Unraid Firewall Setup


koenjdejong


I am running an OPNsense firewall in a VM and route the Unraid traffic through it. I made my life easy by using a 4-port Intel NIC, so I can physically connect the motherboard Ethernet port with the NIC as well as my "WAN" (FRITZ!Box Exposed Host). The NIC is passed through to the OPNsense VM. It is possible to do it with only one Ethernet port and VLANs, but that should rather not be considered if you are able to expand your server with a PCI-E NIC card.

(My actual network and connections are a bit more complex with redundancy, private LAN access, VPN and Wi-Fi, but to keep it simple and easy to replicate, it can be summarized as above.)

On 9/10/2022 at 7:23 AM, koenjdejong said:

Hey there!

 

My Unraid 6 configuration is not behind a Router / NAT, which is what I would normally use as a firewall with port forwarding.

What are the best practices for an Unraid Firewall considering my situation?

 

Thanks in advance!

 

I guess the question should be what is your intent? Nearly everybody has their server behind a router.


Well, I am connected to a university network where I do not have access to any routers. I have my server directly connected to this network, which gives me a few advantages such as internet speed, noise isolation and having its own static IP.

To me, it is weird that no firewall is provided within Unraid, because one might intrude into your own network, but hopefully not directly into the Unraid server.

There are also services which are both faster and easier to set up without authentication (MongoDB, for example) that can just run locally without accepting any requests from your local network. A firewall would help me in this way, so that everything is behind a reverse proxy, and only ports 80, 443 and a VPN port will be allowed.

22 hours ago, aronmal said:

I am running an OPNsense firewall in a VM and route the Unraid traffic through it. I made my life easy by using a 4-port Intel NIC, so I can physically connect the motherboard Ethernet port with the NIC as well as my "WAN" (FRITZ!Box Exposed Host). The NIC is passed through to the OPNsense VM. It is possible to do it with only one Ethernet port and VLANs, but that should rather not be considered if you are able to expand your server with a PCI-E NIC card.

(My actual network and connections are a bit more complex with redundancy, private LAN access, VPN and Wi-Fi, but to keep it simple and easy to replicate, it can be summarized as above.)

Please read the post above for a clearer explanation about my problem.
Although the solution is nice, it sounds like some performance sacrifices and I do not have access to a PCI-E NIC card for the time being.
 

The simple solution would be to have a simple ufw install from root, but I do not have the knowledge to make a plugin for this.

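As an added example (not code from anyone in this thread, and not Unraid's own), here is what the "simple ufw from root" idea looks like using the iptables that Unraid 6 already ships, written for the setup described above: the box sits directly on an untrusted network, a reverse proxy answers on 80 and 443, a VPN port is open, and everything else stays local. Everything named below is an assumption for illustration: the WAN-facing interface (eth0; check with `ip link`, on Unraid with bridging enabled it is usually br0), the VPN port (51820, WireGuard's default), and the public TCP ports. The script prints the ruleset for review by default and only loads it with `--apply`. The part most people miss is the DOCKER-USER chain: ports that Docker publishes for bridge-mode containers are DNATed before they reach INPUT, so an INPUT-only firewall does not cover them at all.

```shell
#!/bin/sh
# Added example, not Unraid's code and not from anyone in this thread: a
# default-deny host firewall for a Linux box whose NIC sits directly on an
# untrusted network, emitted as an iptables-restore fragment so it can be
# reviewed before it is loaded. Assumptions (override via the environment):
#   WAN_IF     interface facing the untrusted network (eth0 assumed; on Unraid
#              with bridging enabled it is usually br0)
#   VPN_PORT   UDP port the VPN listens on (51820, WireGuard's default, assumed)
#   PUBLIC_TCP TCP ports open to the world (the reverse proxy on 80 and 443)
# Only INPUT and Docker's DOCKER-USER chain are touched, and the fragment is
# loaded with "iptables-restore --noflush" so Docker's own chains survive.
WAN_IF="${WAN_IF:-eth0}"
VPN_PORT="${VPN_PORT:-51820}"
PUBLIC_TCP="${PUBLIC_TCP:-80 443}"

# Rules for the host itself. INPUT only sees traffic addressed to the host:
# the WebGUI, SSH, and containers running in host network mode.
# "! -i $WAN_IF" trusts every other interface (the VPN tunnel, docker0, the
# VM bridge); a stricter setup would list those interfaces one by one.
host_rules() {
    printf '%s\n' \
        "-A WAN-IN -i lo -j ACCEPT" \
        "-A WAN-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "-A WAN-IN -m conntrack --ctstate INVALID -j DROP" \
        "-A WAN-IN ! -i $WAN_IF -j ACCEPT" \
        "-A WAN-IN -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT" \
        "-A WAN-IN -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT"
    for port in $PUBLIC_TCP; do
        printf '%s\n' "-A WAN-IN -i $WAN_IF -p tcp --dport $port -j ACCEPT"
    done
    # Rate-limited log of what gets dropped gives the "monitoring" that was
    # asked for; it lands in the kernel log (dmesg / syslog).
    printf '%s\n' \
        "-A WAN-IN -i $WAN_IF -m limit --limit 2/min -j LOG --log-prefix \"WAN-IN drop: \"" \
        "-A WAN-IN -i $WAN_IF -j DROP"
}

# Rules for bridge-mode containers with published ports. Docker DNATs those
# in PREROUTING and the packets then traverse FORWARD, not INPUT, so the host
# rules above never see them. Docker jumps to DOCKER-USER first and reserves
# that chain for exactly this kind of filtering. The published port must be
# matched on the connection's original destination port, because by the time
# the packet reaches FORWARD its destination is already the container's.
docker_rules() {
    printf '%s\n' "-A DOCKER-USER -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    for port in $PUBLIC_TCP; do
        printf '%s\n' "-A DOCKER-USER -i $WAN_IF -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j RETURN"
    done
    printf '%s\n' \
        "-A DOCKER-USER -i $WAN_IF -m limit --limit 2/min -j LOG --log-prefix \"DOCKER-USER drop: \"" \
        "-A DOCKER-USER -i $WAN_IF -j DROP" \
        "-A DOCKER-USER -j RETURN"
}

# build_rules prints the whole fragment: INPUT's policy becomes DROP, the two
# user chains are declared, and nothing else in the filter table is touched.
build_rules() {
    printf '%s\n' "*filter" ":INPUT DROP [0:0]" ":WAN-IN - [0:0]" ":DOCKER-USER - [0:0]"
    host_rules
    docker_rules
    printf '%s\n' "COMMIT"
}

# apply_rules loads the fragment (needs root). The jump into WAN-IN is put in
# place before the policy flips to DROP so the SSH session doing this is not
# cut off, and both chains are flushed first so re-running the script does not
# pile up duplicates (in-flight packets may be dropped for a few milliseconds).
apply_rules() {
    iptables -N WAN-IN 2>/dev/null || iptables -F WAN-IN
    iptables -N DOCKER-USER 2>/dev/null || iptables -F DOCKER-USER
    iptables -C INPUT -j WAN-IN 2>/dev/null || iptables -I INPUT 1 -j WAN-IN
    build_rules | iptables-restore --noflush
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       build_rules ;;   # default: print for review, e.g. sh wanfw.sh | less
esac
```

Two caveats a practitioner will want before trusting this. First, it is IPv4 only; if the university network also hands out IPv6 addresses, an equivalent ip6tables ruleset is needed or the box is wide open on v6. Second, containers attached to a macvlan/ipvlan network with their own IP (the br0 custom-network style on Unraid) never pass through the host's netfilter at all, so nothing here protects them; keep internet-facing containers in bridge or host mode. Since Unraid runs from RAM, the rules are gone after a reboot; running the script with `--apply` from the boot script (`/boot/config/go`) or a User Scripts job at array start is the usual way to persist them. Services like MongoDB should still bind to 127.0.0.1 rather than 0.0.0.0: the firewall is the second line, not a substitute for not listening.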

Going to bump this one. I know unraid is not a firewall but you are telling folks to go buy a cheap router as the solution?
 

Cheap routers have vulnerabilities. Heck even expensive ones do. Just curious of how you folks think sticking a router in front of unraid is providing the needed security?

If you forward any ports from the router to unraid then unraid is at risk. It would be nice if Unraid had some kind of protection or monitoring capability.

Any docker/VM suggestions?


Perhaps because a firewall device, be it a sophisticated data center one, a box running pfsense/OPNsense, or even a cheap home router, is designed to do firewall things.  The code is written for routing packets, and those with better code do packet inspection and other bad actor vulnerabilities.  These tasks are best run on hardware which is dedicated to this task, both for bandwidth and to reduce possible attack vectors.

 

Unraid is written to be a NAS.  It has since gained virtualization and Docker capabilities.  With all of this already on its plate (and many folks pushing things to the limit of both the hardware and software), the best advice is leave firewall activities to those focused on writing firewall code.

 

The biggest risk to any system on one's LAN is usually the user who configures and uses the network.
