How To Properly Design And Setup Network Attached Storage
- Published 31 Jul 2024
- lawrence.video/storage
Synology Playlist
lawrence.video/synology
TrueNAS Playlist
lawrence.video/truenas
Creating Firewall Rules To Secure Your Synology NAS
How To Lock Down And Secure TrueNAS
Synology VS TrueNAS 2023
lawrence.video/synology-vs-tr...
Why Are SMB File Transfers Slow Over A VPN?
• How Tailscale Makes Ma...
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Time Stamps
00:00 - Storage Design
00:33 - Don't Route Your Storage
01:41 - Basic File Sharing With Windows Server
02:14 - When and How To Use Network Attached Storage
03:14 - Network Attached Storage & Moving To Virtualization
05:00 - Using NAS iSCSI to Windows VM Server
06:50 - Docker & Virtual Machine Storage
#networking #truenas #synology - Science & Technology
At work we set up two switch stacks, one non-routed for vMotion, iSCSI, NFS, etc. and the other for routed traffic. Each has dedicated distributed virtual switches inside VMware. Anything needing access to storage gets a NIC on one of the non-routed VLANs. This setup keeps back-end traffic separated from user traffic and has worked well for us over the years.
I do the same
Fun fact, I was actually looking for a direction like this recently, many thanks!
These videos are so well done, it gets me thinking of all of the things I need (or even want) to do with our corporate network. So many great ideas and well explained as well!
I can certainly understand having storage on the same subnet for the fastest possible layer 2 communication to clients. However, for security, I usually opt to have storage in its own VLAN/subnet and either routed on a Layer 3 switch with ACLs, or a firewall (even better if the firewall is "Next Generation" so you can take advantage of deep packet inspection, antivirus, etc., providing the horsepower is there and it doesn't become a bottleneck). If it's hypervisor storage, definitely don't route it. But in most other situations, servers are on another VLAN.
I also treat NAS devices like Synology as an IoT device though, so it doesn't have any access to any other subnets, and can only communicate outbound to Synology update servers for software updates. Inbound connections to the NAS storage from different subnets that can't talk to each other communicate to their specific shares on the NAS. I'm not a huge fan of the NAS having a connection to multiple subnets via different NICs (multi-homing) because in the extremely unlikely event that the NAS becomes compromised, there's a door open to other networks that bypasses the firewall or Layer 3 ACLs.
Awesome video. I actually have the iSCSI to ESXi setup in my home network, and it works great. Glad to see this video fortifies my initial thought process on how I set up my home network.
This came at a perfect time just as I am looking into changing my setup.
Paused video at 02:00 so as not to forget to comment how I appreciate not only for your content, but also for the way you present it. Hope you reach 1M subs and more (and I am certain you will) Best regards from Greece! - Now let's resume the video!
Thanks!
Hey Tom. Excellent video about best practices. I'm always looking for high quality system design and integrations content and you don't disappoint.
Glad it was helpful!
Ditto. I was just drawing out my new network design on some A4 paper (not a pc 😅) as this video came out! Thankfully I was not far away from your recommendations, but great timing!
Great way to present it.. Good stuff!
Excellent video, very well explained. If you're looking for more video ideas, doing a similar video but on switches I think would be pretty cool.
Wow another great piece of information.
I had your recommended design in my mind. Many thanks for the validation.
Respect from INDIA 🙏🏻
You read my mind, just finished building a truenas, and thinking on how best to present this to the network
Interesting ideas! I'm planning out my first TrueNAS Core home NAS and was planning on just having it connect to the "Server" subnet/interface on pfSense, and pfSense would route SMB to the "LAN" subnet/interface via firewall rules. Currently still on 1 Gig LAN but plans for 10 Gig copper and 25/100 fiber in the future so building a TrueNAS Core server with 4+ NICs might be faster? I'll watch your other videos you linked...
This video is great. A tad too late for me because I had a 10TB VM disk on ZFS that won't boot and had no backup. Read-only mode also did not work. If I had seen this video a while ago, then I definitely would not have set up a 10TB VM and lost all my data. This way, if the data is corrupted due to power loss, I would only lose a few files instead of the whole VM. But great video and truly appreciated.
Great video! I have a question about a specific scenario: Suppose there's a client device that regularly switches between different subnets, such as moving between subnets for wireless and wired devices. Since the IP address of the server changes depending on which subnet the client’s in, how would you ensure that the client can connect to the server without remapping the drive each time the client switches subnet? Would you use a separate DNS server for each subnet to resolve the server's hostname to its corresponding IP on that subnet?
Hi Tom, we use a Synology NAS as our company's main file server. We store all critical user and department shared files there and since it works like a network drive, we use SMB to connect each computer to the folders (permissions based on user). Is that the way it is intended to be used? I have also implemented a scheduled sync with MS365 SharePoint as an online backup every few days.
I have a remote Synology that VPN's back in to my home, many states away. It syncs with my local storage. This does get routed through 2 firewalls, but I haven't had any issues once I fine tuned everything.
Edit: Home Lab/User
Thank you for the amazing video! We connect the NAS to ESXi as a datastore and create VMs and data drives on VMs in the datastore directly. But we back up these drives and VMs using Veeam to optimize the data and backup efficiency. In this sense, can we eliminate the need for a separate connection from the NAS to the VMs in your design? Does our design include all the benefits your design provides? Thank you!
I had to fix a NAS a few years ago that was two units linked together with 2 vdevs that spanned both devices. It was great until the 2 units stopped talking to each other.
I spent a New Years Eve and New Years Day fixing the storage with some help from an HP engineer.
Don’t span VDEVs across more than one device.
You needed a 3rd to allow erasure coding. Going back to a single point of failure ain't the answer.
How would you set up NAS storage for multiple VLANs, if routing between networks is not ideal? Having multiple NICs? In our network, the AD controller is located in the server network, so if the AD controller acts as file server, the client still needs to route across the network in order to talk to the AD controller. Did I misunderstand something?
I would like some elaboration on "don't route". Is there some specific reason? If it's all on common local media and your router has the oomph to do it, I don't see the problem with jumping VLANs.
Still running pfs for my office, been running untangle at home for about a year.
If I have to pay, untangle is much nicer to use...
Please make a video about the TrueNAS Recycle Bin.
Ready to sign under every word.
LXC btw, if unprivileged, can't mount NFS shares.
I have more backup data on my NAS boxes than I do actual data files. It's crazy!
If you're using redundant, wire speed, layer three switches in your network core it isn't a problem to route file sharing.
A bit surprised to hear people actually put ALL the storage in to a virtual disk image. I'm just a computer hobbyist and TB vdis seems crazy to me. I do not do VM for my backup, but my backups are on dedicated physical disks I could easily move.
First of all, thanks for the video! Always appreciate your insight, Tom. This time I have a question, though.
I could use an elaboration on the first point, don't quite get what the use cases are. And I'm not quite sure I understand what "don't route" in this particular context really means.
Is it basically about the least privilege principle? Like, keeping the storage network on a separate switch connected only to the storage itself and the hypervisors' designated storage NIC's? That kind of 'unrouteability'?
If so, that seems like a bit too specific a case for such a general-sounding rule. Can't help but feel like I missed the point.
I think he means having the NAS/SAN on a different subnet. If your users and NAS/SAN are on separate subnets, when a user requests something from the file server, that traffic will have to pass through the router/firewall to get to its destination, whereas both being on the same subnet means it would be L2 traffic and would not need to traverse the router. It's one less hop and also doesn't have to be processed by the firewall to apply any relevant rules. Anyone that knows better can correct me if I'm wrong.
Routing is a lot more costly than switching when you're doing high performance networking. For gigabit networking it's probably fine.
What I am saying is put the interface that is serving the SMB/iSCSI/NFS on the same subnet as the devices connecting to it and not passing that traffic through the firewall. As mentioned in the video I have a video for Synology and TrueNAS on the topic of locking them down.
@LAWRENCESYSTEMS Oh, crap, missed the notification. Thank you for the response!
I guess the main source of confusion was my attempt to apply the advice to an existing design when the video is more applicable to designing a new network layout from scratch.
SMB was mentioned and it's not too uncommon to have users on different subnets using common shares, so it wasn't exactly clear how to not route that kind of traffic. Overly complicated things came to mind.
I think an example of when the design works best (on what scale, for instance) would probably help to steer the dummies like me into the right direction and overall convey the point better.
Anyway, again, thanks a lot for what you're doing. Really appreciate the videos and more so you taking time to write responses!
2 questions, 1 TrueNAS related, the other not so much, but maybe someone here would know.
1. My TrueNAS has a notice saying "freenas_default has expired". What does this mean and how do I fix it? It persisted through a reboot and update.
2. Again, I know you're a TrueNAS guy, but maybe someone can help me. How do I specify what VLAN I want a VM to run on in Unraid? With that, should I put my Unraid on my Ubiquiti's "default" network, or will it pick up the different VLANs if I have it on my home VLAN (10) with the rest of my PCs? If I move it to the default, how will that affect my AdGuard docker (and others that may be DHCP and not static)?
Interesting thought experiment. We've always done a user VLAN and a separate server VLAN, so all traffic gets routed and filtered at the firewall, because I've read Windows is kinda messy with multiple IPs on multiple interfaces, with DNS records that could be mixed up in the DNS server. I am not sure if it has any merit?
Second question would be backup. We use Synology ABB to back up a Windows file server VM on a Hyper-V host. When reading the docs of ABB, I remember it says it won't back up any iSCSI connected disks. If Synology presents iSCSI to the file server VM, doesn't that mean they will get snapshotted at different schedules? File server VM snapshots via Hyper-V, and virtual disk snapshots via Synology snapshot, would that create an inconsistency problem?
You would not back up the iSCSI connected to Windows from Windows, you would back up the NAS presenting the iSCSI.
Hey Tom! What is more common, to attach iSCSI to a Windows VM inside the VM OS or to a host and then attach it to the VM? Also how do you handle the situation when storage needs exceed one iSCSI box, do you add another box and LVM them together in the VM? Thanks for your wonderful content.
The more common and better solution is people using a NAS. For iSCSI, when they outgrow it we sell them another box and move the data to the bigger box.
@LAWRENCESYSTEMS What if they outgrow even the biggest single box solution? Putting demanding high random IOPS workloads like databases on something like Gluster or Ceph seems out of the question since AFAIK they add latency and can only reach a certain level of IOPS.
Building an all-flash NVMe TrueNAS server right now for a client, to go alongside their Hyper-V all-flash server. VMs run on the Hyper-V server with local VHDXs on it. The TrueNAS server will essentially be for the file sharing of large architecture project files (CAD, Revit, etc), and not really used as an iSCSI target for the VMs because the project files need to be available directly from the ZFS pool of mirrors on TrueNAS (for accelerating file speed access, metadata acceleration, and ZFSs checksum/bitrot/scrub protections).
But one problem is Revit Server, which is loaded on a Windows VM and dishes out project files to workstations through the VM itself. It requires that the VM see the files through a mapped drive, pulls the files from that, and then back out from the VM to workstations. Sort of acting like a database server.
In that instance, the VM would benefit by accessing the files on TrueNAS through an iSCSI link, but then I'd lose the other benefits from ZFS by not having the files directly shared from the TrueNAS?
TrueNAS serving up iSCSI still benefits from ZFS performance because the blocks that make up the iSCSI are still stored there. But while the ARC may cache the blocks, the metadata indexing is probably less effective.
@LAWRENCESYSTEMS I'll be putting a 100Gb direct link from VM server to TrueNAS server just for any iSCSI or backup functions, and keep a separate 100Gb link for file sharing to the primary LAN subnet that the VMs and workstations see. I'll get a good balance out of that with the way Revit Server acts.
How do you deal with broadcast traffic? Surely you can't put all the clients and servers on one segment, if that's what you mean by subnet?
If you have a thousand or more clients then you hopefully would be breaking them down into different subnets and installing multiple NICs in the NAS system.
Why shouldn't I route the storage? If I want to strictly separate my devices I have to, haven't I? Like Storage VLAN, Client VLAN and e.g. Server VLAN. And I want to connect from my PC in the Client VLAN to the Synology in the Storage VLAN. Am I missing something?
Yes, routing NFS/SMB/iSCSI storage through a firewall is a performance and potentially a stability issue. Multiple NIC interfaces on the NAS is a far better solution.
@LAWRENCESYSTEMS Okay, so the NAS is part of every needed VLAN but split to each NIC of the NAS? So Port 1 on the NAS Client VLAN and Port 2 Server VLAN and so on?
That is the more optimal way to implement storage connectivity.
@LAWRENCESYSTEMS Thanks
And could you make another video about how to pick the right hardware for a DIY firewall? I want to use Sophos XG Home and until today I planned it to support 10G speed for the storage. The reference was Sophos and pfSense appliances, but since I do not need that 10G speed with your approach to setting up storage, what should I scale or watch out for?
While I like the idea of where you are trying to go over high level design of storage.
Seems dated, especially for VMware and Hyper-V clients mapping VMs with direct iscsi hasn't been a best practice in a long time as backup integration is lost.
Speaking of backups between change block tracking and/or integrated to mine SAN storage for backups have been in products like Veeam, CommVault or Acronis, etc for years.
Personally I would have focused more on understanding connections to modern storage and why more bandwidth is needed for servers, containers and apps today.
These setups are still extremely common in the small business setup and there are about 33 million small businesses in the US, which account for 99.9 percent of all US businesses.
Can't find the link to the disadvantages of VPN.
th-cam.com/video/bcRVkoeSN0E/w-d-xo.htmlsi=0D80CZsjiM8Ouei-
Why not also use Microsoft Storage Service (server) as a 3rd option?
TrueNAS is a far better solution than Windows Storage Services.
@LAWRENCESYSTEMS Maybe so, but I would have to spend a lot of money to get it going on TrueNAS; most SMBs won't spend the kind of money that is required.
@andrewenglish3810
After using TrueNAS Core for storage for 3 years now I can not see anything else for storage. I set up 1 on mine and 4 in my friends' offices, I am so happy with it.
It is almost like fit and forget.
Thanks to Tom for the knowledge you have shared through your videos. 🙏🏻
I wish I could get internship at his office. 😅
@VirendraBG One of the things I don't like about TrueNAS is the lack of information on what hardware is and isn't supported. Take for instance, we have a Dell R540 with a BOSS M.2 card. I know our PERC H730P is supposedly not supported, but I have seen a tiny bit of information where people have managed to convert it into IT Mode but not fully explained how, and like I said there is very little to no information on people using the R540 with TrueNAS. I guess these servers are in such demand with Windows OSes that not too many people have converted them.
You seem to be arguing against converged servers/infrastructure in its entirety. Any particular reason why?
How so?
The whole reason iSCSI beat out HyperSCSI and ATA over Ethernet is because people insist on routing block storage. That being said, a SAN is not a NAS.
I don't agree with the topology [Users to NAS], but if it's a home setup that's fine. Enterprise, that's an absolute no. Put that behind a firewall, please......
Nope! As I said in the video, bind only the services needed to an interface in the same subnet.
He is using a user access port on the NAS and a separate server-to-server port in another VLAN. ACLs could also do this work much faster than a FW rule.
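A concrete form of what Tom and the reply above describe (services bound only to the NAS interface that sits in each subnet, no routing through a firewall), as an added example that is not from the video or any commenter: a Samba configuration for a multi-homed Linux-based NAS. The interface names, subnets and share paths are constructed placeholders.

```ini
[global]
   ; Constructed layout for this example:
   ;   eth0 = management only (10.0.0.0/24)   -> no SMB here
   ;   eth1 = client VLAN      (10.0.10.0/24) -> user shares
   ;   eth2 = server VLAN      (10.0.20.0/24) -> hypervisor/backup shares
   ;
   ; Weak default: with "interfaces" unset, smbd listens on every address,
   ; so SMB is reachable from the management network and anything routed
   ; to it. The two lines below restrict listening to the storage-facing
   ; NICs only; each client talks to the address on its own subnet (L2).
   bind interfaces only = yes
   interfaces = eth1 eth2

   ; Default allow-list for all shares: only directly connected subnets.
   ; Share-level "hosts allow" below overrides this per share.
   hosts allow = 10.0.10.0/24 10.0.20.0/24
   hosts deny  = ALL

   ; Binding services does not stop the kernel from forwarding packets
   ; between eth1 and eth2 (the multi-homing worry raised above). On Linux
   ; that needs net.ipv4.ip_forward = 1, which is off by default and
   ; should stay off on a NAS so it cannot bridge the two VLANs.

[users]
   ; User data: reachable from the client VLAN only
   path = /mnt/pool/users
   hosts allow = 10.0.10.0/24
   valid users = @staff
   read only = no

[vmbackups]
   ; Backup target written by the hypervisor: server VLAN only
   path = /mnt/pool/vmbackups
   hosts allow = 10.0.20.0/24
   valid users = backupsvc
   read only = no
```

Run `testparm -s` after editing to confirm Samba parses the file and shows the intended interfaces and allow-lists; the same per-subnet pattern applies to NFS exports, where each export line names the subnet permitted to mount it.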
Do people really route SMB, iSCSI and NFS through a firewall? ☠☠☠
So much so I had to make this video about it.