proxmox-infra/docs/TASKS.md

Current Tasks

Last Updated: 2025-12-21

In Progress

OPNsense NAT Configuration (URGENT)

Config was corrupted during editing. Restored to backup. Need to re-add:

Via OPNsense UI (https://10.4.2.1):

1. Port Forwards (Firewall → NAT → Port Forward):

   • TCP 80 → 10.4.2.10:80 (Traefik HTTP)
   • TCP 443 → 10.4.2.10:443 (Traefik HTTPS)
   • TCP/UDP game ports → 10.4.2.26 (AMP server)

2. NAT Reflection (Firewall → Settings → Advanced):

   • Reflection for port forwards: Enable (NAT + proxy)

3. Disable Rebind Check (System → Settings → Administration):

   • Uncheck "HTTP Referer enforcement"

4. WireGuard should still work (built into OPNsense 25.7)

Pending

Remaining Network Tasks

• Disable DHCP on Asus router and switch LAN to OPNsense DHCP
• Test firewall isolation (IoT device cannot ping LAN device)
• Test LAN access to IoT (Home Assistant, Frigate can reach IoT devices)
• Migrate devices from Asus APs to UniFi APs (to retire Asus routers)

Future Network Upgrades

• Order hardware (2× GiGaPlus 10G PoE, 2× U7 Pro) for 10G backhaul
• Consider managed 2.5G PoE switches for proper VLAN support
• Consider OPNsense HA (CARP) with second USB NIC on another node

Media Organization

• Verify Jellyfin can see all imported media
• Clean up .processing-loose-episodes folder
• Review and potentially restore TV shows from processing folder

Configuration

• Consider custom format to prefer English audio releases
• Review Sonarr language profiles for non-English releases

Infrastructure

• Define backup strategy and schedule
• Set up monitoring/alerting system
• Document disaster recovery procedures

Completed (Recent)

• OPNsense WAN cutover to AT&T modem (192.168.1.x)
• VLAN isolation working (Trusted, IoT, Guest)
• pm4 vmbr0 VLAN-aware with persistent bridge vlan config
• Pi-hole accepting DNS from all subnets (listeningMode=ALL)
• Pi-hole gateway set to OPNsense for return routing
• UniFi SSIDs configured with VLAN tags
• Configured OPNsense VLANs (10, 20, 30) on vtnet0
• Configured VLAN interfaces with IPs (10.4.10.1, 10.4.20.1, 10.4.30.1)
• Configured DHCP on all VLAN interfaces
• Implemented firewall rules for IoT/Guest isolation
• Added Traefik routes for UniFi Controller and OPNsense
• Resized Traefik LXC 104 rootfs from 2GB to 4GB
• Configured pm4 vmbr1 bridge with USB 2.5G NIC for OPNsense WAN
• Added net1 (vmbr1) to OPNsense VM 130
• Deployed UniFi Controller LXC 111 on pm4
• Fixed SSH access between cluster nodes (pm2 can access all nodes)
• Fixed NZBGet permissions (UMask=0000 for 777 files)
• Fixed Sonarr permissions (chmod 777 on imports)
• Fixed Jellyfin LXC mounts (restarted LXC)
• Fixed Jellyseerr IP in Traefik config
• Consolidated documentation structure
• Created documentation index

Blocked

None currently.