Messages - flamur

#1
Quote from: Patrick M. Hausen on November 11, 2025, 10:02:35 PM
You can assign a dedicated IP address to your Docker based "apps" in TrueNAS. Even one on a VLAN interface.

For ingress.

For egress all those "apps" will still use your management interface with the default route, because they run on the same IP stack as the control plane.

That's the current state of affairs.

Come to think of it I should try placing the control plane into a separate network *without* a default route ;-)

I had to use chatgpt to understand this.

It even translated your joke.

So this is way above my knowledge. But it made sense.

But would this interfere with my setup? I am starting to think I will only isolate the "app" pool with its own VLAN and the UI on its own. It feels more secure than an Asus home router with everything behind that - so it's a big step up for my purpose.

Then in the future I will buy some old hardware and use Proxmox and experiment with that instead, and throw away my two old computers I got from work to experiment with 😇
#2
Quote from: Patrick M. Hausen on November 11, 2025, 09:31:30 PM
Quote from: meyergru on November 11, 2025, 09:19:41 PM
IDK if TN directly supports docker containers

It does but these are *NOT* separable from the control plane. Only VMs are (via bridge interfaces without a host IP address).

Docker was the motivation to switch TrueNAS from FreeBSD to Linux.


I was messing around in the apps trying to find where to put them on their own VLAN/Bridge, but this explains it.


Damn. Then I need to create a VM. (I wanted to skip this part since it's one more thing to learn from zero, when the only goal is to get my website server up and running again 😅)

Thanks for the info 🙏
#3
Quote from: meyergru on November 11, 2025, 09:19:41 PM
That looks fine. You do not need to separate cloudflared from nginx, but it does not hurt, either.

IDK if TN directly supports docker containers, if so, keep in mind that true VMs provide a better isolation than lightweight containers, like Docker, LXC or their likings.


This was the message I wanted to read! The Jedi is happy = then I am more than happy! 🙏

I think it's starting to make a little sense now. I hope.

What I am doing (in theory) is creating separated roads to all my apps in TN. And to get on to those roads from WAN I have OPNsense as a block/pass for specific types of traffic I allow. But I will use cloudflared to not open any roads, instead some magic to jump the blockade and then pass that traffic to nginx with a small port rule so that nginx can direct traffic to other apps or network addresses. These nginx "side roads" to other servers or apps etc. will be opened with rules in OPNsense.

Have I summarized it correctly? 🤔 (I write like this to see if I understand it or if I have broken logic)
#4
Please don't give up on me yet. I made another solution and want to check if it's as safe.

I have made VLANs in opnsense for:
VLAN30: Truenas UI
VLAN40: Truenas Nginx
VLAN50: Truenas Cloudflared

I then make the same VLANs in Truenas scale.

On top of that I make bridges for the apps.

For example, the only firewall rule for VLAN30 (TN UI): I block everything except my LAN net to my specific TN IP and port 80 (HTTP, just for now) on that VLAN (as of now testing; I will lock it down more when I am done).

If I understand this correctly, I have this way segmented my network down to each app. So if someone hacks nginx they will be on their own subnet/VLAN, even bridge in TN. And in TN they are in a container/docker(?).

No traffic between except what is needed. For example Cloudflared VLAN will allow port 80/443 to talk to Nginx VLAN.

Would this be good practice, or have I totally misunderstood the assignment? I have been googling and talking to Gemini about different options, and this was proposed as the most secure, with the most layers to segment (and to hack, if someone were to do that).

PS. I just tested the firewall rule. If I use my laptop on LAN and try to access the TN UI, I can only get to it with the HTTP IP. If I try to use HTTPS it's blocked. If I also deactivate the rule I can't access the TN at all. So it seems the rule is working as it should. The only issue I read is that OPNsense automatically allows traffic back for each rule = not sure if it's bad practice or something to worry about?
#5
Quote from: meyergru on November 10, 2025, 09:41:36 PM
No, think about how the traffic is passing. Draw a picture if you need to.

The correct steps are:

1. Create a VM in your TrueNAS server that is connected to a TN VLAN interface only (the DMZ interface).
2. Create that DMZ VLAN in your OpnSense as well and isolate it from your normal LAN. Give it internet access.
3. Install your nginx reverse proxy and your application on this VM.
4. Install the cloudflare client in the same VM and connect that to the Cloudflare console endpoint.

That way, someone who connects to your Cloudflare endpoint is tunneled through to your VM and your VM only. Should your application get hacked, he is still only within the DMZ, without any chance to break into your LAN.

That would be the case if the cloudflare client is installed on any machine (VM or physical) that is in your LAN, like if you install it on TN itself.

And just to be clear: OpnSense has (nearly) no say in this - apart from that it allows the VM to access the internet (and Cloudflare's cloud alongside) and that it isolates your LAN from your DMZ.


Oh my. I missed the VM detail, thought it was optional.

Thanks for the clear instructions.

How much computer capacity does that VM need?
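The segmentation in post #4 (per-app VLANs behind a default-deny policy, and the PS asking whether OPNsense "automatically allowing traffic back" is a problem) and the DMZ steps in post #5 (a VM on an isolated DMZ VLAN that can reach the internet but not the LAN) can both be reasoned about with a small stateful-firewall model. The block below is an added example, not code from this thread or from OPNsense; the zone subnets, the TrueNAS UI address 10.0.30.10, the ports and the first-match rule order are constructed assumptions. It shows why reply packets pass (they belong to a state created by an allowed first packet) while a brand-new connection started from the other side still hits the default block.

```python
"""Added example (not from the thread or OPNsense): a toy stateful firewall.

It models the two designs discussed above with an ordered, first-match,
default-deny rule list plus a state table for allowed connections.
All subnets, hosts and ports are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    src: str           # source network (CIDR)
    dst: str           # destination network (CIDR)
    proto: str         # "tcp", "udp" or "any"
    dports: tuple      # destination ports; () means any port


# Constructed zone layout: post #4's per-app VLANs plus post #5's DMZ VLAN.
ZONES = {
    "LAN": "192.168.1.0/24",
    "VLAN30_TNUI": "10.0.30.0/24",
    "VLAN40_NGINX": "10.0.40.0/24",
    "VLAN50_CLOUDFLARED": "10.0.50.0/24",
    "DMZ_VM": "10.0.60.0/24",
}
TN_UI_IP = "10.0.30.10"   # assumed TrueNAS UI address on VLAN30
ANY = "0.0.0.0/0"

RULES = [
    # post #4: LAN may reach the TrueNAS UI on port 80 only
    Rule("pass", ZONES["LAN"], f"{TN_UI_IP}/32", "tcp", (80,)),
    # post #4: the cloudflared VLAN may talk to the nginx VLAN on 80/443
    Rule("pass", ZONES["VLAN50_CLOUDFLARED"], ZONES["VLAN40_NGINX"], "tcp", (80, 443)),
    # post #5 step 2: the DMZ VM is cut off from every internal zone ...
    *[Rule("block", ZONES["DMZ_VM"], net, "any", ())
      for name, net in ZONES.items() if name != "DMZ_VM"],
    # ... but may reach the internet (and so Cloudflare's edge)
    Rule("pass", ZONES["DMZ_VM"], ANY, "any", ()),
    # everything not listed above falls through to the default block
]


def matches(rule, src, dst, proto, dport):
    """True if the packet's addresses, protocol and port fit the rule."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and (not rule.dports or dport in rule.dports))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # 5-tuples of connections that were allowed

    def packet(self, src, sport, dst, dport, proto="tcp"):
        """Evaluate one packet; returns the verdict as a string."""
        key = (src, sport, dst, dport, proto)
        reverse = (dst, dport, src, sport, proto)
        # Packets of an existing connection (either direction) pass on state.
        if key in self.states or reverse in self.states:
            return "pass (state)"
        # Otherwise this is a new connection: the first matching rule wins.
        for rule in self.rules:
            if matches(rule, src, dst, proto, dport):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action
        return "block (default)"


def demo():
    """Send constructed flows through the policy and collect the verdicts."""
    fw = StatefulFirewall(RULES)
    laptop, cfd, nginx, dmz_vm, internet = ("192.168.1.20", "10.0.50.5",
                                             "10.0.40.5", "10.0.60.5", "198.51.100.7")
    return {
        "lan_to_tnui_http": fw.packet(laptop, 50000, TN_UI_IP, 80),
        "lan_to_tnui_https": fw.packet(laptop, 50001, TN_UI_IP, 443),
        # reply of the allowed HTTP connection, travelling TN -> LAN
        "tnui_reply_to_lan": fw.packet(TN_UI_IP, 80, laptop, 50000),
        # a brand-new connection from the TN UI VLAN towards the LAN
        "tnui_new_to_lan": fw.packet(TN_UI_IP, 40000, laptop, 445),
        "cloudflared_to_nginx_https": fw.packet(cfd, 50002, nginx, 443),
        "nginx_new_to_cloudflared": fw.packet(nginx, 50003, cfd, 443),
        "dmz_vm_to_internet": fw.packet(dmz_vm, 50004, internet, 443),
        "dmz_vm_to_lan_smb": fw.packet(dmz_vm, 50005, laptop, 445),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:28} {verdict}")
```

Running `demo()` gives "pass (state)" for the TrueNAS UI's reply packet but "block (default)" for a fresh connection from the same host towards the LAN. That is the distinction behind the PS in post #4: a stateful firewall keeps a table of allowed connections and lets their replies through, which is not the same as a pass rule in the reverse direction, so the segmented VLAN still cannot initiate anything into the LAN.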
#6
Quote from: Patrick M. Hausen on November 10, 2025, 09:32:33 PM
Quote from: flamur on November 10, 2025, 09:30:24 PM
Can I use the tunnel for nginx proxy manager and nextcloud app in my truenas scale server?

Of course. That is the idea.

aha! Thanks for clarifying 🙂

I will give this some sleep and try to find some guide on nginx behind opnsense before posting more here.

There has to be something on Google 😇

Sorry for all the posts. I think this is fun, but so many details, and I don't want any obvious holes in the security. So slow and steady.
#7
Quote from: meyergru on November 10, 2025, 07:34:57 PM
I already warned to expose unhardened web UIs in post #5, I think.

As for the setup: It is almost surely not what I suggested. You talked about an application behind an nginx reverse proxy that runs on a VM under TrueNAS on a DMZ network and I meant to have the cloudflare tunnel running on that same DMZ VM. Now it seems you are running the cloudflared on TrueNAS itself, which has access to your LAN (or so I presume).

As Patrick says, anyone who can use the Cloudflare endpoint can try to hack the connected application(s) behind the tunnel.
This is just as insecure as opening a port on the firewall itself. The only benefit is that Cloudflare first takes attack attempts before they hit you. However, it does little more than any other reverse proxy would do. When you open up a web app, you open it up to essentially anything.

If these apps are running in your LAN and not in an isolated DMZ, it can be problematic. You will have to take special care to not expose unhardened apps. Nextcloud should be fine, however, if there ever was a vulnerability, I would still like to have it in my DMZ if possible.

That being said, you do not need anything like this in order to expose Plex - it has its own means (i.e. tunnel) to enable remote access.


I thought the cloudflared tunnel app would be the road in to my network. Misunderstood what you meant.

My TrueNAS is within its own interface and subnet with firewall rules to only allow DNS and internet out. All other internal networks are blocked. So I guess this is a DMZ 🤷‍♂️

The same setup has been made for my website server.

But I can't figure out how to direct traffic from WAN to my two servers. Mainly a problem since I use different domains for my apps: nextcloud.mydomain.com, www.mydomain.com (would be my website server).

That's where I thought I should use nginx proxy manager. This worked well with my Asus router by just port forwarding some ports. This is another level... however, thus far fun to learn. Even if I make some stupid errors, as with the exposure of the TrueNAS GUI 😬 (thanks for correcting that! 🙏🏼)
#8
Quote from: Patrick M. Hausen on November 10, 2025, 07:24:49 PM
What exactly are you exposing to the world via a domain name? Don't do this with the TrueNAS UI or the file sharing services. These are not hardened and will get hacked sooner than you might think.

You can safely expose a hardened Internet safe application in a VM via cloudflare like this. Or an app on TrueNAS that is supposed to be run that way, like e.g. Nextcloud.

Don't ever open your TrueNAS itself to the world. Please.

Oh no. It was the GUI of the truenas.

Back to the drawing board 😞

I don't get how to make this work and be safe.

Can I use the tunnel for nginx proxy manager and nextcloud app in my truenas scale server? 🤔

I still can't understand how I will get the website server to get internet access and traffic directed to it behind my firewall with OPNsense. What am I missing in this?
#9
Ok sorry to spam this forum. I AM HAPPY AS A CHILD ON CHRISTMAS!

I set up cloudflared on my TrueNAS. Put it behind my firewall. And after some headaches I can now reach it with a domain name from a computer elsewhere. Perhaps not the most secure setup for the future, just want to get it started to reach it to keep configuring nginx etc.

But Cloudflare Tunnel is really nice. And I don't need any ports. Not sure how it works that the firewall allows this traffic since it should block everything - but I hope this is supposed to work like this.

If I understand the guides correctly I can set up all my traffic through cloudflare for nextcloud, nginx and plex using this method. No ports needed and my IP is "hidden" for the outside world which seems really neat.

To think they give this for free is so nice, and your help guiding in this is soo soo appreciated, you can't believe it! :) Sorry there is no like button or something.

The quest continues to make this work for my website server... still have not got my head around that next step. Since it's another interface and server, which does not have this neat cloudflared app installed 🤔🤷‍♂️ Is it just for me to use nginx as I did before perhaps and add some firewall rule to allow traffic between the interfaces/subnets? 🤔
#10
Quote from: meyergru on November 10, 2025, 02:34:19 PM
Quote from: flamur on November 10, 2025, 02:10:24 PM
But perhaps I don't need the nginx app in TrueNAS Scale anymore if OPNsense can direct the traffic locally instead? 🤔

The Cloudflare daemon would then run on this VM, as well as your Nginx.


Many thanks for your patience and help. I read, but sometimes it flies over my head WHAT I read 😅

I see now you mean cloudflare in another way than I had it before. I will google and see if I can get that up and running before going further.

I will also investigate how to get the VLAN solution to work on my truenas scale server.

I will re-plan my work and start with getting my TrueNAS Scale up and running on the new network. Thought I could leave it running on the Asus router while setting up everything else 😇

I think it's just a big overload of new concepts and stuff I have never heard of or done, so it takes a lot of time to process it 😊
#11
I liked this solution, but I think I might not understand what I am reading.

Quote
For this to work, you must set up:

1. A working separate DMZ VLAN which can access the internet. You place your web server in that DMZ.
2. Cloudflare reverse proxy with certificates.

1. This is done I think. I have my webserver on a separate interface and its own subnet with locked down firewall rules to only access internet and not locally within my network.
2. I have a cloudflare account for my domainname. on there I previously set up cloudflare to handle my domain, and point to my own IP in the DNS records. I also added ssl with strict setting. And used the certificate and put it into the Nginx app.

But perhaps I don't need the nginx app in TrueNAS Scale anymore if OPNsense can direct the traffic locally instead? 🤔
#12
I wonder if my novice level might be forgotten here.

I don't know how to trunk my ports. I will google though. But is this needed for my purpose? It feels like I am going a bit too far over my head atm.

Or can the firewall rules be setup so that they separate my apps from the local storage instead of VLANs? 🤔

I only have this on my TN server:
1) nginx to proxy traffic from cloudflare, so that my website server works. Also proxy for nextcloud (cloudstorage) and plex server.
2) I have plex server app for movies
3) Nextcloud app for cloud storage
4) Some locally shared storage to make a central storage for my data

I guess I need to expose 1-3 to the internet. And to do that as locked down as possible. That's why I use Cloudflare to handle my domain name and point traffic to my router. And only open the ports they need out to WAN.

Nr4 I understand should run on LAN somehow not exposed to the internet as the rest.

So do I need to put in more reading on the Trunk solution to get VLANs up or is it as good to use firewall rules (if its even possible)?

Also please note my TN server only has one NIC.
#13
Quote from: meyergru on November 10, 2025, 12:48:58 PM
Of course it does. Opening any port from outside to your internal network can compromise your security. We discussed just that here, didn't we?

When you open a port to any application, you will give the whole internet the opportunity to scan for the application and probe it for security flaws, like OWASP vulnerabilities. For that, attackers do not even need to individually probe that application. If they can probe for fingerprints (i.e. application type and version) and find them in one of the widely available hacking databases, they're in.

And if there is no vulnerability yet, they can store the found fingerprints obtained into Shodan et al., where attackers can look them up later to direct their future attacks directly at targets, once a new vulnerability becomes known. Of course, this is worse with IPv4 than with IPv6 and also worse with fixed IPs.

That is why you want to place your applications into an isolated network zone (DMZ).


Many thanks my network Jedi 🙏

I am all over the place to read and learn, I am still in padawan mode 😉
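The probing meyergru describes in post #13 is visible from the defender's side in the reverse proxy's access log: one client walking through URLs that do not exist, producing many distinct 404s within seconds. The block below is an added example, not code from the thread or from nginx; it parses constructed log lines in nginx's default "combined" format and flags clients that hit at least a threshold number of different missing paths inside a short window. The client addresses, paths and thresholds are constructed assumptions to tune for a real site.

```python
"""Added example (not from the thread): spot probing bursts in nginx access logs.

A client that requests many different non-existent URLs in a short time is
the usual trace of application fingerprinting. The log lines are constructed
(documentation IP ranges), in nginx's default 'combined' log format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Fields of the 'combined' format we need: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample: one normal visitor, one fast walker, one slow walker.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Nov/2025:13:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2025:13:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2025:13:00:10 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.4 - - [10/Nov/2025:13:00:11 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.4 - - [10/Nov/2025:13:00:12 +0000] "GET /config/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.4 - - [10/Nov/2025:13:00:13 +0000] "GET /setup/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.4 - - [10/Nov/2025:13:00:14 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "scanner/1.0"
192.0.2.77 - - [10/Nov/2025:13:00:00 +0000] "GET /a HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.77 - - [10/Nov/2025:13:02:00 +0000] "GET /b HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.77 - - [10/Nov/2025:13:04:00 +0000] "GET /c HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.77 - - [10/Nov/2025:13:06:00 +0000] "GET /d HTTP/1.1" 404 153 "-" "curl/8.0"
"""


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def find_probing_clients(lines, window_s=60, min_distinct_404=4):
    """Flag clients that request >= min_distinct_404 different missing paths
    inside any window_s-second window. Returns {ip: sorted list of 404 paths}."""
    not_found = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 404:
            ip, ts, path, _ = rec
            not_found[ip].append((ts, path))

    flagged = {}
    for ip, events in not_found.items():
        events.sort()
        # Slide a window starting at each 404 and count distinct paths in it.
        for i, (start, _) in enumerate(events):
            in_window = {p for t, p in events[i:]
                         if (t - start).total_seconds() <= window_s}
            if len(in_window) >= min_distinct_404:
                flagged[ip] = sorted({p for _, p in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_probing_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(paths)} distinct missing paths, e.g. {paths[:3]}")
```

On the sample only 198.51.100.4 is flagged: the normal visitor has a single 404 and the slow client spreads its four misses over six minutes, so no 60-second window holds enough of them. In the DMZ design from this thread, this log lives on the nginx VM in front of the apps, which is the natural place to watch for such bursts; keeping version strings out of responses (nginx's `server_tokens off;` directive) also reduces what a successful fingerprinting pass learns.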
#14
As a total novice into networks I just need to get confirmation.

Is it safe/good practice to follow this?

My whole idea to start building a serious network at home is to be more secure than on my old asus consumer router (which was a breeze to handle) now that I want to host my websites at home.

Would the first post's solution compromise my security somehow?
#15
Quote from: meyergru on November 10, 2025, 10:50:54 AM
W/r to your TrueNAS server: It would be better if you separated the file server (LAN) from the application server (DMZ). That way, you could confine the application (which might get hacked) to a subset of your data (i.e. the part that you give access to). For this, you would need a firewall rule to allow file access and hope that the authorisation cannot be circumvented.

Can I separate my server if I only have one ethernet port on the TrueNAS server? I thought I read endpoints can't handle tagged VLANs. Or how would I do that? 🤔