January 7, 2025 Hello all, sorry for the probably redundant post, but I haven't been able to find any sort of guide at a near-basics level. TL;DR, is there a simple network security guide for dumb dumbs like me that lays out some basics and lets me forge my own way forward? I want to keep it as simple for friends and family as possible, and not have them log in through something like Tailscale or the like. I'm pretty new to Unraid, but I think I've got my basics handled at the moment. The deficit I have, however, is networking skills. I understand some basics like UPnP/UDP/TCP, have successfully forwarded ports, know not to put my system in the DMZ on my network, and just generally to stay protected. But I'm looking for something that is the most efficient for my needs and probably very basic, as it's probably an introduction to networking for the most part for me. ----- I currently have a 48TB array, with 16TB of parity, and a 500GB cache operating on a Zen3 CPU with 32GB of RAM. I have Plex and an array of -arrs going, as well as qBit, Watchtower, Watchlistarr and cross-seed. No VMs or remote shares going aside from Plex connections from friends/family. Local shares are just great and I'm enjoying my 2.5Gbs connections between devices on my network, despite having only 1Gb fiber. Right now, the server is just active behind the firewall that is my ISP modem. I have an unmanaged switch that has several consoles, desktops with Windows, TVs and more running through it. No mesh, and all wifi-active devices are directly connected to my modem. A standalone router is on the horizon, possibly. The primary purpose, atm, is sharing my Plex media server with friends and family outside of my home network (10 overall, max streams are usually 5-6).
This is successfully happening, though without any WireGuard or DDNS, or anything in place at this moment (outside of my personal VPN on my desktop), as I'm not too awfully concerned about the data that's there right now and I only pick up things from private areas. IFKYK. Well, that and my previous attempts at a reverse proxy were ill met, as I don't have a static IP and everything just goes over my head. The local network is just fine; all web connections are functioning just great. But eventually (sooner rather than later) I'm going to have more personal material on my server: phone and PC backups, self-hosted services, home security and automation and more, and I would like to stay protected. Without experimenting yet, I'm trying to find guidance on the next direction to go. Do I run a VM with nginx? Or is the Docker container just fine? Is WireGuard with DDNS fine enough for my purposes atm? Should I look into a cheap Pi or mini PC to host a proxy? Or is there just a guide that really breaks some of the basics down for me so I can forge my own path? Appreciate any and all wisdom.
January 7, 2025 Community Expert Not redundant... per the saying, "many ways to skin a cat", as it comes down to how you want to interact with it and what you want it to do. You can do a VM, LXC, Docker. 90% of what you are doing so far listed will be in the CA and Dockers. Please note that Unraid is not a networking device. What it seems you're asking is more on VPN clients and router/firewall-like systems.... What exactly are you trying to accomplish? HTTPS access? Samba share? NFS share? nginx "NPM" reverse proxy? https://docs.unraid.net/unraid-os/manual/shares/network-access/ Networking on Unraid can get complicated. Docker setups teeter more on whether you are using ipvlan or macvlan: https://docs.docker.com/engine/network/drivers/ipvlan/ https://docs.docker.com/engine/network/drivers/macvlan/ Recommended settings for one Docker per previous posts. Review this post on some Linux networking 101 stuff: Most, I think, are setups for NPM or Let's Encrypt to use HTTPS:
January 7, 2025 Community Expert I prefer macvlan, as I want my Docker containers to have their own hostnames and MAC addresses. Web UI > Settings > Docker: you may want to enable Host access to custom networks. So let's review Plex: there are quite a few Plex Docker options. Which Docker did you install? I use the LinuxServer Docker found in the CA. Others will work... The forum for support: Plex how to share: https://support.plex.tv/articles/201105738-creating-and-managing-server-shares/ Plex uses its own API and website plex.tv to connect your content over the internet at large. First, Plex should really have its own IP, as it has a web server and other ports. This IP will then be used for port forwarding later, as you will need to open the Plex remote port for library access over the internet. Plex default port is 3400; only TCP 3400 needs to be opened. https://portforward.com/ In my case I have a UniFi router and I have port forwarding enabled. With that set, we are now ready to go into Plex and tell it to share its library. Other friends and family will need their own Plex account with their own email. You will need their email to add them to your server. In Plex go to settings by clicking the tool icon at the top right: at the left under settings click on remote access: enable remote access, set the port and test: With Plex reachable from the Internet at large we are now ready to add users. Go to the list at the top left and click on manage library access: Click grant library access: and type in the email for friends and family. The friends should get an email, or you can copy and text the activation link. Once they accept you will have a list of users and they will see your server when they log in to Plex to watch content from your server. So the only network thing on Unraid is the potential Docker setting preference ipvlan / macvlan, host access (more for NPM later and Docker subnet access later) and the Docker application having its own IP address.
More of this setup will be in the application itself, not Unraid. Thus the first post of what is it you're trying to do.
January 7, 2025 Author 6 hours ago, bmartino1 said: Please note that Unraid is not a networking device. What it seems you're asking is more on VPN clients and router/firewall-like systems.... What exactly are you trying to accomplish? Thanks for your detailed responses. Like I said, I feel that I have the basics handled. I have a number of images running right now that all function well locally, and Plex is set up properly and shared with friends who actively use it. I do realize that Unraid is not a network device, but it does have networking functions to implement within its own environment. Until a point in time that I physically expand to have more (like investing in UniFi devices, and maybe more dedicated devices) I'm wanting to understand some basic aspects of more "advanced" networking within the Linux environment as well as just in general, so I can keep scaling upwards with that knowledge. You know, the general pitfall of anyone that gets into this hobby to eternally build more and more. My goal, right now, is to keep myself secure, be it via HTTPS or otherwise, by the most secure, scalable, and amateur-friendly way, while allowing my friends/family who also are a part of at least one share (and maybe more later) ease of access without too many steps; but I need more knowledge on the subject. So like, what I see as the most scalable option is hosting a proxy off of a mini PC on my network. Even then, I can look up a guide on probably best practices and how-tos, but it doesn't give me knowledge that will scale with the experience. Anything I learn will be specific to that environment. So to answer your questions: 6 hours ago, bmartino1 said: HTTPS access? Samba share? NFS share? nginx "NPM" reverse proxy? Yes, lol. Right now, I've come across this free course that I may get started with, because just staring at YouTube all day doesn't help me.
https://www.howtonetwork.com/comptia-network-study-guide-free/ 6 hours ago, bmartino1 said: Review this post on some Linux networking 101 stuff: Thanks, I will definitely check this out; though I see a lot of crossover with UniFi, I think this may help with general configurations. 6 hours ago, bmartino1 said: 90% of what you are doing so far listed will be in the CA and Dockers. While this is true, I feel like I don't know what I need until I figure out what I need; so as I said, I'm just lacking the knowledge/experience to just move forward. The CA and available images seem to me to always be set up for people already familiar with them, their applications, and the general environment. So for someone like me, it has always felt like I'm banging my head or throwing darts to find what I actually need to move forward. I can't just type out a task that I want and expect the CA to direct me to the best option, so I want to learn. Like, I had no idea that TRaSH Guides existed until I had one particular issue (that I'm embarrassed to talk about) transitioning my -arr stack + Plex over from Windows to Unraid. I figured out from the docs and experimenting what worked best. But I also had no idea the -arr suite existed until I had the question "What about automation?" after 4 years of hosting a Plex server. But I feel like that's all on me and my learning style. I need to do simultaneous tasking, both reading about a subject and engaging in said subject, to absorb it. But I feel like for more advanced networking (or at least advanced for me) there isn't a good starting point a lot of the time. ----- 6 hours ago, bmartino1 said: I prefer macvlan Again, just a general aspect I'm not familiar with, nor with the network requirements to just get that going. Didn't even know that was an option. I'm using the official Plex MS image. I will definitely look into moving into individualized IP:MAC for a few containers like Plex.
Which is some knowledge I was seeking, like is it better to run the nginx container, or to host it on its own VM? Correct me if I'm wrong, but it seems to me that hosting it on its own VM is great and all, but overly complicated for my needs just yet, and it can be better suited set up on just a container with a macvlan from what I'm reading here.
January 7, 2025 Community Expert One more thing. Make sure that you have locked down your shared files to prevent accidental or deliberate damage. You should probably have all shares set to 'Private' and allow read-only access to those shares unless there is a specific reason why that user needs write access. (Remember that even a trusted client whom you want to have access to your files can become a victim of malware. This danger is elevated when that client is a remote one.) See here for how to do this: https://forums.unraid.net/topic/110580-security-is-not-a-dirty-word-unraid-windows-1011-smb-setup/ Edited January 7, 2025 by Frank1940
January 7, 2025 Community Expert I'd have you look into networking stuff from cybersecurity, networking and ethical hacking standpoints. There is quite a bit of free stuff and paid stuff... Here are good resources and tools with a community to go over networking. College courses are free online as well, with certs. Semi-free: https://www.youtube.com/channel/UC9x0AN7BWHpCDHSm9NiJFJQ https://academy.networkchuck.com/ Networking usually branches into manufacturer-specific, like the Cisco cert for CCNA: https://www.netacad.com/cisco-packet-tracer That's more logging into a switch and configuring the switch for layer 2 to layer 3 stuff. Pirate Software YouTube and Discord... while you won't earn a college credit, you can get Harvard courses... It really begins with understanding the OSI model and how to break down subnets. https://aws.amazon.com/what-is/osi-model https://docs.netgate.com/pfsense/en/latest/network/cidr.html https://mxtoolbox.com/subnetcalculator.aspx Then how to traverse the subnets and move between them. Usually NAT and dnsmasq via iptables and masquerade.... Things like Kali Linux, Wireshark, nmap... use special networking tools to monitor and take a deeper look into what is going on in the network. This is done by capturing traffic and exploring what is sent in milliseconds... and how that packet is made. Like all things, technology is not inherently good or evil. It's a tool and how it's used. With knowledge come standpoints and issues. Take things with a grain of salt. From my perspective: sadly, nothing connected to the internet is safe. There are standards and security measures you can follow, but that doesn't mean you can't be hacked or aren't already vulnerable. It's more just a level of paranoia where you feel comfortable and what you can do for when something happens. This is why backups are important and following the 3-2-1 backup rule is important... From zero-day vulnerabilities to skeleton keys.
The security standards are guidelines to help protect or lock down, but are not guarantees. In which case I would have you look into sites that help report and monitor CVEs, networking standards in IEEE 802.3 and other RFC documentation. But that can be advanced. I don't know the level you're at, what you know, what you don't know, so I'm hard stretched on what to share and where to direct... CVEs: https://www.cvedetails.com/ IEEE standards: https://www.ieee802.org/3/ RFC: https://www.ietf.org/process/rfcs/ I started out by going around my town collecting and buying computers and hardware at garage sales. Later went to school; currently back in school due to a work perk. I have taken classes to refresh and learn new things. Currently, I hold 0 certificates (taken classes, never the test, as certs expire now... degrees do not. Certs only show that you have knowledge in an area...) and hold an Associate Degree in micro-computer support. This doesn't mean I have total understanding nor experience of more concepts, etc.... To gain those concepts you usually go through podcasts, YouTube, other free tools and have a play area. I'm a hands-on and visual learner. I have played around and done a lot. What keeps me on this forum is that I like puzzles and have experienced a thing or two... I can go broad or application-specific. Is there an area you want to look into first?
January 7, 2025 Community Expert I would have you make a Debian/Ubuntu VM in Unraid and install documentation following Ubuntu community docs and support to learn about the applications before running them on Unraid in Dockers and full setups. For Ubuntu, example Samba: https://ubuntu.com/tutorials/install-and-configure-samba https://ubuntu.com/server/docs/samba-as-a-file-server Then learn the smb.conf that dictates Samba to be a network share. https://www.samba.org/samba/docs/man/ https://www.samba.org/samba/docs/4.9/man-html/smb.conf.5.html Unraid has a weird Samba setup. Having worked as a technician with an ISP and other experiences with Samba for more than 10 years, I'd rather write my own Samba config. There are other side examples one can do. If using ZFS you can leverage Samba for shadow copies with your ZFS snapshots: https://forum.level1techs.com/t/zfs-on-unraid-lets-do-it-bonus-shadowcopy-setup-guide-project/148764 Per share, as an example:
vfs objects = shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = zfs-auto-snap_%S-%Y-%m-%d-%H%M
shadow: localtime = yes
Let me know of 1 area and I will gladly work with you. Unraid has a decent basic Samba configuration and it has been improving. It is great for generic end-user use. That said, Samba is a complicated thing in and of itself. There's a lot that an smb.conf can do... too much really!... Most of the time, Samba is used with Windows machines. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5606ad47-5ee0-437a-817e-70c366052962 So again this comes back to what you want it to do and how you want to interact with it.
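A small script, added here and not posted by anyone in the thread, that ties Frank1940's advice (shares private and read-only unless a user needs write access) to bmartino1's point about owning your smb.conf: it parses a constructed smb.conf, flags shares that allow guest access or writes, and checks that a share loading shadow_copy2 also sets the `shadow: snapdir` it needs. The sample config and the share names are made up for the example.

```python
"""Audit an smb.conf for shares that are guest-reachable or writable.
Added example, not from the forum thread or from Samba/Unraid."""
import configparser
from typing import Dict, List

# Constructed smb.conf: one locked-down share, one writable, one wide open.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
server min protocol = SMB2

[media]
path = /mnt/user/media
valid users = alice bob
read only = yes
vfs objects = shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = zfs-auto-snap_%S-%Y-%m-%d-%H%M
shadow: localtime = yes

[backups]
path = /mnt/user/backups
valid users = alice
writable = yes

[public]
path = /mnt/user/public
guest ok = yes
read only = no
"""

def _truthy(value: str) -> bool:
    """Samba booleans: yes/true/1 are true, anything else false."""
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # Only '=' separates keys from values; keys like 'shadow: snapdir' contain ':'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def is_read_only(share: configparser.SectionProxy) -> bool:
    """'read only' defaults to yes; 'writable'/'writeable' are its inverse.
    Simplified: the inverse keys override 'read only' when both are present."""
    ro = _truthy(share["read only"]) if "read only" in share else True
    for key in ("writable", "writeable"):
        if key in share:
            ro = not _truthy(share[key])
    return ro

def audit(text: str) -> Dict[str, List[str]]:
    """Return {share name: [findings]} for every share with something to review."""
    cp = parse_smb_conf(text)
    findings: Dict[str, List[str]] = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]
        issues = []
        if _truthy(share.get("guest ok", "no")) or _truthy(share.get("public", "no")):
            issues.append("guest access enabled (share is not private)")
        if not is_read_only(share):
            issues.append("writable; confirm this user really needs write access")
        if "shadow_copy2" in share.get("vfs objects", "") and "shadow: snapdir" not in share:
            issues.append("shadow_copy2 loaded but 'shadow: snapdir' not set")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for share, issues in audit(SAMPLE_SMB_CONF).items():
        print(f"[{share}]: " + "; ".join(issues))
```

Run it against a copy of a real smb.conf by passing its contents to `audit()`; the [media] share produces no findings because it is private, read-only and has its snapshot directory set.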