koenjdejong, posted September 10, 2022:
Hey there! My Unraid 6 configuration is not behind a Router / NAT, which is what I would normally use as a firewall with port forwarding. What are the best practices for an Unraid Firewall considering my situation? Thanks in advance!

primeval_god, posted September 10, 2022:
This is not a safe or recommended environment for unRAID.

aronmal, posted September 13, 2022:
I am running an OPNsense Firewall in a VM and route the Unraid traffic through it. I made my life easy by using a 4 port Intel NIC, so I can physically connect the Motherboard Ethernet port with the NIC as well as my "WAN" (FRITZ!Box Exposed Host). The NIC is passed through to the OPNsense VM. It is possible to do it only with one Ethernet port and VLANs, but it should rather not be considered if you are able to expand your Server with a PCI-E NIC card. (My actual Network and connections are a bit more complex with redundancy, private LAN access, VPN and Wifi, but to keep it simple and easy to replicate, it can be summarized as above)

kizer, posted September 14, 2022:
On 9/10/2022 at 7:23 AM, koenjdejong said:
> Hey there! My Unraid 6 configuration is not behind a Router / NAT, which is what I would normally use as a firewall with port forwarding. What are the best practices for an Unraid Firewall considering my situation? Thanks in advance!

I guess the question should be what is your intent? Nearly everybody has their server behind a router.

koenjdejong (Author), posted September 14, 2022:
Well, I am connected to a university network where I do not have access to any routers. I have my server directly connected to this network, which gives me a few advantages such as internet speed, noise isolation and having its own static IP. To me, it is weird that no firewall is provided within Unraid, because one might intrude within your own network, but hopefully not directly the Unraid server. There are also services which are both faster and easier to set up without authentication (MongoDB for example) that can just run locally without accepting any request from your local network. A firewall would help me in this way, so that everything is behind a reverse proxy, and only ports 80, 443 and a VPN port will be allowed.

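The exposure policy described in the post above (only 80, 443 and a VPN port reachable, local-only services such as MongoDB bound to loopback) can be checked against what is actually listening on the host. This is an added example, not part of the thread: the VPN port 51820/udp, the function names and the sample `ss -H -tuln` output are assumptions constructed for illustration.

```python
"""Added example: audit listening sockets against an exposure policy."""
import ipaddress

# Policy from the post: web ports plus one VPN port.
# 51820/udp is an assumption; the thread does not name the VPN port.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 51820)}

# Constructed sample of `ss -H -tuln` output (not captured from a real server).
SAMPLE_SS = """\
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511             [::]:443           [::]:*
udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:27017      0.0.0.0:*
tcp   LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128                *:22               *:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
"""

def is_loopback(host):
    """True when the bind address is reachable only from the host itself."""
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if host == "*":                           # wildcard: every address
        return False
    return ipaddress.ip_address(host).is_loopback

def parse_listeners(ss_output):
    """Yield (proto, host, port) for each socket line of `ss -H -tuln`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        yield fields[0], host, int(port)

def exposed_violations(ss_output, allowed=ALLOWED):
    """Return network-reachable listeners that the policy does not allow."""
    return sorted(
        (proto, host, port)
        for proto, host, port in parse_listeners(ss_output)
        if not is_loopback(host) and (proto, port) not in allowed
    )

if __name__ == "__main__":
    for proto, host, port in exposed_violations(SAMPLE_SS):
        print(f"EXPOSED {proto}/{port} bound to {host}")
```

On the constructed sample this flags the MongoDB listener bound to 0.0.0.0:27017 and the wildcard SSH listener, while the loopback-only services pass.
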
koenjdejong (Author), posted September 14, 2022:
22 hours ago, aronmal said:
> I am running an OPNsense Firewall in a VM and route the Unraid traffic through it. I made my life easy by using a 4 port Intel NIC, so I can physically connect the Motherboard Ethernet port with the NIC as well as my "WAN" (FRITZ!Box Exposed Host). The NIC is passed through to the OPNsense VM. It is possible to do it only with one Ethernet port and VLANs, but it should rather not be considered if you are able to expand your Server with a PCI-E NIC card. (My actual Network and connections are a bit more complex with redundancy, private LAN access, VPN and Wifi, but to keep it simple and easy to replicate, it can be summarized as above)

Please read the post above for a clearer explanation about my problem. Although the solution is nice, it sounds like some performance sacrifices and I do not have access to a PCI-E NIC card for the time being. The simple solution would be to have a simple ufw install from root, but I do not have the knowledge to make a plugin for this.

JonathanM, posted September 14, 2022:
1 hour ago, koenjdejong said:
> I have my server directly connected to this network, which gives me a few advantages such as internet speed, noise isolation and having its own static IP.

Add your own router to that direct static IP and put the server behind that.

koenjdejong (Author), posted September 14, 2022:
1 minute ago, JonathanM said:
> Add your own router to that direct static IP and put the server behind that.

Now I understand that is an option, but it doesn't seem very logical, does it? In addition, I would have to buy a router for that.

aronmal, posted September 14, 2022:
You can get Gigabit Intel NICs on eBay for about 10-15 Euro. Shouldn't be any different in the US. And there are also a lot of cheap routers out there. An OPNsense Firewall does not take much performance. What processor are you using, if I may ask?

MrGrey, posted October 3, 2022:
I hate to bump this thread, but people need to know that security (security, freedom, anonymity, personality, news) starts, online, with having and controlling your own router which is your own access to the Internet. Unraid is a server; NOT a firewall.

MP715, posted November 28, 2022:
On 10/3/2022 at 12:40 AM, MrGrey said:
> Unraid is a server; NOT a firewall.

Fish are friends!, not food!