Firewall/Wireguard for whole Unraid instance including docker containers


Recommended Posts

Hello guys,

 

I am in the process of switching from OMV to Unraid for my Home Server.

 

One essential feature for me is a firewall that allows me to block traffic from certain IP ranges or, better, only allow traffic from certain IP ranges.

To be specific:

I want my Unraid server, including all Docker installs except one, to be reachable only via a secured WireGuard connection, even in my LAN.

Since I am not the only one using my LAN, I cannot have full trust in the security of my LAN and therefore have to block every connection to my Unraid server except for ones coming from my WireGuard network and the nginx proxy manager, which has its own IP.

With OMV this was really simple to do: just enable UFW and allow only my WireGuard subnet and connections to my WireGuard, 80 and 443 ports.

But with OMV I wasn't using Docker, which brings another problem with it, since every Docker instance has and needs its own IP address via the br0 interface. Is there a way to also restrict access to these Docker instances?

 

I hope you are able to understand my problem and maybe even help me a bit. Thanks!

Link to comment
4 hours ago, unifiedmamba said:

since every Docker instance has and needs its own IP address via the br0 interface.

As itimpi said, why?

I personally have 37 containers, all sharing the host's IP, answering on different ports. I find it much easier to manage that way, as I know which physical machine is responsible for the traffic and services. Besides, macvlan, the service that enables separate IP addresses for containers, is notoriously buggy for some people.

 

It's not like you will run out of unique ports, with 60K+ available on each IP.

Link to comment
19 hours ago, JonathanM said:

As itimpi said, why?

I personally have 37 containers, all sharing the host's IP, answering on different ports. I find it much easier to manage that way, as I know which physical machine is responsible for the traffic and services. Besides, macvlan, the service that enables separate IP addresses for containers, is notoriously buggy for some people.

 

It's not like you will run out of unique ports, with 60K+ available on each IP.

 

I understand that, but I use two instances of a service that needs to run on the same port, and I can't just use another port because it would cause trouble with the devices and wouldn't work plug and play.

But this has nothing to do with my problem; it would be nice if someone would explain to me how I can install ufw or something similar on Unraid.

Edited by unifiedmamba
Link to comment

There is a firewall function available in the WireGuard configuration which can be set to either allow or deny access to certain IP addresses/ranges.

This firewall function works for devices external to the Unraid server, but not for docker containers on dedicated IP addresses.

Docker containers run on Unraid itself; despite having a different IP address, these are accessed directly, before the firewall kicks in (which happens only when the physical ethernet interface is used).

 

Link to comment
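As an added example, not code from the thread or from Unraid, the script below generates the iptables rules for the host that mirror the OP's OMV/ufw policy (allow the WireGuard tunnel subnet, the WireGuard listen port, and ports 80/443 from the proxy host, drop everything else). It prints the rules instead of applying them so they can be reviewed first; every address and port is an assumed placeholder supplied through environment variables. It also illustrates bonienl's caveat: these rules live in the host's INPUT chain, so they never see traffic to a container that has its own IP on br0 (macvlan), because that traffic is delivered to the container's interface rather than to the host.

```shell
#!/bin/sh
# Added example: generate (not apply) an iptables INPUT policy for the Unraid host
# that allows only the WireGuard subnet, the WireGuard port, and the reverse proxy.
# All values below are assumed placeholders; override them via the environment.
WG_SUBNET="${WG_SUBNET:-10.253.0.0/24}"   # assumed WireGuard tunnel subnet
WG_PORT="${WG_PORT:-51820}"               # assumed WireGuard listen port (UDP)
PROXY_IP="${PROXY_IP:-192.168.1.50}"      # assumed nginx proxy manager address
ADMIN_IP="${ADMIN_IP:-192.168.1.10}"      # assumed admin workstation; keeps the
                                          # WebGUI/SSH reachable while rolling out

gen_rules() {
  # A dedicated chain is used instead of changing the INPUT default policy, so
  # Docker's own rules are untouched and removal is one command:
  #   iptables -D INPUT -j UNRAID-ALLOW && iptables -F UNRAID-ALLOW && iptables -X UNRAID-ALLOW
  # The final DROP in the chain is what turns this into an allow-list.
  cat <<EOF
iptables -N UNRAID-ALLOW 2>/dev/null || iptables -F UNRAID-ALLOW
iptables -A UNRAID-ALLOW -i lo -j ACCEPT
iptables -A UNRAID-ALLOW -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A UNRAID-ALLOW -p udp --dport ${WG_PORT} -j ACCEPT
iptables -A UNRAID-ALLOW -s ${WG_SUBNET} -j ACCEPT
iptables -A UNRAID-ALLOW -s ${PROXY_IP} -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A UNRAID-ALLOW -s ${ADMIN_IP} -j ACCEPT
iptables -A UNRAID-ALLOW -j DROP
iptables -C INPUT -j UNRAID-ALLOW 2>/dev/null || iptables -I INPUT 1 -j UNRAID-ALLOW
EOF
}

# Print the rules for review. To apply as root after reviewing:  gen_rules | sh
gen_rules
```

Two practical notes: Unraid does not persist iptables rules across reboots, so a reviewed rule set has to be re-applied at boot (the /boot/config/go script is the usual place for that), and the ESTABLISHED,RELATED rule must come before the DROP so an existing SSH or WebGUI session from the admin host is not cut off the moment the chain is inserted.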
5 hours ago, bonienl said:

There is a firewall function available in the WireGuard configuration which can be set to either allow or deny access to certain IP addresses/ranges.

This firewall function works for devices external to the Unraid server, but not for docker containers on dedicated IP addresses.

Docker containers run on Unraid itself; despite having a different IP address, these are accessed directly, before the firewall kicks in (which happens only when the physical ethernet interface is used).

 

Thank you bonienl, I thought this option would just block devices from accessing the WireGuard server, not the whole Unraid server itself. Is this correct?

Dockers not having a firewall would be fine atm, I'm just searching for a way to make them accessible via VPN (WireGuard), because macvlan doesn't let me connect natively.

Link to comment
  • 2 weeks later...
On 11/16/2021 at 8:10 PM, bonienl said:

The firewall function is specific for remote clients and prevents them from accessing other sources in your network.

Any local connectivity is unaffected.

Yeah, but that's not what I want to achieve. I want to prevent every device in my LAN from accessing Unraid, except for the ones that I allow.

Link to comment

Not the best solution, but since I inherently trust everything that's hardwired with an ethernet (or at least limit via permissions its access to shares) and inherently distrust everything that's WiFi, all the WiFi devices on my network only connect to the guest network which has no access to anything else.

 

Only MY phone and MY tablet connect to the real network. My wife, my kids, my doorbells, TV, my dog's collar (I think this annoys the pooches to no end) and most especially my freeloading sister-in-law who's living with us "temporarily" etc etc etc all connect to the guest.

For hardwired connections that I don't trust I keep a separate router to isolate its network completely (simply because I don't have a managed switch).

Link to comment
