Run a Local DNS Server for internal lan on TrueNAS 13?

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
Gentlemen, thank you all for your input, I'm going to take some time and go through your suggestions and see what will work best.
I'm stuck with this ISP for the present, but others are similarly restrictive when it comes to SIP telephony, though less so where 3rd party modems are concerned. I'm making enquiries about that with other ISPs as part of this process, but there seems to be general paranoia about end users having access to SIP credentials for some reason.

I've now got a bigger issue in that the 'Public' share I created on the RAID pool can't be written to for some odd reason, no matter what permissions I give in the ACL (which I 'think' I'm doing right. I've removed and recreated the share several times, but it seems to allow read access but not modify, create or delete and nothing I do seems to alter that. Another share on the same Pool is fine. And a third share on a different pool is also ok. Not sure what's going on other than that I HATE TrueNAS permission setting which seems to have very complicated and multiple points where you can inadvertently break something. In 11.3 I simply used root for access (no I don't need to worry about security in this environment) but upgrading to TrueNAS broke this - it's disallowed for SMB authentication for some unstated reason (presumably corporate security paranoia) and I had to create users, which seemed to work on 12.1 but after updating to the latest in the maintenance feed, now it doesn't. I've tried tinkering with the filesystem ACL (why that even exists is a mystery, possibly broke something there.). Anyone know a way to get rid of ACLs and just let anyone access anything with full permissions? That's all I really need anyway. But just a way to fix the stuff below the Public sharepoint would be good, I have no idea what half the stuff in the ACLs is even for, the more I use TrueNAS the more I love Netware....

Thanks again for all your help with this.

Regards

Geoff
ETWebs
 

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
pfSense might be a better long term solution rather than trying to cobble something together with jails/plugins. Maybe even pick up some marketable knowledge in the process.
1. pfSense can be virtualized very easily, even on TrueNAS CORE/SCALE
2. Or you can buy a used fanless mini PC off evilBay and put it behind your ISPs kit (except for SIP phones). Does mean you will be running double NAT if you can't put the ISPs kit in bridge mode.
Double NAT? No, don't think so. The phone base is on the same lan/subnet as the computers. Pure IP Yealink base with two DECT handsets. I'm locked out of that too. So everything is NAT from the Class c 192.168.11.x net to the ISP router.
Where would double NAT come in?

Cheers

Geoff
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
I've tried tinkering with the filesystem ACL (why that even exists is a mystery, possibly broke something there.). Anyone know a way to get rid of ACLs and just let anyone access anything with full permissions? That's all I really need anyway. But just a way to fix the stuff below the Public sharepoint would be good, I have no idea what half the stuff in the ACLs is even for, the more I use TrueNAS the more I love Netware....
ACL's exist to enable Windows permissions. If you don't need that and just need simple per-user permissions, just get rid of them all and use UNIX permissions.

To remove all ACL's, run the following command on the directory you want to be reset:
Code:
setfacl -b -R /path/to/directory


From there, if you want write permission just for the user and read permission for everyone else, do this:
Code:
find /path/to/directory -type f -exec chmod 644 {} \+
find /path/to/directory -type d -exec chmod 755 {} \+
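The two commands above are exactly what is needed, but they do not show what the modes mean or whether the change actually took. The script below is an added example, not code posted by Whattteva or anyone else in the thread: it decodes the octal modes, strips the ACLs and applies the modes in the right order, then counts anything left with a different mode. It assumes you run it as root in the TrueNAS shell; it demonstrates on a constructed temporary tree, and `SHARE_DIR` is a placeholder for the share's dataset path.

```shell
#!/bin/sh
# Added example, not code from the thread: reset a share's tree to plain UNIX
# permissions the way the two posted commands do, and verify the result.
# Assumption: run as root in the TrueNAS shell; SHARE_DIR is a placeholder.

# Turn one octal digit (0-7) into its rwx triple, e.g. 6 -> "rw-".
bits() {
    d=$1
    r="-"; w="-"; x="-"
    if [ $((d & 4)) -ne 0 ]; then r="r"; fi
    if [ $((d & 2)) -ne 0 ]; then w="w"; fi
    if [ $((d & 1)) -ne 0 ]; then x="x"; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# Explain a three-digit mode such as 644: owner, group, everyone else.
decode_mode() {
    u=${1%??}; rest=${1#?}; g=${rest%?}; o=${rest#?}
    printf 'owner=%s group=%s other=%s\n' "$(bits "$u")" "$(bits "$g")" "$(bits "$o")"
}

# Strip every ACL entry, then apply 644 to files and 755 to directories.
# ACLs go first: on a ZFS dataset with aclmode=restricted, chmod is refused
# while a file still carries a non-trivial ACL.
reset_unix_perms() {
    dir=$1
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -b -R "$dir" 2>/dev/null || echo "warning: could not strip ACLs under $dir" >&2
    fi
    find "$dir" -type f -exec chmod 644 {} +   # owner rw, everyone else r
    find "$dir" -type d -exec chmod 755 {} +   # dirs need x to be entered
}

# Count files not at 644 and directories not at 755; 0 means the tree is clean.
count_nonconforming() {
    dir=$1
    files=$(find "$dir" -type f ! -perm 644 | wc -l)
    dirs=$(find "$dir" -type d ! -perm 755 | wc -l)
    echo $((files + dirs))
}

# Demo on a constructed tree so nothing on the NAS is touched by accident.
# Replace SHARE_DIR with the share's dataset path, e.g. /mnt/RAIDONE/Public.
SHARE_DIR=$(mktemp -d)
mkdir -p "$SHARE_DIR/docs"
printf 'constructed\n' > "$SHARE_DIR/docs/report.txt"
chmod 700 "$SHARE_DIR/docs"; chmod 600 "$SHARE_DIR/docs/report.txt"

echo "644 means: $(decode_mode 644)"
echo "755 means: $(decode_mode 755)"
echo "before: $(count_nonconforming "$SHARE_DIR") entries with other modes"
reset_unix_perms "$SHARE_DIR"
echo "after:  $(count_nonconforming "$SHARE_DIR") entries with other modes"
rm -rf "$SHARE_DIR"
```

With 644/755 the owner of each file is the only account that can write, and every account that passes SMB authentication can read the whole tree; if the share is meant to be writable by one user, `chown -R` that user before or after the reset, and keep the ACL reset ahead of the chmod so a restricted ACL mode on the dataset does not reject it.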
 

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
ACL's exist to enable Windows permissions. If you don't need that and just need simple per-user permissions, just get rid of them all and use UNIX permissions.

To remove all ACL's, run the following command on the directory you want to be reset:
Code:
setfacl -b -R /path/to/directory

Um... ok. I'm guessing there's a command shell somewhere that will let me do that. Um, so... how do UNIX permissions work on a Windows workstation? Or must I have one to allow access? I don't pretend to comprehend Unix permissions. I have no idea what the code below actually does or which one is read only and which is full access. Sorry I guess I'm even more ignorant than I thought.

So... does it still need to authenticate with SMB Authentication? To get access?

Alternatively, can I simply recreate the share or just create a blank ACL?

There seems to be no easy way to give someone full access and everyone else read only. The reason I used root on the Freenas 11.3 was because I couldn't get full permission to work for anyone else no matter what I did. It would sometimes let me change files but not write them back, some files disappeared from view, others were fine depending on where they were created. Very confusing. So I used root and it all worked and I could see and write to everything. Perfect.

The user I've created in TrueNAS is 'me' which is not the user on the Windows boxes (vary) and I've set the FULL CONTROL and ALLOW. However it also lets me browse the share even when I delete the credentials in Windows credential manager - in short the credentials when used don't seem to have any affect on access to that share at all. You can read it without any but credentials with supposed 'full control' don't do a thing. You can't create anything or write a file back after modifying it in word or whatever.

It seems to demand a 'domain' and I've been using 'FREENAS' which is the name of the system inherited from the original configuration and a 'group' I've used WHEEL which seems to come preinstalled.

Should there be a SID or something in the code below? I'm assuming that's recursive or whatever it's called for all directories/files below the sharepoint.

so...
Code:

find /mnt/RAIDONE/Public -type f -exec chmod 644 {} \+

All that gives what permission to whom?  This is why I'm learning to hate Linux, -type f? -exec?  whatever that means?  or the {} \+ at the end.  This is like C code.  Clearly the 644 is the permissions...



I think I'm regretting updating from FreeNAS. In three years it's never given an ounce of trouble.

I'm going to consider Pi Hole, perhaps in a VM, I'm a little surprised the TrueNAS people don't include DNS, they have DDNS but not DNS for some odd reason. No use for DDNS but a DNS server for an internal lan combined with a caching server for the internet would be nice.

Thanks for all your help, I'm going to consider my options.


Regards

Geoff
ETWebs


From there, if you want write permission just for the user and read permission for everyone else, do this:
Code:
find /path/to/directory -type f -exec chmod 644 {} \+
find /path/to/directory -type d -exec chmod 755 {} \+
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Um... ok. I'm guessing there's a command shell somewhere that will let me do that.
It's on the left-hand side of the web GUI menu list.

Um, so... how do UNIX permissions work on a Windows workstation?
There's nothing complicated really. As long as your credentials pass SMB login, it should just work. It won't have the fancy group-level permissions though. Everything is just simple per-user and you probably wouldn't be able to

Or must I have one to allow access? I don't pretend to comprehend Unix permissions. I have no idea what the code below actually does or which one is read only and which is full access. Sorry I guess I'm even more ignorant than I thought.
You won't really need to understand them really.

So... does it still need to authenticate with SMB Authentication? To get access?
Yes.

Alternatively, can I simply recreate the share or just create a blank ACL?
This might be the more simple approach. Just start fresh. I think you may be able to do this from the web GUI non-destructively.

There seems to be no easy way to give someone full access and everyone else read only. The reason I used root on the Freenas 11.3 was because I couldn't get full permission to work for anyone else no matter what I did. It would sometimes let me change files but not write them back, some files disappeared from view, others were fine depending on where they were created. Very confusing. So I used root and it all worked and I could see and write to everything. Perfect.
Yeah, the Windows ACL's can be a bit of a mystery. You're supposed to manage it from the properties menu when you right-click the file/folder on Windows. I do remember that some people did have problems when they upgraded some years back, so you're probably correct that something changed in the SMB code.

Should there be a SID or something in the code below? I'm assuming that's recursive or whatever it's called for all directories/files below the sharepoint.

so...
Code:

find /mnt/RAIDONE/Public -type f -exec chmod 644 {} \+

All that gives what permission to whom?  This is why I'm learning to hate Linux, -type f? -exec?  whatever that means?  or the {} \+ at the end.  This is like C code.  Clearly the 644 is the permissions...

It basically says find all files under that directory recursively and give read/write permission to the owner and just read for everyone else.
The one that says "-type d" roughly does the same thing, but for folders because folders also require execute permission to be able to be navigated through.

I think I'm regretting updating from FreeNAS. In three years it's never given an ounce of trouble.
Unfortunate.

I'm going to consider Pi Hole, perhaps in a VM, I'm a little surprised the TrueNAS people don't include DNS, they have DDNS but not DNS for some odd reason.
I guess they don't mean it to be providing network services like that. You CAN do all that and a lot more in the jails.
 

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
Ok, I found an option in the Edit Filesystem ACL to apply permissions for that recursively. Set the ACL to 'Open' and 'applied recursively' it warned about how it might make files inaccessible... but what the hell.

Took a while and seemed to finish with an error, but I can modify and create files and folders in Public again, so apparently it fixed something.
I'm also now able (as you suggest) to manipulate permissions from within Windows. So that problem seems to be gone now. I suspect this is all related to the updates from 11.x.

So I'm going to look at DNSMASQ in a jail again now that headache is gone.

I eventually found where it hides its .conf files and there's a sample.conf I'm going to have a look at. Perhaps that will give me some clues.

Appreciate your time with a rank amateur to Linux.

Thanks for your help.

Geoff
ETWebs.
 

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
pfSense might be a better long term solution rather than trying to cobble something together with jails/plugins. Maybe even pick up some marketable knowledge in the process.
1. pfSense can be virtualized very easily, even on TrueNAS CORE/SCALE
2. Or you can buy a used fanless mini PC off evilBay and put it behind your ISPs kit (except for SIP phones). Does mean you will be running double NAT if you can't put the ISPs kit in bridge mode.
I'm going to look at pfsense as well. I'd never heard of it. I now understand your reference to 'double nat' as it seems it's a firewall. A VM is possible however the box TrueNAS is on only has 8gb so I don't think it will have the RAM for a full VM vs a Jail with plugin. Might see if I can dig up some 4gb DIMM and run it up to 16gb as I don't want to spend big money (anything over $20 being big money to me) on a standalone 'appliance' approach. I have more old hardware but it seems an expensive way (power wise) to do that.

I've also screamed at my ISP and they are (finally) contemplating replacing the modem with a newer one which, supposedly, can do what I want, I'm also looking at a couple of old routers I've got kicking around that might have enough DNS savvy to do the same. We'll see.

I'm presently looking at DNSMASQ in a jail again, I found where it hides its .conf files and it seems there's a sample.conf that might be helpful.


Thanks again for your help with this.

Regards

Geoff
ETWebs
 

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
It could, by way of a virtual machine, though I wouldn't ordinarily recommend doing so, and I think it would likely be overkill for your needs (I'd also prefer OPNsense over pfSense, but that would likewise be overkill for your needs).

Broadly speaking, you have four options:
  • If appropriate software is available via a plugin, install it that way.
    • Strongly discouraged; plugins are deprecated and a "path to sadness" in the words of iX' CTO
  • If appropriate software is available under FreeBSD at all, create a jail, and install it there
    • "Appropriate software" certainly is available under FreeBSD; you can run dnsmasq as a DNS cache, unbound as a full resolver, etc. But I'm not aware of anything that would give a GUI or other web interface in this regard
  • Create a VM with a suitable OS, and install whatever software you like there.
  • Run your DNS on separate hardware, which could be as minimal as a Raspberry Pi or other single-board computer of that ilk
    • I understand you want to avoid additional hardware, but Raspberry Pis used to be cheap, and many of the similar SBCs still are--and it'd be nice to not have DNS for your whole network depend on your NAS being up
The third is what I chose for local DNS on my parents' NAS--create a VM under TrueNAS, install the latest LTS version of Ubuntu on that, and install Pi-Hole there. Pi-Hole is marketed as a network-level ad blocker, which it does pretty well, but it does it by acting as your network's DNS server. By default it uses dnsmasq and caches whatever backend server(s) you tell it to use, but you can also install unbound and use it as a full-fledged recursive resolver.

As an alternative to Pi-Hole, you could also look at Technitium. Also has a nice GUI, seems to offer more comprehensive DNS capabilities, but doesn't seem to be nearly as well-known.

I'm not certain, but ee may be available in the plugin. It isn't great, but I think it's better than edit.

Or, if you allow the root user to access via SSH, you can use a "real editor" on your desktop machine (e.g., BBEdit on Mac, Notepad++ on Windows) to connect via SFTP and edit the files that way.
Ok, I thought, in passing I'd take a look at AdGuardHome which is available as a plugin for a jail. In theory.

In practice... at 75% "Error: DNSJAIL had a failure Exception: GitCommandError Message: Cmd('git') failed due to: exit code(128) cmdline: git clone -v https://github.com/leandroscardua/iocage-plugin-adguardhome.git /mnt/RAIDONE/iocage/jails/DNSJAIL/plugin stderr: 'Cloning into '/mnt/RAIDONE/iocage/jails/DNSJAIL/plugin'... fatal: unable to access 'https://github.com/leandroscardua/iocage-plugin-adguardhome.git/': Could not resolve host: github.com ' Partial plugin destroyed"

Checked DNS on the TRUENAS - it's got the router's forwarder 192.168.11.1 first, 8.8.8.8 second and 4.4.4.4 third. No idea why this is happening.

Any suggestions?

Cheers

Geoff
ETWebs
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
What is the jails default route and DNS server set to? Also why are you cloning AdGuard Home from Github? It's available as a FreeBSD package: pkg install adguardhome as root inside the jail. Best to enable SSH in the jail and use an SSH client. Alternatively login to the NAS host via SSH and use iocage console <jailname> to get a root shell inside the jail.
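The two questions above (jail default route and jail nameserver) are the right ones for a "Could not resolve host" error. The script below is an added example and not Patrick's code: it reads the jail's resolv.conf, flags the usual mistakes (no nameserver at all, or a loopback nameserver copied from a host that runs its own resolver), reports the default gateway and tries a lookup of github.com, the host the failing plugin install was trying to reach. It assumes a FreeBSD jail on TrueNAS CORE and root inside the jail via `iocage console <jailname>`; without arguments it demonstrates on a constructed resolv.conf, with `--live` it inspects the jail it runs in.

```shell
#!/bin/sh
# Added example, not code from the thread: diagnose why a jail cannot resolve
# names ("Could not resolve host: github.com"). Assumptions: FreeBSD jail on
# TrueNAS CORE, run as root inside it (iocage console <jailname>); with no
# argument it runs against a constructed resolv.conf, with --live against the jail.

# List the nameserver addresses in a resolv.conf file.
nameservers_in() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Classify an address: loopback, private (RFC 1918) or public.
classify_ns() {
    case $1 in
        127.*) echo loopback ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *) echo public ;;
    esac
}

# Print one line per problem in a resolv.conf; prints nothing if it looks sane.
# A loopback nameserver is the classic jail mistake: the file was copied from a
# host that runs its own resolver, but nothing listens on 127.0.0.1 in the jail.
resolv_problems() {
    conf=$1
    n=0
    for ns in $(nameservers_in "$conf"); do
        n=$((n + 1))
        if [ "$(classify_ns "$ns")" = loopback ]; then
            echo "nameserver $ns is loopback: only valid if a resolver runs inside this jail"
        fi
    done
    [ "$n" -gt 0 ] || echo "no nameserver lines in $conf: nothing can be resolved"
}

# Default gateway, or empty if the jail has no default route (FreeBSD route(8),
# falling back to ip(8) on Linux so the script also runs on SCALE).
default_gateway() {
    if route -n get default >/dev/null 2>&1; then
        route -n get default | awk '$1 == "gateway:" { print $2 }'
    elif command -v ip >/dev/null 2>&1; then
        ip route show default 2>/dev/null | awk '$1 == "default" { print $3 }'
    fi
}

# Resolve a name with whichever tool the jail has (drill and host ship with FreeBSD).
resolve_name() {
    if command -v drill >/dev/null 2>&1; then drill "$1" 2>/dev/null | grep -q 'rcode: NOERROR'; return; fi
    if command -v host >/dev/null 2>&1; then host "$1" >/dev/null 2>&1; return; fi
    getent hosts "$1" >/dev/null 2>&1
}

# Human-readable report for one resolv.conf plus the routing table.
jail_dns_report() {
    conf=$1
    if [ ! -r "$conf" ]; then echo "PROBLEM: $conf missing or unreadable"; return 1; fi
    for ns in $(nameservers_in "$conf"); do
        echo "nameserver $ns ($(classify_ns "$ns"))"
    done
    resolv_problems "$conf" | sed 's/^/PROBLEM: /'
    gw=$(default_gateway)
    if [ -n "$gw" ]; then echo "default gateway: $gw"; else echo "PROBLEM: no default route, upstream servers are unreachable"; fi
}

if [ "$1" = "--live" ]; then
    jail_dns_report /etc/resolv.conf
    if resolve_name github.com; then echo "lookup of github.com: ok"; else echo "lookup of github.com: FAILED"; fi
else
    # Constructed resolv.conf reproducing the common broken case.
    demo=$(mktemp)
    printf 'search lan\nnameserver 127.0.0.1\n' > "$demo"
    jail_dns_report "$demo"
    rm -f "$demo"
fi
```

For an iocage jail the fix is normally to set the jail's resolver and default router in its properties (the values the NAS itself uses, such as the router 192.168.11.1 mentioned later in the thread) rather than editing resolv.conf inside the jail, since iocage rewrites that file when the jail starts.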
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Don't use plugins--they're a dead feature walking. Just install it in a jail, using the commands I posted up-topic.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Don't use plugins--they're a dead feature walking. Just install it in a jail, using the commands I posted up-topic.
Honestly, not sure why plugins was abandoned. My experience with SCALE apps is honestly even worse than the short time I had with plugins. The issues range from:
  • Update available, but fails to update when I do click upgrade
  • High CPU utilization for seemingly no reason (idles higher than my Windows VM)
  • Deploying forever
  • Broken apps after TrueNAS update
The last 2 bullet points have been echoed in various forum posts.
If they were going for stability and more robust apps, SCALE ain't doing it or it is doing a terribad job at it.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
The foundation of plugins - jails - are solid proven technology. Just deploy standard jails and use the regular tools to install all the applications you want, as long as they are available as FreeBSD packages.

I run
  • Nextcloud
  • Observium
  • Influx & Grafana
  • Gitea
  • Mineos
  • Guacamole
that way. No pain when updating, just stable operation.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
Once you get the gist of it you can't not fall in love with jails. Way more simple than most people think too.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
The foundation of plugins - jails - are solid proven technology. Just deploy standard jails and use the regular tools to install all the applications you want, as long as they are available as FreeBSD packages.
Exactly.

Honestly, they could've either piggy-backed or helped the development of BastilleBSD as they do have templates, which could be easily expanded to support plugins. I myself have several custom templates I made myself to help deploy my own version of "plugins".
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
not sure why plugins was abandoned.
Because iX were unwilling or unable to devote the necessary resources to maintaining them. And they believe--rightly or wrongly is TBD--that the SCALE apps will be a more maintainable solution.

But really, this isn't the place to discuss whether iX should or shouldn't continue to support plugins; the fact is that they've made it perfectly clear they don't intend to. Jails work well, and installing AdGuard Home in one is trivial. VMs work well-ish. Plugins are a dead-end road, and nobody should be using them for new deployments.
 

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
What is the jails default route and DNS server set to? Also why are you cloning AdGuard Home from Github? It's available as a FreeBSD package: pkg install adguardhome as root inside the jail. Best to enable SSH in the jail and use an SSH client. Alternatively login to the NAS host via SSH and use iocage console <jailname> to get a root shell inside the jail.
1) No idea. I imagined it would be the same as the NAS, but maybe not. I'll check.

2) AdGuard home is a Community Plugin, I would have thought that was the easy way?

3) SSH? Never used it. But you get root access in the Jail settings etc. I'll try that.

Thanks for your help.

Regards

Geoff
ETWebs
 

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
Don't use plugins--they're a dead feature walking. Just install it in a jail, using the commands I posted up-topic.
Um, ok, that would have been good to know before I started this exercise. I'll try that, thanks.

Geoff
ETWebs
 

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
Don't use plugins--they're a dead feature walking. Just install it in a jail, using the commands I posted up-topic.
Ok, did that. I had to install the package retriever first, but that was fine. However....

root@ADGUARDJAIL:~ # help start
help: Command not found.
root@ADGUARDJAIL:~ # adguardhome start
2023/05/22 14:06:23 [error] unknown option start
Usage:

adguardhome [options]

Options:
-c, --config VALUE Path to the config file.
-w, --work-dir VALUE Path to the working directory.
-h, --host VALUE Host address to bind HTTP server on.
-p, --port VALUE Port to serve HTTP pages on.
-s, --service VALUE Service control action: status, install (as a service), uninstall (as a service), start, stop, restart, reload (configuration).
-l, --logfile VALUE Path to log file. If empty, write to stdout; if "syslog", write to system log.
--pidfile VALUE Path to a file where PID is stored.
--check-config Check configuration and exit.
--no-check-update Don't check for updates.
--update Update the current binary and restart the service in case it's installed.
--no-mem-optimization Deprecated. Disable memory optimization.
--no-etc-hosts Deprecated. Do not use the OS-provided hosts.
--local-frontend Use local frontend directories.
-v, --verbose

Sigh.

However, just typing adguardhome got it to run with what appears to be defaults. The web interface is up at 3000. I guess that's a start. I think I see how to install it as a service for restart.

Let you know how I go.

Cheers

Geoff
ETWebs
 

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
Plugins are a dead-end road, and nobody should be using them for new deployments.
Ok, fine. I have got ADGuardHome up in a Jail. And its working. (Blocking ads beautifully - bonus).

I see no mechanism for running a local 'inside' domain. Talks about using hosts... so... I suppose search for and find hosts file on the jail and fill in the 192.x ips with hostnames? That should be simple I suppose. Is that all it takes?

Geoff
ETWebs
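For the "local inside domain" question, a hosts-style file is indeed all it takes, whether dnsmasq in a jail (mentioned earlier in the thread) or AdGuard Home reads it. The script below is an added example, not code from any poster: it checks such a file for the mistakes that silently break local names (addresses outside the LAN, duplicate names, fully-qualified names where short ones are expected) and writes a dnsmasq.conf that serves the internal domain from it while listening only on the jail's LAN address. It assumes the internal domain `lan`, the 192.168.11.0/24 network and router 192.168.11.1 from the thread as upstream; the jail address 192.168.11.5 and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: give dnsmasq in a jail the names of
# the internal LAN. Assumptions: internal domain "lan", LAN 192.168.11.0/24 and
# the router 192.168.11.1 as upstream (both from the thread); jail address
# 192.168.11.5 and the file paths are placeholders.

LAN_DOMAIN=lan
HOSTS_FILE=${HOSTS_FILE:-/usr/local/etc/dnsmasq.hosts}

# Check a hosts file ("IP name [alias ...]") before dnsmasq loads it.
# Prints one line per problem; prints nothing when the file is clean.
check_hosts() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        NF < 2 { printf "line %d: need an address and at least one name\n", NR; next }
        $1 !~ /^192\.168\.11\.[0-9]+$/ { printf "line %d: %s is not in 192.168.11.0/24\n", NR, $1 }
        $1 ~ /^192\.168\.11\.[0-9]+$/ {
            split($1, o, ".")
            if (o[4] + 0 < 1 || o[4] + 0 > 254) printf "line %d: %s is not a host address\n", NR, $1
        }
        {
            for (i = 2; i <= NF; i++) {
                # expand-hosts appends the domain, so entries must be short names
                if ($i ~ /\./) printf "line %d: %s should be a short name, the domain is added by dnsmasq\n", NR, $i
                if ($i in seen) printf "line %d: name %s is already used on line %d\n", NR, $i, seen[$i]
                seen[$i] = NR
            }
        }
    ' "$1"
}

# Write a dnsmasq.conf that answers for the internal domain from HOSTS_FILE,
# listens only on the jail's LAN address and forwards everything else upstream.
write_dnsmasq_conf() {
    # $1 = output file, $2 = address to listen on, $3 = upstream server
    cat > "$1" <<EOF
# generated by the added example; comments on their own lines
# authoritative for the internal domain, never forwarded upstream
domain=$LAN_DOMAIN
local=/$LAN_DOMAIN/
# "nas" in the hosts file also answers as nas.$LAN_DOMAIN
expand-hosts
addn-hosts=$HOSTS_FILE
# ignore the jail's own /etc/hosts, only the file above counts
no-hosts
# do not forward plain names or reverse lookups of private ranges to the ISP
domain-needed
bogus-priv
# listen on the LAN address only, not on every interface of the jail
listen-address=$2
bind-interfaces
# ignore resolv.conf; the upstream is set here
no-resolv
server=$3
cache-size=1000
EOF
}

# Demo in a temporary directory so nothing under /usr/local/etc is touched.
demo=$(mktemp -d)
HOSTS_FILE=$demo/dnsmasq.hosts
# Constructed hosts file with deliberate mistakes so the checker has something to report.
printf '%s\n' \
    '# internal names' \
    '192.168.11.10 nas truenas' \
    '192.168.11.1  router' \
    '192.168.11.20 nas' \
    '10.0.0.5 printer' \
    '192.168.11.30 pc.lan' > "$HOSTS_FILE"
echo "problems in $HOSTS_FILE:"
check_hosts "$HOSTS_FILE"
write_dnsmasq_conf "$demo/dnsmasq.conf" 192.168.11.5 192.168.11.1
# dnsmasq --test only parses the config; run it before restarting the service.
if command -v dnsmasq >/dev/null 2>&1; then dnsmasq --test -C "$demo/dnsmasq.conf"; fi
rm -rf "$demo"
```

Point the clients (or the router's DHCP) at the jail address afterwards; `listen-address` plus `bind-interfaces` keeps the cache from answering on interfaces it was never meant to serve, and `local=/lan/` keeps queries for internal names from ever leaving the LAN.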
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
that would have been good to know before I started this exercise.
You really should read more carefully, this was already brought up pretty explicitly in this very thread. And it isn't like iX are making any secret of this:
I think I see how to install it as a service for restart.
I gave the exact commands to do this up-thread.
I see no mechanism for running a local 'inside' domain.
Once again, this has already been discussed up-thread.
 