GUI *not* accessible without default gateway!

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Hello,

My NAS is connected via three VLANs (A, B, C): one on interface-1 (1G) and two on the second one (10G). The GUI is defined as '0000' (accessible from all subnets/VLANs). All VLANs have a DHCP server and are using a different subnet (IPv4 and IPv6). The DHCP server is supplying the subnet GW.

My PC is on VLAN-D. All VLANs are interconnected via a router (pfSense).

The problem: Without a default gateway defined, I cannot access the NAS ☹ ☹

I tried to find the cause of the problem:
  • If I define a standard gateway, then it works somehow. That is to say, the GUI-access queries are entering the NAS via the subnet related to the IP address, but the NAS sends the answer back via the VLAN as determined by the default gateway address (not strange given it is the default gateway, but nevertheless that is not at all OK!)
  • The NAS should return the answers via the involved VLAN! But it does not! Probably not, because it is not aware of a / the VLAN gateway, hummmm. Note that there is no GUI option to enter the gateway IPs (IPv4 and IPv6) on VLAN level
  • And you can, quite stupidly, only define DHCP on one interface!!!!???? ☹
    (Note that normally the DHCP server provides the GW address)
  • The network summary screen does not show gateways for the VLANs (in line with my verdict)
  • If you are locked out due to lack of GW, the only option left to access the NAS is having the PC in one of the NAS's VLANs
    (which in an advanced network is normally not the case)!
Apart from “not having GUI access”, the described traffic flow is asymmetric (different in and out path), so traffic should flow via the 10G, but is “diverted” via the 1G. And the FW is seeing asymmetric routing and tends to block that traffic!!

So, there should NOT be a default gateway. All VLANs should have their own default gateway used for both incoming and outgoing traffic. In and out data should flow through the same VLAN :)

So, the big question is how to achieve this!

Sincerely,
Louis
 
Joined
Dec 29, 2014
Messages
1,135
This sounds like a routing/source interface issue. Unless you configure it to do something else, FreeNAS's GUI will be available from all IP addresses. If you want to access it without some sort of routing, you need to access the IP on the network to which the client is directly connected. You mentioned pfSense, so I am assuming that is your inter-VLAN routing device. As a rule, firewalls are not the best choice to do inter-VLAN routing. It isn't clear to me whether you are talking about the lack of a default gateway on the GUI client machine, or on the FreeNAS itself. Would you please clarify? Also, please include the hardware config and software version of your FreeNAS.
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Yes,

It is a routing issue. The GUI is, 'apart from the routing', accessible from all IP addresses.

The probably missing VLAN gateways are at the FreeNAS side. FreeNAS only seems to be aware of the default gateway :(

Will try to give extra explanation:
- default gateway at 192.168.a.1 (needed, otherwise there is no response coming back from the NAS at all :( )
- VLAN-A, 192.168.a.0/24 gateway 192.168.a.1, NAS at 192.168.a.2
- VLAN-B, 192.168.b.0/24 gateway 192.168.b.1, NAS at 192.168.b.2
- VLAN-C, 192.168.c.0/24 gateway 192.168.c.1, NAS at 192.168.c.2

PC on VLAN-D 192.168.d.0/24 gateway 192.168.d.1, NAS at 192.168.d.99

On the PC I type "http://192.168.b.2" ==> GUI appears, however:
- request was sent via VLAN-B, answer is coming via VLAN-A
- etc.


If the TCP streams coming back from 192.168.a.2 (NAS) on VLAN-A via 192.168.a.2 (VLAN-A GW) arrive at pfSense, it will route them to the pfSense PC-LAN GW (with FW-rule warnings). From there it arrives at the PC, however:
- towards NAS: PC -> PC-LAN (D) => pfSense ==> NAS VLAN-B ==> NAS
- back from NAS: NAS -> NAS VLAN-A => pfSense => PC VLAN-D ==> PC
….. NOT OK ….

Response should be sent via the same VLAN as the request was sent (via VLAN-B). To make that happen, FreeNAS should understand that VLAN B has its gateway at 192.168.b.1 (and the default gateway should not be necessary!!)

For information, I did use pings, Wireshark and pfSense logging to analyse the behaviour, and this is definitely what happens!

Related to HW and SW:
- SW: Very latest FreeNAS-11.2-U5 (for info: pfSense 2.4.4-RELEASE-p3)
- HW: Intel(R) Pentium(R) CPU G4560 @ 3.50GHz (4 cores) 16GB RAM 16 TB disk in total

Sincerely,


Louis
 
Joined
Dec 29, 2014
Messages
1,135
What does the config look like in System -> General? Is the WebGUI only bound to a single IP address? If so, I would consider it correct from a networking perspective that it responds back from that interface. Even if you sent the request to VLAN b and it responded to the initiator on VLAN d, that would probably still not work. The reason for that is the conversation passed through your pfSense firewall. When the firewall doesn't see the whole conversation, it will send a TCP reset to both sides of the connection. If you haven't changed the WebGUI bindings, I would expect the GUI to work if you attempted to reach 192.168.d.99. You can't draw much of a conclusion from pings as ICMP is not connection oriented, but TCP is.
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Hi,

At this moment I do not have GUI access limited in any way. WebGUI IPv4 0.0.0.0, IPv6 :: Wide open!

Related to the firewall, you are right saying that the FW does not like asymmetric routing (and I do not like it as well :) ). Asymmetric routing will probably be rejected, with or without sending a reject.

Note however that in the wireshark traces, I see:
- absolutely nothing(!) on any(!) VLAN if there is no default gateway defined .... urrhh
- and with one defined, I did not see that traffic was rejected. I just see TCP packets and retransmissions
- forget the pings, even they are not answered if there is no default gateway
- of course I see TCP:S blockings on the FW :(

From the Network summary I can see that:
- all VLANs have an IPv4 and an IPv6 address assigned (I did define static addresses), because I prefer that for a "server", but also because DHCP is only supported on one interface
- and I see the default routes I defined, given "not working" without them (IPv4 and IPv6, I took the GW of the 10G path, so that at least the high speed path is symmetric)
- I do not see other default routes here (do not know if I should see the VLAN gateways there)
- I also see the DNS address there. But what I normally do is 'saying via DHCP' DNS, NTP, DHCP should all be asked via the (VLAN) GW / are all provided by the router.

Louis
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Sorry, the TCP packets and retransmissions I see if there is no default gateway defined :)
 
Joined
Dec 29, 2014
Messages
1,135
Let's start with something more basic. Does the GUI work for the client on VLAN d if you access the VLAN d IP address of the FreeNAS?
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Yep. of course!

NAS and 'PC' can reach each other directly.

That is also the way I reached the NAS after I removed the default gateway :)

I have a managed switch here, from which I can 'place' my PC on every VLAN I like (for testing).

Louis
 
Joined
Dec 29, 2014
Messages
1,135
IP forwarding (routing) is off by default in FreeNAS/FreeBSD. Perhaps that has something to do with it. I have a similar situation here (FreeNAS has the same last octet on 3 different VLANs), and I manage it via the closest IP interface. I even have my DNS configured to resolve the name differently depending on the IP on the client machine. I don't understand why managing it that way is a problem. I have had the same experience of having to manage a device by the closest IP interface with firewalls as well.
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Elliot,

Be aware that not only the GUI traffic is routed wrong, but, even more severe, also the data streams related to whatever services FreeNAS provides!

Louis
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey Louis,

You can keep working this one with Elliot or you can do something different... Because your problem is routing and you have pfSense in front of the NAS, you can use NAT to avoid the need to route at all in the FreeNAS box.

What you need is to create an outgoing NAT rule that will say: anything going out via the interface facing FreeNAS is to be NATed using pfSense's interface address. You do that for each of the 3 VLANs you mentioned.

Once done, your requests will leave your computer toward FreeNAS, no matter which IP you used. pfSense will route it and will replace the source with one that is in the same subnet as the FreeNAS destination. When FreeNAS replies, it will reply to that address, for which it does not need routing and can reach directly from that same interface. pfSense reverses the NAT and gives you the reply packet back.

This is kind of a band-aid solution, but it would be straightforward and will work.

Good luck fixing your problem,
 
Joined
Dec 29, 2014
Messages
1,135
Overall I have to say that I don't fully understand what you are trying to accomplish. If you want everything to flow through a single IP address, why have multiple IP interfaces? Not to belabor the point, but firewalls make bad inter-VLAN routing devices if you are trying to achieve fairly open communication. So back to the original question. Why all the different interfaces?
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
A short reaction

VLANs are there to separate data streams, for security reasons or to use another physical path (e.g. a data and a management network).

Of course I could combine the VLANs using NAT, but then I would simply join the on-purpose separated VLANs. So in that case it would be even simpler not to use VLANs at all.

Perhaps strange, but ..... IMHO this functionality should work! It is 'a bit strange' that FreeNAS offers a VLAN option, but does not handle them correctly.

And for information, I did decide to separate management, low-speed data and high-speed data paths via three VLANs.

Sincerely,


Louis
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey Louis,

Doing NAT will not defeat security at all...

Your traffic remains separated by the firewall and nothing can cross from one VLAN to another without being approved by the firewall.

To do routing on a host is not good practice. Usually, you do that on layer 3 switches. In these switches, you put very simple policies saying which VLAN can be routed to which other, or you can do VRF which will deploy a virtual IP stack per VLAN and so no routing will be possible at all between them.

To do Enterprise-class network segmentation, you need the proper Enterprise-class gear. And even in Enterprise, you do not do routing on hosts...
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Heracles,


You know more about networks than I do. So I must think about this.

However IMHO, FreeNAS is offering Level-2 VLAN support. Very logical for a NAS …. IMHO.
And that should simply work !!!!

I know there are more advanced options like VRFs, but then you need more advanced switches and knowledge.
And your equipment should support it.

My network is an advanced home network. Having low end professional switches. I have two core switches
- my old switch, a Zyxel 1920, which I use for: mngt. 1G-network and fall-back
- my new switch, a Mikrotik CRS317 as 10G core
- some small 5 and 8 port Netgear managed switches

My actual network is built with level-2 VLANs. All switches and pfSense support that (!) and …… FreeNAS is supposed to support them as well.

There are more advanced options like MPLS, VRFs (level-3 VLANs) etc. I know. However:
- apart from the CRS317, my boxes (including FreeNAS) do not support VRFs etc.
- I would like to keep the GS1920 as fall-back core, next to the CRS317. So, I prefer to have separate / redundant physical connections, in a couple of cases;
- I do not have any experience with network protocols like MPLS, VRFs etc. (yet).

There are a couple of reasons for me to build this network:
- For functionality (lots of access points of different kinds, with the wish to have fast access between a couple of devices)
- For Security !
- To learn / hobby

For my purpose Level2 separation, should be good enough!

Sincerely,



Louis
 
Joined
Dec 29, 2014
Messages
1,135
I think it would be helpful to go back and describe in general terms (without VLAN/technical specifics, etc.) what it is you are trying to accomplish. I am sure there is a way to make it happen, but I can't tell you how without trying to understand what you are trying to accomplish.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey Louis,

There is one important thing that you must understand here : VLANs are layer 2 and your routing problem is Layer 3. As such, nothing here about VLANs...

Your VLANs are doing their job at layer 2. You got your routing wrong at layer 3. Either you fix your routing at layer 3 or you remove your divisions at layer 2. But for sure, if you try to fix your layer 3 problems by working stuff at layer 2, you will suffer a long time...
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Hi,

I agree that routing is level-3. But it is, should be IMHO connected.

For example:
- if you tell FreeNAS that it should listen for GUI on address a.b.c.d then, I at least would expect, that it is listening to the VLAN with the corresponding VLAN.
- same for SMB, iSCSI etc

If I compare with pfSense
- you have a ethernet port or a lag
- bind a VLAN to that ethernet-port/lag
- bind a gateway to that VLAN
- assign a IPV4 and an IPV6 range to that GW
That is all logical to me

I would expect the same structure for FreeNAS:
- VLAN (= Gateway)
- bind application to one or more gateways
- send the answers back to that particular GW (that is not normal routing I know, but it is what I would like to happen !!!!)

Perhaps I am wrong, but if so, is there any relation between
- a FreeNAS application: SMB, GUI, iSCSI etc.
- and a VLAN
- so what is the purpose of a VLAN in this context?


Louis
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
PS

I think that if you want to have the guarantee that traffic incoming via a certain VLAN is also returning via that VLAN, you need a separate route key per VLAN.
No idea what FreeNAS is doing in this regard.

Louis
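The asymmetric in/out path Louis traced earlier, the "separate route key per VLAN" he asks about in this PS, and the outbound-NAT workaround Heracles suggested, as an added example that is not part of the thread and not FreeNAS or pfSense code: a small Python model of which interface the NAS answers from. All addresses are constructed (the thread's a/b/c/d subnets become 192.168.10/20/30/40), and the `per_vlan_routing` mode is an assumed policy rule keyed on the ingress interface, not a FreeNAS feature.

```python
"""Model of the reply path discussed in the thread: a multi-homed NAS with
one default route answers off-subnet clients via the default gateway's VLAN,
not the VLAN the request arrived on. All addresses are constructed."""
import ipaddress

# NAS addresses, following the thread's 192.168.x.2 scheme (a/b/c -> 10/20/30)
NAS_IFACES = {
    "vlanA": ipaddress.ip_interface("192.168.10.2/24"),
    "vlanB": ipaddress.ip_interface("192.168.20.2/24"),
    "vlanC": ipaddress.ip_interface("192.168.30.2/24"),
}
# pfSense is .1 on every VLAN; the single default route points at vlanA's .1
GATEWAYS = {n: str(i.network.network_address + 1) for n, i in NAS_IFACES.items()}
DEFAULT_ROUTE_IFACE = "vlanA"

def ingress_iface(target_ip):
    """Interface that owns the NAS address the client connected to."""
    target = ipaddress.ip_address(target_ip)
    return next(n for n, i in NAS_IFACES.items() if i.ip == target)

def egress_iface(client_ip, ingress, per_vlan_routing=False):
    """Interface the NAS sends its reply out of.
    per_vlan_routing=False: ordinary host routing (connected routes + one default).
    per_vlan_routing=True: assumed policy rule keyed on the ingress interface,
    i.e. the 'separate route key per VLAN' from the thread."""
    client = ipaddress.ip_address(client_ip)
    for name, iface in NAS_IFACES.items():   # connected route always wins
        if client in iface.network:
            return name
    if per_vlan_routing:                      # reply via the ingress VLAN's gateway
        return ingress
    return DEFAULT_ROUTE_IFACE                # only remaining route: the default

def reply_path(client_ip, target_ip, per_vlan_routing=False, outbound_nat=False):
    """Return (ingress, egress, symmetric) for one client -> NAS request."""
    ingress = ingress_iface(target_ip)
    if outbound_nat:
        # NAT workaround: pfSense rewrites the source to its own address in the
        # NAS's subnet, so the reply destination is on-link and needs no route.
        client_ip = GATEWAYS[ingress]
    egress = egress_iface(client_ip, ingress, per_vlan_routing)
    return ingress, egress, ingress == egress

if __name__ == "__main__":
    # PC on VLAN-D (192.168.40.0/24) opening the GUI on the NAS's VLAN-B address
    for opts in ({}, {"per_vlan_routing": True}, {"outbound_nat": True}):
        print(opts or "default route only", reply_path("192.168.40.50", "192.168.20.2", **opts))
```

With only the default route the request enters on vlanB and the reply leaves on vlanA, which is exactly the flow pfSense flags as asymmetric; both the per-ingress rule and the NAT rewrite make the two interfaces match.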
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi again Louis.

iSCSI is a million times better done peer-to-peer, so no routing at all. So no comparison here.

pfSense is Layer 3 only. As such, it uses VLANs only to create virtual independent Layer 3 interfaces on top of a single physical link. But once all of these interfaces are reached, they all merge in the same routing engine. Because a firewall like pfSense is meant to be a router, again, no comparison possible here.

Because you really want to keep your mess in place, let's try to figure out everything...

In your next post, please do something like this :

FreeNAS :
3 physical NIC
Nic 1 = VLAN-1 = IP.ADD.RE.SS1
Nic 2 = VLAN-2 = IP.ADD.RE.SS2
Nic 3 = VLAN-3 = IP.ADD.RE.SS3

PfSense :
Do the same...

Your computer :
Do the same

This will give us the inventory of your layer 2 zones.

Next, we need the inventory of your services :
Web Management : To be provided on Nic2 and reachable only from VLAN-X
SMB : To be provided on Nic 3 and to be reachable from everywhere
...
...

Let see if we can figure out the problem and solution from that...
 