Windows 11/SMB Problems

Vertigo 7

Explorer
Joined
May 8, 2021
Messages
78
I know it's a bit off topic for this thread, but what VLAN issue are you having? I'm using multiple VLANs with my TrueNAS config and it was frustrating me to no end at first, but I finally figured out what I was doing wrong and it's humming away as we speak.
 

Nightbored

Dabbler
Joined
Sep 16, 2021
Messages
11
I know it's a bit off topic for this thread, but what VLAN issue are you having? I'm using multiple VLANs with my TrueNAS config and it was frustrating me to no end at first, but I finally figured out what I was doing wrong and it's humming away as we speak.

So, I have every server in my environment in its own VLAN to isolate inter-server traffic at the switch, using Ubiquiti.

The issue I am having is that my TrueNAS server is on its own VLAN XX with a gateway for the subnet in a /30 CIDR.
My Proxmox cluster is set up the same way, with its own VLAN XY with a gateway for its subnet in a /29 CIDR.

In Proxmox and TrueNAS the interfaces actually have access to all VLANs, but I configure the VLANs on the system to connect to their respective silos.
I do this to allow VMs to be created that can be configured with VLANs, to give the isolation I mentioned before.

I am not sure if you use Proxmox, but they have a limit of one default gateway, just like TrueNAS with its global gateway; unlike TrueNAS, though, you can create a VM, enter the interface you want to use (in my case the physical interface that has access to all VLANs), and then specify what VLAN and gateway the VM will use.

My issue with TrueNAS, from my understanding and googling, is that no matter what VLAN you set up it will try to use the global gateway, and in my setup that does not work, as no VLAN is able to talk to another VLAN, and that includes the gateways in each VLAN.

Here's hoping I am completely wrong about something, as I really do not want to rebuild my TrueNAS server within Proxmox.
This issue is bothering me so much that I am thinking of replacing my Threadripper 1950X system with a 5950X system running Proxmox and virtualizing TrueNAS to get around the issue.
 

Vertigo 7

Explorer
Joined
May 8, 2021
Messages
78
So the default gateway thing is true, for the host.

Here's what I found out...

TrueNAS, for whatever reason, doesn't seem to play nice with tagged and untagged traffic on the same interface.

So what I did was, from my switch, I'm just straight trunking over all of the VLANs that I'm using on TrueNAS, with no native VLAN.

Then, for TrueNAS, for the VLAN the host is on, set up the global gateway and DNS.

Next, you want to strip the IP address off of the LAGG or network interface, and make sure DHCP isn't enabled.

Then create VLAN interfaces for every VLAN you're trunking over, with the appropriate VLAN tag. No IP address on these interfaces, and the LAGG or NIC as the parent interface.

And finally, create a bridge interface for each VLAN interface you previously created. The one VLAN you want TrueNAS on, give that one the IP address or enable DHCP. I would name them with the VLAN tags for easy reference, e.g. bridge20.

Afterwards, all of your jails and VMs will then need to be set to use the appropriate bridge interface as their host NIC. For VMs that is straightforward: the bridges will all be in the drop-down list. For jails, in network properties, you'll need to set the interfaces to vnet0:bridge<X>, where <X> would be the VLAN number if you followed my suggestion for naming the bridge interfaces.

For each jail and VM, they should then be on their appropriate VLANs as if they were plugged directly into an appropriate switch port, and will route to their own default gateways.


You should end up with something like this:

[attached screenshot: PKEyQxh.png]
 

Nightbored

Dabbler
Joined
Sep 16, 2021
Messages
11
No, my desktop and laptop are not currently domain joined. I'm logged in with MS accounts on both and using domain accounts to access network shares/resources. Though I'm tempted to now spin up a Windows 11 VM, domain join it, and test share access. But since my TrueNAS server is also domain joined, I'd expect, based on the behavior of all of my Windows Server systems, that it'd use Kerberos to authenticate and not present the NTLM issue.

I imaged a Windows 11 Preview system, and will update this thread with the results.
My plan:
Connect to TrueNAS before joining a domain.

Attempt to connect to TrueNAS after joining a domain, with the GPO set to Not Defined for Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level.

If the previous fails, update to Send NTLMv2 reply only to confirm it works as noted in my earlier post.

Lastly, add TrueNAS to AD, remove the GPO setting, and test again.
 

Nightbored

Dabbler
Joined
Sep 16, 2021
Messages
11
So the default gateway thing is true, for the host.

Here's what I found out...

TrueNAS, for whatever reason, doesn't seem to play nice with tagged and untagged traffic on the same interface.

So what I did was, from my switch, I'm just straight trunking over all of the VLANs that I'm using on TrueNAS, with no native VLAN.

Then, for TrueNAS, for the VLAN the host is on, set up the global gateway and DNS.

Next, you want to strip the IP address off of the LAGG or network interface, and make sure DHCP isn't enabled.

Then create VLAN interfaces for every VLAN you're trunking over, with the appropriate VLAN tag. No IP address on these interfaces, and the LAGG or NIC as the parent interface.

And finally, create a bridge interface for each VLAN interface you previously created. The one VLAN you want TrueNAS on, give that one the IP address or enable DHCP. I would name them with the VLAN tags for easy reference, e.g. bridge20.

Afterwards, all of your jails and VMs will then need to be set to use the appropriate bridge interface as their host NIC. For VMs that is straightforward: the bridges will all be in the drop-down list. For jails, in network properties, you'll need to set the interfaces to vnet0:bridge<X>, where <X> would be the VLAN number if you followed my suggestion for naming the bridge interfaces.

For each jail and VM, they should then be on their appropriate VLANs as if they were plugged directly into an appropriate switch port, and will route to their own default gateways.

Interesting, I will mess with that this weekend, and, if it is okay with you, move this to a direct conversation to avoid taking the thread off topic.

As I feel this authentication issue with Windows 11 is a really important topic, for domain users at least, since the OS is releasing early next month.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
No, my desktop and laptop are not currently domain joined. I'm logged in with MS accounts on both and using domain accounts to access network shares/resources. Though I'm tempted to now spin up a Windows 11 VM, domain join it, and test share access. But since my TrueNAS server is also domain joined, I'd expect, based on the behavior of all of my Windows Server systems, that it'd use Kerberos to authenticate and not present the NTLM issue.


In this case (logged in with an MS account and trying to authenticate with AD creds) the client will most likely attempt NTLMv2 for auth.
 

Nightbored

Dabbler
Joined
Sep 16, 2021
Messages
11
Started troubleshooting based on previous conversation with @Vertigo 7

System setup:
Fresh install of Windows 11 Preview EN-US 22000.iso

Group policy being tested is
Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level.
Setting to default: Not Defined
Setting to: NTLMv2 response only

Test 1
Offline account, no GPO changes, not on domain.
Result
Able to connect to share via UNC \\hostnameinDNS\ShareInQuestion

Test 2
Microsoft account, no GPO changes, not on domain.
Result
Able to connect to share via UNC \\hostnameinDNS\ShareInQuestion

Test 3
Domain account, no GPO changes beyond domain GPO for drive maps etc.
Result
Able to connect to share via UNC \\hostnameinDNS\ShareInQuestion, and my shared drives defined in group policy mapped just fine.
This is consistent with my experience on my laptop: everything used to work, then stopped after a little while.

Test 4
Remove security group policy from laptop, and restart a few times after gpupdate to see if drive connection breaks.
Delete the registry entry (DWORD) LmCompatibilityLevel under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa and reboot.
Result
I had to restart a whole bunch of times, as my system was failing gpupdates after removing the registry key due to an AD and SYSVOL version mismatch.
That said, after about 3 restarts, running gpupdate /force after each one, everything is in working order and I still have access to my drives.

I cannot explain why the mapping works, then at some point stopped, and setting the key to NTLMv2 and rebooting a few times fixed it, and then undoing it all kept the share working...

I ended up not testing TrueNAS connected to the domain with a domain account, as the shares were working for a fresh install of Windows on the domain without TrueNAS being domain joined.
 

Nightbored

Dabbler
Joined
Sep 16, 2021
Messages
11
Started troubleshooting based on previous conversation with @Vertigo 7

System setup:
Fresh install of Windows 11 Preview EN-US 22000.iso

Group policy being tested is
Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level.
Setting to default: Not Defined
Setting to: NTLMv2 response only

Test 1
Offline account, no GPO changes, not on domain.
Result
Able to connect to share via UNC \\hostnameinDNS\ShareInQuestion

Test 2
Microsoft account, no GPO changes, not on domain.
Result
Able to connect to share via UNC \\hostnameinDNS\ShareInQuestion

Test 3
Domain account, no GPO changes beyond domain GPO for drive maps etc.
Result
Able to connect to share via UNC \\hostnameinDNS\ShareInQuestion, and my shared drives defined in group policy mapped just fine.
This is consistent with my experience on my laptop: everything used to work, then stopped after a little while.

Test 4
Remove security group policy from laptop, and restart a few times after gpupdate to see if drive connection breaks.
Delete the registry entry (DWORD) LmCompatibilityLevel under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa and reboot.
Result
I had to restart a whole bunch of times, as my system was failing gpupdates after removing the registry key due to an AD and SYSVOL version mismatch.
That said, after about 3 restarts, running gpupdate /force after each one, everything is in working order and I still have access to my drives.

I cannot explain why the mapping works, then at some point stopped, and setting the key to NTLMv2 and rebooting a few times fixed it, and then undoing it all kept the share working...

I ended up not testing TrueNAS connected to the domain with a domain account, as the shares were working for a fresh install of Windows on the domain without TrueNAS being domain joined.

My recommendation, if you are unable to connect to your shares via SMB:

Set Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level to "NTLMv2 response only".

Then reboot the system and run gpupdate until the shares map again.

Then delete the registry entry (DWORD) LmCompatibilityLevel under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa.
This will set the policy back to Not Defined.

Then reboot the system and run gpupdate until you receive a successful gpupdate; based on my testing, the drive mapping will continue to work.

As @Vertigo 7 mentioned, setting group policy to NTLMv2 response only long term is a non-solution given its vulnerabilities.

I will update this forum should I run into any drive mapping issues in the future with my Windows 11 laptop.
 

Nightbored

Dabbler
Joined
Sep 16, 2021
Messages
11
So the default gateway thing is true, for the host.
Then create VLAN interfaces for every VLAN you're trunking over, with the appropriate VLAN tag. No IP address on these interfaces, and the LAGG or NIC as the parent interface.

And finally, create a bridge interface for each VLAN interface you previously created. The one VLAN you want TrueNAS on, give that one the IP address or enable DHCP. I would name them with the VLAN tags for easy reference, e.g. bridge20.

Alright, so I feel a little silly for two reasons.

First, for the Ubuntu server I tried starting yesterday, I connected bxe1 and then set up the VLAN on the system, something I usually never do in Proxmox, as that gives the system access to other VLANs should it become compromised.

So, I set up the VLAN the same way I have the host VLAN set up, and read this message regarding new link aggregations.

[attached screenshot: 1631905489006.png]


On the off chance that for some reason a new VLAN could not become active immediately (as with Proxmox; I think they give you the option to restart interfaces as long as you have ifupdown2 installed, which it is by default), I restarted the NAS, and after that my VMs started talking on the VLAN no problem. :D

For posterity, here is my setup. It is so obvious to me to set up a VLAN and connect it as the NIC, as that is what Proxmox does with containers, but the rebooting is what got me, lol.

[attached screenshot: 1631905797025.png]
 

Vertigo 7

Explorer
Joined
May 8, 2021
Messages
78
You need the bridge interfaces too, especially if you're going to have more than 1 thing (jail, VM, TrueNAS host, or any combination thereof) sharing that VLAN interface. The "bridge" interface is a virtual switch and is important for the network stack. The parent interfaces for the bridges are the VLAN interfaces.

In logical order, it's NIC -> LAGG (if using LAGG) -> VLAN -> Bridge -> OS
 

Nightbored

Dabbler
Joined
Sep 16, 2021
Messages
11
You need the bridge interfaces too, especially if you're going to have more than 1 thing (jail, VM, TrueNAS host, or any combination thereof) sharing that VLAN interface. The "bridge" interface is a virtual switch and is important for the network stack. The parent interfaces for the bridges are the VLAN interfaces.

In logical order, it's NIC -> LAGG (if using LAGG) -> VLAN -> Bridge -> OS

I did not see the need for a bridge, as in my network every VM/server gets its own VLAN.
I am also confused how you would use a bridge in this context, as it is my understanding that a bridge bridges two or more interfaces together.

So, in this instance, what would you bridge the VLAN with? You cannot bridge it with the interface bxe1, as that is the parent, and the OS is not an interface...
 

Vertigo 7

Explorer
Joined
May 8, 2021
Messages
78
They're not a bridge in the same sense as bridging NICs in Windows. They are literally virtual switches. They allow L2 packet switching so that multiple things can use a common interface. Though you technically can bridge 2 interfaces, I don't know why you would want to. But switching is their primary function.

I don't know why in Unix/Linux that's called a bridge, but it is. It'd make more sense to me if it were just called 'vswitch'.

And what I mean by OS, is the endpoint, be it the TrueNAS host OS, Jail OS, or a VM OS.

Here's one of the bridges I'm using:
[attached screenshot: J3Q7ddy.png]

Using this interface, I can put as many jails or VMs on VLAN 7 as I wish.
 

Pacoboyd

Cadet
Joined
Mar 10, 2016
Messages
1
Just wanted to share that I just ran into this issue on Server 2019 and 2022. Turns out there is a setting that restricts access to guest shares by default that I needed to adjust. I assume this would be the same for Windows 11. Hope this helps some folks.

gpedit -> Computer Configuration-> Administrative Templates -> Network -> Lanman Workstation -> Enable insecure guest logon -> Enable
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Just wanted to share that I just ran into this issue on Server 2019 and 2022. Turns out there is a setting that restricts access to guest shares by default that I needed to adjust. I assume this would be the same for Windows 11. Hope this helps some folks.

gpedit -> Computer Configuration-> Administrative Templates -> Network -> Lanman Workstation -> Enable insecure guest logon -> Enable
Yes, we probably need to deprecate SMB "guest" shares in TN. They just don't work as expected anymore because the world has moved on from insecure authentication methods.
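The two client-side settings this thread toggles, the LAN Manager authentication level that @Nightbored tested and the "Enable insecure guest logon" policy that @Pacoboyd mentioned, can both be read back from the Windows client before and after a gpupdate. The script below is an added example, not code from the thread or from TrueNAS; it assumes an elevated Windows PowerShell 5.1 session on Windows 10/11 or Server 2016 and later, reads the effective values from CurrentControlSet (the thread edits ControlSet001 directly, which is usually but not always the booted control set), and decodes them using the option names from the Group Policy editor. The `Get-SmbClientConfiguration` and `Get-SmbConnection` cmdlets are standard on those Windows versions; the comment about the OS default when the value is absent (level 3, NTLMv2 only, since Windows 7 / Server 2008 R2) is Microsoft's documented default and is noted as such.

```powershell
# Added diagnostic example (not from the thread): read and decode the NTLM
# authentication level and the insecure-guest-logon setting on a Windows client.
# Assumes Windows 10/11 or Server 2016+ and an elevated Windows PowerShell session.

# Option names as shown in the Group Policy editor for
# "Network security: LAN Manager authentication level".
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-NtlmAuthLevel {
    # CurrentControlSet is the control set actually booted; the thread edits
    # ControlSet001 directly, which is usually, but not always, the same one.
    $level = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel'
    if ($null -eq $level) {
        # No value means the policy is "Not Defined"; Windows 7 / Server 2008 R2
        # and later then behave as level 3 (NTLMv2 response only).
        return [pscustomobject]@{ Level = $null; Meaning = 'Not Defined (OS default, behaves as level 3)' }
    }
    return [pscustomobject]@{ Level = $level; Meaning = $LmLevelNames[$level] }
}

function Get-InsecureGuestLogonState {
    # Registry value written by the "Enable insecure guest logons" policy
    # (Computer Configuration -> Administrative Templates -> Network -> Lanman Workstation).
    $policy = Get-RegistryDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' -Name 'AllowInsecureGuestAuth'
    # What the SMB client is actually using right now.
    $effective = (Get-SmbClientConfiguration).EnableInsecureGuestLogons
    return [pscustomobject]@{ PolicyValue = $policy; Effective = $effective }
}

$auth  = Get-NtlmAuthLevel
$guest = Get-InsecureGuestLogonState

$levelText = if ($null -eq $auth.Level) { 'absent' } else { $auth.Level }
$policyText = if ($null -eq $guest.PolicyValue) { 'not set by policy' } else { $guest.PolicyValue }

'LmCompatibilityLevel      : {0} ({1})' -f $levelText, $auth.Meaning
'AllowInsecureGuestAuth    : {0}' -f $policyText
'EnableInsecureGuestLogons : {0}' -f $guest.Effective

if ($null -ne $auth.Level -and $auth.Level -lt 3) {
    'WARNING: client may send LM/NTLMv1 responses; a Samba server at its default (ntlm auth = ntlmv2-only) will reject them.'
}
if ($guest.Effective) {
    'WARNING: insecure guest logons are enabled; a guest SMB session has no session key, so it cannot be signed or encrypted.'
}

# Which shares are currently mounted, with which SMB dialect and account.
Get-SmbConnection | Select-Object ServerName, ShareName, UserName, Dialect | Format-Table -AutoSize
```

Run it once before the gpupdate/reboot cycle described above and once after, and compare the two outputs: if the mapping only works while LmCompatibilityLevel reads 3 and breaks when the value is absent, the client is not actually falling back to the documented default, which is a policy-application problem rather than a TrueNAS one. The guest-logon warning reflects anodos's point: enabling insecure guest logons makes the share reachable again, but only by giving up the signing and encryption that an authenticated session provides, so the durable fix is an authenticated share rather than a guest one.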
 