Messages - teclab

#1
Wanted to grow the root partition from 16GB to 32GB, so I did:

  • Shut down OPNsense
  • In Proxmox Hard Disk->Resize +16
  • Reboot OPNsense

Output of gpart shows:
root@opnsense:~ # gpart show
=>      40  33554352  da0  GPT  (32G) [CORRUPT]
        40      1024    1  freebsd-boot  (512K)
      1064  33553328    2  freebsd-ufs  (16G)

Usage:
root@opnsense:~ # df -h
Filesystem                   Size    Used   Avail Capacity  Mounted on
/dev/da0p2                    15G     14G    705M    95%    /
devfs                        1.0K      0B    1.0K     0%    /dev
tmpfs                        611M    6.3M    604M     1%    /var/log
tmpfs                        1.8G    4.4M    1.8G     0%    /tmp
tmpfs                        1.8G    120K    1.8G     0%    /var/lib/php/tmp
devfs                        1.0K      0B    1.0K     0%    /var/dhcpd/dev
devfs                        1.0K      0B    1.0K     0%    /var/unbound/dev
/usr/local/lib/python3.11     15G     14G    705M    95%    /var/unbound/usr/local/lib/python3.11
/lib                          15G     14G    705M    95%    /var/unbound/lib
/dev/md43                    145M     72K    133M     0%    /usr/local/zenarmor/output/active/temp
tmpfs                        100M     12K    100M     0%    /usr/local/zenarmor/run/tracefs

Details:
root@opnsense:~ # du -hs /*
8.0K    /COPYRIGHT
1.4M    /bin
312M    /boot
 12M    /conf
4.0K    /dev
4.0K    /entropy
2.1M    /etc
4.0K    /home
 17M    /lib
164K    /libexec
4.0K    /media
4.0K    /mnt
4.0K    /net
4.0K    /proc
4.0K    /rescue
 76K    /root
4.9M    /sbin
  0B    /sys
 39M    /tmp
5.1G    /usr
8.5G    /var
root@opnsense:~ # du -hs /var/*
4.0K    /var/account
 12K    /var/at
 12K    /var/audit
4.0K    /var/authpf
 20M    /var/backups
 47M    /var/cache
8.0K    /var/crash
 16K    /var/cron
7.8G    /var/db
104K    /var/dhcpd
4.0K    /var/empty
 60K    /var/etc
4.0K    /var/games
4.0K    /var/heimdal
277K    /var/lib
 15M    /var/log
4.0K    /var/mail
4.0K    /var/msgs
844K    /var/netflow
4.0K    /var/preserve
164K    /var/run
4.0K    /var/rwho
148K    /var/spool
 12K    /var/tmp
696M    /var/unbound
4.0K    /var/yp

Tried this, rebooted, but did not do anything:
touch /.probe.for.growfs.nano

fsck gave lots of weird errors:
** /dev/da0p2 (NO WRITE)
** Last Mounted on /mnt
** Root file system
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=160265 (31872 should be 28672)
CORRECT? no

INCORRECT BLOCK COUNT I=1602731 (8 should be 0)

Tried:
root@opnsense:~ # gpart resize -i 2 da0
gpart: table 'da0' is corrupt: Operation not permitted

  • Booting in single user mode, tried everything again, nothing helped.
  • Restored backup, tried again, same problem.

Found this:
root@opnsense:~ # service growfs onestart
Growing root partition to fill device
da0 recovered
da0p2 resized

And now solved:
root@opnsense:~ # gpart show
=>      40  67108784  da0  GPT  (32G)
        40      1024    1  freebsd-boot  (512K)
      1064  67107760    2  freebsd-ufs  (32G)

But WTF!?
root@opnsense:~ # df -h
Filesystem                   Size    Used   Avail Capacity  Mounted on
/dev/da0p2                    31G    5.8G     23G    20%    /
devfs                        1.0K      0B    1.0K     0%    /dev
tmpfs                        611M    7.9M    603M     1%    /var/log
tmpfs                        1.8G    584K    1.8G     0%    /tmp
tmpfs                        1.8G    120K    1.8G     0%    /var/lib/php/tmp
devfs                        1.0K      0B    1.0K     0%    /var/dhcpd/dev
devfs                        1.0K      0B    1.0K     0%    /var/unbound/dev
/usr/local/lib/python3.11     31G    5.8G     23G    20%    /var/unbound/usr/local/lib/python3.11
/lib                          31G    5.8G     23G    20%    /var/unbound/lib
/dev/md43                    145M     12K    133M     0%    /usr/local/zenarmor/output/active/temp
tmpfs                        100M     32K    100M     0%    /usr/local/zenarmor/run/tracefs

Now only 5.8G is used? Before the grow it was 14G ...
Why was /var/db so big?
root@opnsense:~ # du -hs /var/*
4.0K    /var/account
 12K    /var/at
 12K    /var/audit
4.0K    /var/authpf
 20M    /var/backups
156M    /var/cache
8.0K    /var/crash
 16K    /var/cron
 44M    /var/db
100K    /var/dhcpd
4.0K    /var/empty
 64K    /var/etc
4.0K    /var/games
4.0K    /var/heimdal
133K    /var/lib
849K    /var/log
4.0K    /var/mail
4.0K    /var/msgs
844K    /var/netflow
4.0K    /var/preserve
148K    /var/run
4.0K    /var/rwho
148K    /var/spool
 12K    /var/tmp
698M    /var/unbound
4.0K    /var/yp
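The gpart/growfs part of the post above, as an added example that is not teclab's or the OPNsense project's code: a small FreeBSD sh script that parses `gpart show` output (the two samples are constructed from the post) and prints, without running, the repair steps. That `service growfs onestart` did a `gpart recover` followed by `gpart resize` and `growfs` (both from FreeBSD's gpart(8)/growfs(8)), and the 32G sector count a `diskinfo da0` would report, are my assumptions.

```shell
#!/bin/sh
# Added example: inspect `gpart show` output the way the post's situation
# requires, and print (never run) the repair steps. Sample outputs below are
# constructed from the post; the 32G disk size (67108864 512-byte sectors) is
# assumed to be what `diskinfo da0` reports on the resized VM disk.
SAMPLE_BEFORE='=>      40  33554352  da0  GPT  (32G) [CORRUPT]
        40      1024    1  freebsd-boot  (512K)
      1064  33553328    2  freebsd-ufs  (16G)'
SAMPLE_AFTER='=>      40  67108784  da0  GPT  (32G)
        40      1024    1  freebsd-boot  (512K)
      1064  67107760    2  freebsd-ufs  (32G)'
DISK_SECTORS=67108864

# 1 if the scheme line is flagged [CORRUPT] (backup GPT header no longer at
# the device end after the VM disk grew), else 0
gpart_is_corrupt() {
    printf '%s\n' "$1" | awk 'NR==1 { print (index($0, "[CORRUPT]") ? 1 : 0) }'
}

# Last usable sector + 1 as the (possibly stale) GPT header describes it
gpart_table_end() {
    printf '%s\n' "$1" | awk 'NR==1 { print $2 + $3 }'
}

# Sectors between the end of the last partition and the table end (0 = full)
gpart_trailing_free() {
    printf '%s\n' "$1" | awk '
        NR == 1 { end = $2 + $3 }
        NR > 1 && $3 ~ /^[0-9]+$/ { last = $1 + $2 }
        END { print end - last }'
}

# plan_grow OUTPUT DEV INDEX DISK_SECTORS: print the steps this layout needs
# (assumed to be what `service growfs onestart` performs); empty = nothing to do
plan_grow() {
    out=$1; dev=$2; idx=$3; sectors=$4
    if [ "$(gpart_is_corrupt "$out")" -eq 1 ]; then
        echo "gpart recover $dev          # move backup header to the new device end"
    fi
    beyond=$(( sectors - $(gpart_table_end "$out") ))
    # a healthy GPT keeps only ~33 sectors after the last usable one
    if [ "$beyond" -gt 64 ] || [ "$(gpart_trailing_free "$out")" -gt 0 ]; then
        echo "gpart resize -i $idx $dev    # extend partition $idx to the device end"
        echo "growfs /dev/${dev}p${idx}    # then grow the UFS file system"
    fi
}

plan_grow "$SAMPLE_BEFORE" da0 2 "$DISK_SECTORS"
```

Run against the real box, replace the samples with `gpart show da0` and `diskinfo da0` output; the partition in the post was already full according to its stale header, which is why plain `gpart resize` refused until the table was recovered.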
#2
Indeed, I am sorry Patrick.
Today I learned a lot!
#3
Quote from: viragomann on January 18, 2026, 08:40:52 PM
Did you limit the destination in the NAT rule to the modem IP or subnet?
I did it as Patrick suggested without destination and translation.
But now I tried 192.168.33.1/32 as Destination and have both working! Hurray!

Thank you All for your help and patience!!
#4
I did what Patrick suggested and could reach my modem. Unfortunately there are two side effects:

  • The WAN network 192.168.33.x was exposed to my private local 10.10.x.x network.
  • Internet did not work any more!!

That's not what I was trying to achieve. I do not want to expose 192.168.x.x in my 10.10.x.x network.
#5
deleted
#6
Guys, I appreciate your support. But searching for 'outbound' I find:
Quote: Outbound NAT (Network Address Translation) changes the source IP address of traffic leaving a private local network (like your home or business network) to a public IP address as it goes out to the internet, allowing multiple devices to share one public IP and enabling internet access.

Why do I want to change (hide) the source IP?

I only wanted to reach a single IP on a single port on the WAN side. What's wrong with port mapping?
#7
I tried two versions, both failing.
(I am having difficulty understanding translation/destination).
#8
Quote from: viragomann on January 18, 2026, 05:09:23 PM
Just access it using its IP. OPNsense is a router and will route the traffic properly.
This does not work. No it does not.
LAN and IP Bridge are on different networks.

I made a drawing to help make things more clear.
#9
Quote from: viragomann on January 17, 2026, 07:54:26 PM
... you want to tunnel the traffic through SSH for security reasons or whatever.
No, this is only the workaround.

Quote from: viragomann on January 17, 2026, 07:54:26 PM
I don't think that OPNsense gets the tunneled traffic in on any interface, which can be used for port forwarding. I assume, it enters the machine on localhost, but this is not available in a port forwarding rule.
Not quite sure if we are on the same page? Every connection enters on the localhost, that's what port forwarding is for.

I already set up NAT from WAN to a local machine behind. This works OK.
But now I thought about setting up NAT from LAN to WAN (but on the IP alias).
#10
Quote from: viragomann on January 15, 2026, 10:34:09 PM
And what's the sense of forwarding the traffic?

As posted in my first message, my fiber bridge does have a local IP for maintenance - on the same physical port.
This is on the WAN side:

FiberBridge  <->  WAN  <->  OPNsense  <->  LAN

So from LAN I wanted to NAT to the Fiber Bridge.


#11
Quote from: Patrick M. Hausen on January 15, 2026, 10:26:49 PM
But if you correctly NAT ...

Yes that's what I was trying, but failing (as written in my initial post).
#12
Quote from: viragomann on January 15, 2026, 08:43:36 PM
... and access the device by its IP then.

I am not accessing the modem by its IP. I need to http to OPNsense on port 88, and from there forward to the modem 192.168.33.1 on port 80.
That's why I gave this example:

From my desktop PC I do:
ssh -L 88:192.168.33.1:80 root@opnsense
And then doing http://opnsense:88 I get forwarded to the modem.

Sorry, but I did not want to "disobey" you *lol* ... I might not have understood it better ...


#13
Configured it:

Interface  Source    Source Port  Destination    Destination Port  NAT Address      NAT Port  Static Port  Description
WAN        LAN1 net  tcp/*        This Firewall  tcp/88            192.168.33.1/32  80        NO

But getting a timeout when opening http://opensense:88

#14
General Discussion / Forward local port to WAN Bridge
January 15, 2026, 05:40:21 PM
Dear community,

my fiber bridge does have a second IP for local configuration web interface: 192.168.33.1
For this I configured a virtual IP (IP alias) on the WAN interface. Ok - this works.

From the LAN side I can only reach it when doing a port forwarding using ssh (ssh -L 88:192.168.33.1:80 root@opnsense).
When configuring a Firewall-NAT-Port forwarding I am failing:
LAN1 TCP * * This Firewall 88 192.168.33.1 80 (HTTP)
Also tried a firewall rule:
IPv4 TCP LAN1 net * * 88 * * Glasfaser Modem
But nothing helps.

Any ideas welcome. Thx!


#15
Actually I figured it out.

In my DNS A Record there was a wildcard *.mydomain.at

This led to my Sony TV searching for wpad.mydomain.at, which actually should have stayed inside my private network, but now went public.
It also alarmed my domain provider because I had my Debian Bookworm mirror wrongly set up to debian.mydomain.at, which then spammed my provider, because there was no such private domain, and eventually shut down my IP.

I learned a lot this weekend ...