Temporary postpone upgrading OpenZFS to 2.2.0 – 2.2.1 when upgrading to Proxmox 8.1

Add the following pinning rule for APT to pin proxmox to the 2.1.x branch of OpenZFS.

cat << EOF > /etc/apt/preferences.d/zfs
# Hold back on upgrading to OpenZFS 2.2.* due to a bug currently being investigated in 2.1.4*, 2.2.1* – 2023-11-25
Package: zfs-initramfs zfs-zed zfsutils-linux libzfs4linux libzpool5linux
Pin: version 2.1.13*
Pin-Priority: 900

Remember to remove the rule when Proxmox confirms the issues reported (and suspected) plaguing OpenZFS releases 2.2.0 – 2.2.1 are confirmed resolved.

Edit 2023-12-01: A fix has been released. https://www.phoronix.com/news/OpenZFS-2.2.2-Released

Install ifupdown2 on Debian

Install ifupdown2 from proxmox no-subscription repository for Debian 64bit

apt install --yes lsb-release wget curl

wget https://enterprise.proxmox.com/debian/proxmox-release-$(lsb_release -sc).gpg --output-document=/etc/apt/trusted.gpg.d/proxmox-release-$(lsb_release -sc).gpg

echo "deb [arch=amd64 signedby=/etc/apt/trusted.gpg.d/proxmox-release-$(lsb_release -sc).gpg] http://download.proxmox.com/debian/pve $(lsb_release -sc) pve-no-subscription" > /etc/apt/sources.list.d/pve.list

echo "Package: *\nPin: origin \"download.proxmox.com\"\nPin-Priority: 50\n\nPackage: ifupdown2\nPin: origin \"download.proxmox.com\"\nPin-Priority: 500" > /etc/apt/preferences.d/pve

apt update

apt list --upgradeable

apt install --yes ethtool bridge-utils python3-mako ifupdown2

How-to VPN: Private Internet Access (PIA) and MikroTik Router

⚠ Information in this post is outdated since the launch of PIA’s ‘Next-Gen’ VPN network in 2020, sunsetting the then-existing set-up

First create a vpn profile to use when creating l2tp/pptp connections
to privateinternetaccess.

/ppp profile add change-tcp-mss=yes \
comment="PIA VPN" \
dns-server=, \
name=privateinternetaccess only-one=no \
use-compression=no use-encryption=required \
use-ipv6=no use-mpls=no use-upnp=no

Create the l2tp interface

/interface l2tp-client add \
comment="PIA VPN Netherlands" \
connect-to=nl.privateinternetaccess.com \
disabled=no name=pia-de-l2tp \
profile=privateinternetaccess \
user=[l2tp-username] \
  • [l2tp-username] Your PIA username for l2tp/pptp/socks connections beginning with ‘x’ (not ‘p’!)
  • [l2tp-password] Your PIA password for l2tp/pptp/socks connections

Create a firewall mangle rule to mark IPv4 traffic we want to
go through the VPN.

/ip firewall mangle add \
action=mark-routing \
chain=prerouting \
comment="PIA VPN Netherlands" \
new-routing-mark="PPTP RM" \
passthrough=yes \
    • <li


    Fx. or

Create the NAT rule and tell it to use the VPN interface.

/ip firewall nat add \
action=masquerade chain=srcnat \
comment="PIA VPN Netherlands" \

Create a corresponding default route to match the previous NAT
rule. Which only get used when IPv4 traffic has been marked with

/ip route add \
comment="PIA VPN Netherlands" \
disabled=yes distance=1 \
gateway=pia-de-l2tp routing-mark="PPTP RM"

Now you should see traffic from clients in the IPv4 range
of [ip-range-to-forward-through-vpn] go through the VPN.

NB: If you want to use another country apart from Netherlands. Check out Private Internet Access list of locations here: PIA VPN Tunnel Network