Jail on NIC with no address

Status
Not open for further replies.

johnjaylward

Dabbler
Joined
Oct 23, 2014
Messages
37
My FreeNAS box has 2 NIC ports: one is on my LAN, and the other I want to use for Jails that will be on the WAN. My ISP provides me with 5 static IPs and my current Gentoo server (that I want to replace with my FreeNAS server) just aliases them all except one that is used to let my WAN access the internet through a dedicated router. My Gentoo box currently has complicated firewall rules to keep WAN access off the LAN.

I would like to do something similar with FreeNAS using jails (3 jails, 1 for each static IP). My network topology would look something like the attached image (I couldn't figure out how to get formatted text...)

Does anyone know the best way to set up jails so I can use all the IPs in the actual Jails and not assign one to the physical NIC? Would I need to assign them all to the NIC then use NAT and PF rules to limit access similar to my Gentoo setup?

Or if anyone has a good book or links on networking and Jails for FreeBSD that would be great. I'm not used to working with chroot or jails, and am mostly familiar with Linux, so any docs from beginner to advanced would be welcome.
 

Attachments

  • networkTopo.png

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I strongly recommend you keep FreeNAS behind the router. WAN access should be done via VPN or similar, as FreeNAS is not hardened for internet-facing use.

You *can*, however, set up routes to allow jails to be exposed to the internet, since jails are sandboxed and can be more freely set up.

As for assigning those IPs, that oughta be possible on the router, ideally with the jails using one or more separate NICs (this will be possible in 9.3).
 

johnjaylward

Dabbler
Joined
Oct 23, 2014
Messages
37
> I strongly recommend you keep FreeNAS behind the router. WAN access should be done via VPN or similar, as FreeNAS is not hardened for internet-facing use.
>
> You *can*, however, set up routes to allow jails to be exposed to the internet, since jails are sandboxed and can be more freely set up.
>
> As for assigning those IPs, that oughta be possible on the router, ideally with the jails using one or more separate NICs (this will be possible in 9.3).

Well yes, that is the point. I ONLY want the jails on the WAN. One NIC is on the LAN, the other is on the WAN. I DO NOT WANT the WAN to have access to the FreeNAS server itself, only the jails. I'm looking for information on how to accomplish that.

-- edit, I would prefer to not use a VPN to accomplish this, as I'd like to share items with family and friends and I don't want them having access to my network via the VPN. This is to enable publicly accessible services for limited sharing.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
You can expose the jails, as long as you take proper precautions. I'm not sure you can assign jails to a separate NIC in 9.2.X, but you can in 9.3, which should be out any day now. It should be a matter of choosing the adapter in the GUI, if I'm not mistaken.
 

johnjaylward

Dabbler
Joined
Oct 23, 2014
Messages
37
I can wait for 9.3. Do you know if a configuration like this would be in the 9.3 docs, or somewhere else that I can read up on configuring jails?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> I can wait for 9.3. Do you know if a configuration like this would be in the 9.3 docs, or somewhere else that I can read up on configuring jails?

The jails setup should be in the 9.3 manual, but what goes inside the jails is probably more within the purview of a FreeBSD forum, except for the couple of popular jails used around here.
 