-
mns
I created my vnet jail based on docs.freebsd.org/en/books/handbook/jails and networking was working, until Oct 30th. Now though, I can't reach out to the internet from inside the jail, nor can I reach the jail from the outside. I can't even ping the jail's gateway from inside the jail. No configuration changes have been made, I've verified that.
-
mns
I did do an upgrade to 14.1-RELEASE-p6, which I don't think should matter as it's not a kernel upgrade.
-
mns
Any thoughts or suggestions?
-
rwp
I hear "No configuration changes been made, I've verified that" and I must laugh because everyone *always* says that! :-)
-
rwp
If you have snapshots you can diff between to verify by the way. And if it really is the patch upgrade you could use Boot Environments to boot the previous and it should work if that is the change that broke something.
-
rwp
Meanwhile... Double check /etc/pf.conf and ensure it is set up everywhere it is needed.
-
mns
rwp: yeah I know, that's why I mentioned that *after* checking. :-)
-
rwp
And of course /etc/jail.conf and /etc/rc.conf with cloned_interfaces and ifconfig_bridge0 type configuration are the critical points.
-
mns
I have /etc/pf.conf set up on the host. I've verified the /etc/jail.conf and /etc/rc.conf, with the bridge0 and epairs as well.
-
rwp
I am running 14.1-RELEASE-p5 kernel and 14.1-RELEASE-p6 userland and things work here with that combination.
-
mns
I've run netstat -rn inside the jail but the gateway entry doesn't seem right to me, as it shows epair151 for the interface, and I was expecting epair151b as the interface
-
rwp
However my jails are in need of upgrade. I haven't gottenaroundtuit yet. And I can't pfctl -sr or it coredumps due to the mismatch. Which is annoying.
-
mns
pfctl inside the jail or outside?
-
rwp
One of my vnet jails is a router for other jails on a labbench network setup and needs to have routing set up inside.
-
mns
yours sounds complicated, mine is just a simple, straightforward web server, using the vnet example in the Handbook
-
rwp
My jails show my epair ja0 without the a and ja0a is a member of bridge0 leaving ja0 to be attached to the jail.
-
mns
ok so the netstat output is correct in that case, compared to yours
-
rwp
Yours is a vnet jail? On the host side "ifconfig bridge0" (use your bridge name) should show the 'a' epair as a member of it. (I think the ends can be swapped symmetrically. What's in a name?)
-
rwp
And it should also show your network device. And if that is your only network device then your IP should be associated on the bridge.
-
rwp
(I am running mine on a multi-NIC system so I attach the bridge to the secondary NIC and don't assign any address there.)
-
rwp
Oops. I looked at the time and I must run off. Sorry. Good luck!
-
mns
yeah I see the epair151a as a member of my bridge (jail0)
-
mns
I have a single interface, bge0
-
mns
thanks, no problem
-
mns
hmm I don't see any ip for epair151a
-
Jeanne-Kamikaze
Where do people get their /usr/ports from, bsdinstall, or a git clone post-installation? The handbook seems a bit ambivalent as to which is the preferred approach.
-
mns
Jeanne-Kamikaze: I get mine via git
-
Jeanne-Kamikaze
Is that preferred for development these days? And is it OK to yank an existing /usr/ports in CURRENT and replace it with a git clone?
-
HER
Jeanne-Kamikaze: portsnap fetch extract iirc
-
Jeanne-Kamikaze
Thanks
-
HER
Jeanne-Kamikaze: also you should consider using poudriere to build ports
-
Jeanne-Kamikaze
Is that mostly to guarantee that stuff works on a clean state? I'm a noob, just working through the handbooks right now. (I also seem to have run into a kernel panic with amdgpu on a current gen AMD GPU.)
-
HER
Jeanne-Kamikaze: there is nothing wrong if you want to build ports locally from /usr/ports. Also you can probably skip that and use the binary packages from pkg; that should work just fine and you won't need to build anything
-
HER
Jeanne-Kamikaze: and with poudriere, it can run inside a jail and build the ports you want and then you can re-use them on other machines. Since you are learning, you probably don't need to configure poudriere now.. but maybe in the future you might consider it
-
HER
Jeanne-Kamikaze: i would just install using pkg
-
HER
pkg update ; pkg search firefox ; pkg install xorg i3wm firefox ...
-
Jeanne-Kamikaze
I'm going to start with that, thanks.
-
HER
if you want to build, no problem, but it might take very long =p and once you run a "make install", you will get multiple config screens after each port is built. it's possible to run all the recursive configs with the command "make config-recursive"
-
HER
Jeanne-Kamikaze: yeah just go with pkg
-
HER
also, don't mix pkg with ports
-
HER
that's not recommended
-
Jeanne-Kamikaze
How do you go about contributing to a random piece of userland software? Do you pkg install most things except for that one, which you build/modify from ports?
-
HER
Jeanne-Kamikaze: also, since you got some kernel panic, it should work.. but you may also test with the nomadbsd.org/screenshots.html
-
HER
nomad should figure out the graphics settings and even if you don't install it, you can see if it autodetects everything
-
HER
ghostbsd is also similar
-
HER
Jeanne-Kamikaze: well you can do that yes.. but that's not recommended.
-
HER
Jeanne-Kamikaze: also use ZFS if you can, that way you can always create a snapshot before you do anything... and roll back if needed
-
Jeanne-Kamikaze
Thanks. Yeah, ZFS is the default now in bsdinstall.
-
mns
˜/quit
-
vxwarlock
There are broken links on this page, can you please check them?
-
vxwarlock
Malicious people can take this address and create a link to themselves using your address.
-
sopparus
anyone got samba4 to work after win11 24h2?
-
polarian
brought this up many times, but yet to find a solution. so my home server and vpn server are on the same network (same public IP), wg-quick will set a route so that the route for the physical interface is the public IP of the wireguard server, all other packets will then pass through the wg interface which is then passed to the physical interface, however when i connect to my server which is a different
-
polarian
host behind the same router as the wireguard server it won't pass through the wireguard tunnel and is leaked, which isn't a big deal apart from the metadata and less encryption on it, but some networks allow VPNs but block ports, plus I can't block public IP addresses accessing things on my server and mandate it through the tunnel if I can't tunnel
-
polarian
I can't change the route for the physical interface, freebsd won't let you remove default routes
-
polarian
besides it would break the tunnel
-
polarian
any suggestions on how to force the packets through wg
-
polarian
if I add a route to wg which is higher priority it would loop, wg --> wg --> wg --> wg surely...
-
rtprio
you can remove the default route but you would be disappointed
-
rtprio
polarian: are both servers on nat?
-
DarkUranium
Any vm_bhyve users here? I can't for the life of me get networking working on the guest.
-
rtprio
DarkUranium: what's up
-
DarkUranium
Just starting with vm_bhyve (or bhyve in general) for the first time ever. I can't quite figure out why, but my (Alpine Linux) guest can't seem to be able to connect to the network. The vm_bhyve thing is set up as per instructions on GitHub, etc.
-
rtprio
what switches/bridges did you set up? either via rc.conf or vm-bhyve?
-
DarkUranium
I do have appjail on the same system, which might admittedly be interfering (tl;dr I'm trying out both)
-
DarkUranium
The only bridge I can see is the `vm-public` one from vm_bhyve. Connected to my external IF, renamed to `jext`.
-
DarkUranium
Well, "switch".
-
DarkUranium
I can paste all of ifconfig in a pastebin if desired, it's quite lengthy.
-
rtprio
does vm-public have the tun that corresponds to the alpine guest as well as your functioning host interface
-
DarkUranium
You mean tap, or?
-
rtprio
yes
-
DarkUranium
It connects to tap1 when the VM starts, but I'm not 100% sure where to check what the VM itself is attached to.
-
rtprio
there should be a note in the interface
-
rtprio
er, description
-
rtprio
tap13: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500 description: vmnet/pihole/0/public
-
DarkUranium
"Opened by PID 15671"? Does appear to match the VM, yes.
-
DarkUranium
`vmnet/docmost/0/public` seems about right, so yeah, it appears connected
-
DarkUranium
(`docmost` is my VM name)
-
rtprio
yep
-
rtprio
what is the ip of the host and what is the ip of the docmost?
-
DarkUranium
Docmost doesn't have an IP (since it can't seem to reach anything). Host is 192.168.1.8.
-
DarkUranium
BTW, tap1 mac address doesn't correspond to that of docmost. Not sure if that's correct or not, just an observation.
-
Alver
... well, if it doesn't have an IP, not being able to reach anything is kind of expected. Or did you want to run DHCP?
-
DarkUranium
Basically, from the VM, I just get: `ping: sendto: Network unreachable` if I try to ping anything (even localhost)
-
DarkUranium
I mean, I know. I did try DHCP, I also tried assigning it an IP, but the assigned one didn't want to show up outside.
-
DarkUranium
I'd prefer DHCP, though.
-
DarkUranium
I can try a manual IP for now, since that's simpler (but it didn't help much last time --- I've recreated the VM since, during debugging)
-
rtprio
that shouldn't be necessary
-
rtprio
appjail?
github.com/DtxdF/AppJail ? running on the host?
-
DarkUranium
Correct. Like I said, I was trying out both. I am well-aware that the issues might be because of some network config conflict.
-
DarkUranium
(on an unrelated note, do you know of any SW other than CBSD that can handle both jails and bhyve?)
-
rtprio
IIRC that's the only one. i wasn't super keen so i keep using vm-bhyve
-
DarkUranium
Yeah, same.
-
DarkUranium
I've been tempted to try out SmartOS, TBH.
-
DarkUranium
It does both, but it's Solaris-based, not BSD.
-
DarkUranium
ANYWAY, this is my networking mess:
vpaste.net/73Zde
-
DarkUranium
jext is the external IF. em0 is unused.
-
DarkUranium
jext is a renamed wlan0 if it matters.
-
DarkUranium
In there, vm-public is vm_bhyve's switch and tap1 is the VM.
-
rtprio
not sure how the appjail could be interfering, but there is a lot going on there
-
DarkUranium
Same, I don't think it should be, but ...
-
rtprio
are you at all familiar with tcpdump ?
-
DarkUranium
Not very. I think I might have briefly used it aeons ago.
-
DarkUranium
FWIW, I did check all the usual suspects like net.inet.ip.forwarding being enabled.
-
rtprio
console into your vm, and give it an ip
-
DarkUranium
Done.
-
rtprio
from your host, `tcpdump -ni vm-public `
-
DarkUranium
Done. There's a lot of traffic, mostly from the PC I'm sshing from.
-
rtprio
adding a `port \! 22` will help with the ssh
-
DarkUranium
Was actually 54915 UDP, so maybe not that. Either way filter it, thanks.
-
DarkUranium
filtered*
-
DarkUranium
Note that now that I've assigned an IP manually, I can ping the host from the VM (and nothing else), and the VM from the host.
-
rtprio
it's a start
-
rtprio
ok, from the guest, try a uh, `fetch freeebsd.org`
-
rtprio
er, that might not work since you'll see dns probably try to work and fail
-
rtprio
but you should see some packets from it
-
DarkUranium
Yeah, these: 14:39:44.030596 ARP, Request who-has 192.168.1.1 tell 192.168.1.9, length 28
-
DarkUranium
(also, s/fetch/wget/ because Linux)
-
rtprio
oh right, i forgot
-
rtprio
but no arp reply
-
rtprio
?
-
DarkUranium
Doesn't look like it, no.
-
DarkUranium
Sorry, multitasking.
-
DarkUranium
(something high-prio came up)
-
rtprio
no worries
-
DarkUranium
Yeah yeah, no reply. Just those messages.
-
rtprio
tbh i don't know how bridging would work on wifi
-
DarkUranium
rtprio, shouldn't it be the same as non-?
-
rtprio
well, maybe
-
rtprio
now, if you can; tcpdump the wireless instead of the bridge and try a wget again
-
DarkUranium
15:07:13.322484 ARP, Request who-has 192.168.1.1 tell 192.168.1.9, length 28
-
DarkUranium
So basically, samer thing.
-
DarkUranium
s/r / /
-
rtprio
never a response?
-
DarkUranium
Nope.
-
DarkUranium
It feels as if the router isn't liking the (virtual) machine, for some reason.
-
rtprio
is it a consumer router, or can you tcpdump on it as well?
-
DarkUranium
Alas, consumer. I never brought the "proper" one over since I moved apartments.
-
DarkUranium
I generally rent servers, but for tests and such, I tend to do them at home, heh.
-
DarkUranium
I do have access to the router's ARP table, and the .9 doesn't show up there. Not sure if it's because of the static IP or not.
-
DarkUranium
(.9 == VM)
-
rtprio
it would still need to look it up, static or not
-
DarkUranium
I know. But maybe it's not showing the full table, is what I mean.
-
DarkUranium
I'm beginning to suspect some sort of a firewall issue on the host system. I do have pf running.
-
rtprio
... uh yeah
-
rtprio
that could impact things
-
Alver
Quite. :D
-
DarkUranium
Yeah, appjail depends on pf running, so :P
-
DarkUranium
Sorry, I forgot to mention it because I thought it was a given when I mentioned appjail ^^
-
DarkUranium
Forgot y'all might not be familiar.
-
rtprio
i don't know/use appjail
-
rtprio
well, then you're going to have to figure out how to extend the pf.conf from appjail to permit your VMs access
-
rtprio
or try it without appjail/pf to get the feel for things
-
DarkUranium
Yeah, might be a good idea to just disable pf for now.
-
rtprio
i haven't had enough coffee to diagnose someone else's pf.conf
-
DarkUranium
lol fair
-
DarkUranium
It's just those 3 lines up top, though I must admit I'm not sure what *-anchor does in pf.
-
DarkUranium
rtprio, disabled all of appjail stuff, pf, etc --- rebooted --- still nothing :(
-
DarkUranium
ifconfig now only has vm-public, tap0, jext, em0, and lo0.
-
rtprio
and the wifi is still renamed to jext?
-
DarkUranium
Yeah, that's the one thing I didn't undo (yet)
-
DarkUranium
Guess I'll try that.
-
rtprio
i don't know, i run my interface on a vlan
-
DarkUranium
Still nothing, even without the rename. It might be an Alpine-specific problem, but frankly, I'm calling it a day -_-
-
rtprio
i very much doubt that this has anything to do with your vm
-
DarkUranium
So do I, but at this point, I'm about ready to start throwing things at a wall and seeing what sticks.
-
rtprio
well, i have had weirdness with bridging and wifi before
-
DarkUranium
Yeah, fair. I generally use wired for everything, but I happen to have run out of ports, and it's only a test thing anyway.
-
DarkUranium
rtprio, I just tried it with em0. Notably, `vm switch add public jext` (again renamed to keep config the same) took a few seconds, unlike before.
-
DarkUranium
Also, DHCP worked immediately. Huh.
-
DarkUranium
So yeah, it was wlan that was the problem, it seems?
-
DarkUranium
rtprio: So yeah, everything works now. I've no idea what's different with wlan vs eth, but ...
-
rtprio
i don't know, but as i suspected
-
rtprio
there are hacky ways you could work around it, but they are hacky
-
uskerine
Hi, I have read somewhere that if you append a small amount of bytes to a file the operation is atomic. Could someone confirm/deny or provide more details on the expected FreeBSD behaviour? thanks
-
rtprio
uh, i don't think there's any empirical evidence of this
-
markmcb
is there any list of "what's new" in 14.2? it'd be nice if something like this was linked to on the release timeline page. without it, beta testing is reduced to "just see if anything breaks"
-
mzar
rtprio: it will be listed in detail here: freebsd.org/releases/14.2R/relnotes
-
rtprio
markmcb: looks like "not much"
-
markmcb
ok, thanks. just making sure there wasn't some hidden draft list everyone knew about but me.
-
CrtxReavr
This is some weird shit to see in my auth logs: termbin.com/sgqw
-
rtprio
CrtxReavr: ssh scanners
-
rtprio
quite common, not very weird, really
-
drijen
CrtxReavr: i think you should review your sshd setup/firewall
-
CrtxReavr
Did you get that suggestion off a cereal box?
-
rtprio
perhaps he means 'fail2ban' or similar
-
rtprio
i ignore them; with key only they're not going to get very far
-
CrtxReavr
Clearly they were sending \\admin as the username (or actually \\\\admin since the \s need to be escaped).
-
CrtxReavr
If you're authing against windows, you may need to send domain\\user
-
CrtxReavr
Seeing \\admin in the logs was just curious.
-
CrtxReavr
I did wonder if it might match a CVE or something.
-
rtprio
i've seen all sorts of weird shit
-
drijen
CrtxReavr: no need to be an asshole.
-
CrtxReavr
There's no need to spout inane nonsense, either.
-
rwp
Anyone operating a public Internet server is going to be subjected to the Internet background radiation of endless probes and attacks. That's just the normal thing these days.
-
rwp
Trust in the math. Just because someone is probing or attempting an attack does not mean they are going to be successful. It's just a log filler.
-
rwp
To avoid them filling up the logs, tools like fail2ban (and FreeBSD's blacklistd and sshd patches) are both useful to limit the miscreants.
-
uskerine
would FreeBSD be POSIX-like in this?