#VNet

2025-05-25

If you have a bridge on #FreeBSD with many members, but no addresses (#vnet jails, #bhyve VMs?) there may be a performance improvement for you in this patch that landed in stable/14 cgit.freebsd.org/src/commit/?h

Larvitz :fedora: :redhat: (@Larvitz@burningboard.net)
2025-05-16

After a while of fiddling, I got dual-stack (IPv4 and IPv6) FreeBSD VNet jails working properly and reliably 🙂

The important lessons I've learned:

/etc/sysctl.conf:
+net.link.bridge.inherit_mac=1

/boot/loader.conf:
+if_epair_load="YES"

/etc/rc.conf:
+create_args_bridge0="inet6 auto_linklocal -ifdisabled addm vtnet0"
+ifconfig_vtnet0="up -tso -vlanhwtso"
+rtsold_enable="YES"
+rtsold_flags="-i -m bridge0"

Then, configure ifconfig_bridge0_ipv6 as well as ipv6_defaultrouter for the host to have IPv6 connectivity, and the network configuration in the jail via $jail/etc/rc.conf (the jail of course needs its own IP on the same subnet as the host).

Screenshots of the fully working configuration with a connectivity test are attached :-)

#freebsd #jails #vnet #ipv6 #container #networking

vermaden (@vermaden)
2025-05-08

Added UPDATE 1 - Thoughts After Comments to the FreeBSD Jails Security article.

vermaden.wordpress.com/2025/04

#containers #CVE #docker #freebsd #jail #jails #linux #podman #security #server #vnet #cve

2025-04-11

New FreeBSD Jails Security (versus Podman) article on the blog.

vermaden.wordpress.com/2025/04

#verblog #containers #CVE #docker #freebsd #jail #jails #linux #podman #security #server #vnet


2025-01-05
I never used #TrueNAS. I started directly with vanilla #FreeBSD. My first contact with #Jails was through #ezJails, then, when I discovered #VNET and #ZFS I moved to #iocage. Even if I heard a lot of good things about #BastilleBSD I got so used to #iocage that I never tried it. It's always difficult to move to new tools and I generally do it when I'm forced to (as long as the current tool does the job for me).

Have you tried #iocage? If so, how would you compare it to #BastilleBSD?
Larvitz :fedora: :redhat: (@Larvitz@burningboard.net)
2024-12-15

My main webserver is running FreeBSD and I've been running my services (nginx, postgresql, exim, etc.) in individual jails, each one with a ZFS dataset for its data.

So far, I've been using traditional jails, but now I did successfully implement VNET jails, to give each jail its own IP address and make them communicate via a private network that I've been securing with the pf firewall. Very smooth experience 🙂

Christmas project for this year: Updating my server and jails to FreeBSD 14.2

#success #freebsd #unix #vnet #jails #zfs

2024-09-14

So it seems that if you enable ipfw(8) when running #VNET jails on a #FreeBSD server, the following ruleset will appear in all of the jails:

65535 deny ip from any to any

This means I have to set up ipfw(8) in my VNET jails as well, because all communication (except DHCP?) is blocked.

I have tried to find information online about this behavior of ipfw(8) and VNET jails, but have found nothing. Can someone shed some light on this? 😕
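Each VNET jail has its own network stack and therefore its own ipfw instance, so a fresh jail starts with nothing but the kernel's default rule. As an added example, not part of the post above: a POSIX sh check that classifies what `ipfw list` prints inside a jail, so fully blocked jails (only `65535 deny`) and fully unfiltered ones (only `65535 allow`) both stand out; the `audit_jails` wrapper assumes it runs on the FreeBSD jail host with jls(8) and jexec(8), and the sample rulesets are constructed.

```shell
#!/bin/sh
# Added example (not from the post above): classify the ipfw ruleset a VNET
# jail ends up with, so "only rule 65535 deny" (the surprise in the post) and
# "only rule 65535 allow" (no filtering at all) are both easy to spot.
#
# classify_ipfw_ruleset takes the text that "ipfw list" prints inside a jail
# and echoes one word:
#   default-deny-only   only rule 65535 deny  -> every flow is blocked; the
#                       jail needs its own ruleset (or ipfw disabled in it)
#   default-allow-only  only rule 65535 allow -> the jail is unfiltered
#   configured          the jail carries rules of its own in front of 65535
#   empty               no rules at all (ipfw not active in that vnet)
classify_ipfw_ruleset() {
    # Keep only lines that look like numbered rules; "|| true" keeps an empty
    # ruleset from tripping callers that run under "set -e".
    rules=$(printf '%s\n' "$1" | grep -E '^[0-9]+[[:space:]]' || true)
    if [ -z "$rules" ]; then
        echo empty
        return 0
    fi
    count=$(printf '%s\n' "$rules" | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        echo configured
        return 0
    fi
    # Exactly one rule left: the default rule the kernel installs.
    case "$rules" in
        65535*deny*)                echo default-deny-only ;;
        65535*allow*|65535*accept*) echo default-allow-only ;;
        *)                          echo configured ;;
    esac
}

# Walk every running jail on a FreeBSD host and classify its ruleset.
# Assumes jls(8) and jexec(8) exist, i.e. this runs on the jail host.
# Non-VNET jails share the host's stack, so "jexec ... ipfw list" fails
# there and they are reported as unreachable rather than misclassified.
audit_jails() {
    if ! command -v jls >/dev/null 2>&1; then
        echo "jls not found: run this on the FreeBSD jail host" >&2
        return 1
    fi
    jls jid name | while read -r jid jname; do
        if ruleset=$(jexec "$jid" ipfw list 2>/dev/null); then
            echo "$jname: $(classify_ipfw_ruleset "$ruleset")"
        else
            echo "$jname: ipfw not reachable (non-VNET jail or ipfw not loaded)"
        fi
    done
}

# Constructed sample rulesets, in the format "ipfw list" prints.
SAMPLE_DENY_ONLY='65535 deny ip from any to any'
SAMPLE_ALLOW_ONLY='65535 allow ip from any to any'
SAMPLE_CONFIGURED='00100 allow ip from any to any via lo0
00200 allow tcp from any to me 22 in setup keep-state
00300 allow udp from me to any 53 keep-state
65535 deny ip from any to any'

# Stand-alone demo over the constructed samples (needs no FreeBSD host).
for sample in SAMPLE_DENY_ONLY SAMPLE_ALLOW_ONLY SAMPLE_CONFIGURED; do
    eval "text=\$$sample"
    printf '%-18s -> %s\n' "$sample" "$(classify_ipfw_ruleset "$text")"
done
```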

2024-09-11

I need some advice here. Getting a little dizzy from all the options in jailing systems around networks and access.

I use appjail now until I get the hang of it, not quite ready 😉

I can use a bridge with epairs / vnet / netgraph / a combination of some of them…
DHCP on these options partially works, but not with all combinations.

Bridges/epairs are working on a different server with bastillebsd…

But now to the basic question (I know, it's my lack of basic network skills speaking here):
It is easy to autocreate jails on a subnet interface with a new range (say 10.0.0.0) apart from the normal LAN (192.168.0.0). I can ping the jail on the host but not from the LAN (obvious).

What is the best option to make it work? And how? A practical example or link would help.

#freebsd #lan #jail #vnet #epair #subnet #interfaces #Networking

__sharky__ (@__sharky__)
2024-08-22

That was quick, I just followed this tutorial. I am able to run a Linux container
community.veeam.com/kubernetes

It runs with the bridge setup out of the box, fantastic!

Antranig Vartanian (@antranigv@antranigv.am)
2024-06-23

The FreeBSD-native-ish home lab and network

For many years my setup was pretty simple: A FreeBSD home server running on my old laptop. It runs everything I need to be present on the internet, an email server, a web server (like the one you've accessed right now to see this blog post) and a public chat server (XMPP/Jabber) so I can be in touch with friends.

For my home network, I had a basic Access Point and a basic Router.

Lately, my setup has become more… intense. I have IPv6 thanks to Hurricane Electric, the network is passed to my home network (which we'll talk about in a bit), a home network with multiple VLANs, since friends who come home also need WiFi.

I decided to blog about the details, hoping it would help someone in the future.

I'll start with the simplest one.

The Home Server

I've been running home servers for a long time. I believe that every person/family needs a home server. Forget about buying your kids iPads and Smartphones. Their first devices should be a real computer (sorry Apple, iOS devices are still just a toy) like a desktop/laptop and a home server. The home server doesn't need to be on the public internet, but mine is, for a variety of reasons. This blog being one of them.

I get a static IP address from my ISP, Ucom. After the management change that happened a couple of years ago, Ucom has become a very typical ISP (think shitty), but they are the only ones that provide a static IP address, instead of setting it on your router, where you have to do port forwarding.

My home server, hostnamed pingvinashen (meaning the town of the penguins, named after the Armenian cartoon) runs FreeBSD. Historically this machine has run Debian, Funtoo, Gentoo and finally FreeBSD.

Hardware-wise, here's what it is:

root@pingvinashen:~ # dmidecode -s system-product-name
Latitude E5470
root@pingvinashen:~ # sysctl hw.model
hw.model: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
root@pingvinashen:~ # sysctl hw.physmem
hw.physmem: 17016950784
root@pingvinashen:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
zroot   420G   178G   242G        -         -    64%    42%  1.00x    ONLINE  -

While most homelabbers use hardware virtualization, I think that resources are a tight thing, and should be managed properly. Any company that markets itself as "green/eco-friendly" and uses hardware virtualization should do calculations using a pen and paper and prove if going native would save power/resources or not. (sometimes it doesn't, usually it does)

I use containers, the old-school ones, Jails to be more specific.

I manage jails using Jailer, my own tool, that tries to stay out of your way when working with Jails.

Here are my current jails:

root@pingvinashen:~ # jailer list
NAME        STATE    JID  HOSTNAME              IPv4               GW
antranig    Active   1    antranig.bsd.am       192.168.10.42/24   192.168.10.1
antranigv   Active   2    antranigv.bsd.am      192.168.10.52/24   192.168.10.1
git         Stopped
huginn0     Active   4    huginn0.bsd.am        192.168.10.34/24   192.168.10.1
ifconfig    Active   5    ifconfig.bsd.am       192.168.10.33/24   192.168.10.1
lucy        Active   6    lucy.vartanian.am     192.168.10.37/24   192.168.10.1
mysql       Active   7    mysql.antranigv.am    192.168.10.50/24   192.168.10.1
newsletter  Active   8    newsletter.bsd.am     192.168.10.65/24   192.168.10.1
oragir      Active   9    oragir.am             192.168.10.30/24   192.168.10.1
psql        Active   10   psql.pingvinashen.am  192.168.10.3/24    192.168.10.1
rss         Active   11   rss.bsd.am            192.168.10.5/24    192.168.10.1
sarian      Active   12   sarian.am             192.168.10.53/24   192.168.10.1
syuneci     Active   13   syuneci.am            192.168.10.60/24   192.168.10.1
znc         Active   14   znc.bsd.am            192.168.10.152/24  192.168.10.1

You already get a basic idea of how things are. Each of my blogs (Armenian and English) has its own Jail. Since I'm using WordPress, I need a database, so I have a MySQL jail (which ironically runs MariaDB) inside of it.

I also have a Git server, running gitea, which is down at the moment as I'm doing maintenance. The Git server (and many other services) requires PostgreSQL, hence the existence of a PostgreSQL jail. I run huginn for automation (RSS to Telegram, RSS to XMPP). My sister has her own blog, using WordPress, so that's a Jail of its own. Same goes for my fiancée.

Other Jails are Newsletter using Listmonk, Sarian (the Armenian instance of lobste.rs) and a personal ZNC server.

As an avid RSS advocate, I also have an RSS Jail, which runs Miniflux. Many of my friends use this service.

Oragir is an instance of WriteFreely, as I advocate public blogging and ActivityPub. Our community uses that too.

The web server that forwards all this traffic from the public to the Jails is nginx. All it does is proxy_pass as needed. It runs on the host.

Other services that run on the host are DNS (BIND9), an email service running OpenSMTPd (which will be moved to a Jail soon), the chat service running prosody (which will be moved to a Jail soon) and finally, WireGuard, because I love VPNs.

Finally, there's an IPv6-over-IPv4 tunnel that I use to obtain IPv6 thanks to Hurricane Electric.

Yes, I have a firewall, I use pf(4).

For the techies in the room, here's what my rc.conf looks like.

# cat /etc/rc.conf
# Defaults
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
#local_unbound_enable="YES"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
hostname="pingvinashen.am"

# Networking
defaultrouter="37.157.221.1"
gateway_enable="YES"
ifconfig_em0="up"
vlans_em0="37 1000" # 1000 -> WAN; 37 -> Home Router
ifconfig_em0_1000="inet 37.157.221.130 netmask 255.255.255.0"
ifconfig_em0_37="inet 192.168.255.2 netmask 255.255.255.0"
static_routes="home"
route_home="-net 172.16.100.0/24 -gateway 192.168.255.1"
cloned_interfaces="bridge0 bridge6 bridge10"
ifconfig_bridge10="inet 192.168.10.1 netmask 255.255.255.0"

## IPv6
ipv6_gateway_enable="YES"
gif_interfaces="gif0"
gifconfig_gif0="37.157.221.130 216.66.84.46"
ifconfig_gif0="inet6 2001:470:1f14:ef::2 2001:470:1f14:ef::1 prefixlen 128"
ipv6_defaultrouter="2001:470:1f14:ef::1"
ifconfig_em0_37_ipv6="inet6 2001:470:7914:7065::2 prefixlen 64"
ipv6_static_routes="home guest"
ipv6_route_home="-net 2001:470:7914:6a76::/64 -gateway 2001:470:7914:7065::1"
ipv6_route_guest="-net 2001:470:7914:6969::/64 -gateway 2001:470:7914:7065::1"
ifconfig_bridge6_ipv6="inet6 2001:470:1f15:e4::1 prefixlen 64"
ifconfig_bridge6_aliases="inet6 2001:470:1f15:e4::25 prefixlen 64 \
inet6 2001:470:1f15:e4::80 prefixlen 64      \
inet6 2001:470:1f15:e4::5222 prefixlen 64    \
inet6 2001:470:1f15:e4:c0fe::53 prefixlen 64 \
"

# VPN
wireguard_enable="YES"
wireguard_interfaces="wg0"

# Firewall
pf_enable="YES"

# Jails
jail_enable="YES"
jailer_dir="zfs:zroot/jails"

# DNS
named_enable="YES"

# Mail
smtpd_enable="YES"
smtpd_config="/usr/local/etc/smtpd.conf"

# XMPP
prosody_enable="YES"
turnserver_enable="YES"

# Web
nginx_enable="YES"
tor_enable="YES"

The gif0 interface is an IPv6-over-IPv4 tunnel. I have static routes to my home network, so I don't go to my server over the ISP every time. This also gives me the ability to get IPv6 in my home network that is routed via my home server.

As you have guessed from this config file, I do have VLANs set up. So let's get into that.

The Home Network

First of all, here's a very cheap diagram

I have the following VLANs set up on the switch.

VLAN ID  Purpose
1        Switch Management
1000     pingvinashen (home server) WAN
1001     evn0 (home router) WAN
37       pingvinashen ↔ evn0
42       Internal Management
100      Home LAN
69       Home Guest

Here are the active ports

Port  VLANs                               Purpose
24    untagged: 1                         Switch management, connects to Port 2
22    untagged: 1000                      pingvinashen WAN, from ISP
21    untagged: 1001                      Home WAN, from ISP
20    tagged: 1000, 37                    To pingvinashen, port em0
19    untagged: 1001                      To home router, port igb1
18    tagged: 42, 100, 69, 99             To home router, port igb2
17    untagged: 37                        To home router, port igb0
16    tagged: 42, 100, 69                 To Lenovo T480s
15    untagged: 100                       To Raspberry Pi 4
2     untagged: 99                        From Port 24, for switch management
1     untagged: 42; tagged: 100, 69; PoE  To UAP AC Pro

The home router, hostnamed evn0 (named after the IATA code of Yerevan's Zvartnots International Airport) runs FreeBSD as well, the hardware is the following

root@evn0:~ # dmidecode -s system-product-name
APU2
root@evn0:~ # sysctl hw.model
hw.model: AMD GX-412TC SOC
root@evn0:~ # sysctl hw.physmem
hw.physmem: 4234399744
root@evn0:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
zroot  12.5G  9.47G  3.03G        -         -    67%    75%  1.00x    ONLINE  -

The home router does… well, routing. It also does DHCP, DNS, SLAAC, and can act as a syslog server.

Here's what the rc.conf looks like

clear_tmp_enable="YES"
sendmail_enable="NONE"
syslogd_flags="-a '172.16.100.0/24:*' -H"
zfs_enable="YES"
dumpdev="AUTO"
hostname="evn0.illuriasecurity.com"
pf_enable="YES"
gateway_enable="YES"
ipv6_gateway_enable="YES"
sshd_enable="YES"

# Get an IP address from the ISP's GPON
ifconfig_igb1="DHCP"

# Internal routes with pingvinashen
ifconfig_igb0="inet 192.168.255.1 netmask 255.255.255.0"
ifconfig_igb0_ipv6="inet6 2001:470:7914:7065::1 prefixlen 64"
static_routes="pingvinashen"
route_pingvinashen="-net 37.157.221.130/32 -gateway 192.168.255.2"
ipv6_defaultrouter="2001:470:7914:7065::2"

# Home Mgmt, Switch Mgmt, Home LAN, Home Guest
ifconfig_igb2="up"
vlans_igb2="42 99 100 69"
ifconfig_igb2_42="inet 172.31.42.1 netmask 255.255.255.0"
ifconfig_igb2_99="inet 172.16.99.1 netmask 255.255.255.0"
ifconfig_igb2_100="inet 172.16.100.1 netmask 255.255.255.0"
ifconfig_igb2_100_ipv6="inet6 2001:470:7914:6a76::1 prefixlen 64"
ifconfig_igb2_69="inet 192.168.69.1 netmask 255.255.255.0"
ifconfig_igb2_69_ipv6="inet6 2001:470:7914:6969::1 prefixlen 64"

# DNS and DHCP
named_enable="YES"
dhcpd_enable="YES"
named_flags=""

# NTP
ntpd_enable="YES"

# Router Advertisement and LLDP
rtadvd_enable="YES"
lldpd_enable="YES"
lldpd_flags=""

Here's pf.conf, because security is important.

ext_if="igb1"
bsd_if="igb0"
int_if="igb2.100"
guest_if="igb2.69"
mgmt_if="igb2.42"
sw_if="igb2.99"
ill_net="172.16.0.0/16"

nat pass on $ext_if from $int_if:network to any -> ($ext_if)
nat pass on $ext_if from $mgmt_if:network to any -> ($ext_if)
nat pass on $ext_if from $guest_if:network to any -> ($ext_if)

set skip on { lo0 }

block in all

pass on $int_if   from $int_if:network   to any
pass on $mgmt_if  from $mgmt_if:network  to any
pass on $sw_if    from $sw_if:network    to any
pass on $guest_if from $guest_if:network to any

block quick on $guest_if from any to { $int_if:network, $mgmt_if:network, $ill_net, $sw_if:network }

pass in on illuria0 from $ill_net to { $ill_net, $mgmt_if:network }

pass inet  proto icmp
pass inet6 proto icmp6
pass out   all   keep state

I'm sure there are places to improve, but it gets the job done and keeps the guest network isolated.

Here's rtadvd.conf, for my IPv6 folks

igb2.100:\
  :addr="2001:470:7914:6a76::":prefixlen#64:\
  :rdnss="2001:470:7914:6a76::1":\
  :dnssl="evn0.loc.illuriasecurity.com,loc.illuriasecurity.com":

igb2.69:\
  :addr="2001:470:7914:6969::":prefixlen#64:\
  :rdnss="2001:470:7914:6969::1":

For DNS, I'm running BIND, here are the important parts

listen-on     { 127.0.0.1; 172.16.100.1; 172.16.99.1; 172.31.42.1; 192.168.69.1; };
listen-on-v6  { 2001:470:7914:6a76::1; 2001:470:7914:6969::1; };
allow-query   { 127.0.0.1; 172.16.100.0/24; 172.31.42.0/24; 192.168.69.0/24; 2001:470:7914:6a76::/64; 2001:470:7914:6969::/64; };

And for DHCP, here's what it looks like

subnet 172.16.100.0 netmask 255.255.255.0 {
        range 172.16.100.100 172.16.100.150;
        option domain-name-servers 172.16.100.1;
        option subnet-mask 255.255.255.0;
        option routers 172.16.100.1;
        option domain-name "evn0.loc.illuriasecurity.com";
        option domain-search "loc.illuriasecurity.com evn0.loc.illuriasecurity.com";
}

host zvartnots {
    hardware ethernet d4:57:63:f1:5a:36;
    fixed-address 172.16.100.7;
}

host unifi0 {
    hardware ethernet 58:9c:fc:93:d1:0b;
    fixed-address 172.31.42.42;
}

[…]

subnet 172.31.42.0 netmask 255.255.255.0 {
    range 172.31.42.100 172.31.42.150;
    option domain-name-servers 172.31.42.1;
    option subnet-mask 255.255.255.0;
    option routers 172.31.42.1;
}

subnet 192.168.69.0 netmask 255.255.255.0 {
    range 192.168.69.100 192.168.69.150;
    option domain-name-servers 192.168.69.1;
    option subnet-mask 255.255.255.0;
    option routers 192.168.69.1;
}

So you're wondering, what's this unifi0? Well, that brings us to

T480s

This laptop has been gifted to me by [REDACTED] for my contributions to the Armenian government (which means when a server goes down and no one knows how to fix it, they called me and I showed up)

Here's the hardware

root@t480s:~ # dmidecode -s system-version
ThinkPad T480s
root@t480s:~ # sysctl hw.model
hw.model: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz
root@t480s:~ # sysctl hw.physmem
hw.physmem: 25602347008
root@t480s:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
zroot   224G   109G   115G        -         -    44%    48%  1.00x    ONLINE  -

The T480s has access to VLAN 100, 42, 69, but the host itself has access only to VLAN 100 (LAN), while the jails can exist on other VLANs.

So I have a Jail named unifi0 that runs the Unifi Management thingie.

Here's what the rc.conf of the host looks like

clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
hostname="t480s.evn0.loc.illuriasecurity.com"

ifconfig_em0="up -rxcsum -txcsum"
vlans_em0="100 42 69"
ifconfig_em0_100="up"
ifconfig_em0_42="up"
ifconfig_em0_69="up"

cloned_interfaces="bridge0 bridge100 bridge42 bridge69"
create_args_bridge100="ether 8c:16:45:82:b4:10"
ifconfig_bridge100="addm em0.100 SYNCDHCP"
ifconfig_bridge100_ipv6="inet6 auto_linklocal"
rtsold_flags="-i -F -m bridge100"
rtsold_enable="YES"
create_args_bridge42=" ether 8c:16:45:82:b4:42"
create_args_bridge69=" ether 8c:16:45:82:b4:69"
ifconfig_bridge42="addm em0.42"
ifconfig_bridge69="addm em0.69"

jail_enable="YES"
jailer_dir="zfs:zroot/jailer"
ifconfig_bridge0="inet 10.1.0.1/24 up"
ngbuddy_enable="YES"
ngbuddy_private_if="nghost0"
dhcpd_enable="YES"
lldpd_enable="YES"

I used Jailer to create the unifi0 jail, here's what the jail.conf looks like

# vim: set syntax=sh:
exec.clean;
allow.raw_sockets;
mount.devfs;

unifi0 {
  $id             = "6";
  devfs_ruleset   = 10;
  $bridge         = "bridge42";
  $domain         = "evn0.loc.illuriasecurity.com";
  vnet;
  vnet.interface  = "epair${id}b";
  exec.prestart   = "ifconfig epair${id} create up";
  exec.prestart  += "ifconfig epair${id}a up descr vnet-${name}";
  exec.prestart  += "ifconfig ${bridge} addm epair${id}a up";
  exec.start      = "/sbin/ifconfig lo0 127.0.0.1 up";
  exec.start     += "/bin/sh /etc/rc";
  exec.stop       = "/bin/sh /etc/rc.shutdown jail";
  exec.poststop   = "ifconfig ${bridge} deletem epair${id}a";
  exec.poststop  += "ifconfig epair${id}a destroy";
  host.hostname   = "${name}.${domain}";
  path            = "/usr/local/jailer/unifi0";
  exec.consolelog = "/var/log/jail/${name}.log";
  persist;
  mount.fdescfs;
  mount.procfs;
}

Here are the important parts inside the jail

root@t480s:~ # cat /usr/local/jailer/unifi0/etc/rc.conf
ifconfig_epair6b="SYNCDHCP"
sendmail_enable="NONE"
syslogd_flags="-ss"
mongod_enable="YES"
unifi_enable="YES"
root@t480s:~ # cat /usr/local/jailer/unifi0/etc/start_if.epair6b
ifconfig epair6b ether 58:9c:fc:93:d1:0b

Don't you love it that you can see what's inside the jail from the host? God I love FreeBSD!

Did I miss anything? I hope not.

Oh, for the homelabbers out there, the T480s is the one that runs things like Jellyfin if needed.

Finally, the tiny 

Raspberry Pi 4, Model B

I found this in a closet, so I decided to run it for TimeMachine.

I guess all you care about is rc.conf

hostname="tm0.evn0.loc.illuriasecurity.com"
ifconfig_DEFAULT="DHCP inet6 accept_rtadv"
sshd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
rtsold_enable="YES"
samba_server_enable="YES"

And the Samba Configuration

[global]
# Network settings
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = RPi4

# Logging
log file = /var/log/samba4/log.%m
max log size = 50
log level = 0

# Authentication
security = user
encrypt passwords = yes
passdb backend = tdbsam
map to guest = Bad User
min protocol = SMB2
max protocol = SMB3

# Apple Time Machine settings
vfs objects = catia fruit streams_xattr
fruit:metadata = stream
fruit:resource = stream
fruit:encoding = native
fruit:locking = none
fruit:time machine = yes

# File System support
ea support = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
mangled names = no
smbd max xattr size = 2097152

# Performance tuning
read raw = yes
write raw = yes
getwd cache = yes
strict locking = no

# Miscellaneous
local master = no
preferred master = no
domain master = no
wins support = no

[tm]
comment = Time Machine RPi4
path = /usr/local/timemachine/%U
browseable = yes
read only = no
valid users = antranigv
vfs objects = catia fruit streams_xattr
fruit:time machine = yes
fruit:advertise_fullsync = true
fruit:time machine max size = 800G  # Adjust the size according to your needs
create mask = 0600
directory mask = 0700

That's pretty much it.

Conclusion

I love running homebrew servers, home networks and home labs. I love that (almost) everything is FreeBSD. The switch itself runs Linux, and the Unifi Access Point also runs Linux, both of which I'm pretty happy with.

While most homelabbers used ESXi in the past, I'm happy to see that most people are moving to open source solutions like Proxmox and Xen, but I think that FreeBSD Jails and bhyve are much better. I still don't have a need for bhyve at the moment, but I would use it if I needed hardware virtualization.

Most homelabbers would consider the lack of Web/GUI interfaces as a con, but I think that it's a pro. If I need to "replicate" this network, all I need to do is to copy some text files and modify some IP addresses / Interface names.

I hope this was informative and that it would be useful for anyone in the future.

That's all folks…


https://antranigv.am/posts/2024/06/freebsd-server-network-homelab/

#Containers #Dell #DellLatitudeE5470 #FreeBSD #homeServer #HowTo #Jailer #Jails #macOS #Networking #pf #Samba #Unifi #Unix #VNET

Brandon H :csharp: :verified: (@bc3tech@hachyderm.io)
2024-06-07

Working around Terraform's Azure inequities – Part 2: Azure Shared Private Links

bc3.tech/b/10L

#AiSearch, #Azure, #Cicd, #ContinuousDeployment, #Openai, #PrivateEndpoint, #PrivateLink, #Terraform, #VirtualNetwork, #Vnet


Felix Palmen 📯 (@zirias@techhub.social)
2024-03-25

I'm getting old I guess? 🙄

Moved some #FreeBSD #VNET #jail to a different network segment today by
- changing DNS entries
- changing the statically assigned address in its /etc/rc.conf
- moving the "host end" of the epair interface to a different bridge
- changing necessary firewall rules

... and then was puzzled for almost an hour I couldn't even get it to #ping any more, looking for the issue in the firewall rules, to no avail ...

Turns out you indeed have to change the default gateway as well 🙈

Felix Palmen 📯 (@zirias@techhub.social)
2024-03-17

#FreeBSD 13.3 deployed at home. 4 times "metal", one VM, 12 #VNET #jails.

First time ever not the vanilla version from the releng branch (with just one commit adding kernel configs on top), but pulling in extra patches from some repo on github. 🙄 Because it's unusable in my setup otherwise 😞.

I really really hope this will stay a rare exception for FreeBSD. And of course I hope for an EN including the functionality of all these patches I now pulled in myself ... would probably be a PITA having to maintain them locally.

:rss: Qiita - Popular Articles (@qiita@rss-mstdn.studiofreesia.com)
2024-02-24

[Japanese translation] Consistent DNS configuration in an Azure hub-and-spoke topology (original title: Consistent DNS resolution in a hybrid hub spoke network topology)
qiita.com/aktsmm/items/3223a66

#qiita #Azure #dns #vnet #駆け出しアーキテクト #hub_spoke

2024-01-16

๐€๐ณ๐ฎ๐ซ๐ž ๐๐ž๐ญ๐ฐ๐จ๐ซ๐ค ๐’๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐‹๐š๐› ๐„๐ง๐ฏ๐ข๐ซ๐จ๐ง๐ฆ๐ž๐ง๐ญ ๐ƒ๐ž๐ฉ๐ฅ๐จ๐ฒ๐ฆ๐ž๐ง๐ญ ๐“๐ž๐ฆ๐ฉ๐ฅ๐š๐ญ๐ž ๐ฐ๐ข๐ญ๐ก ๐€๐ณ๐ฎ๐ซ๐ž ๐๐ซ๐ž๐ฆ๐ข๐ฎ๐ฆ ๐…๐ข๐ซ๐ž๐ฐ๐š๐ฅ๐ฅ

If you want to learn how Azure Firewall works in practice, including its applicability scenarios, use cases, and advanced features, this lab is for you. 🙂

This ARM deployment includes everything needed to test Azure Network Security components including the new Azure Firewall Premium:

github.com/Azure/Azure-Network

#azure #networksecurity #network #security #networking #cloud #cloudnative #cloudnetworking #Azurefirewall #firewall #vnet #hub #spoke #networkarchitecture #soc #cybersecurity

2024-01-03

Talk at me about #azure #deployment #slots and private endpoints.

I can create both with Azure CLI. But question is: Do I need to add a DNS zone configuration AND a vnet?

Kind of appears so. That's how the other app services are configured here....

#devops #dnszone #vnet
