00:02:56 norm [-i|-b] [level] ;)
00:46:52 Btw, I am running 14.3 on my Thinkpad X260 since a cpl of days and I got a strange issue
00:47:35 Sometimes when I type the screen freezes and when I then type next key it unfreezes
00:48:09 I haven't used this laptop very much but this behavior seems very odd.
09:16:37 I have a PF question: I have a WireGuard gateway and servers A and B that are both connected to it. A and B can both successfully SSH into the gateway, and vice versa, as well as access the internet via the gateway. But what PF rules do I need so A and B can connect to each other?
09:17:13 I assumed `pass quick on $wg_if` would be enough, but it seems not.
09:17:58 I am on the webchat, so sorry for eventual disconnects. I am sure the solution is very simple, but I always had my troubles grokking PF rules for some reason
10:20:00 zilti: do the servers know how to route to each other?
10:25:38 carneous: Good question, I don't quite know for sure... Gateway is 10.0.0.1/8, A is 10.1.0.0/8 and B is 10.2.0.0/8, and A and B have AllowedIPs of 10.0.0.0/8 in the Peer section, so at least in that regard they have the correct settings. But that's as much as there is.
10:32:16 Here's the pf.conf by the way https://termbin.com/1n59
10:52:08 I am trying to use samba on freebsd with zfs as a storage pool for proxmox but if I do preallocate I get mke2fs errors when I try installing oses and if I don't preallocate I get lost async page write. I don't get this error when I host with the same samba config on linux. Config is this https://pastebin.com/RUYzFjTf I am testing with Fedora 41 and 42 isos. I'm not seeing anything in the logs. Any suggestions?
11:04:59 Okay this has just completely entered Madtown here. I adjusted the configs somewhat, and now A can only ssh to the gateway, and B can neither ssh to A nor the gateway. And the gateway also cannot ssh to any of the two.
11:08:06 samba420-4.20.7_6 is installed on freebsd. On the linux server it is 4.21.6-1
11:41:51 ...I don't get it. I don't get any of this anymore. Is there a minimal wireguard/pf example somewhere about how I can have a wireguard setup where the clients can connect to each other?
12:13:49 zilti: have you tried ipsec?
12:22:07 i haven't had much experience dealing with wireguard but I know for sure the feature you are asking for can be easily satisfied with an ipsec vpn setup zilti
12:48:01 Is it possible to set subnet specific default routers?
12:52:55 zilti: normally that is done with iptables
12:53:03 now nftables
12:53:22 you add certain routes that allow intra-subnet comm.
12:53:38 not sure how wireguard works though
12:56:40 Hi, I want to update ports(chinese/ibus-table-chinese) version with all shasum, is there a cli tool for this?
12:57:15 Well, right now wireguard doesn't work at all anymore for me
12:58:28 zilti: how so?
13:00:12 scottpedia: I don't even know anymore. The clients can ssh neither to each other nor to the server, it'll just time out; and the server cannot ssh to the clients, that one will immediately fail with a "no route to host"
13:00:37 zilti: do you HAVE to use wireguard?
13:00:55 if not, I may help you with setting up a working ipsec alternative.
13:01:04 The host and one of the clients have a defaultrouter set due to having a static public IP
13:01:36 Wireguard itself is not the issue though, it connects fine and I have a "wg0" interface on each
13:03:05 The non-static client and the server were able to ssh to each other before I added the defaultrouter to the latter, so I assume the routing is the issue
13:15:48 Why is networking such an awful mess?
13:20:35 it's not easy
13:20:57 but if you need help with a possible ipsec alternative, give me a ping zilti
13:21:39 Thank you, but I'm sorry, I don't want t
13:21:54 o start from zero again with a different set of tools
13:27:35 okay
14:19:16 Oh I can't believe it, two machines, identical config apart from the privkey, one shows up on the wireguard status as "allowed ips: (none)", the other as "allowed ips: fd00::/8, 10.0.0.0/8" as it should, god fucking damned pile of steaming shit
15:28:14 wireguard?
15:28:32 rtprio: yes
15:28:43 yes, it is
15:28:46 rtprio: https://forums.freebsd.org/threads/wireguard-and-pf-have-clients-be-able-to-connect-to-each-other.98414
15:29:07 i am having ipv4 mtu problems with ssh over wireguard
15:52:29 Btw, I am running 14.3 on my Thinkpad X260 since a cpl of days and I got a strange issue
15:52:47 Sometimes when I type the screen freezes and when I then type next key it unfreezes and shows 2 keystrokes
15:52:56 I haven't used this laptop very much but this behavior seems very odd.
15:57:54 pike, booted from some other OS images, to see if it happens on them? Sounds like a hardware issue to me.
16:14:32 rtprio: try sysctl -w net.ipv4.tcp_mtu_probing=1
16:15:15 oh sorry didn't notice I'm in FreeBSD and not RedHat
16:15:36 will that work on the destination server (freebsd) despite the client and wg endpoint being linux? :|
16:16:34 quick google search says freebsd equivalent may be called net.inet.tcp.path_mtu_discovery
16:16:57 % sysctl -a | grep discove
16:16:57 net.inet.tcp.path_mtu_discovery: 1
16:17:01 it's already 1
16:17:32 net.inet.tcp.path_mtu_discovery: Enable Path MTU Discovery
16:17:55 i just get the feeling that changing the mtu doesn't actually take effect
16:18:03 but don't really have a great way to test it
16:18:07 rtprio: does ifconfig show the mtu you want
16:18:25 bash: ifconfig: command not found
16:18:38 is it linux?
16:18:46 sadly, yes, the client is linux
16:19:06 don't know if `ip a` would show the mtu
16:19:24 according to the wireguard config, it's 1420. on both ends
16:20:39 i don't know much about subnets but IIRC, i was using /8 subnet or /0 and clients were not able to reach each other, maybe try something other than /8 subnet?
16:21:12 they can reach each other. pings work
16:21:18 just full packets don't seem to
16:21:23 rtprio: hmm
16:22:07 it seems to hang at "debug1: expecting SSH2_MSG_KEX_ECDH_REPLY"
16:34:57 I've seen pmtud fail to work, on Fedora. Set a lower MTU static, fine
16:37:28 actually I did it with a firewall MSS-clamp, I think
16:42:04 Without reading all of the scrollback about path MTU discovery, the most typical reason I have seen that fail is that people have firewall blocked ICMP which is required. And note that IPv6 absolutely requires ICMP to work.
16:43:05 A workaround hack that people often use is to set the local segment to MTU 1280 as that is the smallest MTU value that all IPv6 *must* support. And then even if path discovery fails that will usually work because that's the smallest value of any segment down the connection path.
16:46:35 net.ipv4.tcp_mtu_probing in theory works without ICMP. In practice, it didn't for me
16:52:37 i'm only v4 at the moment
16:54:06 ping doesn't work back through the tunnel, maybe that's breaking mtu discovery
16:56:22 If ping is blocked then since ping is icmp then probably other required icmp types required for Path MTU Discovery are also blocked? Usually for IPv4 this does not cause problems in practice when all path segments are MTU 1500 already (shrug).
17:00:51 rwp: yeah, probably the rest are blocked. i wish they were 1500 all the time, ooof
18:27:55 hey ivy so I've played around with audacity and sox
18:28:43 audacity has recently added what I need, it is called 'Loudness Normalization' and I need RMS mode. I haven't found something similar in sox yet.
19:14:53 ivy, I believe that I found a solution in ffmpeg-normalize a python script :)
19:29:18 rtprio: if the problem packets are originating from elsewhere (not originating from where the interface in question is located), maybe you can do netstat -rnW to check the mtu (where the packet originates), and then change it with route change ... -mtu MTU if needed
19:32:22 also...netstat -WACnp tcp , where the connection originates, to check the MSS for the problem connection, net.inet.tcp.hostcache.purgenow=1 to force it to reset it..not sure if all this applies for your case
19:34:26 ah maybe it's irrelevant because you already tried it or it's on linux
19:38:23 well you can change the mtu in linux also if needed
20:11:32 as i said, i did but it still behaves weird
20:11:44 i'll maybe try again at 1400?
21:19:37 rtprio: i thought maybe the problem is you are forwarding a packet from elsewhere, which is too big, through the tunnel, not that your wireguard iface mtu is too high. not sure of the topology and where packets are being dropped.
21:20:13 i haven't used wireguard though..ipsec has been pretty good for me personally
21:33:15 https://openssl-library.org/news/vulnerabilities/#CVE-2025-4575?mptk=f9a4b7b1834ebebeefa703e1bd0ef6502b4851b1fe72531b2cb4236643487f26e4447ae1ba6426c243f73dbfa0f9a0a6_4d6f2db71ecac8a2f71d25cde6068c2c
21:33:20 eh
21:33:30 anyway, low but cursed bug eh
21:33:46 https://openssl-library.org/news/vulnerabilities/#CVE-2025-4575
22:30:36 I've also found a bug :p This bug causes quite abnormally large output files... https://github.com/slhck/ffmpeg-normalize/issues/286
23:20:16 Hello everyone - There is a small discussion, occurring on discord, about the wiki.freebsd.org page and a thread in our forums: https://forums.freebsd.org/threads/the-journey-of-evaluating-the-wiki-freebsd-org-area-of-our-community.98409/ and was wondering if anyone had any thoughts/inputs on this topic? If so, would you be so kind to provide input. We are investigating the update/refinement of the wiki
23:20:22 and would appreciate any input/comments you may have. Thanks in advance.
23:45:38 so surprisingly enough, CLion remote development actually works on FreeBSD, despite being described as Linux-only