00:03:02 sorry, i should find my charger. don't wait for the post. probably tomorrow
00:19:30 when setting up a RAID 1 situation, is there some sort of performance hit when utilizing UFS over ZFS on a created gmirror?
00:21:57 Gnea, UFS with gmirror is probably fairly close to the same performance as a ZFS mirror. But ZFS has extra work for robustness and so will likely always be just a little bit slower than UFS. Though I have not benchmarked them.
00:22:39 ZFS never rewrites in place. ZFS always writes a new block and then switches from the old block to the new block.
00:22:46 Gnea: if you're asking about ZFS on a gmirror - don't do that, you'll lose ZFS's ability to repair damage. ZFS has built-in mirroring
00:23:17 ivy: that's what I was gearing toward. thank you.
00:23:34 Oh, I didn't think that was what was being asked! Right. Don't do that.
00:23:55 rwp: it's okay, I hadn't gone into much detail just yet
00:24:19 I appreciate your answers
00:24:55 so, next question: does UFS have anything like what ZFS has for damage repair?
00:25:13 or does the geom take care of that?
00:25:27 UFS is mostly a traditional Berkeley Fast File System and if it needs to be repaired requires fsck to run on it and try to recover what it can.
00:26:25 Using gmirror will present a redundant storage to UFS but if the file system becomes corrupted then you can only fsck upon it to try to clean up the corruption.
00:27:00 Better to use a zfs in a mirror so that if data blocks become corrupted that it is detected by the extra zfs checksums and repaired from the good side of the mirror.
00:27:02 Okay. So does ZFS just fix itself on the fly then without having to unmount+fsck?
00:27:26 Yes. ZFS for the most part will automatically detect and automatically fix itself.
00:27:34 That's awesome.
00:27:35 in fact there is no fsck for zfs at all
00:27:52 Sold. "take my money!!"
00:27:56 If one tries to read something that has an underlying data corruption then it is detected and the other redundant block read instead and used to rewrite the corrupted block.
00:28:16 but for this to work you have to give individual disks to zfs - no gmirror, no hardware raid
00:28:31 then that could result in a disaster
00:28:38 Periodically run "zpool scrub" where periodically is by one default every 35 days, run more often if you have cheaper hardware, and it will read everything explicitly to force the repair.
00:29:09 Gnea, "then that could result in a disaster" what part equates to the "then"? What did I say wrong?
00:29:17 (you can still use gmirror for the EFI and swap slices on your root disk - general advice is not to put swap on zfs anyway)
00:29:55 Do not put swap on zfs as zfs itself needs memory and if memory is needed then swap is needed and it can deadlock. The installer always puts swap on a gmirror on a separate partition.
00:30:07 rwp: I was responding to "< rwp> If one tries to read something that has an underlying data corruption then it is detected and the other redundant block read instead and used to rewrite the corrupted block."
00:30:26 Okay. Why did that sound scary?
00:31:24 would that not result in a hardlocked system? potential data loss?
00:31:50 ZFS checksums all data, so it knows which copy of each block is the correct one, it will never overwrite good data with bad data
00:33:14 Regarding swap on zfs I don't think anything has changed since https://www.schmidp.com/2014/01/05/freebsd-10-does-swap-work-on-a-zvol/ and also https://github.com/openzfs/zfs/issues/7734
00:33:25 Ubuntu tried putting swap on zfs https://bugs.launchpad.net/ubuntu/+source/zfs-linux/+bug/1847628
00:33:40 oh dear
00:33:42 Klara Systems posting describing swap system https://klarasystems.com/articles/exploring-swap-on-freebsd/
00:34:58 Meanwhile what ivy said, zfs checksums all so as to know if a block is corrupted for some reason (disk / ssd / cables / cosmic rays from space).
00:35:45 Cool, I just need to back out the root filesystem from the gmirror that I'm working on, then utilize that space directly using zpool
00:36:10 I had zfs pull me through a nasty power hardware problem on one of my systems, things really looked grim, but after I figured out it was a bad power connector jiggling dropping power to the drives while they were writing I fixed that, ran a zfs scrub, and had 100% good data after repair ZERO data loss in a raidz2 array.
00:36:39 Nice.
00:37:48 If you haven't done it yet I would start small with a test system using the freebsd installer and let it set things up as a baseline, play with it to become familiar, then read https://wiki.freebsd.org/MasonLoringBliss/ZFSandGELIbyHAND to get more background, then *install for real*. I would not optimize before then.
00:41:02 okay
02:41:42 i found my charger and it is kept yellow and not working. https://pasteboard.co/3ZoJDyeKDYjX.jpg
02:41:51 maybe i should wait
02:44:57 it was dirt cheap, that's why i bought it a couple of years ago. the price is now unreasonably high on eBay. I think I had searched it too often and sellers bulked up the price, thinking that someone will buy it at that price.
03:09:10 Ok it appears that i used to use geli on coreboot https://pasteboard.co/ywSiEZdV2foo.jpg
03:09:22 you see i forgot the password
03:15:54 You forgot your GELI password? I am sorry for your loss.
03:16:33 rwp: i still have a chance that this keyboard is too old to get my input correctly
03:17:13 I don't recall ever having a Thinkpad keyboard fail in such a way.
03:17:22 But honestly if you have had this system in storage long enough to have forgotten the password for it then what data could be on it of importance?
03:17:56 rwp: i have my own machine-free system
03:18:23 I had an X60 for a while but the scrunged keyboard drove me crazy and I gifted it away to someone else who could use it.
03:20:03 rwp: it is an excellent laptop. but the current price you see now on eBay is a scam
03:24:05 i think there has been some discussion of choice of file system protection and installation options last time iirc. i would like to add one: geli + coreboot
03:24:14 eBay prices fluctuate. I always tell people that on the used market to only buy what they know. It's a buyer beware market.
03:24:57 Coreboot is always good. And for me Coreboot systems are the only systems that have what appear to be bug free UEFI booting. All of the vendors' UEFI firmware I trip over bugs.
03:25:24 On a laptop using GELI+ZFS to provide for a full disk encryption is definitely the way to go.
03:26:33 rwp: well, my thinkpad does not seem to use uefi but coreboot is not bad. fast and looks cool
03:28:57 it wasn't so much a toy project because i used it quite long. my modern laptop was broken and i had to go out to collect more dishes to buy a modern laptop. during that time I had relied on it
03:30:51 i had gone through an extremely hard time (still a hard time but better) with this machine. very meaningful to me.
07:47:26 how many of you use FreeBSD with a DE on a desktop or laptop as your daily driver for work in the IT or development field?
07:50:15 I'm curious to try it but i've seen where distros like GhostBSD have users reinstall the OS for some upgrades which makes me think that I'll need to really watch changelogs if I update a FreeBSD system with a DE and used as a workstation.
10:27:35 https://www.freebsd.org/where/ <-- that page seems to have a bug at 14.2
10:28:16 14.2-RELEASE doesn't exist yet
10:28:27 but the beta is downloadable
10:28:40 and the bug is for 14.2-current
10:28:40 OK
10:28:54 there is no 14.2-CURRENT
10:29:07 sure the beta is built from it
10:29:08 only 15.0-CURRENT
10:29:35 nope, build is from releng/14.2 which is derived from stabe.14
10:29:44 * stable/14
10:31:00 BTW 14.2-STABLE looks fine to me
10:31:04 FreeBSD 14.2-STABLE (VBSD) #52 stable/14-n269449-46d30932876f: Fri Nov 1 08:20:26 CET 2024
10:31:25 it's been available for a while
10:57:39 is there a non-janky way to set the password hash of a user? I have some users that I'd like to recreate on a new host but I don't necessarily know their plaintext password. I do have access to the /etc/master.passwd though and can see their hashes just fine
10:57:59 do I just re-create them and then edit the /etc/master.passwd to paste the hash?
11:00:02 foxxx0: you can just copy+paste your old master.passwd entries into the new, no need to create the user first. then copy their home directories over too
11:03:00 alrighty, then I'll do that. thanks :)
11:04:14 remember to use vipw to edit master.passwd (or manually rebuild the databases afterwards)
11:09:34 mhm, hypothetically speaking, if someone were to just edit using vim ... how would one rebuild the database? (asking for a friend)
11:10:18 foxxx0: pwd_mkdb -p /etc/master.passwd
11:10:31 thanks :D
11:20:12 foxxx0: use vipw(8)
12:05:08 is it possible to partition up an external drive into 4 chunks so bhyve could run 4 vms off of it, 1 vm per chunk?
12:05:20 say 500GB chunks, 4 vms, 2TB external drive
12:06:09 l00py: if you don't want to use files (which is the easiest way), you could simply create four partitions on the disk
12:06:14 why would you want static partitioning instead of just raw files?
12:06:38 oh i can make bhyve store a whole vm's "disk" in just a file on the drive?
12:07:07 that's the usual way you would use bhyve, yes
12:07:25 right now i give bhyve zfs vols to back vms with
12:07:39 what would i format the external drive?
12:07:46 zvols are, for whatever reason, slower than flat files, so i use files even on zfs
12:07:58 (although there's nothing technically wrong with using zvols)
12:08:10 filesystem is up to you, i'd probably use zfs just because i use zfs everywhere
12:08:31 can i put zfs on the single external drive, and have it totally separate from my internal zfs on root mirror?
12:09:12 yes, just create a new zfs pool, see zpool(8)
12:09:55 that's so cool. tyvm
12:10:19 and you can make the flat files only be as large as they need to be, like a sparse zvol does?
12:10:40 so a 500GB vm "disk" is only 20GB in reality if that's all that it's written
12:11:10 yes, if you create them using 'truncate -s 250g disk0.img' or whatever you will get a 250GB sparse file that only uses a few KB on disk
12:12:41 weeee 846 MiB/s over cifs/samba \o/
12:12:43 amazing, tyvm
12:13:34 ivy if you have this 1 external ssd, would you have zfs store multiple copies or any special stuff to recover from a single drive?
12:13:51 recover from an error in the single drive*
12:14:12 no, if i cared that much about the data i'd use a mirror
12:14:21 ya
12:14:25 ok tyvm
12:14:56 copies=N is somewhat useless because if the disk's basic metadata is damaged, you can't import it to recover the data. that feature only really exists to handle a few bad sectors on laptop disks
12:15:17 (and by 'laptop disks' i mean old 2.5" HDDs more than SSDs)
12:15:20 ya that's what i was thinking, sectors
12:15:26 ok
12:16:02 basically if you have a 1TB SSD and want to use copies=2, just buy two 512GB SSDs and use a mirror instead, price is basically the same
12:16:44 I'd even argue 1tb is cheaper per gb than 512gb, so 2x 1tb won't run you that much more than 2x 512gb probably
12:17:35 also true
12:17:50 unless you buy your SSDs from Apple of course :-d
12:18:03 (yes, i've been looking at the SSD pricing on the new M4 Mac mini...)
12:27:00 sweet, maxed out my 10G link over samba/cifs.
12:27:12 sequential reads and writes both just flatline at 1.2 GiB/s now \o/
12:29:42 foxxx0: i can do that when zfs is reading directly from cache, but i've never managed it for disk i/o, that seems to top out at 600MB/s or so (on 8x raidz2, 7200rpm)
12:30:03 this HBA is quite old though, that could be the bottleneck
12:31:04 i suppose as each disk does ~100-120MB/s sequential write, that's not too far off what you'd expect
12:32:33 one day i will rebuild this pool using 8TB SSDs, but prices need to drop a bit first :-)
12:38:29 8TB ffs. i'm working with 2TB nvme and feel like a baller. 8TB is galactic
12:38:53 ivy - the mac mini you have been speccing.. have you "looked" at if there is anything out there to upgrade the hard drive on it? So far i have seen.. basically you pick it and you can not upgrade it, like the ram
12:39:56 voy4g3r2: correct, the NAND and DRAM is soldered onto the CPU package so you can't upgrade it later
12:40:20 voy4g3r2: my plan is to buy the base storage config (256GB) and use that for the OS, then add a couple of Thunderbolt SSDs for data
12:40:23 this powerbook (12 years old) is getting long in the tooth...
12:40:50 when signal tells me, it will no longer support the OS.. i think it will be retired soon
12:41:09 the hardware doesn't even include an 'SSD' in the normal sense, the controller is on the SoC and it talks directly to the NAND
12:41:39 ivy: i do have 4x 7.68TB NVME raidz1 ... from my benchmarks those could even saturate a 40GBit/s link
12:42:51 voy4g3r2: i don't think i will buy the M4 though, my M1 is still working fine and i'd like to wait until FreeBSD has proper Apple arm64 support so i can repurpose this to a server when i upgrade it
12:42:54 ivy: a m4 pro with 64 gig of ram does look real pretty
12:43:37 ivy: the 2200 price tag is up there with what i paid for this laptop in 2012
12:43:44 yeah, for CPU performance the M4 Pro is competing directly with the old M1 Ultra in the original Mac Studio, which is a pretty big performance bump
12:46:50 yeah, the intelligence stuff.. no thank you.. i got an ollama (in a bhyve) for that
12:47:10 now i am at the "ceiling" of, applications are deprecating support for applications i use
13:03:04 need to grep for STRING\x00 but only print out STRING
13:03:11 is this possible with BSD grep?
13:03:47 I don't think BSD grep supports lookaheads according to re_format(7)
13:04:33 i'd probably use sed for that (which i realise isn't really an answer)
13:05:44 its a good answer for trimming \x00
13:05:54 can i get it to do the search too ... mmm
13:06:41 oh derp we have perl in base system, thats fine
13:06:46 facepalm
13:06:47 yes, you want sed -n, then use a pattern to match the string, s// it, then use 'p' to print
13:08:40 # sed -n '/^root:/ { s/:.*//; p; }' root
13:08:45 something like this i suppose
13:09:57 ripgrep does exactly what i need, scary fast, but not in base
13:14:28 hah. I first do strings, then bsd grep is fine
13:21:19 ivy: sed would work but is surprisingly slow over this 9gb file
13:21:38 that doesn't surprise me, i think your idea to use strings is better
13:21:42 and grep has a handy -m (stop after N matches) which is a great find
13:46:59 getting a bunch of "GEOM_ELI: Crypto request failed (ENOMEM)." in dmesg. affected devices were part of gmirrors, which got degraded and don't add the geli partitions back to the gmirrors after the situation is resolved – anyone know how to fix this without adding them as new consumers to the mirrors and syncing from scratch?
13:48:06 in hindsight, i probably should have set up geli on top of gmirror and not the other way around, but i'd be glad for some bandaid in the meantime.
13:55:12 "geli: Cannot read metadata from /dev/gpt/down-a: Input/output error." nevermind, seems like i got more problems than that :'D
16:21:04 hi everyone, I have "13.1-RELEASE-p3 FreeBSD 13.1-RELEASE-p3 GENERIC amd64" and I'd like to have my sshd exposed to the public at port 22. moreover, i'd like to mitigate the security breaches this might introduce as much as i can.. e.g. i am seeing this in /var/log/messages: "error: Fssh_kex_exchange_identification: Connection closed by remote host" and "error: kex protocol error: type 30 seq 3 [preauth]".
16:21:10 is there anything i should be doing about this? how about a standard tool to probe any vulnerabilities in my setup?
16:26:37 yashi: as long as you stay up to date on security fixes, you should have a secure (as much as possible) sshd. consider turning off root login and password authentication, which is good practice for any SSH server on the Internet
16:48:47 yashi: seconding ivy, don't let people log in as root, nor with passwords
17:35:07 yashi: you should probably also be aware that FreeBSD 13.1 is EOL and no longer receives security updates. so, don't put that host on the Internet, and upgrade to 13.4
17:37:48 Do we have any old Thinkpad users in here? I'm trying to get one up to date with 14.1 and the new wifi stuff, but have hit an early roadblock with the keyboard.
17:38:03 https://wiki.freebsd.org/Laptops/Thinkpad_T550 <-- what I'm working with
17:38:33 spork_css: i have an old Lenovo X240 here, not sure if that's what you mean by old
17:38:46 currently working fine on 14.something
17:39:20 i did notice it requires 'atkbd' for the keyboard to work, but that's in GENERIC
17:39:35 After updating from 13.x (literally it's been sitting on a shelf for 2+ years), 14.1 works fine (no X though) but I literally can't login or do anything on the keyboard.
17:40:16 Letters type fine, but when I hit "return", say to enter my username, it echoes something like "~5~~". The numpad "enter" works.
17:40:46 Space bar also adds characters. To type a space I use the mouse to copy and paste a space. :)
17:41:21 It reminds me of a slightly funky serial console with the wrong term type set.
17:41:47 In 13.x it worked fine. Hard problem to google.
17:44:47 that's weird. might be worth asking questions@
17:49:24 Unrelated to that, mine is 2015 vintage, how old is your X240?
17:50:14 Are you using any of the reworked wifi stuff with it and is that working out well? I think I put this away because it had two main issues - doesn't wake from sleep and 2.4GHz-only wifi.
18:03:25 is there a way to remove a route when "gateway uses the same route"?
18:03:46 without reboot :)
18:03:48 what do you mean by that?
18:04:20 i have a route with UG1 flag
18:04:52 when route delete -inet6 fd00::2:0:0/96
18:05:06 i have : delete net fd00::2:0:0/96 fib 0: gateway uses the same route
18:05:26 then you need to find out which other route is referencing this one
18:05:42 i have already removed the gateway
18:05:53 the route with gateway
18:06:10 Teraii: can you paste the output of 'netstat -rn' somewhere?
18:06:12 fd00::2:0:0/96 fd00::2:0:20 UG1 ---
18:06:23 I'd second the request from ivy
18:06:24 (note the interface removed ---)
18:08:53 no way to remove G flag ?
18:09:52 "route -6 del fd00::2:0:0/96 fd00::2:0:20" doesn't work?
18:10:37 possibly also try "route -6 del fd00::2:0:0 -prefixlen 96 fd00::2:0:20"
18:12:07 same error message
18:12:32 then we'd need a more complete picture with the output of 'netstat -nr'
18:14:15 https://pastebin.com/U3YBxT32
18:16:02 I think your issue might be fe80::%lo0/10
18:16:18 fe80:: link-local routes are supposed to be of prefix-length 64
18:16:31 fe80::/10 includes all of your fe00:: routes
18:16:39 err, nvm.
18:16:46 scratch that, haven't eaten today >.>
18:16:51 =)
18:17:07 all fe80are automated LL :)
18:17:13 all fe80 are automated LL :)
18:20:16 how did you add that route? .... well there they go
18:20:29 it's probably a PINNED route, with protection
18:20:52 I'm guessing at some point there was a route for that gateway, otherwise it wouldn't be a valid nexthop
18:21:16 and then just deleting that gateway route invalidated that /96 route as the nexthop is now invalid, not sure why it wasn't automatically cleared up?!
18:21:44 probably direct connected route
18:22:00 lost my zenitude and reboot :)
18:22:21 welcome back Teraii , we were asking how you ended up in that situation. did you have a manual route for 'fd00::2:0:20' at some point?
18:22:30 otherwise you wouldn't have been able to use it as a gateway, right?
18:22:49 indeed
18:22:58 or did you have a direct link with a subnet/prefix, that contained fd00::2:0:20 as directly attached?
18:23:09 reboot has removed the route O:)
18:23:37 we are not progressing much with troubleshooting Teraii
18:23:58 there was a route with fd00::2:0:20
18:24:03 in that case, the solution would probably have been to re-add a direct route for 'fd00::2:0:20' as directly connected to an interface, or possibly temporarily re-adding a prefix containing that, to then subsequently remove the static route first, and then the gateway route
18:24:17 but when removed the route with fd00::2:0:/ was not removed
18:25:04 /96
18:25:24 but when removed the route with fd00::2:0:0/96 was not removed
18:26:21 even when interface was destroyed (tap1)
18:26:22 personally I'd expect that route to get purged in the same operation, but I'm not too familiar with the routing table internals on freebsd. more of a linux user here
18:26:53 since a while we can use multipath routing, so routes have now "weights"
18:26:58 the route was learned via bgpd
18:27:17 and i'm correcting some structure mistake here :)
18:27:27 you have to filter it next time
18:28:05 ho yes
18:28:10 forget that
18:28:42 it's not possible to remove by hand all routes added by routing daemons
18:29:09 when you add it by hand, you should be able to remove it in the same way
18:29:59 ok
18:30:39 it's connected with the transition from rtsock to netlink
18:41:25 Teraii: please compare https://reviews.freebsd.org/D46301
18:44:18 well
18:44:35 we will reboot to force deletion ...
18:45:06 sometimes there is no other solution :)
18:46:01 yes, but filtering them in BGP will prevent that
18:46:49 Teraii: what are you using as routing daemon ?
18:48:17 openbgp
19:04:48 @ivy: well, booted into Windows and the BIOS and same keyboard issue, so I guess it's a Thinkpad issue, not an OS issue. Also clearer in Windows is that it's doing either a PAGE UP or HOME and *then* the carriage return. Very weird.
19:15:53 welp turns out if git fails to clone something it'll just tidy up after itself by deleting
19:15:59 1.6gb and half an hour later
19:16:01 'sake
19:28:17 so let's say i got an external drive i want to format zfs and then put bhyve vm flatfiles on. i plug the drive in then check gpart show to get its dev id like /dev/da1?
19:30:03 l00py: after you plug the drive in, check 'dmesg', that is the easiest way to find the new device node. then run 'camcontrol devlist' and make sure the model/serial displayed matches what you expect. then partition the disk with gpart
19:30:53 like gpart create -s GPT da1?
19:31:11 if it didn't come with an existing partition table (meaning it doesn't show up at all in gpart list) then yes
19:31:21 i mean gpart show, not list
19:31:34 although if you're planning to use it with zfs, don't use gpart
19:31:40 if it comes with 1 it's safe to use it?
19:31:48 just create the pool directory: zpool create mydisk /dev/da1
19:31:49 oh ya i want to use with zfs
19:31:58 s/directory/directly
19:31:59 wow
19:32:08 well
19:32:10 so 'mounting' hardware is as easy as mounting a dir?
19:32:16 it might be worth deleting the partition table in gpart first
19:32:31 so 'gpart destroy da1' then 'zpool create mydisk da1' (as long as you're sure da1 is the right disk!)
19:32:58 l00py: i'm not sure what that question means exactly
19:36:45 what is the easiest way (akin to pkg install ...) to upgrade 13.1 to 13.4?
19:37:14 ivy "mydisk" is like "zroot" right?
19:37:56 l00py: yeah, that's the name of the pool
19:38:08 so call it 'data' or 'data1' or 'disk1' or... you know, whatever name you like
19:38:51 yashi: freebsd-update fetch; freebsd-update install; (read what it tells you); reboot; freebsd-update install; (read what it tells you); freebsd-update install; (read what it tells you); pkg-static upgrade -f
19:39:19 you may need -r 13.4 somewhere there, i honestly haven't used freebsd-update for years
19:40:57 ivy tyvm. reading man zpool-create rn
19:42:41 Shouldn't need the "-r" arg for freebsd-update if it isn't an upgrade. A simple update will do.
19:43:24 ek: he said he wants to upgrade from 13.1 to 13.4
19:43:58 yeah, i think even minor release upgrades require the -r? like i said i don't really remember...
19:44:02 ZedHedTed: That's not an upgrade, though. Technically, it's just an update (same major RELENG.)
19:44:08 maybe someone else has a more useful answer :-)
19:44:41 If he wanted to "upgrade" to 14.1 or something, he'd use "upgrade -r 14.1-RELEASE" as well.
19:44:50 ek, ivy: what's the correct term? minor release upgrade or update?
19:44:59 i'm new to freebsd
19:45:59 ZedHedTed: Same major RELENG would just be an update (when referring to the use of freebsd-update, I guess.)
19:46:31 I've also heard really good things about sysutils/freebsd-rustdate. Apparently, it's much faster than freebsd-update. Of course, it isn't in base, though.
19:47:22 ooh a rust port of freebsd-update?
19:49:25 why use that when you could just use pkgbase
19:49:55 freebsd-update is dying, it has one maintainer who hates maintaining it and it's going away the moment we get pkgbase as default (maybe in 15.0-RELEASE)
19:50:24 ivy: I'm sure hoping pkgbase becomes the norm in 15.
19:50:38 me too!
19:50:47 the future is now
19:51:09 for 14.x, am i better off learning upgrade instead of freebsd-update?
19:51:35 ZedHedTed: what do you mean by "upgrade"?
19:53:46 ivy: wait i think i meant pkg-static upgrade. i missed that part. reading pkg-static's manpage now.
19:54:54 pkg-static is just pkg but not linked against dynamic libraries, so it's more likely to work after an upgrade
19:55:13 e.g. this was recently required when 15.0 bumped libmd.so.6 to libmd.so.7, installed pkg still needed libmd.so.6
19:55:56 ZedHedTed: Have you looked at the FBSD Handbook yet? It explains everything you need to do with freebsd-update to update to the latest 13.X and to upgrade to 14.X.
19:57:33 You won't need to run a pkg-static -f upgrade when going from 13.x to 13.x, but you will going from 13.x to 14.x.
19:57:55 You'll likely need to upgrade to the latest 13.x before going to 14.x, though.
19:58:08 At least, that's always been recommended.
19:58:27 "freebsd-update fetch install" and follow the directions.
20:00:07 Once you're on the latest 13.x, run a "freebsd-update upgrade -r 14.1-RELEASE" and then follow those directions.
20:01:16 Hrm. Tempted to migrate to Wireguard but I don't like the fact that subnet access is controlled from the client/peer side.
20:20:23 ek: it's not?
20:20:40 AllowedIPs on the client just controls what packets it's willing to send over the link
20:21:20 it's basically a hint to the local system about what to send over the VPN, similar to pushed routes on openvpn
20:21:27 ivy: I've been looking through some docs trying to find out how to limit access to different subnets from the server-side but I can't seem to find any info.
20:22:18 ek: you would use a firewall (like pf) the same way you would with any VPN, basically
20:22:26 ivy: Right. I understand that. But, if the client does route those subnets, it seems WG will route them without any limitations. So, if the client were privy to the network, they could access anything they wanted?
20:22:39 like if you hand addresses from 192.168.0.0/24 to your IPsec road warrior clients, you firewall what 192.168.0.0/24 can access, right?
20:22:42 I'll have to test it all out, I suppose.
20:23:01 Yep.
20:23:12 so that's exactly the same in wireguard
20:23:35 But, say I'm using OpenVPN, I can choose which subnets on the network to allow a client to access in its config instead of the firewall.
20:24:12 yeah, you can't do that in wireguard. i'm not familiar with openvpn but i suppose this works more like ipsec
20:24:26 Yep. Seems that way (which is fine.)
20:24:51 how do you control this in openvpn, btw?
20:24:53 Not sure I want to create firewall rules per WG client, but I'll just go ahead and play with it and see what I can come up with.
20:24:59 i actually have used openvpn but probably not for 20 years
20:26:45 ivy: You can set which IPv4/v6 networks you want to allow clients to access in the server configuration.
20:28:00 ah. sort of makes sense wg doesn't do that as it's kernel based
20:28:32 That's my guess.
20:29:25 I just liked that I could configure it server-side to allow all subnets, then limit each client's access via the client-specific-overrides.
20:30:03 So, for myself, I can access everything. But, for a friend that just needs VPN for a specific thing, I can limit them to the VPN subnet or whatever.
20:30:17 you can still do that in wg as all IP assignments are static, fwiw
20:30:33 (i actually wish wg had dynamic IP assignments, but... it doesn't... so that's what it is)
20:32:20 thanks ek
20:33:53 i will keep reading the handbook. next, it's time to boot back into nomadbsd, and see how well things go w/ the iwm driver!
20:34:55 the stock wifi card used rtw880, but had problems establishing and maintaining a connection to any SSIDs i own. so i swapped out the wifi card w/ a 7265 i scrapped from a chromebook.
20:36:09 actually no. i need to charge the laptop first.
20:41:03 ivy: Yeah. I always assigned IPs statically in OVPN anyway just to keep track. But, it does allow dynamic which is nice for larger environments.
20:51:27 recently our openvpn is kernel based too
20:51:36 see ovpn(4)
20:52:02 they behave the same with regard to routes added by clients
20:52:37 neither of them filters such routes - vpn is not firewall
20:53:11 firewall rules have to be set to deny clever clients abusing VPN
20:54:13 openvpn allows loading dynamic rules when the client connects, I am not aware of such scripts for wireguared
20:54:19 wireguard*
21:23:01 well, I sure am learning fast
21:23:13 the zfs VM image does not have a lot of extra space
21:23:26 there's a zfs vm image?
21:23:53 zip: you can expand zpool on disk
21:23:55 so I've had to (1) expand it with qemu-img (2) use gpart to fix the record so it can see the new space (3) tell it to expand the last partition into that space and then (4) tell zfs to use that space for zroot
21:23:59 as long as you make the partition bigger
21:26:04 this is a part of a longer and sillier project to cross-compile the base image for armv7
21:26:15 seeing as the damn armv7 device itself does not appear to be able to do so
21:27:04 anyway I think I'm starting to get a feel for why people like FreeBSD
21:28:02 it's like zfs and jails do a kind of different slice of the cloud pie
21:28:33 like sure you can set up kubernetes and docker and have your lovely reproducible builds and your moveable services and that's lovely until you realise that where the fuck do you store your data
21:29:47 whereas jails are like, okay so you have a system that's been running since 2004 and you want to get it off linode or whatever, and you can just tarball that sucker up, pop it in a jail and resume as though nothing had happened
21:30:04 or, indeed, you can `zfs send` stuff around the place
21:32:00 zip: i mean freebsd is not incompatible with containers, there's podman for example, but generally yes it's a more traditional sort of approach
21:32:05 so sure I can't do evil insane stuff like, uh, `podman run --rm -ti quay.io/curl/curl:latest -- http://www.freebsd.org`
21:32:31 but also most of the time what I wanted out of containers was, well, containment
21:33:12 well, we'll see how I feel once I've had to upgrade a jail and/or its jailed contents I suppose
23:57:36 I don't suppose one of you folks has some insight as to why a win11 client is only achieving ~95 MiB/s sequential write speed to a 10GBit/s samba share? the same win11 client can read from the same share just fine at 1.1 GiB/s, and other clients can write to that same share at 1.1 GiB/s too, just the windows->samba write is painfully slow
23:58:18 iperf3 between win11 client and freebsd14.1 server is achieving 9.3GBit/s in both directions