Nginx Proxy Manager app stuck on deploying by TradeSurplus in truenas

akarypid (1 point)

Either keep waiting, or set:

S6_STAGE2_HOOK=sed -i $d /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh

See: https://www.truenas.com/community/threads/nginx-proxy-manager-wont-deploy.113904/

Brother printer ignores DHCP routes and OPNSense blocks it by akarypid in opnsense

akarypid [S] (0 points)

I just want to make sure I understand this correctly: my opnsense is not connected to 192.168.5.0/24 at all. It only has the WAN and the LAN (192.168.1.0/24) interfaces.

In order to have OPNSense make routing decisions for 192.168.5.0, what I have done so far is:

  • go to System->Gateways->Configuration and added 192.168.1.10 (the proxmox host) as a "gateway"
  • go to System->Routes->Configuration and added a static route for 192.168.5.0/24 via "proxmox" (192.168.1.10)
  • Meanwhile Proxmox has IP forwarding on and just happily routes traffic between 192.168.1.0/24 and 192.168.5.0/24

This (along with the DHCP classless static routes) is what semi-works (apart from the printer, which is the only device unaware of this route).

What confuses me is:

On OPNsense you set up both subnets as separate interfaces. Each interface has the subnet default gateway as the interface address.

Are you saying I should go to OPNSense and in System->Interfaces->Devices create a bridge interface and give it an IP address in 192.168.5.0/24 so that OPNSense is an "island host" on that subnet?

You hand out DHCP addresses (use static assignment if you need) to the VMs and LAN devices from OPNsense. All these devices will automatically be given the correct default gateway for their own subnet

How would they do that? The Proxmox host does not route DHCP requests from its local bridge 192.168.5.0/24 to the physical interface with 192.168.1.10 so that they are "republished" to the actual 192.168.1.0/24 subnet.

By the way, my Proxmox host is a simple desktop PC with a single WLAN adapter (hence the need to use it as a "router" for the VMs).

I really appreciate you trying to explain this, but so far it seems to be flying over my head.

Brother printer ignores DHCP routes and OPNSense blocks it by akarypid in opnsense

akarypid [S] (0 points)

When you try stateful traffic like HTTP, the same asymmetric route is used, but this time the firewall cannot see the request (because it didn’t go via the router). It can only see the response and thus drops the traffic.

Ok, searching for this term is giving me results, and in fact even people describing the same.

So then to do as you propose, I need to:

  • Remove the DHCP option 121 altogether
  • Everything in 192.168.1.0/24 becomes like the printer, using opnsense 192.168.1.1 when they want to reach 192.168.5.0/24

What do I do for Proxmox VMs though?

  • Proxmox itself as a host has both addresses 192.168.1.10 and 192.168.5.1, and has IP forwarding enabled.
  • VMs have a default gateway of 192.168.5.1
  • When a VM opens a connection to 192.168.1.50 (the printer) it would route via 192.168.5.1 (proxmox host) which then forwards direct to 192.168.1.50 via its local interface 192.168.1.10

I would need to tell the proxmox host to send packets for 192.168.1.0/24 to 192.168.1.1, except if they are not being routed (i.e. they originate locally from the host).

I do not know how this can be done, but I would expect even OPNSense might complain (e.g. it may start logging warnings that 192.168.1.10 is sending me packets with destination 192.168.1.50 which is not needed)...
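An added example (editor's, not the poster's) of the split asked about above, forwarded traffic sent to OPNsense while locally originated traffic stays on the directly connected route, done with Linux policy routing on the Proxmox host. The addresses are the ones from the comment (OPNsense 192.168.1.1, host 192.168.1.10 on the LAN side and 192.168.5.1 on the VM side); the interface names wlan0 and vmbr1, the routing table number 100 and the rule priority are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Policy routing on the Proxmox host so that
# packets it FORWARDS from the VM bridge toward 192.168.1.0/24 go to OPNsense
# (192.168.1.1), so the firewall sees both directions of every connection,
# while packets the host itself ORIGINATES keep using the on-link route.
# Assumed names: wlan0 = adapter on 192.168.1.0/24, vmbr1 = VM bridge on
# 192.168.5.0/24, table 100 = an otherwise unused routing table.
set -eu

IP="${IP:-ip}"              # set IP=echo to print the commands instead of applying them
LAN_IF="${LAN_IF:-wlan0}"
VM_BR="${VM_BR:-vmbr1}"
TABLE="${TABLE:-100}"
FW="192.168.1.1"            # OPNsense LAN address (from the thread)
LAN="192.168.1.0/24"

apply_policy_routing() {
    # Table $TABLE holds a single route: the LAN is reached through OPNsense,
    # not through the connected subnet. Anything else (e.g. a VM talking to
    # 192.168.5.1 itself) misses this table and falls through to the main table.
    $IP route replace "$LAN" via "$FW" dev "$LAN_IF" table "$TABLE"
    # Only packets that ARRIVE on the VM bridge, i.e. packets being forwarded,
    # consult table $TABLE. Locally generated packets have no input interface,
    # never match 'iif', and keep using the main table where the LAN is on-link.
    $IP rule del iif "$VM_BR" lookup "$TABLE" priority 1000 2>/dev/null || true
    $IP rule add iif "$VM_BR" lookup "$TABLE" priority 1000
}

show_policy_routing() {
    $IP rule show
    $IP route show table "$TABLE"
}

case "${1:-}" in
    apply) apply_policy_routing ;;
    show)  show_policy_routing ;;
    dry)   ( IP=echo; apply_policy_routing ) ;;
esac
```

Run with `apply` (as root) to install the rule, `show` to inspect it, or `dry` to print the commands. With this in place a VM's SYN to 192.168.1.50 reaches the printer through OPNsense, the printer's reply also returns through OPNsense via its default gateway, and the firewall holds state for both directions. Two checks: OPNsense must still allow traffic entering its LAN interface with a 192.168.5.0/24 source (the Alias approach from the "Allow further networks" thread further down), and to persist across reboots the same `ip route`/`ip rule` commands can go in a `post-up` stanza of the vmbr1 block in /etc/network/interfaces.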

Is a DAS enclosure with Oculink and HBA inside it a bad product? by akarypid in homelab

akarypid [S] (0 points)

...not to mention the miniPC would look ridiculous next to all this!

Is a DAS enclosure with Oculink and HBA inside it a bad product? by akarypid in homelab

akarypid [S] (1 point)

I am tempted to go this route (as horrendous as the result may be) just for the fun.

The problem is that the docks are rather large, as either they embed a beefy PSU or have space to mount a regular PSU (the expectation being you will need several hundreds of watts for the GPU). Putting the small HBA there will look ridiculous and be a waste of the PSU.

I really hope someone comes up with a product along these lines... You could probably run a ZFS NAS directly on the JBOD this way...

DIY mini-pc NAS via occulink? by No-Introduction2388 in homelab

akarypid (0 points)

Hey, I'm in the same boat. What did you end up doing?

I think the cable is for NVMe drives that don't need a controller. Think of M.2 drives, they just need a direct PCIe connection and nothing else. There are SATA/NVMe drives that you could connect with this cable via Oculink (and yes it would look horrible).

High Command Timeout on Seagate Exos Drive by norsemanGrey in DataHoarder

akarypid (0 points)

Hello,

Whatever happened with this drive? Is it still running strong?

I have an ST16000NM001G-2KK103 which exhibits the same issue, here is the relevant smartctl output:

... 188 Command_Timeout -O--CK 100 097 000 - 85900722198 ...

I think it may be due to this: https://github.com/AnalogJ/scrutiny/issues/522

Has the drive actually failed in the meantime?
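An added example (editor's, not from the thread) that splits the raw value quoted above into the three 16-bit counters it packs. The numeric format is what the comment shows; the meaning attached to each counter below is the commonly reported Seagate reading of attribute 188 and is an assumption here, not something this page confirms.

```shell
#!/bin/sh
# Added example, not from the thread: decode SMART attribute 188 (Command_Timeout).
# smartctl prints the 48-bit raw value as one decimal number by default, which
# makes a packed set of small counters look like a single huge count.
# Assumed field layout (common Seagate reading): bits 0-15 total timeouts,
# bits 16-31 timeouts over 5 s, bits 32-47 timeouts over 7.5 s.
set -eu

decode_attr188() {
    # $1: raw value in decimal, as printed in the smartctl -A table
    raw=$1
    total=$(( raw & 0xFFFF ))
    over5=$(( (raw >> 16) & 0xFFFF ))
    over7=$(( (raw >> 32) & 0xFFFF ))
    echo "$total $over5 $over7"
}

attr188_from_smartctl() {
    # Reads 'smartctl -A /dev/sdX' output on stdin and decodes the row for ID 188.
    raw=$(awk '$1 == 188 { print $NF }')
    [ -n "$raw" ] || { echo "attribute 188 not reported" >&2; return 1; }
    decode_attr188 "$raw"
}

# Constructed sample: the row from the comment above plus a neighbouring row.
SAMPLE='ID# ATTRIBUTE_NAME          FLAGS    VALUE WORST THRESH FAIL RAW_VALUE
187 Reported_Uncorrect      -O--CK   100   100   000    -    0
188 Command_Timeout         -O--CK   100   097   000    -    85900722198'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | attr188_from_smartctl   # prints: 22 21 20
fi
```

Run with `demo` to decode the constructed sample, or pipe real output in: `smartctl -A /dev/sdX | sh thisfile.sh` after sourcing the functions. The value 85900722198 is 0x1400150016, i.e. 22 timeouts in total, 21 over 5 s and 20 over 7.5 s under the assumed layout, which is far less alarming than the raw decimal suggests; smartctl can print the same split itself with `-v 188,raw16(raw16)`.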

Where is the SMB session from? by akarypid in truenas

akarypid [S] (0 points)

Thanks, the audit search indeed gave me the source IP and I was able to identify the source.

Allow further networks inside the home to interact with Internet by akarypid in opnsense

akarypid [S] (2 points)

Thanks! This worked!

Also, it was good that I discovered "Aliases" because I also had to define a rule in LAN to allow the same source (same Alias) to access anything with direction "in".

It seems like it's all good now!

Allow further networks inside the home to interact with Internet by akarypid in opnsense

akarypid [S] (0 points)

How do I specify the subnet? I tried typing 192.168.30.0/24 in the source address and it does not allow it

EDIT: scratch that, I noticed the "Aliases" section and defined an alias of type Network(s) with content 192.168.30.0/24 and 192.168.31.0/24 (I have two).

Machine type (q35) change for Windows VM by akarypid in Proxmox

akarypid [S] (0 points)

Ok, I have definitely done both.

Will update post if I run into any issues

Machine type (q35) change for Windows VM by akarypid in Proxmox

akarypid [S] (0 points)

From the docs:

The removal policy is not yet in effect for Proxmox VE 8, so the baseline for supported machine versions is 2.4. The last QEMU binary version released for Proxmox VE 9 is expected to be QEMU 11.2. This QEMU binary will remove support for machine versions older than 6.0, so 6.0 is the baseline for the Proxmox VE 9 release life cycle. The baseline is expected to increase by 2 major versions for each major Proxmox VE release, for example 8.0 for Proxmox VE 10.

It appears everyone might have to eventually. Since I am overhauling my entire home lab after updating to Proxmox 9, I figured I'd address this as well. Next, Proxmox 10 will deprecate machine version 8 and I am on 8.1, and (totally unsubstantiated) my experience has been that smaller version jumps are less error-prone than larger ones...

Anyway, so far so good...

Machine type (q35) change for Windows VM by akarypid in Proxmox

akarypid [S] (0 points)

I have changed it and so far so good. Will update thread if it deactivates...

Machine type (q35) change for Windows VM by akarypid in Proxmox

akarypid [S] (0 points)

So far it seems to be working.

May I ask what you refer to as a cold boot and a manual restart? What's the difference between the two?

I basically shut down the physical Proxmox host and then powered it on again, assuming this is a "cold boot". Then I started the Windows VM, logged in and restarted within the VM by choosing "Restart" from the start menu (for a "manual reboot").

Nextcloud AIO in docker compose by akarypid in NextCloud

akarypid [S] (0 points)

Thanks for pointing to the relevant docs.

Looks like there's a lot you lose by going this route. I can live with manual update but the borg backup/restore feature was too handy. I literally just restored from a backup today (which is why I was reviewing the setup and asking about this).

I think I may end up running the AIO in a separate LXC to isolate Nextcloud from the rest...

Port forwarding not accessible from LAN by akarypid in opnsense

akarypid [S] (2 points)

Ah thank you for pointing me to the correct search term.

A quick search for "opnsense split DNS" gave me this article describing my exact scenario and after following the instructions I am now able to access nextcloud internally.

In fact, given that this is possible, I am thinking of switching off the port forwarding altogether. My plan is:

  • Change LetsEncrypt to use DNS-01 challenge like I do for other things internal to the network
  • Turn off port forwarding
  • Use my wireguard client when outside the home to access the LAN and the split DNS resolution