vlan and volume segmentation/security

Status
Not open for further replies.

noprobs

Explorer
Joined
Aug 12, 2012
Messages
53
I have various VLANs in my network and would like FreeNAS to provide storage to them all, but using VLAN tagging for segmentation/security, i.e. limiting volume/dataset access to specific VLANs.

Example use case.

VLAN 1 192.168.1 /24 - management traffic so only this subnet can access freenas management interface

VLAN 2 192.168.2 /24 - Xen hosts connecting to FreeNAS volume presented by iscsi, only xen hosts should see these volumes

VLAN 3 192.168.3 /24 - PCs who can browse NFS/CIFS shares on freenas - but nothing else


Anybody else like to see this (or is this already available and I have missed it in the manual/my testing)?

Cheers,

Jon
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
The access control you want has nothing to do with vlans. Vlans are simply how your network presents the networking environment to the NAS server. You could substitute the word "Intel gigabit ethernet" for "VLAN" in your message and you would have the same problem, just different network attachment. It is all pretty much the same thing to the abstracted higher levels of UNIX networking. Obviously there are some practical differences, such as three Intel gigE interfaces have more aggregate bandwidth than three vlans being attached via a single gigE... but it seems like you have at least some knowledge of vlans, so I'll leave that there.

You can certainly limit access by network. You just have to configure your shares appropriately. For example, for an NFS share, make sure that it is only shared with 192.168.3.0/24. For iSCSI, you can set both a portal address (that's the FreeNAS server's address on the Xen/"VLAN 2" network) and specify access from 192.168.2.0/24. You can pick a WebGUI address under Settings->General. I'd suggest actually testing things like ssh if you set them up, though; FreeNAS is likely to expose them to other networks unless you're clever with the options.
 
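As an added example (not from this thread or from the FreeNAS project), a small sh/awk audit that follows the advice above to actually test what each service exposes: it reads FreeBSD `sockstat -4 -l` output and flags every listener bound to the wildcard address (so reachable from every VLAN the box sits on) or to an address other than the one the per-VLAN policy expects. The sample sockstat output, the process names and the policy addresses are constructed for illustration.

```shell
#!/bin/sh
# Audit which address each NAS service listens on, against a per-VLAN policy.
# Added example, not FreeNAS code. On a real box, pipe `sockstat -4 -l` into audit_listeners.

# Constructed sample of `sockstat -4 -l` output (FreeBSD column layout);
# process names and addresses are illustrative, not captured from a real box.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1201  6  tcp4   192.168.1.10:443      *:*
root     istgt      1310  9  tcp4   192.168.2.10:3260     *:*
root     nfsd       1402  5  tcp4   *:2049                *:*
root     sshd       1150  4  tcp4   *:22                  *:*
root     smbd       1510  20 tcp4   192.168.3.10:445      *:*'

# Assumed policy: the NAS address (and therefore the VLAN) each service may listen on.
# VLAN 1 = 192.168.1.10 (management), VLAN 2 = 192.168.2.10 (Xen), VLAN 3 = 192.168.3.10 (PCs)
POLICY='nginx 192.168.1.10
sshd 192.168.1.10
istgt 192.168.2.10
nfsd 192.168.3.10
smbd 192.168.3.10'

# Reads sockstat output on stdin and prints one finding per listener that is bound to
# the wildcard address, bound to an address the policy does not expect, or missing
# from the policy altogether. Returns 1 when anything was flagged, 0 otherwise.
audit_listeners() {
    awk -v policy="$POLICY" '
    BEGIN {
        n = split(policy, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], kv, " ")
            want[kv[1]] = kv[2]
        }
    }
    NR == 1 { next }                      # column header line
    {
        svc = $2; sock = $6; addr = sock
        sub(/:[0-9]+$/, "", addr)         # drop the port, keep the address
        if (addr == "*") {
            print "EXPOSED  " svc " listens on " sock " (every attached VLAN can reach it)"
            flagged = 1
        } else if (!(svc in want)) {
            print "UNKNOWN  " svc " listens on " sock " (no policy entry)"
            flagged = 1
        } else if (want[svc] != addr) {
            print "MISMATCH " svc " listens on " sock ", policy expects " want[svc]
            flagged = 1
        }
    }
    END { if (flagged) exit 1 }'
}

# Demo on the constructed sample: nfsd and sshd are bound to * and get flagged.
printf '%s\n' "$SAMPLE" | audit_listeners || echo "listener audit found deviations from policy"
```

The check only covers which address a service is bound to; a service bound to a specific VLAN address still needs its own share/initiator access list configured as described above, since binding and per-client access control are separate layers.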

TurboSquid

Cadet
Joined
Sep 27, 2012
Messages
2
I have a very similar situation.

I have FreeNAS set up in my home-office/lab configured with several VLANs:

10: Office
20: Workbench
30: VirtualMachines
40: HomeNetwork

I would like to be able to decide which service each VLAN gets to see. For example, on the Office VLAN I need to have CIFS and HTTPS access, on the Workbench VLAN I need to have TFTP and FTP to boot systems I am working on, on the VM VLAN I need to have iSCSI and NFS, and on the Home VLAN I only want NFS access.

Right now my only option is to expose all of these services to all of the VLANs and try to configure ACL rules as best as possible; ideally I would like to set up a local firewall on FreeNAS to be able to only allow connections to the services specifically needed by that VLAN. If anyone has any suggestions for doing this I would love to try them out.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
FreeNAS has no support for firewalls at this time.

Most (all?) of the services you mention already include strong access controls, and some of them will allow binding to specific interfaces; HTTPS and iSCSI in particular come to mind. Since you should be thoroughly configuring that kind of thing anyway, rather than relying on a firewall, you could focus on getting the configuration right and then going forward from there.

It should be possible to generate a FreeNAS image that includes ipfw support, and take the module (or the entire kernel directory) and install that, but it would leave you with the task of manually configuring ipfw.
 
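For the manual ipfw configuration mentioned above, an added example (not FreeNAS code) of a per-VLAN ruleset for the three-VLAN layout from the first post: default deny, with each VLAN interface allowed only the services its subnet is supposed to reach. The interface names vlan1/vlan2/vlan3, the subnets and the port choices are assumptions to adjust for the actual box, and it needs an ipfw-enabled kernel or module, which stock FreeNAS lacks as noted above.

```shell
#!/bin/sh
# Per-VLAN ipfw ruleset, added example (not FreeNAS code). Assumes one vlan(4)
# interface per network; "me" matches every address configured on the NAS itself.
MGMT_NET=192.168.1.0/24; MGMT_IF=vlan1   # management: WebGUI + ssh only
XEN_NET=192.168.2.0/24;  XEN_IF=vlan2    # Xen hosts: iSCSI only
PC_NET=192.168.3.0/24;   PC_IF=vlan3     # PCs: NFS + CIFS only

# Emits the ruleset as ipfw command lines (lines starting with # are comments).
build_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
# management VLAN may reach the WebGUI (443) and ssh (22), nothing else
add 1000 allow tcp from $MGMT_NET to me dst-port 22,443 in via $MGMT_IF setup keep-state
# Xen VLAN may reach the iSCSI portal only
add 2000 allow tcp from $XEN_NET to me dst-port 3260 in via $XEN_IF setup keep-state
# PC VLAN: rpcbind (111), nfsd (2049) and CIFS (139, 445); mountd/lockd/statd
# only pass if they are pinned to fixed ports and added to these lists
add 3000 allow tcp from $PC_NET to me dst-port 111,139,445,2049 in via $PC_IF setup keep-state
add 3010 allow udp from $PC_NET to me dst-port 111,2049 in via $PC_IF keep-state
# connections the NAS opens itself (DNS, NTP, updates); replies come back via check-state
add 4000 allow ip from me to any out keep-state
# everything else, on every VLAN, is dropped and logged
add 65000 deny log ip from any to any
EOF
}

# Flushes the running ruleset and loads the one above. Refuses to do anything
# on a build without ipfw so it fails closed instead of silently doing nothing.
apply_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw is not available on this build; rules not applied" >&2
        return 1
    fi
    ipfw -q -f flush
    build_rules | grep -v '^#' | while read -r line; do
        # word splitting of $line is intended: each line is one ipfw command
        ipfw -q $line
    done
}

# Stand-alone use: print the rules; apply_rules is what you would run on the NAS.
build_rules
```

Load order matters: the per-VLAN allows sit below the `check-state` rule and above the final deny, so a packet arriving on the wrong VLAN for a service never matches an allow and is logged by rule 65000, which is also where to look when a client on a VLAN legitimately needs a port that is not yet listed.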