Recent posts

#21

General Discussion / Re: Trouble with VLAN setup on...

Last post by pfry - November 21, 2025, 03:04:54 PM

I was under the impression the "Default allow LAN to any rule" would be enough to allow pinging devices in the DMZ from LAN.[...]

It should be, and blocked packets would be logged, assuming default block logging is enabled. Valid sessions would be visible regardless of logging.

How about "Interfaces: Devices: Bridge" and "Interfaces: Overview"?

#22

25.7, 25.10 Series / Re: SSD get's massively writte...

Last post by senseOPN - November 21, 2025, 03:04:26 PM

What I did is include the netflow storage path in the var/log ram disk by modifying the end of /usr/local/etc/rc.subr.d/var :

Code Select Expand

        echo -n "Setting up /var/log memory disk..."
        mount -t tmpfs -o size=$((MAX_MEM_SYS / 100 * MAX_MFS_VAR)) tmpfs /var/log
        echo "done."

ln -s /var/log/netflow /var/netflow
mkdir -p /var/log/netflow
chown root:wheel /var/log/netflow
chmod 750 /var/log/netflow

fi

# prep boog log
: > /var/log/boot.log

I also did something similar for the unbound.duckdb.

You'll need to re-apply these changes after each opnsense update as they'll be overwritten.

That's a nice idea, great many thanks!

I am wondering why this is not bound to /var/log anyways - so that it lands in RAM if you decide to configure a RAM disk for this.

#23

25.7, 25.10 Series / Re: SSD get's massively writte...

Last post by xavx - November 21, 2025, 02:41:02 PM

What I did is include the netflow storage path in the var/log ram disk by modifying the end of /usr/local/etc/rc.subr.d/var :

Code Select Expand

        echo -n "Setting up /var/log memory disk..."
        mount -t tmpfs -o size=$((MAX_MEM_SYS / 100 * MAX_MFS_VAR)) tmpfs /var/log
        echo "done."

ln -s /var/log/netflow /var/netflow
mkdir -p /var/log/netflow
chown root:wheel /var/log/netflow
chmod 750 /var/log/netflow

fi

# prep boog log
: > /var/log/boot.log

I also did something similar for the unbound.duckdb.

You'll need to re-apply these changes after each opnsense update as they'll be overwritten.

#24

German - Deutsch / Re: Einsteigerfrage zu NAT

Last post by meyergru - November 21, 2025, 12:33:34 PM

Dann ändere den Thread-Titel bitte und hänge [Solved] davor.

#25

General Discussion / Re: Trouble with VLAN setup on...

Last post by User074357 - November 21, 2025, 12:33:14 PM

It sounds like you are missing firewall configuration for the vlan interfaces that you set up and I don't think you need the bridge.
If you want to allow traffic between both LAN and vLAN networks I'm not sure what you gain with the vlan unless you really need to split a single port into multiple subnets.  Here is the documentation on vlans: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Just food for thought, vLANs can be very tricky if you are using IDS/IPS.  If you have enough ports on your hardware and aren't trying to segment traffic, create a separate LAN subnet interface for your TrueNAS, skip the vLAN, and setup firewall rules accordinly if you want to isolate the NAS LAN from WAN.  That is my two bits.

I was under the impression the "Default allow LAN to any rule" would be enough to allow pinging devices in the DMZ from LAN.
My end goal is to have 2 VLANs going to the NAS, one of which will be isolated (DMZ) and one will be added to the LAN bridge. That way I can use the DMZ VLAN for the VMs on TrueNAS while the NAS itself can be inside LAN.

#26

25.7, 25.10 Series / Re: SSD get's massively writte...

Last post by franco - November 21, 2025, 12:30:55 PM

ZFS can be a bit annoying in this regard writing metadata for no apparent reason all the time even when the disk content is not (significantly) changing.

You can tweak the tunable 'vfs.zfs.txg.timeout' to your liking by increasing it at the expense of losing more data during an outage.


Cheers,
Franco

#27

German - Deutsch / Re: Einsteigerfrage zu NAT

Last post by Bubber - November 21, 2025, 12:24:33 PM

Ja, hab ein Alias für die Ports gesetzt (und bei der Gelegenheit gleich mal bisl aufgeräumt). :-)

Und Danke nochmal für die schnelle und wirksame Hilfe! Tolles Forum. Vielleicht liest man sich bei Gelegenheit mal wieder.

Damit ist der Thread für mich gelöst und kann geschlossen werden.

BG
bubber

#28

German - Deutsch / Re: Einsteigerfrage zu NAT

Last post by Patrick M. Hausen - November 21, 2025, 12:12:05 PM

Wenn ich perspektivisch einen Reverse-Proxy nutzen möchte (um Subdomains für andere Hosts zu nutzen) leitet dieser doch nur Port 80 und ggf. 443 weiter. Das heißt doch, dass ich die NAT-Regel trotzdem für die anderen Ports benötige oder?
Und dann muss ich explizit Port 80 und 443 aus meiner NAT-Regel herausnehmen oder?

Ja und ja.

#29

German - Deutsch / Re: Einsteigerfrage zu NAT

Last post by bamf - November 21, 2025, 12:05:16 PM

Auf dem Host dahinter laufen mehrere Dienste die zum Teil viele Ports benötigen. Daher wäre mir das zu fummelig für jeden Port einzeln eine NAT-Regel anzulegen.

Dafür gibt es Aliase. Du bündelst die Ports in einem Alias und legst mit diesem dann eine NAT-Regel an.

[Netsh int tcp set global autotuning=normal]

#30

25.7, 25.10 Series / Re: Slow server download speed...

Last post by xXHelperXx - November 21, 2025, 11:56:09 AM

I have to post here after some digging and blaming the OPS version.

The issue for me, was a configuration in windows on PC (Client).
At first I tried to connect using my phone with the same way and I managed to obtained the full speed.
So tried to test everything in windows environment.

Somehow the issue was relegated to the TCP global option that was disabled.
When run it to default: "Netsh int tcp set global autotuning=normal" The performance back to full speed.

Cheers!