Static Routes

Status
Not open for further replies.

SilverJS

Patron
Joined
Jun 28, 2011
Messages
255
Two questions, actually :

1. Manual says that it's recommended to set up a static route between FreeNAS and the Internet, and not just to blindly plug in gateway addresses. I've tried to search (the wider Internet mostly) to find out what a static route is, and seems to be it's pretty much as the name implies. But, if it's better for security, I'd rather do that - but from what I can see, there's only two components to the static route : the gateway, and the "Destination Network". What exactly is the latter?

2. I'll be setting up a pfSense install soon, and will use it to make DHCP reservations to most of the hardware boxes on my network - save the FreeNAS boxes. I was under the understanding most people did full-up static IP's on their interfaces, and that's how I've got it setup. From my research, there doesn't seem to be much of a preferred method between the two for the actual servers - if I could manage everything centrally in pfSense, I'd rather do that, but is there a downfall to this?

Cheers!
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
1. Manual says that it's recommended to set up a static route between FreeNAS and the Internet, and not just to blindly plug in gateway addresses.

What? Where does it say that? You still need a gateway IP address in order to use a static route. I am not sure what exactly you are referring to.

2. I'll be setting up a pfSense install soon, and will use it to make DHCP reservations to most of the hardware boxes on my network - save the FreeNAS boxes. I was under the understanding most people did full-up static IP's on their interfaces, and that's how I've got it setup. From my research, there doesn't seem to be much of a preferred method between the two for the actual servers - if I could manage everything centrally in pfSense, I'd rather do that, but is there a downfall to this?

Cheers!
The downfall being if your pfsense box and freenas box are rebooting at the same time. I actually had DHCP service die on my domain controller a couple of weeks ago and I couldn't figure out why my machines were not getting IP addresses.



Note

In many cases, a FreeNAS® configuration does not include default gateway information as a way to make it more difficult for a remote attacker to communicate with the server. While this is a reasonable precaution, such a configuration does not restrict inbound traffic from sources within the local network. However, omitting a default gateway will prevent the FreeNAS® system from communicating with DNS servers, time servers, and mail servers that are located outside of the local network. In this case, it is recommended to add Static Routes in order to reach external DNS, NTP, and mail servers which are configured with static IP addresses. If you add a gateway to the Internet, make sure that the FreeNAS® system is protected by a properly configured firewall.

It says *IF* you don't put a default gateway. The static routes would be used to direct specific traffic to specific servers for those functions.

Put a firewall in place (hell your standard consumer router device is sufficient for a standard home user), and call it a day. If you don't understand the network, don't futz with it.
 

SilverJS

Patron
Joined
Jun 28, 2011
Messages
255
The downfall being if your pfsense box and freenas box are rebooting at the same time. I actually had DHCP service die on my domain controller a couple of weeks ago and I couldn't figure out why my machines were not getting IP addresses.

Right. But, from what I've seen so far, there's a fart's chance in a cyclone the FreeNAS box would be done rebooting before the pfSense one. =) But, in any case, I had indeed thought of that. I guess there's probably nothing wrong with sticking to static IP's on the FreeNAS boxes themselves.


It says *IF* you don't put a default gateway. The static routes would be used to direct specific traffic to specific servers for those functions. Put a firewall in place (hell your standard consumer router device is sufficient for a standard home user), and call it a day. If you don't understand the network, don't futz with it.

OK, you're right - upon second reading, it's apparent I had misread that. Thanks for clarifying.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
You can easily do both static IPs and DHCP reservations for the server's interface. Saves you time if one of the endpoints is replaced and allows for a more calm transition into the new setup.

...Just don't make them conflicting.
 

SilverJS

Patron
Joined
Jun 28, 2011
Messages
255
I had actually thought about that. For the servers, maybe two layers of (yes, non-conflicting! lol) IP address assignment. I'll do that.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
What? Where does it say that? You still need a gateway IP address in order to use a static route. I am not sure what exactly you are referring to.

False. You can absolutely have static routes without a gateway IP address. The default route (gateway, whatever) is actually a specialized static route.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
False. You can absolutely have static routes without a gateway IP address. The default route (gateway, whatever) is actually a specialized static route.
Well, that's weird, because the FreeNAS GUI calls for a GATEWAY while setting up a static route. Whatever machine you point it to becomes the gateway, right? So then it's a gateway?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Well, that's weird, because the FreeNAS GUI calls for a GATEWAY while setting up a static route. Whatever machine you point it to becomes the gateway, right? So then it's a gateway?

No. Context matters. The default gateway is the IP address of the router on the local subnet that all nonlocal traffic will be passed to. It's a special case static route. However, you can add additional static routes for other nonlocal traffic (such as another subnet). For each additional static route, you also need a gateway address, which is, again, the IP address of the router on the local subnet that such traffic will be passed to. But in the context of the OP's original question, we were really talking about the default route gateway, because he's talking about "between FreeNAS and the Internet." Gateway is also a poor term because it has been twisted to mean a variety of somewhat-bad things; a better term is "next hop".

The default route is actually just a static route for 0.0.0.0/0 with an appropriate nexthop. The nexthop is typically the NAT gateway device that connects you to the Internet, though on a real network it's probably an actual IP router.

Packets like to have a place to go but you can define more routes if needed. You don't even need a default route, you could just have specific statics.

For example, if your NAS is on 10.1.1.100/24 and you have a router at 10.1.1.1 that provides NAT connectivity to the Internet, and a router at 10.1.1.2 that provides routed connectivity to 10.1.2.0/24, you would want a default route with nexthop of 10.1.1.1 and an additional static route added for 10.1.2.0/24 with a nexthop of 10.1.1.2. This configuration tells the kernel that any traffic on 10.1.1.0/24 is to be delivered directly (implicitly from the network interface configuration), any packets to 10.1.2.0/24 to be sent to 10.1.1.2, and everything else to 10.1.1.1.

So, this is a horribly bad statement:

Whatever machine you point it to becomes the gateway, right? So then it's a gateway?

A networking expert would say that both of those are true, because he'd expect the first sentence there means "Whatever machine you point it to becomes the gateway for traffic to that specific subnet, right?"

The average non-networking person will be confused by "becomes the gateway" because in their mind they don't really understand routing and the "gateway" is the magic address ending in .1 that they always have to add or else "things no work." They'll be assuming it "becomes the gateway for all traffic" or some other variation of misunderstanding.
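
Added example, not part of any post in this thread: a small longest-prefix-match lookup over the routing table described in the post above, next to a variant with no default route as in the manual's note. The address 203.0.113.10 for an external NTP server is constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

def build_table(routes):
    """routes: list of (destination CIDR, next hop); next hop None = directly connected."""
    table = [(ipaddress.ip_network(dst), hop) for dst, hop in routes]
    connected = [net for net, hop in table if hop is None]
    for net, hop in table:
        # A next hop must itself sit on a directly connected subnet,
        # otherwise the kernel has no way to deliver the packet to it.
        if hop is not None and not any(ipaddress.ip_address(hop) in c for c in connected):
            raise ValueError(f"next hop {hop} for {net} is not on a connected network")
    return table

def lookup(table, dest):
    """Return 'direct', the next-hop address, or None when no route matches."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None  # "no route to host"
    # The most specific (longest) prefix wins; 0.0.0.0/0 matches everything
    # but has prefix length 0, so it is only used as a last resort.
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return "direct" if hop is None else hop

# Table from the post: NAS at 10.1.1.100/24, two routers on the local subnet.
WITH_DEFAULT = build_table([
    ("10.1.1.0/24", None),        # implicit, from the interface configuration
    ("10.1.2.0/24", "10.1.1.2"),  # additional static route
    ("0.0.0.0/0", "10.1.1.1"),    # default route = static route for everything else
])

# Variant per the manual's note: no default route, one host route to an
# external NTP server (constructed address).
NO_DEFAULT = build_table([
    ("10.1.1.0/24", None),
    ("10.1.2.0/24", "10.1.1.2"),
    ("203.0.113.10/32", "10.1.1.1"),
])

if __name__ == "__main__":
    for name, table in (("with default", WITH_DEFAULT), ("no default", NO_DEFAULT)):
        for dest in ("10.1.1.50", "10.1.2.7", "203.0.113.10", "198.51.100.5"):
            print(f"{name:13} {dest:14} -> {lookup(table, dest)}")
```

In the second table the NAS cannot send a reply to any off-net address other than 203.0.113.10, while hosts on 10.1.1.0/24 and 10.1.2.0/24 reach it exactly as before.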
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
But I never stated 'Default Gateway'. I said a gateway.

FWIW, I agree that the lingo should be used as 'next-hop' in the FreeNAS GUI
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
But I never stated 'Default Gateway'. I said a gateway.

Yes, but we need to be clear and unconfusing when discussing things in the forum. This is the networking equivalent of saying "RAID" or something else equally vague. "A gateway" will be taken by most non-networking folks the wrong way, etc.
 

SilverJS

Patron
Joined
Jun 28, 2011
Messages
255
Thanks all. I've been reading up a fair bit on networking recently, with the upcoming pfSense install - and I totally understand now how a static route could be used - at least, in jgreco's example. I'm sure there's tons of other ways to use them I'm not cognizant of, but it's a start. =)
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Here's my example...

My home router is 192.168.0.1. It's a pfsense box. My DHCP tells all machines that the gateway for my network is 192.168.0.1.

Now, internal to my pfsense box, it has several gateways. I have a point-to-point VPN to a friend's network, so any traffic that comes in that goes to the 192.168.1.x subnet is automatically routed through the VPN tunnel. All other traffic goes out to the internet. In essence, my routing table has 2 entries, one for 192.168.1.x, and one for "everything else" (aka the default gateway for my router). The default gateway for my router is....... wait for it.. my cablemodem! Who'd have thunk it!?

Make more sense with a working example?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Well, moving upstream, there's always many routes. That's what makes the Internet work. You still only have a single gateway on your 192.168.0.0/24 network, so I'd say my 10net example above was a better example of how you might have multiple gateways on a single network. With devices like the EdgeRouter-X becoming incredibly cheap, it may actually be practical for home users to build decent networks...

Static routes are simply administrator-configured routes. In most networks, routing information is actually learned through an interior gateway protocol, so that you only configure the interface and IGP, connect it up, and it learns all the necessary routes for proper operation. This poses a bit of a problem for a NAS that lacks the IGP, as it becomes dependent on the default gateway to issue ICMP redirects to maintain the nexthop for a given destination. It is kind of too bad that FreeNAS doesn't support IGP's, but then again, many appliances don't.

One hop up from your cable modem, your service provider's aggregation router probably has a much more complex routing table, as the goal becomes to get traffic to the correct core router without excessive hops. A router with full routes will have hundreds of thousands of routes, actively being updated by the IGP and EGP's.
 