Samba file server on Opnsense box ?

[madbrain]

I am interested in running a Samba server on my Opnsense box. I see that Samba has been ported to FreeBSD.
However, there is no Samba Opensense plug-in for this.

Google searches found several discussions about both pfSense and Opnsense, and this was generally discouraged for security reasons. Some recommend virtualization software to run Opnsense and a file server under different VMs. I'm skeptical that the performance will be acceptable. My system has a requirement to handle multi-gig speeds. I built it for that purpose. Virtualization likely would reduce the speed too much. I'd like to file server to support multi-gig speeds too, so it's not just an inexpensive matter to build another physical system as a file server, not to mention all the additional watts that entails.

Is there any solution for someone looking to run a file server bare metal on the same host as Opnsense ?

[yourfriendarmando]

There is a good point somewhere in the docs, or discussion forum, that you don't want this firewall to be an everything server. It is meant to stay busy moving packets your want in and out of interfaces. There are the openNAS projects, I'm looking to try to see the power of ZFS under its hood. The Synology systems use really lightweight ARM based Linux and their newest seem to allow use of BTRFS for snapshots. Hopefully a server appliance doing just file serving should be a green solution, and keep security higher

[Gauss23]

I would at least try the virtualization way, before installing stuff on a box which is not meant to be there. Every big upgrade can break your custom software as OPNsense does not care about it.

Installing a basic Proxmox system is very easy. Use a new hard disk, so your current installation can stay as it is.

Then install OPNsense and check how much of bandwidth drop you get.

Or just use a dedicated NAS for storage like a Synology.

[madbrain]

There is a good point somewhere in the docs, or discussion forum, that you don't want this firewall to be an everything server. It is meant to stay busy moving packets your want in and out of interfaces. There are the openNAS projects, I'm looking to try to see the power of ZFS under its hood. The Synology systems use really lightweight ARM based Linux and their newest seem to allow use of BTRFS for snapshots. Hopefully a server appliance doing just file serving should be a green solution, and keep security higher
[/quote

I posted a lengthy reply earlier today, but it looks like it disappeared.

It seems the developers/doc writers don't want this firewall to be a file server. I, personally, very much want it to be.

A standalone NAS is by definition going to consume much more than just the wattage of additional SSDs on my pfsense box.

I do have a standalone (custom built) NAS already, but it idles at 100W, has 5 case fans, 8 platter disks of 14TB each, a GPU for transcoding, etc. Which is why it's not on 24/7 . It's using Ubuntu with ZFS RAID-Z2.

By comparison, my pfSense box is 100% silent (not even a CPU or PSU fan, and zero case fan) and idles at 37W with two SSDs (ZFS mirror). Each additional SATA SSD would add perhaps one watt, probably less. There are 6 SATA ports on the motherboard, and I have 3 more SSDs on hand I could plug in. Also two M2 slots. I believe I thus could add 6 SSDs with fairly minimal idle wattage increase. There are also 5 free PCIe slots that could take M2 PCIe cards. Of course that would entail more watts, possibly hitting limits of passive cooling. In any case, I do need software to make use of all those SSDs and share them through the LAN interface. I would very much prefer to do it bare metal, not through virtualization.

[madbrain]

I would at least try the virtualization way, before installing stuff on a box which is not meant to be there. Every big upgrade can break your custom software as OPNsense does not care about it.

Good point. However, Samba isn't necessarily that complex to setup again, if the config is lost. I have done it many times on Linux manually. Never on FreeBSD. And not on a box with more than one NIC where I only wanted it to listen on one of them.

Installing a basic Proxmox system is very easy. Use a new hard disk, so your current installation can stay as it is.

Then install OPNsense and check how much of bandwidth drop you get.

Or just use a dedicated NAS for storage like a Synology.

I didn't want my network to go down, so I installed Proxmox under Virtualbox on my Windows PC, just to see how easy it really is. I noticed that it is entirely managed via web interface. How does that work if the router/DHCP server is running as a VM inside Proxmox ? Do I have to configure a static IP address for it ?
This is as far as I went. The web GUI for proxmox was pretty intimidating to me. I have no idea where to go to install an Opensense VM (or Ubuntu or TrueNAS VM for storage). This really seems like a level of complexity and abstraction that's not needed, to me, compared to running Samba bare metal.

[madbrain]

This really seems like a level of complexity and abstraction that's not needed, to me, compared to running Samba bare metal.

I followed a tutorial on youtube on how to set it up. I setup the VM, and put the  Opensense .IMG file in the templates/iso folder . But the VM says the CD-ROM is not bootable, unfortunately. Maybe ISO and IMG formats are different ?

[madbrain]

Gave up on running Proxmox inside Virtualbox. Double virtualization wasn't working reliably.

I installed it bare metal instead, using a very powerful system , AMD Ryzen 5950X with 64GB of RAM, single 10 Gbps Aquantia NIC. This is normally my daily desktop. There is a SATA hotswap bay also, so I used a spare 240GB SATA SSD for this test.

I still couldn't boot Opensense. Apparently I had the wrong image, I would need a DVD image rather than VGA I got. With just one NIC, I wouldn't learn too much about the performance, though.

I tried Windows and Linux clients. Windows managed 700 Mbps in Ookla speedtest in Firefox. About 1.3 Gbps with single stream in iperf3. Up to about 4.3 Gbps with multiple streams. I could only test unidirectional, I didn't have the proper Windows iperf3 binary that does bidir. I would have needed to reboot to my bare metal Windows partition to get the binary I compiled ...

OTOH, Linux (Ubuntu 22) achieved very good networking performance, 18 Gbps total in bidir mode. This was just for iperf3 though. No routing or firewall duties. And with two NICs that total is doubled, and that total (36 Gbps) is something my lowly 5700G handles fine without the virtualization in the picture with bare metal Opnsense.

I suppose there is no way for me to tell what the performance overhead will be without trying it on the actual hardware in question, with the proper config and the actual NICs.

[mimugmail]

I added Samba to my community repo some time ago, but it's only the pkg (untested) and no plugin.
Maybe it works out of the box ...

https://www.routerperformance.net/opnsense-repo/

[madbrain]

Thank you very much for this ! I'll take a look.

[madbrain]

Thank you very much for this ! I'll take a look.

I enabled SSH on the firewall and ran the "fetch" command.
fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
I still don't see any new packages or plug-ins in the UI. Do I need a reboot ?

What's the name of the samba package ? I tried "pkg install samba" and "pkg install smbd" , but those did not work .

[y0y0y0]

forgive me for saying this..but i do think you are on thin ice  with this project of yours
let just keep it a firewall, your life will be easier

pkg search samba
samba413-4.13.17_4             Free SMB/CIFS and AD/DC server and client for Unix

[chemlud]

It's as always in life: The answer pretty much depends on your threat model. So if you are a home user and don't care for attackers walking in and out via vulnerabilities in your firewall: simply go ahead with samba on your firewall.

Otherwise: Choose the services running on your firewall carefully and invest some time (and brain power) in making your firewall somewhat safe. If you are Mr. Snowden or alike your digital life will be rather complicated, anyways...

[mimugmail]

Thank you very much for this ! I'll take a look.

First run pkg update

[meyergru]

It's as always in life: The answer pretty much depends on your threat model. So if you are a home user and don't care for attackers walking in and out via vulnerabilities in your firewall: simply go ahead with samba on your firewall.

Then again: if that is your scenario, why use a complex firewall like OpnSense at all?