
Messages - pj97

#1
Working for me now :) Realized that I never tested the LAN, and only VPN. So at least my VPN is back up and running to access the domains :D
#2
Quote from: Monviech (Cedrik) on February 07, 2025, 03:35:37 PM
Good that the rules are the same, that means that can be ruled out (pun not intended xD)

If VPN is involved, the next possible cause can be PMTU (Path MTU Discovery), since VPN reduces possible MSS sizes.

In 25.1 there have been some issues regarding that.
https://github.com/opnsense/src/issues/235

You could try to install the test kernel and see if that fixes your issues:
https://github.com/opnsense/src/issues/235#issuecomment-2636702333


I can definitely try that, but the issue is happening within the network as well. Any device within the LAN can't reach my subdomains that aren't routed through the CF proxy.
#3
Quote from: Monviech (Cedrik) on February 07, 2025, 02:46:28 PM
That's what we can find out. If you have snapshots of before and after the update, we could also compare the pf ruleset.

Just store what's in /tmp/rules.debug before and after the update and diff it for obvious changes regarding rdr or nat.

I luckily back up my config every night. I did a quick compare on the XML, and the NAT section remained the same, no changes. The only differences were the UUIDs that were added. Other than that, it's pretty much the same.
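An added example (not from the thread) of the snapshot comparison suggested in the quoted reply: a POSIX sh script that keeps only the rdr/nat/binat lines of two /tmp/rules.debug copies and diffs them. The snapshot contents, interface names and addresses below are constructed, not real OPNsense output.

```shell
#!/bin/sh
# Added example: compare the NAT-related part of two rules.debug snapshots.
# Only rdr (port forward), nat (outbound NAT) and binat lines are kept, so
# unrelated filter-rule changes do not clutter the diff.

# Print the sorted NAT-related rules of one snapshot ($1 = path).
nat_rules() {
    grep -E '^(no )?(rdr|nat|binat) ' "$1" | sort
}

# Diff the NAT-related rules of two snapshots ($1 = before, $2 = after).
# Exit status 0 = identical NAT section, 1 = differences were found.
nat_diff() {
    tmp_b=$(mktemp); tmp_a=$(mktemp)
    nat_rules "$1" > "$tmp_b"
    nat_rules "$2" > "$tmp_a"
    if diff -u "$tmp_b" "$tmp_a"; then rc=0; else rc=1; fi
    rm -f "$tmp_b" "$tmp_a"
    return $rc
}

# Constructed sample snapshots (hypothetical interfaces em0 = WAN, em1 = LAN).
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
set skip on lo0
nat on em0 inet from 192.168.1.0/24 to any -> (em0:0) port 1024:65535
rdr on em0 inet proto tcp from any to (em0) port 443 -> 192.168.1.10 port 443
rdr on em1 inet proto tcp from 192.168.1.0/24 to 203.0.113.5 port 443 -> 192.168.1.10 port 443
nat on em1 inet proto tcp from 192.168.1.0/24 to 192.168.1.10 port 443 -> (em1)
pass in quick on em1 inet from any to any
EOF
# "After" snapshot: the LAN-side reflection rdr and its outbound nat are gone.
cat > "$AFTER" <<'EOF'
set skip on lo0
nat on em0 inet from 192.168.1.0/24 to any -> (em0:0) port 1024:65535
rdr on em0 inet proto tcp from any to (em0) port 443 -> 192.168.1.10 port 443
pass in quick on em1 inet from any to any
EOF

if nat_diff "$BEFORE" "$AFTER"; then
    echo "NAT section unchanged"
else
    echo "NAT section differs (see diff above)"
fi
```

On a real firewall, copy /tmp/rules.debug to a safe location before and after the update and pass those two copies to nat_diff.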
#4
Quote from: Monviech (Cedrik) on February 07, 2025, 02:36:46 PM
The simplest way to check what's up is if you create manual NAT rules using this tutorial page. If it works with them, then maybe there's something up with the automatic generation.

Please note that NAT is complicated.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html

Yeah, I can do that and try; my only concern is that it was working before the update and nothing besides the version changed. So I wasn't sure if others had experienced the same issue as well. If others have experienced the same issue, then it would point to something consistent in the update that changed.
#5
Quote from: meyergru on February 07, 2025, 11:45:09 AM
Just asking for clarity here: You say that this worked before 25.1 including Plex? The reason I am asking is that while Plex can have a different port than 32400, it must know which IP to connect to. Since you cannot specify a DNS name in Plex, it probably is essential to use the same IP for inbound and outbound traffic, which is potentially (or per default) not the case.

The PIA approach seems to be that they provide you with a public IP and an arbitrary port, which you could use as a target for inbound by specifying it directly or via DNS. All of your normal outbound traffic would go over the external NATed IP your ISP provides. This is all that Plex can see, so it would try to connect back to the IP that was reaching out to them.

So, IMHO, I think you would also have to direct all outbound Plex traffic over your PIA IP, maybe that is the problem. IDK what magic the PIA script does, but potentially, it has not been modified to work with 25.1, yet.


Yes, I don't run any PIA scripts or anything. I had my Plex setup working as follows: plex.mydomain.com would redirect me internally and externally, same with jellyfin.mydomain.com (Plex settings > Network > custom server URL, where I have my domain). I did get my Immich to run/load internally; that's due to me enabling my Cloudflare proxy. Jellyfin and Plex are the only 2 apps that I don't route through the CF proxy. So it seems to point to an issue with the 'hairpin NAT'.

My port forwards consist of 2 things:
80/443 --> point to my SWAG (nginx) instance

My NAT has 2 settings enabled:
Reflection for port forwards and automatic outbound NAT for reflection.

I updated to v25.1 and changed 0 settings, just ran the update and let it do its thing. If there's other info I can provide, I can; I'm not sure what settings would be useful though, so just let me know :)

#6
Quote from: Patrick M. Hausen on February 06, 2025, 06:45:31 PM
Without showing the NAT rules in question, some info on the network topology, and preferably packet traces, there is little chance anything will be fixed.

Don't assume a problem you experience is widely known. Always assume it's particular to your specific setup. Seriously.

Not claiming there is no bug, or "it's your fault" or some such - but the most important part of a bug report is "how to reproduce". "There's a bug in NAT" is not a problem description. Neither is "I cannot connect", sorry.

If everybody using NAT reflection was experiencing the same problem, Q&A would probably have caught it before shipping. And even if not, the forum would now be full with reports. Apparently that is not the case.

My updates went completely painless apart from some cosmetic issues in the dashboard.

Sorry, first time I'm using the forum here. Wasn't sure what else to put in the description.

I'm not really sure how to replicate/demonstrate the issue or what settings would be useful to post here. I just started to notice it today and was curious if I was alone or not in the matter. Nothing changed in my setup besides the version from 24.7.12 to 25.1.
#7
So it seems like it's a bug with the new update and NAT. I don't really want to find a workaround if it's an issue with OPNsense. Hopefully a fix is pushed out for it.
#8
For some reason, after the update to 25.1, I can't access my domain interface anymore. I'm connecting via WireGuard to my network and try to access 'photos.mydomain.com' and it does not load.

The specific apps I'm having problems with: Immich, Jellyfin, Plex.

I'm using: Unraid (with SWAG/nginx). Other apps seem to load fine, but I'm having issues with those 3. I don't even see any logs for the requests being sent to my nginx, so it seems like whatever the update changed on OPNsense may have caused it. (Was working fine in 24.7.12.)