I prefer the 2nd choice - TrueNAS SCALE as a hypervisor OS. I understand this is limiting myself and introducing a lot of complexity since the whole virtualisation - hypervisor OS theme is new to TrueNAS (very new indeed).
Still, I like my data to be the bare metal layer - so the thing that works with disks; this seems like a more reliable choice for me than to have TrueNAS be a VM. Unfortunately I can't afford both (I am using a bare metal dedicated server machine in a datacenter).
So ----- HOW DO I SET UP A FIREWALL!!! ???
My datacenter provides a basic firewall with only 10 rules, which is really not enough for a hypervisor OS…
Can I have my TrueNAS SCALE somehow do the firewall duties as well? I will be having a couple of different VMs and I need to protect them at a level before they are reached (as each is specific and has its own complexity - as well as the complexity of setting up a firewall on each one, so really best practice here is to put a firewall before them - which is really the hypervisor OS level - in my case - TrueNAS SCALE…)
General rule of thumb is not to expose your NAS to the internet unless you're doing it through a VPN.
I'm not confident enough in my own terrible execution of firewall solutions to give any real advice to others. Let alone then running virtually on my NAS.
I think Level1Techs had some fun videos on THE FORBIDDEN ROUTER where they go into details about running your router on a hypervisor. They didn't virtualize it on TrueNAS, and unless you're a hardware nerd you can likely skip the build details… but combine the knowledge there with some general info on how to virtualize on TrueNAS in general & you should have a start.
Wendell goes into some details on why maybe you shouldn't, goes into how to do it, and links to his forums where such heresy might be better supported. I'd argue the crowd here is (rightfully) more conservative; we love our data & want it away from risks.
Edit: I keep saying 'router' when you're asking for 'firewall' because I'm too used to OPNsense where it is frankly both. I think Wendell goes over pfSense - others can argue about which is better.
These are just my foundational 101 recommendations that don't actually give you a direct answer as to 'how', because you'll have to learn a lot to get it working for your specific use case & I don't know if anyone would walk you through the entire way.
Edit 2: If this isn't just for fun on a homelab, but instead a production environment - then uhh… just don't.
Thank you for a detailed answer. I am watching the video now.
I do have a question - why not expose TrueNAS SCALE to the internet?
I get that you don't want to expose your NAS to the internet, but SCALE is really not just a NAS, and how are you even going to run Docker containers or VMs without doing so?
I do plan to block a lot of traffic, but my main concern here is - is there something I don't understand about TrueNAS SCALE? Is it inherently unsafe to expose it to the internet? Has it not been built with security in mind, and are there a lot of exploits?
From what I have seen, it uses port 80 or 443 for the web panel, and I can lock them behind a VPN so it can only be reached with the VPN. I can also close every other port, and as a normal course of action I always lock port 22 to my VPN IP as well.
Are there any other problems with this? My idea is to maybe get a couple of IPs from my datacenter and bind one to the NAS itself - that will only be accessible from my VPN IP - and use the others for the other VMs I'm gonna have inside…
Do you see any security risks or potential problems with this setup?
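As an added illustration, not from any post in this thread: the access policy described above (NAS web UI and SSH reachable only from the VPN endpoint, everything else closed, the VMs on their own addresses behind the same chokepoint) written as an nftables ruleset for a Linux firewall VM placed in front of the NAS. It assumes a Linux firewall rather than OPNsense/pfSense, and every address and interface name is a constructed placeholder.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): nftables policy for a Linux firewall VM
# sitting between the datacenter uplink and the NAS plus the other VMs.
# All addresses and interface names are constructed placeholders.
flush ruleset

define VPN_ENDPOINT = 203.0.113.10      # the only source allowed to manage the NAS
define NAS_MGMT     = 198.51.100.5      # public IP bound to the NAS itself
define VM_NET       = 198.51.100.16/28  # addresses handed to the other VMs
define WAN_IF       = "wan0"            # interface facing the datacenter router

table inet fw {
    chain input {
        # traffic addressed to the firewall VM itself: default deny
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # the firewall VM is administered only from the VPN endpoint
        ip saddr $VPN_ENDPOINT tcp dport 22 accept
    }

    chain forward {
        # traffic passing through to the NAS and the VMs: default deny
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # NAS management plane: web UI (80/443) and SSH (22) only from the
        # VPN endpoint; nothing else from the internet reaches the NAS
        ip daddr $NAS_MGMT ip saddr $VPN_ENDPOINT tcp dport { 22, 80, 443 } accept
        ip daddr $NAS_MGMT drop

        # per-VM exposure is explicit: one rule per service you publish
        ip daddr 198.51.100.17 tcp dport { 80, 443 } accept   # e.g. a web VM

        # the NAS and the VMs may still initiate outbound connections (updates)
        ip saddr { $NAS_MGMT, $VM_NET } oif $WAN_IF accept
    }
}
```

Load it with `nft -f` on the firewall VM; TrueNAS itself has no place to hold such rules, which is why the policy lives in a separate firewall in front of it.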
TrueNAS, and FreeNAS before it, has had a hypervisor for 7+ years now.
TrueNAS doesn't have a firewall. Never had it, never will. You could install one in a VM (use whatever software you like), but it isn't part of TrueNAS.
Ya, but you will run into bootstrapping issues as you would have to access everything from a jail and not the host directly.
Some people skydive without a parachute as well… doesn't make it a viable and safe strategy…
Personally I restrict access to TrueNAS to a dedicated VLAN, then I have a separate VLAN that a reverse proxy can access and route WAN traffic to jails running software that needs WAN access, such as WireGuard. For LAN access I use the same proxy, but I use local DNS overrides so that I don't have to reflect NAT.
Route for public access is
WAN - proxy - untrusted VLAN - jails
As far as I am aware it was introduced in SCALE? Plus it's super unbaked, feels like something that was added recently; if it was there for 7+ years, that's quite concerning…
You put TrueNAS behind something like OPNsense.
Did you read my post in its entirety?
Ya, but you will run into bootstrapping issues as you would have to access everything from a jail and not the host directly.
I can see you are not even using TrueNAS SCALE… no worries, but SCALE experience might be a bit better here.
Do you have experience with SCALE? How would you set it up in this case?
Thanks…
__
On a broader topic:
I am really concerned with the amount of low quality flame posts on this forum…
So glad you joined this forum to lecture us. 'I don't like the answer' is not the same as 'the answer wasn't helpful or valuable.'
I answered your questions, clearly, correctly, and succinctly: TrueNAS (CORE or SCALE) does not have, never has had, and in all likelihood never will have any firewall capabilities. If you want them, you'll need to use a different system, perhaps in a VM, though that really isn't ideal. If you have further questions, feel free to ask them, preferably after searching both this and the old forums and reviewing the docs. But I don't think you're going to need to worry about my 'zero value' responses in the future.
First of all - thanks for a constructive answer.
Right, what is your experience with this setup? Do you prefer OPNsense or pfSense and why? I have been contemplating this as - seemingly - the only reasonable option, but I'm not entirely sure how it should be set up.
I might be able to get up to 3 x NICs for my server plus a switch if needed…
What do you mean about losing internet? As I've stated, it's a server in a datacenter, so ideally I would want TrueNAS to have an always-on internet connection and have the VMs go through a firewall. I can lock everything on TrueNAS to my personal IP, so that fixes the access and security of the main server.
I was thinking something in line with:
TrueNAS - connects directly to the datacenter router
VMs and pfSense go to a switch and from it to the datacenter router
Would this be feasible?
I would still prefer to skip pfSense if possible, and do the routing in the FreeNAS OS if possible, so I'll just state this again, but - as far as I can tell - it's not quite possible?
Well my friend, I joined to find a community of people dabbling in TrueNAS wizardry, but - I've had experiences with people posting like you do before. Usually very low on knowledge or skill, but quick to flame topics. So I know what I am up for. Thank you for your contribution so far, and have a lovely day.
Well, that's very reassuring!
Why do you want to switch to OPNsense? I was leaning more towards pfSense but appreciate your opinion on this.
Right, I've seen people do it this way before, but in my case it might be more beneficial to have the NAS directly connected, and have the VMs go through a router; this way I don't lose NAS access after updating it (again - datacenter).
Thanks
How would I handle Docker containers in this case? Can I force them to go through a firewall as well? On a broader note, do you find this setup a bit convoluted compared to, let's say, Proxmox virtualisation where these options are readily available already? I am leaning more towards TrueNAS, as I like the idea of my data being the bare metal layer, but am aware that all of these things could be done somewhat easier on a different OS… so if you had some experience / opinions in this regard too it would be much appreciated.
Yeah, I agree with that; hacking a NAS seems like a pretty bad idea.
I was wondering if there was a way that is less hacky, and more… 'in line' sort of… but I guess not perhaps… …
right.
BTW - since you have extensive experience testing this setup with a VM router, what are your worst experiences? Other than losing internet? Have you had things break pretty bad, and how? What should I know before going forward with this?
Right, I know about this, and - maybe it is even a more recommended setup than the one I am thinking of pursuing…
Could you go into detail why you would recommend going this route, as opposed to TrueNAS SCALE for both? *(more power obviously…)
Would you personally consider using TrueNAS SCALE for both, since you already have experience with your setup where you use Proxmox for VMs? What would you miss the most, and what would be a dealbreaker / hard-to-mitigate thing?
As said, I put everything physically behind the router, by having the NAS run to a switch that runs back to a separate port on the hardware which is passed into the virtual router.
The biggest issue was starting other VMs after the router was up… which I solved with a script.
But I also have BMC IPMI on the management interface.
Having hardware in a data center where you don't have hands on…
I can reach the server with a console even if the network breaks, but I am not very keen on doing so…
So, I have a question: even in this setup, when you update TrueNAS, if you have your router set to autostart, then your TrueNAS should get back up to the internet, even if it loses connection briefly, right? Or no?