Messages - berrydan

#1
While your approach is interesting and I considered having split DNS, I feel that it's more problematic for administrating.

My chief concern is that there may be some form of memory leak going on, or perhaps some table that is filling up with records and then causing OPNsense to get into an out-of-memory condition. WebDAV doesn't generate as much packet traffic, unlike something like streaming video. This in itself seems annoying, as the box my OPNsense is running on has 16GB of RAM, so it's not exactly short on space.
#2
I have an OPNsense installation running where I have internal traffic going to ports 80/443 of the public IP, which in turn goes to an nginx reverse proxy, then to a Jellyfin ("JF") server. Yes, I could simply point the JF client to the internal JF server address, but for configuration simplicity's sake, I point the client to the public IP so tablets connect regardless of whether I'm internal/external to my LAN.

For this purpose, I have "Reflection for port forwards" enabled so internal traffic can hairpin out and in through the public IP.

<int. jf client:443> --> <public IP opnsense> --> <int. nginx revproxy:443> --> <int. jf server:8096>

When running in this configuration, traffic succeeds for as little as several seconds to as much as several minutes before the entire OPNsense firewall blocks/freezes traffic completely for everyone and everything. It's unpredictable how long it will take. Recovering necessitates that I power cycle the OPNsense firewall and reboot.

This was not happening prior to upgrading to 24.7 from 24.1.

Public-facing traffic has no problem transitioning through OPNsense with the NAT configuration as it is. I've been forced to deactivate Reflection out of concerns that any amount of traffic could lock up OPNsense on me.
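To check the "table filling up" theory from post #1 against the freezes described in post #2, the sampler below logs pf state-table usage and free memory once per run so growth can be correlated with the lockups. It is an added example, not code from the posts or from the OPNsense project; it assumes the FreeBSD `pfctl -si` / `pfctl -sm` output layout, and the log path, script name and 80% warning threshold are arbitrary choices.

```sh
#!/bin/sh
# Added example (not from the forum posts): sample pf state-table usage on an
# OPNsense/FreeBSD firewall. Parsing is done in plain sh so the functions can
# also be exercised on captured pfctl output. Threshold and paths are assumptions.

# Extract "current entries" from `pfctl -si` text read on stdin (0 if absent).
pf_current_states() {
    while read -r w1 w2 val rest; do
        [ "$w1 $w2" = "current entries" ] && { echo "$val"; return; }
    done
    echo 0
}

# Extract the states hard limit from `pfctl -sm` text read on stdin (0 if absent).
pf_state_limit() {
    while read -r name w1 w2 val rest; do
        [ "$name" = "states" ] && [ "$w1 $w2" = "hard limit" ] && { echo "$val"; return; }
    done
    echo 0
}

# Integer percentage of the state table in use: $1 = current entries, $2 = limit.
pf_state_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# One live sample: timestamp, state count, limit, percent used, free memory pages.
# Run from cron (e.g. every minute) while reflection is enabled so the log shows
# whether states or memory climb right before the firewall stops passing traffic.
pf_sample_line() {
    cur=$(pfctl -si 2>/dev/null | pf_current_states)
    lim=$(pfctl -sm 2>/dev/null | pf_state_limit)
    pct=$(pf_state_pct "$cur" "$lim")
    free=$(sysctl -n vm.stats.vm.v_free_count 2>/dev/null)
    printf '%s states=%s limit=%s pct=%s free_pages=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$cur" "$lim" "$pct" "${free:-?}"
    [ "$pct" -ge 80 ] && logger -p daemon.warning "pf state table at ${pct}%"
    return 0
}

# Only take a live sample when invoked as the script itself (assumed name).
if [ "${0##*/}" = "pf_state_sample.sh" ]; then
    pf_sample_line >> /var/log/pf_state_sample.log
fi
```

Compare the logged `states=` and `free_pages=` values from the last minutes before a freeze against a quiet period; a steadily rising state count with reflection on points at the state table rather than at a plain memory leak.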