Connecting to a colocated FreeNAS

Status
Not open for further replies.

Mr. Evan

Cadet
Joined
Nov 18, 2015
Messages
7
To preface, I'm new to configuring network routing. I originally set up my system on my LAN without any problems; however, it has now been moved offsite using a colocation service (colo) as I couldn't keep it in my building (too noisy).

Using FreeNAS's default menu, I updated the network interface to its new IPv4, Netmask, IPv4 default route, and DNS nameservers given to me by the colo. I also updated the line "hostname=" in /etc/rc.conf to its new hostname specified by the colo. Finally, the colo has also added the necessary rules to its firewall accepting incoming connections from my IP to my server's IP on ports 22 (SSH), 80 (HTTP), and 443 (HTTPS), and their firewall does not filter outgoing data.

However, when I try to ping out from the server (either to my IP or even just Google) I get "No route to host". And if I try pinging the server from my IP I get "Destination host unreachable".

ifconfig shows that it recognizes an active connection on the network interface I've configured. But netstat -r returns nothing. I'm using FreeNAS 9.3.

What am I missing here? Does FreeNAS have a firewall that I need to manually adjust? I couldn't find information on it in the documentation. Otherwise I'm pretty lost. Are there other network configuration files that I have to manually update?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Try "netstat -rn". You need a default route, and it sounds like you have none.

Code:
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1         UGS         0   517208   igb0


plus some other cruft after that; the important part right now is the "default". Go back into your network settings after you find out from your provider what that's supposed to be. You can also temporarily add it by hand, "route add default 192.168.1.1" or whatever, but that will not be persistent.
 

Mr. Evan

Entering "netstat -rn" shows that the default route does exist and matches the default gateway provided to me by the colo.
 

jgreco

Okay, then, can you ping the default gateway address? What does "arp -an" show after that? It should show an ARP address for the default gateway, not "incomplete".
 

Mr. Evan

Pinging the default gateway address from my desktop works fine.

I'm not currently at the colocation site, but will be over there later today and will ping the gateway from the server and run "arp -an". If it reads "incomplete" how would I go about fixing that? I did change out my copper network interface card (NIC) to a fiber NIC when I moved the unit. I've rebooted several times since, but is there something else I have to do?

Thanks for the help.
 

jgreco

If you can ping the default gateway, that's sufficient. If you've got it configured with the default gateway, and you're getting "no route to host", the likely answer is that you're getting denied by the firewall.
 

Mr. Evan

Ok, I'm now on site. Pinging the default gateway from the server fails and returns "Host is down".

Entering "arp -an" returns only my IP followed by its ARP address, and does not list the default gateway address.

So yes, it looks like my default gateway isn't configured correctly even though it appears on the netstat -rn list.

How can I fix it? Thanks again.
 

jgreco

That, I don't know. Do you have ethernet link? ("ifconfig ifx0" where ifx0 is whatever the interface name might be). It should give you something like "media: Ethernet autoselect" and "status: active". If not, hook up the ethernet cables. If still not, then talk to your colo provider about their networking, and tell them "I have no link."

If you have ethernet link, it seems likely to be related to the firewall. Confirm that you've got the correct config installed, then let them know that you cannot ping the gateway and have no Internet connectivity.
 

Mr. Evan

ifconfig ix0 returns "media: Ethernet autoselect (10Gbase-SR <full-duplex>)" (which is okay for a fiber connection, correct?) and "status: active".

FreeNAS doesn't have a built-in firewall that would be blocking any connections outside the LAN does it?

I'll contact the colo and tell them I have a link but can't ping the gateway. Thanks.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
My network-fu is a little rusty, but if arp -an only shows your interface, then you have a layer 2 problem connecting to the colo. Which implies you aren't really connected. I realize you have link (Layer 1), but the colo switch port might not be configured properly.
 

jgreco

So yes you have link, but probably not directly to a firewall, and instead to a switch of some sort.

If you try to ping the gateway and then "arp -an" only shows your interface and not some entry for the gateway, then you have a local network configuration problem. arp -an would show "(incomplete)" for the IP address of the gateway if it is unable to communicate at layer 2.

A firewall is not obligated to respond to pings, but configuring it not to is kinda idiotic as it makes debugging a pain.
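
The checks used in this thread, taken in order (link, default route, ARP entry for the gateway), as an added example that is not part of the original posts. The sample output is constructed and uses documentation addresses in place of the colo's real ones.

```shell
#!/bin/sh
# Added example: locate the failing layer from captured FreeBSD output.
# All sample text is constructed; 203.0.113.0/24 is a documentation range.

# Gateway on the "default" line of `netstat -rn` output ($1), if any.
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# State of IP $2 in `arp -an` output ($1): resolved, incomplete or missing.
arp_state() {
    printf '%s\n' "$1" | awk -v ip="($2)" '
        $2 == ip { found = 1
                   print ($4 == "(incomplete)" ? "incomplete" : "resolved")
                   exit }
        END { if (!found) print "missing" }'
}

# $1 = ifconfig output, $2 = netstat -rn output,
# $3 = arp -an output taken right after pinging the gateway.
diagnose() {
    printf '%s\n' "$1" | grep -q 'status: active' ||
        { echo "layer 1: no link, check cabling"; return; }
    gw=$(default_gw "$2")
    [ -n "$gw" ] || { echo "layer 3: no default route configured"; return; }
    case $(arp_state "$3" "$gw") in
        resolved) echo "layer 2 ok: $gw answers ARP, look at the firewall" ;;
        *) echo "layer 2: no ARP reply from $gw, check switch port and addressing" ;;
    esac
}

IFCONFIG_SAMPLE='ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
	media: Ethernet autoselect (10Gbase-SR <full-duplex>)
	status: active'
NETSTAT_SAMPLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0        0    ix0
203.0.113.0/24     link#1             U           0        0    ix0'
# Matches the thread: only the host's own address is listed.
ARP_SAMPLE='? (203.0.113.10) at 00:00:5e:00:53:0a on ix0 permanent [ethernet]'

diagnose "$IFCONFIG_SAMPLE" "$NETSTAT_SAMPLE" "$ARP_SAMPLE"
```

On a live system the three arguments would be the output of `ifconfig ix0`, `netstat -rn` and `arp -an`, captured after a ping to the gateway.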
 

solarisguy

Guru
Joined
Apr 4, 2014
Messages
1,125
Fiber and twisted pair..., maybe that is not where the mix-up is...

In case things are still not working, I have some random questions:
  • What is your FreeNAS version as shown after Build? (E.g., FreeNAS-9.3-STABLE-201511040813)
  • Do you have access to the console through IPMI? Can you get access if you have IPMI?
  • I am a little confused, from outside of colo can you access the WebGUI?
  • Why did you move up from Gigabit Ethernet?
  • How did you disable the old interface (Gigabit Ethernet) and enable the new one (10G)?
 

Mr. Evan

  1. Can't remember the exact version, but will update when I'm next onsite at the colo. It is a STABLE 9.3 build originally downloaded in September and updated at least once since.
  2. I have not tried IPMI. Would it provide me access to any information or functionality that I don't have access to via the command line?
  3. I cannot access the WebGUI from outside the colo.
  4. This NAS is for my research lab which streams a ton of data between various high speed cameras and the NAS each day. I don't believe we ever saturated our old gigabit connection, but the 10G connection is essentially future proofing the unit as the lab expands and adds more high speed imaging systems.
  5. While powered down I simply removed the old copper network interface card (NIC), and replaced it with a fiber NIC. I was told this was all that was necessary, but is there some configuration file I have to change?
The colo has agreed to get their network guy to check out the connection, not sure on a timeline but will update this post once I have more information.
 

depasseg

> While powered down I simply removed the old copper network interface card (NIC), and replaced it with a fiber NIC. I was told this was all that was necessary, but is there some configuration file I have to change?

Umm, yes, you need to configure that interface. I'm guessing the interface name changed.

You can make the change via the console or GUI. No configuration file editing.
 

Mr. Evan

Sorry, yes I did do that (not a complete idiot): I reconfigured the network interface. Specifically configured the active port on the new NIC with the correct IPv4 and subnet mask in "1) Configure Network Interfaces", changed the default gateway in "4) Configure Default Route", and updated the DNS in "6) Configure DNS".
 

jgreco

> Sorry, yes I did do that (not a complete idiot): I reconfigured the network interface. Specifically configured the active port on the new NIC with the correct IPv4 and subnet mask in "1) Configure Network Interfaces", changed the default gateway in "4) Configure Default Route", and updated the DNS in "6) Configure DNS".

That seems like it'd be sufficient.
 

solarisguy

Thank you for the answers! Please take a look at console access through IPMI.

From what you have explained so far, out-of-band management would be very useful, and essential when there is no network access (or when troubleshooting any network issues).
 

jgreco

It is VERY IMPORTANT that any out-of-band management is not accessible from the general Internet.
 

jgreco

Assuming a static IP, yes. The big concern is that these IPMIs are essentially full busybox SoC type systems, which infrequently get updated. So when you expose them to the Internet, the bad guys scan it and try to identify what it might be, and then they save that knowledge off in a database somewhere. Later, when a vulnerability in the busybox platform becomes known, these guys just go poll their database and suddenly within hours of a viable exploit, your IPMI is exploited. In the best case, your IPMI is merely sending ads for Viagra and porn. In a more serious case, an attacker actually takes interest in the attached console, and finds out that he's got access to your NAS and all the files on it.
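
One way to audit the exposure described above, as an added example that is not from the thread: it reads the BMC's LAN settings and flags an address that is routable from the Internet. Using `ipmitool lan print 1` as the source of the text is an assumption (the thread names no tool), and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag a BMC/IPMI interface that sits on a public address.
# Input is the text of `ipmitool lan print 1`; the sample is constructed.

# IPv4 address from the "IP Address" line (not "IP Address Source").
bmc_ip() {
    printf '%s\n' "$1" | awk -F': *' '/^IP Address +:/ { print $2; exit }'
}

# Succeed for RFC 1918 private, loopback and link-local addresses.
is_private_ipv4() {
    case $1 in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_bmc() {
    ip=$(bmc_ip "$1")
    case $ip in
        '')      echo "unknown: no IP Address line in input" ;;
        0.0.0.0) echo "unconfigured: BMC LAN channel has no address" ;;
        *)  if is_private_ipv4 "$ip"; then
                # A private address can still be exposed by a NAT port-forward,
                # so this is a necessary check, not a sufficient one.
                echo "private: $ip, verify no port-forward reaches it"
            else
                echo "public: $ip, restrict at the firewall or move to a management network"
            fi ;;
    esac
}

# 198.51.100.23 is a documentation address standing in for a public one.
LAN_PRINT_SAMPLE='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 198.51.100.23
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:17
Default Gateway IP      : 198.51.100.1'

audit_bmc "$LAN_PRINT_SAMPLE"
```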
 