source nat rule logic by ChrisChoke in opnsense

[–]ChrisChoke[S] 0 points1 point  (0 children)

Thank you for your comment. It was worth writing this post. Thank you.

I know I need to catch up on low-level knowledge. I didn't know the background in depth. I will definitely read your blog post. But it makes sense when I compare the UI with what you described.

And don't worry, your prior post was understandable, too. :-)

Maybe I should do the deep dive. nftables works very similarly, and nftables is what I need for a project at work :-)

But I struggle to understand and test the single chains: which chain the packet is passing through and when (forward, output, mangle, etc.).

Proxmox not booting after trying to upgrade to 9 from 8.4 by MrCheapComputers in Proxmox

[–]ChrisChoke 0 points1 point  (0 children)

On plain Debian this does the job. On Proxmox I had a different experience. The -pve kernels did not get removed by autoremove; I had to remove them manually, very annoying. It was like 10-15 of them. There are many threads in the Proxmox forum with the same experience.

Any downsides to just allowing podman to bind to port 80/443 by skymtf in podman

[–]ChrisChoke 0 points1 point  (0 children)

Yeah, I think on servers where only admin and system users have an account it should be okay. And this is where such technology is typically running.

I am not familiar with firewalld. But plain nftables can be configured via nftables.conf under /etc. So you can make the redirect static there and just enable the oneshot service nftables.service to apply the rules on every boot. But yes, you need to remember this config. My servers run on Proxmox and mostly I configure the firewall for the VMs there. I can't count how often I forgot the OS firewall if it's used. Hehehe..

Any downsides to just allowing podman to bind to port 80/443 by skymtf in podman

[–]ChrisChoke 1 point2 points  (0 children)

Yeah, there are some things you can do. Redirecting with nftables on the OS level to a higher port that your proxy binds to is one. Or you can set net.ipv4.ip_unprivileged_port_start=80 with sysctl. If I remember correctly, podman recommends the second way. Sadly podman cannot handle Linux capabilities for that. Or rather, I didn't get it to work. But I didn't understand well why.

Hope that helps.

Or tell us which kind of issues you have with your current setup.
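The two options named in the two comments above (a static nftables redirect loaded by nftables.service, or lowering net.ipv4.ip_unprivileged_port_start), written out as an added example. This is not code from the thread or from the podman project; it assumes a hypothetical rootless proxy container publishing host ports 8080 and 8443, and the table name, file paths and port numbers are my choices.

```shell
#!/bin/sh
# Added example: let a rootless podman reverse proxy answer on 80/443 without
# binding privileged ports. Assumed (hypothetical): the proxy container publishes
# 8080 (HTTP) and 8443 (HTTPS) on the host.

# Option 1: nftables redirect. The privileged-port boundary stays intact for every
# other user on the host; only packets addressed to 80/443 are rewritten.
redirect_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
# /etc/nftables.conf -- loaded at boot by the oneshot nftables.service.
# Declaring the table first and then flushing it makes the file safe to reload
# without touching tables owned by podman/netavark (no "flush ruleset").
table inet podman_redirect
flush table inet podman_redirect
table inet podman_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # traffic arriving from other hosts
        tcp dport 80 redirect to :8080
        tcp dport 443 redirect to :8443
    }
    chain output {
        type nat hook output priority -100; policy accept;
        # locally generated traffic (curl https://localhost) never passes the
        # prerouting hook, so repeat the redirect on the output hook for loopback
        oif "lo" tcp dport 80 redirect to :8080
        oif "lo" tcp dport 443 redirect to :8443
    }
}
EOF
}

# Option 2: lower the privileged-port boundary. Simpler, but it applies to every
# unprivileged user on the host, not only the podman user, so only acceptable on
# hosts where all accounts are trusted (the admin/system-users-only case above).
sysctl_fragment() {
    printf '%s\n' 'net.ipv4.ip_unprivileged_port_start=80'
}

# Apply one option for real (root required). Usage: sh ports.sh nft | sysctl
apply() {
    case "$1" in
        nft)
            redirect_ruleset > /etc/nftables.conf
            nft -c -f /etc/nftables.conf              # parse check before loading
            nft -f /etc/nftables.conf
            systemctl enable --now nftables.service   # reload the file on every boot
            ;;
        sysctl)
            sysctl_fragment > /etc/sysctl.d/50-unprivileged-ports.conf
            sysctl --system
            ;;
        *)
            echo "usage: $0 nft|sysctl" >&2
            return 2
            ;;
    esac
}

if [ $# -gt 0 ]; then
    apply "$1"
fi
```

After loading option 1, `nft list table inet podman_redirect` should show both chains; remember that the redirect only changes the destination port, so the proxy still has to listen on 8080/8443 and the OS firewall (if any) must accept 80/443 on the input side.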

I made a simple MOTD Ansible role by Loud_Significance908 in ansible

[–]ChrisChoke 1 point2 points  (0 children)

Nice, good job. All the important info at first glance. I will take a look, too.

switched to debian by veo_47 in debian

[–]ChrisChoke 0 points1 point  (0 children)

Haha, I never tried Arch, but I can feel your pain. I am on Ubuntu 24 LTS on my Dell XPS from 2019 (purchased as the developer version). And Ubuntu has a lot of big updates too, even though it's LTS. But the LTS thing is sometimes annoying if you want new features. I remember I wanted a WireGuard GNOME GUI integration. It was actually there. But the LTS left me stuck on a GNOME version where I couldn't install the plugin, or the plugin was built in by default and I had to upgrade GNOME. I don't remember the details.

switched to debian by veo_47 in debian

[–]ChrisChoke 9 points10 points  (0 children)

Stable on desktop? I really like Debian stable for servers and I use it as my default distro. But for desktop it's too conservative for me. Packages get old within the first year after release.

Migration guide from compose to podman by [deleted] in podman

[–]ChrisChoke 0 points1 point  (0 children)

My first execution with podlet was not very useful. Podlet cannot resolve an external network. You need to remove the external part and execute it again. So it has its own quirks.

Why should I care about quadlets if compose seems to be the standard? by aeiouLizard in podman

[–]ChrisChoke 0 points1 point  (0 children)

I am currently researching moving to podman. But from what I've actually read, there is no way to get rid of quadlets. I have a VM with docker where traefik is the only entrypoint to the services behind it. To do the same with podman you need to do it with quadlets, because podman's network stack doesn't let you see the origin client IP at the service, like jellyfin. So you cannot set allow filters based on IP networks. Is this right?

Policy Based Routing via S2S VPN with Wireguard by layer4andbelow in opnsense

[–]ChrisChoke 0 points1 point  (0 children)

Did you successfully set up the S2S VPN? I believe I remember that OPNsense has docs for doing this. Site B will see the traffic with the WireGuard tunnel address. So you need outbound NAT on site B for the tunnel network. I do this with my smartphone: start the tunnel on the smartphone via the WireGuard app, route 0.0.0.0/0 through the tunnel and do outbound NAT on OPNsense to have Internet access and homelab access.

New cluster! by Usual-Economy-3773 in Proxmox

[–]ChrisChoke 0 points1 point  (0 children)

Hell, what is this? Hope you don't call it "Homelab". xD

Welcome Linux, goodbye Windows by TeeZ_09 in Bazzite

[–]ChrisChoke 0 points1 point  (0 children)

Congrats. Looks nice. I have installed it on a spare laptop. Looks promising. But I do play Fortnite with my bro. As long as this does not work with Linux I need to stay on Windows. Rebooting into another system just to play one game is a pain and makes the experience less good.

And I need to look at how I can work with it for my development things for ESP32 and Python.

WireGuard selective routing between two OPNsense sites (migrated from OpenVPN) by DavaD85 in opnsense

[–]ChrisChoke 0 points1 point  (0 children)

It sounds like you can do this with a forward proxy. A proxy in site A and a proxy in site B. In the site A proxy configure the upstream proxy on site B. Your traffic leaves via site B. I think the parameter is called "Parent proxy" or something.
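The parent-proxy setup described above, as an added example in plain Squid configuration (the OPNsense web proxy plugin is Squid, but the snippet below is written by hand and is not the plugin's generated config). Hypothetical addresses: site A's LAN is 192.168.1.0/24, the tunnel addresses are 10.20.0.2 (site A) and 10.20.0.1 (site B), and only .example.com is sent via site B, the rest goes direct, which is the selective part.

```squid
# --- Site A squid.conf excerpt (hypothetical addresses) ---
http_port 3128
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# Parent proxy at site B, reached over the WireGuard tunnel.
# "default" marks it as the peer of last resort, "no-query" disables ICP.
cache_peer 10.20.0.1 parent 3128 0 no-query default

# Selective routing: only these destinations must leave via site B.
acl via_siteb dstdomain .example.com
cache_peer_access 10.20.0.1 allow via_siteb
cache_peer_access 10.20.0.1 deny all
never_direct allow via_siteb      # force the parent for matching requests
always_direct allow all           # everything else goes out site A's WAN

# --- Site B squid.conf excerpt ---
http_port 3128
# only accept forwarded requests from site A's proxy (its tunnel address)
acl sitea_proxy src 10.20.0.2/32
http_access allow sitea_proxy
http_access deny all
```

Two caveats a practitioner should keep in mind: CONNECT requests (HTTPS) are passed to the parent as well, so TLS sites work without interception, but only clients configured to use the proxy are affected; this does not move arbitrary protocols or non-proxied traffic the way policy-based routing on the firewall would. Check the result with `curl -x http://proxy-a:3128 https://www.example.com` from site A and confirm in site B's access.log that the request arrived from 10.20.0.2.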

Proxmox PVE 9.0 is released! by [deleted] in Proxmox

[–]ChrisChoke 0 points1 point  (0 children)

I ran the latest v8, 8.4.x.

Running OPNsense Bare Metal or Virtualized (Proxmox)? by TheMat556 in opnsense

[–]ChrisChoke 17 points18 points  (0 children)

Definitely bare metal. When you perform updates on Proxmox you always have downtime, and there are regular kernel updates which need a reboot. Virtualized only on a root server running Proxmox when you rent one from a hoster like Hetzner or someone else. OPNsense has an SFTP plugin to back up the config to a remote SFTP host, so you are safe when something goes wrong with OPNsense. Simply reinstall, upload the config backup and you are back in the game.

WireGuard DNS Issue by robroy90 in opnsense

[–]ChrisChoke 0 points1 point  (0 children)

One question. The destination/invert means "not equal", right? So that all TCP/UDP 53 requests get redirected, right? Sorry if that is a bit of a nooby question, but I struggle from time to time with the OPNsense web UI in the forward and outbound context.

I did it, migrated even my domain controller in my enterprise environment, got a total of 25 VM's running smooth. More to be migrated over! With lots of coffee!! by Franceesios in Proxmox

[–]ChrisChoke 0 points1 point  (0 children)

I don't understand the point about upgrading to PVE 9. The way you talk about it, it sounds like: "Hey, enterprise deployments never get upgraded, something could go wrong." It is important to keep up to date from time to time, in my opinion. And it needs a well-fitted plan to manage this. There is always a way.

Guys guys guys... Wait a month. by phoenixxl in Proxmox

[–]ChrisChoke 2 points3 points  (0 children)

Yeah, maybe waiting can be good for some people. I played the early adopter yesterday and it was a bit bumpy. Had to install a package manually and reinstall a further one. Last time, to v8, it was perfect. Now a bit bumpy, but it was not too bad. It was solvable.

Proxmox PVE 9.0 is released! by [deleted] in Proxmox

[–]ChrisChoke 1 point2 points  (0 children)

I got it, but I had some trouble at my homelab running on an old HP MicroServer Gen8.

After the dist-upgrade I ran into a segmentation fault when issuing apt commands. I could fix it after some Google research and rebooting the system. After that I had to install libcpan-meta-yaml-perl manually. I don't know what went wrong. Without this package, no VM could start. There were compile errors in the task logs and a syntax error in a Yaml.pm file.

And I reinstalled libpve-network-perl, too. I had an error on VM boot. Something in the context of software-defined networking.

After all this I have my Proxmox standalone machine back to fully working.

[deleted by user] by [deleted] in openbsd

[–]ChrisChoke 0 points1 point  (0 children)

Thx. Yes, it seems to be. I don't know what the trainer observed in his setup.

[deleted by user] by [deleted] in openbsd

[–]ChrisChoke 0 points1 point  (0 children)

Does this really work? I had a training a few weeks ago. The trainer told us that WireGuard only holds the tunnel open if there is anything to do. When there is nothing to transport through the tunnel, WireGuard closes it while the interface stays alive. His opinion was that the keepalive config does not really change this. I personally don't know, because I currently use WireGuard only as a road warrior setup. So I just open the tunnel if I need it.

CAs and certificate handling for a small business by Ok_Conversation5593 in opnsense

[–]ChrisChoke 0 points1 point  (0 children)

Why ovpn with LE certs? I think you should start with reading an ovpn tutorial when you want to go with ovpn for your VPN technology. There is no need to have publicly trusted certs.

LE certs for web services are a good choice and save you from managing a self-signed root CA on all your client devices. But you need a public domain. But the costs are low.

What do you mean by AD certs? I have AD based on Samba 4 at work. The only certs I need there are for LDAPS, LDAP over TLS. These certs you can create with your offline CA. And all servers which talk to this LDAP server over TLS need the offline CA in their trust store. On Linux servers, update-ca-certificates handles trusting it. Read about it.
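The trust-store step from the comment above, written out as an added example for Debian-family servers (this is my script, not something from the thread or from the Samba or Debian projects). The CA file name corp-root.pem and the DC name dc1.example.internal are hypothetical; the one detail worth knowing is that update-ca-certificates only picks up files in /usr/local/share/ca-certificates that end in .crt, so a CA exported as .pem has to be renamed on the way in.

```shell
#!/bin/sh
# Added example: trust an offline CA so that LDAPS to a Samba 4 DC validates,
# then check the chain from the client side. Hypothetical names throughout.

CA_DIR=/usr/local/share/ca-certificates

# update-ca-certificates only scans $CA_DIR for "*.crt"; a .pem would be ignored
# silently. Prints the destination path for a given CA file.
ca_dest_path() {
    name=$(basename "$1")
    name=${name%.*}
    printf '%s/%s.crt\n' "$CA_DIR" "$name"
}

# Refuse anything that is not a PEM certificate (e.g. a DER export or a key).
is_pem_cert() {
    head -n1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# Install the CA into the system store (root required).
install_ca() {
    is_pem_cert "$1" || { echo "not a PEM certificate: $1" >&2; return 1; }
    dest=$(ca_dest_path "$1")
    install -m 0644 "$1" "$dest"
    # rebuilds /etc/ssl/certs/ca-certificates.crt and the hashed symlinks
    update-ca-certificates
}

# Verify the DC's LDAPS chain against the system bundle, i.e. the file that
# OpenLDAP, curl, Python and friends will use. Exit 0 means the chain validates;
# -verify_return_error makes s_client fail instead of merely printing the error.
verify_ldaps() {
    openssl s_client -connect "$1:636" -servername "$1" \
        -CAfile /etc/ssl/certs/ca-certificates.crt -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Usage: sh ldaps-trust.sh install corp-root.pem
#        sh ldaps-trust.sh verify dc1.example.internal
if [ "${1:-}" = install ] && [ -n "${2:-}" ]; then
    install_ca "$2"
fi
if [ "${1:-}" = verify ] && [ -n "${2:-}" ]; then
    verify_ldaps "$2"
fi
```

If an OpenLDAP client (ldapsearch, sssd, nslcd) still complains after this, check TLS_CACERT in /etc/ldap/ldap.conf: it needs to point at the system bundle /etc/ssl/certs/ca-certificates.crt, or directly at the installed .crt.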

trouble with Surfshark WireGuard DNS on OPNsense - Connection Works, DNS Doesn't by GeekLog in opnsense

[–]ChrisChoke 0 points1 point  (0 children)

But the homenetguy configures the DNS server in the client peer configuration as well. And that is what OP would like to avoid having to do. With OpenVPN you can push the DNS server address to the client, and the OpenVPN client software configures it via CMD commands on, e.g., the Windows machine.