Commodity8654
Cadet
- Joined
- Jan 29, 2024
- Messages
- 3
I hope to make my setup, goal and problem as clear as possible.
Management VLAN (100) on 10.10.100.0/24 - Used for SSH and web UIs (like the trueNAS web UI)
Homelab VLAN (10) on 10.10.10.0/24 - 10 gig network to supply NFS shares to other services running in the Home lab (web UI does not listen on this address)
Note: the VLANs are not defined on trueNAS, there are defined on the managed switch.
backup machine (Ubuntu) with 1 interface:
Management VLAN (100) on 10.10.100.0/24
I keep the backup machine in the Management VLAN, because the backup machine only requires management and provides no services for users.
Inter VLAN routing is used on an OPNsense box.
The only rule set on the Homelab VLAN, is that the Management VLAN can't be accessed by Homelab. An exception is made if Management initiates the connection (which I imagine is basic stateful router stuff, because it's not a custom rule set on the VLANs).
When scanning the files using du -h /my-share, after a short while scanning files, it hangs.
However, I did not encounter a misconfigured rule.
Instead, I discovered that my Backup Machine's after mount requests to the trueNAS NFS are denied due to the "Default deny / state violation rule".
As far as I can tell, this (standard) rule is doing its job and should not be overwritten.
I made a rule in an attempt to give the specific trueNAS machine access to the management network on its own, but this did not prevent the state violations.
I thinks this tells me that asynchronous routing is the cause of the problem, one VLAN tracks the intial connection but the other VLAN recieves the response which the stateful router rejects because it did not receive the initial connection. Again, this is what I think, but I don't have the background knowledge to know if it makes sense.
NFS seems to be the only one that suffers from the current VLAN setup, so I am hessitant to blame the router configuration for anything.
Thank you for reading and I hope to hear your thoughts.
TLDR
Backup machine on a separate VLAN can mount the NFS share on another VLAN, but NFS "hangs" when operations are performed on mounted share. If they are on the same VLAN, the issue does not arise. The router rejects the Backup machine's requies to the NFS server due to State violations, which I do not know how to resolve.The goal
My backup machine intends to be a pull model backup solution that gets the nfs shares with read only access in order to create encrypted backups.Setup
trueNAS core machine with 2 Interfaces:Management VLAN (100) on 10.10.100.0/24 - Used for SSH and web UIs (like the trueNAS web UI)
Homelab VLAN (10) on 10.10.10.0/24 - 10 gig network to supply NFS shares to other services running in the Home lab (web UI does not listen on this address)
Note: the VLANs are not defined on trueNAS, there are defined on the managed switch.
backup machine (Ubuntu) with 1 interface:
Management VLAN (100) on 10.10.100.0/24
I keep the backup machine in the Management VLAN, because the backup machine only requires management and provides no services for users.
Inter VLAN routing is used on an OPNsense box.
The only rule set on the Homelab VLAN, is that the Management VLAN can't be accessed by Homelab. An exception is made if Management initiates the connection (which I imagine is basic stateful router stuff, because it's not a custom rule set on the VLANs).
The problem
The NFS share, "hangs" when mounted on the backup Machine. It seems to be timing out.When scanning the files using du -h /my-share, after a short while scanning files, it hangs.
What does work
- The NFS share succesfullys mount on the backup machine.
- When changing the Backup machine's VLAN to the Homelab VLAN (10), the problem is no more.
Troubleshooting
After discovering that changing the backup machine's VLAN removed the issue, I had hoped to check my (OPNsense) firewall and find a misconfigured Rule on the inter VLAN routing setup.However, I did not encounter a misconfigured rule.
Instead, I discovered that my Backup Machine's after mount requests to the trueNAS NFS are denied due to the "Default deny / state violation rule".
As far as I can tell, this (standard) rule is doing its job and should not be overwritten.
I made a rule in an attempt to give the specific trueNAS machine access to the management network on its own, but this did not prevent the state violations.
I thinks this tells me that asynchronous routing is the cause of the problem, one VLAN tracks the intial connection but the other VLAN recieves the response which the stateful router rejects because it did not receive the initial connection. Again, this is what I think, but I don't have the background knowledge to know if it makes sense.
Next steps
If the conclusion I made in the Troubleshooting section is correct, then I have little understanding of what to do next.NFS seems to be the only one that suffers from the current VLAN setup, so I am hessitant to blame the router configuration for anything.
Thank you for reading and I hope to hear your thoughts.
