[SOLVED] Best way to set up ("layer"?) my firewall, VPN, NAS, Plex, etc. on one PC through Windows 10/Unraid

RaptorVct

Reputable
Mar 10, 2017
10
0
4,510
I'm looking for a little advice on the best way to set up and "layer" what I'm trying to do with some of my networked components. I've got a rack that I've built a rack-mount Windows 10 PC into: a mid-level Intel i5 CPU with a half dozen drives attached, connected to a KVM for keyboard/mouse/monitor in my office for some light use there.

Here are the uses that I'd like to get out of the rack-mount PC, half of which I'm doing already in one way or another:
  • Firewall for all my home traffic, preference toward pfSense from what I've seen (I have a switch in my rack, it'd just need to be fed from the firewall)
  • OpenVPN client tunneling all my home traffic to my VPN (probably through pfSense from what I've seen, and needs at least the horsepower for a gigabit connection without slowdown)
  • Windows 10 - I'm not gaming on it or anything, but for some misc apps and lightweight web browsing
  • Torrent client
  • NAS for backups and file sharing - I'd prefer to use Unraid based on what I've seen and a desire to use multiple methods of data backup
  • Plex server using a TV tuner and serving as a DVR and to stream some movies/shows
  • Perhaps eventually record security footage
My questions relate to the best way to set this up software/OS-wise.
  1. What's the best way to "layer" this all using VMs or dockers (I believe that's what Unraid calls them? I'm less experienced with that at this point.) It seems I can use Windows 10 as the base-level OS and assign network adapters out to VMs for both pfSense/VPN and Unraid. In this way I'd run Plex on Win 10 and be able to use it for browsing and the torrent client. Or would it be better to use Unraid as the base-level OS and run Windows 10 as a VM/docker/[insert correct term] on top of it?
  2. Is there a benefit to physically dividing these functions out onto different hardware? Low power draw is still a big goal of mine, even at the expense of investments in hardware. For example, I'm more than willing to add a couple of rack systems using J5005s (one for pfSense/VPN, one for NAS using Unraid, etc.). The NAS doesn't need to be on 24/7, so the only long-term extra power draw I would have is one J5005 running the pfSense/VPN client.
Open to other ideas, but as I mentioned at this point I need Plex and I do have preferences for software including Unraid and pfSense.

Thanks in advance for the advice!!
 

RaptorVct

The best way is to NOT layer your firewall with any other functions. It should be separate, and on the WAN side of your router. All the other functions are on the LAN side of your router.

Just so I'm clear, you're advocating for a standalone solution using pfSense on its own hardware? Putting it in its own VM with its own apportioned NICs isn't enough? I would definitely be putting it on the WAN side of the router regardless.
 

kanewolf

Titan
Moderator
Just so I'm clear, you're advocating for a standalone solution using pfSense on its own hardware? Putting it in its own VM with its own apportioned hardware isn't enough? I would definitely be putting it on the WAN side of the router regardless.
Yes. If it gets compromised, you want it separated from your other hosts. Can it be done with multiple NICs and VMs? Probably. A firewall should be as isolated as possible. There are ways that a VM can compromise other VMs on the same host. Is it likely? Probably not, but it is possible. The biggest concern I would have is that you get something wrong during an update or a config change and you don't keep your WAN connection isolated. Separate physical hardware is always the best way.
 
Solution
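The "config change leaves the WAN un-isolated" failure mode above is checkable. Below is an added example (not from this thread) of a drift check for a Linux virtualization host such as Unraid: it reads the JSON from `ip -j addr show` and flags the WAN NIC being bridged together with LAN members, or the host stack holding an address on the WAN segment. The interface names and JSON samples are constructed for illustration.

```python
import json

def wan_isolation_findings(ip_addr_json: str, wan_if: str) -> list[str]:
    """Return a list of isolation problems for wan_if; empty list means clean.

    Input is the output of `ip -j addr show` on the hypervisor host. A WAN NIC
    that is fully passed through to the firewall VM (e.g. via vfio) is absent
    from the host's interface list, which is the cleanest outcome.
    """
    links = json.loads(ip_addr_json)
    by_name = {link["ifname"]: link for link in links}
    wan = by_name.get(wan_if)
    if wan is None:
        return []  # not visible to the host network stack: nothing to flag

    findings = []
    # 1) WAN NIC enslaved to a bridge that also carries other (LAN) ports:
    #    WAN and LAN now share one L2 segment.
    master = wan.get("master")
    if master:
        peers = [l["ifname"] for l in links
                 if l.get("master") == master and l["ifname"] != wan_if]
        if peers:
            findings.append(
                f"{wan_if} shares bridge {master} with {', '.join(peers)}")
    # 2) The host itself holds a routable address on the WAN NIC or on the
    #    bridge the WAN NIC sits in: the hypervisor is reachable from the WAN.
    for holder in filter(None, [wan, by_name.get(master) if master else None]):
        for addr in holder.get("addr_info", []):
            if addr.get("scope") == "global":
                findings.append(
                    f"host holds {addr['family']} {addr['local']} on "
                    f"{holder['ifname']} (WAN segment)")
    return findings

# Constructed samples. CLEAN: eth0 (WAN) is passed through and not visible;
# only the LAN port eth1 and its bridge br0 appear on the host.
CLEAN = json.dumps([
    {"ifname": "eth1", "master": "br0", "addr_info": []},
    {"ifname": "br0", "addr_info": [
        {"family": "inet", "local": "192.168.1.10", "scope": "global"}]},
])
# LEAKED: after a config change eth0 (WAN) landed in br0 next to eth1.
LEAKED = json.dumps([
    {"ifname": "eth0", "master": "br0", "addr_info": []},
    {"ifname": "eth1", "master": "br0", "addr_info": []},
    {"ifname": "br0", "addr_info": [
        {"family": "inet", "local": "192.168.1.10", "scope": "global"}]},
])
```

On a live host, feed it `subprocess.check_output(["ip", "-j", "addr", "show"])` and run it from a periodic job so a bad update is caught before it sits unnoticed.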
This is one of those risk questions. In effect, your VM software is the top-level firewall, and if it is compromised the actual firewall software does nothing.

This was a discussion at a place where I used to work, where they wanted to put all the zones on a single switch using VLANs. It came down to this: if the risk is high enough to pay $80,000 for a firewall, spending a couple thousand more for separate switches should also be justified.
 
You can virtualize all this on one piece of hardware, but it probably won't be the best approach if you also want to save power by shutting off things that don't need to be on.

You can run 'bare metal' pfSense on a low-power system specifically for that purpose that will be on 24x7, and you should think in terms of 'silos' like this for every operation you would like to perform.

Then as you see things overlap, those can be virtualized on the same hardware since they have the same requirements in terms of power and usage.