| 18 Jan 2026 |
magic_rb | on my server i see
12:58:44.828966 00:25:90:85:56:3e > 2e:2c:64:a9:08:37, ethertype IPv4 (0x0800), length 134: (tos 0x88, ttl 64, id 5539, offset 0, flags [none], proto UDP (17), length 120)
192.168.11.21.6666 > 167.235.230.162.6666: [bad udp cksum 0x5ac1 -> 0x97d9!] UDP, length 92
but no such packet can be seen on my banana pi. I do see other packets from the same server, same port, same wireguard, toward different devices (both LAN and WAN), but this specific 192.168.11.21.6666 > 167.235.230.162.6666 packet is lost to the void somewhere between my server and banana pi
| 13:04:46 |
magic_rb | i can also ping my VPS no problem, so it seems like the specific UDP state table entry is fucked somehow? | 13:06:17 |
magic_rb | if i restart wireguard or unplug the ethernet from my server, experience tells me it'll fix itself | 13:06:36 |
magic_rb | 13:08:34.419753 00:25:90:85:56:3e > 2e:2c:64:a9:08:37, ethertype IPv4 (0x0800), length 92: (tos 0x0, ttl 64, id 50063, offset 0, flags [DF], proto UDP (17), length 78)
192.168.11.21.52425 > 167.235.230.162.6666: [bad udp cksum 0x5a97 -> 0x9609!] UDP, length 50
that packet done using netcat appears on banana pi r4
| 13:08:59 |
magic_rb | i've had this issue before, it's always when the pppoe link drops on my banana pi. I do not understand how that can cause the state tables on my server to get mangled | 13:09:54 |
magic_rb | any suggestions for further debugging? | 13:14:41 |
magic_rb | only further thing i can think of is taking a laptop, putting it in between the router and the switch and sniffing | 13:16:51 |
magic_rb | fuck it fixed itself while i was trying to do the laptop thing | 13:32:33 |
magic_rb | i guess it fixing itself is better than it being broken forever and me losing connectivity.... | 13:33:53 |
magic_rb | i wonder if someone makes a device that i could just leave there, to sniff | 13:37:11 |
| 22 Jan 2026 |
trix | Has anyone tested IP Address certificates yet? I'm trying on 25.11 w/ shortlived profile, but I'm getting a badCSR error, with "CSR contains IP address in Common Name". I believe it's from the remote, but I'm not fully sure, and it would not make much sense, unless I majorly misunderstood how this works. | 20:16:24 |
trix | There seems to be a hint that the common name must be disabled in CSR. Looking into how to do that | 20:30:39 |
hexa | IP address can only be a SAN entry | 20:38:52 |
hexa | In principle you should be able to skip the common name altogether | 20:39:13 |
hexa | but not sure we allow that | 20:39:19 |
hexa | * but not sure we (or lego) allow that | 20:39:26 |
Tom | there is btw. #acme:nixos.org | 20:42:52 |
trix | thanks i was unaware | 21:02:18 |
| 23 Jan 2026 |
elisaado | hmm firewalld looks interesting for declarative networking | 22:05:31 |
elisaado | anyone using it over nftables? | 22:05:37 |
K900 | Not worth the effort if you want declarative | 22:09:10 |
K900 | Just write static rules | 22:09:13 |
K900 | firewalld works when you need to adjust things as you go | 22:09:29 |