00:06:44 so i'm setting up a freebsd box as a wireguard server with 1 wireguard client. i'll want wg client to be able to pass its traffic out through wg server, and it obviously needs to be able to receive return traffic through wg server. also, wg server needs to forward traffic coming in on a certain port range to the wg client. i'm using pf firewall. is
00:06:45 the best way to do that `nat` for wg client out, and `rdr` for port forwarding wg client in?
00:30:11 scoobybejesus: what are you looking for? py311-sopel?
00:30:30 indeed
00:30:35 scoobybejesus: Oh, you got it good, I see now.
00:31:13 I had to pip install it tonight. would love to pkg install it again
01:20:28 Hi, I'm taking a look at the Yazi file manager. But it seems that Nerd Fonts doesn't work with XFCE4 Terminal.
02:25:50 https://termbin.com/yeii are all of my pf config. how can i make it better please? more complete, more specific, more accurate, more strict, etc
02:25:56 i want to make it /perfect/
06:33:01 there any downside to skipping unbound and just putting nameserver ips in /etc/resolv.conf?
06:33:09 :q
06:42:41 demido: Nope.
06:42:59 ok nice that's good for low mem installs
06:43:27 ek you fix your bhyve issue?
06:43:32 If you have available nameservers accessible, resolv.conf will point to the right places to do the lookups.
06:44:04 demido: Nope. Bhyve still broken (for re-use of vm names.) Otherwise, it works really well.
06:44:23 you open a bugzilla for it?
06:44:49 Well, re-use of vm names and Windows 11 (ugh...) Those are struggling pretty hard. But, I don't use them, so it doesn't bother me much.
06:45:33 demido: Not yet. I need to figure out how to make it reproducible. Problem is, I can't just keep doing reboots to figure it out. So, kind of between a rock and hard place.
06:55:36 demido: Do keep in mind that you can also use Unbound to relay to your default nameservers and it'll cache. Making replies not only faster, but a little less internet traffic as a whole.
It'll save a tiny bit of space on the install, but won't really add much (any) extra load on the system.
06:56:34 ... unless it's a really, really low-resource system (like a dog turd with potato power, or something.)
06:56:44 1G total mem fwiw
06:57:13 Yep. It won't even touch 1% of that as far as I've seen.
06:58:41 Small VMs and such where I use Unbound (just by default as a caching NS server) generally run around 0.01 CPU usage and 25-100MB RAM.
06:58:49 (Active)
06:59:33 this box is just a wireguard server so don't know how much dns it'll be doing. not sure it's worth that
07:00:31 If it's a endpoint, probably a lot?
07:00:43 s/a/an/
07:01:15 maybe i'll pflog it and watch
07:02:52 Sure. Can't hurt to monitor. Again, if it's an endpoint, it'll be doing lookups and routes for anything external. If you have internal DNS servers and it's not an endpoint, it wouldn't really do anything.
07:45:55 ek feels really nice being back to no swap. i had done that before but ppl convinced me it was a bad idea. but i'm with you, never had swap help me only had it hurt me
07:46:15 i don't overcommit boxes so i don't need any cheats
07:49:25 The only time it's ever mattered for me was for panics. But, even then, mostly not helpful. Also, I haven't had a FBSD panic in years and years.
07:49:40 Not to mention, even when I do set up swap, it's never used anyway.
07:50:20 yea
08:08:02 I guess it's just one of those things. By default 2GB isn't much to spare for SWAP for emergency panic info. But, if the system ends up using it (or not,) it's slow and basically worthless these days.
08:18:18 :q
08:19:48 Oops, the trap of tabbing. ;)
08:34:47 Pauli1: It happens to everyone (me more often than I'd like.)
08:41:19 Howdy everyone. I got a new SSD for my computer, installed freebsd on it (had freebsd on the HDD too) and due to lack of experience I didn't realize leaving the default name "zpool" for the ZFS pool would render my other drive un-bootable.
Is there any way to recover the other drive's data?
08:55:31 <|cos|> mountainman1312: i'm the opposite of an expert, but if i were in your shoes i would first physically remove one disk. then rename the pool of the remaining one, and reinsert the previously conflicting disk again.
08:56:31 just fyi #zfs also exists
08:59:17 * |cos| realizes renaming a zpool isn't as trivial as i assumed...
09:00:24 demido: thanks, I'll hop over there
09:26:17 just did a fresh install and config of 14.2 and when i boot i get "fssh_kex_exchange_identification connection reset by peer" to console. what can cause that?
09:36:48 ek i'm trying to see how many dns requests are going out from the wg client but all i can see in pf log on wg server is dns requests from the wg server, and nat pings out from the wg client, not showing nat dns requests out from the wg client
09:37:52 now that i think about it, wg client dns requests wouldn't be performed by the wg server unless i set that up somewhere right? i actually wonder where they're going
09:38:35 i'll bet the wg client is putting them out over ITS dns server, which is my home router ip. that sound right ek?
09:45:15 demido: are you progressing with solving FreeBSD issues?
09:50:44 mzar ya basically i turned off swap and problem solved lol. i'm using wired_memory="yes" for bhyve guests but not sure if i even need it anymore
09:54:43 nice; I cannot help much with wired_memory="yes", I have never used it
09:54:59 demido: good luck with FreeBSD
09:55:02 how much ram is biggest bhyve guest you made?
09:55:05 ty
09:55:24 12 or 16GB IIRC
09:55:47 ah ok
09:56:40 I prefer jails, especially those without VNET
09:57:51 why no vnet
09:59:17 less overhead
10:46:03 i noticed /etc/resolv.conf doesn't have options edns0, should i add that?
11:35:27 anyone know why wg client would get abysmal throughput between wg server? i started a curl dl of debian iso on wg client, saw it was slow, started same dl on wg server and it finished in a minute.
meanwhile wg client dl is saying 2 hours?
12:48:16 mzar: it's on now
12:56:12 anyone know why wg client would get abysmal throughput between wg server? i started a curl dl of debian iso on wg client, saw it was slow, started same dl on wg server and it finished in a minute. meanwhile wg client dl is saying 2 hours? if i sftp from wg client to wg server, i can dl the file in like 30 sec. the only wg server pf rule i have
12:56:13 enabled is the wg client nat so it can pass traffic
13:22:37 demido: are you using tcp for wireguard connection?
13:22:43 no udp
13:27:50 gt ^
13:46:52 anyone know why wg client would get abysmal bw through wg server? i started a curl dl of freebsd iso on wg client, saw it was slow, started same dl on wg server and it was fast. if i sftp iso from wg server to wg client, it's fast. the only wg server pf rule i have enabled is the wg client nat so it can pass traffic. what could be making my wg
13:46:53 connection so slow?
13:46:59 (cleaned up text)
13:57:56 demido: I haven't had that experience with wg, it has always performed flawlessly for me.
13:58:07 demido: idk, it could've been a tcp meltdown if it was tcp
13:58:39 do you use wg over tcp or udp?
13:59:01 udp everytime
13:59:23 im using set reassemble yes in pf, good?
14:01:20 I think that's the default anyways
14:01:35 you modify any mtu anywhere?
14:01:43 no
14:02:04 modify mss or anything else?
14:02:29 did you track this issue to your pf setup?
14:02:39 no
14:02:52 if I'd start with that
14:02:55 i have no clue what the problem is
14:02:56 if possible*
14:03:02 well i commented out every rule i had
14:04:08 so all i have left in pf.conf is: set block-policy drop, set reassemble yes, set skip on lo, nat on vtnet0 inet from {} to any -> vtnet0 that's IT
14:04:12 see any probs?
14:06:05 no
14:06:20 thing is, you want to rule out pf
14:06:27 anyways
14:06:30 how can i do that?
14:06:40 i need the nat rule for wg client to get traffic through no?
14:06:59 I don't know, do you?
14:07:05 it depends on your topology
14:08:05 if you can test your wg setup without any nat that will give you a way of ruling out pf
14:08:29 fails to resolve domain
14:09:43 then remove the name and point to the ip instead
14:09:57 or add it to /etc/hosts
14:11:53 ya no traffic passes even by ip
14:12:07 how do you pass wg client traffic through your wg server without a pf nat rule?
14:33:15 gt ^
14:57:04 if your setup is simply a box acting as a gateway for a bunch of wireguard peers, then you do need nat at the wan interface
15:05:14 ok
15:05:31 and as you see i have a few options and 1 nat rule, so it can't be pf man
15:05:43 what the f could be making my wireguard connection so slow
15:05:52 maybe freebsd isn't a good wg server yet?
15:10:03 is there anywhere detailing wifi development of fbsd? like how is 802.11ac support on intel cards?
15:10:41 it's getting there
15:11:06 not much details tho
15:12:23 demido: I doubt that
15:13:33 ketas: i heard there is a push to improve laptop support
15:13:56 good to hear though
15:16:43 morpho: https://freebsdfoundation.org/project/wifi-update-intel-drivers-and-802-11ac/
15:17:56 demido: I guess you could play with the mtu and mss values a bit. See if you can find a better mtu and then lower max-mss to match it
15:18:18 gt already tried playing with mtu, didn't really change anything
15:18:30 i tried 1380, 1280, few more
15:19:02 try setting max-mss to the mtu of your wg interface
15:20:43 max-mss in wg0.conf or?
15:21:58 pf
15:25:53 gt like match in all scrub (no-df random-id max-mss 1420)?
15:29:40 demido: yes, assuming 1420 is your mtu
15:30:33 should i remove any of that? or should i remove set reassemble yes? i believe that conflicts with the older no-df
15:36:04 I'd try it as is first, idk if you need to disable reassemble
15:36:38 no-df and reassemble are related to fragmentation but they're not controlling the same thing
15:37:42 gt https://termbin.com/wchn
15:38:03 didn't help
15:38:08 what else can i try?
15:38:36 also maybe try it on wg0 alone
15:38:39 match in on wg0
15:39:40 tried, no better
15:39:59 match in on wg0 all scrub ...
15:41:45 remove all
15:42:50 https://termbin.com/fhi7k no better
15:43:03 hey there, are you guys enforcing user authentication for wireguard?
15:43:05 and each time, i reload pf rules. then on wg client i down the interface, up it, and try the dl again
15:43:21 cybercrypto just using pub/priv key
15:44:37 demido: same here. I am looking into some alternative. In case of lost/stolen device (keys will be visible)
15:49:15 nimaje: does this mean the latest BSD release will have 802.11ac speeds now? I used fBSD a few years back and had to run a linux vm and pipe the wifi through
15:53:08 https://termbin.com/sqon is my whole config for the slow wireguard setup
15:55:32 wifibox i think it was called
15:58:57 gt any other ideas?
16:08:43 demido: not much, maybe remove in, do match on wg0
16:09:19 btw did you get to test the link speed with something like iperf or scp'ing a big file?
16:09:45 no change
16:09:57 well i could sftp the file down from wg server to wg client and it was fast
16:10:01 but no iperf yet
16:19:07 can't believe i'm the only person that can't get wireguard server running fast in freebsd like wtf
16:20:08 that makes you special one
16:20:18 maybe you found a bug
16:42:27 hey there! I've used /boot/loader.conf to pass through a PCI NIC to bhyve
16:42:49 it does show as ppt0 when doing `vm passthru`
16:43:55 my question is: can I release it so the NIC is again available to the host system (not the VM) without rebooting, or is a reboot after commenting out the pptdevs= section of loader.conf mandatory at this stage?
16:44:00 thanks in advance!
16:51:06 veg: try kenv -u (compare kenv(1) first), I have not tested it, but that's what comes to mind first
17:02:36 morpho: it is an active project of the freebsd foundation, no idea if any code from it got merged in any stable branch (or produced at all), I hoped that site has more information about the status of it, but I haven't read it
17:09:30 thanks for the tip, mzar
17:11:12 unfortunately, after `kenv -u pptdevs`, `kenv -l pptdevs` returns "unable to get pptdevs" (whereas it was reporting the PCI address before), but the NIC does not show up still, and `vm passthru` still reports the PCI address as being passed through; I guess a reboot it will be :)
17:29:05 veg: after removing from kenv variables, you'll probably need to rescan PCI bus, but I doubt it's feasible
17:39:32 veg: try "devctl rescan pci0" after clearing pptdevs
17:43:41 is a vnet jail (or host) required for running tailscale on freebsd? or is it possible to enable /dev/tun in a loopback jail
17:45:46 scoobybejesus: regardless of access to /dev/tun you'll probably need access to manipulating FIB tables and it will not work without VNET
17:46:06 i see, thank you
17:54:56 scoobybejesus: but yes, you can enable access to /dev/tun* devices from non-vnet jail
17:57:51 ouch, too late, I had rebooted already, mzar, but I'm writing that down in case I get another occasion to try it out, thanks a bunch!
17:58:44 veg: let us know if it is possible to get this device back or not
18:00:01 when you have the opportunity to test, of course
18:13:53 will do, mzar! It's a production server though, so I'm not too keen on rebooting unless needed :)
18:45:57 veg: cool; perhaps the right path will be kenv -u ... && devctl delete ... && devctl rescan pci0
19:00:27 a VNET jail, despite having its own fancy network interface could just as easily be a loopback-only jail, right? just choose lo0 and everything should be fine?
it's on a VPS with one public IP, so i just want to give it a loopback address like every other jail
19:15:03 veg: kenv -u ... && devctl delete ... && devctl rescan pci0 is proven to work
19:15:45 thanks for the opportunity to test
19:18:36 scoobybejesus: in non-vnet jail you have access not only to lo devices, also aliases on NICs shared by the host can be used
19:19:14 i never had good luck with shared networking, though in theory you're right
19:19:43 for now, i need a VNET jail to be confined to loopback
19:21:22 OK
19:22:36 veg: moreover, you can also steal the device this way from the system and then passthrough it to bhyve without rebooting
19:59:45 this is proving tricky. bastille can't create a vnet jail on the loopback device. i created it on vtnet0, and now i guess i have routing problems
20:01:26 ok, regarding my earlier ipfw tablearg problem, i've traced the issue to ipfw table value corruption. see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284691
20:02:03 i need destination, gateway, flags, netif to be: 10.0.0.184, link#3, UH, bastille0. perhaps I can set that in rc.conf?
20:03:23 is freebsd better than linux to host AI? gpus nvidia drivers ok?
20:06:11 eniac: i have 14.2 running on a lenovo laptop with nvidia0: on vgapci0
20:06:46 nvidia-driver-550.127.05.1401000 NVidia graphics card binary drivers for hardware OpenGL rendering
20:06:55 nvidia-drm-61-kmod-550.127.05.1401000_1 NVIDIA DRM Kernel Module
20:07:15 and i need it to be nat'd.. hmm.
20:07:47 running X. works fine. i don't know anything about hosting AI though, sorry
20:14:23 jpb nice.. never tried to run ollama?
20:14:55 vllm?
21:13:31 eniac: no - sorry.
21:14:12 i've got some other things on my plate atm
21:14:30 btw - love the nick.
21:16:07 old school cool
21:19:04 everything is broken :<
21:20:04 jbo tks
21:21:06 one day I might get upset enough to maintain my own ports tree :/
21:25:14 Wait... What? What's broken?
21:35:32 I'm gonna slap FreeBSD on my server tonight I think
21:35:51 unless someone can convince me why I would choose NetBSD instead?
21:37:03 elsheepo: Different systems, different strengths. Try them both if you can.
21:37:42 I have a feeling NetBSD would probably be more appropriate
21:37:53 but maybe freebsd is a little more friendly? idk
21:38:05 elsheepo: Don't forget OpenBSD and Dragonfly.
21:40:15 gonna have to watch more youtube videos
21:59:26 maybe more appropriate if you're running it on a dreamcast or toaster
22:52:16 lol
23:02:37 rtprio: ngl I was thinking along the same lines...
23:07:00 no doubt a highly capable brother system though
23:08:46 elsheepo: ooc, why did you have a feeling that netbsd would be more appropriate?
23:20:24 i have a wireguard setup that's 'working' but the wg client gets tiny throughput. any help appreciated https://termbin.com/u89g
23:25:24 demido: did you do the iperf test?
23:27:30 not yet just woke up
23:27:37 going to soon tho
23:38:57 gt, less thrills, more of a work-horse server
23:39:08 doesn't need a gui
23:41:32 you don't need a gui on freebsd either
23:51:26 I'm curious to hear your opinions on these three BSD variants, FreeBSD v OpenBSD v NetBSD
23:51:48 particularly, the strengths of each, if anyone would be so kind
23:52:17 I know I can just as easily Google it, but I'd like to hear directly from the community if/when possible
23:54:05 ok got it...
23:54:11 wow
23:55:22 https://termbin.com/et91 is my wireguard setup that works (but has tiny throughput down to wg client) including iperf tests from wg client to wg server over tunnel, wg client to wg server over inet, and wg server to wg client over tunnel
23:56:47 how tiny? 71MBytes seems plenty fast to me
23:58:16 when i try to dl freebsd or linux iso from the mirror sites it CRAWLS. like saying 80 hours to dl