My network is divided in multiple zones. Each zone having its VLAN.
Data and DB in the GreenZone
Internet facing in the RedZone
etc
My TrueNas system is connected to multiple zones via a trunk carrying multiple VLAN’s.
If an application VM, app or the TrueNas core itself, is connected / related to a certain security zone, responses towards the application arriving via a certain vlan >>should<< be answered via the same vlan.
And there it goes terribly wrong.
the TrueNAS core can not handle that
and I think apps can not handle that as well
luckily VM’s do route traffic the way it should !!
The problem is that truenas does route every thing back via the same routing table / the default gateway … (not ok at all IMHO)
I sincerely hope that I am wrong at least in relation to apps.
Lets give an example:
the TrueNAS core / base system is using VLAN-A and address range 192.168.A.<1-255>
I tie an app to security zone ‘X’ using VLAN-X having range 192.168.X.<1-155>
(assign the app to e.g. 192.168.X.2)
a query arrives via VLAN-X towards ‘the app’
the app is responding and the answer is send via the TrueNas default gateway 192.168.A.1 where it should have be send to 192.168.X.1 !!
the gui of the App is also responding via 192.168.A.1
This is absolutely not ok! It is bocked in my network! It is assymetric routing and insecure.
So again I sincerely hope I am wrong, but this issue alone is enough reason for me not to use apps.
What happens if you create two VLAN interfaces on TN, one for each zone, and bound each app to the corresponding IP.
Is the reply still via default gateway?
Routing is exactly how any Unix system with a single IP stack would do it. Or Cisco IOS - or whatever. The expectation that reply packets leave through the interface at which the requests arrive is just plain wrong.
Unless you explicitly implement policy routing.
I have my entire TN CE in a separate VLAN and only run apps on it.
Yep that is a solution, using a separate machine for each vlan / security zone.
What does not take away that it is ridiculous to have multiple physical machines for that! Perhaps not a problem for a company having many servers, but for private or small environments …
I really need a proper solution, I just do not accept this historical insecure mistake.
(which should have been fixed long ago!)
I am sometimes thinking in the direction of XCP-ng perhaps even running a couple of true-nas images.
Most people dont know how Apps (Docker) networking really work and that includes you from your understanding.
Once again:
Docker uses NAT networking so UNLESS you do create/define a macvlan or ipvlan for the Docker container, and a shim-interface in TN, there WON’T be communication between the Docker host and the Docker app!!!
Bottom line:
It works if you are willing to learn and test.
I challenge you to go to another Docker solution and get your setup to work the same way you tried in TN.
