Need advice on setup between remote FreeNAS boxes.

Status
Not open for further replies.

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Hey Folks,

I have built my second FreeNAS server that I will be putting in my brother's house as a backup server and would like some suggestions on how best to achieve a fully automated backup process using Rsync or some other method. The new box uses a SM motherboard, 8GB ECC RAM, and 3x3TB RAIDZ pool. I know the pool configuration isn't optimal but I'll work on that later as I get more money or replace my current drives.
Initially I wanted to put a pfSense box in his place and configure a static VPN with my pfSense box between the two locations but the funds don't allow for this at the moment. I have seen posts about using OpenVPN on FreeNAS and was wondering if I could configure it on both machines and forward ports on either end to allow Rsync to do its job nightly. Are there any problems with this arrangement? I'm not happy about having to forward ports, especially to a server, so some suggestions would be great.

Thanks!
 

Michael Wulff Nielsen

Contributor
Joined
Oct 3, 2013
Messages
182
ZFS has the ability to transmit snapshots. Check out the docs. :)
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Yeah, I have looked into the snapshot / replication thing.. and it is definitely something I would like to try, but I was a little more interested in the security aspect of connecting two FreeNAS boxes using OpenVPN on both boxes with port forwarding. My personal preference would be a permanent VPN tunnel between two pfSense boxes that the FreeNAS boxes knew nothing about for security reasons, but funds don't really allow for that at the moment. So in order to get a decent backup configuration I am forced to review other alternatives. I really don't like the idea of forwarding ports to a file server and was hoping someone could weigh in on the matter. Please excuse coherency issues due to Christmas rum.

Thanks!
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Nobody?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I assume by "port forwards" we are talking a NAT environment?

Anyways, the controlling question there would be if the Internet facing interfaces of the NAT devices had a static address, and just how competent the NAT devices are.
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Dynamic on both ends. One end is pfSense and the other is a generic crappy ISP provided box. FreeNAS has a Dynamic DNS option so I was thinking that this would be the easiest way on the ISP provided box end. pfSense has the ability to update no-ip or dyndns so I can use it there.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Then you cannot rely on restricting the IP addresses on the endpoints; generally that in combination with other precautions results in an extremely safe setup.

You can probably use the crummy ISP box side to initiate connections and implement some inbound restrictions on the pfSense (possibly including port knocking or similar). Ask the crummy ISP what the candidate DHCP IP ranges are, and have pfSense only allow those. Then you STILL configure ssh on the FreeNAS systems as though they were exposed on the public Internet, even though your pfSense is protecting against any connections from more than 99% of the net... It saves you from the Asian scripter attacks nicely.
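
The two layers described in the post above, as an added example that is not part of the original thread: a source-address allowlist for the ISP's DHCP pools, and an audit that an sshd_config still meets an Internet-facing baseline on its own. The address ranges, the sample config and the choice of baseline keywords are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes stand in for the ISP's
# DHCP pools, which the thread does not list.
ISP_DHCP_RANGES = ["198.51.100.0/24", "203.0.113.0/25"]
# Assumed baseline for an sshd treated as Internet-facing (this example's choice).
REQUIRED = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}

def source_allowed(ip, ranges=ISP_DHCP_RANGES):
    """Layer 1: firewall-style check, only the ISP's pools may connect."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def audit_sshd(config_text):
    """Layer 2: list of findings; empty means the baseline is met."""
    seen, findings, in_match = {}, [], False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":          # later lines apply only conditionally
            in_match = True
        elif key in REQUIRED and in_match:
            if value not in REQUIRED[key]:
                findings.append(f"Match block weakens {key}: {value}")
        elif key in REQUIRED and key not in seen:
            seen[key] = value       # sshd keeps the first value it reads
    for key, ok in REQUIRED.items():
        if key not in seen:
            findings.append(f"{key} not set explicitly")
        elif seen[key] not in ok:
            findings.append(f"{key} is {seen[key]}")
    return findings

# Constructed sshd_config: the second PasswordAuthentication line is ignored,
# but the Match block re-enables passwords for one network.
SAMPLE = """PermitRootLogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print(source_allowed("198.51.100.77"), audit_sshd(SAMPLE))
```

An address passing the allowlist says nothing about the sshd behind it, which is why the audit runs independently of the first check.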
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Okay, awesome. I use pfBlocker on my side to deny basically everything except North America and Western Europe to start with. I assume I will still need to configure dyndns type pointers on both ends to update the IP addresses. Would it be best to use OpenVPN between the two FreeNAS boxes and then use rsync over SSH on top of that or will rsync over SSH be enough for these purposes?
You mentioned that the crappy ISP box side would initiate connections, but the pfSense side is the push side. How would the configuration you suggested work in this situation?
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
Just wanted to share my success with everyone. I was able to set up the remote FreeNAS box as an OpenVPN client and connect it back to my pfSense box at home which is running OpenVPN as a server. I am now able to manage the remote box via web GUI, SSH, and Rsync across the VPN tunnel as if it were right in front of me. The best part is that because OpenVPN is running as a client on the remote box no port forwarding is required on that end (I don't trust the crappy ISP supplied router). All I need is one open port on my end for the OpenVPN server on the pfSense box. I'm quite happy with this configuration because I have Snort set up on my pfSense box as an IDS/IPS so I don't have to worry about ports being open to any file servers. I might write up a guide if there is any interest in the setup. It was pretty simple and very effective. The only gotcha is the dynamic IP on both ends but the Dynamic DNS functions within pfSense mean that if my IPs change the setup can reconnect with only a momentary drop in the tunnel.

It all worked out really well because I just built the remote box out of spare parts I had lying around and didn't really have to buy all that much for it. Yes, I have spare ECC RAM and 3TB hard drives.. what of it?
 

mpfusion

Contributor
Joined
Jan 6, 2014
Messages
198
I was able to set up the remote FreeNAS box as an OpenVPN client […] I might write up a guide if there is any interest in the setup. It was pretty simple and very effective.

I'd be interested in an OpenVPN client guide.
 

KMR

Contributor
Joined
Dec 3, 2012
Messages
199
If you are using pfSense it is pretty easy.
 