Here is why NAS functionality on pfsense can make a hell lot of sense.
-
@pfSense4ME
I said I might use some older hardware that I already have.
There are a few calculations to do before I can say what would be the smartest move for me.
I mean let's say my older hardware would cost me 150€/year and the newer hardware would only cost me 100€/year, but 400€ to buy it.
Now if I would wait a year and the hardware would then only cost 300€, I could upgrade my system then and save 50 bucks within the first year.
I'm just saying it's not that easy.
Yes, I DO think that someone else will have the time. It would cost me months, if not years of work to do something like this.
I will definitely try to find a developer who actually knows what he is doing and pay him to get it done.
@divsys
Thanks for shining some light on all this.
That may change everything for me.
Okay, I've got an Intel Pentium G3258 lying around that I bought from a friend for very cheap a while ago. I just looked it up and it lacks VT-d (Intel Virtualization Technology for Directed I/O). And that even though it is from 2013 or so..
That's kind of what I meant earlier. Now how would that affect my FreeNAS-in-a-vm-experience? What are my disadvantages of not having VT-d?
And in general what happens if I want to swap a hard drive in my NAS? Would I have to reconfigure the whole vm for that? Or could it just handle it automatically?
And would such a CPU be enough? After all it's just a dual core part and I'm not sure if I'd want to overclock it (fan noise).
-
It's a security risk to store your files on the same machine as the firewall. If your firewall machine gets hacked the hacker could gain access to your data.
When I posts like that I was shocked. I personally live in a thing called democracy. If I want to buy and eat something that makes me fat, then I can do so.
You're free to make your own crappy Firewall+NAS, but most people here won't help you harm yourself.
I've wanted a NAS for over 15 years, but I refuse to make one until I can make it correctly. I'd rather do without than half-ass it. Do it correctly or don't do it at all.
-
I've wanted a NAS for over 15 years, but I refuse to make one until I can make it correctly. I'd rather do without than half-ass it. Do it correctly or don't do it at all.
For some of the current definitions of "correct" you can look at http://www.freenas.org/ or http://www.nas4free.org/.
-
It clearly supports vt-x, why do you need directed i/o vt-d –Unless you need to give 1 vm specific access to some hardware, it is not needed.. Sure an the hell not need to run a nas and your router on the same host that is for sure..
Talk about cherry picking info.. Vt-d is going to be included in their HIGH END cpus.. Not some msrp $72 cheap budget cpu.. It supports most none of the advanced features
http://ark.intel.com/products/82723/Intel-Pentium-Processor-G3258-3M-Cache-3_20-GHz
That chip released Q2 2014, not 2013 btw..
Vt-d didn't even come on the table until end of 2008.. Pick any HIGH END cpu after that period and it will most likely support Vt-d.. My ford focus doesn't have a turbo charger either, so what I can not drive it?
VT-x has been around at least 10 years.. And is included in almost all current cpus, yes even that budget chip you pointed out..
My system doesn't support aes-ni either, but guess what it still does openvpn just fine.. You don't always need a freaking Ferrari to drive to and from work..
-
I've wanted a NAS for over 15 years, but I refuse to make one until I can make it correctly. I'd rather do without than half-ass it. Do it correctly or don't do it at all.
For some of the current definitions of "correct" you can look at http://www.freenas.org/ or http://www.nas4free.org/.
My definition of "correct" is the physical hardware. I figure I need at least $2k to get started. I won't go for anything less than 1TiB of logical, backed by all SSDs of several different brands, Xeon, 10Gb NIC+switch, and 64GiB of DDR4. The bigger issue is finding some good hot-swap hardware (bays). Most stuff that I can find on NewEgg has people complaining about cheap parts and the plugs not aligning, plugs breaking, general connection issues resulting in a drive suddenly disconnecting.
My alternative is to just get something from iXSystems.
-
"10Gb NIC+switch"
There you just blew your 2k$ budget ;) 10Gb switches are not really home/lab budgeted yet.. At least not that I have seen.
I was looking at the new supermicro http://www.wiredzone.com/supermicro-servers-compact-embedded-processor-sys-5028d-tn4t-10024470 that you can get for $1200 without anything, but does have dual 10G nic via soc and 2 more gig nics.. The problem is the switch to connect it at 10Gb ;) Will do up to 128GB ddr4, would be a screaming vm host.. Once you put some memory in it and some disks you're pushing the 2k budget.. But those 10G nics would be nice future proofing for when the 10Ge switches get to be more reasonable.
-
@Harvy66
"You're free to make your own crappy Firewall+NAS, but most people here won't help you harm yourself."
Can you even read? HOW WOULD I POSSIBLY HARM MYSELF?
I said it a million times now. I'm a private user, no one would benefit from explicitly hacking me. The data on the NAS will be stored encrypted just because I can. I wouldn't even really care if a hacker would get my data.
But all that doesn't even matter because running a NAS (in a vm) on pfsense does not create vulnerabilities in pfsense, unless pfsense by itself is a poorly written piece of crap, which I highly doubt.
But if you are so certain that security would be affected that drastically, prove it.
@johnpoz
Calm down, please.
I'm well aware that it supports vt-x and I never said I need vt-d. I was just asking nicely what the disadvantages of not having it would be in my case.
"Q2 2014" - I don't want to impute nitpicking to you, but that's really not relevant. Besides I said "2013 or so"; I was just estimating.
"Unless you need to give 1 vm specific access to some hardware"
Well yeah, how about the hard drives that go into the NAS? Will I have access to S.M.A.R.T and could I create a file system on the drives from the NAS OS without vt-d? And what about pcie raid controllers?
-
"I was just asking nicely what the disadvantages of not having it would be in my case."
None - unless you wanted to directly connect some hardware to a vm..
Well it would depend on how you connect them, I don't have vt-d and I have access to the smart info because I raw map them to the vm.. Would also depend on your hypervisor I would also assume on if it allows for such raw mapping.
Are you talking to the vm OS itself, like esxi? Or the VM? Both can do it - esxi added function in like 5.1 I think, and the disks I raw map to my nas os vm, can see it as well.
In my nas vm (2k12r2) I run some software from stablebit that does my pooling for me, not really a fan of drive spaces for simple home use pooling of disks, and also use their scanner software that watches smart, keeps an eye on the filesystem and disk and sends me an alert if something seems odd, out of whack, etc..
-
Personal opinion, but I really like my firewall to do one thing, one thing only. Much easier to verify correctness, less to lose if something goes bad.
-
My definition of "correct" is the physical hardware. I figure I need at least $2k to get started. I won't go for anything less than 1TiB of logical, backed by all SSDs of several different brands, Xeon, 10Gb NIC+switch, and 64GiB of DDR4. The bigger issue is finding some good hot-swap hardware (bays)
From my POV you've stepped from the "Build my own NAS" to the "Build my own Server" maybe a change of perspective is in order…...
-
Many consumer routers come with a USB port to simulate a NAS type of storage, but many consumer routers also have security problems related to this sort of technology. I believe the developers of PFSense could do it correctly, but it really feels like the wrong type of feature to implement on the PFSense platform.
PFSense is designed to be an expandable/modular driven firewall solution for protecting 1 or many networks. Developing "frills" isn't a way forward for a product with a strong focus on security and stability.
If an "All in one" solution is something you would prefer, then I would suggest a typical off the shelf product and flash it with dd-wrt/tomato or a variant if you feel the need.
I think it's noteworthy that you hold PFSense in such high regard and wish to use it as your "All in one" platform, but demanding that a product team implement a feature that hasn't gained traction for obvious reasons is the wrong way to solve your problem.
-
I don't know who or what to believe anymore.
I just read this forum post on the FreeNAS forums:
FreeNAS is awesome. FreeNAS can and will run as a VM. That does not make it a good idea.
- FreeNAS is designed to run on bare metal, without any clever storage systems (UNIX/VMFS filesystem layers, RAID card caches, etc!) getting in the way. Think about this: ZFS is designed to implement the functionality of a RAID controller. However, its cache is your system's RAM, and its processor is your system's CPU, both of which are probably a lot larger and faster than your hardware RAID controller's cache!
- Without direct access to the hard drives, FreeNAS lacks the ability to read SMART data and identify other developing problems or storage failures.
- A lot of the power of FreeNAS comes from ZFS. Passing a single virtual disk to ZFS to be shared out via FreeNAS is relatively safe, except that ZFS will only be able to detect and not actually correct any errors that are found, even if there is redundancy in the underlying storage.
- There is a great temptation to create multiple virtual disks on top of nonredundant datastores in order to gain "MOAR SPACE!!!". This is dangerous. Some specific issues to concern yourself with: The data is unretrievable without the hypervisor software, the hypervisor might be reordering data on the way out (which makes the pool at least temporarily inconsistent), and the hypervisor almost certainly handles device failures non-gracefully, resulting in problems from locked up VM to unbootable VM, plus interesting challenges once you've replaced the failed device.
- Passing your hard disks to ZFS as RDM to gain the benefits of ZFS and virtualization seems like it would make sense, except that the actual experiences of FreeNAS users is that this works great, right up until something bad happens, at which point usually more wrong things happen, and it becomes a nightmare scenario to work out what has happened with RDM, and in many instances, users have lost their pool. VMware does not support using RDM in this manner, and relying on hacking up your VM config file to force it to happen is dangerous and risky.
- FreeNAS with hardware PCI passthrough of the storage controller (Intel VT-d) is a smart idea, as it actually addresses the three points above. However, PCI passthrough on most consumer and prosumer grade motherboards is unlikely to work reliably. VT-d for your storage controller is dangerous and risky to your pool. A few server manufacturers seem to have a handle on making this work correctly, but do NOT assume that your non-server-grade board will reliably support this (even if it appears to).
- Virtualization tempts people to under-resource a FreeNAS instance. FreeNAS can, and will, use as much RAM as you throw at it, for example. Making a 4GB FreeNAS VM may leave you 12GB for other VM's, but is placing your FreeNAS at a dangerously low amount of RAM. 8GB is the floor, the minimum.
- The vast majority of wannabe-virtualizers seem to want to run FreeNAS in order to provide additional reliable VM storage. Great idea, except that virtualization software typically wants its datastores to all be available prior to powering on VM's, which creates a bootstrap paradox. Put simply, this doesn't work, at least not without lots of manual intervention, timeouts during rebooting, and other headaches. (2013 note, ESXi 5.5 may offer a way around this.)
I'm pretty sure I'm forgetting a few. But the conclusion is this: it's perfectly fine to experiment with FreeNAS in a VM. However, if you run it in production, put your valuable data on it, and then something bad happens, and you absolutely positively must get your data back, there probably won't be a lot of help available from the forum. We've seen it happen again, and again, and again. Sigh.
So is it a bad idea or not? I mean that post does clearly imply that it is. Now the question is how biased each party is..
-
-
More a subject to be hashed out on the freenas forums. Why are you here looking for FreeNAS expertise?
In case you haven't figured it out, it doesn't appear that anybody here is interested.
If you want pfSense and FreeNAS on the same hardware, virtualize (at your own risk.)
Your aforementioned old hardware will almost certainly lack VT-d support.
-
I've not delved too deeply into the current state of the art of FreeNAS so you may take my next comments with some grain of salt.
That said, I have noted there seems to be a current "battle" between FreeNAS and Nas4Free (a recent fork of FreeNAS) on a whole range of issues, some of which you've touched upon.
As far as the include a "NAS in pfSense" debate, everything you've touched on is evidence in my mind NOT to include a NAS in pfSense.
Perhaps VM is the way to go, perhaps not, but it's pretty obvious to me from your quote that a NAS has really different issues of concern than a firewall.
No point in trying to shoehorn them together.
As Derelict mentioned, I think you've moved off of this being a pfSense issue.
I'd suggest a little research into the current NAS distro issues and where you want to go from here.
-
I don't know who or what to believe anymore.
I just read this forum post on the FreeNAS forums:~snip~
So is it a bad idea or not? I mean that post does clearly imply that it is. Now the question is how biased each party is..
Keep it in context. That post is directed, as clearly stated if you would read it further, to individuals who don't know what they are doing with virtualization. That post was authored to clearly state that if you virtualize FreeNAS and bad things happen you are on your own and will get no support from the forums fixing it. It does not say that you can't or shouldn't, it says you shouldn't unless you know what you are doing. And if you have to ask then you don't know what you are doing.
But don't take my word for it, go over there and pitch your proposed idea of a combined router/firewall and NAS and see the type of response you get.
-
@Jailer
Well, as far as I understood the post, it pretty much says, "if something goes bad, you lose your data, unless you had vt-d".
@divsys
I think the argument that the "solution" would be to run FreeNAS in a vm on pfsense is pretty much eliminated now. (please correct me if I'm wrong)
And I had a gazillion points for why it would make a lot of sense in certain cases to not run the firewall/router and the NAS on separate devices. (see first post if you don't remember)
This whole discussion until this point was all about people telling me that virtualization is the solution.
So as far as I see it, the discussion I was looking for in the first place may start now ("NAS service on pfsense" vs "separate devices").
And I can only repeat myself over and over again. An optional service that you don't choose to use doesn't bear any risks for you.
And users like me (who don't even have sensitive data) who would want to use such a service (to save a significant amount of money) wouldn't even care about the risks (if they even existed).
-
"unless you had vt-d""
You do NOT need vt-d to pass your hdd to your VM natively… At least not in esxi, it's a simple raw map..
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1017530
-
So correct me if I'm wrong (I'm very much a noob here), but pfsense already combines two very different but common sense functions - routing and firewalls. Why is it such a stretch to think that NAS is so far removed from these two worlds? We're talking about network management, which includes storage.
Also, why doesn't anyone seem to recognize that the Apple Time Capsule is basically exactly what the user is describing? Sure, the target demographic for Apple is set-it-and-forget-it consumers who aren't as security savvy, but Apple is pretty invested in building a secure product. A pfsense router/firewall seems like a much better partner for an NAS backup solution than an out of the box Apple product. I for one would love a single solution for all my network related needs.
-
Why is it such a stretch to think that NAS is so far removed from these two worlds?
??? One involves handling of network traffic, the other concerns itself with data on hard disks. Same reason your basic fridge doesn't have a wine chiller, a Frappuccino maker and a toaster oven all built-in, even though it sounds amazing.
We're talking about network management, which includes storage.
Well, not really, other than your NAS is just another device on the network. My TV is on my network at home, but I wouldn't consider television to be a part of network management.
I've been in IT for almost 30 years now, and I've learned the hard way that one service per device is usually best. Building a monolithic server stack is great until it falls over and takes everything out.
-
So correct me if I'm wrong (I'm very much a noob here), but pfsense already combines two very different but common sense functions - routing and firewalls.
There is no firewall that separates routing functions, they're inherently required in combination and aren't very different at all. Where you leap from firewall to file server, that's a very different function.
Those who think this is a good idea aren't really our target market. Do you get a NAS built into your Cisco ASA or Sonicwall or Checkpoint or Watchguard or any other similar class product? No.
All the solutions that try to be everything to everyone end up doing everything poorly.
Moot point, as we now have bhyve. Run your NAS in bhyve.
So is it a bad idea or not? I mean that post does clearly imply that it is. Now the question is how biased each party is..
Some of those points are valid, some are FUD, but it's largely just that people get themselves into a situation that's more complex than they know how to handle. Granted, if you want to run ZFS, you're either going to want to run on bare metal or with a controller you can passthrough to the NAS VM.
-
My definition of "correct" is the physical hardware. I figure I need at least $2k to get started. I won't go for anything less than 1TiB of logical, backed by all SSDs of several different brands, Xeon, 10Gb NIC+switch, and 64GiB of DDR4. The bigger issue is finding some good hot-swap hardware (bays)
From my POV you've stepped from the "Build my own NAS" to the "Build my own Server" maybe a change of perspective is in order…...
A NAS that isn't a server is a toy, not a tool. Like getting a NAS from a Happy Meal.
I think I got jaded when I was young. My dad purchased some cheaper computers and they were so annoying to work with, I stopped using them altogether. I gave up using computers for almost a year and my dad wondered why. I told him, get something better or nothing at all. Of course I used my own money to help augment the price differences.
I refuse to work with cheap hardware. This is why I have an Intel i210-T1 on my desktop. Screw RealTek integrated. I have 3 SSDs in all of my computers, in case one dies. I did not order any computers until I could afford at least 2 SSDs. I don't need high availability and RAID controllers, but I do need fall-back plans. When I get a new computer, 1 week of CPU and memory burn-ins, split about 4 days of memtest and 3 days of CPU, which also stresses the memory during parts.
If you're going to do it, do it well or don't do it at all.
-
Almost every consumer grade router has built-in NAS functionality nowadays
In the past some of this NAS-routers were seen from Netgear, ASUS and other vendors, for sure if anybody means that is the right thing for himself, he should go and buy and use it.
Examples please.
AVM Fritz!Box Router comes with a NAS "function"
Netgear was launching a so called NAS-router (a router with an inserted HDD/SSD)
ASUS was also setting up one of that devices but with no really market gain
A firewall is a security based and focused device that is using rules or rule sets to separate networks from one or more other networks, and a router is routing packets from one to another or more networks, and why a firewall also can route packets it might be not putting these devices in the same class of things.
There are many NAS solutions out there that can be easily used together with pfSense, but so both of them would be able to do his own job the code was written for. So why both systems should be installed together on one unit opening then more security holes or risks that are unwanted?
Because some of the users love to be get more comfort? I would love to see more security things in a firewall and usability in a NAS and not both together on one system.
Also for the developers it would be a nightmare because the NAS fraction want to insert all new and fancy things and the firewall guys want to insert less as able to do, related to security holes and we all have to wait for the new product or version for ever? No I don't want this.
Let them run in two different VMs or stand alone, this might be the best compromise for all customers and the development staff too.
@NopIt
it is an older thread but about the same thing we are talking here, you could have a look inside if you want and will be able to imagine that this would perhaps a really often thought or idea, but it is not really matching the security point and there fore it is better as it is likes now in my opinion. Link to the thread
-
Too many people are worry about security, when there no such thing is 100% vulnerability free. Would be nice to have the feature for the ones that want to use it, would allow this old HP DL380 G6 I got to do more than just be a "firewall"
-
Too many people are worry about security,
Should we not talking about if we are talking about our firewalls?
when there no such thing is 100% vulnerability free.
For sure you are right but many peoples are working very on pfSense to be 100% worry free!
And know because some want to get a nice gimmick the entire rest must go home or live with
a potential unsecure firewall? I really don't think so.
Would be nice to have the feature for the ones that want to use it,
You are free to hire someone who will be writing the code for such a packet, here.
would allow this old HP DL380 G6 I got to do more than just be a "firewall"
In the pfSense shop or at Netgate are many devices that could be really a nice and fast firewall
only. And they are all saving electric power on top. So no one was pressing you to go buy this PC.
-
@BlueKobold:
Too many people are worry about security,
Should we not talking about if we are talking about our firewalls?
when there no such thing is 100% vulnerability free.
For sure you are right but many peoples are working very on pfSense to be 100% worry free!
And know because some want to get a nice gimmick the entire rest must go home or live with
a potential unsecure firewall? I really don't think so.
Would be nice to have the feature for the ones that want to use it,
You are free to hire someone who will be writing the code for such a packet, here.
would allow this old HP DL380 G6 I got to do more than just be a "firewall"
In the pfSense shop or at Netgate are many devices that could be really a nice and fast firewall
only. And they are all saving electric power on top. So no one was pressing you to go buy this PC.
Firewall that I would call cute at most, if you want to talk firewalls pair Cisco FirePOWER with OpenDNS Umbrella. I just see too many people bash down on ideas to innovate, not like I'm worry about how good pfSense works. My old appliance die and I had mess load of DL380 from work which I loaded up my Porsche with and sold most of them on eBay. Now I got 12 core, 48Gb, 4x Pro/1000 ET Quad with 6TB of light speed storage firewall for no reason at all. I was just thinking about having Samba on it and intewebs lead me here. Some people would call wearing a 6 foot fox fursuit with a socialist armband a gimmick too.
Foxler
-
Too many people are worry about security
:o
-
I don't think pfsense should develop NAS capability, I just think it'd be nice to run them both on the same box without vm. I mean, the only thing separating them now is an Ethernet cable, why not do away with the physical separation and have a robust software integration that is security conscious AND feature rich. Let them share what they can share and keep separate what needs to be separate. A pfsense based time capsule would be killer.
-
luckily this will probably never happen.
if people wish to dig their own grave then they should do so, i guess.
-
I spent some more time thinking about this and I still think that all the security concerns are complete BS.
I mean if you think about it, having anything sensitive on a computer that has a browser or Windows on it (or even better: android) is a gazillion times more risky.
Just think about the million Flash and browser vulnerabilities.
In my opinion everyone who argues that NAS and router on the same device is stupid has no right to run Windows in a network with private data. Period.
But I'm sure you all have figured this out and are running a separate computer for every program. One for the emails, one for the browser, one for the notepad, one for the calculator and one for minesweeper. I mean you would probably get hacked within a minute if you were to run all these on the same device, right?
But (I probably said this a million times by now) what makes you think that pfsense would be any less secure when you install a NAS package on it? I mean seriously WHAT EXACTLY do you think would cause pfsense to be any less secure? I mean the NAS package would have no reason to tamper with the router config and I highly doubt that pfsense would accidentally create a vulnerability upon spotting a NAS package.
-
NopIt,
I'm not sure why you are beating a dead horse; you have already been provided an answer and venting is not likely to change anything.
The fact that Windows is not very secure does not justify NAS functionality being added to pfSense. I do not follow this logic. As a security professional, I would not want NAS functionality added to pfSense.
If you have a decent enough computer with a few network cards on it, consider loading the free VMware ESXi hypervisor on it and then load FreeNAS and pfSense as separate virtual machines (VM) on ESXi. This will allow you to share hardware for both services. I personally do this for several services on my home network including Plex, SABnzbd, Deluge, etc., all running Ubuntu server on separate VM's. Pfsense would also run fine as a VM, but I prefer a dedicated box for this so that I can do maintenance on ESXi whenever I please without impacting internet service.
Just my 2 cents.
-
"The fact that Windows is not very secure does not justify NAS functionality being added to pfSense."
I'm just arguing that almost everyone has private data on the same computer that they use to surf the Internet. Thus there is absolutely no reason to not reduce pfsense's security by 0.00001 nano-percent (or whatever that would be) to get a ton of benefits.
I mean seriously. It feels like some people here are living in a dreamworld. Maybe an analogy helps you understand my POV:
Imagine you live in a house and you buy a super heavy titanium steel bunker door because you care about security. At the same time you don't even spend a second about the fact that a small stone could easily penetrate any window in your house and you refuse to add a door handle to the inside of the bunker door because you somehow think that it could have any effect on the security of the door.
See the irony?
-
I'd wager that the person putting a bunker door on the house would have already secured the rest of it, and they would put a door handle on the inside, but have the deadbolt be keyed instead of just a knob. (Basically, I think your analogy is faulty).
NAS gives a potential way in; every service running on a computer/firewall/router has the potential to allow someone a way in. Software is written by humans, people make mistakes. Mistakes lead to buffer overflows, which lead to privilege escalation, which lead to access.
Access can lead to malware or programs using your equipment to act as part of a bot net to DDOS a bank. DDOS could lead to Federal charges. Oh, you didn't know someone "broke into" your computer/NAS/firewall? Too bad, enjoy the next 20 years of your life in a small cell.
NAS on your firewall/router. Someone that doesn't like you, they figure out your public IP, start a DOS against you. Your ISP doesn't do anything about it, so until you unplug from the Internet, you can't even access the files on your NAS.
"…a ton of benefits."
I don't see any benefit other than maybe having one less device, and given the cost, I can do without that benefit. No one is telling you "you can't do that". They are saying "It's a bad idea, go ahead if you want to, I am not helping you".
Perhaps we are living in a dreamworld, where there is understanding that bad things can happen and bad people exist.
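Added example, not part of the thread: the "every service is a potential way in" point above can be checked on a FreeBSD-based firewall by comparing its listening sockets against a baseline. This Python sketch parses `sockstat -4 -6 -l` style output; both captures, the baseline set and all process/port entries are constructed assumptions, not taken from a real pfSense install.

```python
"""Audit listening sockets on a FreeBSD-based firewall against a baseline.

Parses `sockstat -4 -6 -l` style output. Both captures below are
constructed samples for illustration, not real pfSense output.
"""
from typing import NamedTuple


class Listener(NamedTuple):
    user: str
    command: str
    proto: str    # "tcp" or "udp" (address-family suffix stripped)
    address: str  # "*" means bound on every interface
    port: str


# Assumed baseline for a firewall-only box: (command, proto, port).
BASELINE = {
    ("nginx", "tcp", "443"),   # web GUI
    ("sshd", "tcp", "22"),
    ("unbound", "udp", "53"),  # DNS resolver
    ("unbound", "tcp", "53"),
    ("ntpd", "udp", "123"),
}

HEADER = "USER     COMMAND  PID  FD PROTO LOCAL ADDRESS     FOREIGN ADDRESS\n"

# Constructed capture: firewall services only, bound to the LAN address.
FIREWALL_ONLY = HEADER + """\
root     nginx    412  5  tcp4  192.168.1.1:443   *:*
root     sshd     388  4  tcp4  192.168.1.1:22    *:*
unbound  unbound  501  3  udp4  192.168.1.1:53    *:*
unbound  unbound  501  4  tcp4  192.168.1.1:53    *:*
root     ntpd     455  20 udp4  192.168.1.1:123   *:*
"""

# Constructed capture: the same box after a file-sharing daemon is added.
WITH_SAMBA = FIREWALL_ONLY + """\
root     smbd     902  31 tcp4  *:445             *:*
root     smbd     902  32 tcp4  *:139             *:*
root     nmbd     905  15 udp4  *:137             *:*
root     nmbd     905  16 udp4  *:138             *:*
"""


def parse_sockstat(text):
    """Return one Listener per socket line, skipping the header and junk."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, _pid, _fd, proto, local = fields[:6]
        # Split on the last colon so IPv6 local addresses keep their colons.
        address, _, port = local.rpartition(":")
        listeners.append(Listener(user, command, proto[:3], address, port))
    return listeners


def unexpected(listeners, baseline=BASELINE):
    """Listeners whose (command, proto, port) is not in the baseline."""
    return [l for l in listeners if (l.command, l.proto, l.port) not in baseline]


def wildcard_bound(listeners):
    """Listeners bound to every interface, WAN included; only the packet
    filter rules stand between the outside network and these sockets."""
    return [l for l in listeners if l.address == "*"]


def report(text):
    listeners = parse_sockstat(text)
    extra = unexpected(listeners)
    return {
        "listeners": len(listeners),
        "unexpected": sorted({(l.command, l.proto, l.port) for l in extra}),
        "unexpected_on_all_interfaces": sorted(
            {l.port for l in wildcard_bound(extra)}
        ),
    }


if __name__ == "__main__":
    for name, capture in (("firewall only", FIREWALL_ONLY),
                          ("with file sharing", WITH_SAMBA)):
        print(name, report(capture))
```
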
-
"…a ton of benefits."
Not only one I saw or can imagine! ;)
In the Link I was posting you, you were able to read that your dream becomes perhaps going on
or happen. It was the last statement from @jwt and so this discussion about is in my eyes obsolete! ::)
Now that bhyve has been added, you could probably have pfReeNAS without too much trouble.
So this might be a real gain for someone, but I personally hope that the development team is not doing it in another way and let all the code fleeting in the pfSense source code, because then we would fall back for seeing many fine functions and options that is really missed at this time from much more peoples;
- Intel QuickAssist support
- CPU multicore usage for the entire core system
Would be making much more sense in my eyes than getting a NAS box on top!
If you want to have a NAS there are many different ways to walk this road and for each need another system likes; ::)
- FreeNAS
- NAS4Free
- OwnCloud
- OpenMediaVault
So if the new Intel Xeon D-1548 would come out you could really built a new pfSense box and spend your older one for a NAS, that this theme is really solved. ;D
-
"Not only one I saw or can imagine! ;)"
So basically you didn't even read the first post. I guess I don't have to read yours either then…
@mer
Yeah sure buffer overflows and all that stuff can happen. But we are living in 2015. We know about TDD/BDD and we can easily test edge cases before releasing a product.
-
If you want a NAS, setup a NAS, if you want a firewall, setup a firewall. If you don't care about security, forego the firewall and just setup your NAS.
NAS and firewall are nearly as polar opposite as you can get. May as well ask for a NAS app to install on your cellphone. Ummm… No. Of course someone could always create a package for PFSense, but most people skilled enough to do so won't agree with NAS on a firewall.
This could just be my Server Admin, Server Security, Network Admin, and Network Security background talking. Now I just do software development, but I can smell a bad idea a mile away.
-
@mer
Yeah sure buffer overflows and all that stuff can happen. But we are living in 2015. We know about TDD/BDD and we can easily test edge cases before releasing a product.
Anyone that does development knows that all the tools in the world does not automatically mean better code. I'd wager it lets you make mistakes faster. "One more feature", lack of unit testing, shortened QA cycles (because the release date can't be moved) all lead to test cases not getting covered. Edge cases? Sorry, but users will come up with ones you never thought of.
Another way of looking at it: Default Deny vs Default Accept security stance. Which is easier to verify? (Hint, OpenBSD does Default Deny, Windows does Default Accept).
I agree with Harvy66 and others that integrating NAS functionality onto a pfSense box is bad idea, but you know what? It's your hardware, you have complete control of it so you do what you want. You may get others to help you, but those who "waste too much time on security" are just going to sit back and chuckle.
-
I spent some more time thinking about this and I still think that all the security concerns are complete BS.
I mean if you think about it, having anything sensitive on a computer that has a browser or Windows on it (or even better: android) is a gazillion times more risky.
Just think about the million Flash and browser vulnerabilities.
In my opinion everyone who argues that NAS and router on the same device is stupid has no right to run Windows in a network with private data. Period.
But I'm sure you all have figured this out and are running a separate computer for every program. One for the emails, one for the browser, one for the notepad, one for the calculator and one for minesweeper. I mean you would probably get hacked within a minute if you were to run all these on the same device, right?
But (I probably said this a million times by now) what makes you think that pfsense would be any less secure when you install a NAS package on it? I mean seriously WHAT EXACTLY do you think would cause pfsense to be any less secure? I mean the NAS package would have no reason to tamper with the router config and I highly doubt that pfsense would accidentally create a vulnerability upon spotting a NAS package.
I'm all for it, even if I had no firewall at all. Only thing people are going to see on my network is lot of furry porn. In enterprise environment, then whole other ball park even so you hardly see open sources used anyway.
There was day many years ago when my first firewall was Celeron 366 with 32mb of PC133 and cell phone were only made for calling. Have you seen smart phones lately? If I have to setup VM then I will, but it can be done. For now time go back to this "good all days of dialup and being teenager" >>>
Foxler
-
Hi!
Jumping in this discussion a little late, still my points are:
1 - We don't have even the available packages working as well we need, if you want to contribute more and have the time, help improve the packages.
2 - pfSense is intended as a Router/Firewall system, it also can be built as an UTM, but NAS fits a completely different category and functionality.
3 - If you say security concerns for NAS in pfSense are BS, you clearly understand s** about security. You NEVER, EVER expose your files or any sensitive data for that matter, in the very OS that serves as Firewall between your network and the rest of the world.
4 - If you want to host simple files for Proxy messages, simple web pages, there's already a package called vHosts, use that.
5 - IF you want to build a cheap NAS, buy Raspberry Pi 2 or a Cubieboard, they are cheap and you can learn a lot working with them.
-
@BlueKobold:
- Intel QuickAssist support
soon
@BlueKobold:
- CPU multicore usage for the entire core system
what do you think netmap-fwd is about? :-)
Also: "Woof!"
-
OP, I found the answer to your combined NAS/Firewall-router predicament.