
Attaching an "outsourced" NAS

Anders_W
Posts: 34
Joined: 13 Sep 2011, 09:22

Attaching an "outsourced" NAS

Post by Anders_W »

Hi again!

Having struggled to get ZFS to work on the B3 - and eventually having to concede defeat, since the key software has not (yet) been developed for use on ARM machines - I am instead considering using an external NAS solution, but this brings another problem:

How does one get the Bubba to reroute incoming calls from users (whether from the LAN/WiFi or from the Net) to the NAS?

The NAS is for all intents and purposes just another computer sitting on the LAN, so surely there must be some 'hack' one can do in the Bubba to reroute the file requests (using whatever protocol) to the NAS? (I'm just a beginner at this, so I'm completely in the dark. My best guess is that one might be able to do something in IPtables, but that's just a guess.)
Nrde
Posts: 75
Joined: 17 Nov 2010, 06:41

Re: Attaching an "outsourced" NAS

Post by Nrde »

The outsourced NAS has its own name and address surely. Bubba doesn't play any part in accessing that NAS outside acting as a possible router for the network.
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Attaching an "outsourced" NAS

Post by Gordon »

Well, the firewall rules will of course be oriented towards the WAN port, but there's nothing keeping you from manually adding rules to DNAT internal traffic accessing specific service ports to another IP. This is in fact a common thing to do to allow LAN users to access locally hosted services (either in the same LAN or a DMZ) using the common internet name.
Anders_W
Posts: 34
Joined: 13 Sep 2011, 09:22

Re: Attaching an "outsourced" NAS

Post by Anders_W »

Yes, that's about what I wanted.

I'd like my laptop to access the NAS by connecting to, say, myname.b3.com, whether I'm using it at home or somewhere else.

When away, the connection would be made over the Internet, and the B3 would receive the connection request through the WAN-port and forward it to the NAS.

When at home, the request would come through the WiFi, and I would then like the B3 to send the request directly to the NAS, without first sending the call out onto the internet and then getting it back through Excito's DNS-service.

Anyone who knows how to accomplish this?
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Attaching an "outsourced" NAS

Post by Gordon »

A small example for a webserver that is behind the firewall

To rewrite the incoming packet add the following rule

Code:

iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d ${EXTERNAL_IP} \
  -p tcp --dport www -j DNAT --to ${WWW_SERVER}
For traffic coming in from the outside you'll also have to enable forward

Code:

iptables -A FORWARD -i eth0 -s 0.0.0.0/0 -d ${WWW_SERVER} \
  -p tcp --dport www -j ACCEPT
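The two rules above cover traffic arriving on the WAN port. The case asked for earlier in the thread, a laptop on the LAN that resolves myname.b3.com to the public address and should reach the NAS without leaving the network, needs a second DNAT rule matched on the LAN interface plus a POSTROUTING rule so that replies travel back through the B3 ("hairpin NAT"). The script below is an added example, not code from the forum post; every address, the LAN interface name eth1 and the port 445 are assumed placeholders. It prints the iptables commands by default and only applies them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the forum post): forward a NAS port through the B3
# for LAN clients (hairpin NAT) and, optionally, for WAN clients as well.
# All addresses and interface names below are assumed placeholders.

EXTERNAL_IP=${EXTERNAL_IP:-203.0.113.10}   # assumed public address of the B3 WAN port
NAS_IP=${NAS_IP:-192.168.10.20}            # assumed LAN address of the NAS
LAN_NET=${LAN_NET:-192.168.10.0/24}        # assumed LAN subnet behind the B3
WAN_IF=${WAN_IF:-eth0}                     # WAN interface, eth0 as in the post
LAN_IF=${LAN_IF:-eth1}                     # assumed LAN interface
# Dry run by default: print the commands instead of applying them.
# Run as root with IPT=iptables to apply.
IPT=${IPT:-echo iptables}

# forward_port PORT [wan]
# Emits the rules for one TCP service port. The WAN rule is only emitted
# when the second argument is "wan": file-sharing ports are best reached
# from outside through a VPN rather than exposed directly.
forward_port() {
    port=$1
    scope=${2:-lan}
    if [ "$scope" = wan ]; then
        # 1. WAN side: rewrite packets addressed to the public IP to the NAS
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$EXTERNAL_IP" \
            -p tcp --dport "$port" -j DNAT --to-destination "$NAS_IP"
    fi
    # 2. LAN side (hairpin): the same rewrite for LAN clients that resolve
    #    the name to the public address
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$EXTERNAL_IP" \
        -p tcp --dport "$port" -j DNAT --to-destination "$NAS_IP"
    # 3. Hairpin replies must come back through the B3. Without this rule
    #    the NAS answers the laptop directly from its own address; the laptop
    #    sees a reply from an IP it never contacted and drops it.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$NAS_IP" \
        -p tcp --dport "$port" -j MASQUERADE
    # 4. Let only this port through the filter table, plus its replies
    $IPT -A FORWARD -d "$NAS_IP" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -s "$NAS_IP" -p tcp --sport "$port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Dry-run usage: LAN-only forwarding of SMB (port 445) toward the NAS.
forward_port 445
```

Running the script without arguments prints four commands for LAN-only access; `forward_port 445 wan` adds the WAN-side DNAT rule as a fifth. The MASQUERADE rule is what distinguishes the hairpin case from plain port forwarding: for WAN clients the B3 is already on the reply path, for LAN clients it is not unless the source address is rewritten.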
Anders_W
Posts: 34
Joined: 13 Sep 2011, 09:22

Re: Attaching an "outsourced" NAS

Post by Anders_W »

Aha - thank You, very useful.

I will probably use SSH to tunnel into the network. Does that change the scripts/codes?
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Attaching an "outsourced" NAS

Post by Gordon »

Anders_W wrote:Aha - thank You, very useful.

I will probably use SSH to tunnel into the network. Does that change the scripts/codes?
Totally different ball game. Possibly dangerous one as well; you should at least restrict access to port 22 to addresses you trust.

More info and howto here

I'd suggest though that you look into using VPN instead.
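The advice above to restrict port 22 to trusted addresses can be expressed as a handful of INPUT rules. The script below is an added example, not from the forum post or the Excito wiki; the trusted networks are constructed placeholders. As with the forwarding rules, it prints the commands by default and applies them only when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the forum post): accept new SSH connections on the
# B3 only from listed source networks, log and drop the rest.
# The networks below are constructed placeholders.

TRUSTED=${TRUSTED:-"192.168.10.0/24 198.51.100.7/32"}   # assumed LAN + one remote host
IPT=${IPT:-echo iptables}   # dry run by default; IPT=iptables applies for real

ssh_rules() {
    # Packets belonging to sessions that were already accepted
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # New connections only from the trusted list
    for net in $TRUSTED; do
        $IPT -A INPUT -p tcp --dport 22 -s "$net" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Everything else aimed at port 22: log at a limited rate, then drop
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m limit --limit 5/min -j LOG --log-prefix "ssh-blocked: "
    $IPT -A INPUT -p tcp --dport 22 -j DROP
}

ssh_rules
```

The rate-limited LOG line before the DROP gives a record of rejected attempts in the kernel log without letting a scan fill the disk; it is the part worth keeping even if the trusted list is later replaced by a VPN.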
Anders_W
Posts: 34
Joined: 13 Sep 2011, 09:22

Re: Attaching an "outsourced" NAS

Post by Anders_W »

That was the plan. I've heard people who seem to know network security promote VPN through SSH.

Maybe I misunderstood them?

In the Wiki there is a tutorial for accessing the web through a vpn tunnel to the bubba, but not about how to get access to the bubba itself (and the LAN behind it) through VPN.
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Attaching an "outsourced" NAS

Post by Gordon »

Ah, okay...

Well there is a kind of cookbook on that subject on Debian Administration. I did a quick read and actually learned something new on the PermitRootLogin setting; a day well spent 8) Looks like this might work if you're not too picky about functionality. A major problem might be that this doesn't appear to support MS Windows though.

The "simple" method is to use openvpn, which is available for both Windows and Linux. If you follow the wiki "Connect Two Bubba Servers via VPN" for the server you should also be able to make a Windows client connect to it. I'm not a real fan of openvpn; I think it's messy, especially when including Windows.

The bottom half of that wiki is about setting up pptpd. Windows supports the PPTP protocol by default, so this may be a good place to start. Authentication is somewhat simplistic, but if you're okay with that this is likely the simplest way to achieve a VPN connection using a Windows client.

The difficult approach is to set up ipsec and L2TP, which is also readily supported by Windows. The wiki for setting up ipsec is quite complete, but I found it to be seriously unstable when using netkey. I've added some comments and a solution on this subject here: http://forum.excito.net/viewtopic.php?f=9&t=3278. Setting up L2TP should be pretty straightforward. Ipsec is not an easy concept to grasp at first, but paired with L2TP simplifies most of it. The good thing is that ipsec is the industry standard, so once you've got this running you should also be able to establish net-to-net VPNs with routers from lead manufacturers.

A note (this is from the wiki mentioned above):

Code:

-A INPUT -i tun+ -j ACCEPT
This will in fact cause you not to be able to access anything. The reason for this is that this rule will only apply to *existing* tun interfaces, while the one you'll be connected to is automatically created when you enable the tunnel.
Anders_W
Posts: 34
Joined: 13 Sep 2011, 09:22

Re: Attaching an "outsourced" NAS

Post by Anders_W »

Aha, thank You!

I'm currently trying to simplify the network by implementing the NAS in the Bubba itself.

(I have been searching for a hard drive cabinet that would allow me to access eight disks through the single eSATA-port on the back of the Bubba, and now I think that I have found one - I'll keep You updated on this.)

@Gordon: Would using the B3 itself for the NAS function alter the IPtables script that You provided?
Gordon wrote:To rewrite the incoming packet add the following rule

Code:

iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d ${EXTERNAL_IP} \
  -p tcp --dport www -j DNAT --to ${WWW_SERVER}

For traffic coming in from the outside you'll also have to enable forward

Code:

iptables -A FORWARD -i eth0 -s 0.0.0.0/0 -d ${WWW_SERVER} \
  -p tcp --dport www -j ACCEPT
Thanks in advance.
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Attaching an "outsourced" NAS

Post by Gordon »

There's no forwarding involved if you host NAS functionality on the B3, so these lines would not apply.

Be aware that you need to be able to route both ways in all circumstances. An example:

You send a valentine card and inside you wrote "I've been your secret admirer for years". Of course you did not sign it because then it wouldn't be a secret anymore now, would it? You write the name and address of your desired love on the front of the envelope, but again you do not write a return address on the back. Two scenarios may derive from this:
  • The mailman may not be able to deliver the card (she may have moved). Because the sender is unknown he can also not deliver it back to you.
  • She (dis?)likes the card very much, but since she doesn't know you wrote it she never tells you.
Assuming you're still after some sort of VPN solution, the problem with most of these solutions is that routing becomes invalid when you want to access the VPN router on the other side itself. Before buying stuff and installing all kinds of things, you should therefore make sure you can access already existing services on the B3 first.
Anders_W
Posts: 34
Joined: 13 Sep 2011, 09:22

Re: Attaching an "outsourced" NAS

Post by Anders_W »

I see. That was most insightful.

Then it will probably be best to use a separate computer for the NAS anyway.

I'll report back when the whole thing is done.

Thank You very much!
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Attaching an "outsourced" NAS

Post by Gordon »

You *might* be able to tweak whatever you want to use and make it work with just the B3

I can't help you with all of it because I simply have no need for anything I'm not already using and am lacking the options to test all the other stuff. What I'm using is an ipsec net-net connection using the klips interface. By default this also does not allow access to the router itself, but by rewriting the routing rule I can in fact access the Samba shares from a remote computer on the other side of the VPN connection.

Code:

ip route replace 192.168.0.0/24 dev ipsec0 src 172.18.10.254

This is actually a step further from the valentine card example. The source of this case is that the card is received and an answer is returned to you, but it is signed by someone you don't know. And also the one that is answering leaves an invalid address, so you can't know if this answer is for real or not. By adding the green part (which is my B3 LAN address) I tell the B3 what sender to use when answering, which is all that is needed to create a meaningful communication.