Anyone running pfSense w/ Synology NAS in Bridge Mode?

Discussion in 'Networking, Telephony & Internet' started by -Sk3tChY-, Jul 19, 2019.

  1. -Sk3tChY-

    -Sk3tChY- Member

    Joined:
    Oct 27, 2007
    Messages:
    3,950
    Location:
    NSW, In a house.
    I'm wanting to run pfSense as a VM within Synology's Virtual Machine Manager.

My idea is to dedicate LAN4 of the NAS as a WAN port for pfSense, so the physical setup would be as follows:

    VDSL Line > Vigor 130 in Bridge Mode > LAN4 of Synology NAS

    Logically, within VMM I have a virtual switch named "WAN" which bridges only to LAN4 of the NAS:

    Physical LAN4 of NAS <---> Virtual Switch Named WAN <---> Virtual NIC of pfSense VM

    ----------

    The biggest issue I am having right now is getting the WAN side of things to work within the pfSense VM.

    When I plug the bridged Vigor 130 into LAN4 of the Synology, with LAN4 set to DHCP in DSM, the NAS does indeed pick up an internet connection and the interface within DSM shows my internet IP address, gateway and DNS servers.

    I know the NAS itself is receiving an internet connection, because I can update the DSM software and packages without issue.

    This would be my first major concern. Wouldn't this mean my Synology NAS is completely exposed to the internet with absolutely no protection? It's directly connected to the bridged Vigor 130.

    ----------

    Anyway moving on, within the pfSense VM if I set the WAN port to DHCP I get no internet connection.

    This kind of makes sense to me, as my assumption is that the host (Synology DSM) is already acquiring the IP details using DHCP, which is how LAN4 in DSM is showing everything and why DSM can connect to the internet.

    I have tried setting the pfSense WAN interface to static and setting identical IP details to what's shown for LAN4 in DSM, but this also does nothing.

    ----------

    So at this stage, I'm a little stumped on what to do to try and get this setup to work.

    My guess is that you need a Hypervisor that can do some sort of "NIC Passthrough" stuff, so that it can just pass the raw network data through the Hypervisor NIC to the Virtual NIC?

    I have tried setting LAN4 to static with no IP details in DSM in the hope it might achieve this "passthrough" functionality, but you can't set the NIC to static without putting an IP + Subnet Mask.

    I know I could just take the Vigor 130 out of Bridge mode, have it acquire the internet connection and then use the Vigor's DHCP server to connect everything, but then the Vigor 130 will be doing some routing/security stuff, when I really just want it to act as a bridged modem to allow pfSense to do everything.

    ----------

Seems you can definitely set up a virtual pfSense with QNAP devices:
    https://www.qnap.com/en/how-to/tutorial/article/installing-pfsense-on-a-qnap-nas/

Also certain I've read countless articles on setting up a virtual pfSense in ESXi too.

    Just not sure if these are always DHCP connections from the modem rather than Bridged.

    Apologies if I'm missing something really obvious here.
     
  2. gdjacobs

    gdjacobs Member

    Joined:
    Apr 3, 2007
    Messages:
    1,455
    Location:
    MB, Canada
    This is definitely not right, but I'm not sure what the easiest way will be to fix it with DSM. Essentially, you don't want DHCP or static IP settings configured for LAN4 at the metal level. All frames should be transferred to the client VM in the virtual switch.

    The classic way to do this using a single network port is via VLANs. The overall technique is called network-on-a-stick. The main requirement is a VLAN capable switch.
     
3. -Sk3tChY- (OP)

    -Sk3tChY- Member

    Joined:
    Oct 27, 2007
    Messages:
    3,950
    Location:
    NSW, In a house.
    My thoughts exactly, hence the reason why I suspect the issue may be with DSM/VMM and the way they handle networking. What you've described is essentially what I was thinking when I said "NIC Passthrough" functionality.

    Within DSM it seems there is no way for me to set LAN4 to simply "passthrough" traffic to the Virtual switch/NIC.

I can only choose between DHCP or Static, and when I select Static I'm forced to put in IP details.

I understand the concept of VLANs, just not sure how an implementation would help me here?

    At the Bridged Modem level, I'm not sure if there's anywhere to set a VLAN ID on the LAN interface.

    At the DSM level I can enable VLAN (802.1Q) and set a VLAN ID on LAN4.

    At the Virtual Machine Manager level, I can set a VLAN ID on the Virtual Switch.

At the VM level, I don't see anywhere to set a VLAN ID within VMM, but within pfSense it seems you can set VLAN IDs in Interfaces > Interface Assignments > VLANs.

Is there anything potentially worthwhile trying with the VLAN stuff to try to get this to work?
     
  4. gdjacobs

    gdjacobs Member

    Joined:
    Apr 3, 2007
    Messages:
    1,455
    Location:
    MB, Canada
    You'd only use one port on the Synology for pfsense this way. The switch tags all packets into a WAN segment. It also tags anything into the LAN segment with a different tag number. One port should be assigned as a trunk for all vlans and fed into LAN 4 on the NAS.

    On the software side, you need a VLAN interface for LAN 4 with the WAN ID going into the WAN vswitch and a LAN vswitch being fed packets from a VLAN interface with the LAN id. Both of these go to pfsense at the VM level. If you have a choice, the VLAN interface for the LAN side could also be used for your DSM interface.

    What ethernet ports are currently assigned to the Default VM Network?
     
5. -Sk3tChY- (OP)

    -Sk3tChY- Member

    Joined:
    Oct 27, 2007
    Messages:
    3,950
    Location:
    NSW, In a house.
    I have 4 physical LAN ports on the Synology. I'd be more than happy to dedicate 2 of them to pfSense if need be - so not sure if we need to take the VLAN route?

Not sure how VLANs would help either, at this stage I'm literally just trying to get two interfaces to interact with each other - i.e. Physical LAN4 to passthrough traffic to virtual WAN NIC of pfSense.

    The problem I seem to be having is trying to figure out how to get LAN4 of DSM to just pass the traffic through to the virtual NIC.

Apologies in advance if these are basic questions, I've never actually set up VLANs before:

What/where/how would I go about setting up the VLANs?

    - Within DSM it looks like I can assign a single VLAN ID to the physical interface (LAN4).
    - Within VMM it looks like I can assign a single VLAN ID to the virtual switch (Named WAN which bridges only to LAN4 of the Synology)
    - Within VMM it doesn't look like I can set any VLAN ID to the virtual NIC on the pfSense VM
- Within the pfSense VM it looks like I can set up multiple VLAN IDs in Interfaces > Interface Assignments > VLANs

    I am guessing I could go in and apply a VLAN ID of 10 to:

    1. LAN4 in DSM
    2. WAN Virtual Switch in VMM
    3. WAN virtual NIC in pfSense

    But I'm not sure this would achieve anything, because in DSM I'd still need to set LAN4 to DHCP or Static IP.

    Also wouldn't I need to set a VLAN ID on the modem?

    The "Default VM Network" virtual switch bridges with a Bonded network interface within DSM which combines LAN1+LAN2+LAN3 with LAG. (BOND1)

    BOND1 connects to my physical Cisco SG300-10P switch which is configured with LAG. (LAG is working perfectly fine)

I have no issues with deleting this bond and dedicating LAN3 to the "Default VM Network" virtual switch. This way pfSense would have 2 dedicated LAN ports on the NAS and 2 virtual switches:

    WAN virtual switch, bridged with LAN4.
Default VM Network (LAN) virtual switch, bridged with LAN3.
     
  6. waltermitty

    waltermitty Member

    Joined:
    Feb 19, 2016
    Messages:
    1,004
    Location:
    BRISBANE
    Just buy a little router box thing to run pfSense IMO, virtualised routers are a PITA.
     
7. -Sk3tChY- (OP)

    -Sk3tChY- Member

    Joined:
    Oct 27, 2007
    Messages:
    3,950
    Location:
    NSW, In a house.
    Well part of this endeavor is seeing just how much valuable "stuff" I can get running off a single NAS box - being able to run pfSense securely and efficiently as a VM within the NAS would be awesome imo.

    Also not to mention, this means one less physical box is required, which is also pretty cool.

    This would also give me a chance to test and play around with pfSense before making any considerable investments in additional hardware.

    ----------

In an effort to just try and get things working, rather than set up the Vigor 130 in MPoA > Bridge Mode, I've set it to MPoA > Obtain IP Address Automatically.

    I've then gone into the DHCP client and set reservations for both the physical LAN4 NIC on the Synology (192.168.1.10) and the virtual NIC in the pfSense VM (192.168.1.2).

    I've then setup the DMZ to essentially allow all traffic to pass-through to 192.168.1.2.

    Haven't had a chance to connect this up yet, but my hope is that LAN4 will get 192.168.1.10 and pfSense will get 192.168.1.2 via DHCP and then the Vigor will just forward all internet traffic through to pfSense (192.168.1.2).

    Obviously not quite as clean and simple as a pure Bridge Mode connection, there would be some double-NAT and slightly more overhead, but I'm hoping I'll more-or-less achieve the same outcome as a purely bridged connection.
     
  8. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,855
I can't see a way in the Syn manual to configure switchports at all.
     
9. -Sk3tChY- (OP)

    -Sk3tChY- Member

    Joined:
    Oct 27, 2007
    Messages:
    3,950
    Location:
    NSW, In a house.
    In this instance I think it's a case of configuring the LAN interface (LAN4) from DSM to act as a pass-through to the virtual switch I create in Virtual Machine Manager.

    The options I have within DSM and VMM are very limited in terms of configuring the interface/vSwitch.

    Configuring the LAN interface within DSM only seems to allow me to select DHCP or Static and specify a VLAN ID:

[image]

There's also a section where I have to enable "Open vSwitch" which is needed to run VMM.

    Configuring the vSwitch in VMM basically just allows me to name it and select Private or External:

[image]

    External meaning it bridges with a LAN port on the NAS, private meaning it just stays within the VMM environment.
     
  10. gdjacobs

    gdjacobs Member

    Joined:
    Apr 3, 2007
    Messages:
    1,455
    Location:
    MB, Canada
    1. Yes
    2. Yes, I believe so. We can verify with Open VSwitch on the command line.
    3. No. We want the VSwitch layer to untag packets.

    You wouldn't need to set a VLAN ID on the modem if you use your switch to do the tagging.

    We can certainly do it that way. Not as cool, though. In either case, you're going to need a second VSwitch.

    If nothing else, we can log into a command line and see what VSwitch has everything configured as. That screenshot is as I would expect it.
     
11. -Sk3tChY- (OP)

    -Sk3tChY- Member

    Joined:
    Oct 27, 2007
    Messages:
    3,950
    Location:
    NSW, In a house.
For testing, I set up the Vigor to pick up the internet connection (MPoA, Obtain IP Address Automatically) and dole out DHCP addresses on the LAN port.

    Connected the Vigor LAN port to LAN4 of the Synology and obviously LAN4 picked up a DHCP address from the Vigor and connected to the internet just fine.

    LAN4 of the Synology is bridged to the vSwitch that the virtual WAN port is on for the pfSense VM.

Booted up the pfSense VM and it also did indeed pick up a DHCP address from the Vigor and had internet connectivity.

    Vigor LAN Port (DHCP Server) <--> Synology LAN4 Port (DHCP) <--> vSwitch --> Virtual WAN Port (DHCP)

Presumably, I could just set reservations in the Vigor 130 for LAN4 and the virtual WAN port on the pfSense VM and then set up the DMZ to blindly forward everything to the pfSense VM.

    My understanding is this isn't quite as clean and efficient as pure Bridging, but aside from the internal double-NAT and indistinguishable performance hit - it more or less achieves the same outcome.

Well for now I'm definitely keen to see if it's possible to somehow get the Bridged Vigor 130 + pfSense VM working, whether it be with VLANs or physical interfaces - simply getting it to work is the main goal for now.

    Would you have any suggestions on where/how to start?

    It seems my options from within DSM are fairly limited, as shown in my previous post.

If all we're focusing on for the moment is simply getting the WAN side of things to work within pfSense, do we need to do anything with the VLANs just yet? My guess is the VLAN stuff would only come into play if we're trying to do the WAN+LAN stuff through a single port.

    For the moment, I'd really like to try and see if we can get bridge mode working with pfSense.
     
  12. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,855
    try putting a dud static ip on the interface to stop it doing dhcp and letting pfsense do dhcp with your iso with vigor in bridge mode.

    Something unused in your lan 10.254.254.254/32 if it will allow or /30/31.

    Disable in proxy arp options as well.
     
  13. gdjacobs

    gdjacobs Member

    Joined:
    Apr 3, 2007
    Messages:
    1,455
    Location:
    MB, Canada
    I was also thinking of how to isolate the DSM admin port from external traffic. In any case, I recommend not having LAN 4 bridged to your VDSL line until you can confirm DSM admin is not accessible by it.

    Have you looked at the current open vswitch setup in command line to confirm everything is bridged correctly?
     
    Last edited: Jul 22, 2019
14. -Sk3tChY- (OP)

    -Sk3tChY- Member

    Joined:
    Oct 27, 2007
    Messages:
    3,950
    Location:
    NSW, In a house.
    Within DSM I'll set LAN4 to Static with an IP address of 10.254.254.254/32 as you've mentioned and let you know.

    I'm doubtful this will work, I don't see how it would be any different from setting the static to 192.168.1.10/24, but it's worth a shot.

    I noticed when trying the whole "Double-NAT" setup, I actually had to reboot everything in order for it to work. So might try doing that also.

    Within DSM? I don't see any option to do this anywhere with the WebGUI. :(

    Guessing I'd have to do something within the command line? (Trying to avoid making changes under the hood to ensure DSM stays working as expected.)

    Well first I need to see if I can even get bridge mode working.

    If I can, then I'll take a look at whether or not it exposes DSM directly to the internet.

    My initial hope was that DSM would do nothing more than simply pass the raw data through LAN4 > vSwitch > pfSense, where pfSense would then obtain the IP address and start managing the data.

    If this were the case, to my knowledge DSM would be completely secure/transparent.

    No, I haven't done anything outside of the DSM GUI to avoid breaking something.

    I'm more than happy to get into the command line though and issue a few commands to see the current setup. Would you know what commands I need to issue? Or where I could find them?
     
  15. gdjacobs

    gdjacobs Member

    Joined:
    Apr 3, 2007
    Messages:
    1,455
    Location:
    MB, Canada
    Absolutely. We can confine ourselves to listing the configuration.
    Code:
    ovs-vsctl show : Prints a brief overview of the switch database configuration.
    ovs-vsctl list-br : Prints a list of configured bridges
    ovs-vsctl list-ports <bridge> : Prints a list of ports on a specific bridge.
    ovs-vsctl list interface : Prints a list of interfaces.
    http://therandomsecurityguy.com/openvswitch-cheat-sheet/
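As an added example (not part of the thread, and not Synology's or Open vSwitch's own code), here is a small Python script that parses the text `ovs-vsctl show` prints and reports what shares the bridge carrying the WAN uplink. The sample output is constructed, and the bridge and port names (ovs_eth3, eth3, vnet0, ovs_bond1, bond1, vnet1) are assumptions about how DSM names things; substitute whatever your own `ovs-vsctl show` prints. The check it performs is the one that matters for the exposure question raised in this thread: the bridge's own internal port is the NAS's layer-3 attachment point, so an address configured on it is reachable from the uplink side of that bridge.

```python
"""Parse `ovs-vsctl show` output and list what shares the WAN-facing bridge.

Added example, not from the thread or from Synology. SAMPLE_OVS_SHOW is
constructed to mirror the layout discussed (physical LAN4 bridged to a vSwitch
that feeds the pfSense VM); names like ovs_eth3, eth3, vnet0 are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample, not captured from a real NAS. Older ovs-vsctl versions
# print names in double quotes, newer ones do not; the parser accepts both.
SAMPLE_OVS_SHOW = """\
f3a1c2d4-0000-4000-8000-000000000000
    Bridge "ovs_eth3"
        Port "ovs_eth3"
            Interface "ovs_eth3"
                type: internal
        Port "eth3"
            Interface "eth3"
        Port "vnet0"
            Interface "vnet0"
    Bridge ovs_bond1
        Port ovs_bond1
            Interface ovs_bond1
                type: internal
        Port bond1
            Interface bond1
        Port vnet1
            tag: 10
            Interface vnet1
    ovs_version: "2.5.0"
"""

# Matches the keyword lines we care about, with or without quotes around names.
LINE_RE = re.compile(r'^\s*(Bridge|Port|type|tag):?\s+"?([^"\s]+)"?\s*$')


def parse_ovs_show(text: str) -> Dict[str, Dict[str, dict]]:
    """Return {bridge: {port: {"type": str, "tag": str or None}}}."""
    bridges: Dict[str, Dict[str, dict]] = {}
    bridge = port = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, value = m.group(1), m.group(2)
        if kind == "Bridge":
            bridge, port = value, None
            bridges[bridge] = {}
        elif kind == "Port" and bridge is not None:
            port = value
            # "system" is what OVS uses when no explicit type is printed.
            bridges[bridge][port] = {"type": "system", "tag": None}
        elif kind == "tag" and bridge is not None and port is not None:
            bridges[bridge][port]["tag"] = value
        elif kind == "type" and bridge is not None and port is not None:
            bridges[bridge][port]["type"] = value
    return bridges


def audit_wan_bridge(bridges, wan_bridge: str, uplink: str, vm_port: str) -> List[str]:
    """Findings for the bridge that carries the WAN uplink.

    Expectation: only the physical uplink and the VM's virtual NIC sit on it.
    The bridge's internal port is the NAS's own layer-3 attachment point, so
    any address configured on it is reachable from the uplink side.
    """
    findings: List[str] = []
    ports = bridges.get(wan_bridge)
    if ports is None:
        return [f"bridge {wan_bridge} not found"]
    for required in (uplink, vm_port):
        if required not in ports:
            findings.append(f"expected port {required} is missing from {wan_bridge}")
    for name, attrs in ports.items():
        if attrs["type"] == "internal":
            findings.append(
                f"host port {name} shares {wan_bridge} with the uplink; "
                "an IP on it is reachable from the WAN segment")
        elif name not in (uplink, vm_port):
            findings.append(f"unexpected port {name} on {wan_bridge}")
    return findings


if __name__ == "__main__":
    parsed = parse_ovs_show(SAMPLE_OVS_SHOW)
    for bridge_name, bridge_ports in parsed.items():
        print(bridge_name, bridge_ports)
    for finding in audit_wan_bridge(parsed, "ovs_eth3", "eth3", "vnet0"):
        print("FINDING:", finding)
```

To use it against a real box, save the output of `ovs-vsctl show` to a file on the NAS and pass `open("ovs.txt").read()` to `parse_ovs_show` instead of the constructed sample; a clean result for the WAN bridge would be a single finding about the internal port, which is exactly the host address the rest of the thread is worried about.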
     
  16. danyell

    danyell Member

    Joined:
    Jan 20, 2003
    Messages:
    1,841
    Location:
    Kilsyth, 3137
    Sketchy you seem hellbent on this path but mate virtualised pfsense on your nas, whilst seemingly a good idea, is just a pita. No internet cos you're swapping out a disk? Upgrading? Rebooting cos something isn't responding? The power supply fails?

Get a dedicated unit that can handle pfsense and has multiple interfaces. Have an old router on hand as a backup that is configured similarly if the dedicated pfsense unit should happen to fail, so you can plug-out and plug-in in a matter of minutes.

    edit: configured similarly, not bloody considered
     
  17. gdjacobs

    gdjacobs Member

    Joined:
    Apr 3, 2007
    Messages:
    1,455
    Location:
    MB, Canada
    Even if it's not used for pfsense, knowing how to use VMM is still a good thing.
     
18. -Sk3tChY- (OP)

    -Sk3tChY- Member

    Joined:
    Oct 27, 2007
    Messages:
    3,950
    Location:
    NSW, In a house.
    Much appreciated! I'll be going through these things tonight and will update everyone on my findings then.

    Appreciate the input mate. Will definitely be looking to put the thing on a dedicated piece of hardware later on down the track.

    For now I really just want an opportunity to play around a bit with pfSense and do some initial testing before investing like $300 into a decent firewall appliance like a QOTOM/Protectli box.

    I'm also just curious as to how much I could get running on/through my Synology unit. It would be cool having my single Synology running everything. (Provided it could do it securely/efficiently of course.)
     
19. -Sk3tChY- (OP)

    -Sk3tChY- Member

    Joined:
    Oct 27, 2007
    Messages:
    3,950
    Location:
    NSW, In a house.
    A POSITIVE UPDATE:

    It seems I was able to get everything working as I wanted!

After getting the double-NAT setup to work (where I knew it should have worked), I noticed I ended up having to reboot things in order for the IP addresses to all get picked up correctly.

    When originally trying to get everything setup with the Vigor 130 in Bridge Mode, I never actually tried restarting the NAS or pfSense VM; so I thought - maybe I just needed to reboot things.

    So I gave Bridge Mode another shot.

    Configured the Vigor 130 as MPoA + Bridge Mode.

Tried setting the physical LAN4 port in DSM to 10.254.254.254/32, but it wouldn't allow me to (said the IP address is a broadcast address). I was able to set the LAN4 IP address to 10.254.254.254/31, so this is what I went with. (Although I'm guessing/sure setting this to any static address would be fine.)

    Set pfSense VM WAN interface to DHCP.

This time, I shut down everything: the Vigor 130, the NAS and obviously the pfSense VM.

    First I booted up the Vigor 130.
    Second I booted up the NAS.
    Third, I booted up the pfSense VM.

    After doing this, logged into pfSense and in the dashboard I finally saw my public IP address next to the WAN interface! Success! I also saw my ISP DNS servers listed second and third in the DNS Server(s) list.

    However, pfSense still didn't seem like it was able to connect to the internet. Enabled DHCP on the LAN interface and even though I was picking up a DHCP address from my client machines - they weren't able to get through to the internet.

    Did a little clicking around, looked at "Status > Gateways" and the Gateway said "Online" next to it, which I figured was good:

[image]

    Stumbled across "System > Routing > Gateways" by clicking on "Related Settings" and rather than leave Default Gateway as "Automatic" tried setting this to the "WAN_DHCP" Gateway:

[image]

    This seemed to do the trick and both pfSense and the DHCP clients were able to connect to the internet!

    So, finally, it seems I've been able to get the Vigor bridging with the pfSense VM.

    Which brings me to my biggest question/concern - with this setup, is my Synology NAS actually being exposed directly to the internet in any way? Is there any security risk I should consider?

    As far as I know, the physical LAN4 interface is configured to a completely different network, so someone shouldn't be able to access 10.254.254.254/31 from my public IP address which is on a completely different network (XX.XXX.XXX.XXX/20).

    Many thanks for everyone that made an effort to assist up to this point. Quite happy I've managed to get this working - I can experiment with a few things in pfSense now. :)
     
  20. gdjacobs

    gdjacobs Member

    Joined:
    Apr 3, 2007
    Messages:
    1,455
    Location:
    MB, Canada
Someone could technically configure themselves to a complementary private IP and begin attempting to log in (as long as your ISP doesn't black hole route the three IETF private ranges). The ideal method is to leave that interface unconfigured at the bare metal level, but that seems to not be an option through the web UI.
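As an added example (not from the thread), the script below puts a number on the point made in this reply and on the earlier question about whether 10.254.254.254/31 on LAN4 leaves the NAS reachable. It uses Python's standard `ipaddress` module with the addresses the thread mentions (10.254.254.254/31 and /32 on LAN4, 192.168.1.10/24 from the double-NAT test) and constructed peer addresses, and lists the addresses a device on the same layer-2 segment could give itself to reach the NAS without any router, and therefore without any ISP filtering of private ranges, in the path.

```python
"""How exposed is an address that sits on the WAN-facing bridge?

Added example, not from the thread. It uses the addresses the thread mentions
(10.254.254.254/31 on LAN4, 192.168.1.10/24 from the double-NAT test) plus
constructed peer addresses, to show what a device on the same layer-2 segment
could reach without any router in the path.
"""
import ipaddress
from typing import List


def on_link_peers(host_cidr: str) -> List[str]:
    """Addresses a device on the same segment could assign itself and then
    reach host_cidr directly (no routing, so ISP filtering of private ranges
    does not come into play)."""
    iface = ipaddress.ip_interface(host_cidr)
    net = iface.network
    # /31 (RFC 3021 point-to-point) and /32 have no reserved network/broadcast
    # addresses, so every address in the prefix is usable.
    candidates = net.hosts() if net.prefixlen < 31 else iter(net)
    return [str(a) for a in candidates if a != iface.ip]


def directly_reachable(host_cidr: str, peer_addr: str) -> bool:
    """True if a peer configured with peer_addr shares the host's subnet, i.e.
    the host would answer it without consulting a gateway."""
    iface = ipaddress.ip_interface(host_cidr)
    peer = ipaddress.ip_address(peer_addr)
    return peer != iface.ip and peer in iface.network


def exposure_summary(host_cidr: str) -> str:
    """One-line report of how many on-link peer addresses exist for host_cidr."""
    peers = on_link_peers(host_cidr)
    if not peers:
        return f"{host_cidr}: no on-link peer address exists"
    shown = ", ".join(peers[:3]) + (", ..." if len(peers) > 3 else "")
    return f"{host_cidr}: {len(peers)} on-link peer address(es): {shown}"


if __name__ == "__main__":
    for cidr in ("10.254.254.254/32", "10.254.254.254/31", "192.168.1.10/24"):
        print(exposure_summary(cidr))
    # Constructed peer address: the other half of the /31.
    print(directly_reachable("10.254.254.254/31", "10.254.254.255"))
```

The /31 narrows the on-link exposure to a single address (10.254.254.255) rather than removing it; a /24 leaves 253. Only a /32 leaves no peer address at all, which is what DSM refused to accept earlier in the thread, so the remaining options are the one given in this reply (no host address on that bridge) or restricting which DSM services are reachable on that interface.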
     
