koenjdejong, posted September 10, 2022:

Hey there! My Unraid 6 configuration is not behind a Router / NAT, which is what I would normally use as a firewall with port forwarding. What are the best practices for an Unraid Firewall considering my situation? Thanks in advance!
primeval_god, posted September 10, 2022:

This is not a safe or recommended environment for unRAID.
aronmal, posted September 13, 2022:

I am running an OPNsense Firewall in a VM and route the Unraid traffic through it. I made my life easy by using a 4-port Intel NIC, so I can physically connect the Motherboard Ethernet port with the NIC as well as my "WAN" (FRITZ!Box Exposed Host). The NIC is passed through to the OPNsense VM. It is possible to do it only with one Ethernet port and VLANs, but it should rather not be considered if you are able to expand your Server with a PCI-E NIC card. (My actual Network and connections are a bit more complex with redundancy, private LAN access, VPN and Wifi, but to keep it simple and easy to replicate, it can be summarized as above)
kizer, posted September 14, 2022:

On 9/10/2022 at 7:23 AM, koenjdejong said:
> Hey there! My Unraid 6 configuration is not behind a Router / NAT, which is what I would normally use as a firewall with port forwarding. What are the best practices for an Unraid Firewall considering my situation? Thanks in advance!

I guess the question should be what is your intent? Nearly everybody has their server behind a router.
koenjdejong (thread author), posted September 14, 2022:

Well, I am connected to a university network where I do not have access to any routers. I have my server directly connected to this network, which gives me a few advantages such as internet speed, noise isolation and having its own static IP. To me, it is weird that no firewall is provided within unraid, because one might intrude within your own network, but hopefully not directly the unraid server. There are also services which are both faster and easier to set up without authentication (MongoDB for example) that can just run local without accepting any request from your local network. A firewall would help me in this way, so that everything is behind a reverse proxy, and only ports 80, 443 and a VPN port will be allowed.
koenjdejong (thread author), posted September 14, 2022:

22 hours ago, aronmal said:
> I am running an OPNsense Firewall in a VM and route the Unraid traffic through it. I made my life easy by using a 4-port Intel NIC, so I can physically connect the Motherboard Ethernet port with the NIC as well as my "WAN" (FRITZ!Box Exposed Host). The NIC is passed through to the OPNsense VM. It is possible to do it only with one Ethernet port and VLANs, but it should rather not be considered if you are able to expand your Server with a PCI-E NIC card. (My actual Network and connections are a bit more complex with redundancy, private LAN access, VPN and Wifi, but to keep it simple and easy to replicate, it can be summarized as above)

Please read the post above for a clearer explanation about my problem. Although the solution is nice, it sounds like some performance sacrifices and I do not have access to a PCI-E NIC card for the time being. The simple solution would be to have a simple ufw install from root, but I do not have the knowledge to make a plugin for this.
JonathanM, posted September 14, 2022:

1 hour ago, koenjdejong said:
> I have my server directly connected to this network, which gives me a few advantages such as internet speed, noise isolation and having its own static IP.

Add your own router to that direct static IP and put the server behind that.
koenjdejong (thread author), posted September 14, 2022:

1 minute ago, JonathanM said:
> Add your own router to that direct static IP and put the server behind that.

Now I understand that is an option, but it doesn't seem very logical, does it? In addition, I would have to buy a router for that.
aronmal, posted September 14, 2022:

You can get Gigabit Intel NICs on eBay for about 10-15 Euro. Shouldn't be any different in the US. And there are also a lot of cheap routers out there. An OPNsense Firewall does not take much performance. What processor are you using if I may ask?
MrGrey, posted October 3, 2022:

I hate to bump this thread, but people need to know that security (security, freedom, anonymity, personality, news) starts, online, with having and controlling your own router which is your own access to the Internet. Unraid is a server; NOT a firewall.
MP715, posted November 28, 2022:

On 10/3/2022 at 12:40 AM, MrGrey said:
> Unraid is a server; NOT a firewall.

Fish are friends!, not food!
xokia, posted March 20:

Going to bump this one. I know unraid is not a firewall but you are telling folks to go buy a cheap router as the solution? Cheap routers have vulnerabilities. Heck even expensive ones do. Just curious of how you folks think sticking a router in front of unraid is providing the needed security? If you forward any ports from the router to unraid then unraid is at risk. It would be nice if Unraid had some kind of protection or monitoring capability. Any docker/VM suggestions?
ConnerVT, posted March 20:

Perhaps because a firewall device, be it a sophisticated data center one, a box running pfsense/OPNsense, or even a cheap home router, is designed to do firewall things. The code is written for routing packets, and those with better code do packet inspection and other bad actor vulnerabilities. These tasks are best run on hardware which is dedicated to this task, both for bandwidth and to reduce possible attack vectors.

Unraid is written to be a NAS. It has since gained virtualization and Docker capabilities. With all of this already on its plate (and many folks pushing things to the limit of both the hardware and software), the best advice is leave firewall activities to those focused on writing firewall code.

The biggest risk to any system on one's LAN is usually the user who configures and uses the network.
Vetteman, posted March 22:

I wonder if people would want NAS capabilities available to their firewall?