Setting up FreeNAS box and Jails without a router - prerequisites

Status
Not open for further replies.

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
Hello all,

I'm more than a beginner when we cross the lines of simple home networking, so please excuse my French in advance.

I'll have to move my FreeNAS box out of my home into our corporate server room as I can't manage heat and noise levels the way I (to be read "my wife") wish. Due to security concerns, the box will only receive a single external IP setting, directly attached to one of my NICs. I also have some Jails that are running and I would like to continue having access to them after I move the box to the new location. Currently the NAS and the Jails, with all other devices at home, are sharing a single network. So my questions would be like:

- What do I have to consider in the first place regarding network configuration of the FreeNAS box itself?
- What would I probably have to change in my Jail network configs so that I can reach them from outside?
- Anything else?

I know the most suitable answer to all of the above would sound like "Well, why don't you let your local admin guys handle this?" and that would be just great, but since they are doing me a big favor I would like to come at least a little more prepared. That's why I'm turning to you, as any advice will be highly appreciated!

Thanks,
Andy
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
Are you asking how to access your FreeNAS over the public internet? If so, this is strongly discouraged, and people who seem to know what they're talking about always say "use a VPN".
 

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
Hello Robert,

The NAS will still be behind a firewall allowing only the 3-4 ports I need for things like Plex, Transmission and ownCloud. This is pretty much the same security configuration as I have right now, and perhaps in the end it will be even better, as additionally I would be able to SSH only from my home IP (with no direct root access + SSH key authentication) and everything else within the NAS would be reachable only through the OpenVPN Jail. So me personally I don't feel that insecure about doing all this. The whole idea behind all this is that I'll have another small traditional NAS at home which will rsync whatever I need to my current NAS in the server room.

My questions would be like how should I config my Jails and FreeNAS to work together without being behind a DHCP server and any other suggestions/recommendations that could fit in the above described scenario. :)
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
Sorry, I'm not clear what it is you need to know that anyone can help with who doesn't know how your corporate network is configured. I mean, for starters, why is there no DHCP server?
 

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
Sorry, I'm also not clear why my corporate network configuration should be in the middle of this. I take this just as simple case scenario that could theoretically happen everywhere else.

I also don't think I would need DHCP server to configure one single host.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
> Sorry, I'm also not clear why my corporate network configuration should be in the middle of this. I take this just as simple case scenario that could theoretically happen everywhere else.
>
> I also don't think I would need DHCP server to configure one single host.

Jails aren't just one single host. Each jail needs an IP address.
 

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
True. Thanks for correcting me. I like to put static IP for my Jails, so that's why I made a mistake by saying I need DHCP only for one host.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
> True. Thanks for correcting me. I like to put static IP for my Jails, so that's why I made a mistake by saying I need DHCP only for one host.

But each jail still needs an IP. If you only have one IP available for your server, I don't see how this will work. Furthermore, I don't understand what NAS features you're actually going to be using across a WAN link. What is the NAS to be used for?
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
If this were me, I would put a small router (pfSense or Ubiquiti EdgeRouter Lite) on that single connection, assign the IP address to the router and set up a VPN. Then configure the FreeNAS behind the router.
 

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
> But each jail still needs an IP.

Each Jail needs an internal IP

> If you only have one IP available for your server, I don't see how this will work.

Where's the difference? You will most probably always have one external IP which the internal (Jail) IPs are using via certain firewall and port forwarding rules.

> Furthermore, I don't understand what NAS features you're actually going to be using across a WAN link. What is the NAS to be used for?

Like I said earlier: ownCloud and Plex services + rsync in the near future.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
Will your company give you multiple internal IP addresses? What is the boundary for internal and external? My assumption is it is your corporate router/firewall.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
> Each Jail needs an internal IP
>
> Where's the difference? You will most probably always have one external IP which the internal (Jail) IPs are using via certain firewall and port forwarding rules.
>
> Like I said earlier: ownCloud and Plex services + rsync in the near future.

What do you mean, what's the difference?

You need a NAT device to handle converting one IP to a private subnet. In a home setting, you have a 'router' that handles that function and puts your server and all jails behind your external IP address. In a private space.

What you have described is that you're getting one internal IP (?) from your company, and you want to run multiple devices (jails) on this one IP. Am I mistaken in this assumption? Because that is literally what we are talking about right now.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
As depasseg mentioned, and pirateghost elaborated on, the single connection should be assigned to a VM running pfSense or another router OS, which provides the necessary routing for NAT. If NAT is not going to be performed via the corporate firewall and router, you're going to either need a physical hardware router to perform NAT for the NAS box, or you'll need to run a router OS within a VM.
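
The NAT-plus-port-forward layout discussed in this thread, written as a plain `pf.conf` for a FreeBSD-based router sitting on the single external IP. This is an added example, not configuration posted by anyone in the thread and not what the pfSense GUI generates; the interface names, addresses, jail assignments and service ports (defaults for Plex, HTTPS, Transmission and OpenVPN) are assumptions.

```pf
# Constructed example: every name, address and port below is an assumption.
ext_if  = "em0"               # NIC holding the single external IP
int_if  = "em1"               # NIC facing the FreeNAS host and its jails
lan_net = "10.10.10.0/24"     # private subnet behind the router
home_ip = "198.51.100.25"     # placeholder for the admin's home address

nas        = "10.10.10.10"    # FreeNAS host
plex_jail  = "10.10.10.21"
cloud_jail = "10.10.10.22"    # ownCloud
tx_jail    = "10.10.10.23"    # Transmission
vpn_jail   = "10.10.10.24"    # OpenVPN

set skip on lo0
scrub in all

# Outbound NAT: the NAS and every jail share the one external address.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Inbound port forwards, one per published service.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 32400 -> $plex_jail
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $cloud_jail
rdr on $ext_if inet proto { tcp, udp } from any to ($ext_if) port 51413 -> $tx_jail
rdr on $ext_if inet proto udp from any to ($ext_if) port 1194 -> $vpn_jail
# SSH is forwarded only when the source is the home address.
rdr on $ext_if inet proto tcp from $home_ip to ($ext_if) port 22 -> $nas

# Default deny on the external side; the LAN may initiate anything.
block in log on $ext_if all
pass out on $ext_if keep state
pass in on $int_if from $lan_net to any keep state

# rdr runs before filtering, so these rules match the internal destination.
pass in on $ext_if inet proto tcp from any to $plex_jail port 32400 keep state
pass in on $ext_if inet proto tcp from any to $cloud_jail port 443 keep state
pass in on $ext_if inet proto { tcp, udp } from any to $tx_jail port 51413 keep state
pass in on $ext_if inet proto udp from any to $vpn_jail port 1194 keep state
pass in on $ext_if inet proto tcp from $home_ip to $nas port 22 keep state
```

The FreeNAS web UI and file-sharing ports are deliberately absent from the forwards, so they stay reachable only from the private subnet or through the VPN jail.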
 

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
Thank you all for your answers and solutions!

Please allow me to ask just one final question: in order to make things easier (hopefully), we are considering having one NIC connected to an internal network with a router but under restricted internet access, and the second NIC set up just with the external IP and internet connectivity. In such a scenario, could we then just configure the firewall to use the second NIC as the preferred network source for the jails and the NAS as well?

Thanks in advance!
 