-
pike
norm [-i|-b] [level] ;)
-
pike
Btw, I am running 14.3 on my Thinkpad X260 for a couple of days now and I have a strange issue
-
pike
Sometimes when I type, the screen freezes, and when I then type the next key it unfreezes
-
pike
I haven't used this laptop very much but this behavior seems very odd.
-
zilti
I have a PF question: I have a WireGuard gateway and servers A and B that are both connected to it. A and B can both successfully SSH into the gateway, and vice versa, as well as access the internet via the gateway. But what PF rules do I need so A and B can connect to each other?
-
zilti
I assumed `pass quick on $wg_if` would be enough, but it seems not.
-
zilti
I am on the webchat, so sorry for eventual disconnects. I am sure the solution is very simple, but I always had my troubles grokking PF rules for some reason
-
carneous
zilti: do the servers know how to route to each other?
-
zilti
carneous: Good question, I don't quite know for sure... Gateway is 10.0.0.1/8, A is 10.1.0.0/8 and B is 10.2.0.0/8, and A and B have AllowedIPs of 10.0.0.0/8 in the Peer section, so at least in that regard they have the correct settings. But that's as much as there is.
-
zilti
Here's the pf.conf by the way
termbin.com/1n59
-
burie
I am trying to use samba on freebsd with zfs as a storage pool for proxmox, but if I do preallocate I get mke2fs errors when I try installing OSes, and if I don't preallocate I get "lost async page write". I don't get this error when I host with the same samba config on linux. Config is this
pastebin.com/RUYzFjTf I am testing with Fedora 41 and 42 isos. I'm not seeing anything in the logs. Any suggestions?
-
zilti
Okay this has just completely entered Madtown here. I adjusted the configs somewhat, and now A can only ssh to the gateway, and B can neither ssh to A nor the gateway. And the gateway also cannot ssh to any of the two.
-
burie
samba420-4.20.7_6 is installed on freebsd. On the linux server it is 4.21.6-1
-
zilti
...I don't get it. I don't get any of this anymore. Is there a minimal wireguard/pf example somewhere about how I can have a wireguard setup where the clients can connect to each other?
-
scottpedia
zilti: have you tried ipsec?
-
scottpedia
i haven't had much experience dealing with wireguard but I know for sure the feature you are asking for can be easily satisfied with an ipsec vpn setup zilti
-
zilti
Is it possible to set subnet specific default routers?
-
scottpedia
zilti: normally that is done with iptables
-
scottpedia
now nftables
-
scottpedia
you add certain routes that allow intra-subnet comm.
-
scottpedia
not sure how wireguard works though
-
mengzhuo
Hi, I want to update a port's (chinese/ibus-table-chinese) version with all shasums; is there a cli tool for this?
-
zilti
Well, right now wireguard doesn't work at all anymore for me
-
scottpedia
zilti: how so?
-
zilti
scottpedia: I don't even know anymore. The clients can ssh neither to each other nor to the server, it'll just time out; and the server cannot ssh to the clients, that one will immediately fail with a "no route to host"
-
scottpedia
zilti: do you HAVE to use wireguard?
-
scottpedia
if not, I may help you with setting up a working ipsec alternative.
-
zilti
The host and one of the clients have a defaultrouter set due to having a static public IP
-
zilti
Wireguard itself is not the issue though, it connects fine and I have a "wg0" interface on each
-
zilti
The non-static client and the server were able to ssh to each other before I added the defaultrouter to the latter, so I assume the routing is the issue
-
zilti
Why is networking such an awful mess?
-
scottpedia
it's not easy
-
scottpedia
but if you need help with a possible ipsec alternative, give me a ping zilti
-
zilti
Thank you, but I'm sorry, I don't want to start from zero again with a different set of tools
-
scottpedia
okay
-
zilti
Oh I can't believe it, two machines, identical config apart from the privkey, one shows up on the wireguard status as "allowed ips: (none)", the other as "allowed ips: fd00::/8, 10.0.0.0/8" as it should, god fucking damned pile of steaming shit
-
rtprio
wireguard?
-
nxjoseph
rtprio: yes
-
rtprio
yes, it is
-
rtprio
i am having ipv4 mtu problems with ssh over wireguard
-
pike
Btw, I am running 14.3 on my Thinkpad X260 for a couple of days now and I have a strange issue
-
pike
Sometimes when I type, the screen freezes, and when I then type the next key it unfreezes and shows 2 keystrokes
-
pike
I haven't used this laptop very much but this behavior seems very odd.
-
CrtxReavr
pike, booted from some other OS images, to see if it happens on them? Sounds like a hardware issue to me.
-
aic
rtprio: try sysctl -w net.ipv4.tcp_mtu_probing=1
-
aic
oh sorry didn't notice I'm in FreeBSD and not RedHat
-
rtprio
will that work on the destination server (freebsd) despite the client and wg endpoint being linux? :|
-
aic
quick google search says freebsd equivalent may be called net.inet.tcp.path_mtu_discovery
-
nxjoseph
% sysctl -a | grep discove
-
nxjoseph
net.inet.tcp.path_mtu_discovery: 1
-
rtprio
it's already 1
-
nxjoseph
net.inet.tcp.path_mtu_discovery: Enable Path MTU Discovery
-
rtprio
i just get the feeling that changing the mtu doesn't actually take effect
-
rtprio
but don't really have a great way to test it
-
nxjoseph
rtprio: does ifconfig show the mtu you want?
-
rtprio
bash: ifconfig: command not found
-
nxjoseph
is it linux?
-
rtprio
sadly, yes, the client is linux
-
nxjoseph
don't know if `ip a` would show the mtu
-
rtprio
according to the wireguard config, it's 1420. on both ends
-
nxjoseph
i don't know much about subnets but IIRC, when I used a /8 subnet or /0, clients were not able to reach each other; maybe try something other than a /8 subnet?
-
rtprio
they can reach each other. pings work
-
rtprio
just full packets don't seem to
-
nxjoseph
rtprio: hmm
-
rtprio
it seems to hang at "debug1: expecting SSH2_MSG_KEX_ECDH_REPLY"
-
jgh
I've seen pmtud fail to work, on Fedora. Set a lower MTU static, fine
-
jgh
actually I did it with a firewall MSS-clamp, I think
-
rwp
Without reading all of the scrollback about path MTU discovery, the most typical reason I have seen that fail is that people have firewall blocked ICMP which is required. And note that IPv6 absolutely requires ICMP to work.
-
rwp
A workaround hack that people often use is to set the local segment to MTU 1280 as that is the smallest MTU value that all IPv6 *must* support. And then even if path discovery fails that will usually work because that's the smallest value of any segment down the connection path.
-
jgh
net.ipv4.tcp_mtu_probing in theory works without ICMP. In practice, it didn't for me
-
rtprio
i'm only v4 at the moment
-
rtprio
ping doesn't work back through the tunnel, maybe that's breaking mtu discovery
-
rwp
If ping is blocked, then since ping is ICMP, probably the other ICMP types required for Path MTU Discovery are also blocked? Usually for IPv4 this does not cause problems in practice when all path segments are MTU 1500 already (shrug).
-
rtprio
rwp: yeah, probably the rest are blocked. i wish they were 1500 all the time, ooof
-
pike
hey ivy so I've played around with audacity and sox
-
pike
audacity has recently added what I need, it is called 'Loudness Normalization' and I need RMS mode. I haven't found something similar in sox yet.
-
pike
ivy, I believe that I found a solution in ffmpeg-normalize a python script :)
-
jmnbtslsQE
rtprio: if the problem packets are originating from elsewhere (not originating from where the interface in question is located), maybe you can do netstat -rnW to check the mtu (where the packet originates), and then change it with route change ... -mtu MTU if needed
-
jmnbtslsQE
also... netstat -WACnp tcp, where the connection originates, to check the MSS for the problem connection, and net.inet.tcp.hostcache.purgenow=1 to force it to reset it... not sure if all this applies for your case
-
jmnbtslsQE
ah maybe it's irrelevant because you already tried it or it's on linux
-
jmnbtslsQE
well you can change the mtu in linux also if needed
-
rtprio
as i said, i did but it still behaves weird
-
rtprio
i'll maybe try again at 1400?
-
jmnbtslsQE
rtprio: i thought maybe the problem is you are forwarding a packet from elsewhere, which is too big, through the tunnel, not that your wireguard iface mtu is too high. not sure of the topology and where packets are being dropped.
-
jmnbtslsQE
i haven't used wireguard though..ipsec has been pretty good for me personally
-
ketas
eh
-
ketas
anyway, low but cursed bug eh
-
pike
I've also found a bug :p This bug causes quite abnormally large output files...
slhck/ffmpeg-normalize #286
-
voy4g3r2
Hello everyone - There is a small discussion, occurring on discord, about the wiki.freebsd.org page and a thread in our forums:
forums.freebsd.org/threads/the-jour…bsd-org-area-of-our-community.98409 and I was wondering if anyone had any thoughts/inputs on this topic? If so, would you be so kind as to provide input. We are investigating the update/refinement of the wiki
-
voy4g3r2
and would appreciate any input/comments you may have. Thanks in advance.
-
ivy
so surprisingly enough, CLion remote development actually works on FreeBSD, despite being described as Linux-only