itsrumsey

unRAID in a colo - security dilemmas

5 posts in this topic

I have been paying $125 a month for Charter Business internet for over 3 years now for a paltry 100/7 connection and due to 4 outages in the last month, have decided I have had it.


I want to move my server to a colo and have been shopping around for deals. The problem is the only decent ones I can find are 1U-4U, and my server itself is in a 4U chassis, which means no room to bring my own firewall.


I've been thinking it through and best as I can figure there are two options:

  • run ESXi or similar on the metal and virtualize my unRAID installation, then run pfSense in another VM
  • run pfSense in a VM under unRAID, using another NIC and passthrough


If I choose the latter I feel like I am in for quite the challenge, as you could categorize my linux/unix confidence as firmly "beginner". Conversely, if I go for option 1 I am not sure how difficult it would be to virtualize my existing unRAID configuration.


Maybe someone who has done it (or has knowledge of how) could comment, but the way I see running pfSense within unRAID, I'd need to utilize the dual NIC on my motherboard as well as purchase another dual NIC card to pass through. We'll call the motherboard NICs eth0 / eth1 and the add-in card pci1 / pci2. I figure pci1 would accept the publicly open network connection from the colo, pfSense would act as the router / firewall, there would be a crossover cable from pci2 to eth0, eth0 would be the primary incoming NIC for unRAID and would obtain its IP lease etc. from the pfSense VM, and eth1 would be reserved for IPMI management. Does this sound about right? Is there any way it could be simplified further?


If it is mostly trivial to virtualize my existing unRAID configuration in ESXi, that may be the easier choice since I can do all of this with virtual NICs and won't be researching KVM / linux network configuration for days.


Neither is ideal, but if you had to go with one I would choose running a virtual firewall distro. For grins and giggles I implemented something like this a little while back in a lab with ESXi as the hypervisor and IPfire as the virtual firewall. As someone who works in large-scale cloud environments, many of today's cloud-based solutions deploy virtual firewalls/appliances to handle networking, so there's no real security issue there, as long as you follow best practices when it comes to networking.

As for the complications of deploying a Linux/Unix based firewall, distros like pfSense, IPfire, Smoothwall take a lot of the complication out of it.


I recently set up pfSense in a VM on unRAID. It gets an independent/isolated NIC passed through to the VM that is not part of the onboard bridge. It wasn't that bad really. Just have to set a static IP in unRAID since it won't find a DHCP server when it boots. Then set the VM to auto load after the array autostarts. unRAID eventually figures it out.


The problem comes if you need to reboot or take the array offline for whatever reason; then you lose your access to the server since it is remote and needs the pfSense VM. Option 1 might be the better choice? Tough call for an all-in-one solution that is not in the same building.
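The layout in the opening post (WAN port passed through to the pfSense VM, LAN port bridged on the host) and the static-IP and autostart points in the reply above all boil down to a handful of host-side facts that can be checked before anyone drives to the datacenter. The script below is an added example, not from the original thread or from the unRAID project: it verifies that the WAN NIC is bound to vfio-pci (so the host kernel never brings it up facing the colo uplink), that the LAN NIC is a port of the host bridge, that the host has a static address in network.cfg, and that the VM is marked for libvirt autostart. The PCI address `0000:04:00.0`, interface names `eth0`/`br0`, the VM name `pfsense`, and the `USE_DHCP`/`IPADDR` keys in `/boot/config/network.cfg` are assumptions; the `*_ROOT` variables exist so the checks can be exercised against a constructed directory tree instead of the live system.

```shell
#!/bin/bash
# Pre-flight check for the "pfSense VM as the only firewall in front of unRAID" layout.
# Hypothetical names: WAN NIC at PCI 0000:04:00.0 handed to the VM, host LAN NIC eth0
# enslaved to bridge br0, VM named "pfsense". These are assumptions, not thread values.
# The *_ROOT variables default to the live paths but may point at a constructed tree.

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
CONFIG_ROOT="${CONFIG_ROOT:-/boot/config}"
LIBVIRT_ROOT="${LIBVIRT_ROOT:-/etc/libvirt/qemu}"

# wan_is_passed_through PCI_ADDR
# The WAN port must be bound to vfio-pci, so no host interface (and no unRAID web UI
# or SSH listener) ever sits directly on the colo's public uplink.
wan_is_passed_through() {
  local drv="$SYSFS_ROOT/bus/pci/devices/$1/driver"
  [ -e "$drv" ] || return 1
  [ "$(basename "$(readlink -f "$drv")")" = "vfio-pci" ]
}

# iface_is_bridge_port IFACE BRIDGE
# The LAN NIC has to be a port of the host bridge so the VM's LAN side and the host
# share one segment behind the firewall. Bridge ports appear under brif/.
iface_is_bridge_port() {
  [ -e "$SYSFS_ROOT/class/net/$2/brif/$1" ]
}

# host_has_static_ip
# unRAID stores host network settings in network.cfg; USE_DHCP and IPADDR are the
# assumed key names. With DHCP the host would wait on a VM that cannot start until
# the array (and therefore libvirt) is up.
host_has_static_ip() {
  local cfg="$CONFIG_ROOT/network.cfg"
  [ -r "$cfg" ] || return 1
  grep -q '^USE_DHCP="no"' "$cfg" && grep -q '^IPADDR="[0-9.]*"' "$cfg"
}

# vm_autostarts VMNAME
# libvirt marks a domain for autostart with a symlink in qemu/autostart/.
vm_autostarts() {
  [ -L "$LIBVIRT_ROOT/autostart/$1.xml" ] || [ -e "$LIBVIRT_ROOT/autostart/$1.xml" ]
}

# preflight PCI_ADDR LAN_IFACE BRIDGE VMNAME
# Runs every check, prints one line per result, returns 0 only when all pass.
preflight() {
  local rc=0
  if wan_is_passed_through "$1"; then echo "ok   WAN $1 bound to vfio-pci"
  else echo "FAIL WAN $1 not bound to vfio-pci"; rc=1; fi
  if iface_is_bridge_port "$2" "$3"; then echo "ok   $2 is a port of $3"
  else echo "FAIL $2 is not a port of $3"; rc=1; fi
  if host_has_static_ip; then echo "ok   host uses a static address"
  else echo "FAIL host still relies on DHCP"; rc=1; fi
  if vm_autostarts "$4"; then echo "ok   VM $4 set to autostart"
  else echo "FAIL VM $4 will not autostart"; rc=1; fi
  return $rc
}

# Usage on a live box: preflight 0000:04:00.0 eth0 br0 pfsense
```

Run it from the unRAID shell after building the VM but before cutting over; a non-zero exit means one of the four conditions that make remote recovery possible is missing. It does not replace out-of-band access (IPMI on eth1, as proposed above), which is still the only way back in if the VM itself fails to boot.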


Does your server not have any remote management capabilities? IPMI or something like an iDRAC?


Colo is quite a good one; my friend started using it a few months ago and he really likes it. I would also recommend looking at something like fail2ban for security; I was doing some reading about it here. In any case there's a few really good ones to consider.


Copyright © 2005-2017 Lime Technology, Inc. unRAID® is a registered trademark of Lime Technology, Inc.