Most people's home network is configured fairly simply, like this:
There's only one set of devices connected to the network, and they are all present in the same building.
My domestic ADSL broadband router already provides the basic & essential functionality of a Gateway (with NAT) and a Firewall. So why do I want to make up my own way of doing things? The quick answer is I want to set up something far more interesting! I will still be using the functionality of the router, as that provides a good secure starting point.
The router also provides a forwarding DNS server and a DHCP server. I have already turned this functionality off and replaced it with my own configuration in a TrueNAS Jail.
The router also provides WiFi with WPA2 and PSK. I will be using this functionality without any change from me.
I plan to set up two different VPN servers on my TrueNAS box to enable me to seamlessly pass information between each of the devices I own, and also allow other members of my family to have restricted access some of the information stored on my home network.
The reason for the two different VPNs is that it is easier to set up one or the other depending on the devices that are being used. Microsoft platforms seem to favour IPsec, I've had a more reliable connection using OpenVPN on Android platforms. Some broadband routers have built-in support for one or the other, which means the router can handle a VPN connection directly, rather than having to set up extra hardware at my sister's place.
The DHCP and VPN servers will allocate specific IP addresses to individual devices. Each of the TrueNAS Jails (which provide different services) will be configured to use known static IPs. The firewall rules on the gateway will decide which devices on different networks are allowed to communicate with each other, and maybe allow access to the Internet via my home router.
The goal looks something like this:
You will need to set up a Jail that has two VLAN interfaces. One will be used for your LAN and the other will just be used to connect to your Internet router. In order to do this, you'll need to configure the interfaces in “Network Properties” of the Jail to say something like:
vnet0:bridge0,vnet1:bridge0
That will define two virtual network interfaces within the Jail, both bound to the first (probably only) physical network adapter on the TrueNAS box. You can then define two separate interfaces in the “Basic Settings” section, one called vnet0 and the other called vnet1.
In this example, I have defined the LAN on vnet0 192.168.6.0/24, and the router has the address 192.168.1.254 (a common default on many routers), so I've defined the DMZ on vnet1 192.168.1.0/24.
Note: From inside the Jail, these interfaces will be known as epair0b and epair1b rather than vnet0 and vnet1.
IMPORTANT!
What follows is a work in progress.
Some of this may be inaccurate or just plain wrong.
Use these examples at your own risk, and only if you understand what's going on.
1. Log in to your TrueNAS server as root using SSH or the Shell option of the TrueNAS Web Portal.
2. Make some decisions and define some variables.
# Tailor each of these examples for your own situation JAIL_NAME="net" # name of the jail that will contain the gateway and firewall LAN_INTERFACE="epair0b" # network device serving our LAN LAN_NETWORK="192.168.6.0/24" # network address or our LAN PUBLIC_INTERFACE="epair1b" # network device leading to the internet CONF_DIR="/usr/local/etc/fw" # where we store the config FIREWALL_CONF="${CONF_DIR:?}/firewall.conf" # firewall config file NAT_CONF="${CONF_DIR:?}/nat.conf" # net service config file
jexec "ioc-${JAIL_NAME:?}" mkdir -p "${NAT_CONF%/*}" jexec "ioc-${JAIL_NAME:?}" /bin/sh -c "cat >| ${NAT_CONF:?}" <<END use_sockets yes same_ports yes END # public gateway interface needs nat jexec "ioc-${JAIL_NAME:?}" sysrc natd_interface="${PUBLIC_INTERFACE:?}" # extra settings for nat are in the file we defined above jexec "ioc-${JAIL_NAME:?}" sysrc natd_flags="-f ${NAT_CONF:?}"
IMPORTANT!
This firewall does not filter any traffic. It allows anything to talk to anything.
At this stage I just want to trigger NAT as appropriate to allow hosts on different networks to communicate.
The “real” firewall is provided by my Internet router (which blocks all incoming requests), not this configuration.
If your TrueNAS box connects directly to the Internet, DO NOT USE THIS EXAMPLE !!!
# use the standard firewall template called "open" jexec "ioc-${JAIL_NAME:?}" sysrc firewall_script="/etc/rc.firewall" jexec "ioc-${JAIL_NAME:?}" sysrc firewall_type="open" # log more while testing, or be quiet in normal operation? jexec "ioc-${JAIL_NAME:?}" sysrc firewall_quiet="YES"
# enable IP forwarding jexec "ioc-${JAIL_NAME:?}" sysrc gateway_enable="YES" # enable the firewall service (aka ipfw) jexec "ioc-${JAIL_NAME:?}" sysrc firewall_enable="YES" # enable the NAT service jexec "ioc-${JAIL_NAME:?}" sysrc natd_enable="YES" # start the firewall & natd jexec "ioc-${JAIL_NAME:?}" service ipfw start
If you've turned on any logging for the ipfw service or natd, the output can be seen on the TrueNAS server OUTSIDE THE JAIL in this file…
/var/log/security
This page has been cobbled together from various bits of information I've found on the Internet.