How to install pfSense in a virtual machine on TrueNAS CORE

Hi, I recently assembled and configured my NAS server with TrueNAS Core. The technical specifications are:
RAM: 192GB
CPU: (2) Xeon x5680
Motherboard: Supermicro (I don’t remember the model)
Space: 8 TB in SATA.

I needed to protect my server with a firewall and I was thinking of installing pfSense on a VM on TrueNAS. I wouldn’t know how to do it…

How many network interfaces does this system have and what is the intended layout in the end?

I did this with OPNsense but that needs 4 interfaces at least:

┌──────────────────────────────────────────────────────────┐
│                                                          │
│                           TrueNAS CORE                   │
│          ┌────────────────────────────────────────────┐  │
│          │                                            │  │
│          │                           OPNsense VM      │  │
│          │       ┌ ─ ─ ─ ─ ─ ┐   ┌──────────────────┐ │  │
│          │    ┌───────────┐      │                  │ │  │
│          │ ┌──┴────────┐  │  │   │  LAN        WAN  │ │  │
│          │ │           │  │      │┌─────┐    ┌─────┐│ │  │
│          │ │ VMs/jails │  │  │   ││ ix0 │    │ ix1 ││ │  │
│          │ │           │  ├ ─    │└─────┘    └─────┘│ │  │
│          │ │           ├──┘      │   ▲          ▲   │ │  │
│          │ └────────┬──┘         └───┼──────────┼───┘ │  │
│          │          │                │          │     │  │
│          │          │                │   PCIe   │     │  │
│          │          │                │   pass   │     │  │
│          │ ┌────────┴─────────┐      │   thru   │     │  │
│          │ │                  │      │          │     │  │
│          │ │     bridge0      │      │          │     │  │
│  ┌────┐  │ │┌─────┐    ┌─────┐│   ┌──┴──┐    ┌──┴──┐  │  │
│  │IPMI├──┼─┼┤ ix0 │    │ ix1 ││   │ ix2 │    │ ix3 │  │  │
│  └────┘  │ │└──┬──┘    └──┬──┘│   └──┬──┘    └──┬──┘  │  │
│   .102   │ └───┼──────────┼───┘      │          │     │  │
│          └─────┼──────────┼──────────┼──────────┼─────┘  │
│                │          │.2        │.1        │        │
│                ▼          └──────────┘          ▼        │
│                                                          │
│            to laptop      172.31.0.0/24     to uplink    │
│                                                          │
│                                                          │
│  Mobile Lab                                              │
│  ----------                                              │
│  Supermicro A2SDi-4C-HLN4F                               │
│  Supermicro SC-101F                                      │
│                                                          │
└──────────────────────────────────────────────────────────┘

Getting your money’s worth out of that diagram, I see. Does it count as a non-recurring engineering cost in your books now?


When it fits? Open in Monodraw, select all, copy, paste …

Thank you very much for the great scheme. I currently have 2 network cards installed, so I will have to add 2 more… Being a novice, I still have some difficulty creating the virtual machine on TrueNAS and configuring the firewall. I think I will look for some tutorials and keep asking for advice.

It all depends where you want the firewall to be.

You can have e.g. the external interface of the firewall bridged or passed to one of your two network interfaces and the internal interface to a bridge without a physical connection. Then connect jails and other VMs to that bridge.

You can also PCI pass through a single interface to OPNsense, put VLANs on that and connect a managed switch (so called “router on a stick”).

The first question is - imagine everything was separate hardware and you had as many interfaces as you need - where shall the firewall go in the network topology.

Please try to provide a drawing including your ISP router or whatever your Internet connection is. What is the firewall supposed to protect? What are its interfaces?


Thank you very much for the OPNsense firewall configuration suggestions. I am carefully considering your suggestions, and the strategic location of the firewall in the network seems to be crucial for maximizing security effectiveness.
I have been thinking about your idea of connecting the external interface of the firewall to one of the two available network interfaces and using a bridge for the internal interface without a direct physical connection. This approach seems to optimize the use of available hardware resources and improve the handling of internal traffic.
The idea of switching a single PCI interface to OPNsense and using VLANs with a managed switch (router on a stick) is interesting. It might actually simplify the configuration. As for your question about where to place the firewall, I agree that it should be located between the ISP router and the internal network to filter all incoming and outgoing traffic, thus protecting connected devices and sensitive data.
Could you give me some advice on how the interfaces should be defined in the firewall to ensure an optimal configuration? Also, what are your views on configuring security policies in a network environment like the one described?
Thanks again for your support and valuable advice.

At first you write:

But then:

These two paragraphs contradict each other unless your internal network consists of jails and VMs on TrueNAS only and there are no desktop systems, WiFi clients etc. that you want to protect.

If there is internal physical infrastructure of course the firewall needs a physical interface that is connected to that - which might include your NAS.

In that case I would recommend PCIe-passthrough of two interfaces, one external to your ISP modem, and one internal to the switch. No special bridge or whatever configuration would be necessary - neither your TrueNAS nor your other internal devices would “know” that the firewall is virtualised.

HTH,
Patrick



Update regarding my venture with OPNsense, VMs and TrueNAS… I have been trying to figure this out and am finally trying to install OPNsense on a TrueNAS VM. It would all be very nice if I didn’t see a pixelated BIOS. I tried to move around from the shell but it crashes at every Enter.

Use the serial install image, remove the VNC device from the VM. On a TN CORE shell via ssh (!) as root enter e.g.

cu -l /dev/nmdm3B

You can look up the proper device name in the TN CORE UI.

To get out of the terminal session back into the shell again type

ENTER ~ ~ .

I have no idea how to do it

What exactly? I told you all the steps? Which one?

I have never installed an ISO from the shell. How can I establish an SSH connection, and where should I go? I found a list of devices:
nmdm1A
nmdm1B
nmdm3A
nmdm3B
and then?

You don’t need to “install from shell”. You go about installing just as you would with the VNC console - only difference we are using a serial console instead.

So you did download an ISO from opnsense.org and you did pass that to your VM as a boot/install disk - right?

Do the same but this time:

  • download the “serial” image from opnsense.org instead of the “vga” one
  • delete the VNC device from the VM - “Devices” in your VM’s settings in the UI

Then again in the UI click on your VM and open up the details. It will show you which device is your serial console.

For SSH - what desktop operating system are you on? For quick and easy and if your NAS is on your own isolated network and has no connection to the Internet we can use root and password login and disable that again, later.

  • in “Services” click on the edit/pencil button for SSH - enable root login, enable root login with password
  • in “Services” start the SSH service

In a powershell (Windows) or terminal (Mac) window type

ssh root@<ip of your NAS>

When asked if you want to trust the key, say “yes”. Then enter your password.

You now have a root shell in a terminal/powershell window.

type

cu -l /dev/<the serial device you looked up in the UI>

Power on the VM from the UI - you should see the boot messages and finally end up in the installer. Just like with VNC, only much more reliable, and one can even copy & paste etc. Serial consoles FTW!

HTH,
Patrick
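The attach step above, as an added helper script (not from this thread or from TrueNAS): it takes either end of an nmdm pair as listed in the UI, derives the host-side “B” end, checks that the device actually exists before calling cu, and reminds you of the detach sequence. It assumes the bhyve convention that the guest holds the “A” end and the host connects to the “B” end, which matches the `cu -l /dev/nmdm3B` used above.

```shell
#!/bin/sh
# Added example: attach to a TrueNAS CORE bhyve VM serial console from a root
# shell on the NAS. Assumption: the guest owns nmdmNA, the host connects to nmdmNB.

# Given "nmdm3A", "nmdm3B" or "/dev/nmdm3B", print the host-side device path
# "/dev/nmdm3B". Returns 1 if the name is not a well-formed nmdm device name.
nmdm_host_end() {
    name=${1#/dev/}
    case "$name" in
        nmdm*[AB]) ;;
        *) return 1 ;;
    esac
    num=${name#nmdm}
    num=${num%[AB]}
    # The part between "nmdm" and the end letter must be a non-empty number.
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '/dev/nmdm%sB\n' "$num"
}

# Validate the device, make sure it exists (it only appears once the VM has a
# serial device configured), then hand the terminal over to cu.
attach_console() {
    dev=$(nmdm_host_end "$1") || {
        echo "not an nmdm device name: $1" >&2
        return 1
    }
    [ -c "$dev" ] || {
        echo "$dev does not exist; check the VM's serial device in the UI" >&2
        return 1
    }
    # Over ssh a single "~" is eaten by ssh itself as its escape character, so
    # "~~" passes one literal "~" through to cu: detach with ENTER, ~ ~ .
    echo "attaching to $dev; to detach press ENTER then ~ ~ ." >&2
    cu -l "$dev"
}

# Usage (only when run directly with a device name argument):
[ -n "$1" ] && attach_console "$1"
```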

Thank you very much, I was able to connect and finally I can move around in the BIOS. But I got stuck: I follow this path, Boot Maintenance Manager > Boot From File, and in the file explorer (I attach a picture) nothing appears for me.

Sorry, but what kind of screen is this? I thought you try to install OPNsense as a VM in TN CORE? There is no “BIOS” in VMs in TN CORE.

You need to get a root shell. This will give you a prompt similar to this:

root@truenas-ka[~]#

At that prompt you type

cu -l /dev/nmdm3B

and hit the ENTER key.

You replace “3B” with whatever number the TrueNAS UI shows you for your VM.

Then you “power up” the VM from the UI.

I connected to TrueNAS via PuTTY, logged in as root, entered the commands and turned on the VM; now I am in the boot manager. nmdm3B is the name I see.

That’s good. Now in the “Devices” settings of your VM (in the TrueNAS UI!) is there a CDROM device and does it point at the downloaded image from opnsense.org?

exactly

Can you show the contents of that particular dialog? Because the VM should boot right into the OPNsense installer from the virtual CDROM, not into the screen you are seeing.