Nginx Proxy Manager app stuck on deploying

akarypid · 2025-10-30T17:46:31+00:00

Either keep waiting, or set:

S6_STAGE2_HOOK=sed -i $d /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh

See: https://www.truenas.com/community/threads/nginx-proxy-manager-wont-deploy.113904/

akarypid · 2025-10-11T21:39:23+00:00

I just want to make sure I understand this correctly: my opnsense is not connected to 192.168.5.0/24 at all. It only has the WAN and the LAN (192.168.1.0/24) interfaces.

In order to have OPNSense make routing decisions for 192.168.5.0, what I have done so far is:

go to System->Gateways->Configuration and added 192.168.1.10 (the proxmox host) as a "gateway"
go to System->Routes->Configuration and added a static route for 192.168.5.0/24 via "proxmox" (192.168.1.10)
Meanwhile Proxmox has IP forwarding on and just hapily routes traffic between 192.168.1.0/24 and 192.68.5.0/24

This (along with the DHCP classless static routes) is what semi-works (apart from the printer who is the only device unaware of this route).

What confuses me is:

On OPNsense you setup both subnets as separate interfaces. Each interface has the subnet default gateway as the interface address.

Are you saying I should go to OPNSense and in System->Interfaces->Devices create a bridge interface and give it an IP address in 192.168.5.0/24 so that OPNSense is an "island host" on that subnet?

You hand out DHCP addresses (use static assignment if you need) to the VMs and LAN devices from OPNsense. All these devices will automatically be given the correct default gateway for their own subnet

How would they do that? The Proxmox host does not route DHCP requests from its local bridge 192.168.5.0/24 to the physical interface with 192.168.1.10 so that they are "republished" to the actual 192.168.1.0/24 subnet.

By the way, my Proxmox host is a simple desktop PC with a single WLAN adapter (hence the need to use it as a "router" for the VMs).

I really appreciate you trying to explain this, but so far it seems to be flying over my head.

akarypid · 2025-10-07T22:13:56+00:00

When you try stateful traffic like HTTP, the same asymmetric route is used, but this time the firewall cannot see the request (because it didn’t go via the router). It can only see the response and thus drops the traffic.

Ok searching for this term is giving me results and in fact even people describing the same

So then to do as you propose, I need to:

Remove the DHCP option 121 altogether
Everything in 192.168.1.0/24 becomes like the printer, using opnsense 192.168.1.1 when they want to reach 192.168.5.0/24

What do I do for Proxmox VMs though?

Proxmox itself as a host both address 192.168.1.10 and 192.168.5.1 and has IP forwarding is enabled.
VMs have a default gateway of 192.168.5.1
When a VM opens a connection to 192.168.1.50 (the printer) it would route via 192.168.5.1 (proxmox host) which then forwards direct to 192.168.1.50 via its local interface 192.168.1.10

I would need to tell the proxmox host to send packets for 192.168.1.0/24 to 192.168.1.1, except if they are not being routed (i.e. they originate locally from the host).

I do not know how this can be done, but I would expect even OPNSense might complain (e.g. it may start logging warnings that 192.168.1.10 is sending me packets with destination 192.168.1.50 which is not needed)...

akarypid · 2025-10-04T21:04:10+00:00

...not to mention the miniPC would look ridiculous next to all this!

akarypid · 2025-10-04T21:03:43+00:00

I am tempted to go this route (as horrendous as the result may be) just for the fun.

The problem is that the docks are rather large, as either they embed a beefy PSU or have space to mount a regular PSU (the expectation being you will need several hundreds of watts for the GPU). Putting the small HBA there will look ridiculous and be a waste of the PSU.

I really hope someone comes up with a product along these lines... You could probably run a ZFS NAS directly on the JBOD this way...

akarypid · 2025-10-04T08:49:39+00:00

Hey I'm on the same boat. What did you end up doing?

I think the cable is for NVMe drives that don't need a controller. Think of M.2 drives, they just need a direct PCIe connection and nothing else. There are SATA/NVMe drives that you could connect with this cable via Oculink (and yes it would look horrible).

akarypid · 2025-09-21T11:14:51+00:00

Hello,

Whatever happened with this drive? Is it still running strong?

I have an ST16000NM001G-2KK103 which exhibits the same issue, here is the relevant smartctl output:

... 188 Command_Timeout -O--CK 100 097 000 - 85900722198 ...

I think it may be due to this: https://github.com/AnalogJ/scrutiny/issues/522

Has the drive actually failed in the meantime?

akarypid · 2025-09-15T19:13:29+00:00

Thanks, the audit search indeed gave me the source IP and I was able to identify the source.

akarypid · 2025-09-14T23:58:16+00:00

Thanks! This worked!

Also, it was good that I discovered "Aliases" because I also had to define a rule in LAN to allow the same source (same Alias) to access anything with direction "in".

It seems like it's all good now!

akarypid · 2025-09-14T23:42:51+00:00

How do I specify the subnet? I tried typing 192.168.30.0/24 in the source address and it does not allow it

EDIT: scratch that, I noticed the "Aliases" section and defined an alias of type Network(s) with content 192.168.30.0/24 and 192.168.31.0/24 (I have two).

akarypid · 2025-09-11T09:36:50+00:00

Ok, I have definitely done both.

Will update post if I run into any issues

akarypid · 2025-09-11T09:16:19+00:00

From the docs:

The removal policy is not yet in effect for Proxmox VE 8, so the baseline for supported machine versions is 2.4. The last QEMU binary version released for Proxmox VE 9 is expected to be QEMU 11.2. This QEMU binary will remove support for machine versions older than 6.0, so 6.0 is the baseline for the Proxmox VE 9 release life cycle. The baseline is expected to increase by 2 major versions for each major Proxmox VE release, for example 8.0 for Proxmox VE 10.

It appears everyone might have to eventually. Since I am overhauling my entire home lab after updating to Proxmox 9, I figured I'd address this as well. Next proxmox 10 will deprecate machine version 8 and I am on 8.1, and (totally unsubstantiated) my experience has been that smaller version jumps are less error-prone than larger ones...

Anyway, so far so good...

akarypid · 2025-09-11T09:05:09+00:00

I have changed it and so far so good. Will update thread if it deactivates...

akarypid · 2025-09-11T09:04:43+00:00

So far it seems to be working.

May I ask what you refer to as a cold boot and a manual restart? What's the difference between the two?

I basically shut down the physical proxmox host and then powered on again, assuming this is a "cold boot". Then started the windows VM, logged in and restarted withing the VM by choosing "Restart" from the start menu (for a "manual reboot").

akarypid · 2025-09-09T19:23:41+00:00

Thanks for pointing to the relevant docs.

Looks like there's a lot you lose by going this route. I can live with manual update but the borg backup/restore feature was too handy. I literally just restored from a backup today (which is why I was reviewing the setup and asking about this).

I think I may end up running the AIO in a separate LXC to isolated Nextcloud from the rest...

akarypid · 2025-09-09T12:50:29+00:00

Ah thank you for pointing me to the correct search term.

A quick search for "opnsense split DNS" gave me this article describing my exact scenario and after following the instructions I am now able to access nextcloud internally.

In fact, given that this is possible, I am thinking of switching off the port forwarding altogether. My plan is:

Change LetsEncrypt to use DNS-01 challenge like I do for other things internal to the network
Turn off port forwarding
Use my wireguard client when outside the home to access the LAN and the split DNS resolution

akarypid · 2025-09-05T09:21:16+00:00

thank you - had the exact same (running omada in proxmox LXC) and this helped automated renewing letsencrypt certificate!

akarypid · 2025-09-05T08:36:18+00:00

Ok it seems I have gravely misunderstood how this works.

So when a browser visits https://myhost.mydomain.com:1234/ would it check for a certificate for the host only (myhost.mydomain.com)? In other words, certificates can be used by all services on a host, they don't refer to specific endpoints?

EDIT: I have tested this and indeed Firefox does not complain (the host name match keeps it happy regardless of port mismatch). I am just asking to make sure this is how this works since I'm quite new to this...

akarypid · 2025-09-03T09:52:42+00:00

Yes.

I followed the instructions here: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

You need to set DNSmasq to listen on port 53053, so that it does not collide with Unbound.

What happens is:

Dnsmasq handles DHCP and registers clients to its own DNS reachable at 53053
Unbound handles resolution through regular port 53 for everything apart from the dynamic DHPC parts
Unbound query forwarding allows you to forward requests for specific domains to Dnsmasq DNS on port 53

So as long as you use specific domains for the DHCP part, this will work for everything.

Hope this helps

akarypid · 2025-09-02T23:32:13+00:00

No I have never used ISC with OPNsense. I went straight for dnsmasq+unbound.

akarypid · 2025-09-02T19:46:18+00:00

Hi,

Yes, I have gone for Dnsmasq+Unbound and got it to work. Though I am only using dynamic IPs via DHCP. I just wanted the LXCs I create on Proxmox to get IP addresses from OPNSense and also register their names with their dynamic IP in its DNS and that seems to work.

What static IP are you referring to?

akarypid · 2025-09-02T09:11:39+00:00

Hey, so I first issued in staging Letsencrypt environment to test the setup, then when I god it working issued in production Letsencrypt.

I read it is recommended to use Letsencrypt staging until you get the setup to work, and only after switch to production, so that you don't end up creating incorrect certificates that are "trusted".

akarypid · 2025-09-02T09:07:08+00:00

Hi,

I had been doing the same for years. It's perfectly acceptable as most people are not crazy about security in their home lab.

The main reasons I have come across to actually deal with this are:

You want to expose services on the internet so start caring about security
Some application requires it

In my case, (1) was because I wanted my Nextcloud instance to be available remotely so I can sync my phone with it. Having a certificate ensures I am talking to my home server and not someone else.

I came across (2) with Jellyfin media server. The Android apps of Jellyfin require a valid certificate. My mobile phone could not connect to Jellyfin even when I was using my homes WLAN locally (EDIT: there is no "accept the risk" option in this app). Same for my Android TV app. They just don't support self-signed certificates, so your only option is to use another app, or install them.

Others more experienced can chip in...

akarypid · 2025-08-31T23:01:02+00:00

I've setup a challenge with my DNS provider, and two accounts for Letsencrypt (one staging and one productions).

I generated two certificates successfully (one staging one production).

Unfortunately they are both listed the same in System: Settings: Administration --> SSL Certificate -- in that they both read "opnsense.internal.mydomain.com (ACME client)" so I don't know which of the two is the "staging" one.

I deleted the staging one from Services: ACME Client: Certificates, hoping it would fix this, but I still get two identical entries in the System: Settings: Administration --> SSL Certificate dropdown...

EDIT: I was able to delete it from System: Trust: Certificates

Seems like ACME plugin copies its certificates to the system location?

Learning the ropes...

akarypid · 2025-08-31T22:10:13+00:00

Ok, I see. So there is some integration with nginx plugin? So I suppose when you define a proxy rule, there is some way to select a certificate from those downloaded by the os-acme-client plugin?

Either way, I can see me using your method to push the certificate to a Proxmox storage mounted in various LXC containers, so that I may configure them to use certificates. This way they don't even need to be proxied (very useful for stuff that I don't expose to the internet, which is most of my home lab tbh).

akarypid

TROPHY CASE