madtulip (Explorer; joined Mar 28, 2015; 64 messages)
Thanks for reading :).
noobs configuring electronics part 14:
I got a "webserver" jail running with a FAMP stack and I'd like to separate it from my LAN in case somebody breaks in. Even more so since I read that the main system on the jails is not updated as FreeNAS's OS is updated. So I thought I could use the 2nd NIC "igb1" of my very-close-to-FreeNAS-Mini box and plug it into a port of a vlan2 while I keep the rest of my home network on vlan1. I would then want to use igb1 only for the "webserver" jail. I'm not sure if the way I plan to implement this is the right one, so I thought I'd ask before diving into it.
There is the router 192.168.0.1 and it can not have multiple IP addresses. So I can not set up the 2nd NIC using the GUI to be on a different network like 192.168.1.XXX, as that would not be on the same network as the router. I connect that to switch port fa0/1 which is in trunking mode for vlan 1-2.
I connect igb0 (home network and FreeNAS) to switch port fa0/2 which is in vlan1.
I connect igb1 (server's 2nd NIC for "webserver" jail) to switch port fa0/3 which is in vlan2.
From ifconfig on the FreeNAS I got that there is currently:
Code:
% NIC for home LAN
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether XX:XX:XX:XX:XX:X
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
% NIC for webserver
igb1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
        ether YY:YY:YY:YY:YY:YY
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
% Bridge between igb0 and all epairs of all jails
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
        nd6 options=1<PERFORMNUD>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 2000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
% epairs to jails
% epair0a connects to some intranet jail like a media player
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether AA:AA:AA:AA:AA:AA
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
% epair1a connects to "webserver" jail
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether BB:BB:BB:BB:BB:BB
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
So the idea is to create bridge1 connecting igb1 and epair1a and to remove epair1a from bridge0, so it would look like this:
Code:
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
        nd6 options=1<PERFORMNUD>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether WW:WW:WW:WW:WW:WW
        nd6 options=1<PERFORMNUD>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
I would not assign an IP address to igb1 (as above), as that's on the vlan2 and the main FreeNAS system which I do not want to expose.
Is that a possible configuration or am I doing something categorically wrong? Is it possible to not assign an IP to igb1 so that FreeNAS is not accessible from vlan2? Is that sufficient to exclude someone with root access on "webserver" from vlan1?
I expected bridge0 to be created in /etc/rc.conf but found that FreeNAS seems to initialize the interfaces from /etc/rc.conf.local using the _interface_config() function by importing the settings for the network adapters from somewhere (probably the whole GUI thing). I probably don't want to mess with that file, so I would execute a script after /etc/rc.conf.local loads in order to disconnect epair1a from bridge0, create bridge1 and attach epair1 to bridge1?
I'm sorry if the questions seem noobish. It's garage-level fiddling around with stuff and I'd just like to get some feedback before I even start tampering with the root FreeNAS system. Thanks!
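As an added example (not the poster's script and not anything shipped with FreeNAS), here is the re-bridging step from the post written out as a FreeBSD sh script, together with a check that reads ifconfig output and confirms the end state the post is after: epair1a off bridge0, igb1 and epair1a on bridge1, and no IP address on igb1 or bridge1. The interface names are the ones from the post; the DRY_RUN switch, the function names and the two abbreviated SAMPLE_* ifconfig dumps are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example for the bridging plan in the post above; not FreeNAS code and
# not the poster's own script. Interface names are the ones from the post;
# DRY_RUN, the function names and the two SAMPLE_* strings are assumptions.
# DRY_RUN=1 (default) prints the ifconfig(8) commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"
LAN_BRIDGE="bridge0"    # FreeNAS-managed bridge on igb0 (home LAN, vlan1)
JAIL_BRIDGE="bridge1"   # new bridge for the second NIC (vlan2)
JAIL_NIC="igb1"         # second NIC; must never get an IP address
JAIL_EPAIR="epair1a"    # host side of the "webserver" jail's epair

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Detach the jail's epair from bridge0, create bridge1, attach igb1 and epair1a.
# igb1 is brought UP explicitly: the post's ifconfig output shows it without
# the UP flag, and a bridge member that is down forwards nothing.
rebridge() {
    run ifconfig "$LAN_BRIDGE" deletem "$JAIL_EPAIR"
    run ifconfig "$JAIL_BRIDGE" create
    run ifconfig "$JAIL_NIC" up
    run ifconfig "$JAIL_BRIDGE" addm "$JAIL_NIC" addm "$JAIL_EPAIR" up
}

# Read ifconfig(8) output on stdin; print the bridge members of interface $1.
members_of() {
    awk -v ifn="$1" '
        /^[a-z0-9]+:/ { cur = $1; sub(":", "", cur) }
        cur == ifn && $1 == "member:" { print $2 }'
}

# Read ifconfig(8) output on stdin; print 1 if interface $1 carries any inet or
# inet6 address (link-local included), else 0.
has_ip() {
    awk -v ifn="$1" '
        /^[a-z0-9]+:/ { cur = $1; sub(":", "", cur) }
        cur == ifn && ($1 == "inet" || $1 == "inet6") { found = 1 }
        END { print (found ? 1 : 0) }'
}

# Verify the target state from ifconfig output on stdin: epair1a off bridge0,
# igb1 and epair1a on bridge1, no address on igb1 or bridge1. Prints "ok" and
# returns 0 on success; otherwise one FAIL line per problem and returns 1.
check_state() {
    out="$(cat)"
    status=0
    if printf '%s\n' "$out" | members_of "$LAN_BRIDGE" | grep -qx "$JAIL_EPAIR"; then
        echo "FAIL: $JAIL_EPAIR is still a member of $LAN_BRIDGE"; status=1
    fi
    for m in "$JAIL_NIC" "$JAIL_EPAIR"; do
        if ! printf '%s\n' "$out" | members_of "$JAIL_BRIDGE" | grep -qx "$m"; then
            echo "FAIL: $m is not a member of $JAIL_BRIDGE"; status=1
        fi
    done
    for i in "$JAIL_NIC" "$JAIL_BRIDGE"; do
        if [ "$(printf '%s\n' "$out" | has_ip "$i")" = 1 ]; then
            echo "FAIL: $i has an IP address configured"; status=1
        fi
    done
    if [ "$status" = 0 ]; then echo ok; fi
    return "$status"
}

# Constructed, abbreviated ifconfig output: the current state from the post ...
SAMPLE_BEFORE='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
igb1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:02
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
# ... and the state the script is meant to produce.
SAMPLE_AFTER='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:02
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# "sh rebridge.sh plan" prints the commands and checks the constructed sample;
# "sh rebridge.sh apply" runs them on the host and checks the live state.
case "${1:-}" in
    plan)  rebridge; printf '%s\n' "$SAMPLE_AFTER" | check_state ;;
    apply) DRY_RUN=0; rebridge; ifconfig | check_state ;;
esac
```

Try it with the default DRY_RUN=1 first; it only prints the four ifconfig commands. Two caveats for the question about running it after /etc/rc.conf.local: epair1a exists only while the jail is running, and FreeNAS's jail startup attaches it to bridge0 again, so the script has to run after the jail is up and again after any jail restart (a post-init script is the usual hook, but verify the ordering on your own system). Leaving igb1 and bridge1 without addresses keeps the FreeNAS host unreachable at the IP level from vlan2; it does not stop root inside the jail from sniffing everything else on vlan2 through its side of the epair, so keep that VLAN for the webserver only.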