Block VM access to unRaid SMB/NFS shares and any other network device, but keep internet access



Yes, I know, this was asked once, and this was answered once. But I can't make it work. I attached my Routing Table below. The VM is set to work with virbr0 as suggested in other threads, and it is getting the IP it's supposed to get (192.168.122.x). I think it's bridged over unRaid's own network (br0), since it's not showing up anymore on my router (it was set to work with br0 before).

 

I have a second NIC (192.168.0.0/24), but the cable is unplugged, so it's not being listed right now. I had a problem figuring out in what order unRaid should use them; turns out it was very simple, but I haven't plugged in the cable just yet.

 

So, my question is...

 

Is there an easy way to isolate a VM from my network, but keep it accessing the internet? I'm not that savvy in Linux. Is there a way to set it under the Routing Table settings?

 

[Attached image: routing table screenshot]


Does your router support VLANs? If so, you can set up a VLAN, assign it to a port and plug Unraid eth1 into that. Make sure eth1 is not part of br0 though. Then just connect the VM to eth1 (br1). Don't bother assigning an IP to eth1. Finally, firewall off the VLAN from accessing the rest of the LAN and vice versa at the router.

Other option: get a cheap router. Plug it into the main router. Make sure they don't have the same subnet address. Plug Unraid eth1 into the 2nd router (same as above, make sure that eth1 is not part of br0, etc.). This will create a double NAT situation (like CGNAT for ISPs), which will prevent the LAN from accessing the VM, but the VM can access the LAN and the internet. But this will break stuff like dynamic port forwarding, and nothing on the internet can ever directly reach stuff on the VM. To port forward, you would need to manually configure router1 and router2.
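A host-side alternative to the two router-based options above, added here as an example and not code from anyone in this thread: an iptables rule set on the Unraid host that blocks the virbr0 VM's forwarded traffic to private address ranges and its access to the host's own services (SMB, NFS, GUI), while leaving internet-bound traffic alone. The RFC1918 ranges used as "the LAN", the script name and the `VM-ISOLATE:` log prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread's participants): isolate a libvirt NAT
# VM on an Unraid host from the LAN and from the host's own SMB/NFS ports,
# while leaving internet access intact. Assumptions: the VM is on virbr0 in
# the 192.168.122.0/24 subnet the post mentions, iptables is the host
# firewall, and every RFC1918 range counts as "the LAN" (this also covers the
# 192.168.0.0/24 second NIC). Usage: sh vm-isolate.sh        (print rules)
#                                   sh vm-isolate.sh apply  (install them)

VM_IF="virbr0"
VM_NET="192.168.122.0/24"
LAN_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print one iptables command per line instead of running it, so the rule set
# can be reviewed (and tested) before it touches the live firewall.
build_rules() {
    # INPUT: the VM may still reach libvirt's dnsmasq on virbr0 for DHCP/DNS...
    printf 'iptables -I INPUT 1 -i %s -p udp --dport 67 -j ACCEPT\n' "$VM_IF"
    printf 'iptables -I INPUT 2 -i %s -p udp --dport 53 -j ACCEPT\n' "$VM_IF"
    printf 'iptables -I INPUT 3 -i %s -p tcp --dport 53 -j ACCEPT\n' "$VM_IF"
    # ...but nothing else on the host: SMB 445, NFS 2049, the web GUI, SSH.
    printf 'iptables -I INPUT 4 -i %s -j DROP\n' "$VM_IF"
    # FORWARD: drop VM traffic to every private range. DROP is inserted at
    # position 1 first, then LOG at position 1, so LOG ends up ahead of its
    # DROP and blocked attempts show up in syslog with the VM-ISOLATE: prefix.
    for net in $LAN_NETS; do
        printf 'iptables -I FORWARD 1 -i %s -s %s -d %s -j DROP\n' \
            "$VM_IF" "$VM_NET" "$net"
        printf 'iptables -I FORWARD 1 -i %s -s %s -d %s -j LOG --log-prefix VM-ISOLATE:\n' \
            "$VM_IF" "$VM_NET" "$net"
    done
    # Public destinations match none of these rules, so the VM keeps internet
    # access through libvirt's existing MASQUERADE rule.
}

# Run every generated command; needs root on the Unraid host.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        $cmd || exit 1   # word splitting intended: one full command per line
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;   # default is a dry run that only prints the rules
esac
```

The rules are not persistent across reboots, so they have to be re-applied at boot; LAN-initiated connections to the VM are already refused by libvirt's default NAT rules, so only the VM-to-LAN direction is added here.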

5 hours ago, ken-ji said:

Does your router support VLANs? If so, you can set up a VLAN, assign it to a port and plug Unraid eth1 into that.

Hi there! Thank you for your reply. My router supports VLAN. It's running Shibby's Tomato. But, remember, I don't want to isolate unRaid, just that VM. Will unRaid (and dockers and other VMs) stay on the same network they are on today?

 

5 hours ago, ken-ji said:

Then just connect the VM to eth1 (br1). Don't bother assigning an IP to eth1. Finally, firewall off the VLAN from accessing the rest of the LAN and vice versa at the router.

Now, with the sorcery.

 

Let's say I set up a VLAN. It'll be like I have two sets of IP ranges (hope that's the term) on that port, right?

 

Will unRaid show it on the Routing Tables? Do I need to add something there? What do I do on unRaid once all this is set on my router?

 

And I need to set a fixed IP for unRaid; it has to keep its current IP. Everything has to, except that VM, which must be kept apart from everything else.

Edited by mizifih
On 3/13/2020 at 6:10 PM, mizifih said:

Let's say I set up a VLAN. It'll be like I have two sets of IP ranges (hope that's the term) on that port, right?

 

Will unRaid show it on the Routing Tables? Do I need to add something there? What do I do on unRaid once all this is set on my router?

 

And I need to set a fixed IP for unRaid; it has to keep its current IP. Everything has to, except that VM, which must be kept apart from everything else.

Yes. If you look at Unraid network settings, a VLAN will create a sub-interface which will look like another network interface that can only see the VLAN-marked traffic, so Unraid will definitely show this on the routing table. It will be the job of the router that understands VLANs to route between them; nothing changes for Unraid.

 

In actuality, a VLAN is just network packets with an extra label. If the device is VLAN-aware, it sees the extra label and processes it accordingly (member or not, etc.); a non-VLAN-aware device will not understand it and will either throw it out (as is the case with PCs and other clients) or just pass it on, as seems to be the case with most dumb/simple switches. This allows the VLAN to have its own subnet addresses, etc., and they can happily coexist with the main LAN traffic.

