Complete Guide: Step 8 - Setup Proxmox Firewall
First, in TrueNAS go to Services -> NFS and pin the NFS helper daemons (mountd, rpc.statd and rpc.lockd) to fixed ports. This guide uses 55000 to 55002, which the firewall rules below assume; any unused ports will do, as long as the firewall rules match. Without fixed ports these daemons pick a different port at every start, so they cannot be firewalled reliably.
Now you’re ready to configure your Proxmox firewalls.
Before you start, establish an SSH session to your Proxmox node and keep it open while you turn on the firewall. Incorrect firewall settings can lock you out of Proxmox management and its VMs; the pre-established SSH session lets you disable the firewall and fix the rules.
Refer to the Proxmox Firewall documentation to get a general understanding on how Proxmox firewall works.
We will set up the rules first, starting with the NAS VM. In the Proxmox UI, select the NAS VM and go to Firewall -> IPSet, then create the following sets. They define your clients, i.e. which computers may reach which services:
- admin. The IP addresses/networks that may reach the TrueNAS web UI.
- cifs. The IP addresses/networks that may use the Windows (SMB/CIFS) shares.
- nfs. The IP addresses/networks that may use NFS.
You can create more sets if needed (e.g. for AFP or iSCSI). AFP has largely been replaced by SMB, and on my setup iSCSI performed worse than NFS, so these three sets cover most home deployments.
For each set, add the IP addresses or networks that belong in it. E.g. add your main computer's IP (or its subnet) to all three sets.
Because the Proxmox firewall matches on IP addresses and subnets, give every important client a fixed address, ideally via a DHCP reservation, so a lease change does not silently lock it out.
Here are the firewall rules for the NAS VM. Ports 55000 to 55002 are the NFS ports pinned in TrueNAS earlier.
Rules 1 and 9 restate the default policies (drop all incoming, accept all outgoing). Although the same policies are already set under the VM's Firewall -> Options, in my experience they do not always take effect, and adding the two rules explicitly works around that. A future version of Proxmox may fix this, but I wouldn't count on it. Rules are evaluated top to bottom and the first match wins, so the explicit "drop all incoming" rule must sit below every accept rule, or it will block the shares as well.
Next, lock down the Proxmox management UI itself so that only certain IPs can reach it. Go to Datacenter -> Firewall -> IPSet and create two sets:
- allowedhosts. The clients that may reach Proxmox management (web UI and SSH). This is separate from access to the NAS. Add your workstation IP (or subnet) to this set.
- proxmox. The IP address of your Proxmox node only. Putting the node in an IPSet now means you can grow a single node into a multi-node cluster later without rewriting rules.
With these two sets in place, add the datacenter firewall rules.
If you plan to expand into a Proxmox cluster, also add the following two rules, which reference the proxmox set. Adding a node then only requires adding its IP to the proxmox IPSet.
Now you’re ready to turn on the Proxmox firewall. You’ll need to enable Firewall from the top level down.
- Under Datacenter -> Firewall -> Options. Firewall needs to be checked (enabled). Leave everything else as the default.
- Under Node (Server) -> Firewall -> Options. Firewall needs to be checked (enabled). Leave everything else as the default.
- Under Node -> NAS Virtual Machine -> Firewall -> Options. Firewall needs to be checked (enabled). Leave everything else as the default.
- Under Node -> NAS Virtual Machine -> Hardware. Edit each network device that should be filtered and tick Firewall. Leave everything else as the default.
All four switches need to be on, or nothing will be filtered. Then verify that the rules behave as intended, testing from a host outside each set as well as from one inside it:
- Only the IPs/subnets in the datacenter IPSet "allowedhosts" can reach the Proxmox management UI. Note that Proxmox also auto-allows management traffic from its built-in local_network alias (the detected management subnet by default); run pve-firewall localnet on the node to see what it covers, and narrow the alias in the datacenter firewall if it is wider than you want.
- Only the IPs/subnets in the NAS IPSet "admin" can reach the TrueNAS management UI.
- Only the IPs/subnets in "cifs" or "nfs" can reach the shares (assuming the share permissions in TrueNAS are also configured correctly).
If everything works, congratulations: your NAS traffic is now filtered at the hypervisor, independently of the guest OS. If there are problems, go to your pre-established SSH session and run the following command to disable the Proxmox firewall.
Go through the rules, find what is wrong, then re-enable the firewall and test again.
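As an added example (not from the original guide), here is the whole procedure above as a shell script a practitioner could run on the node. It writes the datacenter and NAS VM firewall files in the format Proxmox stores under /etc/pve/firewall, compiles them with pve-firewall compile to catch typos, and starts the firewall behind a systemd safety timer that stops it again unless you disarm it, complementing the open SSH session. The subnets, the node IP, VMID 100 and the port list are assumptions (80/443 for the TrueNAS UI, 445 for SMB, 111/2049 plus the pinned 55000-55002 for NFS); adjust them to your setup, and preview the generated files with FW_DIR=/tmp/fw-preview before writing the real ones.

```shell
#!/bin/sh
# Added example, not part of the original guide: write the Proxmox firewall
# files the text describes, sanity-check them, and turn the firewall on behind
# a safety timer so a bad rule cannot lock you out for more than a few minutes.
#
# Everything marked "assumed" is a placeholder: use your own subnets, the VMID
# of your TrueNAS VM and the NFS ports you pinned in TrueNAS. Preview with
# FW_DIR=/tmp/fw-preview first; the live directory is /etc/pve/firewall.
set -eu

FW_DIR="${FW_DIR:-/etc/pve/firewall}"
NAS_VMID="${NAS_VMID:-100}"                 # assumed VMID of the NAS VM
ADMIN_NET="${ADMIN_NET:-192.168.10.0/24}"   # assumed: admin workstations
CIFS_NET="${CIFS_NET:-192.168.10.0/24}"     # assumed: SMB clients
NFS_NET="${NFS_NET:-192.168.20.0/24}"       # assumed: hosts that mount NFS
PVE_NODES="${PVE_NODES:-192.168.1.10}"      # assumed node IPs, space separated
NFS_FIXED="${NFS_FIXED:-55000:55002}"       # mountd/statd/lockd ports from TrueNAS

# Datacenter level: cluster.fw (IPSets allowedhosts and proxmox, management rules)
write_cluster_fw() {
  dir=$1
  first_node=${PVE_NODES%% *}
  {
    printf '[OPTIONS]\nenable: 1\npolicy_in: DROP\npolicy_out: ACCEPT\n\n'
    # Proxmox auto-generates rules admitting API, SSH and corosync from the
    # built-in local_network alias (the detected management subnet by default,
    # see `pve-firewall localnet`). Narrow it so the allowedhosts rule decides.
    printf '[ALIASES]\nlocal_network %s # this node only\n\n' "$first_node"
    printf '[IPSET allowedhosts] # clients allowed to reach Proxmox UI and SSH\n%s\n\n' "$ADMIN_NET"
    printf '[IPSET proxmox] # every Proxmox node, ready for clustering\n'
    for ip in $PVE_NODES; do printf '%s\n' "$ip"; done
    printf '\n[RULES]\n'
    printf 'IN ACCEPT -source +allowedhosts -p tcp -dport 8006 -log nolog # web UI\n'
    printf 'IN SSH(ACCEPT) -source +allowedhosts -log nolog\n'
    printf 'IN ACCEPT -source +proxmox -log nolog # node to node: corosync, migration\n'
    printf 'OUT ACCEPT -dest +proxmox -log nolog\n'
  } > "$dir/cluster.fw"
}

# Guest level: <vmid>.fw for the NAS VM (IPSets admin, cifs, nfs)
write_vm_fw() {
  dir=$1
  vmid=$2
  {
    printf '[OPTIONS]\nenable: 1\npolicy_in: DROP\npolicy_out: ACCEPT\n\n'
    printf '[IPSET admin] # may reach the TrueNAS web UI\n%s\n\n' "$ADMIN_NET"
    printf '[IPSET cifs] # may use SMB shares\n%s\n\n' "$CIFS_NET"
    printf '[IPSET nfs] # may use NFS shares\n%s\n\n' "$NFS_NET"
    printf '[RULES]\n'
    printf 'IN ACCEPT -source +admin -p tcp -dport 80,443 -log nolog # TrueNAS UI\n'
    printf 'IN ACCEPT -source +cifs -p tcp -dport 445 -log nolog # SMB\n'
    # NFSv4 only needs 2049; NFSv3 also needs rpcbind (111) and the pinned ports.
    printf 'IN ACCEPT -source +nfs -p tcp -dport 111,2049,%s -log nolog # NFS\n' "$NFS_FIXED"
    printf 'IN ACCEPT -source +nfs -p udp -dport 111,2049,%s -log nolog\n' "$NFS_FIXED"
    printf 'IN ACCEPT -p icmp -log nolog # keep ping working for troubleshooting\n'
    # Explicit restatement of the default policies; the catch-all drop must be
    # last, because rules are matched top to bottom and the first match wins.
    printf 'IN DROP -log nolog\nOUT ACCEPT -log nolog\n'
  } > "$dir/$vmid.fw"
}

# Compile the rule set without loading it: a typo in a .fw file shows up here
# as a parse error instead of as a lockout later.
check_rules() { pve-firewall compile; }

# Start the firewall, but first arm a transient systemd timer that stops it
# again after N minutes. Disarm the timer once the UI and shares still work.
enable_with_deadman() {
  minutes=${1:-10}
  systemd-run --on-active="${minutes}m" --unit=pve-fw-deadman pve-firewall stop
  pve-firewall start
  echo "firewall running; disarm with: systemctl stop pve-fw-deadman.timer"
}

case "${1:-}" in
  generate)
    mkdir -p "$FW_DIR"
    write_cluster_fw "$FW_DIR"
    write_vm_fw "$FW_DIR" "$NAS_VMID"
    echo "wrote $FW_DIR/cluster.fw and $FW_DIR/$NAS_VMID.fw" ;;
  check)   check_rules ;;
  enable)  enable_with_deadman "${2:-10}" ;;
  disable) pve-firewall stop ;;  # the recovery step, from the pre-opened SSH session
  "")      : ;;                  # no verb: just define the functions (sourcing, tests)
  *) echo "usage: $0 generate|check|enable [minutes]|disable" >&2; exit 2 ;;
esac
```

Usage (the script name is assumed): `sh pve-nas-fw.sh generate`, review the two files, then `sh pve-nas-fw.sh check` and `sh pve-nas-fw.sh enable 10`; once the UI and the shares work from an allowed client and fail from one that is not, disarm the timer with `systemctl stop pve-fw-deadman.timer`, or let it fire and run `sh pve-nas-fw.sh disable` from the open SSH session if you are already locked out. The node-level switch and the per-NIC Firewall checkbox in the VM's Hardware tab (firewall=1 on the net device) are still set in the UI as the guide describes; without the NIC flag the guest rules are not applied to that interface. The script deliberately narrows the local_network alias because Proxmox's auto-generated rules otherwise admit API and SSH traffic from the whole detected management subnet regardless of the allowedhosts rule; compare with what pve-firewall localnet reports on your node.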
Adding a firewall layer may look like it would cost throughput. In about two months of testing, however, I have not noticed any performance loss, because my bottleneck is the 1 Gbps access network: the backbone is 10 Gbps, but the links to my IoT devices and work computers are still 1 Gbps. As such, this arrangement works really well.
If you want added security, you can also choose to install Suricata on the Proxmox host and send the NAS traffic through it for inspection. I skipped this step because my router already does this.