Just updated my Netgraph Viewer for safer use. Make sure to bypass the doas password in doas.conf. Now, normal users can run these scripts directly without root.

Codeberg: https://codeberg.org/maulanahirzan/Netgraph-Viewer
Brew BSDCafe: https://brew.bsd.cafe/maulanahirzan/Netgraph-Viewer

!!! Run these scripts with extra precaution. I am not responsible for any broken system or data loss. You have been warned !!!

#freebsd #netgraph #script #viewer


I wrote shell and python scripts as a wrapper for ngctl dot (netgraph Graphviz export) and dot (Graphviz dot to png). Available through my repository:

a. Codeberg: https://codeberg.org/maulanahirzan/Netgraph-Viewer
b. Brew: https://brew.bsd.cafe/maulanahirzan/Netgraph-Viewer

These scripts require root to run, so: choose the sh version for fewer external dependencies (more secure), or the python version bundled with a tkinter image viewer.

!!! Run these scripts with extra precaution. I am not responsible for any broken system or data loss. You have been warned !!!

#freebsd #netgraph #viewer
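The two viewer posts above describe the same pipeline: ngctl dot exports the graph as Graphviz text, and dot turns it into a PNG that an image viewer refreshes every few seconds. The script below is an added example, not the Netgraph-Viewer project's own code; it assumes a hypothetical doas.conf rule that grants the unprivileged user exactly one command (/usr/sbin/ngctl dot) instead of a whole script, and it replaces the output file atomically so the viewer never reloads a half-written image.

```python
#!/usr/bin/env python3
"""Poll netgraph and render it to a PNG every few seconds.

Assumed doas.conf rule (hypothetical; it limits the privileged part to the
single read-only export command rather than the whole script):
    permit nopass :wheel as root cmd /usr/sbin/ngctl args dot
"""
import os
import subprocess
import sys
import tempfile
import time

NGCTL_DOT = ["doas", "/usr/sbin/ngctl", "dot"]  # netgraph -> Graphviz text
DOT_PNG = ["dot", "-Tpng"]                       # Graphviz text -> PNG bytes


def render_once(out_path, ngctl_cmd=NGCTL_DOT, dot_cmd=DOT_PNG):
    """Run ngctl_cmd | dot_cmd and atomically replace out_path.

    Returns the number of bytes written. Raises CalledProcessError when either
    stage fails, so a broken render never overwrites the previous image.
    """
    graph = subprocess.run(ngctl_cmd, check=True, capture_output=True).stdout
    png = subprocess.run(dot_cmd, input=graph, check=True,
                         capture_output=True).stdout
    out_dir = os.path.dirname(os.path.abspath(out_path))
    fd, tmp = tempfile.mkstemp(prefix=".netgraph-", suffix=".png", dir=out_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(png)
        os.replace(tmp, out_path)  # rename is atomic on the same filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return len(png)


def watch(out_path, interval=5.0):
    """Re-render until interrupted; mirrors the 5-second live-update workflow."""
    while True:
        try:
            render_once(out_path)
        except subprocess.CalledProcessError as exc:
            print(exc.stderr.decode(errors="replace").strip(), file=sys.stderr)
        time.sleep(interval)


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else "netgraph.png")
```

Point any auto-reloading image viewer at the output file; the ngctl and dot commands can be swapped via the keyword arguments, which is also how the behaviour can be exercised on a machine without netgraph.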


I need help troubleshooting my network simulation. This simulation simulates a simple network with a router and a client (both are jails). The router provides internet to client 1 through netgraph.

Setup:
1. Host-Router (Epair)
2. Router-Bridge-Client1 (NetGraph)

What is working:
1. Router can ping 1.1.1.1 (Internet Access)
2. Router can ping host gateway (192.168.200.1)
3. Router can ping client 1 (192.168.150.10)
4. Client 1 can ping the router (192.168.150.1)

What is not working:
1. Client 1 cannot ping 192.168.200.1
2. Client 1 cannot ping 1.1.1.1

What I have done:
1. Enabled gateway_enable in rc.conf
2. Configured all forwarding in sysctl
3. Created a default route to 192.168.200.1

#freebsd #netgraph #troubleshooting

This screenshot is a procrastination project with Netgraph: a small script that exports Netgraph's dot file and converts it to an image. I can preview my current Netgraph progress using an image viewer (with a live update like Ristretto) every 5 seconds.

#freebsd #netgraph

Productive procrastination with Netgraph. I have successfully deployed a simple peer-to-peer connection with traffic mirroring capability that is suitable for Wireshark sniffing. What makes Netgraph great is that no additional software is required at all. I will note these personal discoveries into my notes (and eventually, turn it into an ebook?)

#freebsd #netgraph

Studying in the morning is the best way to learn. I have successfully deployed Client1-Router-Client2 with netgraph and vnet. Screenshot 1 is the deployment result, and Screenshot 2 is the dot image produced by netgraph with some editing (my first time hacking a Graphviz dot file, and so confusing. But actually quite simple).

My last objectives are to route the traffic between client 1 and client 2, and to automate the netgraph process.

#freebsd #netgraph

@amadaluzia @catavz pf.conf.d ... could be a good idea, but you'd have to have priority numbers. ipfw just has those on the rules themselves; this seems like a more complete working out of the idea. That way your software can insert rules in different places while still having all its rules in one file. (Although I don't know if ipfw.conf.d exists, or whatnot.)

More generally, though, this is changing the firewall under programmatic control, and that's part of the intrusion of dev into ops that's implicit in modern usage of the word "container." Hmm, so you... turn on multilevel jails, start a jail with a VNET behind a bridge, and run #podman in the jail, whereunder it starts child jails. podman gets a pf.conf to mess with, and you get a pf.conf it can't touch. :) or... what if someone makes a #CNI that uses #netgraph instead? hmmm

@maulanahirzan @david_chisnall The grasp of #netgraph I have (which is tenuous) I got by searching out conference talks and #FreeBSD Journal articles: the reference documentation doesn't tell the story. The reason I'm still working at it, after VLAN-aware bridges have been announced and merged, is that netgraph has a #netflow node, which emits data about each connection or "flow" to a side channel. I think Open vSwitch might be able to do that, but the in-kernel bridges don't; and OVS is another layer of complexity.

@karinjiri So glad to hear this! I had just figured out the bridge-per-vlan thing when the vlan-aware bridge stuff started being announced.

I was trying to do CARP between VNET jails on a pair of hosts and failed miserably because the CARP packets don't go past the bridge. Probably won't (initially) do any better with CARP using vlan-aware bridges but it'll be simpler.

I started trying to use #netgraph(4) for this instead, though, because it has a node that can export Netflow data for logging and monitoring. But it appears it's up to me to write the script that sets up the netgraph at boot time - /etc/rc.d/netif won't help me.

edited to add: more words at https://j.agrue.info/freebsd-vnet-jail-bridge-carp-fail.html and surrounding articles


Still learning how to operate the ngctl command. It is easy to create a simple graph with tee and cisco. But I need more information to create the rest of the nodes #freebsd #netgraph