Multiple NICs on multiple subnets, 1 NIC per subnet - How do I do this?

Joined Jan 4, 2016 | Messages 7
I want to use my home FreeNAS server for the following purposes:
1) Time machine backups
2) Plex server
3) Storage of footage from my CCTV

For the sake of security and performance, I'd like to keep (1) and (2) on the same subnet - my 'Home LAN', which is separate from a subnet that is dedicated to (3) - my 'CCTV LAN'. I thought it would be easy to achieve this, because I have 4 NICs on my motherboard (please see my signature for the setup); and so I was planning to connect the FreeNAS server to the Home LAN using one NIC, while I connected the same FreeNAS server to the CCTV LAN using one of the remaining three NICs. However, I can't find any help online on how to do this; and I can't figure it out.

Is there anyone who can help me?
 
Joined Feb 2, 2016 | Messages 574
Good day, Philip.

1. I wouldn't bother segmenting the network. You're not generating enough traffic that there will be performance problems and all you're doing is adding complexity.

2. If you allow off-premises devices to access your Plex server, that is going to be the intrusion point of your network. It sounds like Plex is going to be on the main network with your time machine backups and other devices. So, I also don't see any security improvements by moving CCTV to its own subnet.

3. You need two subnets. For example...

10.10.10.0/24 = Time Machine, Plex, normal devices = plug into NIC1
10.20.20.0/24 = CCTV devices = plug into NIC2

The problem with that configuration is you're probably going to want to route traffic between the two subnets. That way, you can watch security video on your iPad while sitting in front of the television watching pirated videos on Plex. How are you going to route that traffic?

You could probably fire up a pfSense VM under FreeNAS and use that as your router - you have plenty of NICs - but then you're adding another layer of complexity. And, for what?

If you really wanted to do it right without adding hardware, you'd install pfSense in a VM then configure your NICs as...

* NIC1 = 10.10.10.0/24 = Internal protected network, Time Machine
* NIC2 = 10.20.20.0/24 = CCTV Network
* NIC3 = 10.30.30.0/24 = Plex DMZ
* NIC4 = {handoff from ISP} = naked and exposed internet connection

Of course, by 'without adding hardware', I mean you'll need a switch for each of those NICs assuming you have more than two devices on each. Or a switch that supports VLANs. Of course, if you have a switch that supports VLANs, you could only need one NIC on the FreeNAS server assuming you trust your ability to VLAN correctly.

TL;DR: put everything on the same subnet and get on with your life.

Cheers,
Matt
 
Joined Jan 4, 2016 | Messages 7
Hi Matt,

Thanks for the reply - really well thought-through and helpful. I realise that I'm potentially creating an overly complex system, but part of my interest is to 'learn by doing'; so I hope you'll humour one more post and some associated questions...

Regarding your post above:
Point 1. - Yup, I agree
Point 2. - I'm not sure I've understood what you posted. Here's my thinking on the security improvements...

My main consideration is creating a CCTV network that is isolated from everything else at home (to stop an exploitation of these cameras compromising the rest of my network) and the outside world (to stop someone outside my LAN being able to see what the CCTV is capturing).

I'm using HikVision cameras, so the three main components of the CCTV are the image/video capture, the image/video storage, and the playback...
- Capture: Capture will be performed by the IP cameras.
- Storage: Each camera will store its footage on a dedicated share from a Network File System (NFS) server.
- Playback: Playback will be using a client (iVMS 4200) run on a computer connected to the network and therefore able to access the cameras.

For the storage, I want to use my FreeNAS, because it provides a much larger capacity that is much less susceptible to a hardware failure than the internal HDD of a spare desktop I currently have sitting around unused.

For the playback, I'm planning to either use that spare desktop, or alternatively make the subnet of the CCTV network (e.g. 10.20.20.0/24) accessible via a wireless network (e.g. SSID 'Cams'). When I need to view the footage, I would then use my laptop to join the 'Cams' wireless network temporarily and use a client installed on that laptop to view the footage I'm interested in.

In summary, the CCTV network would be 10.20.20.0/24 with the following attached:
- Cameras
- FreeNAS (with access only to the FTP shares used by the cameras)
- WAP, broadcasting 'Security' SSID, accessible only within the range of the wireless network (i.e. within my house)

This CCTV network would be separated from the WAN by blocking any traffic in my firewall.

When you posted 'If you allow off-premises devices to access your Plex server, that is going to be the intrusion point of your network.' what were you considering as a potential attack? What are the vulnerabilities of a Plex server running as a jail on FreeNAS?

Point 3. - Following the design described above, everything that wasn't CCTV (e.g. Plex server, games consoles, etc.) would then be on a separate subnet (e.g. 10.10.10.0/24). There wouldn't need to be any route from the 10.10.10.0/24 subnet to the 10.20.20.0/24 subnet, as far as I can tell. Have I missed something?

I'm using Ubiquiti hardware for the network, which supports VLANs and has a highly configurable firewall, so perhaps I could do things that way. I'd prefer to use the NICs though, because I'd have more confidence to test the setup if there are separate physical connections for each subnet. This is where I come really unstuck (the cause of my original post).

I thought linking the different NICs would be as easy as assigning an appropriate IP address to each interface within the GUI:
Network>>Interfaces>>Edit (e.g. static IP 10.20.20.5 for NIC igb0, and static IP 10.10.10.5 for NIC igb1)
... but when I try this, the FreeNAS box fails to connect to my network at all (no pingable interface); and I have to reset the interfaces using the CLI of a monitor connected directly to the FreeNAS box.

Is there some abstraction between the 'Interface' shown by the GUI and the NIC? If you can shed some light on what I might be doing wrong, I'd really appreciate it.
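An added example (not code from the thread or from FreeNAS) that checks the kind of per-NIC subnet plan Matt sketched above and that Philip tried to enter in the GUI: each NIC in its own non-overlapping subnet, a usable host address, and exactly one default gateway, on the interface that actually reaches the WAN. The interface names igb0/igb1, the addresses and the gateway 10.10.10.1 are assumptions taken from the thread; the thread does not say why Philip's attempt left the box unreachable, so the failing counter-example (both NICs in the same /24, two gateways) is a constructed illustration of a common multi-homing mistake, not a diagnosis. The checker also renders the plan as FreeBSD rc.conf lines so the intended result can be compared against what the GUI wrote.

```python
"""Validate a per-NIC subnet plan and emit matching FreeBSD rc.conf lines.

Added example, not the thread's or FreeNAS's own code. Interface names,
addresses and gateway are assumptions based on the plan discussed in the
thread (igb0 = CCTV 10.20.20.0/24, igb1 = home LAN 10.10.10.0/24).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NicPlan:
    ifname: str                          # FreeBSD interface name, e.g. "igb0"
    address: str                         # host address with prefix, e.g. "10.20.20.5/24"
    role: str                            # human-readable label for the comment
    default_gateway: Optional[str] = None  # set only on the NIC that reaches the WAN


def check_plan(nics: List[NicPlan]) -> List[str]:
    """Return a list of problems; an empty list means the plan is sane.

    Checks the things that make a multi-homed host unreachable or leaky:
    - every NIC sits in a different, non-overlapping subnet
    - the host address is neither the network nor the broadcast address
    - at most one default gateway, and it lies inside that NIC's subnet
    """
    problems = []
    nets = {}
    for nic in nics:
        iface = ipaddress.ip_interface(nic.address)
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{nic.ifname}: {iface.ip} is the network/broadcast address of {net}")
        for other_if, other_net in nets.items():
            if net.overlaps(other_net):
                problems.append(f"{nic.ifname} ({net}) overlaps {other_if} ({other_net})")
        nets[nic.ifname] = net
        if nic.default_gateway is not None:
            gw = ipaddress.ip_address(nic.default_gateway)
            if gw not in net:
                problems.append(f"{nic.ifname}: gateway {gw} is not inside {net}")
    gateways = [n.ifname for n in nics if n.default_gateway is not None]
    if len(gateways) > 1:
        problems.append("more than one default gateway: " + ", ".join(gateways))
    return problems


def rc_conf_lines(nics: List[NicPlan]) -> List[str]:
    """Render the plan as /etc/rc.conf style lines (FreeBSD syntax)."""
    lines = []
    for nic in nics:
        iface = ipaddress.ip_interface(nic.address)
        lines.append(f'ifconfig_{nic.ifname}="inet {iface.ip} netmask {iface.netmask}"  # {nic.role}')
    for nic in nics:
        if nic.default_gateway is not None:
            lines.append(f'defaultrouter="{nic.default_gateway}"')
    return lines


# Constructed plan matching the thread: CCTV on igb0 (no route out), home LAN on igb1.
PLAN = [
    NicPlan("igb0", "10.20.20.5/24", "CCTV LAN, no default route"),
    NicPlan("igb1", "10.10.10.5/24", "Home LAN: Time Machine, Plex", default_gateway="10.10.10.1"),
]

# Constructed counter-example: both NICs ended up in the same /24, each with a gateway.
BAD_PLAN = [
    NicPlan("igb0", "10.10.10.5/24", "CCTV LAN", default_gateway="10.10.10.1"),
    NicPlan("igb1", "10.10.10.6/24", "Home LAN", default_gateway="10.10.10.1"),
]

if __name__ == "__main__":
    for name, plan in (("PLAN", PLAN), ("BAD_PLAN", BAD_PLAN)):
        problems = check_plan(plan)
        print(name, "OK" if not problems else problems)
    print("\n".join(rc_conf_lines(PLAN)))
```

The CCTV NIC deliberately carries no `defaultrouter`, so the FreeNAS box has no path from that subnet towards the WAN; blocking the 10.20.20.0/24 subnet at the firewall, as described in the post above, is still needed for the cameras themselves.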