Most people's home network is configured fairly simply, like this:

There's only one set of devices connected to the network, and they are all present in the same building.

My domestic ADSL broadband router already provides the basic & essential functionality of a Gateway (with NAT) and a Firewall. So why do I want to make up my own way of doing things? The quick answer is I want to set up something far more interesting! I will still be using the functionality of the router, as that provides a good secure starting point.

The router also provides a forwarding DNS server and a DHCP server. I have already turned this functionality off and replaced it with my own configuration in a TrueNAS Jail.

The router also provides WiFi with WPA2 and PSK. I will be using this functionality without any change from me.

I plan to set up two different VPN servers on my TrueNAS box to enable me to seamlessly pass information between each of the devices I own, and also allow other members of my family to have restricted access some of the information stored on my home network.

The reason for the two different VPNs is that it is easier to set up one or the other depending on the devices that are being used. Microsoft platforms seem to favour IPsec, I've had a more reliable connection using OpenVPN on Android platforms. Some broadband routers have built-in support for one or the other, which means the router can handle a VPN connection directly, rather than having to set up extra hardware at my sister's place.

The DHCP and VPN servers will allocate specific IP addresses to individual devices. Each of the TrueNAS Jails (which provide different services) will be configured to use known static IPs. The firewall rules on the gateway will decide which devices on different networks are allowed to communicate with each other, and maybe allow access to the Internet via my home router.

The goal looks something like this:

You will need to set up a Jail that has two VLAN interfaces. One will be used for your LAN and the other will just be used to connect to your Internet router. In order to do this, you'll need to configure the interfaces in “Network Properties” of the Jail to say something like:

vnet0:bridge0,vnet1:bridge0

That will define two virtual network interfaces within the Jail, both bound to the first (probably only) physical network adapter on the TrueNAS box. You can then define two separate interfaces in the “Basic Settings” section, one called vnet0 and the other called vnet1.

In this example, I have defined the LAN on vnet0 192.168.6.0/24, and the router has the address 192.168.1.254 (a common default on many routers), so I've defined the DMZ on vnet1 192.168.1.0/24.

Note: From inside the Jail, these interfaces will be known as epair0b and epair1b rather than vnet0 and vnet1.

IMPORTANT!
What follows is a work in progress.
Some of this may be inaccurate or just plain wrong.
Use these examples at your own risk, and only if you understand what's going on.

1. Log in to your TrueNAS server as root using SSH or the Shell option of the TrueNAS Web Portal.

2. Make some decisions and define some variables.

# Tailor each of these examples for your own situation

JAIL_NAME="net" # name of the jail that will contain the gateway and firewall

LAN_INTERFACE="epair0b"         # network device serving our LAN
LAN_NETWORK="192.168.6.0/24"    # network address or our LAN
PUBLIC_INTERFACE="epair1b"      # network device leading to the internet

CONF_DIR="/usr/local/etc/fw"                # where we store the config
FIREWALL_CONF="${CONF_DIR:?}/firewall.conf" # firewall config file
NAT_CONF="${CONF_DIR:?}/nat.conf"           # net service config file

jexec "ioc-${JAIL_NAME:?}" \
  mkdir -p "${NAT_CONF%/*}"

jexec "ioc-${JAIL_NAME:?}" /bin/sh -c \
"cat >| ${NAT_CONF:?}" \
<<END

use_sockets yes
same_ports yes

END

# enable IP forwarding
jexec "ioc-${JAIL_NAME:?}" sysrc gateway_enable="YES"

# enable firewall
jexec "ioc-${JAIL_NAME:?}" sysrc firewall_enable="YES"

# use the standard firewall template called "open"
jexec "ioc-${JAIL_NAME:?}" sysrc firewall_script="/etc/rc.firewall"
jexec "ioc-${JAIL_NAME:?}" sysrc firewall_type="open"

# log more while testing, or be quiet in normal operation?
jexec "ioc-${JAIL_NAME:?}" sysrc firewall_quiet="YES"

# start the firewall & natd  
jexec "ioc-${JAIL_NAME:?}" service ipfw start

This page has been cobbled together from various bits of information I've found on the Internet.

• https://lugbe.ch/lostfound/contrib/freebsd_router/
• https://lists.freebsd.org/pipermail/freebsd-net/2003-November/001945.html
• https://www.freebsd.org/cgi/man.cgi?natd
• https://www.adminbyaccident.com/freebsd/how-to-freebsd/how-to-configure-the-ipfw-firewall-on-freebsd/