Port Translation in FreeNAS

Status
Not open for further replies.

Leroy_Weber

Dabbler
Joined
Feb 13, 2016
Messages
13
I have a problem that someone may be able to help me with. My issue seems so simple but a search of the FreeNAS docs, forum and Google has proved fruitless.

I have a jail set up and working to serve up my OwnCloud Server. IP of Jail 192.168.1.101
I have a jail set up and working to serve up my Plex Media Server. IP of Jail 192.168.1.102

Plex Media Server works perfectly, both WAN and LAN, because Plex Media Server set itself up as:
LAN 192.168.1.102:32400
WAN 24.201.xxx.xxx:32400
So, I set a port forwarder up in the WAN router to forward all traffic from 24.201.xxx.xxx:32400 to the Jail at 192.168.1.102. Wow! Everything works great!

Now, for the problem. The OwnCloud Jail is LAN 192.168.1.101. As far as I know, OwnCloud has no specified port. So... I cannot port forward to it. As long as I am inside (on the LAN) I can get to OwnCloud by going to the Jail address (192.168.1.101). It works great. But... I have had to do some tricky stuff to get access to the OwnCloud from the WAN. Here is what I did that worked:

I set a port address translation for UDP and TCP to have port 10000 translate to port 80 and send the port 80 traffic to 192.168.1.101. So now I can access my OwnCloud server from the WAN by typing "http://24.201.xxx.xxx:10000". The router sees the request for port 10000, converts the traffic to port 80 traffic (what the OwnCloud server is expecting) and works perfectly.

However, I cannot set my domain name "cloud.mydomainname.com" to function because you cannot specify a port number when asking for a domain name to come up.

Does FreeNAS have a way of doing Port Translation? Remember, I'm NOT looking for Port Forwarding. Port forwarding would not work in this case. It must be Port Translation.

Second Issue: my server has 6 discrete NICs in it. I would like to have my OwnCloud accessible from the WAN by setting up one of the unused NICs to have a static IP (I have 75 static IPs I can use). So even though I set up a new network interface with the static IP 24.201.xxx.xx5 (and the IP can be pinged from a WAN connection) I cannot figure out how to make the outside NIC 24.201.xxx.xx5 connect to the LAN address of the Jail 192.168.1.101.
Any help would be appreciated.

Thanks,
Leroy
 

adamgoldberg

Explorer
Joined
Dec 12, 2015
Messages
60
> However, I cannot set my domain name "cloud.mydomainname.com" to function because you cannot specify a port number when asking for a domain name to come up.
Are you saying you can't set up your DNS entries so that entering "http://cloud.mydomain.com" ends up at "http://cloud2.mydomain.com:10000"? If so, you might want to look at DynDNS "webhop".
If that's not what you're saying, please elaborate.

On your second question, why is this not just port forwarding on your firewall (24.201.xxx.xx5:80 -> 192.168.1.101:80)?
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
> Now, for the problem. The OwnCloud Jail is LAN 192.168.1.101. As far as I know, OwnCloud has no specified port. So... I cannot port forward to it. As long as I am inside (on the LAN) I can get to OwnCloud by going to the Jail address (192.168.1.101). It works great. But... I have had to do some tricky stuff to get access to the OwnCloud from the WAN. Here is what I did that worked:
>
> I set a port address translation for UDP and TCP to have port 10000 translate to port 80 and send the port 80 traffic to 192.168.1.101. So now I can access my OwnCloud server from the WAN by typing "http://24.201.xxx.xxx:10000". The router sees the request for port 10000, converts the traffic to port 80 traffic (what the OwnCloud server is expecting) and works perfectly.

This makes no sense. Most of the guides for OwnCloud that I've seen talk about forwarding port 80 or 443. What makes you think that won't work? Where does port 10000 come from?

> Second Issue: my server has 6 discrete NICs in it. I would like to have my OwnCloud accessible from the WAN by setting up one of the unused NICs to have a static IP (I have 75 static IPs I can use). So even though I set up a new network interface with the static IP 24.201.xxx.xx5 (and the IP can be pinged from a WAN connection) I cannot figure out how to make the outside NIC 24.201.xxx.xx5 connect to the LAN address of the Jail 192.168.1.101.
You are talking about 2 different things here, I think. First is straight forwarding on your router. Just forward 24.201.xxx.xx5:80 to 192.168.1.101:80. The second sounds like you want to use a different physical NIC for your Jail. Is that correct? I've seen a couple posts about it, but I'm not sure if that is possible.
 

adamgoldberg

Explorer
Joined
Dec 12, 2015
Messages
60
> This makes no sense. Most of the guides for OwnCloud that I've seen talk about forwarding port 80 or 443. What makes you think that won't work? Where does port 10000 come from?
He's wanting to use a non-standard port for access, and using the port mapping to allow that to happen without changing OwnCloud. That seems fine.

> sounds like you want to use a different physical NIC for your Jail
Not sure he needs to do this, though. One NIC would be fine on the FreeNAS, and the NAT device (firewall, presumably) might have multiple IPs on one WAN-facing NIC, or might have 3 or more NICs. Either way, it seems like a NAT config, not a FreeNAS one.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
> as far as I know, OwnCloud has no specified port.
This was the key part of what I didn't understand, as it related to the rest of the message.

> Remember, I'm NOT looking for Port Forwarding. Port forwarding would not work in this case. It must be Port Translation
And Port Translation is the same thing as Port Forwarding, except the source and destination ports are different. This is handled by your router/firewall.
 

Leroy_Weber

Dabbler
Joined
Feb 13, 2016
Messages
13
> This was the key part of what I didn't understand, as it related to the rest of the message.

> And Port Translation is the same thing as Port Forwarding, except the source and destination ports are different. This is handled by your router/firewall.

Thanks depasseg, port forwarding is exactly the same as port translation with the notable exception that you can have the router forward a PORT to a different port. You see, the jail wants to have traffic on port 80. But at the WAN IP port 80 is the FreeNAS server, the OwnCloud server, and the Router. So, if you simply go to http://24.201.xxx.xxx (port 80 is implied anytime you don't specify a port) who knows what device will pop up! So, we choose different ports. Say 8181 for the FreeNAS Server or 8080 for the Router. If that is the case, going to 24.201.xxx.xxx:8080 will pull up the router. Well, the problem with Jails is that they also want to respond to port 80 traffic. So if you use port forwarding and set port 10000 to forward to your OwnCloud server (24.155.xxx.xxx:10000) the Jail will NOT respond because it is looking for port 80 traffic NOT port 10000 traffic. However, if you use the router's port translation and translate port 10000 to port 80 (again, what the Jail wants) you can then go to http://24.201.xxx.xxx:10000 and even though you got to the router at the proper address the router will then convert all traffic to port 80 because of the port translation. This works properly. It seems messy.
So..... I am asking a specific question here. Can I get a Jail to respond at a different port number (like the plex server does) or is there a method for doing this another way?
 

adamgoldberg

Explorer
Joined
Dec 12, 2015
Messages
60
> However, if you use the router's port translation and translate port 10000 to port 80 (again, what the Jail wants) you can then go to http://24.201.xxx.xxx:10000 and even though you got to the router at the proper address the router will then convert all traffic to port 80 because of the port translation. This works properly. It seems messy.
With some firewalls, e.g., Sophos UTM, you can trigger translation based on the FQDN (so you could have server1.cloud.net -> 192.168.0.1:80, and server2.cloud.net -> 192.168.0.2:80). That's maybe the most elegant solution unless you're using port 10000 as a security/obscurity measure.

The configuration of the NAT translation seems probably much easier than reconfiguring OwnCloud to listen to a weird port.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
I completely understand the situation. I think you missed the part where I said "except the source and destination ports are different."

> So..... I am asking a specific question here. Can I get a Jail to respond at a different port number (like the plex server does) or is there a method for doing this another way?

The port usage isn't jail specific. It's handled by OwnCloud, so I would look in that direction.

And you have 75 IP addresses. Just pick one for OwnCloud and forward traffic to that public IP & port 80 to your internal OwnCloud IP and port 80.
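
The mechanisms discussed in this thread (router port translation, a dedicated public IP forwarded on port 80, and FQDN-triggered translation) modelled as an added Python example that is not part of any post and not FreeNAS or OwnCloud code. The 203.0.113.x addresses stand in for the masked WAN IPs, and the names `dnat` and `route_by_host` are assumptions made for the illustration.

```python
# Added illustration, not code from the thread. Addresses are constructed:
# 203.0.113.x (documentation range) stands in for the masked 24.201.xxx.xxx
# WAN IPs; the LAN IPs and the hostname are the ones quoted in the posts.
WAN_IP = "203.0.113.10"        # shared public IP (assumed)
DEDICATED_IP = "203.0.113.15"  # one of the spare static IPs (assumed)

# Destination-NAT table: (proto, public ip, public port) -> (lan ip, lan port)
DNAT_RULES = {
    ("tcp", WAN_IP, 32400): ("192.168.1.102", 32400),  # Plex: same port in and out
    ("tcp", WAN_IP, 10000): ("192.168.1.101", 80),     # OwnCloud: 10000 rewritten to 80
    ("tcp", DEDICATED_IP, 80): ("192.168.1.101", 80),  # OwnCloud on its own public IP
}


def dnat(proto, dst_ip, dst_port):
    """Return the rewritten (ip, port), or None when no rule matches (dropped)."""
    return DNAT_RULES.get((proto, dst_ip, dst_port))


# Name-based routing: a reverse proxy listening on port 80 picks the backend
# from the HTTP Host header, so the public URL needs no port number.
VHOSTS = {"cloud.mydomainname.com": ("192.168.1.101", 80)}


def route_by_host(host_header):
    """Return the backend for a Host header, or None for unknown names."""
    if not host_header:
        return None
    # Normalise: case-insensitive, optional ":port" suffix, optional trailing dot.
    name = host_header.strip().lower().split(":", 1)[0].rstrip(".")
    return VHOSTS.get(name)


if __name__ == "__main__":
    print(dnat("tcp", WAN_IP, 10000))                  # translated to the jail on port 80
    print(dnat("udp", WAN_IP, 10000))                  # no UDP rule: dropped
    print(dnat("tcp", WAN_IP, 80))                     # port 80 on the shared IP is not exposed
    print(route_by_host("Cloud.MyDomainName.com:80"))  # known name: routed to the jail
    print(route_by_host("203.0.113.10"))               # bare IP: no backend selected
```

Only TCP is mapped because plain HTTP on port 80 runs over TCP, and a packet or hostname without a matching entry gets no backend instead of falling through to a default one.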
 