Is there any way to enable / create an virtual switch?

Jip-Hop

Contributor
Joined
Apr 13, 2021
Messages
118
I also have another bridge (br1) without any physical interfaces and no IP address as a "host only" virtual switch.
Could you explain how this is supposed to work? I now have an Ubuntu VM with a single network interface, to which I assigned a bridge (without IP address and without physical interface). I try to ping the host from inside the VM but this isn't working. When I type ifconfig in Ubuntu, it shows that network interface ens3 doesn't have an IP address.

Ultimately I'm looking for a way to mount an NFS share from the TrueNAS host inside the VM, and restrict it in such a way that it can only be mounted from the guest and not from any clients in my LAN (not even if one of them had the same MAC and IP address as the VM guest).
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
If you bridge to a physical interface it's layer 2 and the packets of your VM just appear on the wire like they would with a physical machine.
If you create a private bridge without any physical interface member, you need to assign an IP address to it, because your host then needs to act as the default router for all VMs connected to it.
 

ian351c

Patron
Joined
Oct 20, 2011
Messages
219
Could you explain how this is supposed to work?
Here's what I have set up and working:

br0 - For VMs that need to be on my main network at home
- members: A physical interface on my NAS that is plugged into my main switch, but does not have an IP address and is not used for anything else (GUI, File Sharing, etc.). VMs on this bridge act just like any other machine on my network.
- IP address: none

br1 - For VMs that need to be completely isolated (no access to anything on my network or the NAS)
- members: none
- IP address: none

br2 - For VMs that don't need access to my main network but need access to the NAS
- members: none
- IP address: an IP address that is NOT part of my main network. So if my main network is 192.168.0.0/24, this bridge could be assigned to 192.168.1.1/24. Other VMs on this bridge will also be on the 192.168.1.0/24 network and will have access to the NAS on 192.168.1.1 but that's it. No internet, no other network access (unless you do some routing/bridging with another VM).

Hopefully this helps!
 

otpi

Contributor
Joined
Feb 23, 2017
Messages
117
I have tried every permutation I can think of in the Network GUI trying to create br0-2 as @ian351c describes above. But no success yet. When I hit "Test network changes" I get: Connecting to TrueNAS ... Make sure the TrueNAS system is powered on and connected to the network. Then it reverts and I'm back in the Network GUI. Even when I try to create an empty bridge (no members, no IP).

The only change I have registered is that my VM is no longer able to ping TrueNAS, even though they are on different physical ports.

I have 4 1G ports. TrueNAS GUI, smb, nfs are all on eno1 (static .11), while my VM's macvtap3 (static .21) is on eno4 (which is .120, dynamically provided by dhcp).

Never used linux bridges before, so this is new territory and I'm reading as fast as I can, any help appreciated.
 

ian351c

Patron
Joined
Oct 20, 2011
Messages
219
I have 4 1G ports. TrueNAS GUI, smb, nfs are all on eno1 (static .11). While my VM macvtap3 (static .21) is on eno4 (which is .120, dynamic provided by dhcp).

If you are looking to do it the way I am, here's what the config should look like for you (I think):

br0 - for VMs that need to be on your regular network; should be able to access the NAS via its .11 address (looks like you already have this working)
- Bridge Members: eno4 (plugged into your switch without an IP address)
- IP address: none

br1 - Completely isolated
- Bridge Members: none
- IP address: none

br2 - Isolated with access to NAS
- Bridge Members: none
- IP address: something NOT on your regular network (if your regular network is 192.168.1.x then use 192.168.2.x). VMs on this network should also go on the 192.168.2.x network and should be able to access the NAS on its 192.168.2.x address.

Hope that helps!
 

otpi

Contributor
Joined
Feb 23, 2017
Messages
117
Thanks again. Yes, that's what I want. Although right now I'd settle with any bridge just to see some change. GUI just locks up when I try to add a bridge. I also tried from shell:

Code:
root@truenas[~]# ip link add br0 type bridge
root@truenas[~]# ip link set eno4 master br0
RTNETLINK answers: Device or resource busy

I'm using this redhat: bridges as my resource. But no luck so far.

edit: ok, adding eno3 worked (since it is not in use?)
 

ian351c

Patron
Joined
Oct 20, 2011
Messages
219
edit: ok, adding eno3 worked (since it is not in use?)
It's possible that you are attaching your VM directly to eno4 (which I should have figured out since that's what you wrote...) and that might cause issues if you try to add eno4 to a bridge. VMs should be attached to the bridges, not directly to physical interfaces (unless that's the ONLY thing you want on that interface). At least that's been my experience.
 

Jip-Hop

Contributor
Joined
Apr 13, 2021
Messages
118
I have an alternative bridge setup which I think hasn't been mentioned here yet. Basically add a second NIC to each VM. First NIC is directly attached to a physical network interface (macvtap). Second NIC should be attached to a host-only bridge. This has several benefits. It keeps the 'defaults', TrueNAS host uses physical network interface directly for LAN communication (not a bridge interface with a different MAC address). And due to the second NIC you can easily expose VM services only to the TrueNAS host (which could then act as a reverse proxy with Traefik), but at the same time the VM has access to the LAN and internet using the default macvtap interface.

If you follow these steps, you should not run into issues when applying the network settings (Web GUI unreachable, settings rolled back after 60 seconds):
  • Assign an IP address to the eno1 interface from the TrueNAS Web GUI (in my case I assign the same IP address it got from the router via DHCP reservation)
  • Go into general settings and make sure the Web GUI only listens on this IP address
  • Make a new bridge interface, default settings, no bridge members, assign IP address in a different subnet (not the same subnet as your physical network interface)
  • Test and save changes (should not cause a disconnect of the Web GUI)
  • Add second NIC to VM, assign the bridge interface
  • Set up a manual IP address inside the VM for this interface (in the same subnet as the bridge IP address)
  • Now host and guest can ping each other within the bridge subnet, VM guest can also access LAN via first interface (macvtap)
  • Set the TrueNAS WebGUI to listen on port 81 and 444 (optional, if you want Traefik on 80 and 443)
  • Install the Traefik TrueCharts app (optional: choose ports 80 and 443 if you want Traefik on 80 and 443)
  • Set up the TrueCharts external-service app using the VM IP address (the manually assigned IP address, in the bridge subnet)
  • Now you can access the VM through Traefik
  • Make another TrueCharts external-service so you can access the TrueNAS GUI again on port 443 (optional)
With this approach I intend to run Docker with Portainer inside a VM and securely mount all volumes via NFS from the TrueNAS host. That way I can throw away the VM and still not lose any data :) And the Traefik app will take care of HTTPS for the containers in the VM.
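Two things in this thread are easy to get wrong before touching the GUI: enslaving a physical port that already carries a macvtap VM NIC (the "Device or resource busy" error above), and picking a host-only bridge subnet that overlaps the LAN (which is when the Web GUI becomes unreachable and the settings roll back). The following is an added pre-flight check, not code from the thread or from TrueNAS; the `ip -o link` sample, the interface names and the `/mnt/tank/docker` export path are constructed placeholders, and the exports line it emits only allows the VM's address on the host-only subnet.

```python
import ipaddress
import re

# Constructed sample of `ip -o link show` output: eno4 already carries a
# macvtap VM NIC (shown as "macvtap3@eno4"), eno3 is unused.
SAMPLE_IP_LINK = """\
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
4: eno3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
5: eno4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
7: macvtap3@eno4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
"""

# "<idx>: <name>[@<lower>]:" is how ip(8) shows a device stacked on another one.
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^@:]+)(?:@(?P<lower>[^:]+))?:")


def lower_devices(ip_link_output):
    """Map each stacked interface to the device it sits on (macvtap3 -> eno4)."""
    lowers = {}
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m and m.group("lower"):
            lowers[m.group("name")] = m.group("lower")
    return lowers


def busy_members(candidate, ip_link_output):
    """Interfaces already stacked on `candidate`; a non-empty list means
    `ip link set <candidate> master brX` will fail with 'Device or resource busy'."""
    return sorted(n for n, low in lower_devices(ip_link_output).items() if low == candidate)


def plan_host_only_bridge(name, bridge_cidr, lan_cidr, vm_ip, share):
    """Validate a member-less bridge and return the ip(8) commands plus an
    /etc/exports line limited to the VM's address on the bridge subnet."""
    bridge = ipaddress.ip_interface(bridge_cidr)
    lan = ipaddress.ip_interface(lan_cidr)
    vm = ipaddress.ip_address(vm_ip)
    if bridge.network.overlaps(lan.network):
        raise ValueError(f"{bridge_cidr} overlaps the LAN subnet {lan_cidr}")
    if vm not in bridge.network or vm == bridge.ip:
        raise ValueError(f"{vm_ip} is not a free address in {bridge.network}")
    return [
        f"ip link add {name} type bridge",
        f"ip addr add {bridge_cidr} dev {name}",
        f"ip link set {name} up",
        f"{share} {vm}(rw,sync,no_subtree_check)",  # exports line for NFS
    ]
```

The exports line helps only because the bridge has no physical members, so the host must not forward traffic between the LAN subnet and the bridge subnet; check that before relying on the source-address restriction.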
 