TrueNAS+OPNSense=TrueSense

imaddaou

Cadet
Joined
Apr 11, 2023
Messages
1
Dear community members, is there a plan one day to have TrueNAS and OPNSense join forces together?

I am a big fan of both systems, I am happy and impressed with both of them. I strongly believe the power of OPNSense framework plus the awesome features of TrueNAS will create wonders and miracles.

For example, in OPNSense I can import all AD users into the system, create an MFA seed per user, create a certificate per user, give access to the GUI only where that user needs it, especially to download the OpenVPN export file; they can change their password, and do other things that users/managers need. The world is changing and I can see a great opportunity for both systems to join forces.

When I compare the OPNSense and TrueNAS backends, I can see that both systems can benefit tremendously from each other. The unity between TrueNAS and OPNSense will be big news for all of us; it will be a blessing for all of us.

I am pretty sure that I am not the first one to see that great opportunity; I wonder how that can be possible one day? Maybe start a new project called TrueSense supported by both https://www.ixsystems.com/ and https://www.deciso.com/ where both companies benefit, and it will be awesome news for all of us :0)

Well, I am going to post the same thread at OPNSense community as well.

Thank you all for your faith and hard work.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Dear community members, is there a plan one day to have TrueNAS and OPNSense join forces together?

No, because it doesn't make sense. iXsystems is focused on selling enterprise storage systems. The system you are thinking of as TrueNAS is provided for free because they benefit from the community testing and debugging. It is not intended to be an all-inclusive solution to your home or SOHO NAS desires. Additionally, having these functions separated on the network is incredibly important to security design, so in cases where you'd like a single host solution, you can run OPNsense in a virtual machine with PCIe passthru of the network interfaces and get good (not perfect) isolation of the NAT/router host. I don't recall offhand what funding model the OPNsense project uses, but in my opinion it is better for TrueNAS to be focused on doing one thing very well.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I strongly believe the power of OPNSense framework plus the awesome features of TrueNAS will create wonders and miracles.
Maybe for the Russian mafia, because all the miracles I see are pain, panic that everything is down and the creeping realization that everything's been pwned.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Maybe for the Russian mafia, because all the miracles I see are pain, panic that everything is down and the creeping realization that everything's been pwned.

Yeesh, extra cynical today, sir?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Yeesh, extra cynical today, sir?
Isn't that your realm? How dare he? :smile:

I could see some benefit in an integrated small business system. Can bhyve do PCIe passthrough for network interfaces? With careful selection of the hardware one might be able to build a single firewall plus storage server. But such a chimera would require someone with the experience and knowledge of the regulars around here to build, maintain, and troubleshoot.

I'm actively considering moving my OPNsense to my ESXi host with SSDs and network passed through. One less system drawing current. Then again I want my firewall up and running while toying with e.g. the latest release of SCALE.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I could see some benefit in an integrated small business system.

So can I, and maybe what needs to happen is a discussion of how to do it correctly, along the lines of the virtualization guide.

Can bhyve do PCIe passthrough for network interfaces?

I was under the impression it could. How performant it is is another question. Network appliances typically generate obscene interrupt per second rates that might not be a good match. ESXi might be the winner fix here.
 

awasb

Patron
Joined
Jan 11, 2021
Messages
415
Anyone who wants to "combine" a firewall with any other service on the same machine (in compartments / containers / sandboxes / whatever) is also building padlocks on gold bars.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I have been running HA firewalls and all other virtualised services on a pair of ESXi and I would do that again any time. I have yet to see a real attack on hypervisors and/or VLANs remotely over the public Internet. If anyone gains an RCE on your firewall, they have a leg in your office LAN, hypervisor and VLANs or not doesn't make a difference. Of course you do not expose any management interface to any production network but the dedicated management one.
 

awasb

Patron
Joined
Jan 11, 2021
Messages
415
Code is written by people. People make mistakes. More code, more mistakes.

And this observation is also the reason why firewalls, bastion hosts and routers on the one hand and „servers“ on the other should be separated IMHO.

Servers „enlarge“ surface for attack; the likelihood of a bug being found at some point (a bug that allows an attacker to execute code) is significantly greater than zero.

An IP stack or a packet filter can also have bugs, no question. But it doesn't necessarily follow that you can forget about security anyway.

It just means that all services should be switched off and one should use „minimalistic approaches“ to packet filters (using software that can be verified, i.e. the source code).
 

awasb

Patron
Joined
Jan 11, 2021
Messages
415
No. I meant padlocks on gold bars; like security doors in a house with windows open (pun intended). It’s a metaphor for broken security concepts.

IIRC the phrase was first used by Ross Anderson.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I was under the impression it could. How performant it is is another question. Network appliances typically generate obscene interrupt per second rates that might not be a good match. ESXi might be the winner fix here.
Somewhat naïvely, I'd expect performance to be basically the same across hypervisors, as long as they can configure PCIe passthrough properly. With the possible exception of a NIC with a PF used by the host and a VF used by the VM.
Yeesh, extra cynical today, sir?
My magic 8-ball only goes "super cynical", "existential dread", "mild optimism" and "ask again later". When I tried to get a refund, I only got the latter option.
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
Dear community members, is there a plan one day to have TrueNAS and OPNSense join forces together?

I am a big fan of both systems, I am happy and impressed with both of them. I strongly believe the power of OPNSense framework plus the awesome features of TrueNAS will create wonders and miracles.

For example, in OPNSense I can import all AD users into the system, create an MFA seed per user, create a certificate per user, give access to the GUI only where that user needs it, especially to download the OpenVPN export file; they can change their password, and do other things that users/managers need. The world is changing and I can see a great opportunity for both systems to join forces.

When I compare the OPNSense and TrueNAS backends, I can see that both systems can benefit tremendously from each other. The unity between TrueNAS and OPNSense will be big news for all of us; it will be a blessing for all of us.

I am pretty sure that I am not the first one to see that great opportunity; I wonder how that can be possible one day? Maybe start a new project called TrueSense supported by both https://www.ixsystems.com/ and https://www.deciso.com/ where both companies benefit, and it will be awesome news for all of us :0)

Well, I am going to post the same thread at OPNSense community as well.

Thank you all for your faith and hard work.

iX loves what Deciso have built and done... many users use TrueNAS and OPNSense.

We'd love to collaborate more.... perhaps there are community developers that can see opportunities?

There's no need for a marriage to enjoy the benefits of sleeping in the same bed :smile:
 

zithro

Cadet
Joined
Feb 18, 2022
Messages
9
I have been running a setup somewhat like that on two consumer-grade machines for 5 years. I call them "Network-in-a-box".
It's kind of a Qubes setup, but less secure ofc (I've learnt about Qubes AFTER doing my setup, sad).
My setups are:
- Xen dom0 on Linux
- pfSense domU
- TrueNAS Core domU
- various "infrastructure" domUs (for DNS, NTP, etc)
- various "user" domUs (including nested Qubes, Windows for gaming, etc)

The pfSense has the motherboard NIC passed through to it. It acts as the firewall for all other hosts, including dom0.
(EDIT: each domU has its own virtual interface on pfSense, so I don't even need a FW on each domU.)
The two systems are linked with a 10GbE link (for TrueNAS replication), also filtered by PF.

The other solution would be to run PF as a guest in FreeNAS, passing the "public" NIC through to PF (this is better for security as the NIC driver does not run in FreeNAS).
PF and TrueNAS would then communicate via virtual NICs. If you have an additional NIC, you could also PCI-PT it to PF as the "LAN" NIC, for "external" hosts to access the NAS, the internet, etc.
 
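To make the "one virtual interface per domU, replication link also filtered" layout concrete, here is a plain pf ruleset written as an added example for this thread. It is not zithro's actual configuration and not something pfSense or OPNsense ship (both generate their pf.conf from the GUI; this is what an equivalent set of GUI rules boils down to). Every interface name, address, network and port below is an assumed placeholder. The policy is default deny on every interface, with each compartment allowed only the few flows it needs: user guests get file shares on the NAS and web access, infrastructure guests answer DNS/NTP, the firewall's own GUI is reachable only from the management vif, and the 10GbE replication link carries nothing but SSH between the two NAS hosts.

```pf
# Added example (not the poster's ruleset, not shipped by pfSense/OPNsense):
# pf.conf for a firewall VM that owns a passed-through physical NIC, one
# virtual interface per guest group, a management vif and a dedicated
# replication link to a second box. All names and addresses are assumed.

ext_if   = "igb0"     # physical NIC passed through to the firewall VM (WAN)
nas_if   = "vtnet1"   # virtual interface facing the TrueNAS guest
infra_if = "vtnet2"   # virtual interface facing the DNS/NTP guests
user_if  = "vtnet3"   # virtual interface facing user guests
mgmt_if  = "vtnet4"   # virtual interface facing dom0 / management only
repl_if  = "ix0"      # 10GbE link to the second box, used only for replication

nas_host  = "10.10.1.10"
infra_net = "10.10.2.0/24"
user_net  = "10.10.3.0/24"
mgmt_net  = "10.10.4.0/24"
peer_nas  = "10.10.9.20"   # the other box's NAS address on the replication link

# Private ranges: guests may reach the Internet, never another compartment
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
set block-policy drop
# Floating states: a state created where a flow enters also passes it where it
# leaves, so forwarded traffic needs only the "pass in" rule on the entry vif
set state-policy floating

# Guests reach the Internet through NAT on the passed-through NIC
nat on $ext_if from { $nas_host, $infra_net, $user_net } to any -> ($ext_if)

# Default deny on every interface, both directions; everything below is an exception
block log all

# The firewall's own GUI/SSH: only from the management network, only on the management vif
pass in on $mgmt_if proto tcp from $mgmt_net to ($mgmt_if) port { 22, 443 }

# Flows allowed in below may leave via the WAN (NAT applied above)
pass out on $ext_if

# Infrastructure guests serve DNS/NTP to the other compartments and query upstream themselves
pass in on { $nas_if, $user_if, $mgmt_if } proto udp to $infra_net port { 53, 123 }
pass in on $infra_if proto { tcp, udp } from $infra_net to ! <private> port { 53, 123 }

# User guests: SMB/NFS on the NAS, web to the Internet, nothing towards dom0 or the firewall
pass in on $user_if proto tcp from $user_net to $nas_host port { 445, 2049 }
pass in on $user_if proto tcp from $user_net to ! <private> port { 80, 443 }

# NAS: HTTPS out for updates; DNS/NTP to the infra guests is covered above
pass in on $nas_if proto tcp from $nas_host to ! <private> port 443

# Replication link: only SSH from this NAS to its peer (zfs send/receive over ssh);
# state is created where the flow enters (nas vif) and matched where it leaves (repl link)
pass in  on $nas_if  proto tcp from $nas_host to $peer_nas port 22
pass out on $repl_if proto tcp from $nas_host to $peer_nas port 22
```

The point of the layout is that the firewall VM, not each guest, enforces who may talk to whom; a compromised user guest can still reach SMB on the NAS but has no path to dom0, the management vif or the replication link, and `block log all` means every attempt shows up in pflog. On the second box the replication rule is mirrored in the other direction.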

NickF

Guru
Joined
Jun 12, 2014
Messages
763
Building a datacenter-in-a-box with multiple firewalls and stuff is something I've been planning to do a writeup for for a very long time. Hopefully I get the time to do it soon. Although, I have been more partial to Netgate/pfSense primarily because they have a more enterprise-focused approach (OPNsense is like the SMB cousin) and my own familiarity.
 