Bridge WAN IP

Didimasta

Cadet
Joined
May 25, 2023
Messages
8
I have a TrueNAS Core with a WAN IP address. I want to create a VM inside TrueNAS and give that VM internet access with a different dedicated IP on the WAN. How to do it?
At the moment, in my mind, one server represents the NIC WAN IP TrueNAS.

For example, in ESXI, I can use a virtual switch connected to the management interface and guest virtual machines connected to it with a dedicated WAN IP address.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
What is "WAN"? You did not connect your TrueNAS to the public Internet, did you?

Anyway you answered your own question - you need to create a bridge interface, make your physical interface a member interface of that bridge (i.e. vSwitch) and move the IP address configuration from the physical to the bridge IF. Then you are ready to go. You can connect your VM to the bridge and are all set.
 

Didimasta

Cadet
Joined
May 25, 2023
Messages
8
What is "WAN"? You did not connect your TrueNAS to the public Internet, did you?

Anyway you answered your own question - you need to create a bridge interface, make your physical interface a member interface of that bridge (i.e. vSwitch) and move the IP address configuration from the physical to the bridge IF. Then you are ready to go. You can connect your VM to the bridge and are all set.
Hello! I have connected my TrueNAS to the public internet.
I tried this method - when I try to connect my NIC to the new bridge I get an error - this device is busy -

Error: Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 139, in call_method
result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1236, in _call
return await methodobj(*prepared_call.args)
File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 975, in nf
return await f(*args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/network.py", line 900, in commit
await self.sync()
File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/network.py", line 1991, in sync
await self.middleware.call('interface.bridge_setup', bridge)
File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1279, in call
return await self._call(
File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1247, in _call
return await self.run_in_executor(prepared_call.executor, methodobj, *prepared_call.args)
File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1152, in run_in_executor
return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 58, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/interface/bridge.py", line 57, in bridge_setup
iface.add_member(member)
File "netif.pyx", line 1211, in netif.BridgeInterface.add_member
File "netif.pyx", line 1229, in netif.BridgeInterface.bridge_cmd
OSError: [Errno 16] Device bus
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
! I have connected my TrueNAS to the public internet.
Don't do that, unless you feel like getting intimately familiar with the Russian mafia.
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,949
or know how to decrypt all your files
 

2twisty

Contributor
Joined
Mar 18, 2020
Messages
145
If it's behind a firewall, it's not connected to the public internet.

  • Is the IP of your TN box in private IP space? Are you running a DHCP server?
  • Did you want your VM to be directly connected to the public Internet or do you plan to open holes in your firewall for specific services?
  • What services are those?
 

Didimasta

Cadet
Joined
May 25, 2023
Messages
8
If it's behind a firewall, it's not connected to the public internet.

  • Is the IP of your TN box in private IP space? Are you running a DHCP server?
  • Did you want your VM to be directly connected to the public Internet or do you plan to open holes in your firewall for specific services?
  • What services are those?
Why do you think so? If the provider provides me with a firewall service? I just asked to restrict access to my IP only from the specified WhiteList IPs.

1. Yes, it is. No I don't use DHCP
2. Yes, I want my VM to be connected to the public internet
3. ...

I think that I need to create a Bridge and put a TN physical interface and a VM virtual interface into it. But I get the error from the post above. Can you tell me how to do it differently?
 

Didimasta

Cadet
Joined
May 25, 2023
Messages
8
1* My TN box is in public space (mistake in previous message)
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Do you already have a VM or a jail running? Possibly there already is an automatically created bridge and this causes the error message about "device busy".

To get rid of that the easiest way (if some downtime is acceptable) is to disable autostart for all jails and/or VMs and then reboot the system. You should be able to create the bridge0 interface, then.
 

Didimasta

Cadet
Joined
May 25, 2023
Messages
8
Do you already have a VM or a jail running? Possibly there already is an automatically created bridge and this causes the error message about "device busy".

To get rid of that the easiest way (if some downtime is acceptable) is to disable autostart for all jails and/or VMs and then reboot the system. You should be able to create the bridge0 interface, then.
Thanks, it worked, now I can add my NIC to the bridge. I've got one more question:
I can see its MAC address in the Bridge properties - if I put my NIC in this bridge, is it possible to send frames with the MAC address of the bridge to the provider's network? My question is because the provider limits the list of MAC addresses from which sending is possible, and if frames with a MAC address not from the list of allowed ones are seen, the server will be disposed of.
 

2twisty

Contributor
Joined
Mar 18, 2020
Messages
145
Glad you got it working. However, I would never trust someone else's firewall. Maybe I'm tin-foil-hat-ing here, but if that provider gets compromised or has a rogue employee, you're completely exposed.

I strongly recommend putting it behind your own firewall. But if it's working the way you want it to now, great!
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
You can use a tunable:

Name: net.link.bridge.inherit_mac
Value: 1
Type: sysctl

That makes the bridge interface use the MAC address of the first member which should be your physical interface. Also remember that you must move the IP address configuration to the bridge interface and leave the member without an IP address. Just put "up" into the options field.
 
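The recipe above (physical NIC as bridge member, IP address moved to the bridge, member left with only "up") plus the net.link.bridge.inherit_mac tunable is easy to get half-right, and the earlier question about the provider's MAC allow-list shows why a leftover address or a random bridge MAC matters. The checker below is an added example, not code from the thread or from TrueNAS: it parses FreeBSD-style `ifconfig` output and reports any of those misconfigurations. The interface names, MAC and IP addresses in the samples are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed `ifconfig` output from a FreeBSD-based TrueNAS Core host after the fix:
# igb0 (physical) has no IP, bridge0 carries the IP and inherits igb0's MAC,
# and the VM's vnet0.1 is a second member. All names/addresses are made up.
GOOD_IFCONFIG = """\
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:11:22:33:44:55
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:11:22:33:44:55
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    member: vnet0.1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 7 priority 128 path cost 2000
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 20000
vnet0.1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 58:9c:fc:10:ff:c8
"""

# Constructed output from the same host before the fix: the IP is still on igb0,
# the bridge has none, and it got a random MAC (inherit_mac left at 0).
BAD_IFCONFIG = """\
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:11:22:33:44:55
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 58:9c:fc:10:ff:aa
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 20000
"""


def parse_ifconfig(text: str) -> Dict[str, dict]:
    """Split ifconfig output into per-interface records: MAC, IPv4 list, bridge members."""
    ifaces: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)  # interface header starts at column 0
        if head:
            current = head.group(1)
            ifaces[current] = {"ether": None, "inet": [], "members": []}
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("ether "):
            ifaces[current]["ether"] = stripped.split()[1].lower()
        elif stripped.startswith("inet "):
            ifaces[current]["inet"].append(stripped.split()[1])
        elif stripped.startswith("member: "):
            ifaces[current]["members"].append(stripped.split()[1])
    return ifaces


def check_bridge(text: str, bridge: str, member: str) -> List[str]:
    """Return findings for the bridge/member pair; an empty list means the setup matches the recipe."""
    ifaces = parse_ifconfig(text)
    br, phys = ifaces.get(bridge), ifaces.get(member)
    if br is None:
        return [f"{bridge} not found"]
    if phys is None:
        return [f"{member} not found"]
    findings: List[str] = []
    if member not in br["members"]:
        findings.append(f"{member} is not a member of {bridge}")
    if phys["inet"]:  # address must live on the bridge, not on the member
        findings.append(f"{member} still carries {', '.join(phys['inet'])}; move it to {bridge}")
    if not br["inet"]:
        findings.append(f"{bridge} has no IPv4 address")
    if br["ether"] != phys["ether"]:  # a provider MAC allow-list would drop frames from the bridge MAC
        findings.append(f"{bridge} MAC {br['ether']} differs from {member} MAC {phys['ether']}; "
                        "set net.link.bridge.inherit_mac=1")
    return findings


def inherit_mac_enabled(sysctl_output: str) -> bool:
    """Parse the 'name: value' line printed by `sysctl net.link.bridge.inherit_mac`."""
    m = re.search(r"net\.link\.bridge\.inherit_mac:\s*(\d+)", sysctl_output)
    return bool(m) and m.group(1) == "1"


if __name__ == "__main__":
    for label, sample in (("good", GOOD_IFCONFIG), ("bad", BAD_IFCONFIG)):
        print(label, check_bridge(sample, "bridge0", "igb0") or "OK")
```

On a real host you would feed it the output of `ifconfig` and `sysctl net.link.bridge.inherit_mac` instead of the constructed samples; the MAC comparison is the part to re-run after every reboot, since the tunable only takes effect when it is applied before the bridge is created.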

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
TrueNAS is a NAS at heart, it is meant for storage, while it is great people can run VMs on them, it should be a replacement for a proper dedicated virtualized server to host publicly accessible services on. A provider's firewall means you are taking their word it is secured, but either way, you are routing external public access into your NAS...never a good idea.
 

Didimasta

Cadet
Joined
May 25, 2023
Messages
8
You can use a tunable:

Name: net.link.bridge.inherit_mac
Value: 1
Type: sysctl

That makes the bridge interface use the MAC address of the first member which should be your physical interface. Also remember that you must move the IP address configuration to the bridge interface and leave the member without an IP address. Just put "up" into the options field.
How to set this parameter correctly? I didn't find what I needed in the GUI. If I do:
sysctl net.link.bridge.inherit_mac=1
this change doesn't persist after reboot. Adding
net.link.bridge.inherit_mac=1
to /etc/sysctl.conf is also not saved after reboot.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
System > Tunables in the UI.
 