Quote from: User074357 on November 21, 2025, 12:33:14 PM: I was under the impression the "Default allow LAN to any rule" would be enough to allow pinging devices in the DMZ from LAN. [...]
Quote from: xavx on November 21, 2025, 02:41:02 PM: What I did is include the netflow storage path in the /var/log RAM disk by modifying the end of /usr/local/etc/rc.subr.d/var:
echo -n "Setting up /var/log memory disk..."
mount -t tmpfs -o size=$((MAX_MEM_SYS / 100 * MAX_MFS_VAR)) tmpfs /var/log
echo "done."
ln -s /var/log/netflow /var/netflow
mkdir -p /var/log/netflow
chown root:wheel /var/log/netflow
chmod 750 /var/log/netflow
fi
# prep boot log
: > /var/log/boot.log
I also did something similar for the unbound.duckdb.
You'll need to re-apply these changes after each OPNsense update, as they'll be overwritten.
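An idempotent version of the same step, added here as an example and not part of xavx's post or of OPNsense's rc.subr.d/var: the memdisk root and netflow path are parameters (assumed names) so the function can be exercised outside the real boot script, and it handles the case the plain `ln -s` does not, where /var/netflow already exists as a real directory.

```shell
#!/bin/sh
# Added example: relink a netflow directory into the tmpfs-backed /var/log.
# Usage: setup_netflow_memdisk <memdisk_root> <netflow_path>
#   memdisk_root : the tmpfs-backed directory, e.g. /var/log
#   netflow_path : the path the netflow tooling writes to, e.g. /var/netflow
setup_netflow_memdisk() {
    memdisk_root=$1
    netflow_path=$2
    target="$memdisk_root/netflow"

    mkdir -p "$target" || return 1
    # Ownership only applies when run as root (as the rc script is); ignore otherwise.
    chown root:wheel "$target" 2>/dev/null || true
    chmod 750 "$target" || return 1

    if [ -L "$netflow_path" ]; then
        # Already a symlink: replace it only if it points somewhere else.
        current=$(readlink "$netflow_path")
        if [ "$current" != "$target" ]; then
            rm -f "$netflow_path" || return 1
            ln -s "$target" "$netflow_path" || return 1
        fi
    elif [ -d "$netflow_path" ]; then
        # A real directory (e.g. left over from before the change): a bare
        # 'ln -s' would create $netflow_path/netflow *inside* it instead of
        # replacing it. Move existing flow files into the memdisk, then relink.
        find "$netflow_path" -mindepth 1 -maxdepth 1 -exec mv -f {} "$target"/ \; || return 1
        rmdir "$netflow_path" || return 1
        ln -s "$target" "$netflow_path" || return 1
    elif [ -e "$netflow_path" ]; then
        # Some other file type at that path: refuse rather than clobber it.
        echo "refusing to replace non-directory $netflow_path" >&2
        return 1
    else
        ln -s "$target" "$netflow_path" || return 1
    fi
    return 0
}
```

Note that anything moved into the memdisk this way is still lost on reboot, which is the trade-off of the original change.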
Quote from: InvalidHandle on November 21, 2025, 04:59:41 AM: It sounds like you are missing firewall configuration for the vlan interfaces that you set up and I don't think you need the bridge.
I was under the impression the "Default allow LAN to any rule" would be enough to allow pinging devices in the DMZ from LAN.
If you want to allow traffic between both LAN and vLAN networks I'm not sure what you gain with the vlan unless you really need to split a single port into multiple subnets. Here is the documentation on vlans: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html
Just food for thought, vLANs can be very tricky if you are using IDS/IPS. If you have enough ports on your hardware and aren't trying to segment traffic, create a separate LAN subnet interface for your TrueNAS, skip the vLAN, and set up firewall rules accordingly if you want to isolate the NAS LAN from WAN. That is my two bits.
Quote from: Bubber on November 21, 2025, 10:14:45 AM: If I want to use a reverse proxy down the line (to use subdomains for other hosts), it only forwards port 80 and possibly 443. That means I still need the NAT rule for the other ports, right?
And then I have to explicitly exclude ports 80 and 443 from my NAT rule, right?
Quote from: Bubber on November 21, 2025, 09:03:23 AM: Several services run on the host behind it, some of which need many ports. So creating a separate NAT rule for every single port would be too fiddly for me.