so i'm setting up a freebsd box as a wireguard server with 1 wireguard client. i'll want wg client to be able to pass its traffic out through wg server, and it obviously needs to be able to receive return traffic through wg server. also, wg server needs to forward traffic coming in on a certain port range to the wg client. i'm using pf firewall. is

the best way to do that `nat` for wg client out, and `rdr` for port forwarding wg client in?

scoobybejesus: what are you looking for? py311-sopel?

indeed

scoobybejesus: Oh, you got it good, I see now.

I had to pip install it tonight. would love to pkg install it again

Hi, I'm taking a lookt at the Yazi file manager. But it seems that Nerd Fonts doesn't work with XFCE4 Terminal.

termbin.com/yeii are all of my pf config. how can i make it better please? more complete, more specific, more accurate, more strict, etc

i want to make it /perfect/

there any downside to skipping unbound and just putting nameserver ips in /etc/resolv.conf?

:q

demido: Nope.

ok nice that's good for low mem installs

ek you fix your bhyve issue?

If you have available nameservers accessible, resolv.conf will point to the right places to do the lookups.

demido: Nope. Bhyve still broken (for re-use of vm names.) Otherwise, it works really well.

you open a bugzilla for it?

Well, re-use of vm names and Windows 11 (ugh...) Those are struggling pretty hard. But, I don't use them, so it doesn't bother me much.

demido: Not yet. I need to figure out how to make it reproducible. Problem is, I can't just keep doing reboots to figure it out. So, kind of between a rock and hard place.

demido: Do keep in mind that you can also use Unbound to relay to your default nameservers and it'll cache. Making replies not only faster, but a little less internet traffic as a whole. It'll save a tiny bit space on the install, but won't really much (any) extra load on the system.

... unless it's a really, really low-resource system (like a dog turd with potato power, or something.)

1G total mem fwiw

Yep. It won't even touch 1% of that as far as I've seen.

Small VM's and such where I use Unbound (just by default as a caching NS server generally run around 0.01 CPU usage and 25-100MG RAM.

(Active)

this box is just a wireguard server so don't know how much dns it'll be doing. not sure it's worth that

If it's a endpoint, probably a lot?

s/a/an/

maybe i'll pflog it and watch

Sure. Can't hurt to monitor. Again, if it's an endpoint, it'll be doing lookups and routes for anything external. If you have internal DNS servers and it's not an endpoint, it wouldn't do really do anything.

ek feels really nice being back to no swap. i had done that before but ppl convinced me it was a bad idea. but i'm with you, never had swap help me only had it hurt me

i don't overcommit boxes so i don't need any cheats

The only time it's ever mattered for me was for panics. But, even then, mostly not helpful. Also, I haven't had a FBSD panic is years and years.

Not to mention, even when I do set up swap, it's never used anyway.

yea

I guess it's just one of those things. By, default 2GB isn't much to spare for SWAP for emergency panic info. But, if they system ends up using it (or not,) it's slow and basically worthless these days.

:q

Oops, the trap of tabbing. ;)

Pauli1: It happens to everyone (me more often than I'd like.)

Howdy everyone. I got a new SSD for my computer, installed freebsd on it (had freebsd on the HDD too) and due to lack of experience I didn't realize leaving the default name "zpool" for the ZFS pool would render my other drive un-bootable. Is there any way to recover the other drive's data?

mountainman1312: i'm the opposite of an expert, but if i were in your shoes i would first physically remove one disk. then rename to pool of the remaining one, and reinsert the previously conflicting disk again.

just fyi #zfs also exists

demido: thanks, I'll hop over there

just did a fresh install and config of 14.2 and when i boot i get "fssh_kex_exchange_identification connection reset by peer" to console. what can cause that?

ek i'm trying to see how many dns requests are going out from the wg client but all i can see in pf log on wg server is dns requests from the wg server, and nat pings out from the wg client, not showing nat dns requests out from the wg client

now that i think about it, wg client dns requests wouldn't be performed by the wg server unless i set that up somewhere right? i actually wonder where they're going

i'll bet the wg client is putting them out over ITS dns server, which is my home router ip. that sound right ek?

demido: are you progressing with solving FreeBSD issues ?

mzar ya basically i turned off swap and problem solved lol. i'm using wired_memory="yes" for bhyve guests but not sure if i even need it anymore

nice; I cannot help much with wired_memory="yes", I have never been using it

demido: good luck with FreeBSD

how much ram is biggest bhyve guest you made?

ty

12 or 16GB IIRC

ah ok

I prefer jails, especialy those without VNET

why no vnet

less overhead

i noticed /etc/resolv.conf doesn't have options edns0, should i add that?

anyone know why wg client would get abysmal throughput between wg server? i started a curl dl of debian iso on wg client, saw it was slow, started same dl on wg server and it finished in a minute. meanwhile wg client dl is saying 2 hours?

mzar: it's on now

anyone know why wg client would get abysmal throughput between wg server? i started a curl dl of debian iso on wg client, saw it was slow, started same dl on wg server and it finished in a minute. meanwhile wg client dl is saying 2 hours? if i sftp from wg client to wg server, i can dl the file in like 30 sec. the only wg server pf rule i have

enabled is the wg client nat so it can pass traffic

demido: are you using tcp for wireguard connection?

no udp

gt ^

anyone know why wg client would get abysmal bw through wg server? i started a curl dl of freebsd iso on wg client, saw it was slow, started same dl on wg server and it was fast. if i sftp iso from wg server to wg client, it's fast. the only wg server pf rule i have enabled is the wg client nat so it can pass traffic. what could be making my wg

connection so slow?

(cleaned up text)

demido: I haven't had that experiene with wg, it has always performed flawlessly for me.

demido: idk, it could've been a tcp meltdown if it was tcp

do you use wg over tcp or udp?

udp everytime

im using set reassemble yes in pf, good?

I think that's the default anyways

you modify any mtu anywhere?

no

modify mss or anything else?

did you track this issue to your pf setup?

no

if I'd start with that

i have no clue what the problem is

if possible*

well i commented out every rule i had

so all i have left in pf.conf is: set block-policy drop, set reassemble yes, set skip on lo, nat on vtnet0 inet from {<wg_addys>} to any -> vtnet0 that's IT

see any probs?

no

thing is, you want to rule out pf

anyways

how can i do that?

i need the nat rule for wg client to get traffic through no?

I don't know, do you?

it depends on your topology

if you can test your wg setup without any nat that will give you a way of ruling out pf

fails to resolve domain

then remove the name and point to the ip instead

or add it to /etc/hosts

ya no traffic passes even by ip

how do you pass wg client traffic through your wg server without a pf nat rule?

gt ^

if your setup is simply a box acting as a gateway for a bunch of wireguard peers, then you do need nat at the wan interface

ok

and as you see i have a few options and 1 nat rule, so it can't be pf man

what the f could be making my wireguard connection so slow

maybe freebsd isn't a good wg server yet?

is there anywhere detailing wifi development of fbsd? like how is 802.11ac support on intel cards?

it's getting there

not much details tho

demido: I doubt that

ketas: i heard there is a push to improve laptop support

good to hear though

morpho: freebsdfoundation.org/project/wifi-update-intel-drivers-and-802-11ac

demido: I guess you could play with the mtu and mss values a bit. See if you can find a better mtu and then lower max-mss to match it

gt already tried playing with mtu, didn't really change anything

i tried 1380, 1280, few more

try setting max-mss to the mtu of your wg interface

max-mss in wg0.conf or?

pf

gt like match in all scrub    (no-df random-id max-mss 1420)?

demido: yes, assuming 1420 is your mtu

should i remove any of that? or should i remove set reassemble yes? i believe that conflicts with the older no-df

I'd try it as is first, idk you need to disable reassemble

no-df and reassemble are related to fragmentation but they're are not controlling the same thing

gt termbin.com/wchn

didn't help

what else can i try?

also maybe try it on wg0 alone

match in on wg0

tried, no better

match in on wg0 all scrub ...

remove all

termbin.com/fhi7k no better

hey there, are you guys enforcing user autentication for wireguard?

and each time, i reload pf rules. then on wg client i down the interface, up it, and try the dl again

cybercrypto just using pub/priv key

demido: same here. I am looking into some alternative. In case of lost/stolen device (keys will be visible)

nimaje: does this mean the latest BSD release will have 802.11ac speeds now? I used fBSD a few years back and had to run a linux vm and pipe the wifi through

termbin.com/sqon is my whole config for the slow wireguard setup

wifibox i think it was called

gt any other ideas?

demido: not much, maybe remove in, do match on wg0

btw did you get to test the link speed with something like iperf or scp'ing a big file?

no change

well i could sftp the file down from wg server to wg client and it was fast

but no iperf yet

can't believe i'm the only person that can't get wireguard server running fast in freebsd like wtf

that makes you special one

maybe you found a bug

hey there! I've used /boot/loader.conf to pass through a PCI NIC to bhyve

it does show as ppt0 when doing `vm passthru`

my question is: can I release so the NIC is again available to the host system (not the VM) without rebooting, or is a reboot after commenting out the pptdevs= section of loader.conf mandatory at this stage?

thanks in advance!

veg: try kenv -u (compare kenv(1) first), I have not tested it, but that's what comes to mind first

morpho: it is an active project of the freebsd foundation, no idea if any code from it got merged in any stable branch (or produced at all), I hoped that site has more information about the status of it, but I haven't read it

thanks for the tip, mzar

unfortunately, after `kenv -u pptdevs`, `kenv -l pptdevs` returns "unable to get pptdevs" (whereas it was reporting the PCI address before), but the NIC does not show up still, and `vm passthru` still reports the PCI address as being passed through; I guess a reboot it will be :)

veg: after removing from kenv variables, you'll probably need to rescan PCI bus, but I doubt it's feasible

veg: try "devctl rescan pci0" after clearing pptdevs

is a vnet jail (or host) required for running tailscale on freebsd? or is it possible to enable /dev/tun in a loopback jail

scoobybejesus: regardless to access to /dev/tun you'll probably need access to manipulating FIB tables and will not work without VNET

i see, thank you

scoobybejesus: but yes, you can enable access to /dev/tun* devices from non-vnet jail

ouch, too late, I had rebooted already, mzar, but I'm writing that down in case I get another occasion to try it out, thanks a bunch!

veg: let us know if is it possible to get this device back or not

when you will have opportunity to test, of course

will do, mzar! It's a production server though, so I'm not too keen on rebooting unless needed :)

veg: cool; perhaps the right path will be kenv -u ... && devctl delete ... && devctl rescan pci0

a VNET jail, despite having its own fancy network interface could just as easily be a loopback-only jail, right? just choose lo0 and everything should be fine? it's on a VPS with one public IP, so i just want to give it a loopback address like everything other jail

veg: kenv -u ... && devctl delete ... && devctl rescan pci0 is proven to work

thanks for the opportunity to test

scoobybejesus: in non-vnet jail you have access not only lo devices, also aliases on NICs shared by the host can be used

i never had good luck with shared networking, though in theory you're right

for now, i need a VNET jail to be confined to loopback

OK

veg: moreover, you can also steal the device this way from the system and then passthrough it to bhyve without rebooting

this is proving tricky. bastille can't create a vnet jail on the loopback device. i created it on vtnet0, and now i guess i have routing problems

ok, regarding my earlier ipfw tablearg problem, i've traced the issue to ipfw table value corruption. see bugs.freebsd.org/bugzilla/show_bug.cgi?id=284691

i need destination, gateway, flags, netif to be: 10.0.0.184, link#3, UH, bastille0. perhaps I can set that in rc.conf?

is freebsd is better than linux to host AI? gpus nvidia drivers ok?

eniac: i have 14.2 running on a lenovo laptop with nvidia0: <NVIDIA GeForce RTX 4070 Laptop GPU> on vgapci0

nvidia-driver-550.127.05.1401000 NVidia graphics card binary drivers for hardware OpenGL rendering

nvidia-drm-61-kmod-550.127.05.1401000_1 NVIDIA DRM Kernel Module

and i need it to be nat'd.. hmm.

running X. works fine. i don't know anything about hosting AI though, sorry

jpb nice.. never tried to run ollama?

vllm?

eniac: no - sorry.

i've got some other things on my plate atm

btw - love the nick.

old school cool

everything is broken :<

jbo tks

one day I might get upset enough to maintain my own ports tree :/

Wait... What? What's broken?

I'm gana slap FreeBSD on my server tonight I think

unless someone can convince me why I would chose NetBSD instead?

elsheepo: Different systems, different strengths. Try them both if you can.

I have a feeling NetBSD would probably be more appropriate

but maybe freebsd is a little more friendly? idk

elsheepo: Don't forget OpenBSD and Dragonfly.

gana have to watch more youtube videos

aybe more appropriate if you're running it on a dreamcast or toaster

lol

rtprio: ngl I was thinking along the same lines...

no doubt a highly capable brother system though

elsheepo: ooc, why did you have a feeling that netbsd would be more appropriate?

i have a wireguard setup that's 'working' but the wg client gets tiny throughput. any help appreciated termbin.com/u89g

demido: did you do the iperf test?

not yet just woke up

going to soon tho

gt, less thrills, more of a work-horse server

doesn't need a gui

you don't need a gui on freebsd either

I'm curious to hear your opinions on these three BSD variants, FreeBSD v OpenBSD v NetBSD

particularly, the strengths of each, if anyone would be so kind

I know I can just as easily Google it, but I'd like to hear directly from the community if/when possible

ok got it...

wow

termbin.com/et91 is my wireguard setup that works (but has tiny throughput down to wg client) including iperf tests from wg client to wg server over tunnel, wg client to wg server over inet, and wg server to wg client over tunnel

how tiny? 71MBytes seems plenty fast to me

when i try to dl freebsd or linux iso from the mirror sites it CRAWLS. like saying 80 hours to dl