Suggested Usage of Multiple Routers

Status
Not open for further replies.
Joined
Mar 20, 2015
Messages
6
Hi

Further to this thread , I have decided to buy a second router for my home network.

Currently, I have one commercial grade router provided by my broadband supplier. It's quite good and has an OK firewall, but it lacks some of the features I need - most notably, concise IP address filtering/blocking/banning. Internally, it is the default gateway and all internal traffic routes through it. I need to SSH to my FreeNAS from outside my internal network occasionally, as well as from inside it.

I will soon have a D-Link router (again, fairly consumer level) that I intend to install DD-WRT on (having used that before some years ago) which will give me these more advanced filtering and blocking features.

However, I have a question based on my options.

I could put the current router into "modem mode" and connect the D-Link to it as the routing device, meaning I discard the capabilities of the first router in favour of the second (the first therefore just provides the high speed connection). All my internal devices would then connect to the D-Link router instead (including my FreeNAS server) and go Internet bound over the modem mode of the original. So my network topology would remain the same but I get some additional features for the safety of the FreeNAS.

Or, I could leave the first router in place for all my other devices EXCEPT the FreeNAS and configure the D-Link specifically for my FreeNAS system. In other words, traffic arrives at my first router and anything for FreeNAS gets routed to the D-Link router, where any IP address filtering/blocking/banning etc. can take place before any legitimate traffic is sent onward to FreeNAS. This has the effect of isolating the rest of my network, meaning they are all protected as they are now (with no public facing open ports), but I can still communicate with the FreeNAS from my internal machines via the two routers.

To me, the second option seems the most preferable, but it is also more complicated and I have little experience of such configurations.

So my question is which option would you go with, and are there any fairly simple how-to guides for this configuration? To simplify this rather long-winded explanation I have created two diagrams:

Diagram A shows my current setup and Diagram B shows my proposed second option. From the diagram, does it look like I am on the right lines or is it all a bad idea? I want to keep things simple but equally I want to ensure that my FreeNAS and network system is protected once I allow SSH connections to the FreeNAS from the outside world.

Diagram A: [image: unnamed0.jpg]

Diagram B: [image: unnamed1.jpg]

survive

Behold the Wumpus
Moderator
Joined
May 28, 2011
Messages
875
Hi Gizmo,

Personally I would just look for a router that supports OpenVPN. That way you can connect "home" & access all your systems securely.

-Will
 
Joined
Mar 20, 2015
Messages
6
I do have a subscription to PureVPN but I wasn't sure how to set it up with FreeNAS etc. But I think the idea above, if successful, will be a more suitable long term plan?
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Putting your FreeNAS on an entirely different subnet (your option 2) will make it a big hassle for the clients on your network, and you are double-NATing your FreeNAS 'network'. Keep it simple. Use ONE router and configure your firewall properly.
 
Joined
Mar 20, 2015
Messages
6
Actually, I have just read several threads like this one and others, all of which say "FreeNAS should not be directly exposed to the Internet". So I want to check I'm not misunderstanding. By having a router that is firewalled, and then my FreeNAS box and my other systems behind it, with the exception of port forwarding for SSH to a non-default port being sent to my FreeNAS, does that constitute "exposing FreeNAS directly to the Internet"? Because if it does, then are we saying every FreeNAS server must have yet another hardware box acting as a firewall, and then the default gateway that is also firewalled? Because if we are, then in my mind that rather defeats some of the object of FreeNAS. Whilst I know many people only ever use it for internal file storage and sharing, surely there are many who need to access it remotely when afar?
 

Tywin

Contributor
Joined
Sep 19, 2014
Messages
163
Actually, I have just read several threads like this one and others, all of which say "FreeNAS should not be directly exposed to the Internet". So I want to check I'm not misunderstanding. By having a router that is firewalled, and then my FreeNAS box and my other systems behind it, with the exception of port forwarding for SSH to a non-default port being sent to my FreeNAS, does that constitute "exposing FreeNAS directly to the Internet"? Because if it does, then are we saying every FreeNAS server must have yet another hardware box acting as a firewall, and then the default gateway that is also firewalled? Because if we are, then in my mind that rather defeats some of the object of FreeNAS. Whilst I know many people only ever use it for internal file storage and sharing, surely there are many who need to access it remotely when afar?

Generally speaking, a box is not "directly exposed to the Internet" if it is sitting behind a (quality) firewall.

Opening a port to a box exposes that one particular port on the box to the internet. This increases the attack surface, but in the case of SSH this is not entirely unreasonable. SSH's attack surface is fairly small and fairly well tested, but you are slightly increasing the security risk. I personally have no qualms about opening an SSH port to the Internet, as long as it is protected by strong passwords/keys, but this is a decision only you can make.

As for adding more and more firewalls between your box and the Internet, your security is only going to be as strong as the strongest firewall. So just use that one firewall and be done with it, unless you need to segregate parts of your internal LAN (which is a much larger discussion). Incidentally, if you are forwarding a port all the way down the chain of firewalls from the Internet to the box, it doesn't matter how many firewalls it goes through, that one port is still exposed to the Internet.

If you want to be able to access a service remotely, you need to let it through your firewall, period, and that's going to increase your attack surface.

As I mentioned, I am OK with exposing SSH, but that's about it. As soon as you get into wanting to expose multiple or less secure services, you're better off going with a VPN solution. Open that one port to your VPN server, connect to that remotely, and voila, you have access to everything behind your firewall. Again, you are slightly increasing your attack surface, but OpenVPN is pretty secure these days.
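The reply above hinges on three settings being right on the NAS before the SSH port is forwarded: password logins off in favour of keys, root unable to log in, and sshd listening on the port the router actually forwards. Below is an added example (not code from this thread or from FreeNAS) that parses an sshd_config the way sshd reads it and reports anything short of that. The two configs are constructed for illustration, and the DEFAULTS table is an assumption about a modern OpenSSH build; on a real box, feed it the output of `sshd -T`, which prints every effective value explicitly.

```python
"""Audit an sshd_config for key-only, non-root access on the forwarded port.

Added example, not from the original thread or from FreeNAS. The sample
configs are constructed; point parse_sshd_config() at a real
/etc/ssh/sshd_config (or the output of `sshd -T`) to audit a live box.
"""
import re

# ASSUMPTION: compiled-in defaults of a modern OpenSSH (7.x and later).
# Older builds differ (PermitRootLogin once defaulted to "yes"), which is
# why `sshd -T` is the safer input: it lists every effective value.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
DEFAULT_PORT = "22"

# Pre-8.7 spelling of KbdInteractiveAuthentication. Both must be "no", or a
# password can still be typed via the keyboard-interactive method.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed example: roughly what a stock config looks like.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed example: keys only from the Internet, passwords allowed on the
# LAN via a Match block (which the global audit must not misread).
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    sshd honours the *first* occurrence of most directives, accepts either
    "Key value" or "Key=value", and treats everything after a Match line as
    conditional, so those lines are skipped rather than misread as global.
    Port may be repeated (sshd listens on all of them), so it is collected
    under "ports" as a list.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key == "port":
            settings.setdefault("ports", []).append(value)
            continue
        settings.setdefault(ALIASES.get(key, key), value)
    return settings


def audit_sshd(settings, forwarded_port):
    """Return (directive, observed, required) for every setting that falls
    short of key-only, non-root access on the port the router forwards."""
    required = {
        "passwordauthentication": "no",
        "kbdinteractiveauthentication": "no",
        "permitrootlogin": "no",
        "pubkeyauthentication": "yes",
    }
    findings = []
    for key, want in required.items():
        observed = settings.get(key, DEFAULTS[key]).lower()
        if observed != want:
            findings.append((key, observed, want))
    ports = settings.get("ports", [DEFAULT_PORT])
    if str(forwarded_port) not in ports:
        findings.append(("port", ",".join(ports), str(forwarded_port)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd(parse_sshd_config(cfg), forwarded_port=2222)
        print(name, "->", "OK" if not result else result)
```

The Match block in the hardened sample is the case worth noticing: a grep for `PasswordAuthentication yes` would flag it, but sshd only applies that line to the LAN range, so the audit has to track Match boundaries to judge what the Internet-facing port actually gets.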
 
Joined
Mar 20, 2015
Messages
6
Excellent - thanks for the clarification.

My firewall is provided by way of DD-WRT firmware on the router (as of today it is, anyway!). So hopefully that will be good, because DD-WRT is pretty well regarded, isn't it? I was hoping to find more blocking/denying options in DD-WRT than I have found so far in the settings (i.e. block all IPs EXCEPT 123.456.789.000), but I am sure I will work it out.

It will only be SSH, yes. Merely for me to upload or download particular files while working away. I won't use port 22, and I don't use root. My passwords are good, but I realise keys are better. I'm working on that one.

So hopefully
 

Tywin

Contributor
Joined
Sep 19, 2014
Messages
163
I won't use port 22,

Can't hurt, just be aware that non-standard ports are "security through obscurity"; if someone does a port scan on you, and they care to try, it wouldn't take much to figure out port 48210 (or whatever) is a remapped SSH port.
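The point above, as an added example that is not part of the thread: an SSH server sends its identification string ("SSH-2.0-...") the moment the TCP connection opens, before the client says anything (RFC 4253, section 4.2), so a scanner that connects to each port and reads one line spots a remapped sshd as easily as one on 22. The script runs offline against a stand-in server on a random localhost port; that server and its banner are constructed for the demonstration, and the closed-port helper only assumes the OS will not hand the same ephemeral port back within milliseconds.

```python
"""Find SSH on any port by reading the server's own identification string.

Added example, not from the original thread. The stand-in server below is
constructed so the scan runs offline; real sshd instances behave the same.
"""
import socket
import threading

# Constructed banner for the stand-in server; real ones look much like this.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4 FreeBSD-20170903\r\n"


def identify_service(host, port, timeout=2.0):
    """Connect and read whatever the server volunteers first.

    Returns ("ssh", banner) for an SSH identification string, ("silent", b"")
    when the server waits for the client to speak first (HTTP, SMB, ...), or
    ("other", first_bytes) for any other unsolicited banner.
    Raises OSError when the port is closed or filtered.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(255)  # RFC 4253: the id string is at most 255 bytes
        except socket.timeout:
            return ("silent", b"")
    if data.startswith(b"SSH-"):
        return ("ssh", data.split(b"\n", 1)[0].rstrip(b"\r"))
    return ("other", data[:64])


def find_ssh(host, ports, timeout=1.0):
    """Return {port: banner} for every port that speaks SSH, whatever its number."""
    found = {}
    for port in ports:
        try:
            kind, banner = identify_service(host, port, timeout)
        except OSError:
            continue  # closed or filtered: nothing listening there
        if kind == "ssh":
            found[port] = banner.decode("ascii", errors="replace")
    return found


def start_fake_sshd(banner=FAKE_BANNER):
    """Stand-in for a real sshd on a random high port: send the banner, hang up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # 0 = let the OS pick an unused port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed, stop serving
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """A port that is (very likely) closed: bind, note the number, release it.
    ASSUMPTION: the OS does not reassign it before the scan connects."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener, ssh_port = start_fake_sshd()
    closed = free_port()
    print("scanning", [ssh_port, closed])
    print(find_ssh("127.0.0.1", [ssh_port, closed]))  # only ssh_port is reported
    listener.close()
```

Run it and the "remapped" port is named in the output together with the exact OpenSSH version string, which is also what tools like `nmap -sV` do at scale; the port number buys a little less log noise from mass scanners, not protection. The sensible countermeasures are the ones already named in the thread: keys instead of passwords, no root login, or a VPN in front.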
 