Samba file server on OPNsense box?

Started by madbrain, March 27, 2023, 04:28:44 AM

I am interested in running a Samba server on my OPNsense box. I see that Samba has been ported to FreeBSD.
However, there is no Samba OPNsense plug-in for this.

Google searches found several discussions about both pfSense and OPNsense, and this was generally discouraged for security reasons. Some recommend virtualization software to run OPNsense and a file server under different VMs. I'm skeptical that the performance will be acceptable. My system has a requirement to handle multi-gig speeds. I built it for that purpose. Virtualization likely would reduce the speed too much. I'd like the file server to support multi-gig speeds too, so it's not just an inexpensive matter to build another physical system as a file server, not to mention all the additional watts that entails.

Is there any solution for someone looking to run a file server bare metal on the same host as OPNsense?

There is a good point somewhere in the docs, or discussion forum, that you don't want this firewall to be an everything server. It is meant to stay busy moving packets you want in and out of interfaces. There are the openNAS projects; I'm looking to try to see the power of ZFS under its hood. The Synology systems use really lightweight ARM-based Linux and their newest seem to allow use of BTRFS for snapshots. Hopefully a server appliance doing just file serving should be a green solution, and keep security higher.

I would at least try the virtualization way, before installing stuff on a box which is not meant to be there. Every big upgrade can break your custom software as OPNsense does not care about it.

Installing a basic Proxmox system is very easy. Use a new hard disk, so your current installation can stay as it is.

Then install OPNsense and check how much of bandwidth drop you get.

Or just use a dedicated NAS for storage like a Synology.
"The S in IoT stands for Security!" :)

Quote from: yourfriendarmando on March 28, 2023, 03:44:14 PM
There is a good point somewhere in the docs, or discussion forum, that you don't want this firewall to be an everything server. It is meant to stay busy moving packets you want in and out of interfaces. There are the openNAS projects; I'm looking to try to see the power of ZFS under its hood. The Synology systems use really lightweight ARM-based Linux and their newest seem to allow use of BTRFS for snapshots. Hopefully a server appliance doing just file serving should be a green solution, and keep security higher.

I posted a lengthy reply earlier today, but it looks like it disappeared.

It seems the developers/doc writers don't want this firewall to be a file server. I, personally, very much want it to be.

A standalone NAS is by definition going to consume much more than just the wattage of additional SSDs on my pfsense box.

I do have a standalone (custom-built) NAS already, but it idles at 100W, has 5 case fans, 8 platter disks of 14TB each, a GPU for transcoding, etc. Which is why it's not on 24/7. It's using Ubuntu with ZFS RAID-Z2.

By comparison, my pfSense box is 100% silent (not even a CPU or PSU fan, and zero case fan) and idles at 37W with two SSDs (ZFS mirror). Each additional SATA SSD would add perhaps one watt, probably less. There are 6 SATA ports on the motherboard, and I have 3 more SSDs on hand I could plug in. Also two M2 slots. I believe I thus could add 6 SSDs with fairly minimal idle wattage increase. There are also 5 free PCIe slots that could take M2 PCIe cards. Of course that would entail more watts, possibly hitting limits of passive cooling. In any case, I do need software to make use of all those SSDs and share them through the LAN interface. I would very much prefer to do it bare metal, not through virtualization.

Quote from: Gauss23 on March 28, 2023, 06:24:55 PM
I would at least try the virtualization way, before installing stuff on a box which is not meant to be there. Every big upgrade can break your custom software as OPNsense does not care about it.

Good point. However, Samba isn't necessarily that complex to set up again, if the config is lost. I have done it many times on Linux manually. Never on FreeBSD. And not on a box with more than one NIC where I only wanted it to listen on one of them.

Quote
Installing a basic Proxmox system is very easy. Use a new hard disk, so your current installation can stay as it is.

Then install OPNsense and check how much of bandwidth drop you get.

Or just use a dedicated NAS for storage like a Synology.

I didn't want my network to go down, so I installed Proxmox under VirtualBox on my Windows PC, just to see how easy it really is. I noticed that it is entirely managed via web interface. How does that work if the router/DHCP server is running as a VM inside Proxmox? Do I have to configure a static IP address for it?
This is as far as I went. The web GUI for Proxmox was pretty intimidating to me. I have no idea where to go to install an OPNsense VM (or Ubuntu or TrueNAS VM for storage). This really seems like a level of complexity and abstraction that's not needed, to me, compared to running Samba bare metal.

Quote from: madbrain on March 29, 2023, 01:58:28 AM
This really seems like a level of complexity and abstraction that's not needed, to me, compared to running Samba bare metal.

I followed a tutorial on YouTube on how to set it up. I set up the VM, and put the OPNsense .img file in the templates/iso folder. But the VM says the CD-ROM is not bootable, unfortunately. Maybe ISO and IMG formats are different?

Gave up on running Proxmox inside VirtualBox. Double virtualization wasn't working reliably.

I installed it bare metal instead, using a very powerful system, AMD Ryzen 5950X with 64GB of RAM, single 10 Gbps Aquantia NIC. This is normally my daily desktop. There is a SATA hot-swap bay also, so I used a spare 240GB SATA SSD for this test.

I still couldn't boot OPNsense. Apparently I had the wrong image; I would need a DVD image rather than the VGA one I got. With just one NIC, I wouldn't learn too much about the performance, though.

I tried Windows and Linux clients. Windows managed 700 Mbps in Ookla speedtest in Firefox. About 1.3 Gbps with single stream in iperf3. Up to about 4.3 Gbps with multiple streams. I could only test unidirectional, I didn't have the proper Windows iperf3 binary that does bidir. I would have needed to reboot to my bare metal Windows partition to get the binary I compiled ...

OTOH, Linux (Ubuntu 22) achieved very good networking performance, 18 Gbps total in bidir mode. This was just for iperf3 though. No routing or firewall duties. And with two NICs that total is doubled, and that total (36 Gbps) is something my lowly 5700G handles fine without the virtualization in the picture with bare-metal OPNsense.

I suppose there is no way for me to tell what the performance overhead will be without trying it on the actual hardware in question, with the proper config and the actual NICs.

I added Samba to my community repo some time ago, but it's only the pkg (untested) and no plugin.
Maybe it works out of the box ...

https://www.routerperformance.net/opnsense-repo/

Thank you very much for this ! I'll take a look.

Quote from: madbrain on March 30, 2023, 04:09:20 AM
Thank you very much for this ! I'll take a look.

I enabled SSH on the firewall and ran the "fetch" command.
fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
I still don't see any new packages or plug-ins in the UI. Do I need a reboot?

What's the name of the Samba package? I tried "pkg install samba" and "pkg install smbd", but those did not work.

Forgive me for saying this, but I do think you are on thin ice with this project of yours.
Let's just keep it a firewall; your life will be easier ;)

pkg search samba
samba413-4.13.17_4             Free SMB/CIFS and AD/DC server and client for Unix
primary - HP 290-p0043w - 9600/32gb
secondary - qotom 7500u
on the shelf HP-730
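Two things the thread leaves open are how to make Samba listen on the LAN NIC only (madbrain's concern about a box with more than one NIC) and how to check afterwards that it really does. The script below is an added example for this thread, not code from the forum posts, the OPNsense project or the samba413 port. It assumes the FreeBSD package's config lives at /usr/local/etc/smb4.conf, that the rc script is named samba_server, that the LAN interface is igb1 with address 192.168.1.1/24, and that a ZFS dataset is mounted at /tank/share; those names are placeholders, not taken from the posts. The `sockstat -4l` output it parses is constructed for the example, not captured from a real firewall.

```shell
#!/bin/sh
# Added example for this thread; not code from the forum posts or from the
# OPNsense / Samba projects. Assumed names: samba413 from the community repo
# with its config at /usr/local/etc/smb4.conf, rc script samba_server,
# LAN interface igb1 = 192.168.1.1/24, ZFS dataset at /tank/share.

LAN_IF="igb1"
LAN_ADDR="192.168.1.1"
LAN_NET="192.168.1.0/24"

# Print a minimal smb4.conf that answers the "only listen on one NIC" question:
# bind to the LAN interface only, reject everything else, SMB3 with encryption.
gen_smb_conf() {
    lan_if="$1"; lan_net="$2"
    cat <<EOF
[global]
    workgroup = WORKGROUP
    server string = OPNsense file server
    # Listen on the LAN NIC (plus loopback for local tools), never on WAN
    bind interfaces only = yes
    interfaces = lo0 $lan_if
    # Second line of defence, independent of the firewall rules
    hosts allow = 127.0.0.1 $lan_net
    hosts deny = ALL
    # No NetBIOS/nmbd, no legacy dialects, no anonymous access
    disable netbios = yes
    server min protocol = SMB3
    server signing = mandatory
    smb encrypt = required
    map to guest = Never
    restrict anonymous = 2
    log level = 1

[ssdpool]
    path = /tank/share
    valid users = @smbusers
    read only = no
    create mask = 0660
    directory mask = 0770
EOF
}

# Read `sockstat -4l` output on stdin; fail (exit 1) and name the socket if any
# smbd TCP listener is bound to anything but the LAN address, e.g. wildcard *:445.
check_smbd_bind() {
    lan="$1"
    awk -v lan="$lan" '
        $2 == "smbd" && $5 ~ /^tcp/ {
            n = split($6, a, ":")      # LOCAL ADDRESS column is addr:port
            if (a[1] != lan) {
                printf("smbd listening on %s:%s, expected %s only\n", a[1], a[n], lan)
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sockstat -4l output (not from a real box): one smbd with a stray
# wildcard bind, and one bound correctly.
SOCKSTAT_BAD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       1234  30 tcp4   192.168.1.1:445       *:*
root     smbd       1234  31 tcp4   *:445                 *:*
root     sshd       777   4  tcp4   192.168.1.1:22        *:*'
SOCKSTAT_GOOD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       1234  30 tcp4   192.168.1.1:445       *:*'

# On the firewall itself the workflow would be (shown as comments, not run here):
#   pkg install samba413
#   gen_smb_conf "$LAN_IF" "$LAN_NET" > /usr/local/etc/smb4.conf
#   testparm -s /usr/local/etc/smb4.conf
#   sysrc samba_server_enable=YES && service samba_server start
#   sockstat -4l | check_smbd_bind "$LAN_ADDR"
```

The `interfaces` / `bind interfaces only` pair is what keeps smbd off the WAN socket; `hosts allow` is a belt-and-braces control in case an interface is renamed after an upgrade, which is exactly the kind of breakage Gauss23 warns about. A pass-rule on LAN to "This Firewall" for TCP 445 is still needed in the OPNsense GUI, and the `sockstat` check is worth re-running after every OPNsense upgrade since a regenerated config can silently drop the binding restriction.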

March 30, 2023, 09:34:18 AM #11 Last Edit: March 30, 2023, 09:47:51 AM by chemlud
It's as always in life: The answer pretty much depends on your threat model. So if you are a home user and don't care for attackers walking in and out via vulnerabilities in your firewall: simply go ahead with samba on your firewall.

Otherwise: Choose the services running on your firewall carefully and invest some time (and brain power) in making your firewall somewhat safe. If you are Mr. Snowden or the like, your digital life will be rather complicated anyway...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....


Quote from: chemlud on March 30, 2023, 09:34:18 AM
It's as always in life: The answer pretty much depends on your threat model. So if you are a home user and don't care for attackers walking in and out via vulnerabilities in your firewall: simply go ahead with samba on your firewall.

Then again: if that is your scenario, why use a complex firewall like OPNsense at all?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A