truenas in separated lan

ulrich_h (Cadet), joined Sep 30, 2021, 5 messages
Hello, I have 2 LANs connected to my router. LAN (A) for clients runs 192.168.1.0/24, LAN (B) for servers runs 192.168.9.0/24. The e-mail server's address is set to 192.168.9.99. I can reach it with a client set to 192.168.1.127. When I set my TrueNAS SCALE to 192.168.9.11 I can't reach it, neither the admin GUI nor the SMB shares.
My router is a LANCOM V800 business router. The firewall from LAN (A) to LAN (B) has all ports opened.
Can someone help me solve the problem?
 
Joined Dec 29, 2014, 1,135 messages
I doubt you will be happy with the performance if storage traffic goes through your firewall. Making a guess with limited information, I would suggest you have one NIC on the 192.168.9.0/24 network with a static IP for storage traffic, and then another NIC on the 192.168.1.0/24 network.
 

ulrich_h (Cadet), joined Sep 30, 2021, 5 messages
Hi Elliot, thank you for answering...
I started by setting one NIC (192.168.1.11) to the office LAN (A) and a second NIC (192.168.9.11) to the DMZ LAN (B). I can't reach the TrueNAS GUI at 192.168.9.11. When I bind Nextcloud to this address (192.168.9.11) I also can't reach NC. NC only works with the LAN (A) address of ...1.11. If I can successfully run the configuration above, that's my first choice.
 
Joined Dec 29, 2014, 1,135 messages
Are you serving NFS/iSCSI to the servers in 192.168.9.0/24? If the data heading towards Nextcloud is living on the FreeNAS, you could bind that and the GUI to 192.168.1.0/24. The 9/server network could be just for storage.
 

ulrich_h (Cadet), joined Sep 30, 2021, 5 messages
My desired configuration looks like this: bind the SMB/NFS services and the admin GUI to NIC 192.168.1.11 (office LAN 192.168.1.0/24), and bind Nextcloud/mail server in a Docker image to NIC 192.168.9.11 (DMZ 192.168.9.0/24), accessible from outside/the internet.
The office LAN configuration works pretty well. I can reach Nextcloud on 192.168.1.11:9009. When I change the Nextcloud address to 192.168.9.11:9009 the service is unavailable.
 
Joined Dec 29, 2014, 1,135 messages
> I can reach Nextcloud on 192.168.1.11:9009. When I change the Nextcloud address to 192.168.9.11:9009 the service is unavailable.

I don't think it will ever work if you source NC from 192.168.9. Your default route is on 192.168.1, so it will exit FreeNAS via that interface. The firewall has a directly connected interface on 192.168.9, so it would try to respond there. One side of the conversation would be on one interface, and the other on a different one. All of the firewalls I have worked with won't deal with that, at least not easily. The million dollar question to me is: if you have a solution that works, why are you trying to do it a different way that doesn't work?
 

ulrich_h (Cadet), joined Sep 30, 2021, 5 messages
I try to isolate all services (Nextcloud, e-mail) in a DMZ; that's for security reasons. Otherwise I have to open my private LAN for internet access.
 
Joined Dec 29, 2014, 1,135 messages
Not to be too snarky, but you are at cross purposes here. The snarky translation of what you said is that you want it locked down except when you don't. Snarkiness aside, you have a platform (FreeNAS) that has an interface in zones with different security postures. It is only going to be as secure as the zone with the lowest security posture. My statement about the routing also still stands. This will not work if your default gateway is via 192.168.1 but you source the traffic from 192.168.9. The firewall will block that because different sides of the conversation are being seen by different interfaces (aka asymmetric routing). You could perhaps make it work, but you would probably have to disable a lot of rules/features in the firewall, which would defeat its purpose.
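The asymmetric-routing point made in the last two replies can be checked mechanically. The following Python model is an added example, not code from the thread or from TrueNAS: it reproduces the dual-NIC host with a single default route on the office side, does the same longest-prefix lookup the kernel does for the reply, and compares the LAN the firewall delivers the request on with the LAN the reply comes back from. The gateway addresses (192.168.1.1 and 192.168.9.1), the interface names eth0/eth1, the internet client 203.0.113.5 and the per-source policy table at the end are all constructed assumptions; the policy table only illustrates what keeping both directions on the same firewall interface would require on the host side.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed topology based on the thread: TrueNAS has one NIC in each LAN,
# the router/firewall has a directly connected interface in both LANs and
# forwards between them. Router addresses (.1 in each LAN) are assumptions.
LANS = {
    "eth0": ipaddress.ip_network("192.168.1.0/24"),  # office LAN (A), TrueNAS 192.168.1.11
    "eth1": ipaddress.ip_network("192.168.9.0/24"),  # DMZ LAN (B), TrueNAS 192.168.9.11
}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    via: Optional[str] = None  # None means the prefix is directly connected


@dataclass(frozen=True)
class PolicyRule:
    """Source-address rule (what 'ip rule' does on Linux): packets sent
    FROM this address are routed with their own table instead of main."""
    src: ipaddress.IPv4Address
    table: Sequence[Route]


# The host's main table as the thread describes it: both LANs connected,
# a single default route via the office-side gateway (assumed 192.168.1.1).
MAIN_TABLE = (
    Route(LANS["eth0"], "eth0"),
    Route(LANS["eth1"], "eth1"),
    Route(DEFAULT, "eth0", via="192.168.1.1"),
)

# Hypothetical per-source table for the DMZ address, defaulting via the DMZ
# gateway (assumed 192.168.9.1). Illustration only; the thread did not set this up.
DMZ_TABLE = (
    Route(LANS["eth1"], "eth1"),
    Route(DEFAULT, "eth1", via="192.168.9.1"),
)
DMZ_RULES = (PolicyRule(ipaddress.ip_address("192.168.9.11"), DMZ_TABLE),)


def lookup(dst: ipaddress.IPv4Address, routes: Sequence[Route]) -> Route:
    """Longest-prefix match, as a kernel forwarding-table lookup does."""
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def host_egress(src: str, dst: str, rules: Sequence[PolicyRule] = ()) -> str:
    """Interface TrueNAS would send a packet from src to dst out of."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:  # policy rules are consulted before the main table
        if rule.src == src_ip:
            return lookup(dst_ip, rule.table).iface
    return lookup(dst_ip, MAIN_TABLE).iface


def firewall_lan(addr: str) -> str:
    """Inside interface the firewall delivers a packet on, given its destination."""
    ip = ipaddress.ip_address(addr)
    for iface, net in LANS.items():
        if ip in net:
            return iface
    return "wan"  # anything else leaves through the uplink


def conversation(client: str, service: str, rules: Sequence[PolicyRule] = ()) -> tuple:
    """(LAN the request is delivered on, LAN the reply comes back from), firewall's view."""
    request_lan = firewall_lan(service)              # firewall forwards the request to the service's LAN
    reply_lan = host_egress(service, client, rules)  # the host's own routing decides where the reply exits
    return request_lan, reply_lan


def is_asymmetric(client: str, service: str, rules: Sequence[PolicyRule] = ()) -> bool:
    """True when the firewall sees the two directions on different interfaces."""
    request_lan, reply_lan = conversation(client, service, rules)
    return request_lan != reply_lan


if __name__ == "__main__":
    # 203.0.113.5 is a constructed internet client from the documentation range.
    for client, service in [("203.0.113.5", "192.168.9.11"),
                            ("203.0.113.5", "192.168.1.11"),
                            ("192.168.1.127", "192.168.9.11")]:
        verdict = "asymmetric" if is_asymmetric(client, service) else "symmetric"
        print(f"{client} -> {service}: {conversation(client, service)} {verdict}")
    print("with DMZ policy route:", conversation("203.0.113.5", "192.168.9.11", DMZ_RULES))
```

Run as written, the model shows the failure the thread describes: a request to the DMZ address 192.168.9.11 is delivered on the DMZ interface, but the reply leaves TrueNAS through eth0 and reaches the firewall on the office interface, which is exactly the mismatch a stateful firewall drops. The same happens for an office client talking to 192.168.9.11, since the reply to 192.168.1.127 takes the directly connected eth0 route. Binding the service to 192.168.1.11 keeps both directions on one interface, which is why that configuration works; the policy table shows that a per-source default route on the host is what it would take to make the DMZ binding symmetric, at the cost of the single-platform-in-two-zones concern raised in the reply above.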
 