
LIGISTX

Member
  • Posts: 8,315
Reputation Activity

  1. Agree
    LIGISTX reacted to BoomerDutch in How secure is unraid and or truenas scale?   
    @LIGISTX cheers for providing valuable information.
     
    Fortunately I don't need it now because I'm not planning to deploy any time soon.
    And I'd never use Windows anyway.
     
    Yes, it's true that for some people it's an annoying way of doing things.
    However, I've made a smol Linux desktop with one browser and attach a virtual network to any of these VMs, and most of the time I've implemented an auto reboot cycle and update cycle; if the whole thing fails it just loads my configuration and reinstalls itself.
    So I usually don't need to change smol Linux and keep it attached to the WebGUI I use.
     
    Quite fascinating, if you ask me.
     
    🧑‍🔧
     
    Thanks, looks like my next tinkering project is VLANs; gotta crack my skull open and dump all that valuable information in.
     
    An OpenWrt router should be fine to start with, then pfSense after?
     
    Kinda a pain to spend more money on a router.
     
    Yes, all you have to do is kill your library and rebuild, then redownload the stuff you lost.
     
    However, do shut down the network and check logs / scan your devices to see if you're infected or not.
     
    It's not fun, but you know it's a must.
     
    However, you can reduce getting attacked by choosing trustworthy sources through research.
     
    I cannot help you build one since it's against the holy grail of forum rules.
     
    However, you can easily find YouTube videos about it. Plenty of YouTubers have made guides about it, and I've learned from them and made it.
  2. Like
    LIGISTX got a reaction from Needfuldoer in How secure is unraid and or truenas scale?   
    So... only partially. 
     
    Yes, with proxmox you could create some VM's, set up virtual routing and put torrent downloaders on their own subnet, but that isn't really the issue here. The issue here is downloading a file that is compromised and having a windows machine connected via SMB play that file and thus execute said malware, or having a windows PC on the main LAN (which wouldn't be firewalled off from the management surface of proxmox and thus all VM's under it in this example.....) become compromised and then laterally move to your proxmox box, which can then pwn truenas.
     
    Yes, your solution does provide more security than nothing at all, but it doesn't really fix the fact all of the management surfaces are on the main LAN, with all sorts of devices we don't trust.
     
    To do this "properly", you need your edge router to have a proper firewall, and do all vlan setups there. That way you can have a management subnet that proxmox, truenas WebUI, the firewall itself (pfsense is what I use), and whatever else is at that management level live on. Then you would set up subnets "below" that for things such as windows machines, phones, laptops, etc as well as an SMB share from truenas so your windows machines can still access SMB but restrict their ability to interface with the management subnet, then "next to that" I would have VM's for download clients etc, with similar rules as the windows and normal devices subnet.... then a subnet with next to 0 ability to talk to anything outside of that subnet for all IoT devices and things we really, truly, do not trust. 
  3. Informative
    LIGISTX got a reaction from BoomerDutch in How secure is unraid and or truenas scale?   
    So... sort of.
     
    There is nothing wrong with SMB or NFS, especially since people are going to want to use their NAS to actually do what NAS's do, which is be network attached storage.
     
    The way to correctly lock things down is you NEED an edge router that does network segmentation; running pfsense within proxmox is not enough because that doesn't protect proxmox from your windows machines, since they would all be on a flat network otherwise. 
     
    In a normal home network, you have 1 router, say 192.168.1.1, and it has a 192.168.1.x subnet. Your PC, AND proxmox, will both end up with 192.168.1.x IP's, which means there is no segmentation between your vulnerable windows PC, Macbook, IoT devices etc and your proxmox host.
     
    Now depending on how difficult you have made things, yes, you can virtually route all of your VM's through a virtual pfsense, and put them behind a firewall and behind NAT from your 192.168.1.x network... but this is sort of an "annoying" way to do things. I think that is what you are saying you did, but that isn't really "the right" way to do it. It isn't "wrong", but it makes it much more difficult to manage since you can't admin any of the VM's that live within proxmox from your main PC, which is on the 192.168.1.x subnet.
     
    What you need is a pfsense machine at the head of the network... right after your modem. From there, you do all segmentation with vlans and managed switches.
     
    In this situation, say your main network which pfsense lives on is 10.10.10.x (let's call this the top level management subnet), and this is the first router immediately after the modem. From there, you set up vlans: set up 1 vlan for your windows PC and other "trusted" machines on say 10.10.11.x. Then you set up a homelab subnet for things like jellyfin, torrent clients, etc, on 10.10.12.x, and an IoT subnet on 10.69.69.x.
     
    At the pfsense level, you do not allow 10.69.69.x to talk to anything except the WAN. This would mean all IoT devices can work normally, but they can not reach out and touch ANYTHING else on your network. Things on your network can reach out and control them, but nothing can initiate a connection from the IoT subnet. If you have managed AP's, you assign this its own SSID, and boom, all IoT stuff is segmented off on its own WiFi SSID, in its own subnet, done.
     
    Then you set up a WiFi and switch port vlans for your trusted 10.10.11.x subnet which you plug your PC ethernet into, connect your laptop to that SSID, etc. Done.
     
    Then you plug proxmox into 10.10.10.x, along with all of your switches and AP's; they ALL get the management subnet (which is the trunk port), which now means proxmox lives on the 10.10.10.x management subnet and you can assign vlans within proxmox to each VM. So if you want, you can spin up a Home Assistant VM on the 10.69.69.x vlan, and it will then be able to talk to your IoT devices, but nothing else. And you can pass a torrent client the 10.10.12.x vlan, and it can communicate across that subnet, and depending how you set up your firewall rules, maybe it can talk out of that subnet, maybe it can't, up to you...
     
    Then you set up truenas as a VM within proxmox. You pass truenas 10.10.10.x, so truenas lives on the management port. You then create SMB shares on both 10.10.11.x and 10.10.12.x with different permissions. This way, VM's within 10.10.12.x (like a VM hosting jellyfin, or a VM hosting a torrent client) can SMB to truenas, but only with those permissions, and only to the /mnt point where you have your torrented media. In truenas, on the SMB share shared over 10.10.11.x, you then would be able to use your NAS as a NAS where you can have all your personal files and data like pictures, home videos, documents, etc and be able to access them from devices on the 10.10.11.x subnet, but NOT from the 10.10.10.12 or 10.69.69.x networks, since you only expose that SMB share over the 10.10.11.x network. 
     
    Doing all of this 100% inside of proxmox means you are not really locking things down... you need to move things that have management ability up and away from anything that could infect or alter them. This does take some money though, as you would need a pfsense machine and managed switches and AP's. But I was able to do all of this for about 300 bucks. Use an old PC for pfsense, get a 2 port NIC (1 for WAN, 1 for LAN, DO NOT USE PFSENSE AS A SWITCH), get a few 5 port managed switches from Ubiquiti for ~30 bucks each, and a managed AP or two also from Ubiquiti for ~150 bucks, and that's it.
     
    This is a very good guide on how to set it all up; Lawrence Systems has MANY great videos on these topics:
     
    Something to remember: the torrent client is not the piece of software to be worried about, IoT devices and not well administered Windows machines are the concern here. If you have a windows PC able to reach out and touch your proxmox WebUI, SSH, or truenas WebUI or SSH, and your windows machine got compromised, it could start ransomwaring your SMB share, AND THEN ALSO attack the truenas webUI via stored credentials in your browser and turn off ZFS snapshots, delete previous ones, lock you out of the webUI altogether, etc etc. This is certainly a pretty extreme example, but THAT is what we are trying to protect against here, which is why doing segmentation within proxmox is not enough. You need to protect proxmox itself (and all other things living on the management interface… firewalls, network routing equipment like switches and AP’s, TrueNAS webUI and SSH, and any other key infrastructure).
     
    Anyways, hope this made sense... trying to convey the entire premise of network security in a single post is not exactly simple. 
     
    Another good video that may help explain things a little better:
     
     
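    The VLAN policy described in the post above, modelled as a pfSense-style first-match rule list so each flow can be checked against the design. This is an added example, not the post's or pfSense's own configuration; the subnets are the post's (10.10.10.x management, 10.10.11.x trusted, 10.10.12.x homelab, 10.69.69.x IoT), while the TrueNAS per-VLAN interface addresses and the sample client addresses are constructed placeholders.

```python
"""Model of the segmentation policy from the post above (added example).

Subnets are the post's; TrueNAS interface addresses are constructed placeholders.
Rules govern NEW connections only: like pfSense, replies to an established flow
ride the state table, which is why trusted -> IoT works while IoT cannot initiate.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

MGMT = ip_network("10.10.10.0/24")      # pfSense, Proxmox, switches, APs, TrueNAS WebUI/SSH
TRUSTED = ip_network("10.10.11.0/24")   # Windows PCs, laptops, phones
HOMELAB = ip_network("10.10.12.0/24")   # Jellyfin, torrent client VMs
IOT = ip_network("10.69.69.0/24")       # devices we do not trust
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed: TrueNAS exposes one SMB share per VLAN via a VLAN interface on each.
TRUENAS_TRUSTED_IF = ip_network("10.10.11.5/32")   # personal-files share
TRUENAS_HOMELAB_IF = ip_network("10.10.12.5/32")   # torrented-media share
SMB = 445


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: IPv4Network
    dst: Optional[IPv4Network]     # None = any destination
    port: Optional[int] = None     # None = any port
    note: str = ""


# First match wins; anything not matched falls through to the default in evaluate().
RULES = [
    # Management plane may reach everything (it is the admin network).
    Rule("pass", MGMT, None, note="admin plane"),
    # Trusted devices: their own NAS share, control of IoT devices, and WAN. Nothing else.
    Rule("pass", TRUSTED, TRUENAS_TRUSTED_IF, SMB, "personal SMB share"),
    Rule("pass", TRUSTED, IOT, note="control IoT devices"),
    Rule("block", TRUSTED, MGMT, note="no Proxmox/TrueNAS WebUI or SSH from Windows"),
    Rule("block", TRUSTED, HOMELAB, note="no path into the lab VMs"),
    # Homelab VMs: only the media share on their VLAN; no management, trusted or IoT.
    Rule("pass", HOMELAB, TRUENAS_HOMELAB_IF, SMB, "media SMB share"),
    Rule("block", HOMELAB, MGMT, note="lab VM cannot touch the admin plane"),
    Rule("block", HOMELAB, TRUSTED),
    Rule("block", HOMELAB, IOT),
    # IoT: WAN only. Block every private destination; the default lets WAN traffic out.
    *[Rule("block", IOT, n, note="IoT may not initiate to anything internal") for n in PRIVATE],
]


def is_wan(ip) -> bool:
    return not any(ip in n for n in PRIVATE)


def evaluate(src: str, dst: str, port: Optional[int] = None):
    """Decide a new connection src -> dst:port. Returns (action, note)."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULES:
        if s in r.src and (r.dst is None or d in r.dst) and (r.port is None or r.port == port):
            return r.action, r.note
    if is_wan(d):
        return "pass", "default: outbound to WAN"
    return "block", "default: no east-west traffic"


if __name__ == "__main__":
    # Constructed sample flows: Windows PC, lab VM, IoT bulb, and the Proxmox host.
    samples = [
        ("10.10.11.20", "10.10.10.2", 8006),   # Windows PC -> Proxmox WebUI
        ("10.10.11.20", "10.10.11.5", SMB),    # Windows PC -> personal share
        ("10.10.12.30", "10.10.12.5", SMB),    # torrent VM -> media share
        ("10.10.12.30", "10.10.11.5", SMB),    # torrent VM -> personal share
        ("10.69.69.7", "10.10.10.2", 22),      # IoT bulb -> Proxmox SSH
        ("10.69.69.7", "1.1.1.1", 443),        # IoT bulb -> WAN
        ("10.10.11.20", "10.69.69.7", 80),     # phone -> IoT bulb
    ]
    for src, dst, port in samples:
        action, note = evaluate(src, dst, port)
        print(f"{src:>12} -> {dst:<12}:{port:<5} {action:5} {note}")
```

Rules are matched on the source subnet, so an IoT device that has been compromised still cannot reach the management, trusted or homelab networks; only replies to connections those networks opened get through.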
  4. Like
    LIGISTX got a reaction from Armymen in New build NAS CPU - i5-12600K vs i5-14500 ? 12 gen CPU vs a 14 gen CPU???   
    Igpu should make quick work of transcode, but regardless, 1080p transcode doesn’t take much at all even if you do it on CPU. Trying to transcode 4k isn’t super viable anyways, but it can certainly be done. 
     
    I used to run my entire homelab on an i3 6100, and my Ubuntu VM which ran Plex only got 2 threads of the 4 total. It could transcode multiple 1080p to 720p movies at once… a 12600k would run circles around a 6100.
     
    I posted some info about this the other day, I would give this a look. This was done on my current homelab, and my Plex VM gets 6 threads…. And my e5-2600 threads are much, much slower than 12600k threads. 
     
    The post I linked didn’t have CPU usage from within the Plex VM itself, so see below for a 4k to 720p transcode on 6 threads of my much slower CPU… it’s transcoding at over 1:1 speed, and has headroom to spare. This is not the most intense 4k video as the bitrate is pretty low for 4k content, this matches up to the detail I provided in the linked post regarding the 4k bitrate of this file. 
     
    A 12600k for a NAS is wild overkill. 
  5. Agree
    LIGISTX got a reaction from Needfuldoer in How secure is unraid and or truenas scale?   
    (same post as item 3 above)
  6. Agree
    LIGISTX got a reaction from Needfuldoer in How secure is unraid and or truenas scale?   
    That isn’t going to cause a targeted digital attack…
     
    Truenas and unraid are much more secure because they are not ever going to reach out to the internet… they don’t have web browsers, they are Linux based and not windows based, etc etc.
     
    But this is not really how NAS’s get compromised, they get compromised by other devices on your network. If you have a fully locked down NAS, but the windows PC that is accessing shares gets ransomwared, it’ll start encrypting network drives including your NAS SMB shares. This is one reason Truenas and ZFS are the superior choice… ZFS snapshots are the best mitigation against this since snapshots can’t be encrypted or deleted except via TrueNAS itself (as in no network connected client could delete or alter those snapshots). 
     
    This then means you need good network security, and have network segmentation so your TrueNAS machine lives on a subnet not accessible by your potentially infected windows machines, IoT devices, etc etc. This is where you get into more prosumer grade network gear, set up vlans, and really dive into learning networking, which is overkill for most people. But it is “the correct answer”. 
     
    TL;DR: windows is by far the least safe, TrueNAS is the most safe mostly because ZFS is your best shot against ransomware due to ZFS snapshots. 
  7. Like
    LIGISTX got a reaction from Beardz in Trying to fix my UniFi USW 48 power supply   
    As long as you know what you are doing, it's fine. If you do not know what you are doing (and you will either know you know what you are doing, or you will know you do not know what you are doing), do not ever open up a PSU.
     
    Do not pretend to know what you are doing either. If you know what you are doing, you know what you are doing, likely from electrical engineering courses in school, or being an electronics assembly technician etc. 
    Good luck... I am not sure where that data would be, or if it's even published anyway. I may suggest checking out https://forum.level1techs.com/ as folks there will be much more in the weeds and may even have a switch opened up they can just read the resistor color codes or values off of for you. Folks here may as well, but there is "less noise and more signal" on level1techs for things this technical, if you catch my drift. Potentially also the Lawrence Systems forums, lots of folks there run Ubiquiti gear as well.
  8. Like
    LIGISTX got a reaction from BoomerDutch in How secure is unraid and or truenas scale?   
    (same post as item 2 above)
  9. Agree
    LIGISTX reacted to leadeater in New build NAS CPU - i5-12600K vs i5-14500 ? 12 gen CPU vs a 14 gen CPU???   
    Just to add to what @LIGISTX said, if you can't do the transcode on an older ~6 core CPU then GPU transcode is the correct solution rather than a costly, high power usage CPU. You don't even need a good or new GPU, just anything good enough like a GTX 1050 Ti, which is already more than required for transcoding.
  10. Agree
    LIGISTX got a reaction from leadeater in New build NAS CPU - i5-12600K vs i5-14500 ? 12 gen CPU vs a 14 gen CPU???   
    (same post as item 4 above)
  11. Agree
    LIGISTX reacted to Queen Chrysalis in New build NAS CPU - i5-12600K vs i5-14500 ? 12 gen CPU vs a 14 gen CPU???   
    This should not be a new PC.  Any old computer from the last decade will handle this easily and you'll spend $20.
  12. Agree
    LIGISTX reacted to emosun in New build NAS CPU - i5-12600K vs i5-14500 ? 12 gen CPU vs a 14 gen CPU???   
    If it's just a file server then you can use almost any modern CPU and the choice shouldn't matter much.
  13. Agree
    LIGISTX reacted to Needfuldoer in Found old hard drive. how to plug?   
    All you need is a USB to IDE adapter or an IDE to SATA adapter, then plug a Molex 4-pin into it for power.
  14. Agree
    LIGISTX reacted to Agall in Found old hard drive. how to plug?   
    You can find IDE to USB adapters pretty cheap.
     
    Universal Drive Adapter (ifixit.com)
     
    I have a couple of these, there's probably cheaper ones out there though that'll work just fine.
  15. Agree
    LIGISTX reacted to OddOod in How secure is unraid and or truenas scale?   
    Unless you're doing some pretty sketchy stuff, you probably don't need to worry. Keep everything on the network reasonably up to date and you should be pretty secure. 
  16. Agree
    LIGISTX reacted to Kilrah in Looking for advice for NVR and Home Assistant   
    Frigate's pretty common too.
  17. Agree
    LIGISTX reacted to Electronics Wizardy in Network setup in new apartment   
    Seems odd to put the ISP box in the kitchen to me. I'd set up a little network cabinet. There are wall inset ones that are pretty common in my area. Then put the ISP box in there, and run cables to all the rooms from there. Then you can make a patch panel like setup in there, and get a switch to connect all the cables.
  18. Agree
    LIGISTX reacted to Electronics Wizardy in Using WD Reds from EX2 Ultra in Normal PC For Custom NAS?   
    You should be able to access the data on there with Linux. I'd give a Linux distro a shot, and see what the drives are formatted as. I'd guess that they're using mdadm + ext4/xfs/btrfs if they're like other NAS units out there.
     
    I'd get another place to copy the data to for now. You're gonna want to copy the data off, then format to the system the new NAS OS likes.
  19. Agree
    LIGISTX reacted to OddOod in Subnetting work for uni   
    Have you tried going to office hours? This is some pretty foundational material which, if you fail to grasp, will massively hamper your ability to actually DO networking professionally.
    Remember, the purpose of homework is to help drill in the lessons. If you can't just breeze through it, you still have stuff to learn.
     
  20. Like
    LIGISTX reacted to Treboren in Home server advice   
    Hey everyone. Thanks for all your replies. 
     
    I ended up implementing quite a few of the suggestions. 
     
    Managed to get an old Dell with an i5 8500, 16GB RAM, 256GB NVMe, and a 1TB HDD for £120, which I think was a decent price. It's been rock solid for me and my friends' game servers, and I'm going to set up jellyfin next.
     
    Been really enjoying tinkering with it, experimenting with unraid; might switch when my free trial ends.
     
    Thanks again. 
  21. Like
    LIGISTX reacted to Commander_Dork in Raid performance with HDDs   
    There's @LIGISTX!! I was hoping you'd save me again LOL almost every post I make your advice is always easy to understand and super helpful! thanks dude!
  22. Agree
    LIGISTX got a reaction from AbydosOne in Raid performance with HDDs   
    RAID 5 or 6 is not the right terminology for "vdevs". vdevs are part of the ZFS architecture which is a software RAID solution (its a fantastic solution, I have been running ZFS via truenas for almost a decade).
     
    I would advise you do A LOT more research before you buy or implement anything. I would look in the truenas forums for beginner guides and explanations of what's what so you can get a better idea of pitfalls that are common, issues people run into, and gain a better understanding of what all is going on. These things are very important to understand up front because if you make config mistakes in the beginning, once you have the data populated, it's really difficult to change things later since you will need to offload your data and start over...
     
    This forum definitely can help a lot, but to get the most out of said help, you need to do a good bit of research and homework on your own so we can all be speaking the same language, per se :).
     
    Things to understand first are:
      • How much storage space do you think you need? How long will it take to fill this up, and how do you plan to increase capacity?
      • How much money do you want to spend?
      • What hardware do you already have?
      • What is ZFS? What are vdevs?
      • Look into unraid so you know what your two main options are.
  23. Agree
    LIGISTX got a reaction from Needfuldoer in using SHR . how to upgrade storage from 4tb to higher , DS224+ 2 bay   
    RAID is definitely not garbage... It's uptime availability AND it can save you headaches. I have had an annoying number of drives fail in my truenas array, and have been extremely thankful I have ZFS Z2 (basically software RAID 6) running. The headache from downtime for my system would be huge as my homelab is a large part of the networking infrastructure of my house, as well as home automation and lots more. More uptime by definition = less headaches and stress. It's not a backup... but uptime is uptime, and that is not "garbage". 
  24. Agree
    LIGISTX reacted to Needfuldoer in using SHR . how to upgrade storage from 4tb to higher , DS224+ 2 bay   
    The important thing to remember is that RAID is uptime insurance, not a backup solution. It's there so if you lose a drive, you should be able to recover without having to restore from your backups.
     
    Even a robust array that can survive multiple drive failures, hosting a filesystem that supports snapshots isn't a replacement for a good backup strategy with offline media.
  25. Agree
    LIGISTX reacted to mnm0710 in i7 920 Repurpose to NAS?   
    Thanks everyone! I’ll take the general advice and just sell the parts and get a more efficient system for a NAS