost time ago)
-
SpaceBass
Anyone know why an NFS mount (over a VPN) would make an entire system almost unusably slow?
-
SpaceBass
Something to do with IO?
-
matthewp
I'm working on vnet jails, currently the jail does not have network. I'm trying to understand how all of the pieces fit together.
-
matthewp
The handbook has a line:
-
matthewp
$gateway = "192.168.1.1";
-
matthewp
Where does this IP address come from?
-
matthewp
I'm thinking I need a different value here, but I don't know what it would be.
-
matthewp
That's not supposed to be the public IP of the host, is it?
-
mason
matthewp: It's the default route. What's appropriate there will depend on your network configuration.
-
mynam
My jails share the hosts network stack so I don't specify the GW.
-
matthewp
Should it match `defaultrouter`?
-
matthewp
defaultrouter in /etc/rc.conf i mean
-
mason
mynam: Having their own stack and your gateway setting are largely unrelated concepts.
-
mynam
mason: By sharing the stack, the routes are shared no?
-
mynam
Thus no need to set the GW on the jail
-
mason
mynam: Maybe I'm confused, but in general using VNET and having a distinct stack means your networking inside the jail has to be coherent and complete. If you want to lob out packets to something not on your local network, you're very likely to need a path for them.
-
matthewp
I don't want to share a stack because i'd like each jail to have their own postgresql, for example, and not have to worry about giving them all different ports for that.
-
mynam
mason: I missed where matthewp said vnet :)
-
mason
no worries
-
mason
matthewp: Give me a second and I'll update some docs I've been working on but that've been set aside.
-
mason
Blah, not finding the working copy I was updating. Hunting around a bit.
-
matthewp
I tried setting $gateway to the external ip address (and also the defaultrouter inside the jail) but that did not work, jail actually wouldn't start.
-
matthewp
oh interesting, the defaultrouter in the host is not the same as its ip
-
matthewp
but it's also not a 192.* number
-
mason
matthewp: It's going to be hugely helpful to you to review the networking concepts. The Wikipedia page might be a little too dense, but
en.wikipedia.org/wiki/IP_routing has some useful stuff.
-
VimDiesel
Title: IP routing - Wikipedia
-
mason
Still whipping up some modifications to a guide that might be useful.
-
matthewp
I think I mostly understand those concepts.
-
mason
matthewp: Here, apologies if I've bungled anything in my edits, but
wiki.freebsd.org/MasonLoringBliss/JailsEpair-wip is a work in progress example of doing DHCP-based vnet jails on FreeBSD 14:
wiki.freebsd.org/MasonLoringBliss/JailsEpair-wip
-
VimDiesel
Title: MasonLoringBliss/JailsEpair-wip - FreeBSD Wiki
-
matthewp
ok, this will be helpful, thank you
-
mason
matthewp: I stalled a bit getting sick, and also I'm digging for a way to allow jail config to be able to reference a dynamic Jail ID for doling out epairs more dynamically.
-
mason
I suspect I'll have to submit a patch to make this possible, but the idea is "I've got a jail config snippet in /etc/jail.conf.d and I don't have to hardcode an epair number"
-
matthewp
Sorry to hear that you got sick, hope you feel better
-
mason
Not yet. Despite masking for years, after almost four years without it, we've finally (despite the masks) contracted COVID. My lungs aren't working right but I've avoided the hospital so far. Wife's a bit worse than me. Kids are largely better with a couple weird lingering symptoms.
-
mason
Anyway, right before it hit us I was starting to dig into how to get jail configs access to a dynamic JID, which will mean you can take a config snippet and move it between jail hosts without having to reassign the epair manually during the move.
-
matthewp
Oh sorry to hear that, hope you are able to rest
-
mason
matthewp: Eh, I'm lucky in that I work remotely or I'd be in trouble. I'm generally getting enough sleep, though, and just taking things slow. Thank you.
-
mason
If I'm both ambitious and successful I'll get a patch in for this so we have it out of the box in FreeBSD 15. We'll see.
-
matthewp
your bridge ips are 10.*, mine are 192.* (because i followed some other guide). Are these significant?
-
mason
matthewp: You'll want to amend the details to match your local config. So, if you're on 192, then yeah, adapt those examples.
-
matthewp
well i don't know if i'm on 192
-
matthewp
how do I find out?
-
matthewp
what config?
-
mason
The basic notion is that if you have a DHCP server on your network, and a bridge on your host, this will simplify your config.
-
matthewp
I have a bridge on my host because I added one. I don't, however, know if its configured correctly.
-
mason
matthewp: You'll have a better time if you get comfortable with your network. What is giving out addresses, for instance?
-
matthewp
Yeah that's a good place to start. My assumption was, I have an IP address for my computer, assigned by my network (in this case a VPS), and that everything else should be completely internal.
-
mason
matthewp: VPS isn't a networking concept. Are you doing all this on a public VPS?
-
matthewp
I don't want my VPS provider to need to know about all of my jails. I just assumed it could all be contained within my box, is that not true?
-
matthewp
public VPS in that it's on the public internet? Yes.
-
mason
matthewp: Ah, this changes things. You probably don't want vnet on your VPS... It'd be a very different config. My stuff assumes you're on an open network but chances are you only have one address available to your VPS.
-
matthewp
Hm
-
matthewp
That's surprising
-
mason
You might be able to use vnet if you do something interesting with NAT on your host, but I've never tried it.
-
matthewp
Well I wanted my VPS to be its own internal network.
-
mason
If you do NAT, you can reasonably talk to the same port on each jail where each jail has a distinct internal address.
-
matthewp
But if that's not what vnet is for, that's good to know!
-
mason
Yeah.
-
mason
So, my guide isn't going to help a ton with that unfortunately.
-
matthewp
That's ok
-
matthewp
So I should not be looking to vnet at all?
-
mason
Maybe? Let me dig for a sec.
-
mason
matthewp: I haven't fully read or vetted this, but this appears to tackle the situation you've got:
boucek.me/blog/freebsd-jails-with-vnet-and-nat
-
VimDiesel
Title: FreeBSD jails with VNET and NAT · boucek.me
-
matthewp
That doesn't seem too bad, i'll try it
-
matthewp
In the NAT section, is that passing port 22124 to the jail?
-
mason
matthewp: I'm no PF expert, but that appears to be passing port 22124 on the host to one of the internal addresses, presumably same port.
-
matthewp
yeah that's what im assuming
-
matthewp
so if I don't need to pass any ports to the jail, i would exclude that line
-
matthewp
I assume the line before it is what allows the jail to access the network
-
mason
If you're not passing any ports back, are you just accessing the jails from the host?
-
matthewp
yes, the host has an HTTP server that it will proxy to jails
-
mason
That will simplify things a bit, then.
-
matthewp
in most cases at least, i might some day add a jail that runs something other than web servers, so knowing how to pass ports is great
-
mason
matthewp: It's entirely possible this might all be accomplished without vnet. I think the limitation of "one PostgreSQL per system without vnet" is out of date.
-
mason
-
VimDiesel
Title: Solved - PostgreSQL in Jail | The FreeBSD Forums
-
mason
I'd try with traditional jail networking, myself, each jail just sitting on a 127 address.
-
matthewp
really?
-
matthewp
How do I assign 127 addresses?
-
matthewp
-
VimDiesel
Title: How do I know what IP to assign to my FreeBSD jail to avoid conflicts? | DigitalOcean
-
jmnbtslsQE
SpaceBass: is the client machine slow? maybe are you running a desktop environment that has some software in it that ends up inadvertently accessing those mounts frequently because the software hasn't been written to accommodate that high latency (KDE/Dolphin comes to mind)
-
SpaceBass
Its server (headless)
-
SpaceBass
But it could be services hitting that NFS share...
-
SpaceBass
rsync and sshfs are significantly faster
-
mynam
How is the share mounted to the client? fstab? At work, my coworkers defaulted to some really small rsize/wsize values that just killed performance anywhere but AIX.
-
SpaceBass
fstab yes
-
SpaceBass
I think nfs just doesnt work well over distance
-
mynam
Do you have it set to TCP?
-
mynam
What's the latency between the two boxes?
-
jmnbtslsQE
not sure what it is then. i run nfs v4 pretty vanilla on small servers without knowing much about it and it hasn't caused any issue for me on the server
-
SpaceBass
round-trip min/avg/max/stddev = 169.990/170.285/170.600/0.226 ms
-
mynam
That's a decent distance
-
SpaceBass
Middle of USA to Finland
-
mynam
I'd be hesitant to recommend UDP over that distance. You could force it to TCP and pull a pcap of the traffic while writing a test file, then pull that pcap into wireshark and look at the conversations. You might see a lot of waiting on replies from the remote end.
-
SpaceBass
I'll try moving it to TCP
-
SpaceBass
Assume it's just a mount flag?
-
mynam
Ya, in the options block add "tcp"
-
SpaceBass
Looks like my server (TrueNAS) is TCP only already
-
mynam
Then remount it
-
mynam
Would be good to check the client side mount options too and make sure it's mounting via tcp there.
-
SpaceBass
Will try with nconnect=16 too
-
SpaceBass
Doing a manual test with sudo mount_nfs -o nfsv4,sec=krb5,nconnect=16 first
-
jmnbtslsQE
the performance is bad on the nfs server or the nfs client (which is also a server) ?
-
SpaceBass
Just the client
-
SpaceBass
Like I've got a terminal window totally locked up for 5 mins just waiting on ls /mnt/nfsshare
-
jmnbtslsQE
like mynam said probably worth looking at the packets
-
jmnbtslsQE
having a small read/write size over a large latency would be a source of bad performance but not to that extent
-
SpaceBass
That's probably it... large number of files on the share
-
jmnbtslsQE
does your ls command ever finish?
-
SpaceBass
And some local services on the client trying to index them
-
SpaceBass
It will eventually
-
SpaceBass
Tried with max number of tcp threads... no change
-
SpaceBass
Guess we're using sshfs :/
-
jmnbtslsQE
you can get it working with nfs but it'll take more work and you'll need to look at the packets and other data to see what's happening
-
jmnbtslsQE
but sshfs is also a good option that's quicker
-
jmnbtslsQE
quicker to get working i mean
-
SpaceBass
Not sure what the packets will tell me though... it'll all be encrypted right?
-
jmnbtslsQE
i'm talking about when it's not encapsulated in your vpn
-
SpaceBass
sec=krb5
-
jmnbtslsQE
ah ok
-
jmnbtslsQE
well, you will still see the timing
-
SpaceBass
I wonder how smb does
-
jmnbtslsQE
though actually are you sure the krb option encrypts the data? doesn't just provide authentication?
-
jmnbtslsQE
but yeah if it's 5 minutes wait then it could not have much to do with the network
-
jmnbtslsQE
if it actually finishes. if it hangs forever then that could be the network.
-
SpaceBass
Wish there was a way to see what the system was waiting on
-
jmnbtslsQE
there are ways to do it but i don't know it
-
jmnbtslsQE
you will want to be more specific about what exactly the performance issue is when you say "the system waiting" (your ls example is one good place to start)
-
jmnbtslsQE
ls hanging for many minutes suggests that there is no connection or that you have an MTU blocking the larger response from being returned. but i guess it could just be performance
-
rtprio
a tcpdump would tell you if it is performance
-
jmnbtslsQE
agreed
-
SpaceBass
Yeah there could be an MTU issue now that I think about it
-
SpaceBass
1500 too big, 1472 works without fragmenting
-
SpaceBass
So not too bad
-
mynam
Careful messing with the MTU, tho the interface for the VPN will need a smaller MTU because chances are (unless you've changed it) your internet facing NIC will be set to 1500. So 1500 - the VPN overhead will give you the MTU size to use on the VPN interface.
-
mynam
The MTU on my wireguard interface is 1420.
-
SpaceBass
If I change it, I'd change it on the VPN
-
SpaceBass
There's a pfSense box on either side of the NFS server and this client
-
rtprio
SpaceBass: just one hop between server and client?
-
SpaceBass
2
-
rtprio
i wouldn't expect you need to change your mtu for this
-
rtprio
does every disk operation take ~5 minutes to complete or what
-
mynam
rtprio: it's over a VPN at a distance of Central US to Finland.
-
rtprio
wireguard?
-
rtprio
or something else
-
rtprio
and does it matter the directory size when you are ls'ing?
-
mynam
SpaceBass said there's a PFSense box on either side. Been a while since I've used it but I'd guess openvpn
-
rtprio
hrm
-
mynam
~170ms of round trip latency was reported so if it's chatty, slow, fragmented, and potentially lossy... Lots of things to check.
-
rtprio
nfs would not be my first or second choice across an ocean
-
rtprio
using nfs4 (tcp) rather than nfs3 (udp) could be a start
-
ghoti
Is there a preference between openvpn and wireguard? I don't see any security related concerns about either project. Wireguard may be faster, openvpn has a longer history. What to choose? I just need a couple of point-to-point connections for remote backup.
-
mynam
I used OpenVPN for years, loved it, but speed wise Wireguard is much faster.
-
mynam
And depending on what you're doing, is easier to setup.
-
ghoti
That's my situation as well.
-
mynam
I think wireguard lacks the TLS CA support (tho I could be wrong) so I'd probably use OpenVPN if that's required.
-
mynam
My primary use case is p2p tunnels so I don't get into the road warrior use case much.
-
ghoti
Okay, thank you. Wireguard it is, for this project.
-
ghoti
Huh. There was a wireguard metaport in fbsd 12, now deprecated. We go with kmod and tools?
-
rtprio
yep
-
ghoti
tnx.
-
rj1
freebsd rules!
-
rtprio
yep
-
rtprio
${name}_chdir in rc.subr; does that go in my rc script as is, or do i modify it to match myprogram_chdir="/usr/local/www/myprogram" ?
-
daemon
perlbot paste
-
rtprio
i'm sorry?
-
rtprio
i'm getting kinda tired of applications that have to be run in a specific place in order to find their shit
-
mynam
What do you mean?
-
rtprio
i mean this node app needs to be run where i checked out the code or it won't run
-
mynam
Oh
-
mynam
Yes
-
rtprio
which is giving me difficulty writing a rc script for it
-
mynam
That stuff is a complete load of *****
-
mynam
Node and I aren't friends tho....
-
rtprio
likewise this go app references its database like ./data
-
mynam
The last rebuild of my website, I tried something like 9 languages. I threw Node out after ~10min. Tried bun, that lasted a couple hours, but I threw that out too. TLDR, wound up with Haskell.
-
mynam
For the most part I'm done with interpreted languages
-
rtprio
i find plenty of useful software in node. but it is a pain to deal with
-
mynam
Absolutely!
-
mynam
I like to browse software that's out there to find new stuff.
-
mynam
I find stuff all the time that I really want to setup. As soon as I see something that's JS, that's not just extract and run in the browser, I hit skip because the aggravation level of dealing with it server side isn't worth it to me.
-
mynam
The latest thing I wanted to setup was video conferencing.
-
mynam
I've messed with Jitsi in the past, lovely tool but difficult to admin.
-
mynam
I found a few alternatives that were all node.
-
mynam
Wound up with Galene which is Go and very simple to setup.
-
mynam
So I have Matrix+Fluffychat and Galene for the family to use.
-
lw
is there a way to store the kernel config outside of the source tree?
-
daemon
just copy it
-
daemon
cp /usr/src/sys/amd64/your-kernel-name ~/
-
daemon
cp /usr/src/sys/amd64/confyour-kernel-name ~/
-
daemon
cp /usr/src/sys/amd64/conf/your-kernel-name ~/
-
daemon
even
-
debdrup
lw: build(7), see KERNCONFDIR
-
debdrup
can be defined in src.conf(5) so it's consistent across builds
-
lw
debdrup: thanks
-
debdrup
Not having to branch the head of the tree and rebase to maintain out-of-tree changes makes things a lot easier.
-
lw
yeah... although i'm wondering if it makes sense to keep doing this anyway, since it means i can easily update to a specific commit, or add local patches for testing if i need to. (this is for my build server, not local builds)
-
debdrup
One thing that's really powerful is being able to, say, do an include of GENERIC and then do nooptions and nodevice to exclude things you don't want - but still get anything that's newly added.