Hardening Unraid on Public IP



Hardening Unraid. So I am doing a trial of Unraid, and I have this dedicated server sitting in a colo with DIA (Direct Internet Access). I can only access it via DRAC and public IP. I was wondering if there is a good way to harden the server. My idea is to install pfSense as a VM, have the pfSense VM proxy ARP, and point the Unraid server's gateway to the pfSense VM image. Is this possible?

29 minutes ago, Homebrewzero said:

If I had a firewall and space to put it behind I would, but I do not. 

Unraid currently requires an additional firewall to be safe; it is not audited for direct exposure. This may change in the future, but as of this writing you must have it protected externally.

Many of us run firewalls as VMs, but that requires multiple ethernet connections: the physical port connected to WAN is not accessible to Unraid (it is directly passed to the VM and excluded from Unraid), and the LAN port on the VM firewall is connected via a switch to Unraid's ethernet. This only works with a fully licensed server because internet access is required to start the array and VMs during the trial period, and if something goes wrong you must have a way to connect to the server OOB, like a separately firewalled IPMI port on the server.

If the server is down, I have a separate hardware firewall waiting to be fired up to take the place of the VM while troubleshooting occurs.

None of this is going to work well in a remote colo setting.


Thank you. I should be able to get this going in my environment, though it is not optimal. I'm not storing any personal information; I just don't want my lab/gaming server to get owned. I should be able to use the bridge network to the VM (proxy ARP the IP to the firewall) and point the Unraid server to the firewall (VM). Unraid seems to be the only OS option I have found that lets me manage Docker and QEMU items easily. I should be able to do this without any additional ethernet cables, and if I need to get into the system, I have remote console access via iDRAC and can change the GW to turn it on.

 


For any of those who are curious, I have figured it out. I am able to do this because I do have OOB DRAC access.

1.) Physical port plugs into the Server -> VM Firewall WAN -> VM Firewall LAN -> Unraid vlan.xxx. If I need to reboot the trial version and need internet access, I just add a public IP to the Unraid no-firewall port, pull the license, turn on the array, remove the IP and turn on the VM firewall. It is a few extra steps but works with the trial version.
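
A check for the end state of the procedure in the last post (public IP removed from the host again, default route pointing at the firewall VM), as an added example that is not part of the original thread. The interface names, addresses and `FW_LAN_IP` are constructed; on a live host, pass the output of `ip -o -4 addr show` and `ip -4 route show default` in place of the samples.

```shell
# Added example, not from the thread. Sample data and FW_LAN_IP are constructed.
# Succeeds for RFC 1918, loopback and link-local IPv4 addresses.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# stdin: `ip -o -4 addr show` output. Prints "iface addr" per public address.
public_addrs() {
    while read -r idx iface fam cidr rest; do
        [ "$fam" = "inet" ] || continue
        is_private_ipv4 "${cidr%/*}" || echo "$iface ${cidr%/*}"
    done
}

# stdin: `ip -4 route show default` output. Prints the gateway address.
default_gw() {
    while read -r kind via gw rest; do
        if [ "$kind" = "default" ] && [ "$via" = "via" ]; then echo "$gw"; fi
    done
}

# check_exposure ADDR_OUTPUT ROUTE_OUTPUT FW_LAN_IP; returns 1 on any finding.
check_exposure() {
    status=0
    exposed=$(printf '%s\n' "$1" | public_addrs)
    gw=$(printf '%s\n' "$2" | default_gw)
    [ -z "$exposed" ] || { echo "FAIL: public address on host: $exposed"; status=1; }
    [ "$gw" = "$3" ] || { echo "FAIL: gateway '$gw' is not the firewall VM ($3)"; status=1; }
    if [ "$status" -eq 0 ]; then echo "OK: default route goes through $3"; fi
    return "$status"
}

FW_LAN_IP=192.168.50.1   # assumed LAN address of the firewall VM
# Constructed samples: temporary licensing state, then the intended final state.
ADDR_TEMP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.10/29 brd 203.0.113.15 scope global eth0'
ROUTE_TEMP='default via 203.0.113.9 dev eth0'
ADDR_FINAL='1: lo    inet 127.0.0.1/8 scope host lo
4: br0.50    inet 192.168.50.2/24 brd 192.168.50.255 scope global br0.50'
ROUTE_FINAL="default via $FW_LAN_IP dev br0.50"

check_exposure "$ADDR_TEMP" "$ROUTE_TEMP" "$FW_LAN_IP" || true
check_exposure "$ADDR_FINAL" "$ROUTE_FINAL" "$FW_LAN_IP"
```

The check covers IPv4 only; an IPv6 address on the host-facing port needs its own check.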
