Any issues with VMs in QNAP for vital services (UTM)

QNAP NAS solution for server virtualization and clustering/HA/FT
shazoom
New here
Posts: 7
Joined: Fri Dec 30, 2016 1:22 am

Any issues with VMs in QNAP for vital services (UTM)

Post by shazoom » Mon Jan 23, 2017 11:53 pm

I've set up a VM running ClearOS and it's the router/firewall/DHCP/IDS/DNS/QOS/proxy... on a TS-453A. It's live and working fine so far.

I've explained what I've done here: https://shaz00m.wordpress.com/2017/01/23/a-weird-science-experiment-with-utm-vm-and-nas/. And here is a diagram from that post which covers the most important details: [image]

What I'd really like to know is: have any of you come across any issues with important services running in VMs on QTS 4.2?

dolbyman
Guru
Posts: 14696
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Any issues with VMs in QNAP for vital services (UTM)

Post by dolbyman » Tue Jan 24, 2017 12:10 am

Issues like ..? .. performance..security .. reliability ?

shazoom
New here
Posts: 7
Joined: Fri Dec 30, 2016 1:22 am

shazoom

Post by shazoom » Tue Jan 24, 2017 1:55 am

Well thanks for the sarcasm.

I don't think performance will be an issue. The QNAP has a lot of CPU and RAM, up to 2 cores are available and 1 GB ram, plenty for a router doing a few other light services. With at least 2 more cores free to do other stuff I don't think host services will suffer either.

Nobody is making drive by hacks for this kind of odd setup and I doubt anybody who could exploit it would be willing to put the time in. Even identifying what's running on the WAN port might be a challenge; trivial investigations don't tell you much (nmap reports ports are filtered and gives up.)

The issue is reliability of course.

razormoon
Easy as a breeze
Posts: 457
Joined: Fri Feb 13, 2015 5:05 am
Location: Denver, CO

Re: shazoom

Post by razormoon » Tue Jan 24, 2017 7:59 am

shazoom wrote:Well thanks for the sarcasm.

I don't think performance will be an issue. The QNAP has a lot of CPU and RAM, up to 2 cores are available and 1 GB ram, plenty for a router doing a few other light services. With at least 2 more cores free to do other stuff I don't think host services will suffer either.

Nobody is making drive by hacks for this kind of odd setup and I doubt anybody who could exploit it would be willing to put the time in. Even identifying what's running on the WAN port might be a challenge; trivial investigations don't tell you much (nmap reports ports are filtered and gives up.)

The issue is reliability of course.


Well, dolbyman was simply trying to get a scenario as your OP was oddly vague (maybe it was the punctuation that made it seem sarcastic...?)...almost as if you were just 'showing off' what you're having the NAS do. Your description and provided image was much more descriptive than the question you finally asked. What service? Active Directory? A domain? A specific feature of your UTM?

I myself am running pfSense on a VM along with snort IPS and pfBlockerNG with an extensive collection of both DNS and IP BLs. I've been running it a very long time. Never had an issue. Not with speed nor functionality.
My Windows Server also runs in tandem with AD DC from a VM. All absolutely trouble free.
I also run Sophos once in a while for testing and will leave it on for days or weeks. It gets a little slow on the transparent cache, but only because I gave it 2 cores and 4 GB of RAM (which is what pfSense gets as well).
I'm not sure if this is what you were asking for?
:!: TVS-871-i7-16G 4.3.3.0136 Build 20170228, KODI, WSE 2012 r2, pfSense
:?: 1 x KINGSTON SNV325S2 as 2mb block cache, WDC WD40EFRX as RAID5, 1 x WDC WD40EFRX as iSCSI
:arrow: pfSense 2.3.3 (PPPoE), snort, pfBlockerNG, PIA OpenVPN client and server
:idea: CyberPower 1500VA
:-0 WIKI SUPPORT

"Nothing is impossible. Only expensive, illegal or both."

dolbyman
Guru
Posts: 14696
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Any issues with VMs in QNAP for vital services (UTM)

Post by dolbyman » Tue Jan 24, 2017 9:02 am

yup no sarcasm intended, simply put, I don't know what issues you would be referring to

why would this application have issues of any kind ?

shazoom
New here
Posts: 7
Joined: Fri Dec 30, 2016 1:22 am

Re: Any issues with VMs in QNAP for vital services (UTM)

Post by shazoom » Tue Jan 24, 2017 9:58 am

@razormoon I wasn't trying to show off and I really didn't mean to sound sarcastic. I wanted to write an abstract of what I'd done and if anybody was interested there is a lot more information on my wordpress. Your comments on Sophos are interesting, especially as you've got a workstation class CPU in your NAS (@dolbyman looks like I might be expecting too much of my little Celeron.) The core services I need are: firewall, NAT, DHCP server and better handling of interaction with the ISP's DHCP. I needed to log in and renew the lease manually every couple of days. I'd like some traffic reporting, VPN and QOS too.

@dolbyman sorry, I shouldn't have taken your comments that way and it seems you may have taken your cue from me anyway.

The main thing which occurred to me was how well does virtual station handle improper shutdown. I wonder if anybody has experienced VM corruption.

I wanted to know if anybody had done this sort of thing with their NAS, or set up a database or anything else vital, and wondered what their general experience was. For example, last night I rebooted the NAS to see if everything came up and found the virtual switches were reconfigured. The NAS saw the external IP, on eth0 in the diagram, and grabbed it. Normally I like to leave settings in their default but I needed to specify the default gateway, reconfigure the virtual switches and network settings in ClearOS. It reboots and resumes the VM correctly, even if it does take a few minutes to get up and running.

shazoom
New here
Posts: 7
Joined: Fri Dec 30, 2016 1:22 am

shazoom

Post by shazoom » Sun Jan 29, 2017 1:00 am

If anybody else is considering running a UTM on their NAS I can share my experience a week in.

No problems to speak of after the teething issue I noted with the default gateway on the NAS. ClearOS has been very easy to set up and use and every option I've wanted to use has been free. I was planning on evaluating Sophos and Untangled, but while I don't really object to paying $50 a year for Untangled, I've had so few real issues with ClearOS (finding where things are in the menu system took a while, as some features which I expect require a package to be installed from their marketplace) that I don't plan on looking any further.

Currently, I'm running:
* ClearOS's own dynamic DNS client
* Squid
* Snort
* OpenVPN
* DHCP Server, DNS Server, NTP Client

OpenVPN has quite an impact. It seems to increase CPU on the host by about 10% with up to 2 cores and 2GB of RAM given over.

razormoon
Easy as a breeze
Posts: 457
Joined: Fri Feb 13, 2015 5:05 am
Location: Denver, CO

Re: Any issues with VMs in QNAP for vital services (UTM)

Post by razormoon » Sun Jan 29, 2017 2:41 am

shazoom wrote:If anybody else is considering running a UTM on their NAS I can share my experience a week in.


No offense taken and my apologies if I were brash myself. If you're itching for misunderstandings, this is the place to be. :lol:

So...speaking to my pfSense VM (and never mind the Win Server) it runs much smoother and more efficiently than Sophos as far as RAM and CPU usage are concerned.
And this is with many of the bells and whistles:

    WAN as PPPoE (set ISP modem as bridged)
    OpenVPN client (with killswitch)
    OpenVPN server
    snort (both WAN and (passive) LAN prevention/detection)
    pfBlockerNG (with 12 IP, 7 DNS block lists (around 700,000 blocks))
    DHCP
    NTP
    darkstat
    ntopng
    etc

DNS is handled by Windows Server with pfSense as the forward.
Understand that unlike Sophos, pfSense allows extremely granular tweaking when it comes to how much memory and processing power you give each item.
In other words all lists, features and add ons. Buffer sizes, caches, thresholds, priorities...perfect for all types of systems.

pfsense1.PNG

pfsense2.PNG


The latter pic is while the Windows Server is running as well.

That being said, I've done away with squid (and all caches). Too many issues, too much slow down and across all the platforms that I've used it, it doesn't always play nice so things break.
Your best bet is to use the one included with QTS as it will (hopefully) work independent of the router...though I think it will still break things.
I find no use for them except for maybe the inline virus scanning. I used to need it for adblock, but now pfBlockerNG is able to do that.
Here is the mem/proc usage (including the OpenVPN):

pfsense3.PNG


I've had the NAS hang on beta. Upon restarting there was an issue with port 4 (pfSense WAN, isolated net) where the static IP reverted to factory default.
Shutting down the VMs and restart again fixed it.
I have restarted the NAS on occasion while the VMs were left running. I have found no evidence of corruption. However, looking at pfSense you can see that it does work on its system clock when the NAS comes back on. Leaving it as such seems to be ok (though I restart the VM due to mild OCD). The Windows Server does the same thing and loses time. I've had to create a custom time schedule to have the time feature sync constantly every 15 mins on it.

As far as the virtual switch thing, I am not sure.
What I have done is set all of them to static on the NAS, MTU 9000, pfSense as gateway and DNS server as Windows Server IP (or PIA VPN servers if not joined to domain).
It 'hiccups' on startup (before Virtualization Station) and complains about DNS/DHCP services, but smooths over once pfSense VM comes back on.

shazoom
New here
Posts: 7
Joined: Fri Dec 30, 2016 1:22 am

Re: Any issues with VMs in QNAP for vital services (UTM)

Post by shazoom » Sun Jan 29, 2017 10:30 pm

razormoon wrote:No offense taken and my apologies if I were brash myself. If you're itching for misunderstandings, this is the place to be. :lol:


It's cool :wink:

I think I must have been sleepy or something when I wrote my last post. OpenVPN doesn't do a ** thing unless I'm using it; it's Snort (of course) which is killing me on CPU utilisation. I knew that and you knew that; I don't know why I wrote OpenVPN. I suspect exercising Snort properly is about more than just throughput but number of connections too. Anyway, using BitTorrent to fill my pipe, the VM seems like it was using about 30% CPU (2 cores, and I don't have mpstats or top installed); not very scientific but it's a start to understanding what's going on.

I looked briefly at virtual switches but thought it would be too easy to screw up and I really like the option of pulling the plug on the modem. Besides, I don't need more throughput on a 25/8Mb connection. The beta looked great, a nice update in style. I didn't give it much of a try though, I experienced lots more problems chrome casting and that's pretty important to me so I reverted, reset and restored in under a day.

shazoom
New here
Posts: 7
Joined: Fri Dec 30, 2016 1:22 am

Re: Any issues with VMs in QNAP for vital services (UTM)

Post by shazoom » Wed Feb 01, 2017 10:56 am

Status update: I uninstalled squid too. After an unplanned reboot due to a power cut (really need to get a UPS) the squid cache was corrupted and needed manual intervention to reset it. The VM (and basically the whole network DHCP, DNS, ...) was offline for five minutes while the volume was checked: this is probably the biggest issue I've hit with virtualising the UTM.

Brother_scud
First post
Posts: 1
Joined: Sat Jul 08, 2017 9:26 pm

Re: Any issues with VMs in QNAP for vital services (UTM)

Post by Brother_scud » Sat Jul 08, 2017 9:38 pm

Hi Shazoom,

I have been trying to run ClearOS 7 on a TS-251 but I'm having trouble connecting to the web administration website (https://x.x.x.x:81).

I'm trying to set it up as a gateway and these were the steps I did. Let me know if there is anything else that I'm missing:

I have set it up with enough RAM to run and two virtual switches, one for external (WAN) and the other one for standard switch (LAN). In the settings of ClearOS virtualization I have set the WAN side to be DHCP and LAN as static with an address such as 192.168.1.1. I was able to get DNS, ping and speed test on the external side. But it seems like ClearOS doesn't activate the web daemon to continue in gateway mode as it worked when I tested in standalone server. It looks to me like it must have something to do with a DHCP/DNS issue?

Is there something I've done wrong? I'm accessing the server through my MacBook.
