Access to the guest OS on a VM from the LAN

Platform: TRUENAS-MINI-3.0-X+
Version: Dragonfish-24.04.2
Please bear with me, I am new to TrueNAS

Hi.
I have created a VM that hosts Windows 10 and installed an email server on that Windows.
Access from Windows to the outside (LAN, Internet) works fine.
However, I need to access the Windows applications from the outside.

The IP that the guest OS (Windows) in the VM sees as its own is not accessible from outside the NAS, not even a ping gets through.
In the current state I have 2 NICs, the second being assigned to the VM. The IP visible from the outside is 192.168.0.11 (the VM), the guest OS Windows itself gets 192.168.0.10. These addresses are obtained through DHCP.
I have made sure that the email server on Windows is effectively listening on the expected ports (using netstat -a) and I tried to access these ports from another computer on the LAN, trying the VM’s IP and the IP that Windows sees - without success.

What do I need to do to make Windows applications on the VM accessible from outside the NAS?

Something like port forwarding from the VM to the guest OS (Windows)?
Can that be done?

Thanks for any help.

Nothing? Nobody has experienced this?
Nobody installed some server type software on a Windows VM that needed access from the LAN or the internet?

Assign the NAS IP to the first NIC. Assign no IP to the second (in TrueNAS). Create a bridge interface with the second NIC as a member. Again no IP address on that bridge interface. Connect the Windows VM to that bridge.

Should work.

Thanks but this did not work at all.
Removed IP from NIC2, created the bridge with member NIC2 and no IP, rebooted the VM and had no more internet access on the VM.
Tried to add a static IP on NIC2 (as recommended in many articles) and that got me Internet back on the VM but now the whole system is unstable.
I get very frequently disconnected from TrueNAS and I find myself unable to either remove NIC2 from the bridge (I lose access to TrueNAS) or even remove the bridge.
It’s a big mess now.

Did you change the VM connection to the bridge interface? The VM guest OS should get its own IP address and everything else from the DHCP server in your LAN.

There is no reason why TN should have an IP address on that second NIC. More so, having an IP address on two NICs in the same network will lead to exactly the problems you observe.

The NIC2 should serve as strictly a layer 2 connection with a bridge on top of it into which VMs can plug.

In TN CORE you need to set a manual option to NIC2, namely “up” for the interface to be brought up by the OS even without an IP address assigned. I do not know if anything like this is also required in SCALE/Linux.

Can someone with better SCALE knowledge step in, please?

Yes, I set the VM connection to the bridge interface.
“More so having an IP address on two NICs in the same network will lead to exactly the problems you observe.” << Not sure what you mean by that. Having the two NICs on the same network was untenable as I was unable to assign IP addresses (as per the other articles), so I put the second NIC on a different network (LAN). The first NIC is on the DMZ.
On top of the instability I was also unable to access the app NextCloud (set to use the IP of NIC1) that also runs on the NAS.
I finally managed to change the configuration back to something stable by, in one step, removing NIC2 from the bridge and activating DHCP on the bridge (TrueNAS did not let me remove the IP).
How could some manipulations on NIC2 and a bridge related only to NIC2, mess up connections via NIC1 too?
Why would I need a bridge in the first place when I have 2 NICs? Is this really necessary to allow incoming connections to the guest OS on the VM? Installing an app like Nextcloud was way easier. Isn’t there some configuration like the one that is done automatically for the app that needs to/can be done manually for the VM?

Note that the mess with your suggested configuration was such that I completely lost access to the NAS via NIC1 when I disconnected the cable from NIC2. How is that even possible?

Each VM comes with its own virtual NIC managed entirely by the guest OS. You need to bridge (“virtual switch”) all the VM NICs and one physical NIC to connect the VMs to “the wire”.

That I know for sure even if I am more familiar with CORE than with SCALE.

You might want to search the forum for “SCALE” and “bridge” etc. Possibly my procedure was wrong.

OTOH I assumed both NICs were connected to the same network. If they are not, whether you assign an IP address on TrueNAS to that particular bridge or not depends on whether TrueNAS as a host is supposed to be connected to that network. Frequently it is not.

About how the bridge on NIC2 could mess up the connections on NIC1 … again, a big apology. On CORE I would immediately know where to dig. The TN middleware automagically creates bridges if you assign VMs to interfaces. That might mess with anything you configure manually unless you make sure that all bridges are pre-configured and you only ever assign VMs to bridges, never plain interfaces. On SCALE I am at a loss now but with about 35 years of network engineering in my book, my gut says “something something bridge”.

Please search for other threads or wait for someone else to step in.

“I assumed both NICs were connected to the same network. If they are not, whether you assign an IP address on TrueNAS to that particular bridge or not depends on whether TrueNAS as a host is supposed to be connected to that network. Frequently it is not.” << Not sure I understand what you mean. How would I know if TrueNAS is “supposed” (you mean “allowed”, right?) to connect to a network?

I would agree that TrueNAS likely automatically creates some bridge for VMs as the guest OS is able to connect to the internet. But why do incoming connections to the guest OS not work? Again, is there anything we can learn from the way Apps are automatically configured?

Here at home I have a trusted network - VLAN 1 - with most of the devices, laptops, iPads, phones, … and the TrueNAS admin interface and all the file sharing.

I then have another network with services that I run in jails on my TrueNAS host - but just substitute “jails” with “VMs” for the sake of the argument. This is VLAN 2 - across my switch infrastructure and on my OPNsense firewall. These jails/VMs are accessible over the public Internet via a reverse proxy on my firewall.

Now the TrueNAS UI and the file sharing etc. does not need any connection to VLAN 2. Seriously it should not have one. So VLAN 2 on my TrueNAS is just a layer 2 interface without an IP address. On top of that VLAN there is “bridge2” also without an IP address.

And then there are N jails (read “VMs” in your case) that are connected to that bridge so they are able to talk across that switch to the OPNsense firewall and out to the Internet.

By “supposed to” I mean “do you as you are designing network separation need the NAS itself to offer any services in that particular network or is it just for the VMs”?

Depending on the answer you assign an IP address or you don’t.

HTH,
Patrick
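The layer-2-only bridge design from the two replies above (bridge member NIC without an IP, bridge without an IP unless the host itself belongs to that network, both interfaces up) can be verified on a SCALE host from the JSON that `ip -j addr show` prints. The script below is an added example, not code from the thread or from TrueNAS; the interface names `enp1s0`, `enp2s0` and `br0` and both JSON samples are constructed to mirror the working and the broken states described in the thread.

```python
import json
import subprocess
import sys

# Constructed sample of `ip -j addr show` output (not captured from the OP's NAS):
# NIC1 carries the host IP, NIC2 is a member of br0 and carries no address.
GOOD = json.dumps([
    {"ifname": "enp1s0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "192.168.1.5", "prefixlen": 24}]},
    {"ifname": "enp2s0", "master": "br0",
     "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"], "addr_info": []},
    {"ifname": "br0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": []},
])
# Constructed sample of the unstable state: NIC2 got a static IP and left the
# bridge, and the bridge itself was never brought up.
BAD = json.dumps([
    {"ifname": "enp1s0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "192.168.1.5", "prefixlen": 24}]},
    {"ifname": "enp2s0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "192.168.1.6", "prefixlen": 24}]},
    {"ifname": "br0", "flags": ["BROADCAST", "MULTICAST"], "addr_info": []},
])


def inet_addrs(link):
    """IPv4 addresses configured on one interface record."""
    return [a["local"] for a in link.get("addr_info", []) if a["family"] == "inet"]


def check_vm_bridge(ip_json, bridge, member, host_on_network=False):
    """Return a list of problems with a layer-2-only VM bridge; empty means OK."""
    links = {link["ifname"]: link for link in json.loads(ip_json)}
    problems = []
    for name in (bridge, member):
        if name not in links:
            return [f"{name}: interface not found"]
        if "UP" not in links[name].get("flags", []):  # SCALE must bring it up even without an IP
            problems.append(f"{name}: interface is not UP")
    if links[member].get("master") != bridge:
        problems.append(f"{member}: not a member of {bridge}")
    if inet_addrs(links[member]):
        problems.append(f"{member}: bridge member must carry no IP, has {inet_addrs(links[member])}")
    if not host_on_network and inet_addrs(links[bridge]):
        problems.append(f"{bridge}: host is not meant to be on this network, has {inet_addrs(links[bridge])}")
    return problems


if __name__ == "__main__":
    # Usage: python3 check_bridge.py br0 enp2s0   (reads the live `ip -j addr show`)
    live = subprocess.check_output(["ip", "-j", "addr", "show"], text=True)
    print("\n".join(check_vm_bridge(live, sys.argv[1], sys.argv[2])) or "bridge looks OK")
```

Pass `host_on_network=True` only when the NAS itself is meant to offer services (SMB, the UI) on that network, which is the "supposed to" question Patrick raises above.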

The NAS should offer SMB shares to the LAN and the Apps and VMs should offer services accessible from the LAN and the internet (Nextcloud and email server).
So far I have both the NAS and the Nextcloud app on the DMZ. The “physical” separation of LAN and DMZ is done on my switch with 802.1Q VLANs. The access rights are managed on my OPNsense firewall. Right now I do not care about the separation, I just need to get the incoming connections to the guest OS on the VM to work.

Give us a network diagram of what you have up and working.


This is not about my network setup. There is no issue on my network.
But there is the issue of getting incoming connections to the guest OS on the VM to work.
The NAS (both NICs) is connected to a switch where LAN and DMZ are separated. The switch is connected to an OPNsense firewall. OPNsense has a DHCP server for both LAN and DMZ…

And to connect VMs to your network you need a bridge interface on TrueNAS. I just might have got the details wrong because you are using SCALE.

I asked for a network diagram so I could try to understand how it was set up currently.
I am not following your descriptions.