From c3f567f63928d4ce5b99afec0a3486ef49446e52 Mon Sep 17 00:00:00 2001 From: kavren Date: Mon, 22 Dec 2025 15:20:30 -0500 Subject: [PATCH] docs: Document NAT reflection and Traefik gateway fix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Root cause was Traefik using Asus (10.4.2.254) as gateway instead of OPNsense (10.4.2.1) - Enabled NAT reflection in OPNsense for VLAN access via WAN IP - Fixed NFS mount issues with KavNas 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- docs/CHANGELOG.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 43fd3dc..7f80d74 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -2,6 +2,23 @@ > **Purpose**: Historical record of all significant infrastructure changes +## 2025-12-22 + +### NAT Reflection & External Access Fix +- **Root cause**: Traefik (LXC 104) had gateway set to 10.4.2.254 (Asus) instead of 10.4.2.1 (OPNsense) +- **Symptom**: External traffic and VLAN traffic to Traefik via WAN IP failed (asymmetric routing) +- **Fix**: Changed Traefik gateway to 10.4.2.1 in both runtime and `/etc/pve/lxc/104.conf` + +### OPNsense NAT Configuration +- Enabled NAT reflection (Pure NAT mode) in Firewall → Settings → Advanced +- Enabled automatic outbound NAT for reflection +- Port forwards for HTTPS (443) → Traefik (10.4.2.10) now work from all VLANs and external + +### NFS Storage Issues +- KavNas has two NICs with different IPs; primary is 10.4.2.13 +- Fixed stale NFS mounts on pm2 and pm4 by updating `/etc/pve/storage.cfg` to correct IP +- Pi-hole (LXC 103) and other containers recovered after NFS fix + ## 2025-12-21 ### Traefik Updates
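Review bot: The "OPNsense NAT Configuration" bullets record that the 443 port forward to Traefik (10.4.2.10) now works "from all VLANs and external", but not what limits that reach. Add a line naming the firewall rules (or their absence) that decide which VLANs may reach 10.4.2.10 through the WAN IP. Since "automatic outbound NAT for reflection" is enabled, it is also worth stating whether reflected connections still show the real client address to Traefik, because that affects any IP allow-lists and access logs there. In "NFS Storage Issues", the bullet "updating `/etc/pve/storage.cfg` to correct IP" should name both the stale address and the one now configured; the entry says KavNas has two NICs and gives only 10.4.2.13, so a later reader cannot tell which address pm2 and pm4 were pointing at. Under "NAT Reflection & External Access Fix", consider noting whether any other guest on the segment still uses 10.4.2.254 as its gateway, since the same asymmetric routing symptom would apply to it.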