Strange FreeNAS PPPOE interaction and How to disable internet connectivity?

Status
Not open for further replies.

richh1833

Cadet
Joined
May 30, 2017
Messages
9
Hi everyone. New to FreeNAS. I've gotten my FreeNAS up and running; however, I've run into a strange issue. While I was switching ports on my NTD to speedtest my ISPs I switched from Dynamic IP to PPPOE on my router. While I was on PPPOE I wasn't able to connect to my box but I could connect via wifi devices. Switching back to Dynamic IP seemed to fix the problem. Any ideas why this is the case?

Also.. it seems that my box has internet access since I can ping websites via ssh. I was hoping to use this as an internal box for most of the time. My network setup is like this NTD -> Router -> Box/Desktop/Misc Devices. Is there something in the Web GUI I can sever the connection to the internet?
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
Without understanding your network, I can only speculate.

My network setup is like this NTD -> Router -> Box/Desktop/Misc Devices.

What is NTD? An ISP provided modem (router)?

Is there something in the Web GUI I can sever the connection to the internet?

You don't want your server to be open to the internet. You should build firewall rules to open to the applications you are running and need external access (i.e. Plex).

Also if NTD is a router, try not to double NAT. Some applications (games) wouldn't like that.

At home I have an ISP provided router -> pfsense -> switches. My router is bridged, so I won't double NAT. My servers (FreeNAS included) are on DHCP and I set a static IP on my pfsense based on the MAC. That makes configuration easier for me, but it's your choice.
 

richh1833

Cadet
Joined
May 30, 2017
Messages
9
Without understanding your network, I can only speculate.



What is NTD? An ISP provided modem (router)?



You don't want your server to be open to the internet. You should build firewall rules to open to the applications you are running and need external access (i.e. Plex).

Also if NTD is a router, try not to double NAT. Some applications (games) wouldn't like that.

At home I have an ISP provided router -> pfsense -> switches. My router is bridged, so I won't double NAT. My servers (FreeNAS included) are on DHCP and I set a static IP on my pfsense based on the MAC. That makes configuration easier for me, but it's your choice.

Thanks for taking the time to reply.

The NTD is the Network Termination Device - where the fibre terminates in my apartment. I have two ISPs, one which requires auth to connect via pppoe and the other connects automatically.

I thought that by default a freeNAS box doesn't have connectivity to the internet without the user setting up a firewall rule, which is why I'm perplexed as to how I could have pinged websites from my box. Is it possible to restrict access for the box to reach outwards?
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
FreeNAS is like any server. If a service is running and the port is open you can access.

Take for instance the Web gui. If the WAN has that port open, you and everybody else will be able to get to it.

I'd have a firewall between your NTD and your network, especially because I think you are on a shared link with other units.

Pfsense supports pppoe by the way.
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
I thought that by default a freeNAS box doesn't have connectivity to the internet without the user setting up a firewall rule, which is why I'm perplexed as to how I could have pinged websites from my box. Is it possible to restrict access for the box to reach outwards?
FreeNAS does connect to the iXsystems server to keep up with updates by default, but you can turn this off by unchecking the *automatically check for updates* feature (under Updates in the GUI's System tab).
This feature is outbound traffic to one particular server only AFAIK (not a security issue).

As far as contacting any other IPs, it (FreeNAS) can't do that by itself. You are in total control.
FreeNAS cannot connect to anything on its own. You must install additional software and
open ports.
Your router would be used to block inbound traffic to any and all devices on your LAN.
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
FreeNAS does connect to the iXsystems server to keep up with updates by default, but you can turn this off by unchecking the *automatically check for updates* feature (under Updates in the GUI's System tab).
There's something else as well, IIRC turning off automatic updates shuts off the ntp daemon
which means FreeNAS can't ping the ntp websites for keeping the correct time.:eek: lol
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
There's something else as well, IIRC turning off automatic updates shuts off the ntp daemon
which means FreeNAS can't ping the ntp websites for keeping the correct time.:eek: lol
Seriously? I don't think I'd heard that one before.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Which router is handing out IPs? You should figure out how to remove everything but one router and DHCP server.

Sent from my Nexus 5X using Tapatalk
 

richh1833

Cadet
Joined
May 30, 2017
Messages
9
FreeNAS is like any server. If a service is running and the port is open you can access.

Take for instance the Web gui. If the WAN has that port open, you and everybody else will be able to get to it.

I'd have a firewall between your NTD and your network, especially because I think you are on a shared link with other units.

Pfsense supports pppoe by the way.

My NTD is private and isn't shared with others but I do have a router between the NTD and my devices. The issue with regards to the PPPOE was that if I used PPPOE to auth with my ISP1, I wouldn't be able to connect to my NAS box via my desktop through ethernet. But if I used dynamic IP where ISP2 automatically connects without auth then I can connect. I'm personally not too sure why this is the case.

FreeNAS does connect to the iXsystems server to keep up with updates by default, but you can turn this off by unchecking the *automatically check for updates* feature (under Updates in the GUI's System tab).
This feature is outbound traffic to one particular server only AFAIK (not a security issue).

As far as contacting any other IPs, it (FreeNAS) can't do that by itself. You are in total control.
FreeNAS cannot connect to anything on its own. You must install additional software and
open ports.
Your router would be used to block inbound traffic to any and all devices on your LAN.

By default, should I be able to ping IPs on my freeNAS box? I don't have any additional apps installed but from reading, I assumed that my box wouldn't have any internet access at all even if it was behind my router.

Which router is handing out IPs? You should figure out how to remove everything but one router and DHCP server.

Sent from my Nexus 5X using Tapatalk

There is only 1 router, which is also the DHCP server. The NTD is not a router - it's a device that provides UNI jacks for the subscriber to connect to.

https://en.wikipedia.org/wiki/Network_Termination_Device_(NBN)
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
By default, should I be able to ping IPs on my freeNAS box?

From your LAN? Yes.

Code:
[root@zabbix ~]# ping 10.10.10.200
PING 10.10.10.200 (10.10.10.200) 56(84) bytes of data.
64 bytes from 10.10.10.200: icmp_seq=1 ttl=64 time=0.354 ms
64 bytes from 10.10.10.200: icmp_seq=2 ttl=64 time=0.264 ms
64 bytes from 10.10.10.200: icmp_seq=3 ttl=64 time=0.159 ms
64 bytes from 10.10.10.200: icmp_seq=4 ttl=64 time=0.252 ms

--- 10.10.10.200 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.159/0.257/0.354/0.070 ms
 

richh1833

Cadet
Joined
May 30, 2017
Messages
9
From your LAN? Yes.

Code:
[root@zabbix ~]# ping 10.10.10.200
PING 10.10.10.200 (10.10.10.200) 56(84) bytes of data.
64 bytes from 10.10.10.200: icmp_seq=1 ttl=64 time=0.354 ms
64 bytes from 10.10.10.200: icmp_seq=2 ttl=64 time=0.264 ms
64 bytes from 10.10.10.200: icmp_seq=3 ttl=64 time=0.159 ms
64 bytes from 10.10.10.200: icmp_seq=4 ttl=64 time=0.252 ms

--- 10.10.10.200 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.159/0.257/0.354/0.070 ms

Are you able to ping external IPs? Cause that was my problem. I was able to ping external IPs which I thought I shouldn't be able to. This was after a factory reset on the NAS box as well.
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
Yes.

Code:
[root@zabbix ~]# ping yahoo.com
PING yahoo.com (206.190.38.111) 56(84) bytes of data.
64 bytes from media-router-fp1.prod.media.gq1.yahoo.com (206.190.38.111): icmp_seq=1 ttl=43 time=86.9 ms
64 bytes from media-router-fp1.prod.media.gq1.yahoo.com (206.190.38.111): icmp_seq=2 ttl=43 time=87.5 ms

--- yahoo.com ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2001ms
rtt min/avg/max/mdev = 86.955/87.247/87.540/0.415 ms
 

richh1833

Cadet
Joined
May 30, 2017
Messages
9
Yes.

Code:
[root@zabbix ~]# ping yahoo.com
PING yahoo.com (206.190.38.111) 56(84) bytes of data.
64 bytes from media-router-fp1.prod.media.gq1.yahoo.com (206.190.38.111): icmp_seq=1 ttl=43 time=86.9 ms
64 bytes from media-router-fp1.prod.media.gq1.yahoo.com (206.190.38.111): icmp_seq=2 ttl=43 time=87.5 ms

--- yahoo.com ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2001ms
rtt min/avg/max/mdev = 86.955/87.247/87.540/0.415 ms

Ah I see. So pings are okay. When BigDave mentioned contacting other IPs, I assume he meant active connections?
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
Seriously? I don't think I'd heard that one before.
As soon as you uncheck the little box and save that config,
the log immediately prints out:
Code:
May 30 22:10:30 testbench ntpd[8420]: ntpd exiting on signal 15 (Terminated)
May 30 22:10:30 testbench ntpd[20242]: ntpd 4.2.8p10-a (1): Starting

I don't really know what that means...
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
Ah I see. So pings are okay. When BigDave mentioned contacting other IPs, I assume he meant active connections?

It would be helpful to have the output of "netstat -in", "netstat -rn" and "arp -an" from the freenas when you're having this issue. It would also be helpful to have the IP address and ethernet MAC addresses of your router(s).
 

richh1833

Cadet
Joined
May 30, 2017
Messages
9
It would be helpful to have the output of "netstat -in", "netstat -rn" and "arp -an" from the freenas when you're having this issue. It would also be helpful to have the IP address and ethernet MAC addresses of your router(s).

The PPPOE and connectivity issues are two different things. I was confused since I assumed that if my NAS could ping external IPs it meant that it was connected to the internet, which was a bit concerning since I thought that freeNAS boxes weren't connected when first installed. But I see that you can ping without being actively connected through plugins.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
As far as contacting any other IPs, it (FreeNAS) can't do that by itself.
Of course it can. It doesn't, in that there's no default process on the FreeNAS box that routinely contacts anything other than the updates server and pool.ntp.org (Edit: isn't there also a telemetry task that's on by default?), but a default FreeNAS installation on an Internet-connected network with a properly-functioning DHCP server (i.e., 99.9% of home networks) will be able to connect to any other Internet host. If this is not the desired behavior, it needs to be blocked at the firewall.
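
Added example (not part of any post in this thread): a small parser for the `netstat -rn` output requested earlier, showing why a DHCP-configured box can reach outside hosts: the lease installs a default route via the router. The routing table below is constructed, and the function names `parse_routes`, `next_hop` and `has_internet_path` are made up for this illustration.

```python
import ipaddress

# Constructed sample of FreeBSD `netstat -rn` output (addresses are made up).
SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U           em0
192.168.1.50       link#1             UHS         lo0
"""

def parse_routes(text):
    """Return (network, gateway, netif) tuples from the IPv4 table only."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("Internet"):
            in_v4 = line.strip() == "Internet:"   # "Internet6:" ends the IPv4 part
            continue
        parts = line.split()
        if not in_v4 or len(parts) < 4 or parts[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip abbreviated or otherwise unparseable entries
        routes.append((net, parts[1], parts[3]))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match; None means the host has no route to dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def has_internet_path(routes, probe="206.190.38.111"):
    """True when an off-LAN address (default: the one pinged above) is sent to a gateway."""
    hop = next_hop(routes, probe)
    return hop is not None and not hop[1].startswith("link#")

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    print("LAN peer via:", next_hop(table, "192.168.1.20")[1])
    print("outside host via gateway:", has_internet_path(table))
```

With a default route present, only a block rule on the router or firewall stops outbound traffic from the box; the host itself will forward anything to the gateway.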
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
Of course it can. It doesn't, in that there's no default process on the FreeNAS box that routinely contacts anything other than the updates server and pool.ntp.org
I'm gonna guess you speak frequently in front of a judge and jury.
You silver tongued devil :D
Aren't you due in court this morning, go pick on a witness and leave me alone *whimper* *sniff*
lol
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'm gonna guess you speak frequently in front of a judge and jury.
Very, very rarely in front of a judge, and never (at least so far) in front of a jury--not that kind of lawyer. But it sounded like both you and @richh1833 were saying that a FreeNAS box can't communicate with outside hosts, which is just wrong. If I misunderstood your post, my apologies.
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
If I misunderstood your post, my apologies.
No need to apologize, my comeback was an attempt at humor, nothing more...
Very, very rarely in front of a judge, and never (at least so far) in front of a jury--not that kind of lawyer.
IMHO, You missed your calling counselor ;)
 