Unraid 6.3.5 Baremetal with Sophos / Untangle (Router) on a VM



(Wasn't sure whether to put this under the VM section or General, since it's a few pieces. Feel free to move.)

 

Been using unraid for about 10 years now, since 4.2, and want to stretch my legs a bit more.

 

So, I have made the decision that I am ready to move away from standard home routers and the hardware limitations they have as far as ARM CPUs go. I want to start getting into a deeper level of security at home and want to run active IPS, antivirus, anti-malware, etc. on my home's gateway (Sophos or Untangle etc... in router mode).

 

I could install the unit as a standalone unit, but then I have 2 x servers running 24x7, where my standard unraid box already does that. So instead, I was thinking I would install Sophos as a VM on my Unraid primary server.

 

I already have a couple of Intel quad-port gigabit NICs. One I installed last night and activated the ports in "network settings", giving me access to the new br2, 3, 4, and 5 ports, no issues there. So while I think it's technically possible, I am seeing a few "gotchas" I could run into with running my router/gateway as a VM on my unraid box.

 

1. If I have to reboot Unraid, then my VM goes down, and thus my internet gateway and DHCP server go down. Shouldn't be too much of an issue as long as some devices on my network stay up during this, since they should already have a populated ARP table and know where everything "should" be once it comes back online. But in the event all my devices are offline and unraid crashes or has to reboot, then when I turn on my desktop to manage (headless), I won't have an IP to do anything. So I guess I would have to run to the basement and plug in a laptop or something with a crossover cable and a static IP to try and get to the webui? Or just assign my desktop a static IP on the same subnet and voila? (I really like the PCs and other fluff devices in the house to work off of the DHCP pool, and only a few key devices get reserved IPs.)

 

2. If Unraid is the first to start, knowing no gateway (internet) is available, is this an issue as long as my license is already activated and current, or will I have troubles starting my array before internet is up as I would need the array online in order to be able to start a VM (I assume). If it means anything, my VM's reside solely on my SSD cache drive today. No ties to the array disks.

 

3. I assume I could try and mitigate the above issues by setting my array to auto start on boot, and then setting my Sophos VM to auto start as well. But I would still likely end up manually pushing the buttons to bring everything online. Am I missing anything, any other gotchas the community has learned?

 

Any help or advice is appreciated. P.S. I have also considered just running both Unraid and Sophos in separate VMs under ESXi, but wanted to give Unraid bare metal a shot first.

Edited by cybrnook

I just unplugged my server from the router and restarted it. The array did start OK. I thought it may not because I am using an RC unRAID version. I remember a while ago reading that unRAID RCs wouldn't start without internet, but it seems it is okay now. It did take a while for it to start though.

Oh and obviously your server would need a static ip.

 

I am thinking out loud a bit whilst writing this, but for logging into the server from another machine: if you have one, you could use a separate access point with another wifi network on it. Enable a very small DHCP pool on that, but restrict it by MAC address to only the MAC address of your laptop or whatever. Keep the access point switched off. Then if the server goes down you can switch on the access point and log into its wifi; your laptop will get an address on the correct subnet and you can log in.

 

There are a few guys running pfSense in a VM, so what you want to do will be fine. You will need to isolate the quad NIC from unraid and then pass the NIC through to the VM so it's separate.

I was going to build a pfSense VM but got sidetracked setting up 10GbE between my 2 servers, and now I don't have any free PCI slots for another NIC!

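The "isolate the quad NIC, then pass it through" step above has one detail worth checking before rebooting. On Unraid 6.x the isolation is done by adding a `vfio-pci.ids=vendor:device` kernel parameter to the `append` line in /boot/syslinux/syslinux.cfg, and that parameter matches by ID rather than by PCI slot: if the onboard NIC is the same chip as the add-in card, vfio-pci takes it too and Unraid loses its own network. The script below is an added example, not code from this thread or from Unraid. It takes `lspci -nn` output, collects the distinct IDs under the card's slot, builds the append line, and flags any device outside that slot sharing an ID. The two lspci listings, the slot number 01:00 and the default `append initrd=/bzroot` line are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or Unraid): derive the vfio-pci.ids=
# kernel parameter that isolates a quad-port NIC from Unraid so it can be
# passed through to the router VM, and warn when the same vendor:device ID
# also sits on a device that must stay with the host.
#
# Input is `lspci -nn` text. Both listings below are constructed samples.

SAMPLE_LSPCI='00:19.0 Ethernet controller [0200]: Intel Corporation Ethernet Connection I217-LM [8086:153a] (rev 05)
01:00.0 Ethernet controller [0200]: Intel Corporation 82580 Gigabit Network Connection [8086:150e] (rev 01)
01:00.1 Ethernet controller [0200]: Intel Corporation 82580 Gigabit Network Connection [8086:150e] (rev 01)
01:00.2 Ethernet controller [0200]: Intel Corporation 82580 Gigabit Network Connection [8086:150e] (rev 01)
01:00.3 Ethernet controller [0200]: Intel Corporation 82580 Gigabit Network Connection [8086:150e] (rev 01)
02:00.0 SATA controller [0106]: Marvell Technology Group Ltd. 88SE9230 PCIe SATA 6Gb/s Controller [1b4b:9230] (rev 11)'

# Same box, but the onboard NIC is the same chip as the quad-port card (constructed).
SAMPLE_LSPCI_SAME_CHIP='00:19.0 Ethernet controller [0200]: Intel Corporation 82580 Gigabit Network Connection [8086:150e] (rev 01)
01:00.0 Ethernet controller [0200]: Intel Corporation 82580 Gigabit Network Connection [8086:150e] (rev 01)
01:00.1 Ethernet controller [0200]: Intel Corporation 82580 Gigabit Network Connection [8086:150e] (rev 01)'

# ids_for_slot LSPCI_TEXT SLOT
# Distinct [vendor:device] IDs of every function in SLOT (e.g. "01:00" covers
# 01:00.0 .. 01:00.3), comma-joined as vfio-pci.ids= expects.
ids_for_slot() {
    printf '%s\n' "$1" \
      | grep "^$2\." \
      | sed -n 's/.*\[\([0-9a-f]\{4\}:[0-9a-f]\{4\}\)\].*/\1/p' \
      | sort -u \
      | paste -s -d , -
}

# append_line IDS
# The syslinux.cfg append line with the isolation parameter added. The
# "initrd=/bzroot" part is the assumed default Unraid entry.
append_line() {
    printf 'append vfio-pci.ids=%s initrd=/bzroot\n' "$1"
}

# id_conflicts LSPCI_TEXT SLOT
# Prints devices outside SLOT that share an ID with it. Any output means
# vfio-pci.ids would grab those devices as well, so bind by slot instead.
id_conflicts() {
    ids=$(ids_for_slot "$1" "$2" | tr ',' '\n')
    printf '%s\n' "$1" | grep -v "^$2\." | while read -r line; do
        for id in $ids; do
            case "$line" in *"[$id]"*) printf '%s\n' "$line" ;; esac
        done
    done
}

# Stand-alone demo: sh nic_vfio.sh --demo
if [ "${1:-}" = "--demo" ]; then
    ids=$(ids_for_slot "$SAMPLE_LSPCI" 01:00)
    echo "IDs under 01:00: $ids"
    append_line "$ids"
    echo "Conflicts (expect none): $(id_conflicts "$SAMPLE_LSPCI" 01:00)"
    echo "Conflicts with same-chip onboard NIC:"
    id_conflicts "$SAMPLE_LSPCI_SAME_CHIP" 01:00
fi
```

After rebooting with the new append line, `lspci -nnk` should show `Kernel driver in use: vfio-pci` for all four functions of the card and the normal driver for the NIC Unraid keeps. Also check /sys/kernel/iommu_groups/: the four functions normally share one group, and a group has to be handed to the VM whole, so anything else sharing it goes along.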
18 hours ago, gridrunner said:

Thanks for going into some length. I saw Jon's guide on isolating NICs, so that part is fine and seems straightforward enough.

 

17 hours ago, Squid said:

If unraid doesn't have access to the internet, the boot time is proportional to the number of docker applications installed. Roughly it probably takes an extra 30 seconds to boot per container installed.

Thanks for this. I assume each docker is doing some type of online check that will timeout after 30 seconds, then go to the next one?

 

17 hours ago, ashman70 said:

I would just buy a hardware router that does IPS, GAV, etc and call it a day. While it's possible to do what you want to do, IMO it's far too cumbersome and can leave you without internet if a VM goes down or unRAID goes down.

I am thinking this way as well. However, I don't think I am ready to drop the thousands of dollars to buy a hardware router that has the horsepower I want, to be able to sustain up to a gig line while performing IPS, DPI, AV etc... I'd rather just build my own with commodity server hardware.

 

 

I think all in all I am now leaning towards letting my Unraid box stay bare metal, as it is today. Instead I will install ESXi on yet another server I will build. I will be using an E5-2630L v3, which is a 55W TDP chip, so power draw should be reasonable. This is where I will make a VM to run my UTM. Now thinking about testing out OPNsense, since it uses Suricata instead of Snort and so supports multi-threaded scanning, which will help on higher-bandwidth lines.

 

If anyone else has anything to add, I am all ears.

 

Edited by cybrnook

US, the only routers that I found that were not Atom-based and could handle something like this would be something like a Meraki. Even then, for example, the Meraki MX100 is rated up to 750 Mbps firewall and 500 Mbps VPN, and that sucker is $3000 - $5000.

 

At the moment I have a 500/50 line with future potential to gigabit.

Edited by cybrnook
