best way to share a nas between a DMZ and Office lan

Due to some budget constraints I would like to share my NAS between the machines on the DMZ (a Proxmox cluster) and my office LAN. I currently have an RS819 with 2 ports (soon to be upgraded to the RS1820+ with 4 1 Gb ports and 2 10 Gb ports).

On the Proxmox cluster the volumes are mounted using iSCSI. The office is actually using the File application.

The network is like this:

Code:
       INTERNET
              |
              |
         CORE ROUTER
          |        \ (Fiber)
          |         \
        SWITCH     OFFICE Gateway (Nat)  --- LAN
          |
          |
   PROXMOX CLUSTER

I can see 4 possibilities to share the NAS:

  • 1 port plugged into the DMZ, another into the office network, so the connection is physically isolated. But I lose the possibility in the Proxmox cluster of using the 2 ports in parallel with iSCSI multipath.
  • 2 ports plugged into the DMZ; use a tunnel/VPN to connect to the Proxmox cluster.
  • 2 ports plugged into the DMZ, and minimise routing to the IP when traffic comes from the office gateway (not sure how to do it though).
  • Plug the NAS into a switch, create 2 subnets in 2 VLANs and connect the 2 ports to it, and then connect the DMZ and the LAN each to one isolated port of the switch.

Thoughts? What are the good patterns for it (besides having 2 distinct NAS ;) ?
 

fredbert (Moderator):

Today, where is the NAS on the diagram? Connected to the switch between core router and proxmox cluster?

What is stopping access from office gateway <-> core router <-> switch <-> NAS ? Assuming firewall policies and ACLs are correct.

What's protecting the proxmox DMZ from the Internet? I'm guessing 'Internet' on the diagram is not the next hop from core router, but rather indicates generally where the Internet is in relation to this.
 
Original poster:

@fredbert the NAS needs to be accessible from the Proxmox cluster and from the network behind the office gateway. So either connected to the switch between the core router and the cluster, or connected to this switch and to a switch in the office network.

> What is stopping access from office gateway <-> core router <-> switch <-> NAS ? Assuming firewall policies and ACLs are correct.

Well, the office gateway is in its own subnet on a different port of the router. Maybe there is a way to connect them directly using a firewall rule?

> What's protecting the proxmox DMZ from the Internet? I'm guessing 'Internet' on the diagram is not the next hop from core router, but rather indicates generally where the Internet is in relation to this.

The Proxmox cluster is in its own subnet on one port, not connected to the others. The firewall on the router ensures it is connected directly to the Internet and has no relation with the other subnets.
 

fredbert (Moderator):

> @fredbert the NAS needs to be accessible from the Proxmox cluster and from the network behind the office gateway. So either connected to the switch between the core router and the cluster, or connected to this switch and to a switch in the office network.

Ok, but what I asked was: where is the NAS today? Connected to the switch?

> Well, the office gateway is in its own subnet on a different port of the router. Maybe there is a way to connect them directly using a firewall rule?

Routers route traffic between subnets, provided that they have been configured to do that. Even if the subnets are within different VRFs you can use the router to bridge two VRFs and pass traffic between them (subject to configuration etc).

So I'm not sure why being in different subnets is an issue when you have the office gateway (which will have routing capabilities, plus the NAT you identify) and a core router. You would need to add ACLs to the core router to permit office LAN traffic (hidden behind the office gateway's NAT IP) to route to the NAS in the proxmox cluster's subnet. And back, if the router works at packet level and not session.

If you just connect the NAS directly to each subnet then you are relying on the NAS not to bridge the two subnets in ways that are undesirable. While each subnet's devices can access the NAS, the NAS's services can likewise access each subnet... and today that's not the case and wouldn't be if you adapt your network's routing and security configurations. Why have a proxmox DMZ if you bridge it?
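As an added example that is not part of this thread (neither fredbert's post nor the OP's), here is a small Python model of the core-router ACL approach described above: one rule permitting the office gateway's NAT address to reach the NAS host (not the whole DMZ subnet) on the ports office clients need, and nothing from the DMZ towards the office. It also shows what "and back, if the router works at packet level and not session" means in practice: a packet-level (stateless) filter needs an explicit return rule keyed on source port, and that return rule also lets through a forged "reply" from the NAS that nobody asked for, whereas a session-aware (stateful) filter permits only replies to connections it saw opened. All addresses and ports are assumptions: 10.0.1.2 for the office gateway as seen by the core router, 10.0.2.0/24 for the DMZ with the NAS at 10.0.2.10 and a Proxmox node at 10.0.2.20, and TCP 445 (SMB) plus 5001 (DSM HTTPS) as the permitted services; iSCSI stays inside the DMZ.

```python
"""Toy model of a core-router ACL between an office gateway and a DMZ NAS.
Added example, not from the thread or any vendor; addresses are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing (not stated in the thread):
OFFICE_NAT = "10.0.1.2/32"          # office gateway's address as seen by the core router
NAS = "10.0.2.10/32"                # the NAS, inside the DMZ subnet 10.0.2.0/24
PROXMOX = "10.0.2.20"               # a Proxmox node in the same DMZ subnet
NAS_PORTS = frozenset({445, 5001})  # SMB and DSM HTTPS; iSCSI is not opened


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    src: str                         # CIDR the source address must fall in
    dst: str                         # CIDR the destination must fall in
    action: str                      # "permit" or "deny"
    sports: frozenset = frozenset()  # empty = any source port
    dports: frozenset = frozenset()  # empty = any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.sports or p.sport in self.sports)
                and (not self.dports or p.dport in self.dports))


def office_to_nas_rules(with_return_rule: bool) -> list:
    """ACL evaluated top-down, first match wins, implicit deny at the end.
    Only the NAS host is reachable from the office, not the DMZ subnet."""
    rules = [Rule(OFFICE_NAT, NAS, "permit", dports=NAS_PORTS)]
    if with_return_rule:
        # A packet-level filter sees replies as unrelated packets, so the
        # reverse direction must be opened explicitly, keyed on source port.
        rules.append(Rule(NAS, OFFICE_NAT, "permit", sports=NAS_PORTS))
    return rules


def evaluate_stateless(rules, p: Packet) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # implicit deny


class StatefulFilter:
    """Session-aware filter: a permitted connection-opening packet creates a
    state entry; later packets of that session pass in both directions.
    Anything else that is not a new connection is dropped."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "permit"
        if not p.syn:
            return "deny"  # mid-stream packet with no matching session
        verdict = evaluate_stateless(self.rules, p)
        if verdict == "permit":
            self.sessions.add(fwd)
        return verdict


def demo() -> dict:
    """Run constructed packets through each variant and collect the verdicts."""
    office_smb = Packet("10.0.1.2", "10.0.2.10", 50000, 445, syn=True)
    office_ssh = Packet("10.0.1.2", "10.0.2.10", 50001, 22, syn=True)
    office_pve = Packet("10.0.1.2", PROXMOX, 50002, 445, syn=True)
    pve_office = Packet(PROXMOX, "10.0.1.2", 50003, 445, syn=True)
    nas_reply = Packet("10.0.2.10", "10.0.1.2", 445, 50000)  # reply to office_smb
    forged = Packet("10.0.2.10", "10.0.1.2", 445, 60000)     # "reply" nobody asked for

    plain = office_to_nas_rules(with_return_rule=False)
    with_ret = office_to_nas_rules(with_return_rule=True)
    stateful = StatefulFilter(plain)

    return {
        "office->nas:445": evaluate_stateless(plain, office_smb),
        "office->nas:22": evaluate_stateless(plain, office_ssh),
        "office->proxmox:445": evaluate_stateless(plain, office_pve),
        "proxmox->office:445": evaluate_stateless(plain, pve_office),
        "reply/stateless/no return rule": evaluate_stateless(plain, nas_reply),
        "reply/stateless/return rule": evaluate_stateless(with_ret, nas_reply),
        "forged/stateless/return rule": evaluate_stateless(with_ret, forged),
        "office->nas:445/stateful": stateful.process(office_smb),
        "reply/stateful": stateful.process(nas_reply),
        "forged/stateful": stateful.process(forged),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

The point of the last three entries: with a stateless ACL the return rule is mandatory or SMB sessions never complete, but that same rule permits any packet the NAS (or anything that has compromised it) sends from source port 445 or 5001 towards the office. A stateful router only passes replies to sessions it saw the office open, which is the behaviour you want if the DMZ is the less trusted side.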
 
Original poster:

> Ok, but what I asked was: where is the NAS today? Connected to the switch?

> Routers route traffic between subnets, provided that they have been configured to do that. Even if the subnets are within different VRFs you can use the router to bridge two VRFs and pass traffic between them (subject to configuration etc).

> So I'm not sure why being in different subnets is an issue when you have the office gateway (which will have routing capabilities, plus the NAT you identify) and a core router. You would need to add ACLs to the core router to permit office LAN traffic (hidden behind the office gateway's NAT IP) to route to the NAS in the proxmox cluster's subnet. And back, if the router works at packet level and not session.

> If you just connect the NAS directly to each subnet then you are relying on the NAS not to bridge the two subnets in ways that are undesirable. While each subnet's devices can access the NAS, the NAS's services can likewise access each subnet... and today that's not the case and wouldn't be if you adapt your network's routing and security configurations. Why have a proxmox DMZ if you bridge it?

Until now I didn't have the split with the core router. I only had the UDM Pro and the NAS in the LAN. Sorry for not having made that clear...

If I understand correctly you suggest to connect the NAS only in the DMZ and let the core router handle the routes between the UDM Pro and the DMZ subnet?
 

fredbert (Moderator):

It would seem better to adapt routing. But there are still things you need to consider:
  • security policy that dictates interaction and controls between LAN segments of different use types: are there restrictions to expose to the Internet; business criticality of devices and data; intellectual property of data; data access restrictions.
  • should devices on the different subnets actually have access to the same NAS? Is it the same data for both? Why is the NAS being used for different data?
  • by allowing office LAN to route to the proxmox LAN will there be an increased risk (if proxmox LAN doesn't currently have the same external accesses as the office LAN).
These are just off the top of my head. A business environment is not the same as home and there are many risk factors that need to be considered before deciding to do something "just because it is technically possible to do it".

At present there has been a decision to place the NAS where it is and to allow the current connectivity to it. You should review what considerations resulted in the current situation and decide if they are maintained by adapting the network routing (just enough to allow office file sharing/File Station access), or if the original reasons still hold true.
 
