unRAID in a colo - security dilemmas


itsrumsey


I have been paying $125 a month for Charter Business internet for over 3 years now for a paltry 100/7 connection and due to 4 outages in the last month, have decided I have had it.

 

I want to move my server to a colo and have been shopping around for deals.  The problem is the only decent ones I can find are 1U-4U and my server itself is in a 4U chassis, which means no room to bring my own firewall.

 

I've been thinking it through and best as I can figure there are two options:

  • run ESXi or similar on the metal and virtualize my unRAID installation, then run pfSense in another VM
  • run pfSense in a VM under unRAID, using another NIC and passthrough

 

If I choose the latter I feel like I am in for quite the challenge, as you could categorize my linux/unix confidence as firmly in "beginner".  Conversely, if I go for option 1 I am not sure how difficult it would be to virtualize my existing unRAID configuration.

 

Maybe someone who has done it (or has knowledge how) could comment, but the way I see running pfSense within unRAID I'd need to utilize the dual NIC on my motherboard as well as purchase another dual NIC card to pass through.  We'll call the motherboard NICs eth0 / eth1 and the add-in card pci1 / pci2.  I figure pci1 would accept the publicly open network connection from the colo, pfSense would act as the router / firewall, there would be a crossover cable from pci2 to eth0, eth0 would be the primary incoming NIC for unRAID and would obtain its IP lease etc. from the pfSense VM, and eth1 would be reserved for IPMI management.  Does this sound about right?  Is there any way it could be simplified further?

 

If it is mostly trivial to virtualize my existing unRAID configuration in ESXi, that may be the easier choice since I can do all of this with virtual NICs and won't be researching KVM / linux network configuration for days.


Neither is ideal, but if you had to go with one I would choose running a virtual firewall distro. For grins and giggles I implemented something like this a little while back in a lab with ESXi as the hypervisor and IPfire as the virtual firewall. As someone who works in large scale cloud environments, many of today's cloud based solutions deploy virtual firewalls/appliances to handle networking, so there's no real security issue there, as long as you follow best practices when it comes to networking.

As for the complications of deploying a Linux/Unix based firewall, distros like pfSense, IPfire, Smoothwall take a lot of the complication out of it.  


I recently set up pfSense in a VM on unRAID. It gets an independent/isolated NIC passed through to the VM that is not part of the onboard bridge. It wasn't that bad really. Just have to set a static IP in unRAID since it won't find a DHCP server when it boots. Then set the VM to auto load after the array autostarts. unRAID eventually figures it out.

 

The problem comes if you need to reboot or take the array offline for whatever reason; then you lose your access to the server, since it is remote and needs the pfSense VM. Option 1 might be the better choice? Tough call for an all-in-one solution that is not in the same building.
