[guide] pfsense VM on QNAP in 2020

Moogle Stiltzkin
Posts: 8910
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin » Tue Jun 23, 2020 1:07 pm

just received my 2x8gb crucial ram. installed it on the tbs-453dx, allocated 12gb for the vm.
notes: DO NOT simply pull out the ram on a tbs-453dx. If you check the manual, it mentions you press both sides of the ram, there is a metal clip thing that will pop out the ram. so DO NOT SIMPLY yank out your ram just like that from the get go :shock:


now testing suricata :}
Suricata is a free, open source, Intrusion Detection System software, or IDS for short. But it can also act as an Intrusion Prevention System, or IPS. It works by finding patterns using heuristics typically from network traffic. When configured to just warn about suspicious activity it is called an IDS, however when it blocks the traffic because of the pernicious activity it is called an IPS. Suricata is typically installed as a plugin in pfSense, a complete enterprise grade, open source, firewall and networking distribution based on FreeBSD.
What are the differences in the rule sets?



Community Ruleset program

The Community Ruleset is a GPLv2 Talos certified ruleset that is distributed free of charge without any Snort Subscriber Rule Set License restrictions. If you are a Snort Subscriber Rule Set Subscriber, the community ruleset is already built into your download. If you are a registered user (under the 30-day delay) you may also include this ruleset in your Snort installation to stay current. The authors of the rules in the community ruleset are listed in the AUTHORS file inside the tarball. This ruleset is updated daily and is a subset of the subscriber ruleset.

Registered
This ruleset is also free for use for individuals and businesses (however, Integrators may not use this ruleset). This ruleset is 30 days behind the Snort Subscriber Rule Set and does not contain zero-day threats under the “limited” provision of the Snort Subscriber Rule Set License. This ruleset does contain the Community ruleset. It is recommended that you use both the Registered Ruleset and the community ruleset, if you are not going to become a subscriber. This ruleset is generally updated on Tuesdays and Thursdays.

Subscriber
This is the full Snort Subscriber Ruleset, without delay. For more information on the Snort Subscriber Rule Set, please read our FAQ. This ruleset is also referred to as the “VRT Ruleset” or the “Talos Ruleset”. This ruleset is generally updated on Tuesdays and Thursdays, but may be updated at any time to stay current with emerging threats.
https://www.youtube.com/watch?v=KRlbkG9Bh6I

https://www.youtube.com/watch?v=9QaM3b0Kd6M


*update

ok got suricata up and running. cpu and ram usage seems ok so far, but i'll have to leave this running for a while to know for sure.


did my config as suggested by lawrence, but i couldn't get "IP Reputation Configuration" setup. Seems there is a separate requirement to get that to work for free users :S

:(

Code:

Assignment of a 'Categories File' is required when IP Reputation is enabled!
bmeeks -
Jan 27, 2020,

Suricata's IP reputation engine works nothing like Snort's. To use IP Reputation in Suricata you either need to manually build your own configuration files (it takes at least two) or subscribe to the very expensive IQRisk package from Proofpoint (formerly Emerging Threats).

You can find configuration information for IP Reputation in Suricata here: https://suricata.readthedocs.io/en/late ... ation.html. The link is to version 5.0.1, but 4.1.x works the same way.

The IP REP tab was originally put in place to support users with an IQRisk subscription from Emerging Threats.
https://forum.netgate.com/topic/149946/ ... ion-help/5


There is a guide here to setup for that for free users
A forum member, BBcan177, was kind enough to create a script containing the necessary functions missing. The script was designed to keep snort IP reputation lists up to date, but we'll adapt it to our needs.

We'll use aliases to keep a large number of IPs in a rule. This allows us to set up quick floating rules for a number of interfaces, keeping our per interface ruleset to a minimum. Remember, incoming should always be blocked, outgoing should always be rejected. In the future, when you add an interface, instead of copying existing rules to that interface, you just edit the existing quick floating rules and CTRL+click the new interface and you are done :).

If BBcan177 passes by this thread, please provide the script for public downloading. I do understand that the script is released under GPL, but I'm not willing to take credit for the script by providing the download.
https://forum.netgate.com/topic/70170/t ... ueprint/12

Using Snort VRT Rules With Suricata and Keeping Them Updated
bmeeks Jan 17, 2017,
Warning: do not attempt to use the Snort3 rules with Suricata! If you enable the Snort 3.0 rules download, you will break your Suricata package install completely and the only way to recover will be to delete the package and install it again. You've been warned ... 😀.
Suricata is compatible with most of the Snort VRT rules, and thus many users like to include the Snort VRT rules in their collection of rule signatures used with Suricata. However, using Snort VRT rules with Suricata requires understanding and working with two key points. First, obviously Suricata is not Snort; and thus while it is compatible with most legacy Snort rule options, there are some newer Snort rule keywords/options that Suricata will not recognize. Suricata will print errors in the suricata.log file when encountering rules like this. Luckily, unlike Snort which will quit when encountering a rule syntax error, Suricata will skip the offending rule and keep on loading the next one. The second major point to understand is that Snort VRT rules are versioned and tied to a specific Snort binary version. So you must run 2.9.8.3 rules with the 2.9.8.3 Snort binary. For instance, the only rules package that will work with Snort version 2.9.8.3 is snortrules-snapshot-2983.tar.gz. If you manually download a different rules snapshot version and attempt to use it with Snort 2.9.8.3, the rules load will fail.

The Snort package on pfSense automatically determines the correct Snort VRT rules snapshot update to use because it knows what version of the Snort binary is running. Suricata can't know that. Nor does Suricata have any way of determining what the "latest" version of Snort might be. The Suricata package depends on you to tell it what Snort VRT rules snapshot file to download. You do this on the GLOBAL SETTINGS tab when you enable use of the Snort VRT rules. There is an input box where you should type in the Snort VRT rules snapshot filename. Enter just the filename. Do not enter a URL and do not enter your Oinkcode here! This filename parameter tells Suricata which snapshot file to download for the daily rule updates.

It follows from the above that it is also incumbent upon the admin user to keep up with changes in the Snort binary and resulting rules snapshots so the rules snapshot filename Suricata uses is updated when necessary.
For instance, recently Snort has posted a new 2.9.15.1 binary version and associated rules snapshot. Suricata can use the updated rules in the new 2.9.15.1 rules snapshot file (snortrules-snapshot-29151.tar.gz for the 2.9.15.1 Snort binary), but it won't download that file until you tell it the name on the GLOBAL SETTINGS tab. Also, if you forget to change the value on the GLOBAL SETTINGS tab, then when the file version specified there goes end-of-life and is pulled by the Snort team, Suricata's Snort Subscriber Rules updates will start failing. So if you are using Snort Subscriber Rules with Suricata, set some kind of external reminder in your email or on your smartphone to prompt you to check the www.snort.org site once a month to see if updated versions of the Snort Subscriber Rules snapshot files have been posted and update the Snort Subscriber Rules snapshot filename on the GLOBAL SETTINGS tab in Suricata.

Bill
https://forum.netgate.com/topic/110325/ ... -updated/2


other than lawrence and wendel's suricata guide, i couldn't find any other good suricata setup guide. i had to resort to non english guides, but it's manageable with auto translate.

in this video he highlights exactly the problem with using snort v3 rule sets with suricata. Make sure you DO NOT use snort v3, or you will have BIG problems :shock: In all fairness, even the pfsense gui has notes pointing this out (more reason to pay careful attention to the pfsense notes in the settings ui). he has some very good info and details that were hard to find elsewhere, explained simply (step by step process)
https://www.youtube.com/watch?v=SobzXrDOnm8

Enabling the new option for "Block on DROP Only" is only 50% of what is required. You must individually modify the rule action keyword from ALERT to DROP for those rules which you want to now "block" in the new mode. This is the way things work with the Inline IPS Mode. This new mode of operation is actually how all major IPS hardware operates – namely only selected rules drop or block traffic, and all the other rules just produce alerts with no blocks.

I don't mean to sound harsh with this reply, but if you can't answer this question then using the new mode may not be suitable for you yet. Read up on rule signatures and various attack traffic types and methods to gain some knowledge about the blackhat hacking craft. As you gain experience in that arena, the answer to your question will become more obvious.

One easy shortcut for beginners is to subscribe to the Snort VRT ruleset. Next, on the CATEGORIES tab in Suricata, check the box to use IPS Policy and select a policy. For beginners, I strongly recommend starting with "Connectivity". This provides basic protection from most really bad stuff while at the same time not being overly aggressive with false positives. Underneath the drop-down where you choose the IPS policy is another option for choosing the Policy Mode. Set that to "Policy" in order to use the suggested rule action contained in the IPS Policy metadata provided by the Snort VRT folks. When set to "Policy" mode, Suricata will automatically change the rule action to match that suggested by the rule metadata. There is some help text on the screen to explain the options. To gain a better understanding of IPS Policies inside the Snort rules, try a few searches on Google.

Bill
https://forum.netgate.com/topic/121082/ ... rop-only/3

bmeeks Mar 20, 2019,


For someone new to an IDS/IPS, here is my recommendation.

Configure Snort on your LAN interface only. There is generally no extra security obtained by putting an instance on your WAN as the WAN, by default in pfSense, drops all unsolicited inbound traffic anyway.

Do NOT configure blocking at first. Just use the default IDS (detection-only) mode for at least two weeks and potentially a month so you can see what alerts happen on your network. This lets you investigate and weed out false positives without getting frustrated because things get blocked.

Register for either a free or paid ($29.99/year for paid) Snort Subscriber Rules Oinkcode. There is a link for that on the GLOBAL SETTINGS tab when you click the checkbox to enable the Snort Subscriber Rules. For convenience, here is another copy of the link: https://www.snort.org/products#rule_subscriptions. Once you have done this, go to the UPDATES tab and force a rules update so your Snort Subscriber Rules will download.

Edit the LAN interface in Snort and go to the CATEGORIES tab. Check the box to use an IPS Policy and then choose IPS-Connectivity in the drop-down selector. This is an excellent starter policy that offers very good protection with hardly any false positives. Save the change then start Snort on the LAN interface (or restart it if it was already running).

Sit back and study the alerts you receive by periodically reviewing the ALERTS tab. It is likely you will get some false positive alerts from the HTTP_INSPECT preprocessor rules. Here is a link to an older thread about Suppression Lists and using the SID MGMT tab to control false positives: https://forum.netgate.com/topic/50708/s ... lesid-conf. Remember that with Snort, once blocking is enabled, every alert you see could have resulted in a block of host traffic. This is why you examine the alerts and suppress or disable those rules which are firing on benign traffic in your environment.

After you get the rule set tuned up, you can go back and enable blocking mode. If things are smooth, then you can bump up your IPS Policy to IPS-Balanced and see how that works for you. I do not recommend folks use the IPS-Security policy as that one enables a bunch of extra rules that are highly prone to false positives (especially in home networks). You can also choose to start using some of the free Emerging Threats rule categories by going back to the GLOBAL SETTINGS tab and enabling the Emerging Threats Open rules. You would then add those rule categories to your ruleset back on the CATEGORIES tab for your LAN interface.
https://forum.netgate.com/topic/141743/ ... nterface/3

https://www.reddit.com/r/Ubiquiti/comme ... ps_alerts/

https://www.reddit.com/r/PFSENSE/commen ... ta_alerts/


so yeah.... as a pfsense newbie, i think i'll stick to basic settings for now.

most of the default rules are auto, but for snort, seems i have to check each month whether to change to the new snort file name for basic maintenance. i don't mind that too much.




in troubleshooting suricata, i identified something i was blocking which it shouldn't. have to go to alerts, then whitelist the host ip, or disable a rule. when you do that, it takes like 15-20 seconds for the rule to apply, so you can't browse away from that page until 15-20 seconds have passed afaik. i tried clicking save but that didn't seem like it did jack if i refresh too soon.


*update


after further testing, not sure that intel celeron is cutting it for suricata. during regular browsing and netflix streaming, everything is fine. Cpu is 50-60% under.

But when i begin maximizing my alloted isp bandwidth dl/ul, that is when cpu pegs at 100%

not happy with that :? because feels like my speed is being throttled somewhat i suspect under that kind of max load on cpu. at least from what i read if it hits 100% that's not good.

https://forum.netgate.com/topic/70170/t ... eprint/205




so for now i'll just leave it running a few days see what it does, then roll back to just using pfblocker which seems to be enough for me.

I don't port forward, so i don't reckon i need this do i?


*update

further testing.

to simulate max load, i downloaded a bunch of torrents at the same time.

broadband package is 100 Mbps = 12.5 MB/s for dl, and 50 Mbps ul.

i only managed to get 10 MB/s on vpn.


it does fine for a bit, but later it hits 100% and then router acted funny. the torrent connections get cut, and the router wan connection seemed to have died or something not sure. but it's apparent that on intel celeron 3 cores allocated for suricata wasn't sufficient :S

with casual browsing and not maxing out on my connection, it's usable. but i rather be able to max out my paid for speed without worrying about router dying on me :roll:


without suricata (i reverted to an older snapshot prior to installing suricata), but only using pfblocker, i get similar speeds. but equally importantly it remains stable without router crashing or any weird connection drops. cpu usage also below 20% load
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) single disks.
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228
[^] QNAP TS-128
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
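Bill's explanation above of "Block on DROP Only" and the IPS Policy "Policy" mode comes down to one mechanical step: every Snort VRT rule carries a per-policy verdict in its metadata (for example `policy connectivity-ips drop`), and Policy mode rewrites the rule action to match that verdict for the policy you picked. The Python below is an added example, not code from the pfSense Suricata package or from anyone in this thread, that performs exactly that rewrite over a few constructed rules with invented SIDs, so you can see which rules would actually block under Connectivity versus Balanced or Security. It reproduces only the action rewrite; which SIDs the package enables for a given policy is a separate step it does not model.

```python
"""Snort VRT 'IPS Policy' applied to a rule file the way the pfSense Suricata
package's Policy mode does it: each rule's metadata carries a verdict per
policy (e.g. 'policy connectivity-ips drop'); only rules whose verdict for
the chosen policy is 'drop' become drop rules, everything else stays alert,
so with 'Block on DROP Only' only those rules ever block traffic.
Added example: the rules below are constructed and use made-up SIDs."""
import re
from typing import Dict, Optional, Tuple

POLICIES = ("connectivity", "balanced", "security")

# Constructed sample rules in Snort VRT style (invented SIDs and content).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB pattern A"; flow:to_server,established; content:"|ff|SMB"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE HTTP pattern B"; flow:to_server,established; content:"/example"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:web-application-attack; sid:9000002; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE disabled rule"; metadata:policy connectivity-ips drop; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE alert-only rule"; metadata:policy security-ips alert; sid:9000004; rev:1;)
"""

_META = re.compile(r"metadata:\s*([^;]*);")
_SID = re.compile(r"\bsid:\s*(\d+)\s*;")


def policy_action(rule: str, policy: str) -> Optional[str]:
    """Verdict ('drop' or 'alert') the rule's metadata gives for this policy,
    or None when the rule is not part of that policy at all."""
    m = _META.search(rule)
    if not m:
        return None
    for item in m.group(1).split(","):
        parts = item.split()          # e.g. ['policy', 'balanced-ips', 'drop']
        if len(parts) == 3 and parts[0] == "policy" and parts[1] == policy + "-ips":
            return parts[2]
    return None


def apply_policy(rules_text: str, policy: str) -> Tuple[str, Dict[int, str]]:
    """Rewrite the action of every enabled alert/drop rule for the policy.
    Returns the rewritten text and {sid: action} for the rules touched."""
    if policy not in POLICIES:
        raise ValueError("unknown policy %r, expected one of %s" % (policy, POLICIES))
    out, verdicts = [], {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        action, sep, rest = stripped.partition(" ")
        # Comments (disabled rules), blank lines and non alert/drop actions
        # (pass, reject, ...) are copied through untouched.
        if not stripped or stripped.startswith("#") or action not in ("alert", "drop"):
            out.append(line)
            continue
        new_action = "drop" if policy_action(stripped, policy) == "drop" else "alert"
        sid = _SID.search(stripped)
        if sid:
            verdicts[int(sid.group(1))] = new_action
        out.append(new_action + " " + rest)
    return "\n".join(out) + "\n", verdicts


if __name__ == "__main__":
    for pol in POLICIES:
        _, verdicts = apply_policy(SAMPLE_RULES, pol)
        dropping = sorted(s for s, a in verdicts.items() if a == "drop")
        print("%-12s drop: %s" % (pol, dropping))
```

Run as-is it reports that Connectivity drops only 9000001 while Balanced and Security also drop 9000002; 9000004 stays an alert under every policy because its only verdict is `alert`, and the commented-out rule is never touched. This is why Bill says enabling "Block on DROP Only" is half the job: until a rule reads `drop`, it logs and nothing else.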
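For the IP Reputation error quoted above ("Assignment of a 'Categories File' is required"), Bill's point is that free users have to build the two files the engine reads themselves. This added example, which is not the BBcan177 script mentioned in the thread nor anything from the Suricata project, generates both files from a plain feed of bad hosts, rejects malformed entries instead of silently writing them, and emits an `iprep` rule in the form the Suricata IP reputation docs show. The category names, the feed contents and the SID are invented; the addresses are documentation ranges.

```python
"""The two files Suricata's IP reputation engine needs (a categories file and
a reputation list), generated from a plain feed of bad hosts, plus the
'iprep' rule that matches on them. Added example; the feed is constructed
from documentation-range addresses and the category names are invented."""
import ipaddress
from typing import Dict, List, Tuple

# category id -> (short name used in rules, description)
CATEGORIES: Dict[int, Tuple[str, str]] = {
    1: ("CnC", "Known command-and-control servers"),
    2: ("Scanner", "Hosts seen mass-scanning"),
}

# Constructed feed: ip_or_cidr,category,score  (score 0..127, higher = worse).
# The last three lines are deliberately broken to exercise the validation.
FEED = """\
# ip_or_cidr,category,score
203.0.113.10,CnC,120
198.51.100.0/24,Scanner,60
192.0.2.7,CnC,127
203.0.113.10,Scanner,20
bogus-entry,CnC,50
192.0.2.8,Unknown,90
192.0.2.9,CnC,200
"""


def build_categories(categories: Dict[int, Tuple[str, str]]) -> str:
    """Categories file: <id>,<short name>,<description> per line."""
    return "".join("%d,%s,%s\n" % (cid, name, desc)
                   for cid, (name, desc) in sorted(categories.items()))


def build_reputation(feed: str, categories: Dict[int, Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Reputation list: <ip or cidr>,<category id>,<score> per line.
    Returns the file text and the feed lines rejected as malformed."""
    by_name = {name: cid for cid, (name, _) in categories.items()}
    lines, rejected = [], []
    for raw in feed.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = [p.strip() for p in raw.split(",")]
        try:
            if len(parts) != 3:
                raise ValueError("need 3 fields")
            net, name, score = parts
            ipaddress.ip_network(net, strict=False)   # accepts a host or a CIDR
            cid = by_name[name]                       # KeyError on unknown category
            if not 0 <= int(score) <= 127:
                raise ValueError("score out of range")
        except (ValueError, KeyError):
            rejected.append(raw)
            continue
        lines.append("%s,%d,%s" % (net, cid, int(score)))
    return "\n".join(lines) + "\n", rejected


def iprep_rule(category: str, threshold: int, sid: int, direction: str = "dst") -> str:
    """A rule that fires when the packet's src/dst is listed in the category
    with a score above the threshold (same shape as the Suricata iprep docs)."""
    return ('alert ip any any -> any any (msg:"IPREP %s score > %d"; '
            'iprep:%s,%s,>,%d; sid:%d; rev:1;)'
            % (category, threshold, direction, category, threshold, sid))


if __name__ == "__main__":
    rep, bad = build_reputation(FEED, CATEGORIES)
    print(build_categories(CATEGORIES))
    print(rep)
    print("rejected:", bad)
    print(iprep_rule("CnC", 30, 9000100))
```

Point suricata.yaml at the two outputs (`reputation-categories-file` for the categories file, and the list under `reputation-files` relative to `default-reputation-path`), or assign the categories file on the package's IP REP tab, then load a rule such as the one `iprep_rule` prints. The rule only fires if the category name in the `iprep` keyword matches the short name in the categories file, which is why the engine insists on that file being assigned before anything else.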

MikeLagit
Posts: 289
Joined: Fri Mar 22, 2013 11:40 pm

Re: [guide] pfsense VM on QNAP in 2020

Post by MikeLagit » Tue Jun 30, 2020 3:05 am

Ton of great info and this really helped me get mine up and running quickly! Thanks a lot!! I decided to give this a try to see if it could provide a better solution vs trying to do everything on a router pre-NAS. I love the power of pfsense and the security seems pretty solid in this workflow given an external IP doesn't exist on the NAS unless pfsense is running and assigns it.

I am however running into one small issue. Before I would always exclude the NAS & router entirely from the whole house ExpressVPN, so it was easy to do a simple port forward on the router to connect to Plex. In this setup Plex always reported the true WAN IP to the plex.tv service. The main issue I have with the whole NAS in the VPN now is that Plex detects the VPN IP as my WAN IP, and reports that up for users to connect which is wrong. ExpressVPN cannot forward a port without paying for a static IP. As you would expect and by VPN design, Plex cannot detect this true WAN IP inside the VPN.

With putting a pfsense rule in front of the VPN on incoming traffic, I can easily get pfsense to not VPN'ize the Plex incoming connection from remote, and therefore I can connect to my Plex server remotely using the actual WAN IP's external address, so I know I can connect....BUT, the problem is the VPN IP is getting reported to Plex.tv on my NAS. So logging into plex.tv it cannot find my NAS. I have to manually put in 47.24.194.32. Kind of like a double NAT issue. So seems like I need to just get the container out of the VPN all together, but can't figure that out with pfsense and how virtual switches work. Anyone get this working for the Plex behind a VPN and figure out how to get it to report the true WAN IP from behind pfsense?

Update: I forgot to add screenshot attachments. I set up virtual switches just like you did per the guides. So only using pfSense for VPN client to ExpressVPN. Previously I ran my whole house through ExpressVPN mainly just to keep everything private. With my Asus RT-AX88U I could exclude the NAS and router from the VPN which made it easy. I think you can do that with pfSense, just haven't figured it out yet.
Last edited by MikeLagit on Tue Jun 30, 2020 10:43 am, edited 1 time in total.
Model: TS-877-1700 16GB
(HDD): [RAID-5] 4 x 4TB Seagate Ironwolf

Model:TS-569L 3GB
(HDD): [RAID-5] 4 x 3TB WD Red


Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin » Tue Jun 30, 2020 7:51 am

MikeLagit wrote:
Tue Jun 30, 2020 3:05 am
Ton of great info and this really helped me get mine up and running quickly! Thanks a lot!! I decided to give this a try to see if it could provide a better solution vs trying to do everything on a router pre-NAS. I love the power of pfsense and the security seems pretty solid in this workflow given an external IP doesn't exist on the NAS unless pfsense is running and assigns it.
i was actually testing this feature within qnap since, although it's been unofficially possible in the past, qnap later officially supported it with blessings from pfsense. so i was testing out pfsense at the same time, seeing whether i was ready to make that transition or not. eventually i just kept the setting and am happy with it.

but some users mention concern from a security standpoint, while others said they used this same setup on the qnap for a while without issue. yes pfsense is good security wise (assuming you use the proper settings, which by default it is already out of the box safe, cept the password that it does ask you to change from defaults). pfsense on nuc should be safe. pfsense on qnap as main edge router? that i'm not sure either. i leave that to others to explain.

For myself, i risk finding out 8)

MikeLagit wrote:
Tue Jun 30, 2020 3:05 am
I am however running into one small issue. Before I would always exclude the NAS & router entirely from the whole house ExpressVPN, so it was easy to do a simple port forward on the router to connect to Plex. In this setup Plex always reported the true WAN IP to the plex.tv service. The main issue I have with the whole NAS in the VPN now is that Plex detects the VPN IP as my WAN IP, and reports that up for users to connect which is wrong. ExpressVPN cannot forward a port without paying for a static IP. As you would expect and by VPN design, Plex cannot detect this true WAN IP inside the VPN.
okay so are you using QVPN or are you setting up via the pfsense vpn client settings? I recommend doing the latter method (not sure what odd things may happen if you attempt to use qvpn when you are already using the qnap as a pfsense router)

Personally i didn't try using qvpn on the QNAP NAS i am using pfsense on. If i were to do that, i'd rather set up the vpn client on the pfsense router to be sure that it worked properly.

On the QNAP side to get pfsense router working, you had to ensure you get the virtual switches setup correctly. Did you do that? if you did, then focus on the pfsense configuration for getting your VPN up and running correctly.


i'm not sure about using vpn + plex, but for the simplified method which is to portforward 32400 for plex, there is a portforward guide for pfsense here

How To Setup Port Forwarding on pfsense
https://www.youtube.com/watch?v=3-DU47zDrQk


however if you do port forward plex 32400, the recommendation i learned is that for port forwarding, use a custom port for your external port, and redirect it to internal 32400.


I created a discussion thread about how to safely remote. i'm still learning myself
So let's take Plex for an example, internally it runs on port 32400, which is fine. Externally, for ease, most people run it also on 32400. This is quite a known port on the internet now. So if this script kiddie started looking at ports and found 32400 listening, he'd probably know that there's a plex server listening. He's already got most of the information he needs to start probing that server.

The best and easiest defence is to run your server externally on a different port, a high number that doesn't often get scanned. Something from 5000 to 65000, people don't normally scan all the ports, they only scan the known ones, or the first 5000.
viewtopic.php?f=45&t=155682



also if i am not mistaken, some people instead of using the plex qpkg, setup plex container, then they do the security settings for that container, and also once they configured it, they setup for read only to further mitigate risks.
Xelas-

Keep in mind that Plex does not actually need write access to the media. Plex stores all of the media metadata and the user management database in a separate folder. If you give Plex read-only access to your media, the only things you lose are DVR capabilities, the ability to delete media from within Plex, and I think the ability to upload Photos from mobile devices depending on where the Photo storage library resides.

https://forums.plex.tv/t/read-only-media-folder/383717

Also, viewing media on mobile devices usually triggers the need to transcode media, since the media is now being streamed out of your network (most people have fairly low upload speeds) and the internet generally does not have any guaranteed speeds. Transcoding media is a HUGE CPU hog, and I'm almost 100% sure rPi won't cut the mustard. The other common reason is that most mobile devices can't play multichannel audio, forcing at least an audio transcode, and even that is several percentage points on a mid-grade Xeon CPU.

Plex itself runs using something similar to a DDNS (Dynamic DNS). Since most people don't have static IPs on their internet connection and can't be bothered to set up DDNS, and Plex wants the ability to track how their product is used and to track licences, you log into your Plex account on their server when you use Plex. Your server sends heartbeats to Plex and announces its IP, so they know what your server's IP is. When a remote client needs to connect, they act as a DDNS service for the Plex client and help it hit the server.

Depending on the size of the library, the size and speed of the drive that the Plex metadata folder resides on can be a bottleneck as well that manifests itself in how quickly the media covers load, speed of searches and scrolling, etc. The metadata also consists of a HUGE number of tiny files, so it's very sensitive to the latency of the drive its stored on. I have a mid-sized library, and the metadata folder has almost exactly 300,000 files and is 75GB. I actually set aside an old 200GB SSD drive that's dedicated just for the metadata and that keeps Plex moving smoothly. Running the Plex metadata folder must be really hard on an SD card - I'd run a "real" hard drive or SSD for that. SD cards aren't really made for that kind of use and they won't last long.

The Plex server needs only a single port to be forwarded. I run an IDS on my router (Suricata) and I've never detected malicious traffic on that port in the several years I've had Plex with remote access. I travel a lot for work, and Plex is my main source of entertainment. I've been VERY happy with it.
https://arstechnica.com/civis/viewtopic ... &t=1457847


TheBR-

Hi,

I installed Plex manually as a qpkg on my TS-453B (in case it's relevant - I'm a Plex Pass owner) and have a couple of questions.

When i point Plex to my Media folders i would like the folders to be read only to prevent Plex from deleting any media, but how do i go about this? What "user" is plex running as (according to process manager it seems to be running as admin, but, all the apps say the same) and how can i restrict it as it appears to have read/write access at the moment?

Should i be creating a user Plex then logging in as plex and installing the app as that user with read access to the media folders or am i misunderstanding here?
dolbyman » Thu Mar 07, 2019 10:48 pm

I think all apps are running as admin by default and that can't be changed

workaround would be a vm with plex and access media folders via smb share ( with r/o user right)
viewtopic.php?t=147328




MikeLagit wrote:
Tue Jun 30, 2020 3:05 am
With putting a pfsense rule in front of the VPN on incoming traffic, I can easily get pfsense to not VPN'ize the Plex incoming connection from remote, and therefore I can connect to my Plex server remotely using the actually WAN IP's external address, so I know I can connect....BUT, the problem is the VPN IP is getting reported to Plex.tv on my NAS. So logging into plex.tv it cannot find my NAS. I have to manually put in 47.24.194.32. Kind of like a double NAT issue. So seems like I need to just get the container out of the VPN all together, but can't figure that out with pfsense and how virtual switches work. Anyone get this working for the Plex behind a VPN and figure out how to get it to report the true WAN IP from behind pfsense?
i did hear that some users are doing this.

VPN subscription service + plex.

From what i understand, this encrypts their internet traffic so your local ISP doesn't see you are streaming on plex that one piece you downloaded off torrent, because that filename still has the fansub group tag with crc as an identifier for pirated material. Although most plex users would strip out those tell-tale signs, because plex prefers more simplified naming (episode number, anime title, and season number only; it doesn't like excess stuff in the filename and folder structure and may not index properly).
https://support.plex.tv/articles/naming ... how-files/

If i see a guide that explains how to setup the subscription VPN for use with plex (on pfsense router), i will post back here when i am able to :'


This is what i found for you so far (some of the vpn is not your expressvpn, but the process should be quite similar. difference is where you grab the openvpn config from)
abrahamdrinkin-

if you are accessing your local network (the one with plex on it) through a VPN you shouldn't need to enable remote access if you set up the VPN to access the local network or the media server to accept connections from the VPN address subnet.

plex is also sometimes stupid about remote access because I have remote access through a reverse proxy and plex complains all day it isn't available, but when I hit the url BAM! plex!

half the reason I am moving away from plex is this nonsense, the other half is the no local users thing. I am moving towards jellyfin, which right now is not comparable feature wise, but is well on its way for a project that is only a couple months old. plus they don't have silly restrictions they won't budge on like allowing users to download the media content without paying for sync or whatever the ** plex is calling it.
https://www.reddit.com/r/PFSENSE/commen ... seopenvpn/


GUIDE: PFSense with Private Internet Access and Plex
https://www.reddit.com/r/PFSENSE/commen ... ccess_and/



in summary


vpn hides your plex streaming activity from local isp, and using VM with restricted permissions (aka make it read only), limits anyone from writing or deleting. So even if your plex gets compromised on that port, all they can do is watch your videos but do nothing else :mrgreen: Your pfsense should log connections from the internet logging onto your router network, and if you don't recognize it, then that's one way to tell someone managed to login who shouldn't :'
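The closing point of the post, reviewing pfSense's logs for connections to the forwarded Plex port that you don't recognise, is easy to automate once the log format is known. The Python below is an added example, not code from pfSense or from anyone in this thread: it parses syslog-forwarded `filterlog` lines using the field order of the pfSense 2.2+ filter log format for IPv4 TCP/UDP entries, lists passed inbound WAN connections that reached the Plex host on 32400 from sources outside an allow-list, and counts blocked probes per source. All log lines are constructed; `vtnet0` as the WAN interface, `192.168.1.10` as the Plex host and the allow-list are assumptions.

```python
"""Scan pfSense filterlog entries for remote connections that reached a
port-forwarded service (Plex on 32400) from sources you do not recognise.
Added example: every log line below is constructed. Field order follows the
pfSense 2.2+ filter log format (common, IPv4, address and TCP/UDP fields);
the WAN interface name and internal Plex host are assumptions."""
import ipaddress
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Jun 30 08:21:05 pfSense filterlog[71021]: 1000000101,,,1591000001,vtnet0,match,pass,in,4,0x0,,55,12345,0,DF,6,tcp,60,203.0.113.44,192.168.1.10,51122,32400,0,S,1234567890,,64240,,mss;sackOK;TS;nop;wscale
Jun 30 08:21:07 pfSense filterlog[71021]: 1000000101,,,1591000001,vtnet0,match,pass,in,4,0x0,,52,22222,0,DF,6,tcp,60,198.51.100.9,192.168.1.10,41000,32400,0,S,987654321,,65535,,mss;sackOK
Jun 30 08:21:09 pfSense filterlog[71021]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,48,1,0,none,6,tcp,40,192.0.2.200,203.0.113.2,44444,32400,0,S,1111,,1024,,
Jun 30 08:21:10 pfSense filterlog[71021]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,48,2,0,none,6,tcp,40,192.0.2.200,203.0.113.2,44445,22,0,S,2222,,1024,,
Jun 30 08:21:12 pfSense filterlog[71021]: 1000000101,,,1591000001,vtnet0,match,pass,in,4,0x0,,64,3,0,DF,17,udp,80,203.0.113.44,192.168.1.10,5000,32400,60
Jun 30 08:21:15 pfSense filterlog[71021]: 1000000110,,,1591000002,vtnet1,match,pass,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.1.50,192.168.1.10,50000,32400,0,S,3333,,64240,,mss
"""

COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
ADDR = ["length", "src", "dst"]
PORTS = ["src_port", "dst_port", "data_len"]


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line from filterlog into a field dict (IPv4 only);
    returns None for lines from other programs or unsupported layouts."""
    head, sep, tail = line.partition("filterlog")
    if not sep:
        return None
    fields = tail.split(": ", 1)[-1].strip().split(",")   # drop '[pid]: '
    names = COMMON + IPV4 + ADDR
    if len(fields) < len(names) or fields[8] != "4":
        return None
    rec = dict(zip(names, fields))
    rec["timestamp"] = " ".join(head.split()[:3])
    # TCP and UDP both begin their protocol-specific part with the ports
    if rec["proto"] in ("tcp", "udp") and len(fields) >= len(names) + len(PORTS):
        rec.update(zip(PORTS, fields[len(names):len(names) + len(PORTS)]))
    return rec


def unrecognised_remote_access(log_text: str, internal_host: str, internal_port: int,
                               known_sources: List[str], wan_iface: str) -> List[Dict[str, str]]:
    """Passed inbound WAN connections to internal_host:internal_port whose
    source is not inside any of the known_sources networks."""
    known = [ipaddress.ip_network(n, strict=False) for n in known_sources]
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if not rec or rec.get("dst_port") != str(internal_port):
            continue
        if (rec["iface"], rec["direction"], rec["action"], rec["dst"]) != (wan_iface, "in", "pass", internal_host):
            continue
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in known):
            hits.append(rec)
    return hits


def blocked_probes(log_text: str, wan_iface: str) -> Dict[str, int]:
    """Inbound connections the WAN rules blocked, counted per source."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and (rec["iface"], rec["direction"], rec["action"]) == (wan_iface, "in", "block"):
            counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in unrecognised_remote_access(SAMPLE_LOG, "192.168.1.10", 32400, ["203.0.113.0/24"], "vtnet0"):
        print("%s %s %s:%s -> %s:%s" % (h["timestamp"], h["proto"], h["src"], h["src_port"], h["dst"], h["dst_port"]))
    print("blocked probes:", blocked_probes(SAMPLE_LOG, "vtnet0"))
```

Two things worth knowing when reading these lines: pf applies the port-forward redirect before the filter rule, so the logged destination is the internal host and 32400, not the custom external port you chose; and the LAN-side line on `vtnet1` is ignored on purpose, since local clients reaching Plex are not what the check is for. Run against the sample it flags only the connection from 198.51.100.9, and reports 192.0.2.200 as the source of two blocked probes.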


Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin » Tue Jun 30, 2020 8:21 am

there were 2 methods of configuring VPN on the router from what i read.

either setup so that all traffic transits through the VPN, or in addition, do a vpn tunnel split, which adds more complexity to the setup, also risk of ip leak, but at the same time offers you a no vpn connection for times when you don't require it (e.g. gaming when you require the fastest latency. i doubt my isp cares about my gaming history to tattle on me :D )

https://www.youtube.com/watch?v=XHtwVJt4AKo



this video is pretty useful as well. lawrence demonstrates how to add multiple vpn server routes (e.g. US, Sweden, Japan etc), and also add a kill switch. It's for PIA but i'm guessing this ought to work for your expressvpn (just use your own vpns openvpn config instead, and change out some parts that are specific to your vpn provider)
https://www.youtube.com/watch?v=TglViu6ctWE


Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin » Tue Jun 30, 2020 8:25 am

pfsense 2.4.5 Update / Upgrade Process and Troubleshooting Guide
https://www.youtube.com/watch?v=2ch-QyQsVDY


missed this. but TLDR: check what pfsense version your packages require. If it says you need a newer pfsense first, DO NOT UPDATE packages BEFORE you update pfsense, as may be required by that package :shock:

and this is why i recommend snapshots, so you can avoid mistakes on your part in regards to updates. Before i update, i do snapshots.


Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin » Tue Jun 30, 2020 9:00 am

MikeLagit wrote:
Tue Jun 30, 2020 3:05 am
...


mullvad vpn for pfsense
https://mullvad.net/en/help/using-pfsense-mullvad/

and this is the one for expressvpn
https://www.expressvpn.com/support/vpn- ... n-openvpn/


Selectively routing Plex through your VPN
https://www.comparitech.com/plex/plex-vpn-routing/

Remote Access not avail when behind VPN
JuiceWSA-

The trick is to Forward a Port - then tell your VPN Client what that port is.

This feat can be:
-Easy
-Hard
-Damned Impossible

Depending on what VPN you’re using and how you’re using it.

I’m using PIA and it was so easy my dumbest Cat did it for me in 10 seconds…
(I’ve got the smart one working on Warp Drive)
https://forums.plex.tv/t/remote-access- ... vpn/217132


Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin » Tue Jun 30, 2020 9:12 am

MikeLagit wrote:
Tue Jun 30, 2020 3:05 am


I am however running into one small issue. Before I would always exclude the NAS & router entirely from the whole house ExpressVPN, so it was easy to do a simple port forward on the router to connect to Plex. In this setup Plex always reported the true WAN IP to the plex.tv service. The main issue I have with the whole NAS in the VPN now is that Plex detects the VPN IP as my WAN IP, and reports that up for users to connect which is wrong. ExpressVPN cannot forward a port without paying for a static IP. As you would expect and by VPN design, Plex cannot detect this true WAN IP inside the VPN.
Plex and express VPN
The answer is port forwarding

Djurrep-

By default, Plex publishes the public IP address on which your server is reachable.

Starting a VPN will block that public IP address.

Instead of publishing your public IP, you can also publish a URL.

Go to Settings > Server > Network > Custom server access URLs

Here you can fill in a dynamic domain name.

Dynamic domains are freely available with several dynamic domain providers.

Run a background app of this provider to keep the IP address of this dynamic domain in sync with your public IP address (with VPN on or off)

For more details:
https://support.plex.tv/articles/200430283-network/

Custom server access URLs
A comma-separated list of URLs (either HTTP or HTTPS), which will be published to plex.tv for server discovery. This can be very useful in a few cases: if you’re using a VPN to get back home, if you’re using a reverse proxy in front of the media server, or if your networking configuration is otherwise unique. For instance, if you have your own custom domain with subdomain, you might add:

https://plex.mycustomdomain.com:32400

Tip!: If you don’t specify a port, the port from your Remote Access page will automatically be used.
https://forums.plex.tv/t/plex-and-express-vpn/397577/2



VPN doesn’t allow port forwarding, am I S.O.L?
SE56-

Split Tunneling by application and or IP exemption is a simple solution, just like JuiceWSA suggested. Been using it from the day PIA announced its release. Easy to set up and convenient hot server switching, fantastic for bypassing Geoblocks. The world is your oyster.

Other VPN companies with split Tunneling:

ExpressVPN
NordVPN
CyberGhost
VyprVPN
Surfshark
PureVPN

and more…
https://forums.plex.tv/t/vpn-doesnt-all ... l/605038/4

I got a bit delayed and forgot about replying to this thread, but anyway here is the workaround for other users on ExpressVPN who are having issues with Plex. It is a method that will need some recurring maintenance to keep working, but it does get Plex working with the ExpressVPN Service.
#Plex and ExpressVPN

You can set static routes to allow certain IPs through. So what you’re really doing is telling your VPN client (OpenVPN, perhaps?) that IP xxx.xxx.xxx.xxx (belonging to plex.tv) should connect directly to the Plex Media Server.

Here’s what I mean:

First you need to know the IPs of plex.tv. These IPs change fairly often. On any OS in the Command window/terminal, you should run
nslookup plex.tv

This will return the IPs plex.tv is currently using.

Then you have to tell your VPN client to allow those IPs through to your local network (and bypass the VPN). In OpenVPN, this is pretty easy. Locate the config file for the connection you’re using (check OpenVPN’s docs, or just poke around). Open the config file in a text editor.

Add lines like this:
route xxx.xxx.xxx.xxx 255.255.0.0
where xxx.xxx.xxx.xxx is one of the IPs you found via nslookup. Repeat for each of the other IPs found via nslookup.

Like I said, plex changes IPs pretty often, so you’ll need to update this once in a while. I make it a little easier on myself by adding a comment line before this section in the config file. Comment lines are preceded by a hash:

#Plex IPs for July 28 2016
route 54.194.102.80 255.255.0.0 192.168.1.13
My PMS is 192.168.1.13.

I hope this helps.
https://forums.plex.tv/t/expressvpn-and ... s/227513/3




i'm not too familiar with expressvpn since i never used it before, but sounds like to me, the solution is to bypass using the vpn for the plex port forward? probably by means of a vpn split tunnel, if you setup your vpn on your pfsense router :'



if you head down to the pfsense or expressvpn forum, you would find a better answer. or perhaps on pfsense reddit. i think the problem lies more towards those rather than to QNAP (assuming that you configured qnap virtual switches correctly for your qnap pfsense setup).
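The quoted ExpressVPN/OpenVPN workaround above is really a maintenance loop: resolve plex.tv, write one `route` line per address, and do it again whenever the addresses change. Below is that loop as a small script. It is an added example for this thread, not code from the quoted post, from OpenVPN or from any VPN provider. Its own choices, not taken from the page: a host mask (255.255.255.255) so only the resolved hosts bypass the tunnel, OpenVPN's `net_gateway` keyword (the pre-tunnel default gateway) instead of a hard-coded gateway address, marker comments so re-running it replaces the old block instead of appending duplicates, and a refusal to generate a bypass for RFC 1918, loopback, link-local or multicast space. The sample config and the TEST-NET addresses are constructed for the demo; `resolve_ipv4` is the only part that needs network access.

```python
"""Keep the plex.tv bypass routes in an OpenVPN client config up to date.

Added example for this forum thread; not code from the quoted Plex forum
post, from OpenVPN or from any VPN provider. It automates the manual steps
the quoted post describes: resolve plex.tv, then emit one `route` line per
address so those hosts are reached outside the tunnel.
"""
import ipaddress
import socket
from datetime import date

HOST_MASK = "255.255.255.255"  # one host per route, nothing wider
BEGIN_MARK = "# BEGIN plex bypass routes (generated, do not edit by hand)"
END_MARK = "# END plex bypass routes (generated)"

# Ranges that must never appear in a bypass route: a route for your own
# LAN, loopback, link-local or multicast space is a misconfiguration.
NEVER_BYPASS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def resolve_ipv4(hostname):
    """Resolve a hostname to a sorted, de-duplicated list of IPv4 strings.
    This is the only function here that needs network access."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos}, key=ipaddress.IPv4Address)


def check_bypass_address(addr):
    """Return addr normalised, or raise ValueError if it is malformed or
    falls inside a range listed in NEVER_BYPASS."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    for net in NEVER_BYPASS:
        if ip in net:
            raise ValueError(f"{addr} is inside {net}; refusing to bypass the tunnel for it")
    return str(ip)


def render_bypass_routes(hostname, addresses, stamp):
    """Build the block body: a dated comment plus one host route per address.
    `net_gateway` tells OpenVPN to use the default gateway that existed
    before the tunnel came up, so these hosts are reached outside the VPN."""
    lines = [f"# {hostname} resolved to these addresses on {stamp}; re-run when they change"]
    for addr in addresses:
        lines.append(f"route {check_bypass_address(addr)} {HOST_MASK} net_gateway")
    return lines


def update_config(config_text, route_lines):
    """Insert the generated block into an OpenVPN client config, replacing
    the previous block if the markers are already present."""
    lines = config_text.splitlines()
    block = [BEGIN_MARK, *route_lines, END_MARK]
    if BEGIN_MARK in lines and END_MARK in lines:
        start, stop = lines.index(BEGIN_MARK), lines.index(END_MARK)
        if stop < start:
            raise ValueError("malformed marker block: END before BEGIN")
        lines[start:stop + 1] = block
    else:
        lines.extend(block)
    return "\n".join(lines) + "\n"


# Constructed sample input: a minimal client config and two TEST-NET
# (RFC 5737) addresses standing in for whatever plex.tv resolves to today.
SAMPLE_CONFIG = "client\ndev tun\nremote vpn.example.invalid 1194\n"
SAMPLE_ADDRESSES = ["203.0.113.10", "198.51.100.25"]


if __name__ == "__main__":
    # For real use replace SAMPLE_ADDRESSES with resolve_ipv4("plex.tv")
    routes = render_bypass_routes("plex.tv", SAMPLE_ADDRESSES, date.today().isoformat())
    print(update_config(SAMPLE_CONFIG, routes))
```

Run it against a copy of the .ovpn file from a cron job or scheduled task, then reload the client; because the block is delimited by markers, each run swaps in the current addresses and never grows the file. The check in `check_bypass_address` is there because a typo that lands a LAN or loopback address in a bypass route silently changes how local traffic is routed.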

MikeLagit
Easy as a breeze
Posts: 289
Joined: Fri Mar 22, 2013 11:40 pm

Re: [guide] pfsense VM on QNAP in 2020

Post by MikeLagit » Tue Jun 30, 2020 11:07 am

Great info, and i forgot to add the screenshots in my last post, so I updated it up above. My setup is just a QNAP with pfSense setup just like you did it with virt switches. I then added ExpressVPN on the pfSense to direct ALL 192.168.1.0/24 traffic through the VPN. Now I just need to take the NAS:32400 out of the VPN somehow. I could maybe split tunnel but not sure how to do that and keep plex accessible on the local LAN. I don't need VPN on Plex at all for what I do, so just getting it out of VPN would solve this. I think you are correct though, it seems like it needs to be done in pfSense and not QNAP. I want to essentially tell pfSense that any traffic on port 32400 going in and out of my network would route through the WAN instead of the ExpressVPN WAN. Also, the way we set up our pfSense doesn't allow for doing it through QNAP virt switches, which is by design for security. Otherwise I would just point a virtual switch to adapter 1 which would have my WAN IP. That method isn't good though, as it exposes my NAS entirely to the WAN, so that's out.

I did look at that custom URL, and setup an alias at dreamhost for the DNS, but Plex didn't seem to ever use it as it still couldn't find my server. I could ping my IP on the alias, so I know the DNS was right. Just seemed like Plex wasn't using that option to find my server. Maybe I will go back and revisit this...

I think I will check with pfSense forum folks as well, but if anyone figures it out here let me know. :)

-ML
Model: TS-877-1700 16GB
(HDD): [RAID-5] 4 x 4TB Seagate Ironwolf

Model:TS-569L 3GB
(HDD): [RAID-5] 4 x 3TB WD Red


Re: [guide] pfsense VM on QNAP in 2020

Post by Moogle Stiltzkin » Tue Jun 30, 2020 12:35 pm

MikeLagit wrote:
Tue Jun 30, 2020 11:07 am
Great info, and i forgot to add the screenshots in my last post, so I updated it up above. My setup is just a QNAP with pfSense setup just like you did it with virt switches.
if that is the case, then i don't think we need to worry about the qnap side at this point.


to get plex port forwarding working, now you have to look at your pfsense router settings.

also whether your vpn is capable of port forwarding, and if so, what other quirks it might have with plex. if it does have a quirk, you may have to use vpn split tunnel.

this way you can continue to use your vpn as is, but omit plex from using the vpn. vpn split is the method to go about this.

Yes it is complicated, that is why i didn't do it myself. i use the desktop vpn app since it's simpler for my own requirements, and the max 5 vpn connections is within my usage requirements without having to resort to setting the vpn on the router besides.

MikeLagit wrote:
Tue Jun 30, 2020 11:07 am
I then added ExpressVPN on the pfSense to direct ALL 192.168.1.0/24 traffic through the VPN. Now I just need to take the NAS:32400 out of the VPN somehow.
just a reminder, the external port should be custom. only the internal port you can keep as 32400. so the external port redirects to your qnap lan ip device to internal port 32400


MikeLagit wrote:
Tue Jun 30, 2020 11:07 am
I could maybe split tunnel but not sure how to do that and keep plex accessible on the local LAN. I don't need VPN on Plex at all for what I do, so just getting it out of VPN would solve this.
https://www.expressvpn.com/support/trou ... g-desktop/



basically this is what you need ya? there might be an answer here for you
OpenVPN Split tunnelling **screenshots**

Eekoo -
Jan 21, 2020,

Here's my scenario:

I have a subscription with ExpressVPN.

Setting up as per their instruction works as it should.

What i'm trying to accomplish is route specific port traffic thru VPN only, but the rest of connections thru WAN. Example: BT Transmission thru port 60000.

I can route the entire LAN thru VPN
I can route a single LAN IP thru VPN
I can't figure out how to route a single port thru VPN.

Please advise.

Thanks
https://forum.netgate.com/topic/149842/ ... creenshots


this is a split tunnel guide for PIA. you'll have to find one specific to expressvpn
https://www.reddit.com/r/PFSENSE/commen ... ll_switch/



bit hard trying to use google to include these keywords together "plex + expressvpn + pfsense" the results trying to read through what i could find was just a maze of info.

to keep things simpler, stick to the youtube pfsense guide for creating a split tunnel. once you follow those step by step guides, try then to setup the port forward for your plex.

and it should work... *cross fingers :shock:


oo and before you start messing around with your pfsense config, do yourself a favor, use the virtual station, and create a snapshot of your existing pfsense router. so if you run into issues you can revert back to it.


Re: [guide] pfsense VM on QNAP in 2020

Post by MikeLagit » Thu Jul 02, 2020 1:25 am

I was able to get this working with forwarding in pfsense and I always do port security through obscurity! Good reminder in the forum!

Split tunneling in the PIA or ExpressVPN apps is pretty straightforward if you are running only the VPN on the windows computer behind a QNAP pfsense firewall with no VPN on it. On my setup the cable modem is attached directly to pfSense through the NAS and ALL traffic gets VPN unless an exception is made. Also I run everything on the NAS from subsonic to plex. Below are the steps I used to get it working for my setup.

1) You'll need a way to get your real WAN connection IP and update its IP/DNS name as it changes. The best way is to pay for it with some service listed on pfSense, and then use their updater tool. I am trying to find a way to do it for free but haven't got there yet. I wish pfSense would just report my IP somewhere similar to how my Asus router did with their own dyndns. I could simply register blah.asuscomm.com and always had my true WAN IP via that dyndns name. I haven't found a free one that is hands-off yet, but also note some paid hosting services offer this service for free.

Dynamic DNS:
Dynamic.DNS.JPG
2) Set Plex to know about your dyndns so it can connect external users to your real WAN IP.

Plex network 1:
Plex.network1.JPG
Plex network 2:
Plex.network2.JPG
3) Setup the rules in pfSense

PfSense rules:
pfSense rules.JPG
PfSense rules detail:
pfSense rules detail.JPG
PfSense NAT:
pfSense NAT.JPG
PfSense NAT detail:
pfSense NAT detail.JPG
4) This is all assuming your pfSense is setup on your NAS as Moogle Stiltzkin provided in the front of this thread:

Interfaces:
Interfaces.JPG
Overview:
Overview.JPG
Virtual switch:
Virtual switch.JPG
In summary it all works well setup like this and with whole house VPN.

-ML
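Step 3 above (the pfSense NAT and rules) and the earlier reminder in this thread to give the Plex forward a custom external port are the kind of thing worth re-checking after every config change, and pfSense's config.xml backup is the easiest place to check them. The script below is an added example for this thread, not code from pfSense, QNAP, Plex or any poster here. It reads the `<nat><rule>` entries of a config backup and reports forwards that are not on the operator's intended list, forwards that keep the internal port unchanged on the outside, and forwards bound to an interface other than `wan`. The element names it reads (`destination/port`, `target`, `local-port`, `interface`, `protocol`, `descr`) are how this example assumes pfSense lays out its NAT rules; compare with your own backup before relying on it. The sample config, the Plex server address and the descriptions are constructed for the demo.

```python
"""Audit the port forwards in a pfSense config.xml export.

Added example for this forum thread; not code from pfSense, QNAP, Plex or
any poster. The element layout below is assumed from pfSense config.xml
backups and should be compared with your own export.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two forwards to a Plex server at 192.168.1.50 (one
# with the default external port, one with a custom one) and a leftover
# test forward on another interface that nobody remembers adding.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <source><any></any></source>
      <destination><network>wanip</network><port>32400</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.1.50</target>
      <local-port>32400</local-port>
      <interface>wan</interface>
      <descr><![CDATA[Plex, default external port]]></descr>
    </rule>
    <rule>
      <source><any></any></source>
      <destination><network>wanip</network><port>44321</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.1.50</target>
      <local-port>32400</local-port>
      <interface>wan</interface>
      <descr><![CDATA[Plex, custom external port]]></descr>
    </rule>
    <rule>
      <source><any></any></source>
      <destination><network>wanip</network><port>445</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.1.50</target>
      <local-port>445</local-port>
      <interface>opt1</interface>
      <descr><![CDATA[temporary SMB test]]></descr>
    </rule>
  </nat>
</pfsense>
"""


def parse_forwards(xml_text):
    """Return one dict per <nat><rule> with the fields the audit needs.
    Missing elements become empty strings so a partial rule still parses."""
    root = ET.fromstring(xml_text)
    forwards = []
    for rule in root.findall("./nat/rule"):
        forwards.append({
            "interface": (rule.findtext("interface") or "").strip(),
            "protocol": (rule.findtext("protocol") or "").strip(),
            "external_port": (rule.findtext("destination/port") or "").strip(),
            "target": (rule.findtext("target") or "").strip(),
            "local_port": (rule.findtext("local-port") or "").strip(),
            "descr": (rule.findtext("descr") or "").strip(),
        })
    return forwards


def audit_forwards(forwards, intended):
    """intended: set of (target_ip, local_port) pairs the operator means to
    expose. Returns human-readable findings; an empty list means clean."""
    findings = []
    for fw in forwards:
        label = fw["descr"] or f"{fw['target']}:{fw['local_port']}"
        # Anything not on the intended list is a forward to investigate or remove.
        if (fw["target"], fw["local_port"]) not in intended:
            findings.append(f"[{label}] forwards to {fw['target']}:{fw['local_port']}, "
                            f"which is not on the intended list")
        # The thread recommends a custom external port for the Plex forward.
        if fw["external_port"] == fw["local_port"]:
            findings.append(f"[{label}] external port {fw['external_port']} equals the "
                            f"internal port; consider a custom external port")
        # A forward on any interface other than wan deserves a second look,
        # for example one accidentally bound to the VPN interface.
        if fw["interface"] != "wan":
            findings.append(f"[{label}] is bound to interface '{fw['interface']}' rather than wan")
    return findings


if __name__ == "__main__":
    intended = {("192.168.1.50", "32400")}  # constructed: the Plex server only
    for finding in audit_forwards(parse_forwards(SAMPLE_CONFIG), intended):
        print(finding)
```

Point it at a downloaded backup (Diagnostics > Backup & Restore) with your own `intended` set; a clean run prints nothing, and the forgotten-test-forward case is exactly what shows up after a few months of experimenting with a VM router.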