OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: Galaxy on October 11, 2025, 02:06:23 AM

Title: NAT Reflection Issues with Unraid Docker Containers
Post by: Galaxy on October 11, 2025, 02:06:23 AM
After the past few updates my Unraid server loses connection to the internet. LAN still works fine, but I cannot ping 8.8.8.8 from the Unraid console. Weirdly, after a few hours (maybe 8-24) the problem fixes itself.

This last update though I didn't want to wait and started troubleshooting. After a lot of back and forth with ChatGPT, it suggested running the command: pfctl -F all -f /tmp/rules.debug

This fixed most of it! I could ping out from the Unraid console and my externally visible services were accessible again. But suddenly I was experiencing issues with certain docker containers not seeing each other. My linuxserver/unifi-network-application container was down because it couldn't see the MongoDB container. After a bunch of messing around I finally tried changing the MongoDB network type from "Bridge" to "bond0" and gave it its own IP address. That fixed that issue... but I don't know why.

Then I realized my UniFi Network integration in HomeAssistant was down, and could not reach the unifi-network-application docker container either. I've tried changing my NAT > Outbound settings from Automatic to Hybrid and creating a "LAN-net to any" rule. No dice. Tried toggling on "Reflection for port forwards" and that broke everything again. (Ran the same command to fix again).

I would really appreciate some help. Clearly something has changed with how OPNsense handles LAN-LAN NAT reflection, but I cannot figure out what or how to adjust for it.

(Edit)

For what it's worth, here's ChatGPT's diagnosis after all of my back and forth with it:

Quote:
What Is Going On With Your Network

The Initial Change: Docker containers on a bond0 (MACVLAN) network are intentionally isolated from the Unraid host and its internal Docker bridge network. This is why your UniFi container (bond0) could not see the MongoDB container (bridge). Your fix—moving MongoDB to bond0—was logical, but it created a new dependency.

The Core Problem Begins: Now, both HomeAssistant and UniFi are on the same bond0 network, but they act like two separate computers on your LAN. When they try to talk to each other, Unraid sends the traffic to your main gateway—OPNsense. Your network is now depending on your router to handle traffic that is moving between two applications on the same server.

The OPNsense Update: A recent update to OPNsense appears to have introduced a bug or a change in behavior. It is no longer correctly "reflecting" this LAN-to-LAN traffic. So, when traffic from HomeAssistant goes to OPNsense, OPNsense fails to route it back to the UniFi container, and the connection times out.

The Cascade Failure: When you enabled "Reflection for port forwards" and reset the states, you triggered this underlying bug in a catastrophic way. The firewall's rule-generation engine failed and did not correctly apply the outbound NAT rules, which is what broke your server's internet connection.

The Temporary Fix: The pfctl -F all -f /tmp/rules.debug command works because it bypasses the buggy rule-application engine. It manually flushes all the broken live rules and loads a fresh, correct set directly from the configuration file. This proves your saved configuration is correct, but the firewall's live state is not.
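One check that the troubleshooting above never shows is whether the Unraid-to-container traffic reaches OPNsense at all. The following is an added example, not code from this thread or from OPNsense: a small POSIX shell helper that filters the output of pfctl -ss (the pf state table) for states between two IPv4 addresses, in either direction. If the Unraid host and the container sit on the same LAN segment and talk to each other's LAN IP, the switch forwards that traffic directly and pf never creates a state for the pair, whatever the reflection settings say; a non-zero count means the flow really is being hairpinned through the firewall. The addresses and the sample state lines in the block are constructed for the example; on an OPNsense shell the live table is used instead: pfctl -ss | states_between 192.168.1.50 192.168.1.60. One caveat for the command the poster was given: pfctl -F all flushes the state table along with the rules, so every count drops to zero and every live connection is cut the moment it runs.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: filter the pf state
# table (pfctl -ss output) for flows between two IPv4 hosts. No state for a
# pair means that traffic never passed through the firewall, whatever the
# NAT reflection settings say.

# Reads pfctl -ss lines on stdin and prints those in which both addresses
# appear, in either direction. Each line looks like
#   all tcp 192.168.1.50:53218 -> 192.168.1.60:8443       ESTABLISHED:ESTABLISHED
# and NATed flows carry the pre-translation address in parentheses, e.g.
#   all udp 203.0.113.10:40000 (192.168.1.50:40000) -> 8.8.8.8:53       MULTIPLE:SINGLE
# so every field is normalised (parentheses and :port removed) before matching.
# IPv6 states ([addr]:port) are not handled by this helper.
states_between() {
  awk -v a="$1" -v b="$2" '
    {
      seen_a = 0; seen_b = 0
      for (i = 1; i <= NF; i++) {
        f = $i
        gsub(/[()]/, "", f)
        sub(/:[0-9]+$/, "", f)
        if (f !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
        if (f == a) seen_a = 1
        if (f == b) seen_b = 1
      }
      if (seen_a && seen_b) print
    }'
}

# Number of such states, printed as a bare integer.
count_states_between() {
  states_between "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample of pfctl -ss output for offline use: two hairpinned TCP
# sessions between the Unraid host (.50) and a container IP (.60), the host's
# outbound DNS and ping (outbound NAT shown in parentheses), and an unrelated
# LAN client.
SAMPLE_STATES='all tcp 192.168.1.50:53218 -> 192.168.1.60:8443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.50:53219 -> 192.168.1.60:8443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.10:40000 (192.168.1.50:40000) -> 8.8.8.8:53       MULTIPLE:SINGLE
all icmp 192.168.1.50:55330 -> 8.8.8.8:55330       0:0
all tcp 192.168.1.20:51000 -> 192.168.1.60:443       ESTABLISHED:ESTABLISHED'

# Offline demo on the constructed sample. On OPNsense itself use the live table:
#   pfctl -ss | count_states_between 192.168.1.50 192.168.1.60
demo() {
  printf '%s\n' "$SAMPLE_STATES" | count_states_between 192.168.1.50 192.168.1.60
}

demo
```

Run the count once before and once after toggling "Reflection for port forwards"; if it stays at zero while the host and the container can still not talk, the firewall is not on that path and the problem has to be on the Unraid side (Docker networking or the switch), not in OPNsense's reflection rules.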

Title: Re: NAT Reflection Issues with Unraid Docker Containers
Post by: caplam on October 11, 2025, 02:16:17 PM
When you have 2 containers that need to communicate with each other, the best practice is to put them in a custom network. That way they can communicate even by hostname, e.g. postgres:5432
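A quick way to see why two containers cannot find each other by name, as an added example that is not part of caplam's post or of Docker's own tooling: Docker's embedded DNS resolves container and service names only on user-defined networks, never on the default bridge, host or none networks, so two containers need at least one user-defined network in common. The helper below takes the network lists that docker inspect reports for two containers and prints the user-defined networks they share; an empty result means name resolution between them cannot work, which is the situation of a container on Unraid's bond0 macvlan network and one on the default bridge. The container and network names used here (appnet, swag, bond0, unifi-network-application, MongoDB) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: find the user-defined Docker networks two
# containers have in common. Docker's embedded DNS only answers for container
# and service names on user-defined networks, so an empty result means the two
# containers cannot reach each other by hostname.

# Networks a container is attached to, one name per line, as reported by
# docker inspect (needs the docker CLI; the pure helper below does not).
container_networks() {
  docker inspect -f '{{range $name, $cfg := .NetworkSettings.Networks}}{{println $name}}{{end}}' "$1"
}

# Pure helper: takes two newline-separated network lists and prints, sorted,
# the names present in both, excluding Docker's built-in bridge/host/none,
# which give no name resolution.
shared_user_networks() {
  {
    printf '%s\n' "$1" | sort -u | sed 's/^/1 /'
    printf '%s\n' "$2" | sort -u | sed 's/^/2 /'
  } | awk '
    $1 == "1" && NF == 2 { first[$2] = 1 }
    $1 == "2" && NF == 2 && ($2 in first) && $2 != "bridge" && $2 != "host" && $2 != "none" { print $2 }
  ' | sort
}

# Compare two running containers by name, e.g.
#   check_pair unifi-network-application MongoDB   (assumed container names)
# Returns 1 when no user-defined network is shared.
check_pair() {
  shared="$(shared_user_networks "$(container_networks "$1")" "$(container_networks "$2")")"
  if [ -n "$shared" ]; then
    printf '%s and %s share: %s\n' "$1" "$2" "$(printf '%s' "$shared" | tr '\n' ' ')"
  else
    printf '%s and %s share no user-defined network; name resolution between them will fail\n' "$1" "$2"
    return 1
  fi
}
```

Applied to the poster's original layout (unifi on bond0, MongoDB on the default bridge) the helper prints nothing, which is exactly the "couldn't see the MongoDB container" symptom; attaching both to one custom network such as appnet makes mongo resolvable as a plain hostname without giving it a LAN IP of its own.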
Title: Re: NAT Reflection Issues with Unraid Docker Containers
Post by: Galaxy on October 11, 2025, 10:35:46 PM
HomeAssistant is currently set to "host" (per some guide I followed years ago) and it communicates with a lot of other containers. Some of them are on "bridge" (sonarr/radarr), some are on "host" (NodeRed), and some are on a custom network used for external access through Swag. I don't think putting every container that talks with HomeAssistant in the same network is viable for my setup (or necessary, based on my past experience).

All of my other HA integrations are working fine except the UniFi one, which is the only one on the "bond0" network with its own IP. And even that one used to work fine until the recent updates.

This all seems to indicate that the issue has something to do with my Unraid server using multiple IP addresses. When it's HOST-IP:PORT-X > HOST-IP:PORT-Y it works. But as of the recent OPNsense updates, HOST-IP > "container with its own IP" doesn't work anymore.

So as far as I can tell the issue is with this "LAN U-Turn" through OPNsense, not something within the Unraid/Docker networking. I could be wrong though...

I am using a switch (USW Enterprise 8 PoE), but I think it's just a dumb switch. I've been assuming it has nothing to do with this, and that OPNsense is what is handling this with the "NAT Reflection" settings.