networking help

Status
Not open for further replies.

toddp442

Cadet
Joined
Feb 3, 2015
Messages
6
First let me say that this is my first time posting on a forum so please forgive me if I have put this in the wrong section.
I have a freenas server using 2 NICs to allow me to run some traffic through a vpn on a router running dd-wrt on subnet 10.0.2.1 with my home network being 10.0.1.1 and all works fine however I would like to access 10.0.2.0 from 10.0.1.0 and over the past couple of weeks I have tried everything that I can find on the subject without success. I am not set on this configuration as all I really want to accomplish is to have my jails run through the vpn and still have access to them from my home network. A brief description of my setup, I have 6 Apple Airport Extremes wired to give me gigabit ethernet as well as excellent WiFi coverage throughout my home and property, configuration 10.0.1.1 subnet 255.255.255.0 plus 1 Linksys N600 running dd-wrt configured as 10.0.2.1 subnet 255.255.255.0. On the FreeNAS server I have 2 NICs with the default being connected to 10.0.2.1 to allow internet access for the jails with the second NIC being set to 10.0.1.20 to allow for full speed access on my local LAN, this setup also prevents my 2 FreeNAS boxes from talking to one another to share a UPS for example, this is my first time messing with servers of any kind so it may be that I just need some insight, I have read through the freenas user guide as well as reading posts in this forum and others with no success, any help would be greatly appreciated, as I said to start, I am not one to ask questions first expecting someone else to solve my problem for me but I have not been able to solve this one on my own.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Are all the 10.0.1.x NICs connected to a switch, and all the 10.0.2.x NICs connected to the Linksys? Is the default gateway on the FreeNAS servers set to the Linksys address (10.0.2.1)? Are the IPs of the NICs connected to the Linksys set by DHCP; if not what precisely are they? You mention two FreeNAS servers, what IP addresses does each have? From what you say they should easily be able to connect to each other by IP address, even if connection by hostname is going to be a bit of a problem.

The only reason for accessing 10.0.2.x from 10.0.1.x would seem to be if you have any machines connected only to the latter, and not the former, subnet. The machines on both subnets will just choose the right NIC for the relevant traffic. If you do want to connect the subnets then you need another machine to act as a router, but as I say only machines with their single NIC on the 10.0.1.x subnet would seem to need this.

An alternative might be to use only one subnet and bridge the two NICs in some way.

It is not clear what you are trying to achieve and what problem you are seeing.
 

toddp442

Cadet
Joined
Feb 3, 2015
Messages
6
my local LAN is on 10.0.1.0/24, 6 Airport Extreme routers 5 configured as bridges with WiFi running on 4 configured with same SSID and password, everything is configured with static IP's.
Linksys N600 running dd-wrt openVPN 10.0.2.0/24 LAN 10.0.2.1, WAN 10.0.1.7
freenas 1 default NIC 10.0.2.11 several jails also on 10.0.2.0 NIC 2 10.0.1.20
freenas 2 10.0.1.30

I have a WRT54G with dd-wrt and a machine with pf sense if I can leverage either to my advantage, the only thing on the 10.0.2.0/24 network is the single freenas box, I only want to be able to log into the webUI of the jails running on 10.0.2.0 from my local LAN 10.0.1.0 as I am able to log into both freenas boxes from my local network just not the jails without either connecting into the Linksys LAN or by having the WLAN on neither of which is convenient, I don't even care if they are on separate subnets although I don't know of any other way to separate the jail traffic to run through the OpenVPN without running all of my traffic through it.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Do the jails need to use the VPN? If so, then perhaps you need either to get the jails to use both NICs (no idea how) or use a router to specifically forward traffic from one subnet to the other, and put a fixed route to the router in all the other machines for the other subnet.

If the jails don't need to use the VPN, can you get them to bridge to the other FreeNAS NIC?

The clever networking people will probably tell us how you can use a single subnet for all your purposes including the VPN, but that is well beyond me.
 

toddp442

Cadet
Joined
Feb 3, 2015
Messages
6
I am open to any configuration that will allow me to separate some of the jails, ex. SABnzbd to run through a private VPN, I have tried many things, I first tried to set everything up in a single freenas box with 2 NICs but I want to use owncloud and Subsonic and not run them through the VPN which I managed to do but then ran into the problem that ownCloud and Subsonic had no internet access since they were not set to the default NIC and I was not able to find any way around that so that is why I added the second freenas (no downside), this also seems to prevent me from connecting them to the same UPS as master and slave, I would even be open to running a private VPN service from within freenas and only routing specific jails through it but I am nowhere near comfortable enough with bsd to have any idea how to do that and have found no help other than openVPN which is not what I am looking to do, I assume it could be done with a script as that is how it is being done in the router with DD_WRT but also beyond my abilities, I am just an auto mechanic who likes to tinker with computers and learn new things. As I said I can access both servers webUI and their content using CIFS shares and they can share files with one another on my local LAN 10.0.1.0 but I have to change to the other network to access the jails running on 10.0.2.0 and I have not been able to get them to share a single UPS since freenas 1 default NIC is on 10.0.2.11 and freenas 2 default NIC is on 10.0.1.20, I have also tried to set everything up on a single subnet but have been unable to insert the Linksys on the 10.0.1.0 network in any configuration that will allow traffic to pass through, I believe that may be due to the airport routers but I have such a large investment in them that it would be a hard pill to swallow to replace them right now.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
There must be lots of good ways to do this. A messy but possibly successful way is to set up a pfsense box with NICs on each subnet (perhaps using the Linksys as a switch for 10.0.2.*, or adding another switch if it does not have a spare ethernet port). Set up pfsense to forward from 10.0.1.0/24 to 10.0.2.0/24. On each 10.0.1.x box that needs to contact the jails or the NUT server set up a fixed route for 10.0.2.0/24 via the 10.0.1.x address of the pfsense box.
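
Added example, not part of the post above and not code from any forum member: a longest-prefix-match model of the routing tables in this thread, showing which first hop a 10.0.1.x PC and a 10.0.2.x jail pick before and after the fixed route is added. The pfSense addresses (10.0.1.254, 10.0.2.254), the PC (10.0.1.100), the jail (10.0.2.50) and the jail-side return route are assumptions made for illustration.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over (network, gateway) pairs; 'direct' means on-link."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in table
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Addresses taken from the thread.
AIRPORT = "10.0.1.1"       # default gateway of the home LAN
LINKSYS_LAN = "10.0.2.1"   # default gateway of the jails (VPN router)
# Constructed for this example (not from the thread).
PF_LAN1, PF_LAN2 = "10.0.1.254", "10.0.2.254"   # hypothetical pfSense NICs
PC, JAIL = "10.0.1.100", "10.0.2.50"            # hypothetical PC and jail

pc_before = [("10.0.1.0/24", "direct"), ("0.0.0.0/0", AIRPORT)]
jail_before = [("10.0.2.0/24", "direct"), ("0.0.0.0/0", LINKSYS_LAN)]
# Fixed route suggested in the post above, added on the PC.
pc_after = pc_before + [("10.0.2.0/24", PF_LAN1)]
# Assumed matching return route on the jail side (not stated in the post).
jail_after = jail_before + [("10.0.1.0/24", PF_LAN2)]

def round_trip(pc_table, jail_table):
    """Return (first hop PC -> jail, first hop jail -> PC)."""
    return next_hop(pc_table, JAIL), next_hop(jail_table, PC)

def symmetric(pc_table, jail_table):
    """True when both directions cross the same router (the pfSense box)."""
    return round_trip(pc_table, jail_table) == (PF_LAN1, PF_LAN2)

if __name__ == "__main__":
    for name, pc, jail in [("no fixed routes", pc_before, jail_before),
                           ("PC route only", pc_after, jail_before),
                           ("both routes", pc_after, jail_after)]:
        print(name, round_trip(pc, jail), "symmetric:", symmetric(pc, jail))
```

With only the PC-side route, requests cross pfSense but replies leave through the Linksys; asymmetric paths like that are commonly dropped by a stateful firewall or rewritten by NAT, so the return route matters as much as the forward one.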
 

toddp442

Cadet
Joined
Feb 3, 2015
Messages
6
rogerh, it seems like this would be an easy and straightforward thing to do but so far it has been anything but, as I have been thwarted in every attempt, my next effort will be to try the pfsense machine although I am still hoping that someone is able to give me a more streamlined approach, fingers crossed.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Let us know how you get on! There are some good networking people on this forum but they don't seem to have taken up your thread. You could try again with a more specific question - like 'how to bridge VPN connections' or something?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
@toddp442-

This is anything but "straight forward". You've got multiple gateways, multiple subnets, and you have to know how to set that all up. This is not a simple network in the slightest.

@rogerh-

The reason why those of us with experience have stayed away is because every "node" of the network is going to have different gateways and subnets that are exposed to it. So you literally have to know the exact layout and the exact "desired" values, and then set all that up properly. This is far beyond basic Q&A which a forum is good for. This requires a networking expert and someone that can physically touch the hardware and make sure it's all set up properly.

Bigger picture I'd wipe all those routers out and use wifi hotspots. That would make your network flat and easy to manage (like your typical home network). Right now you've got multiple layers that are a mess if you aren't experienced with them.
 

toddp442

Cadet
Joined
Feb 3, 2015
Messages
6
@cyberjock-

maybe I don't quite understand but my network doesn't seem that complicated, the Airport routers "are configured as hotspots", main router 10.0.1.1 the rest are bridged on the same subnet as switches/AP's then I am running a Linksys with DD-WRT from a LAN port on an 8 port switch on the 10.0.1.0/24 network configured with WAN 10.0.1.7 and LAN 10.0.2.1/24 with a single LAN connection going to a freenas box 10.0.2.12 with 4 jails running in the freenas box also with 10.0.2.0/24 IP's, all that I want to be able to do is log into the web GUI's of the 4 jails from within my local LAN only, from a pc on 10.0.1.0/24, I would think that I could simply do it from within freenas itself since it has a connection to both subnets already. I have access from 10.0.2.0 > 10.0.1.0 just not from 10.0.1.0 > 10.0.2.0? I even managed to finally get them to work on a single UPS as master and slave.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
So you only have one connection to the Internet (via an unspecified router, ??? one of the airports) and that provides a NATed connection to the 10.0.1.0 subnet. The Linksys just uses 10.0.1.7 as its WAN connection which is NATed automatically to the outside world? Maybe it doesn't need to do incoming connections or is the relevant port forwarded to 10.0.1.7?

In that case, I agree, it is not at all complicated,[1] the only complication arising from one of the Freenas servers only having 10.0.2.0 addresses so that it can use the VPN. Can't you just use a second NIC on this box connected to the other subnet? Or find some way to get the Linksys router to accept 10.0.1.0 addresses on its input *and* output, maybe using ARP or something?

Edit: I see you do have two NICs on the FreeNAS server, can't you just use this machine as the NUT slave and tell it to listen to the other server's 10.0.1.x IP so it will automatically use the right NIC?

[1] Having 6 WiFi access points may be confusing people, but really (as you know) it is no more complicated than having two. Though you must have a very difficult house RF-wise! Do the airports co-operate to share channels or synchronise their radio activities, otherwise you'd think they would interfere with each other?
 

toddp442

Cadet
Joined
Feb 3, 2015
Messages
6
Yes, my main airport is directly connected to my Verizon fios ONT's Ethernet connection, with its address being 10.0.1.1/24 with the Linksys' WAN 10.0.1.7 set as a default host, the entire network is hard wired with static IPs for everything, I only have the Wifi enabled on 4 of the 6, all configured with the same SSID and Password a feature that is native to the airports and 1 of few with dual 2.4/5.0 ghz radios when I bought the first one in 2007 (large screen enclosure with pool and a steel workshop on large property with poor cell coverage, so Wifi calling across the property is the main goal) then I have the 2 freenas servers, server one does have 2 NICs configured as 10.0.1.20/10.0.2.11 freenas 2 has 1 NIC configured as 10.0.1.30 the only connection the Linksys has is to freenas 1, for now I have just turned on the Wifi in the Linksys and connect to the jails that way, I can log into freenas 1 just not the jails web GUIs except from outside my Local network ironically, which I put on the other subnet to run through a VPN client on the Linksys with DD-WRT since that was the only way that I knew how to, without running all of my traffic through the VPN and with a 75/75 internet connection that was not very appealing, with freenas 1 having 2 NICs each being connected to one of the subnets I didn't think this would be so difficult seeing how that the jails have 2 way access to the internet, as much as I appreciate the feedback and help and hope for a solution, I would prefer to read and really understand my problem and possible solutions but I have not been able to find much of anything of any help for my application, compounded by the fact that I can not create a static route in the airport, I can say that I absolutely intend to really dive into learning more about freenas and BSD in general since I have been wanting to run my own server and cloud service for quite some time now but it is not something that I am going to be able to pick up overnight,
because it seems to me that I could probably do what I want from within freenas itself without the Linksys.
I also managed to get the other machine as a NUT slave by making freenas 1 the master?
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
You seem to be making progress. I wish you success with further optimisation!
 