[HOWTO] - SECURE Startup of your NAS4Free Server

Postby ldkraemer » 30 Jun 2012 14:17

HOWTO - SECURE Startup your NAS4Free Server - Part #1:

There are several postings on the old FreeNAS Forum & Phan Vinh Thinh's Blog about the proper things that are necessary to make sure
that your NAS4Free Server is as SECURE as possible. Phan Vinh Thinh's Blog is located at:
http://phanvinhthinh.blogspot.com/2010/02/how-to-secure-your-freenas-server.html

Q: How do I make sure my NAS4Free server is secure?

Before we can answer that question, there needs to be a bit of explanation of what you will need to do to make sure your Server is secure during
the process of enabling the Services, and what Router Ports will be “OPEN” to the Internet. If your NAS4Free System is Powered up with only the
HTTPS: Protocol enabled for WebGUI Access, then NAS4Free Port 443 will be the ONLY port “OPEN”. As you Enable more Services you will be
adding to the list of "OPEN" NAS4Free Ports. Here is a List of the Ports as they are scanned after turning on their Specific NAS4Free Service.

Code: Select all
                     Port          Service         
HTTP                  80           HTTP
HTTPS                443           HTTPS
CIFS/SMB             139           netbios-ssn
                     445           microsoft-ds   
FTP                   21           ftp     
SSH or SFTP           22           ssh
NFS                  111           sunrpc
                     629           unknown
                     856           unknown
                     913           unknown
                    2049           nfs   


You should also realize that these TYPICAL Port Assignments can be changed as per your Specific requirements. They are not FIXED.

A comprehensive list of Port Number Assignments is located at: http://www.iana.org/assignments/port-numbers


If you haven't a clue what a LAN or WAN is, you need to do some reading from the following Site:
http://www.netfilter.org/documentation/HOWTO/networking-concepts-HOWTO.html

Now, realizing that your NAS4Free ports must have access to the Internet before anyone from the outside can access your NAS4Free Server,
we can DELAY Opening ANY Router Ports until the NAS4Free Setup and Configuration is complete. The NAS4Free Ports will be “OPEN” to any
LOCAL Computer that is connected to our Local Area Network (LAN), but NOT the WAN because your Router Port must be MANUALLY FORWARDED
allowing Server access via WAN.

There is one thing you need to understand about setting up your router. If your Client Software is accessing your neighbor's NAS4Free Server
sitting behind your neighbor's router on the WAN, ONLY your neighbor needs to OPEN his router's Port 22 to his NAS4Free Server for you to be
able to access it via ssh. Your router doesn't need Port 22 "OPEN" (MANUALLY FORWARDED).

So, with your Router Ports CLOSED, you are now ready to setup your NAS4Free Server with a computer connected to your Local Area Network (LAN).

Now let's review the previous Question again...........Along with Phan Vinh Thinh's answers.....

Q: How do I make sure my NAS4Free server is secure?

A: You can ensure basic security by following the NAS4Free Security Checklist:
1. Change the WebGUI default admin/root password.
Use a very strong password if you intend to access NAS4Free over the Internet (WAN).
Use a long password and not something that is a word that is found in any language dictionary. (Google your proposed password. If it has no
hits in Google, that is a good thing.) Include numbers and Special Characters as part of your password.
Please Note: - admin/root accounts use the same password.
Please Note: - Users that are members of the wheel group can su to root if they know the root password.
2. Change WebGUI admin user name, to protect your system against dictionary attacks. Don’t use ‘admin’ or ‘administrator’
3. Always use https protocol to access WebGUI interface over the WAN.
You do not need to have a security certificate to do this, but you will get a warning message if you don’t.
4. DO NOT open your WebGUI server to the internet, rather open a tunnel via SSH from client to server.
5. Check your logs regularly. While NAS4Free has security measures to protect against some brute force attacks, it never hurts to make sure you have not been hacked.
6. DO NOT give shell access to everybody.
7. DO NOT use FTP over the Internet, use SSH or SFTP instead to encrypt your traffic.
8. DO NOT enable Password Authentication with SSH, set-up and use SSH key based authentication.
9. Don’t allow the root account to access SSH. Under Services/SSHD, make sure the Permit root login box is NOT checked. If this is checked, someone can log
in as root if they know or crack your password. If this is not checked, they must guess your user LoginID and your password.
10. Have some kind of hardware firewall in place. Netgear or Linksys routers work nicely.
Only pass through the ports you need to make services work. Port 22 for SSH, port 443 for HTTPS. This may be under the application/gaming section of your router.

Let's start from the first item:

1.
Change the WebGUI admin password under System | General | Password:
See – SUG Section 3.1.1-System|General|Password
http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:system_general_password

2,3. Change WebGUI admin user name and access protocol under System | General:
See – SUG Section 3.1-System|General Setup
http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:general_system_options

6->9. SSH setup under Services | SSH:
See – SUG Section 6.4-Services|SSH
http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide:services_ssh

Of course, you need to create a non-admin user, create SSH keys, and upload them to your NAS4Free server. Please read the SSH manual, and refer to the man pages.
Please note that the command below is a final ssh product, and the ssh setup and testing is covered in another [HOWTO].

Once ssh has been setup and tested, you can use SSH tunneling from the Linux box to the NAS4Free WebGUI over the Internet. In a Terminal (Console) type:
Code: Select all
$ ssh -v -p 22 -L 8888:localhost:443 username@your.NAS4FreeorRouter.IP.address


Then open your web browser, and type address:
Code: Select all
https://localhost:8888/

and you are there. Windows users can read the instruction in NAS4Free KnowledgeBase.

If you don't have a static IP address, you can use (free) DynDNS service.


Tighten Your Security Parameters:
You can now tighten the parameters in ssh by turning off Enable Keyboard-Interactive Authentication, and by adding the following Extra Options:

Code: Select all
AllowUsers loginBoZo4321&1234 JoESmithTOO!4433
MaxAuthTries 2
LoginGraceTime 45


At this time you might want to “FORWARD” your Router's External Port 22 for direction “IN” so you can further test your NAS4Free Server, while keeping
an eye on your log files.............


Unauthorized Login Attempts:
If your diagnostic logs show multiple login attempts by 49.212.28.207 & 116.125.127.119, you can “DENY” their access by adding their IP address
to (/etc/hosts.allow as hosts.deny is deprecated). By adding these IP addresses to NAS4Free you will actually be inserting the specific IP Address in
/etc/hosts.allow as DENY.

Network | Hosts
Code: Select all
#ftpd  : xxx.xxx.xxx.xxx : deny
#sshd : .example.com : deny
#in.tftpd : xxx.xxx.xxx.xxx : deny
#bsnmpd : xxx.xxx.xxx.xxx : deny
sshd : 49.212.28.207 : deny
sshd : 116.125.127.119 : deny
sshd : 205.214.192.101 : deny
sshd : 222.240.224.43 : deny
ALL : ALL : allow


10. IP Addressing – for IPFW Usage:
There is a standard notation for groups of IP addresses, sometimes called a `network address'. Just like a phone number can be broken up into an
area prefix and the rest, we can divide an IP address into a network prefix and the rest.

It used to be that people would talk about `the 1.2.3 network', meaning all 256 addresses from 1.2.3.0 to 1.2.3.255. Or if that wasn't a big enough
network, they might talk about the `1.2 network' which meant all addresses from 1.2.0.0 to 1.2.255.255.

We usually don't write `1.2.0.0 - 1.2.255.255'. Instead, we shorten it to `1.2.0.0/16'. This weird `/16' notation (it's called a `netmask') requires
a little explanation.

Each number between the dots in an IP address is actually 8 binary digits (00000000 to 11111111): we write them in decimal form to make it more
readable for humans. The `/16' means that the first 16 binary digits are the network address, in other words, the `1.2.' part is the network
(remember: each digit represents 8 binary digits). This means any IP address beginning with `1.2.' is part of the network: `1.2.3.4' and `1.2.3.50' are,
and `1.3.1.1' is not.

To make life easier, we usually use networks ending in `/8', `/16' and `/24'. For example, `10.0.0.0/8' is a big network containing any address from
10.0.0.0 to 10.255.255.255 (over 16 million addresses!). 10.0.0.0/16 is smaller, containing only IP addresses from 10.0.0.0 to 10.0.255.255. 10.0.0.0/24
is smaller still, containing addresses 10.0.0.0 to 10.0.0.255. To make things confusing, there is another way of writing netmasks. We can write them
like IP addresses: 10.0.0.0/255.0.0.0

Finally, it's worth noting that the very highest IP address in any network is reserved as the `broadcast address', which can be used to send a message to
everyone on the network at once. Here is a table of network masks:

Code: Select all
       Short   Full                    Maximum        Comment
       Form    Form                   #Machines

       /8      /255.0.0.0             16,777,215      Used to be called an `A-class'
       /16     /255.255.0.0               65,535      Used to be called an `B-class'
       /17     /255.255.128.0             32,767
       /18     /255.255.192.0             16,383
       /19     /255.255.224.0              8,191
       /20     /255.255.240.0              4,095
       /21     /255.255.248.0              2,047
       /22     /255.255.252.0              1,023
       /23     /255.255.254.0                511
       /24     /255.255.255.0                255      Used to be called a `C-class'
       /25     /255.255.255.128              127
       /26     /255.255.255.192               63
       /27     /255.255.255.224               31
       /28     /255.255.255.240               15
       /29     /255.255.255.248                7
       /30     /255.255.255.252                3
       /31     /255.255.255.253                2
       /32     /255.255.255.254                1



IPFW for Unauthorized Login Attempts:

If you wanted to use IP Fire Wall (IPFW) instead, you could have created a rule to block the IP Address, or a Block of addresses and then ENABLED IPFW
to block those that continually attempt to hack/login to your NAS4Free Server. There were several IP Addresses that continuously tried to gain ssh access.

ipfw1.gif


In my initial setup I had only Protocol “TCP” selected, but have since changed that to “ALL”. Likewise Direction could be changed to “ANY” versus “IN”.


IPFW RULES:

ipfw2.gif


As you see the list continues to grow each day, and there is a better way to block those IP Addresses that continually try to access your Server.
The NAS4Free IPFW RULES will do the job much easier, and there is a [HOWTO] posted with that information.

The following photo shows the items I have setup in the ssh service:

ssh.gif



Last Words:

To eliminate Windows users' advantage of using shortcuts, Linux users can create aliases:

$ cat .bashrc
Code: Select all
alias ssh-nas="ssh pvt@192.168.1.250"
alias ssh-dir="ssh pvt@192.168.1.1"
alias tunnel-nas="ssh -v -p 22 -L 8888:localhost:443 tvp@xxx.dyndns.org"


# sudo alias
Code: Select all
alias apt-update="sudo apt-get update"
alias apt-install="sudo apt-get install"
alias apt-remove="sudo apt-get remove"
alias mount="sudo mount"
alias umount="sudo umount"
alias suvim="sudo vim"


$ tunnel-nas



Now we need to begin the advanced configuration and usage.


I booted my NAS4Free Server, and configured the first two menu items:

1. Assign NIC Interfaces(x10)
2. Set LAN IP Addresses for my NAS:(192.168.1.250)

See- SUG Sections - 2.2-LAN interface and IP Configuration and 2.3-Basic System Configuration

Wired LAN: I chose to use a Hub with two patch cables to test my NAS4Free. Once you have the LAN connected, configure your CLIENT IP Address
and PING the server to verify that it is all communicating. (You can also use PING from the SERVER to verify the CLIENT.)

Realize that one of the three Computers below could actually be your NAS4Free Box.

pic5.gif


If your Ethernet NIC card has the capability to do Crossover Detection & Auto-Correction, you won't need to use Special Crossover Ethernet Cables.

pic6.gif


Crossover Cable Wiring.

pic8.gif

Go to NETWORK | LAN Management and set your MTU & Media Configuration.

If your Network appears to be Slow this Posting may be of help.

Mine is shown here:

adv_config.png

At this point you should be ready to access your Advanced Configuration via WebGUI:

Open your Browser on your Laptop and type in the address that you previously configured as "192.168.1.250:80"
Use the default login username and password to access the WebGUI.

Since there are no "OPEN" Router ports (we are using a Hub) you should not have any Unauthorized Login Attempts on your system.
Once we get our NAS4Free tested, all we need to do is replace the Hub with the actual Router and keep an eye on the Log file.
Make it a habit to periodically view the Log File so you know what is going on, to determine if your NAS4Free is being Probed/Attacked for access.

Next time we'll keep adding Services, and Configuration to end up with a system that looks like this:

ipfw0.gif


Be sure to read the [HOWTO] - NAS4Free IPFW RULES for information on setting up IPFW Rules.


Thanks.

Larry
Updated 07-18-2012
Last edited by ldkraemer on 18 Jul 2012 15:49, edited 9 times in total.
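
An added example, not part of the original post: the log review, the /etc/hosts.allow deny entries and the network-prefix arithmetic described in Part #1, combined into one script that counts failed sshd logins per source address and prints deny lines in the format shown above, skipping addresses inside the LAN. The log lines, the threshold of 3 and the 192.168.1.0/24 LAN range are constructed assumptions, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: turn repeated sshd login failures into hosts.allow deny lines.
# Function names are hypothetical; the log below is constructed sample data.

sample_log() {
cat <<'EOF'
Jul  1 03:12:01 nas4free sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul  1 03:12:05 nas4free sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jul  1 03:12:09 nas4free sshd[1240]: Invalid user test from 203.0.113.7
Jul  1 03:13:40 nas4free sshd[1250]: Failed password for loginuser from 192.168.1.20 port 40022 ssh2
Jul  1 03:13:44 nas4free sshd[1250]: Failed password for loginuser from 192.168.1.20 port 40022 ssh2
Jul  1 03:13:49 nas4free sshd[1250]: Failed password for loginuser from 192.168.1.20 port 40022 ssh2
Jul  1 04:00:00 nas4free sshd[1300]: Failed password for root from 198.51.100.23 port 2222 ssh2
Jul  1 04:10:00 nas4free sshd[1301]: Accepted publickey for loginuser from 192.168.1.20 port 40100 ssh2
EOF
}

# Dotted quad -> 32-bit integer (each of the four numbers is 8 binary digits).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Short form (/16) -> full form (255.255.0.0).
prefix_to_mask() {
    m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# in_cidr IP NETWORK/PREFIX: succeeds when the first PREFIX bits of both match.
in_cidr() {
    cidr_net=${2%/*}
    cidr_bits=${2#*/}
    cidr_mask=$(( (4294967295 << (32 - $cidr_bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & cidr_mask )) -eq $(( $(ip_to_int "$cidr_net") & cidr_mask )) ]
}

# Reads a log on stdin, prints "COUNT IP" for every source with failure lines.
# The user name in these messages is client-supplied text, so the address is
# taken from the LAST "from" on the line and must look like an IPv4 address.
failed_ssh_sources() {
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user) / {
        for (i = NF - 1; i >= 1; i--)
            if ($i == "from" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                hits[$(i + 1)]++
                break
            }
    }
    END { for (ip in hits) print hits[ip], ip }' | sort -k1,1nr -k2,2
}

# deny_rules THRESHOLD LAN_CIDR < logfile
# Emits one hosts.allow line per outside address at or above THRESHOLD.
deny_rules() {
    dr_threshold=$1
    dr_lan=$2
    failed_ssh_sources | while read -r dr_count dr_ip; do
        [ "$dr_count" -ge "$dr_threshold" ] || continue
        # Never lock out the LAN: a mistyped password there is not an attack.
        if in_cidr "$dr_ip" "$dr_lan"; then continue; fi
        echo "sshd : $dr_ip : deny"
    done
}

# Demo run on the constructed log.
sample_log | deny_rules 3 192.168.1.0/24
```

The generated lines belong above the closing `ALL : ALL : allow` entry, as in the Network | Hosts listing above, because the first matching rule wins.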

Re: [HOWTO] - SECURE Startup of your NAS4Free Server

Postby ldkraemer » 09 Jul 2012 11:16

HOWTO - SECURE Startup your NAS4Free Server - Part #2:


From the Part #1 Guide you should now be able to access the login WebGUI from your LAN as shown:

n4f1.png

After inserting your login & password you will need to setup a user, or a group with several users. That will be determined by how many
users will be accessing your NAS. Then, you will need to setup at least three services to allow you access to your NAS. I'll be setting
up SSH, CIFS, and NFS. This will allow me to ssh into my NAS from the LAN, and test CIFS & NFS. Later I'll be forwarding a port to
Port 22 so I can use ssh to tunnel into my NAS from the WAN. I'll use Filezilla with SFTP to do that.

Setting up the Hard Drive is very easy. Just go to DISKS -> MANAGEMENT, then DISKS -> FORMAT, then DISKS -> MOUNT, ending up with
your Drive or Drives prepared. You may also have decided to use some combination of RAID, which isn't covered in this [HOWTO].
Note that if you decide to wipe the drive by formatting it when you are half way through the setup process, you will have to un-mount
the drive with the "umount" command. When finished with the format, be sure to mount the drive again.

Your NAS4Free should now have a Storage Hard Drive attached, similar to this:

n4f4.png

As you can see, this is the current version of NAS4Free, and the Storage hard Drive is setup (selected, formatted, and mounted).

n4f2.png

From ACCESS -> USERS & GROUPS, setup for a group of users. At least one user needs to have the following items selected to have ssh access.
1. SHELL - set for sh or bash - or whatever shell you require. NOTE: A SHELL must be selected for SSH access.
2. PRIMARY GROUP - Wheel
3. ADDITIONAL GROUP - sshd

Be aware that if you have already set up your ssh dsa keys, you may need to go to the /home/user/.ssh subdirectory and grab all those files and
temporarily move them into a "hidethese" folder until you can get logged in with ssh. Once you get finished with ssh, just copy the files in the "hidethese"
folder back to their .ssh folder. That will prevent you from messing up the dsa keys and the known_hosts file you use to access other systems.

n4f3.png

By going to SERVICES -> SSH you can ENABLE ssh: For the first time we need Keyboard authentication versus dsa key. That will be a bit later.

n4f5.png

And login via ssh in a Terminal (Console):
Code: Select all
larry@debian:~$ ssh loginuser@192.168.1.250
loginuser@192.168.1.250's password:
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
   The Regents of the University of California.  All rights reserved.

Welcome to NAS4Free!
$ pwd
/mnt
$

And you should be able to su to root with:
Code: Select all
su root

by using the WebGUI Password. You can exit su and/or ssh with:
Code: Select all
exit

With root access you can create any directories you need, or change permissions on subdirectories.


Setting up NFS is as easy as:

n4f6.png



n4f7.png


n4f8.png

And to access your NFS shares you can mount the shares in a Terminal with: (Assuming /mnt/nas4free exists)

Code: Select all
sudo mount 192.168.1.250:/mnt/store /mnt/nas4free

If you can't mount the NFS Shares, check to see if nfs-common is installed. Use Synaptic Package Manager to install it if needed.

Code: Select all
larry@debian:~$ cd /
larry@debian:/$ cd /mnt/nas4free/
larry@debian:/mnt/nas4free$ ls
anderson  cutrell  lkraemer  lukefahr  publicfiles  shaw
larry@debian:/mnt/nas4free$


Once the share is mounted you can do what you need to access or modify the share. When you are finished, be sure to cd .. so you can un-mount the share.
If you don't cd to another higher subdirectory you won't be able to execute the umount command.

Code: Select all
sudo umount /mnt/nas4free



Setting up CIFS/SMB is as easy as:

n4f9.png


n4f10.png


n4f11.png

To access your CIFS/SMB shares from Linux you can use Nautilus, click on Network, and enter your password. When you are finished you should
umount your drive from within the Left Panel in Nautilus. Just Right Click on the mounted CIFS/SMB and umount.

n4f12.png

At this point we have everything functional except for setting up the DSA Public & Private keys to allow access without password authentication over
the WAN. That information is covered in another old FreeNAS [HOWTO].


Hopefully, I haven't forgotten anything in the process. If you find something that needs updated let me know.

Thanks.


Larry
Updated 07-11-2012
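
An added example, not part of the original posts: before port 22 is forwarded for WAN access, the SSH items from the Part #1 checklist (items 8 and 9, keyboard-interactive authentication off, and the AllowUsers, MaxAuthTries and LoginGraceTime extra options) can be checked mechanically against the sshd configuration. Both sample configurations are constructed, `audit_sshd` is a hypothetical name, and on a live system its input would be the output of `sshd -T` or the sshd_config file itself.

```shell
#!/bin/sh
# Added example: audit sshd settings against the Part #1 checklist.
# Reads a configuration on stdin and prints one line per finding.
# Limits default to the values used in the post (MaxAuthTries 2,
# LoginGraceTime 45) and can be overridden with MAX_TRIES / MAX_GRACE.

# Constructed sample: state during first-time setup, in `sshd -T` style.
sample_weak() {
cat <<'EOF'
permitrootlogin yes
passwordauthentication yes
maxauthtries 6
logingracetime 120
EOF
}

# Constructed sample: state expected before the router port is forwarded.
sample_hardened() {
cat <<'EOF'
# key-based logins only
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers loginuser
MaxAuthTries 2
LoginGraceTime 45
EOF
}

audit_sshd() {
    awk -v max_tries="${MAX_TRIES:-2}" -v max_grace="${MAX_GRACE:-45}" '
    function shown(k) { return (k in val) ? val[k] : "unset" }
    function expect_no(k, name) {
        # A missing keyword is reported too: the setting must be explicit.
        if (shown(k) != "no") print name " = " shown(k) " (expected: no)"
    }
    function expect_max(k, name, limit) {
        # Only plain numbers (seconds or tries) are accepted here.
        if (shown(k) !~ /^[0-9]+$/ || val[k] + 0 > limit)
            print name " = " shown(k) " (expected: at most " limit ")"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        # Keywords are case-insensitive; sshd keeps the FIRST value it reads.
        key = tolower($1)
        if (!(key in val)) val[key] = tolower($2)
    }
    END {
        expect_no("permitrootlogin", "PermitRootLogin")
        expect_no("passwordauthentication", "PasswordAuthentication")
        # Older OpenSSH releases name this option ChallengeResponseAuthentication.
        kbd = ("kbdinteractiveauthentication" in val) ? \
              "kbdinteractiveauthentication" : "challengeresponseauthentication"
        expect_no(kbd, "Keyboard-interactive authentication")
        if (!("allowusers" in val))
            print "AllowUsers = unset (expected: explicit list of login names)"
        expect_max("maxauthtries", "MaxAuthTries", max_tries)
        expect_max("logingracetime", "LoginGraceTime", max_grace)
    }'
}

# Demo run on both constructed samples.
echo "first-time setup:"; sample_weak | audit_sshd
echo "before forwarding port 22:"; sample_hardened | audit_sshd
```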

Re: [HOWTO] - SECURE Startup of your NAS4Free Server

Postby ldkraemer » 18 Jul 2012 16:21

Here are a few photos of:

1. CPU Load during a LARGE FTP Transfer.
2. NAS FTP Transfer rate on my LAN.
3. Filezilla in action for LAN FTP of LARGE subdirectory.

NAS_CPU_Load.png


NASftp_RX_xfer.png


ftp_xfer2.png


Thanks.


Larry

Re: [HOWTO] - SECURE Startup of your NAS4Free Server

Postby ldkraemer » 18 Jul 2012 16:53

Extra information on setting up CIFS/SMB (Samba) can be found here


Your Samba server can share directories with all the other users. However, if you start to copy a lot of data to your Samba server you will notice that
the transfer speed is very low. I would say, almost the same as that of FTP.

The following tests show how to improve the transfer speed on the Samba Server changing basically two parameters.

Requirements:
One Samba server
One client with smbclient and smbfs


Testing for different configurations:

On Server smb.conf:
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192

On Client:
# mount -t smbfs -o rw,username=mpi //load01/data /mnt
# cd /mnt
# dd if=/dev/zero of=testfile count=10240 bs=10240
10240+0 records in
10240+0 records out
104857600 bytes (105 MB) copied, 3.93339 s, 26.7 MB/s

On Server:
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=16384 SO_SNDBUF=16384

On Client:
# dd if=/dev/zero of=testfile count=10240 bs=10240
10240+0 records in
10240+0 records out
104857600 bytes (105 MB) copied, 2.08827 s, 50.2 MB/s

On Server:
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=32768 SO_SNDBUF=32768

On Client:
# dd if=/dev/zero of=testfile count=10240 bs=10240
10240+0 records in
10240+0 records out
104857600 bytes (105 MB) copied, 1.5947 s, 65.8 MB/s

On Server:
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536

On Client:
# dd if=/dev/zero of=testfile count=10240 bs=10240
10240+0 records in
10240+0 records out
104857600 bytes (105 MB) copied, 1.56355 s, 67.1 MB/s

On Server:
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=262144 SO_SNDBUF=262144

On Client:
# dd if=/dev/zero of=testfile count=10240 bs=10240
10240+0 records in
10240+0 records out
104857600 bytes (105 MB) copied, 1.52957 s, 68.6 MB/s

On Server:
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=524288 SO_SNDBUF=524288

On Client:
# dd if=/dev/zero of=testfile count=10240 bs=10240
10240+0 records in
10240+0 records out
104857600 bytes (105 MB) copied, 1.46897 s, 71.4 MB/s

On Server:

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=1048576 SO_SNDBUF=1048576

On Client:
# dd if=/dev/zero of=testfile count=10240 bs=10240
10240+0 records in
10240+0 records out
104857600 bytes (105 MB) copied, 1.45731 s, 72.0 MB/s

Note: This test assumes that you are writing data to the Samba Share. Changing those values definitively shows an improvement in transfer speed,
however I have not tested all the possible scenarios.

On Server:
The local transfer speed is the following:
# dd if=/dev/zero of=testfile count=10240 bs=10240
10240+0 records in
10240+0 records out
104857600 bytes (105 MB) copied, 0.242673 s, 432 MB/s


Here are some photos of my CIFS/SMB Transfers on my LAN:

cifs_CPU_Load.png


cifs_xfer.png


All Credit goes to Carlos Gomez for his Blog!


Thanks.

Larry
Last edited by ldkraemer on 18 Jul 2012 19:24, edited 1 time in total.

Re: [HOWTO] - SECURE Startup of your NAS4Free Server

Postby ldkraemer » 18 Jul 2012 18:59

Dismal transfer rates - please help
by bakcompat » Wed Jun 01, 2011 3:30 pm

FTP is your best overall benchmark for speed IMO. But, you list a Silicon Image controller board without the model number. I'll bet that's a Sil3114 card.
These go for about $5 on ebay. This chipset is notoriously poor in FreeNAS and can lead to data corruption. I'd recommend you replace it with something
well supported by BSD. I like the Promise TX4 controller.

See the hardware compatibility list: http://wiki.nas4free.org/doku.php?id=nas4free_users_hardware
Read the notes on Silicon Image controllers: http://sourceforge.net/apps/phpbb/freenas/viewtopic.php?f=65&t=6210&start=0
There's a reason they are so damn cheap. They suck.

Additionally, those are 4k sector hard drives. See http://wiki.freenas.org/faq:0139 just to be aware and make sure you set them up as 4k sector drives.

Also try: (substituting your correct drive number for x)
Code: Select all
dd if=/dev/adx of=/dev/null bs=10M count=1000

from a shell prompt where "ad4" is one of your data drives. I have 4 of those same drives, and I get sustained data rate of 100828642 bytes/sec which is approximately 96MB/s, so I know they are set up right. You should see a similar value if your drives are configured correctly.


Test #1: Raw throughput.


Test was run using your suggestion.
dd if=/dev/adx of=/dev/null bs=10M count=1000


Results:
ad4 = 77 Mb/s
ad6 = 77 Mb/s
ad8 = 77 Mb/s
ad10 = 77 Mb/s
ad0 = 100 Mb/s
ad14 = 100 Mb/s

In addition, to check the PCI board, two disks (ad4 and ad6) were dd'd simultaneously, with the results of

ad4 = 56 Mb/s
ad6 = 56 Mb/s


Conclusions:

1 - Test #1 indicates that the HDD's are indeed capable of raw transfer of about 100 Mb/s. This transfer is degraded by about 25% if completed through the PCI-SATA adapter.

2 - From Test #1, a 77 Mb/s raw transfer is sufficient for my purposes wrt the PCI-SATA card.

3 - From Test #1, if two raw transfers are initiated simultaneously into two HDD's attached to the same PCI-SATA, the performance is degraded, but not to an unsustainable point (i.e. 56 Mb/s).

4 - In conclusion, after having read regarding the Sil chip and looking at my performance, for the time being I'll stick with the board since there seems to be no critical issues here.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Can't figure out network speed issues. Please help.
by allistars » Sat Jul 04, 2009 7:38 pm

Version 0.7RC1 Sardaukar (revision 4735)
built on Sat Jun 20 20:25:01 UTC 2009
OS Version FreeBSD 7.2-RELEASE-p1 (revision 199506)
Platform i386-embedded on Intel(R) Pentium(R) 4 CPU 3.00GHz


I have a FreeNAS Setup (5x 1 TB Western Digital Caviar Black and Green drives) using a Socket 478 P4 3.0 GHZ and 1 GB RAM.

I have run into an issue where network transfers are horribly slow. 7-8 MB/s whether or not I'm using FTP or SMB.

My disks are quite capable and running diskinfo -ct /dev/eachoftheharddrives reports back transfer rates of 75,000-95000 kbytes/sec. I've even gone out
and bought a D-Link gigabit nic and enabled kernel tuning. The transfer rates remain the same, still no increase in speed.


Any help would be greatly appreciated. I'm sure I've left out some crucial data, but I've gone through everything I know of. FreeNAS even reports the link speed is 1000.


Danmero responds:

Run the following command on Advanced|Execute command and post back the output.

Code: Select all
dmesg | grep interface && ifconfig | awk '/lo0/{exit}1'


allistars responds:

Code: Select all
$ dmesg | grep interface && ifconfig | awk '/lo0/{exit}1'
rlphy0: <RealTek internal media interface> PHY 0 on miibus1
rlphy0: <RealTek internal media interface> PHY 0 on miibus1
rlphy0: <RealTek internal media interface> PHY 0 on miibus1
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=b<RXCSUM,TXCSUM,VLAN_MTU>
   ether 00:22:b0:51:46:5b
   inet 10.0.1.85 netmask 0xffffff00 broadcast 10.0.1.255
   media: Ethernet 1000baseTX <full-duplex>
   status: active
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether 00:11:09:06:15:4a

I forced the 1000baseTX full-duplex, I don't trust auto negotiation.

Danmero responds:

You must have a perfect match. READ THIS!

So remember:
10 to 10
100 to 100
1000 to 1000
half to half
full to full
auto to auto

The long and the short of it is that you have to be sure that what is on one end of a patch cable is the same on the other end of the patch cable. That also goes
for autonegotiation. Both devices need to be set to autonegotiation. If only one is set that way, then you will experience all types of network slowdowns!
Make sure that all of your speed and duplex match on all of your devices.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Another suggestion was to use a crossover cable to eliminate the network as an issue and test speed:
Connect the server directly to the client with a crossover cable (easy to make your own, just cut a standard cable in half and jumper the correct wires) this will
eliminate all other hardware. If speeds improve then you know it is something other than the hardware in use, most likely your USB-powered switch. If speeds
don't improve then you have a problem with the server or client hardware.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Don't Overlook the Client:
Don't forget the client. You can tweak server settings (hardware and software) till you're blue in the face and it won't make a difference if the client can't go
faster too. That's one of the reasons the law of diminishing returns applies with a vengeance to this type of tuning.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Learned by Error Blog:
http://learnedbyerror.blogspot.com/2009/09/lets-tune-er-up.html

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Which NIC should I use:
Use NIC hardware from the FreeBSD Hardware Notes and you should be fine! No magic!

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Copied from the Old FreeNAS Knowledge Base, and FreeNAS Forum so it's archived.


Thanks.

Larry Kraemer
Last edited by ldkraemer on 18 Jul 2012 20:18, edited 17 times in total.

Re: [HOWTO] - SECURE Startup of your NAS4Free Server

Postby raulfg3 » 18 Jul 2012 19:23

Thanks for saving this valuable data (and others) from the old forum.

Re: [HOWTO] - SECURE Startup of your NAS4Free Server

Postby ldkraemer » 18 Jul 2012 20:08

Is there a complete list of all available commands and explanation of those commands, which could be used with sysctl.conf and rc.conf??


You could start here: sysctl
then:
rc
and
rc.conf
Hope that helps.

Regards,
Al562


Copied from the Old FreeNAS Forum so it's archived.


Thanks.

Larry Kraemer
