best way to share a nas between a DMZ and Office lan


Due to some budget constraints I would like to share my NAS between the machines on the DMZ (a Proxmox cluster) and my office LAN. I currently have an RS819 with 2 ports (soon to be upgraded to the RS1820+ with 4 1Gb ports and 2 10G ports).

On the Proxmox cluster the volumes are mounted using iSCSI. The office is actually using the File application.

The network is like this:

Code:
       INTERNET
              |
              |
         CORE ROUTER
          |        \ (Fiber)
          |         \
        SWITCH     OFFICE Gateway (Nat)  --- LAN
          |
          |
   PROXMOX CLUSTER

I can see 4 possibilities to share the NAS:

  • 1 port plugged into the DMZ, another into the office network, so the connection is physically isolated. But I lose the possibility in the Proxmox cluster of using the 2 ports in parallel with iSCSI multipath.
  • 2 ports plugged into the DMZ, and use a tunnel/VPN to connect to the Proxmox cluster.
  • 2 ports plugged into the DMZ, and minimise routing to the IP when it comes from the office gateway (not sure how to do it though).
  • Plug the NAS into a switch, create 2 subnets in 2 VLANs and connect the 2 ports to it, and then connect the DMZ and the LAN each to one isolated port of the switch.

Thoughts? What are the good patterns for it (besides having 2 distinct NAS ;) ?
 
Today, where is the NAS on the diagram? Connected to the switch between core router and proxmox cluster?

What is stopping access from office gateway <-> core router <-> switch <-> NAS ? Assuming firewall policies and ACLs are correct.

What's protecting the proxmox DMZ from the Internet? I'm guessing 'Internet' on the diagram is not the next hop from core router, but rather indicates generally where the Internet is in relation to this.
 
@fredbert the NAS needs to be accessible from the Proxmox cluster and from the network behind the office gateway. So either connected to the switch between the core router and the cluster, or connected to this switch and to a switch in the office network.

What is stopping access from office gateway <-> core router <-> switch <-> NAS ? Assuming firewall policies and ACLs are correct.
Well, the office gateway is in its own subnet on a different port of the router. Maybe there is a way to connect them directly using a firewall rule?

What's protecting the proxmox DMZ from the Internet? I'm guessing 'Internet' on the diagram is not the next hop from core router, but rather indicates generally where the Internet is in relation to this.

The Proxmox cluster is in its own subnet on one port, not connected to the others. The firewall on the router ensures it connects directly to the Internet and it has no relation with other subnets.
 
@fredbert the NAS needs to be accessible from the Proxmox cluster and from the network behind the office gateway. So either connected to the switch between the core router and the cluster, or connected to this switch and to a switch in the office network.
Ok, but what I asked was: where is the NAS today? Connected to the switch?

Well, the office gateway is in its own subnet on a different port of the router. Maybe there is a way to connect them directly using a firewall rule?
Routers route traffic between subnets, provided that they have been configured to do that. Even if the subnets are within different VRFs you can use the router to bridge two VRFs and pass traffic between them (subject to configuration etc).

So I'm not sure why being in different subnets is an issue when you have the office gateway (which will have routing capabilities, plus the NAT you identify) and a core router. You would need to add ACLs to the core router to permit office LAN traffic (hidden behind the office gateway's NAT IP) to route to the NAS in the Proxmox cluster's subnet. And back, if the router works at packet level and not session.

If you just connect the NAS directly to each subnet then you are relying on the NAS not to bridge the two subnets in ways that are undesirable. While each subnet's devices can access the NAS, the NAS's services can likewise access each subnet... and today that's not the case and wouldn't be if you adapt your network's routing and security configurations. Why have a proxmox DMZ if you bridge it?
 
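fredbert's suggestion (keep the NAS in the DMZ subnet and have the core router route office traffic to it under ACLs), written out as an nftables forward policy. This is an added example, not configuration from the thread or from Synology: it assumes a Linux-based core router running nftables, and every address, the office gateway's NAT address and the NAS service ports (SMB 445 and DSM HTTPS 5001 for File Station) are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not configuration from the thread. Assumes a Linux-based core
# router running nftables; every address and port below is a placeholder.

define OFFICE_NAT_IP  = 10.10.1.2      # office gateway (UDM Pro) as seen by the core router; the office LAN is NATed behind it
define DMZ_NET        = 10.10.2.0/24   # DMZ subnet holding the Proxmox nodes and the NAS
define NAS_IP         = 10.10.2.10     # NAS address inside the DMZ subnet
define NAS_FILE_PORTS = { 445, 5001 }  # SMB and DSM HTTPS (File Station); iSCSI 3260 deliberately not listed

table inet core_dmz {
    # Everything between the office gateway and the DMZ is funnelled through here.
    chain office_dmz {
        # The office LAN (arriving as the gateway's NAT address) may open
        # file-service sessions to the NAS only: no iSCSI, no Proxmox nodes,
        # no other NAS ports.
        ip saddr $OFFICE_NAT_IP ip daddr $NAS_IP tcp dport $NAS_FILE_PORTS ct state new accept

        # Everything else between the two sides is dropped and logged. In
        # particular the NAS cannot initiate toward the office side, so it does
        # not become a bridge between the subnets (fredbert's concern above).
        log prefix "office<->dmz denied: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful return path for every session admitted anywhere below. This is
        # why one office -> NAS rule is enough; a stateless packet-level ACL would
        # also need an explicit NAS -> office rule for the replies.
        ct state established,related accept
        ct state invalid drop

        ip saddr $OFFICE_NAT_IP ip daddr $DMZ_NET jump office_dmz
        ip saddr $DMZ_NET ip daddr $OFFICE_NAT_IP jump office_dmz

        # The router's existing DMZ <-> Internet rules go here as well (not part
        # of this example); with policy drop they have to be explicit.
    }
}
```

Syntax-check with `nft -c -f <file>` before loading it with `nft -f`. The office gateway then only needs a route toward the core router for the DMZ subnet, and the set of ports in NAS_FILE_PORTS depends on whether the office uses SMB, File Station in the browser, or Synology Drive. Pairing this with the NAS's own DSM firewall (allow the file-service ports from the office NAT address, iSCSI only from the Proxmox nodes) adds a second control that does not depend on the router being configured correctly.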
Ok, but what I asked was: where is the NAS today? Connected to the switch?


Routers route traffic between subnets, provided that they have been configured to do that. Even if the subnets are within different VRFs you can use the router to bridge two VRFs and pass traffic between them (subject to configuration etc).

So I'm not sure why being in different subnets is an issue when you have the office gateway (which will have routing capabilities, plus the NAT you identify) and a core router. You would need to add ACLs to the core router to permit office LAN traffic (hidden behind the office gateway's NAT IP) to route to the NAS in the Proxmox cluster's subnet. And back, if the router works at packet level and not session.

If you just connect the NAS directly to each subnet then you are relying on the NAS not to bridge the two subnets in ways that are undesirable. While each subnet's devices can access the NAS, the NAS's services can likewise access each subnet... and today that's not the case and wouldn't be if you adapt your network's routing and security configurations. Why have a proxmox DMZ if you bridge it?
Until now I didn't have the split with the core router. I only had the UDM Pro and the NAS in the LAN. Sorry for not having made that clear...

If I understand correctly, you suggest connecting the NAS only in the DMZ and letting the core router handle the routes between the UDM Pro and the DMZ subnet?
 
It would seem better to adapt routing. But there are still things you need to consider:
  • security policy that dictates interaction and controls between LAN segments of different use types: are there restrictions on exposure to the Internet; business criticality of devices and data; intellectual property of data; data access restrictions.
  • should devices on the different subnets actually have access to the same NAS? Is it the same data for both; Why is the NAS being used for different data.
  • by allowing office LAN to route to the proxmox LAN will there be an increased risk (if proxmox LAN doesn't currently have the same external accesses as the office LAN).
These are just off the top of my head. A business environment is not the same as home and there are many risk factors that need to be considered before deciding to do something "just because it is technically possible to do it".

At present there has been a decision to place the NAS where it is and to allow the current connectivity to it. You should review what considerations resulted in the current situation and decide if they are maintained by adapting the network routing (just enough to allow office file sharing/File Station access), or if the original reasons still hold true.
 
