Hi, I’ve got a problem accessing an app running on a VM from an outside network. When I access the app locally using its IP, it works fine. Trying to access it using a domain name and Nginx Proxy Manager as reverse proxy ends up with a 502 error page. Apps installed directly on TrueNAS are working perfectly fine with this setup.
I wasn’t able to ping between the VM and TrueNAS, so I made a bridge and assigned it to the VM NIC. Ping now works. I was sure that was going to fix the problem, but I still can’t access my app using the domain name.
The problem also appears when using VPN (WireGuard). I’m able to access the TrueNAS panel, apps, etc., but I can’t connect to the VM via SSH using its IP. The only way to access the VM is through the TrueNAS panel using SPICE.
Hi, I have the same issue. I run a VM on TrueNAS SCALE. The VM got its own IP from my router, different from the TrueNAS machine. From a local PC I can SSH to the VM and I can access a webserver on the VM with the local IP given by the router. But if I configure an nginx (running on TrueNAS) to point to the VM, it’s not working (while it’s working from the TrueNAS nginx to other local machines, just not the VM).
I also tried to open a tunnel between the VM and an external VPS; it’s also not working.
Did you solve this issue on your side?
1) Regarding the connection between host and VM
There is a simple solution: create a second bridge interface for “Host-only networking”.
For example:
Interface name: br1
DHCP: off
Bridge Members: Do NOT add anything
Aliases: set a static IP here → this is the IP of the host on that bridge. For example 10.0.100.1
Then attach br1 (in addition to br0) to your VM, and configure a static IP on that adapter. For example 10.0.100.2
Now in the Proxy Manager, use the static IP of the VM you configured (10.0.100.2).
Done.
2) Regarding the domain name and reverse proxy setup:
I use a split-horizon DNS setup, which means I have a local DNS server which resolves my domain names to the local IP. So the devices on the local network will not go out from my LAN and then back, which is just way more efficient.
To achieve this, I had to configure the “DNS Rebind Protection” setting on my router, so that it allows this kind of traffic.
And of course the server updates a Public DNS record using DDNS, so when I leave home, my laptop/phone automatically gets the external IP from the public DNS servers.
Why is your reverse proxy not working? Only you can figure that out, by going step by step and “debugging” your network.
I really don’t get what you are trying to do in 1). What is this bridge doing? What is the purpose of the bridge in the first place? You mention linking to br0, but I don’t have any bridge. I tried for 1h to create one, remove the IP from the default interface and create a bridge with the same IP, but it fails every time and TrueNAS reverts to the previous configuration.
But I don’t understand why it’s necessary in the first place. The VM is like another machine on my network; it got an IP from my router, so it should be accessible at this IP from any machine, like I can access it from my PC. Why can’t TrueNAS access it with this IP as well?
And the VM is able to access the internet, so if I do a WireGuard tunnel to an external machine, it should also work. I have a physical machine, linked to an external VPS, and it works fine, no port redirection, nothing. Now I do the exact same config on the VM with the same VPS and it’s not working; I get the handshake but that’s all, no ping possible.
I do not know why it is not working to access the VM from the host using the LAN IP, it should work.
On my own server I created two bridge interfaces to do two different things.
br0 is bridged with a physical interface to provide Internet access to the VM. (same thing as you did)
br1 is a bridge without any physical interfaces, using a private IP address range.
br1 is the one I’m using to access the VM from TrueNAS, and vice versa. This is very simple, and uses static IPs; I think this must work because it eliminates everything outside the server.
I also had issues when creating a bridge with a physical interface… It is indeed really tricky and this guide helped me.
Thanks for the video. Apparently I followed a video from the same guy to try to use jailmaker, and then it was not doing what I wanted and I gave up, leaving a jailmaker running for nothing. It was preventing me from changing the network settings. Now I have my bridge working, still not sure why this was necessary, but anyway.
Now I have a baby-step progress: I can ping the NAS from the VM and the VM from the NAS. But that’s all, the rest is still not working; NPM nginx on the NAS cannot reach the VM with the local IP.
I tried your trick with br1; I added a second NIC to my VM on br1. I tried both VirtIO and a direct network card, but neither works. I tried to find out if the VM got a second IP in the 10.0.100.x range (assuming the IP from your example), but I don’t see anything like this when doing ip a from the VM.
Also the WireGuard tunnel is still not able to ping inside it, while I can ping the public IP of the other side of the tunnel.
I will still try to figure it out… thanks for the help so far.
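The br1 host-only setup from 1) above, and the “no 10.0.100.x address on the VM” question just raised, can be checked from inside the VM with a small script. This is an added helper, not code from the thread or from TrueNAS; the host IP 10.0.100.1 and VM IP 10.0.100.2 come from the example above, while the app port 8080 and the interface names in the sample output are assumptions.

```bash
#!/usr/bin/env bash
# Added troubleshooting helper for the br1 host-only bridge; not from the thread.
# Assumed values: host 10.0.100.1 on br1, VM 10.0.100.2, proxied app on TCP 8080.
HOST_IP=10.0.100.1; VM_IP=10.0.100.2; APP_PORT=8080

# Print the interface carrying an address that starts with PREFIX, reading
# `ip -o -4 addr show` output on stdin (fields: idx, ifname, "inet", addr/mask).
iface_with_prefix() {
  awk -v p="$1" 'index($4, p) == 1 { print $2; exit }'
}

# Print the address (mask stripped) configured on interface IFNAME, same input.
addr_on_iface() {
  awk -v i="$1" '$2 == i { sub(/\/.*/, "", $4); print $4; exit }'
}

# Read `ss -Hltn` output on stdin; succeed only if something listens on PORT on a
# wildcard address or on the exact IP the proxy will connect to. An app bound only
# to the LAN address is a classic cause of a 502 when the proxy comes in via br1.
listens_for_proxy() {  # usage: listens_for_proxy IP PORT
  awk -v ip="$1" -v port="$2" '
    { n = split($4, a, ":"); p = a[n]; h = substr($4, 1, length($4) - length(p) - 1) }
    p == port && (h == "0.0.0.0" || h == "*" || h == "[::]" || h == ip) { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Constructed sample, shaped like the VM's `ip -o -4 addr show` output.
SAMPLE_IP='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.1.50/24 brd 192.168.1.255 scope global enp1s0\       valid_lft forever preferred_lft forever
3: enp2s0    inet 10.0.100.2/24 brd 10.0.100.255 scope global enp2s0\       valid_lft forever preferred_lft forever'

# Constructed `ss -Hltn` sample: sshd on the wildcard, the app bound only to the LAN IP.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 192.168.1.50:8080 0.0.0.0:*'

# Live run on the VM: the same checks against the real commands, then ping the host.
live_check() {
  ifc=$(ip -o -4 addr show | iface_with_prefix "${VM_IP%.*}.")
  [ -n "$ifc" ] || { echo "no interface has a ${VM_IP%.*}.x address (br1 NIC unconfigured?)"; return 1; }
  ss -Hltn | listens_for_proxy "$VM_IP" "$APP_PORT" \
    || { echo "nothing listens on $VM_IP:$APP_PORT; the proxy will get a 502"; return 1; }
  ping -c1 -W1 "$HOST_IP" >/dev/null || { echo "host $HOST_IP unreachable over br1"; return 1; }
  echo "br1 path looks good: $ifc has $(ip -o -4 addr show | addr_on_iface "$ifc"), app listens, host reachable"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it with `--live` on the VM; without the flag it only defines the checks, which is how the constructed samples above can be fed through them.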
Macvlan NICs: Used to create a virtual network interface based on an existing interface. A MACVLAN assigns a unique MAC address to the virtual interface so the instance appears as a separate device on the network.
Important
A MACVLAN NIC on the same physical interface as the TrueNAS host cannot directly communicate with the host. MACVLAN sends traffic directly to the external network without passing through the host network stack. The host does not recognize MACVLAN packets as local, so any traffic between them must be routed through an external switch, use a separate NIC, or use a network bridge.
Ok, this was an extremely stupid mistake in my WireGuard configuration that blocked me: I copy-pasted a wrong IP into one of the configs… Took me hours to figure out.
Still, the NPM nginx cannot reach the VM, but it was not my intention to use this anyway, so I will skip looking for a solution here.