u/FernandesTiago

ProtonVPN + Gluetun: port forwarded but externally closed (confirmed multiple servers/countries)

Hi all, hitting a port forwarding wall and need a sanity check.

Setup

  • Raspberry Pi 5, Docker Compose: Gluetun + qBittorrent
  • ProtonVPN Plus, WireGuard
  • Gluetun v3.40.0 (pinned to avoid 56789 placeholder bug in latest)
  • qBittorrent connected via network_mode: "service:gluetun"
  • Tested with both Netherlands (NL#614) and Switzerland configs, P2P selected, NAT-PMP ON, Moderate NAT OFF, VPN Accelerator ON
  • IPv4 only (WIREGUARD_ADDRESSES=10.2.0.2/32)
  • WIREGUARD_MTU=1412 (PPPoE IPv4)

Symptom

Gluetun successfully negotiates a forwarded port:

[port forwarding] port forwarded is (E.g.) 62884
[firewall] setting allowed input port 62884 through interface tun0

qBittorrent listen port stays in sync with the forwarded one (auto-sync via VPN_PORT_FORWARDING_UP_COMMAND, works fine — confirmed Session\Port=62884).

But: testing the forwarded port externally on canyouseeme.org, yougetsignal.com, and portchecker.io (all run from inside the gluetun-routed qBittorrent container, so request goes through Proton) — all return PORT CLOSED.

Tested multiple times on both NL and CH servers. Same result: Gluetun reports success, qBittorrent has the right port, firewall rule is in place, but the port is unreachable from the outside.

Also: DHT reports 0 nodes in qBittorrent regardless of VPN provider (tested with Mullvad too, same).

What I've checked

  • ✅ Port reported by Gluetun matches firewall rule (no 56789 bug on v3.40.0)
  • ✅ qBittorrent listen port matches Gluetun's forwarded port
  • ✅ Container is healthy, port forwarding logs clean
  • ✅ Outbound from container works fine (HTTPS, DNS, all good)
  • ✅ Moderate NAT confirmed OFF in Proton dashboard
  • ✅ No IPv6 in WIREGUARD_ADDRESSES
  • ✅ Trackers can't reach me — peers timeout

Without VPN, qBittorrent connects to trackers and peers immediately. With Proton, port is reported open but actually closed externally.

docker-compose.yml

```yaml
services:
  gluetun:
    image: qmcgaw/gluetun:v3.40.0
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8080:8080
      - 6881:6881
      - 6881:6881/udp
    volumes:
      - ./gluetun:/gluetun
      - ./gluetun:/tmp/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=<REDACTED>
      - WIREGUARD_ADDRESSES=10.2.0.2/32
      - WIREGUARD_MTU=1412
      - SERVER_COUNTRIES=Switzerland
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=protonvpn
      - VPN_PORT_FORWARDING_UP_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORTS}}}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
      - PORT_FORWARD_ONLY=on
      - TZ=America/Sao_Paulo
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    network_mode: "service:gluetun"
    environment:
      - PUID=1000
      - PGID=1000
      - WEBUI_PORT=8080
    volumes:
      - ./qbittorrent-public:/config
      - /mnt/media:/data
    depends_on:
      gluetun:
        condition: service_healthy
    restart: unless-stopped
```

Question

Is this a known Proton quirk? Has anyone gotten Proton port forwarding to be actually reachable externally on Gluetun lately, or is everyone seeing this "reported but closed" behavior? Worth opening a Proton support ticket, or is the issue on Gluetun's side?

reddit.com
u/FernandesTiago — 11 hours ago
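The post's checks compare configuration values by hand (Gluetun log vs. firewall rule vs. `Session\Port`). The script below is an added example, not code from the post or from the Gluetun or qBittorrent projects: it automates those same comparisons and adds the one check the post does not make, a socket-level connect to the forwarded port from inside the shared network namespace, to separate "config agrees" from "something is actually accepting connections". The log and config excerpts are constructed samples in the post's format; the regexes match the two Gluetun log lines the post quotes and the `Session\Port=` key, and the rest (function names, verdict strings) are this example's own.

```python
"""Local-side checks for a Gluetun + qBittorrent port-forwarding chain.

Added example; not part of the original post or of Gluetun/qBittorrent.
Run it inside the qBittorrent container (network_mode: "service:gluetun")
so that the TCP probe sees the same namespace qBittorrent listens in.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample Gluetun log lines, in the format the post quotes.
SAMPLE_GLUETUN_LOG = """\
INFO [port forwarding] port forwarded is 62884
INFO [firewall] setting allowed input port 62884 through interface tun0
"""

# Constructed excerpt of qBittorrent.conf after the UP_COMMAND has run.
SAMPLE_QBT_CONF = """\
[BitTorrent]
Session\\Port=62884
"""

FORWARDED_RE = re.compile(r"\[port forwarding\] port forwarded is (\d+)")
FIREWALL_RE = re.compile(
    r"\[firewall\] setting allowed input port (\d+) through interface (\S+)")
QBT_PORT_RE = re.compile(r"^Session\\Port=(\d+)$", re.MULTILINE)


def forwarded_port(log: str) -> Optional[int]:
    """Last port Gluetun reported as forwarded, or None if never logged."""
    hits = FORWARDED_RE.findall(log)
    return int(hits[-1]) if hits else None


def firewall_port(log: str) -> Optional[Tuple[int, str]]:
    """Last (port, interface) Gluetun opened in its own input firewall."""
    hits = FIREWALL_RE.findall(log)
    return (int(hits[-1][0]), hits[-1][1]) if hits else None


def qbt_listen_port(conf: str) -> Optional[int]:
    """Listen port persisted in qBittorrent.conf (what the UP_COMMAND set)."""
    m = QBT_PORT_RE.search(conf)
    return int(m.group(1)) if m else None


def local_listener_open(port: int, host: str = "127.0.0.1",
                        timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port completes, i.e. a socket is bound
    and listening there. A refused or timed-out connect returns False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Diagnosis:
    forwarded: Optional[int]
    firewall: Optional[int]
    qbt: Optional[int]
    listening: bool

    def verdict(self) -> str:
        """Point at the first link in the chain that is broken."""
        if self.forwarded is None:
            return "no forwarded port logged: NAT-PMP negotiation with the provider failed"
        if self.firewall != self.forwarded:
            return "Gluetun firewall rule does not match the forwarded port"
        if self.qbt != self.forwarded:
            return "qBittorrent listen port out of sync: check VPN_PORT_FORWARDING_UP_COMMAND"
        if not self.listening:
            return "config agrees but nothing accepts connections on the port locally"
        return "local chain consistent and listening; an external CLOSED result is upstream of this host"


def diagnose(log: str, conf: str, probe_host: str = "127.0.0.1") -> Diagnosis:
    fwd = forwarded_port(log)
    fw = firewall_port(log)
    listening = local_listener_open(fwd, probe_host) if fwd is not None else False
    return Diagnosis(fwd, fw[0] if fw else None, qbt_listen_port(conf), listening)


if __name__ == "__main__":
    # Against the samples: ports agree, so the verdict depends only on
    # whether something is really listening on 62884 on this host.
    d = diagnose(SAMPLE_GLUETUN_LOG, SAMPLE_QBT_CONF)
    print(d)
    print(d.verdict())
```

In the container, feed it `docker logs gluetun` output and `/config/qBittorrent/qBittorrent.conf`; the final verdict is the useful one here: if the local chain is consistent and a connect to the port succeeds, the "PORT CLOSED" seen from the outside is being dropped before it reaches the host, which narrows the question to the provider side rather than the compose file.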

Hey everyone, I'm planning my home network setup for an upcoming renovation and would love to hear from people actually running this kind of stuff.

This is a home project — I'm a CS student getting into networking and security, and the renovation gives me a chance to do proper cabling + a small rack. Since I'll only get one shot at this (walls closed = $$$ to reopen), I want to hear real experiences before buying anything.

Planned setup:

  • MikroTik as the core router/firewall (probably RB5009 or hEX)
  • UniFi switch with PoE (leaning toward USW-Pro-24-PoE)
  • 3-4 UniFi APs (mix of U6-Pro and U6-Lite depending on coverage testing)
  • 1-2 Raspberry Pi 5 in the rack running Pi-hole, Grafana, Prometheus, UniFi Controller, maybe Suricata later
  • VLANs separating Family / IoT / Lab / Guest
  • Cat6A cabling pulled to every ceiling AP point + key rooms

The house: 2 floors, ~450m². Upper floor is open, lower floor has thick concrete walls + a zigzag layout that probably kills 5GHz signal.

My questions for people who actually run similar setups:

  1. MikroTik + UniFi combo - worth the complexity vs just going full UniFi (UDM Pro)? Is RouterOS as painful to learn as people say?
  2. Firmware updates on MikroTik - how often do they break things? Backup strategies that saved your ass?
  3. UniFi Controller on a Pi - stable long-term? Any gotchas running it 24/7 alongside Pi-hole + other services?
  4. OPNsense/pfSense on mini-PC - would you pick that over MikroTik today if starting fresh? Learning curve comparison?
  5. AP count for a house like mine - am I overestimating? Underestimating?
  6. Anything you regret buying or wish you'd done differently?

Not looking for "just buy X" answers - I want the honest "I've been running this for 2 years and here's what actually happens" type of feedback.

Budget is flexible but not unlimited. I'd rather start smaller and expand than over-buy upfront.

Thanks in advance.

TL;DR: Planning a home network for a renovation: MikroTik router + UniFi switch/APs + Pis for Pi-hole/Grafana. Want real experience - MikroTik vs full UniFi vs OPNsense, update horror stories, AP count, regrets.

reddit.com
u/FernandesTiago — 20 days ago