pfSense is the default gateway for the MOOD MNKY DATA LAN and for inter-site VLANs trunked over vtnet6. It is also the NetBird subnet-routing peer that advertises on-prem RFC1918 prefixes to remote NetBird clients.

Placement

Item            Value
Hypervisor      MNKY-HQ (standalone Proxmox)
VMID            1000
DATA address    10.0.0.1/24 on vtnet1

vNIC mapping (conceptual):
  • net0 → HQ management / WAN path (101.x uplink)
  • net1 → DATA 10.0.0.0/24
  • net2–net5 → per-site bridges
  • net6 → trunk to remote Proxmox sites (VLANs 10/20/30/40 → site segments)

Interfaces (snapshot)

Interface    Role               IPv4 (typical)
vtnet0       WAN                ISP / public
vtnet1       DATA               10.0.0.1/24
vtnet6       Trunk parent
vtnet6.10    MOOD               10.1.0.1/24
vtnet6.20    SAGE               10.2.0.1/24
vtnet6.30    CODE               10.3.0.1/24
vtnet6.40    CASA               10.4.0.1/24
wt0          NetBird overlay    Address in 100.64.0.0/10

Routing highlights

  • Default route via WAN.
  • Connected routes for DATA and each site VLAN.
  • Static route 10.0.13.0/24 → 10.0.0.10 (DATA segment / internal network).
  • 100.64.0.0/10 toward wt0 (overlay return path).

Themes observed on the live firewall:
  • Outbound NAT: UDP from 100.64.0.0/10 → WAN with static port (helps STUN / WireGuard behavior).
  • Outbound NAT: UDP from 10.0.0.20 (NetBird LXC) → WAN static port.
  • Port forwards: WAN UDP 3478 and 51820 → 10.0.0.20 (STUN / WireGuard to Docker host).
  • HTTP(S): WAN 80/443 → reverse proxy tier (10.0.0.25) for netbird.moodmnky.com and other services.
  • Hairpin / reflection NAT on DATA for internal clients hitting public VIPs for internal services.

After WAN IP, multi-WAN, or NAT changes, re-test NetBird client connectivity from inside and outside the LAN.

NetBird client on pfSense

Topic                                  Detail
Packages (post-upgrade, 2026-03-25)    netbird 0.67.0, pfSense-pkg-NetBird 0.2.2 (upstream releases)
Install note                           May require IGNORE_OSVERSION=yes pkg add -f … when package OS version lags pfSense’s FreeBSD
Overlay                                Interface wt0, MTU often 1280
Dashboard                              Subnet routes for 10.0.0.0/24, 10.0.13.0/24, and 10.110.4 attached to this peer — NetBird platform

DNS and management URL

Ensure netbird.moodmnky.com (the apex name used by the management URL) resolves to Traefik (10.0.0.25) on pfSense. Overriding only stun.netbird.moodmnky.com is not enough: Unbound will still resolve the apex via upstream DNS to your WAN IP, and the NetBird client will show Management/Signal disconnected with errors like dial tcp <WAN>:443: connection refused. Use Services → DNS Resolver → Host Override: host netbird, domain moodmnky.com, IP 10.0.0.25. Optional /etc/hosts line: 10.0.0.25 netbird.moodmnky.com (FQDN only — do not add a second netbird short name if it already maps to 10.0.0.20 for netbird.mnkylab.moodmnky.com). See Alignment & validation for the full checklist.
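A post-change check for the host override above, added here as an example and not part of the MOOD MNKY docs: it asks the pfSense resolver for the NetBird names and fails if any A record is not the Traefik address, which is exactly the "apex still resolved upstream to the WAN IP" condition described. It assumes drill (ldns) is present on pfSense and that Unbound listens on 127.0.0.1; the demo function uses a constructed answer section, not real output.

```shell
#!/bin/sh
# Verify that the NetBird names resolve to the reverse proxy (10.0.0.25) through
# the pfSense resolver rather than upstream to the WAN IP. Added example; assumes
# drill is installed and Unbound answers on $RESOLVER.

RESOLVER="${RESOLVER:-127.0.0.1}"   # Unbound listener on pfSense
PROXY_IP="10.0.0.25"                 # Traefik tier from the host override

# Print the A-record targets for <name> found in drill output read on stdin.
a_records_of() {
  awk -v name="$1." '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^;;/                 { in_ans = 0 }
    in_ans && $1 == name && $4 == "A" { print $5 }'
}

# verify_answers <name> <expected-ip>: reads drill output on stdin and returns 0
# only when at least one A record exists and every one equals <expected-ip>.
verify_answers() {
  name="$1"; expected="$2"
  answers="$(a_records_of "$name")"
  if [ -z "$answers" ]; then
    echo "FAIL $name: no A record in answer"; return 1
  fi
  for ip in $answers; do
    if [ "$ip" != "$expected" ]; then
      echo "FAIL $name -> $ip (expected $expected; apex likely resolved upstream to WAN)"
      return 1
    fi
  done
  echo "OK   $name -> $expected"
}

# Live query against the resolver.
check_live() { drill @"$RESOLVER" "$1" A 2>/dev/null | verify_answers "$1" "$2"; }

# Offline demonstration with a constructed (not captured) drill answer section
# showing the misconfiguration: the apex answered with a WAN-style public IP.
demo_wan_leak() {
  printf '%s\n' ';; ANSWER SECTION:' \
    'netbird.moodmnky.com. 300 IN A 203.0.113.7' ';; AUTHORITY SECTION:' \
    | verify_answers netbird.moodmnky.com "$PROXY_IP"
}

# Live checks run only when invoked as: sh check-netbird-dns.sh run
if [ "${1:-}" = "run" ]; then
  rc=0
  for n in netbird.moodmnky.com stun.netbird.moodmnky.com; do
    check_live "$n" "$PROXY_IP" || rc=1
  done
  exit $rc
fi
```

Run it from inside the DATA LAN and again from a remote NetBird client (with RESOLVER pointed at the address that client actually uses) after any WAN or DNS change.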

Resolver hygiene

Only one unbound instance should listen on *:53. A duplicate listener on 127.0.0.1:53 from a second config has caused confusion; fix in Services → DNS Resolver if it recurs after upgrades.

NETBIRD interface (assigned)

wt0 is configured as a named NETBIRD interface in config.xml (enabled) so rules can target overlay traffic explicitly. During NetBird policy changes, enable Log on selected NETBIRD → LAN/VLAN rules to trace drops.
  • UDP / QUIC buffers: If NetBird logs "failed to increase receive buffer size", set kern.ipc.maxsockbuf to 8441037 (BSD, ~7.5 MiB per quic-go UDP buffer sizes). On pfSense use System → Advanced → System Tunables so it survives reboots (same OID/value as the live firewall).

SSH over NetBird

Newer NetBird builds may show SSH Server: Disabled in netbird status. Re-enable in policy if you rely on NetBird’s integrated SSH feature.

Firewall checklist

  • Align <vpn_networks> (or equivalent aliases) with 100.64.0.0/10.
  • Allow NetBird overlay → internal VLANs only as needed; keep anti-spoof rules consistent.
  • Prefer tighter than 10.0.0.0/8 where possible.