Configuration sanity check and question about security

Status
Not open for further replies.

slayer99199

Dabbler
Joined
Oct 5, 2017
Messages
17
FreeNAS config:
FreeNAS-11.0-U4 (54848d13b)
5x4TB HGST DeskStar NAS 7200 RPM
ASRock C236 WSI
16GB ECC memory

Ok, so I've set up FreeNAS 11u4. I did my drive burn-in using SMART short and long-tests as well as badblocks and encountered no errors.

I have the plugins for Plex (for movies) and Emby (for OTA TV and DVR) configured.

I've copied over my 900+ movies to FreeNAS and added the libraries in Plex. Everything seems to work flawlessly (actually, much better performance since Plex is directly on the NAS...no issues transcoding thus far).

I've added a number of scripts that do the following:
Backup to USB (nightly)
SMART Report and zPool Report (https://forums.freenas.org/index.ph...d-identification-and-backup-the-config.27365/)

Scrub jobs are set up weekly.
SMART short test set up weekly
SMART long test set up bi-monthly (set with days in between the other tests so there's no collision).

Anything obvious that I'm missing here?

I have 2 remaining tasks before I'm ready to put this into home production (unless someone more experienced can point out something I've missed). I need to emulate a boot drive failure and restore from backup once everything is configured. That should be fun.

The second thing and primary concern I have now is how to lock this thing down security-wise. I do need remote access to Plex (I'm on the road frequently and I like to watch movies from the hotel). Typically, I disable UPNP on my router and remote access in Plex until I depart then enable it. The issue is that my old NAS had no direct access to the internet...Plex was set up to access drive shares on my NAS and my Windows machine is locked down pretty well.

Now that I'm eliminating Windows from the Plex and Emby piece, with both running directly on the NAS, my NAS box is directly exposed to the internet. Being naive to FreeBSD, I was thinking I could set up iptables to lock it down...but alas, that's not possible.

So the question is how do I lock this down? Just from the router forwarding 32400 to Plex? I have DD-WRT so I have some flexibility with iptables there. I have yet to find a decent guide or consistent answer in the forums or from google.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
What RAID-z level are you using?

No need to simulate a boot drive failure. It is easy to recover from as long as you have backed up your config DB. If you use mirrored boot drives, it is even easier as you will be very unlikely to have both fail at once.

You don't need UPNP for remote access to Plex. The Plex plugin has a different IP address than the NAS. It is effectively a virtual machine with a virtual interface. You can shut down and reboot the jail that contains Plex without having to reboot the NAS.

Emby also runs in a jail and should also have a separate IP address.

You should set up the system to take periodic snapshots of the data so you can roll back to a previous state if there is a problem.

You don't need to forward anything to Plex. When you enable remote access on your Plex, you log in to the Plex website and it connects you to your media. The connection is made outbound from your local Plex to the Plex website and the Plex website negotiates the link to your remote call.
 

slayer99199

Dabbler
Joined
Oct 5, 2017
Messages
17
> What RAID-z level are you using?
>
> No need to simulate a boot drive failure. It is easy to recover from as long as you have backed up your config DB. If you use mirrored boot drives, it is even easier as you will be very unlikely to have both fail at once.
>
> You don't need UPNP for remote access to Plex. The Plex plugin has a different IP address than the NAS. It is effectively a virtual machine with a virtual interface. You can shut down and reboot the jail that contains Plex without having to reboot the NAS.
>
> Emby also runs in a jail and should also have a separate IP address.
>
> You should set up the system to take periodic snapshots of the data so you can roll back to a previous state if there is a problem.
>
> You don't need to forward anything to Plex. When you enable remote access on your Plex, you log in to the Plex website and it connects you to your media. The connection is made outbound from your local Plex to the Plex website and the Plex website negotiates the link to your remote call.

RAIDZ1

I have weekly snapshots set up for my personal data backups (backed up weekly). Not sure how often I'd want to set up snapshots for nearly 900+ movies. Granted, my movies folder doesn't change that dramatically (not like my personal data), but I'm not sure of the impact that snapshots will take on the system. I'll have to play with it a bit.

I was aware that they had different interfaces...but I hadn't thought through the ramifications. Thanks for pointing it out!

So it sounds like I no longer need to mess with UPNP. If that's the case, I can likely keep that disabled on my router.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> You don't need to forward anything to Plex
Yeah, you do, at least if you want to be able to access your server through plex.tv. If you're just going to VPN into your LAN, then maybe not.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
> Yeah, you do, at least if you want to be able to access your server through plex.tv. If you're just going to VPN into your LAN, then maybe not.
I didn't.

Sent from my SAMSUNG-SGH-I537 using Tapatalk
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
> but I'm not sure of the impact that snapshots will take on the system
Snapshots don't really have any impact unless the data changes. The changes, over time, will add up to take up more space, so you will want to delete old snapshots that you don't need any more. I recently purged some very old snapshots and cleared up a couple TB of space on my primary array.
 

slayer99199

Dabbler
Joined
Oct 5, 2017
Messages
17
> Snapshots don't really have any impact unless the data changes. The changes, over time, will add up to take up more space, so you will want to delete old snapshots that you don't need any more. I recently purged some very old snapshots and cleared up a couple TB of space on my primary array.

I'm thinking like a virtualization guy (which is what I do for a living), not a storage guy. Snapshots on a storage array, not so bad if you have a rotation. Snapshots as a virtualization guy...longer than a week, very bad.

I can probably get away with monthly on my media, weekly on my personal data backups.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
> I need to emulate a boot drive failure and restore from backup once everything is configured.
Trivial. Keep a current copy of your config any time you make changes. If your boot device fails, reinstall, upload your backed up config, reboot and you're right back where you were.

> You don't need to forward anything to Plex.
You do if you want remote access. That is unless you are running UPNP which is a huge security hole in and of itself.

@slayer99199 do yourself a favor and disable UPNP if you have it enabled and forward the remote access port to your plex jail's IP address if you want remote access. Having a single port open to your Plex jail does not directly expose the host machine to the internet.

Also do note that you only have 1 drive redundancy so if you lose more than one drive your data is gone.
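As an added example (not from the thread, and not DD-WRT's own code), a POSIX shell snippet in the spirit of the advice above for a DD-WRT router: it emits the two iptables rules that forward only TCP 32400 to the Plex jail, and audits an `iptables-save` dump for any DNAT rule (for instance one left behind by UPnP) that sends traffic anywhere else. The WAN interface name `vlan2`, the jail IP 192.168.1.50 and the sample dump are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT itself. Assumptions for the demo:
# WAN interface "vlan2" (common on DD-WRT), Plex jail at 192.168.1.50.

# Print the iptables commands for forwarding a single TCP port to one jail IP.
# Nothing else from the WAN is forwarded, so the FreeNAS host itself stays unreachable.
plex_forward_rules() {
    wan_if=$1 jail_ip=$2 port=$3
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$port" "$jail_ip" "$port"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$wan_if" "$jail_ip" "$port"
}

# Read `iptables-save` output on stdin and print every DNAT rule whose target is
# not the single allowed "ip:port". Returns 1 if any such rule exists. On DD-WRT a
# forgotten UPnP mapping shows up here as a DNAT rule in the "upnp" chain.
audit_dnat_rules() {
    allowed=$1
    bad=0
    while IFS= read -r line; do
        case "$line" in *'-j DNAT'*) ;; *) continue ;; esac
        dest=${line##*--to-destination }   # strip everything up to the target
        dest=${dest%% *}                   # drop any trailing options
        if [ "$dest" != "$allowed" ]; then
            printf '%s\n' "$line"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample of `iptables-save -t nat` output: the intended Plex forward
# plus a stale UPnP mapping to another LAN host.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:upnp - [0:0]
-A PREROUTING -i vlan2 -p tcp -m tcp --dport 32400 -j DNAT --to-destination 192.168.1.50:32400
-A PREROUTING -i vlan2 -j upnp
-A upnp -p tcp -m tcp --dport 48123 -j DNAT --to-destination 192.168.1.20:48123
COMMIT'

plex_forward_rules vlan2 192.168.1.50 32400
printf '%s\n' "$SAMPLE_NAT_DUMP" | audit_dnat_rules 192.168.1.50:32400 \
    || echo "WARNING: unexpected DNAT rules found (listed above)"
```

On the router itself, `iptables-save -t nat | audit_dnat_rules 192.168.1.50:32400` runs the same check against the live ruleset.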
 

slayer99199

Dabbler
Joined
Oct 5, 2017
Messages
17
> Trivial. Keep a current copy of your config any time you make changes. If your boot device fails, reinstall, upload your backed up config, reboot and you're right back where you were.
>
> You do if you want remote access. That is unless you are running UPNP which is a huge security hole in and of itself.
>
> @slayer99199 do yourself a favor and disable UPNP if you have it enabled and forward the remote access port to your plex jail's IP address if you want remote access. Having a single port open to your Plex jail does not directly expose the host machine to the internet.
>
> Also do note that you only have 1 drive redundancy so if you lose more than one drive your data is gone.

I only wanted to emulate a boot drive failure as I've never recovered a bad boot drive with FreeNAS and I want to understand the process. Part of being an IT geek. Part of the reason I'm testing this out for a couple weeks and making sure everything works as I expect before I put it into Home Production, wiping my old NAS and powering it down.

UPNP is disabled. I only enabled it when I was out of town with my previous setup (which I mitigated by only allowing certain MAC addresses in from the outside...sure, they could be spoofed, but they'd have to know what MACs I'm using). For this setup, I'll just do port forwarding from my router to the Plex jail interface.

As for 1 drive failure...I'm aware of the risks. I lost 1 HGST drive in 6 years of almost non-stop spinning on my old NAS array (in fact, other than SSD I have mostly HGST in my current PC and I haven't suffered a drive failure). I have all HGST in my FreeNAS array. The failure rates for HGST are very low. Losing 2 drives at the same time would be highly irregular. If I stay on top of my SMART tests, I'll mitigate the risks.

PC:
Boot - 1tb PNY SSD
2 x 3TB HGST RAID1 (Mirror) (MP3s, my Windows Profile drive, etc)
2 x 4TB HGST (running VMs)
1 x 6TB Toshiba Temp storage (VM data)

As a side note I lost 3 x 3TB Seagate drives I had in that RAID 1 array inside of 3 years. I'll never purchase another Seagate drive.
 
Last edited:

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
> I didn't.
>
> Sent from my SAMSUNG-SGH-I537 using Tapatalk
You guys should read up on how Plex works. You are both correct. In short, if Plex cannot make an inbound connection it will connect to the Plex server using an outbound connection and stream in "indirect" mode, which limits bandwidth but works. If you forward the correct port on your router it will directly connect and work fully.

Forwarding the port is the correct way to do it, but Plex has really made it idiot proof for some people that can't forward ports.
 

slayer99199

Dabbler
Joined
Oct 5, 2017
Messages
17
> You guys should read up on how Plex works. You are both correct. In short, if Plex cannot make an inbound connection it will connect to the Plex server using an outbound connection and stream in "indirect" mode, which limits bandwidth but works. If you forward the correct port on your router it will directly connect and work fully.
>
> Forwarding the port is the correct way to do it, but Plex has really made it idiot proof for some people that can't forward ports.

I've already configured port-forwarding on my router for Plex. I'm not sure if there's anything else I need to do to lock this down...I'm just nervous now having my NAS directly exposed to the internet (though I'm pretty diligent checking my security logs for inbounds on my router and Win box...I'll have to do the same with my FreeNAS).
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> I'm just nervous now having my NAS directly exposed to the internet
You don't. You have a minimal FreeBSD installation with Plex directly exposed to the Internet.
 

slayer99199

Dabbler
Joined
Oct 5, 2017
Messages
17
> You don't. You have a minimal FreeBSD installation with Plex directly exposed to the Internet.

Because it's in a jail.

So the question I have...isn't the storage that I have assigned to that jail exposed?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> isn't the storage that I have assigned to that jail exposed?
Potentially, yes. First, if an attacker bypasses Plex authentication, he'd be able to watch your media. Second, if a vulnerability in Plex allows an attacker to get full access within that jail, yes, anything attached to that jail is at risk--you may want to consider mounting the storage read-only to mitigate this risk (Plex shouldn't need to write there anyway). But in that case, you have an attacker who's already on your LAN, so you have other, potentially bigger, problems.
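As an added example (not from the thread), a POSIX shell check for the read-only suggestion above: it parses FreeBSD `mount` output and lists every nullfs mount attached to a jail that is still writable, so the change can be verified after it is made. The jail root path, dataset names and the sample `mount` lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Lists storage attached to a FreeNAS jail
# that is still writable. FreeBSD `mount` prints options in parentheses, with
# "read-only" for ro mounts, e.g.
#   /mnt/tank/media on /mnt/tank/jails/plex/media (nullfs, local, read-only)
# Jail root and dataset names below are assumptions for the demo.

# Print the mountpoint of every nullfs mount under jail root $1 that is not
# read-only. Reads `mount` output on stdin (pipe `mount` into it on the NAS).
# Returns 1 if a writable mount was found, 0 otherwise.
writable_jail_mounts() {
    jail_root=$1
    found=0
    while IFS= read -r line; do
        # nullfs is how the FreeNAS UI attaches host storage to a jail.
        case "$line" in *'(nullfs'*) ;; *) continue ;; esac
        # Line format is "<source> on <mountpoint> (<options>)"; field 3 is the mountpoint.
        set -- $line
        dst=$3
        case "$dst" in "$jail_root"/*) ;; *) continue ;; esac
        case "$line" in *'read-only'*) continue ;; esac
        printf '%s\n' "$dst"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Constructed sample of `mount` output: media attached read-write, photos
# read-only, and a third nullfs mount that belongs to a different jail.
SAMPLE_MOUNT_OUTPUT='freenas-boot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
tank/jails/plex on /mnt/tank/jails/plex (zfs, local, nfsv4acls)
/mnt/tank/media on /mnt/tank/jails/plex/media (nullfs, local)
/mnt/tank/photos on /mnt/tank/jails/plex/photos (nullfs, local, read-only)
/mnt/tank/tv on /mnt/tank/jails/emby/tv (nullfs, local)'

# Stand-alone run for the Plex jail; prints the writable mountpoint and a warning.
printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | writable_jail_mounts /mnt/tank/jails/plex \
    || echo "WARNING: writable storage attached to the jail (listed above)"
```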
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
> I've already configured port-forwarding on my router for Plex. I'm not sure if there's anything else I need to do to lock this down...I'm just nervous now having my NAS directly exposed to the internet (though I'm pretty diligent checking my security logs for inbounds on my router and Win box...I'll have to do the same with my FreeNAS).
I think you're getting way too worked up over nothing. You don't have a FreeNAS system that is directly exposed on the internet. It's just sitting there like every single other machine in your network. Have you done other stuff on your firewall? With DD-WRT you should basically have things as default as possible. All you do is forward a single port, and that can be anything you choose; the paranoid change it to something other than 32400.

So technically Plex authentication is exposed to the internet, and a single port in your jail. This is just what it takes to run Plex.
 

slayer99199

Dabbler
Joined
Oct 5, 2017
Messages
17
> I think you're getting way too worked up over nothing. You don't have a FreeNAS system that is directly exposed on the internet. It's just sitting there like every single other machine in your network. Have you done other stuff on your firewall? With DD-WRT you should basically have things as default as possible. All you do is forward a single port, and that can be anything you choose; the paranoid change it to something other than 32400.
>
> So technically Plex authentication is exposed to the internet, and a single port in your jail. This is just what it takes to run Plex.

It's as much about familiarity as it is paranoia. I played with FreeNAS on a VM for a few weeks...researched a lot before I decided to go with FreeNAS. I just have a lot to learn about FreeNAS. I ran it in a VM for testing (as well as a couple other open-source NAS programs). I've been doing as much research as I can to make sure I maintain the system so it lasts as long as my old QNAP TS-439.

That's why I came here for a sanity check. I want to learn from people that have more experience (and thank you all very much!) to do my best to ensure everything is rock solid and I'm not missing anything glaring.

I suppose I could lock down and make the media folder read-only from Plex. But I have to balance that action with usability as I often optimize my media for movies to watch while I'm on the road (so Plex would need write access)...because even when I pay for premium internet, it still sucks.
 
Last edited:

slayer99199

Dabbler
Joined
Oct 5, 2017
Messages
17
The other thing I pondered was upgrading my switch to one that supports LACP so I can do link aggregation. Then I thought about it and read some comments on the forums here.

Both my NICs are on the motherboard. The Rokus around the house max out at 100mb and my PC is 1GB...so I'll likely never need an aggregated 2GB (not to mention my drives wouldn't be that fast). It's not like I'm running fiber channel connections. Tbh, if I was really concerned with my network bandwidth, I'd go with Infiniband...because it's pretty cheap for 10G+. In regards to failover... if I drop a NIC on the mobo, I have more serious issues.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
> You guys should read up on how Plex works. You are both correct. In short, if Plex cannot make an inbound connection it will connect to the Plex server using an outbound connection and stream in "indirect" mode, which limits bandwidth but works. If you forward the correct port on your router it will directly connect and work fully.
>
> Forwarding the port is the correct way to do it, but Plex has really made it idiot proof for some people that can't forward ports.
I don't forward a port because I want to avoid the potential risk of exposure to the Internet. It is not worth the risk, to me.
I have a Plex life member pass, and it works well enough to satisfy me.

Sent from my SAMSUNG-SGH-I537 using Tapatalk
 

toadman

Guru
Joined
Jun 4, 2013
Messages
619
> I don't forward a port because I want to avoid the potential risk of exposure to the Internet. It is not worth the risk, to me.
> I have a Plex life member pass, and it works well enough to satisfy me.

Or one can set up a DMZ. Put the Plex server in the DMZ and forward the port without the issue of exposing the more secure internal LAN. I do that and set up another firewall for the internal LAN.
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
DMZ is what I use. I have “deployed” a few Plex servers for friends and family (great way of sharing video and photos without social media). And what I normally do is to put up a reverse proxy on a hardened BSD (or equivalent) server that sits in a DMZ, either locally or in a VPS.
 