November 28, 2023

Hi, I have recently set up a hardware firewall on my home network. In doing so I've put my Unraid server in a dedicated DMZ (192.168.1.0/24) and have kept my other LAN devices in their own subnet (192.168.2.0). I've opened connectivity from my LAN towards the DMZ, and have opened the SMB/SAMBA ports from DMZ towards the LAN.

When trying to access my Unraid shares I am unable to access the shares using the Unraid hostname. I am however able to access the shares using its IP address. Is there any special configuration needed to use the hostname for this?
November 28, 2023 Community Expert

1 hour ago, deviani said:
> Is there any special configuration needed to use the hostname for this?

yes and no:

no: SAMBA uses mDNS to broadcast the hostname. Broadcasts cannot cross subnet borders. So there will be no automatics for your setup scenario.

yes: of course, you could add some kind of (static) DNS server to the 2 subnet that "knows" about the UNRAID host and delivers the info to those clients. But you have to set it up on a different server.

Your setup sounds "strange". Usually people want to protect their data as much as possible; what you do is to expose it freely to everybody in the world, but to filter out your own devices... Are you sure you have understood what DMZ means???
November 29, 2023 Community Expert

For both of you, here is a simple explanation of a DMZ: https://www.techtarget.com/searchsecurity/definition/DMZ

Read particularly the section entitled: Home networks

Notice that devices in the DMZ are exposed directly to the WAN/Internet while the computers on the LAN are isolated.

In the business world, it appears that sometimes computers are placed into a DMZ which is set up so that they are provided with Internet access in much the same way as a home LAN network. But there is another firewall behind that where the computers assigned there cannot even access the Internet at all. And, in some cases, there may be a third DMZ which allows incoming WAN/Internet traffic to access certain computers directly. These computers have to be hardened (and monitored) to withstand constant attacks to hack them. (Think of those computers that you use to log into services like those of Amazon, Google, Microsoft, and even this forum.)

Now, @deviani, it is not recommended that anyone place an Unraid server into a DMZ environment where a computer on the Internet can establish a connection to it by itself! Most home routers are set up so that a computer has to contact a computer on the Internet first before any traffic from that computer is allowed through the firewall. The OS does not have the protection necessary to survive more than a few minutes before it is compromised, i.e., "hacked".
November 29, 2023 Author

I want to clarify that this is a DMZ on a hardware firewall that is more similar to an enterprise setup. This isn't a typical DMZ you find on a home modem. Hence it has its own firewall between the Internet and the DMZ, and then a 2nd firewall between the DMZ and the LAN network.

The reason that it's in a DMZ is that there are a number of services running on Unraid that require Internet access (websites, password manager, Nextcloud, ...). It is these services that are getting exposed from the Internet, not Unraid itself.

I understand that this is a more unusual setup than most, however I can't currently set up a 2nd server to separate the web apps from the storage.

Edited November 29, 2023 by deviani
November 29, 2023 Community Expert

15 minutes ago, deviani said:
> however i can't currently set up a 2nd server to separate the web apps from the storage.

But you're not separating the web apps from the storage this way either, as evidenced by your need to cross into the DMZ to reach your storage. Simply seems pointless.
November 29, 2023 Author

1 minute ago, Kilrah said:
> But you're not separating the web apps from the storage this way either, as evidenced by your need to cross into the DMZ to reach your storage. Simply seems pointless.

That is what I was saying. I currently can't separate my web apps from my storage as I can't set up a separate server. This just separates the LAN devices from the network accessible from the Internet. In the future I might see if I can move the storage to a device that's also on the LAN network but for now this will have to do.
November 29, 2023 Community Expert

3 minutes ago, Kilrah said:
> cross into the DMZ to reach your storage

Storage should never be in the DMZ. If your data is valuable enough to protect with that many layers then the storage server should not be hosting WAN-facing applications.
November 29, 2023 Author Solution

Instead of using the hostname I've switched to using a DNS record running on a local DNS server. This makes the files accessible without having to use the IP address directly.
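
An added example, not part of any post in this thread: a small Python check for the outcome described above, confirming that a DNS name resolves to an address inside the DMZ subnet and that SMB (tcp/445) answers there. The record name `tower.home.example`, the client address 192.168.2.50, the server address 192.168.1.10 and the /24 mask on the LAN subnet are assumptions made for illustration.

```python
import ipaddress
import socket

# Subnets from the thread; the /24 mask on the LAN side is an assumption.
DMZ = ipaddress.ip_network("192.168.1.0/24")
LAN = ipaddress.ip_network("192.168.2.0/24")

def same_segment(client_ip, server_ip, client_net):
    """Link-local discovery (mDNS multicast, NetBIOS broadcast) is not
    routed by default, so it only works when this returns True."""
    net = ipaddress.ip_network(client_net)
    return (ipaddress.ip_address(client_ip) in net
            and ipaddress.ip_address(server_ip) in net)

def resolve_ipv4(hostname, resolver=socket.getaddrinfo):
    """Return the sorted IPv4 addresses the system resolver gives for hostname."""
    try:
        infos = resolver(hostname, 445, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_record(hostname, expected_net=DMZ, resolver=socket.getaddrinfo):
    """Classify the answer as 'ok', 'unresolved' or 'unexpected'."""
    addrs = resolve_ipv4(hostname, resolver)
    if not addrs:
        return "unresolved", addrs
    inside = all(ipaddress.ip_address(a) in expected_net for a in addrs)
    return ("ok" if inside else "unexpected"), addrs

def smb_reachable(addr, timeout=2.0):
    """True if a TCP connection to port 445 on addr succeeds."""
    try:
        with socket.create_connection((addr, 445), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    name = "tower.home.example"  # hypothetical record name
    print("same segment:", same_segment("192.168.2.50", "192.168.1.10", str(LAN)))
    status, addrs = check_record(name)
    print(name, status, addrs)
    for a in addrs:
        print(a, "tcp/445 reachable:", smb_reachable(a))
```

An `unexpected` result means the name resolved to an address outside the DMZ subnet, which is worth investigating before any credentials are sent to that host.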