best way to share a nas between a DMZ and Office lan


Due to some budget constraints I would like to share my NAS between the machines on the DMZ (a Proxmox cluster) and my office LAN. I currently have an RS819 with 2 ports (soon to be upgraded to the RS1820+ with 4 1Gb ports and 2 10G ports).

On the Proxmox cluster the volumes are mounted using iSCSI. The office actually uses the File application.

The network is like this:

Code:
       INTERNET
              |
              |
         CORE ROUTER
          |        \ (Fiber)
          |         \
        SWITCH     OFFICE Gateway (Nat)  --- LAN
          |
          |
   PROXMOX CLUSTER

I can see 4 possibilities to share the NAS:

  • 1 port plugged into the DMZ, another into the office network; then the connection is physically isolated. But I lose the possibility in the Proxmox cluster to use the 2 ports in // with iSCSI multipath.
  • 2 ports plugged into the DMZ; use a tunnel/VPN to connect to the Proxmox cluster.
  • 2 ports plugged into the DMZ, and minimise routing to the IP when it comes from the office gateway (not sure how to do it though).
  • Plug the NAS into a switch, create 2 subnets in 2 VLANs and connect the 2 ports to it, then connect the DMZ and the LAN each to one isolated port of the switch.

Thoughts? What are the good patterns for it (besides having 2 distinct NAS ;) ?
 
Today, where is the NAS on the diagram? Connected to the switch between the core router and the Proxmox cluster?

What is stopping access from office gateway <-> core router <-> switch <-> NAS? Assuming firewall policies and ACLs are correct.

What's protecting the proxmox DMZ from the Internet? I'm guessing 'Internet' on the diagram is not the next hop from core router, but rather indicates generally where the Internet is in relation to this.
 
@fredbert the NAS needs to be accessible from the Proxmox cluster and from the network behind the office gateway. So either connected to the switch between the core router and the cluster, or connected to this switch and to a switch in the office network.

What is stopping access from office gateway <-> core router <-> switch <-> NAS? Assuming firewall policies and ACLs are correct.
Well, the office gateway is in its own subnet on a different port of the router. Maybe there is a way to connect them directly using a firewall rule?

What's protecting the proxmox DMZ from the Internet? I'm guessing 'Internet' on the diagram is not the next hop from core router, but rather indicates generally where the Internet is in relation to this.

The Proxmox cluster is in its own subnet on one port not connected to the others. The firewall on the router ensures it connects directly to the internet and has no relation with the other subnets.
 
@fredbert the NAS needs to be accessible from the Proxmox cluster and from the network behind the office gateway. So either connected to the switch between the core router and the cluster, or connected to this switch and to a switch in the office network.
Ok, but what I asked was: where is the NAS today? Connected to the switch?

Well, the office gateway is in its own subnet on a different port of the router. Maybe there is a way to connect them directly using a firewall rule?
Routers route traffic between subnets, provided that they have been configured to do that. Even if the subnets are within different VRFs you can use the router to bridge two VRFs and pass traffic between them (subject to configuration etc).

So I'm not sure why being in different subnets is an issue when you have the office gateway (which will have routing capabilities, plus the NAT you identify) and a core router. You would need to add ACLs to the core router to permit office LAN traffic (hidden behind the office gateway's NAT IP) to route to the NAS in the Proxmox cluster's subnet. And back, if the router works at packet level and not session.

If you just connect the NAS directly to each subnet then you are relying on the NAS not to bridge the two subnets in ways that are undesirable. While each subnet's devices can access the NAS, the NAS's services can likewise access each subnet... and today that's not the case and wouldn't be if you adapt your network's routing and security configurations. Why have a Proxmox DMZ if you bridge it?
 
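One way to express the "add ACLs to the core router" approach described above, as an added example that is not from this thread or from any of its posters: an nftables forward policy for a Linux-based core router with one interface in the DMZ and one toward the office gateway. The interface names, the NAS address and the office gateway's NAT address are constructed placeholders (TEST-NET ranges), and the port set assumes SMB on 445; adjust both to what the office actually uses.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumes a Linux core router that
# forwards between the DMZ segment and the office gateway's segment.
flush ruleset

# Constructed placeholders: replace with the real interfaces and addresses.
define DMZ_IF = "eth1"
define OFFICE_IF = "eth2"
define NAS_IP = 192.0.2.50
define OFFICE_GW_NAT = 198.51.100.10

table inet nas_policy {
    chain forward {
        # Default is drop: nothing crosses between the segments unless listed.
        type filter hook forward priority 0; policy drop;

        # Return packets for flows that were already permitted below.
        ct state established,related accept

        # The office LAN, seen as the office gateway's NAT address, may open
        # new connections to the NAS only, and only on the file-sharing ports.
        iifname $OFFICE_IF oifname $DMZ_IF ip saddr $OFFICE_GW_NAT ip daddr $NAS_IP tcp dport { 445 } ct state new accept

        # Everything else between the two segments is logged and dropped,
        # including anything the NAS or a Proxmox node initiates toward the office.
        iifname $DMZ_IF oifname $OFFICE_IF log prefix "dmz-to-office-drop " drop
        iifname $OFFICE_IF oifname $DMZ_IF log prefix "office-to-dmz-drop " drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. The point of the shape is least privilege in one direction: the office reaches a single host on a few ports rather than the whole DMZ subnet, the DMZ (NAS included) cannot start connections toward the office at all, and the NAS keeps only DMZ addresses, so it is the router's policy, not the NAS, that decides what crosses between the segments. iSCSI multipath between the Proxmox nodes and the NAS stays inside the DMZ and needs no rule here.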
Ok, but what I asked was: where is the NAS today? Connected to the switch?


Routers route traffic between subnets, provided that they have been configured to do that. Even if the subnets are within different VRFs you can use the router to bridge two VRFs and pass traffic between them (subject to configuration etc).

So I'm not sure why being in different subnets is an issue when you have the office gateway (which will have routing capabilities, plus the NAT you identify) and a core router. You would need to add ACLs to the core router to permit office LAN traffic (hidden behind the office gateway's NAT IP) to route to the NAS in the Proxmox cluster's subnet. And back, if the router works at packet level and not session.

If you just connect the NAS directly to each subnet then you are relying on the NAS not to bridge the two subnets in ways that are undesirable. While each subnet's devices can access the NAS, the NAS's services can likewise access each subnet... and today that's not the case and wouldn't be if you adapt your network's routing and security configurations. Why have a Proxmox DMZ if you bridge it?
Until now I didn't have the split with the core router. I only had the UDM Pro and the NAS in the LAN. Sorry for not having made that clear...

If I understand correctly you suggest to connect the NAS only in the DMZ and let the core router handle the routes between the UDM Pro and the DMZ subnet?
 
It would seem better to adapt routing. But there are still things you need to consider:
  • security policy that dictates interaction and controls between LAN segments of different use types: are there restrictions on exposure to the Internet; business criticality of devices and data; intellectual property of data; data access restrictions.
  • should devices on the different subnets actually have access to the same NAS? Is it the same data for both? Why is the NAS being used for different data?
  • by allowing the office LAN to route to the Proxmox LAN, will there be an increased risk (if the Proxmox LAN doesn't currently have the same external accesses as the office LAN)?
These are just off the top of my head. A business environment is not the same as home and there are many risk factors that need to be considered before deciding to do something "just because it is technically possible to do it".

At present there has been a decision to place the NAS where it is and to allow the current connectivity to it. You should review what considerations resulted in the current situation and decide if they are maintained by adapting the network routing (just enough to allow office file sharing/File Station access), or if the original reasons still hold true.
 