How To Properly Design And Setup Network Attached Storage

  • Published on 31 Jul 2024
  • lawrence.video/storage
    Synology Playlist
    lawrence.video/synology
    TrueNAS Playlist
    lawrence.video/truenas
    Creating Firewall Rules To Secure Your Synology NAS
    • Creating Firewall Rule...
    How To Lock Down And Secure TrueNAS
    • How To Lock Down And S...
    Synology VS TrueNAS 2023
    lawrence.video/synology-vs-tr...
    Why Are SMB File Transfers Slow Over A VPN?
    • How Tailscale Makes Ma...
    Time Stamps
    00:00 - Storage Design
    00:33 - Don't Route Your Storage
    01:41 - Basic File Sharing With Windows Server
    02:14 - When and How To Use Network Attached Storage
    03:14 - Network Attached Storage & Moving To Virtualization
    05:00 - Using NAS iSCSI to Windows VM Server
    06:50 - Docker & Virtual Machine Storage
    #networking #truenas #synology
  • Science & Technology

Comments • 73

  • @etherboy3540 9 months ago +17

    At work we set up two switch stacks, one non-routed like vmotion, iscsi, nfs, etc. and the other for routed traffic. Each have dedicated distributed virtual switches inside vmware. Anything needing access to storage gets a nic on one of the non-routed vlans. This setup keeps back-end traffic separated from user traffic and has worked well for us over the years.

    • @kevinkirk529 9 months ago +1

      I do the same

  • @eins_namelezz 9 months ago +7

    Fun fact, I was actually looking for a direction like this recently, many thanks!

  • @NeilHyndman 9 months ago +10

    These videos are so well done, it gets me thinking of all of the things I need (or even want) to do with our corporate network. So many great ideas and well explained as well!

  • @link470 9 months ago +7

    I can certainly understand having storage on the same subnet for as fast as possible layer 2 communication to clients. However, for security, I usually will opt to having storage in its own VLAN/subnet and either routed on a Layer 3 switch with ACLs, or a firewall (even better if the firewall is "Next Generation" so you can take advantage of deep packet inspection, antivirus, etc. providing the horsepower is there and it doesn't become a bottleneck). If it's hypervisor storage, definitely don't route it. But most other situations, servers are on another VLAN.
    I also treat NAS devices like Synology as an IoT device though, so it doesn't have any access to any other subnets, and can only communicate outbound to Synology update servers for software updates. Inbound connections to the NAS storage from different subnets that can't talk to each other communicate to their specific shares on the NAS. I'm not a huge fan of the NAS having a connection to multiple subnets via different NICs (multi-homing) because in the extremely unlikely event that the NAS becomes compromised, there's a door open to other networks that bypasses the firewall or Layer 3 ACLs.

  • @dosmaiz7361 9 months ago +1

    Awesome video. I actually have the iscsi to esxi setup in my home network, and it works great. Glad to see this video fortifies my initial thought process on how I set up my home network.

  • @bulzaiguard 9 months ago +4

    This came at a perfect time just as I am looking into changing my setup

  • @techiot 9 months ago +4

    Paused video at 02:00 so as not to forget to comment how I appreciate not only for your content, but also for the way you present it. Hope you reach 1M subs and more (and I am certain you will) Best regards from Greece! - Now let's resume the video!

  • @blakebenner1723 9 months ago +6

    Hey Tom. Excellent video about best practices. I'm always looking for high quality system design and integrations content and you don't disappoint.

  • @marc3793 9 months ago +1

    Ditto. I was just drawing out my new network design on some A4 paper (not a pc 😅) as this video came out! Thankfully I was not far away from your recommendations, but great timing!

  • @DPCTechnology 9 months ago +2

    Great way to present it.. Good stuff!

  • @BradleyHerbst 9 months ago +4

    Excellent video, very well explained. If you're looking for more video ideas, doing a similar video put on switches I think would be pretty cool.

  • @VirendraBG 9 months ago

    Wow another great piece of information.
    I had your recommended design in my mind. Many thanks for validation.
    Respect from INDIA 🙏🏻

  • @ohraz 9 months ago +1

    You read my mind, just finished building a truenas, and thinking on how best to present this to the network

  • @dudeh9702 9 months ago +1

    Interesting ideas! I'm planning out my first TrueNAS Core home NAS and was planning on just having it connect to the "Server" subnet/interface on pfSense, and pfSense would route SMB to the "LAN" subnet/interface via firewall rules. Currently still on 1 Gig LAN but plans for 10 Gig copper and 25/100 fiber in the future so building a TrueNAS Core server with 4+ NICs might be faster? I'll watch your other videos you linked...

  • @MinRyan 8 months ago +1

    This video is great. A tad too late for me because I had 10TB vm disk on zfs and won't boot and had no backup. Readonly mode also did not work. If I saw this video a while ago, then I definitely would not set up a 10TB VM and lose all my data. This way if the data is corrupted due to power loss, I would only lose a few files instead of the whole VM. But great video and truly appreciated.

  • @yveskerckhofs 9 months ago

    Great video! I have a question about a specific scenario: Suppose there's a client device that regularly switches between different subnets, such as moving between subnets for wireless and wired devices. Since the IP address of the server changes depending on which subnet the client’s in, how would you ensure that the client can connect to the server without remapping the drive each time the client switches subnet? Would you use a separate DNS server for each subnet to resolve the server's hostname to its corresponding IP on that subnet?

  • @Heartl3ss21 9 months ago

    Hi Tom, we use a Synology NAS as our company's main file server. We store all critical user and department shared files there and since it works like a network drive, we use SMB to connect each computer to the folders (permissions based on user). Is that the way it is intended to be used? I have also implemented a scheduled sync with MS365 sharepoint as online backup every few days.

  • @xrekonx 9 months ago +1

    I have a remote Synology that VPN's back in to my home, many states away. It syncs with my local storage. This does get routed through 2 firewalls, but I haven't had any issues once I fine tuned everything.
    Edit: Home Lab/User

  • @ethansun3251 8 months ago

    Thank you for the amazing video! We connect NAS to ESXi as datastore and create VMs and data drive on VMs in datastore directly. But we backup these drives and VMs using VEEAMs to optimize the data and backup efficiency. In this sense, can we eliminate the need of a separate connection from NAS to VMs in your design please? Does our design include all benefits your design has to provide please? Thank you!

  • @SirHackaL0t. 9 months ago +2

    I had to fix a NAS a few years ago that was two units linked together with 2 vdevs that spanned both devices. It was great until the 2 units stopped talking to each other.
    I spent a New Years Eve and New Years Day fixing the storage with some help from an HP engineer.
    Don’t span VDEVs across more than one device.

    • @damiendye6623 9 months ago

      You needed a 3rd to allow erasure encoding. Going back to single point of failure ain't the answer

  • @peterchan1396 9 months ago

    How would you set up NAS storage for multiple VLANs, if route between network is not ideal? Having multiple NICs? In our network, the AD controller is located in server network, so if AD controller as file server, the client still needs to route the network in order to talk to the AD controller. Did I misunderstand something?

  • @firefon326 9 months ago

    I would like some elaboration on "don't route" is there some specific reason? If it's all on common local media and your router has the oomph to do it I don't see the problem with jumping vlans.

  • @diavuno3835 9 months ago

    Still running pfs for my office, been running untangle at home for about a year.
    If I have to pay, untangle is much nicer to use...

  • @SuperHousemusic19 2 months ago

    Please a video about TrueNas Recycle Bin

  • @eugenesmirnov252 9 months ago

    Ready to sign under every word.
    LXC btw if unprivileged, can't mount nfs shares.

  • @SomeGuyInSandy 9 months ago

    I have more backup data on my NAS boxes than I do actual data files. It's crazy!

  • @terry5008 9 months ago

    If you're using redundant, wire speed, layer three switches in your network core it isn't a problem to route file sharing.

  • @bertblankenstein3738 9 months ago

    A bit surprised to hear people actually put ALL the storage in to a virtual disk image. I'm just a computer hobbyist and TB vdis seems crazy to me. I do not do VM for my backup, but my backups are on dedicated physical disks I could easily move.

  • @splinter860 9 months ago +4

    First of all, thanks for the video! Always appreciate your insight, Tom. This time I have a question, though.
    I could use an elaboration on the first point, don't quite get what the use cases are. And I'm not quite sure I understand what "don't route" in this particular context really means.
    Is it basically about the least privilege principle? Like, keeping the storage network on a separate switch connected only to the storage itself and the hypervisors' designated storage NIC's? That kind of 'unrouteability'?
    If so, that seems like a bit too specific a case for such a general-sounding rule. Can't help but feel like I missed the point.

    • @RandallFlores86 9 months ago +1

      I think he means having the NAS/SAN on a different subnet. If your users and NAS/SAN are on separate subnets, when a user requests something from the file server, that traffic will have to pass through the router/firewall to get to its destination. Whereas both being on the same subnet means it would be L2 traffic and would not need to traverse the router. It's one less hop and also doesn't have to be processed by the firewall to apply any relevant rules. Anyone that knows better can correct me if I'm wrong.

    • @anthonymudge9768 9 months ago

      Routing is a lot more costly than switching when you're doing high performance networking. For gigabit networking it's probably fine.

    • @LAWRENCESYSTEMS 9 months ago +3

      What I am saying is put the interface that is serving the SMB/iSCSI/NFS on the same subnet as the devices connecting to it and not passing that traffic through the firewall. As mentioned in the video I have a video for Synology and TrueNAS on the topic of locking them down.

    • @splinter860 9 months ago

      @LAWRENCESYSTEMS Oh, crap, missed the notification. Thank you for the response!
      I guess the main source of confusion was my attempt to apply the advice to an existing design when the video is more applicable to designing a new network layout from scratch.
      SMB was mentioned and it's not too uncommon to have users on different subnets using common shares, so it wasn't exactly clear how to not route that kind of traffic. Overly complicated things came to mind.
      I think an example of when the design works best (on what scale, for instance) would probably help to steer the dummies like me into the right direction and overall convey the point better.
      Anyway, again, thanks a lot for what you're doing. Really appreciate the videos and moreso you taking time to write responses!

  • @AceBoy2099 8 months ago

    2 questions, 1 truenas related the other not so much, but maybe someone here would know.
    1. My truenas has a notice saying "freenas_default has expired" what's this mean and how do I fix it, it persisted through a reboot and update.
    2. Again I know you're a Truenas guy, but maybe someone can help me. How do I specify what vlan I want a VM to run on in Unraid, with that should I put my unraid on my Ubiquiti's "default" network or will it pickup the different vlans if I have it on my home vlan (10) with the rest of my PCs? If I move it to the default, how will that affect my adguard docker (and others that may be dhcp and not static)?

  • @Jerryhze0129 9 months ago

    Interesting thought experiment, we've always done a user-VLAN and a separate server-VLAN, so all traffic gets routed and filtered at the firewall, because I've read windows is kinda messy with multiple IPs on multiple interfaces, with DNS record could be mixed up in DNS server. I am not sure if it has any merit?
    Second question would be backup. We use Synology ABB to backup a windows file server VM on a Hyper-V host. When reading the docs of ABB, I remember it says it won't backup any iSCSI connected disks. If Synology presents iSCSI to file server VM, doesn't that mean they will get snapshotted at different schedules? File server VM snapshots via Hyper-V, and virtual disk snapshots via Synology snapshot, would that create inconsistency problem?

    • @LAWRENCESYSTEMS 9 months ago

      You would not back up the iSCSI connected to Windows from Windows, you would back up the NAS presenting the iSCSI.

  • @ivanmaglica264 9 months ago

    Hey Tom! What is more common, to attach ISCSI to Windows VM inside VM OS or to a host and then attach it to VM? Also how do you handle situation when storage needs exceed one ISCSI box, do you add another box and LVM them together in VM? Thanks for your wonderful content.

    • @LAWRENCESYSTEMS 9 months ago

      More common and better solution is people using a NAS. For iSCSI when they outgrow it we sell them another box and moved data to the bigger box

    • @ivanmaglica264 9 months ago

      @LAWRENCESYSTEMS What if they outgrow even the biggest single box solution? Putting demanding high random IOPS workloads like database on something like Gluster or Ceph seems out of question since AFAIK they add latency and can only reach certain level of IOPS.

  • @kiaser21 9 months ago

    Building an all-flash NVMe TrueNAS server right now for a client, to go alongside their Hyper-V all-flash server. VMs run on the Hyper-V server with local VHDXs on it. The TrueNAS server will essentially be for the file sharing of large architecture project files (CAD, Revit, etc), and not really used as an iSCSI target for the VMs because the project files need to be available directly from the ZFS pool of mirrors on TrueNAS (for accelerating file speed access, metadata acceleration, and ZFSs checksum/bitrot/scrub protections).
    But one problem is Revit Server, which is loaded on a Windows VM and dishes out project files to workstations through the VM itself. It requires that the VM see the files through a mapped drive, pulls the files from that, and then back out from the VM to workstations. Sort of acting like a database server.
    In that instance, the VM would benefit by accessing the files on TrueNAS through an iSCSI link, but then I'd lose the other benefits from ZFS by not having the files directly shared from the TrueNAS?

    • @LAWRENCESYSTEMS 9 months ago +1

      TrueNAS serving up iSCSI still benefits from ZFS performance because the blocks that make up the iSCSI are still stored there. But while the ARC may cache the blocks the meta data indexing is probably less effective.

    • @kiaser21 9 months ago

      @LAWRENCESYSTEMS I'll be putting a 100Gb direct link from VM server to TrueNAS server just for any iSCSI or backup functions, and keep a separate 100Gb link for file sharing to the primary LAN subnet that the VMs and workstations see. I'll get a good balance out of that with the way Revit Server acts.

  • @shanent5793 9 months ago

    How do you deal with broadcast traffic? Surely you can't put all the clients and servers on one segment, if that's what you mean by subnet?

    • @LAWRENCESYSTEMS 9 months ago +2

      If you have a thousand or more clients then you hopefully would be breaking them down into different subnets and installing multiple NICs in the NAS system.

  • @brokenicelight 9 months ago

    Why shouldn't I route the storage? If I want to strictly separate my devices I have to, haven't I? Like Storage VLAN, Client VLAN and e.g. Server VLAN. And I want to connect from my PC in the Client VLAN to the Synology in the Storage VLAN. Am I missing something?

    • @LAWRENCESYSTEMS 9 months ago +2

      Yes, routing NFS/SMB/iSCSI storage through a firewall is a performance and potentially a stability issue. Multiple NIC interfaces on the NAS is a far better solution.

    • @brokenicelight 9 months ago

      @LAWRENCESYSTEMS Okay so that the NAS is part of every needed VLAN but split to each NIC of the NAS? So Port 1 on the NAS Client VLAN and Port 2 Server VLAN and so on?

    • @LAWRENCESYSTEMS 9 months ago +1

      That is the more optimal way to implement storage connectivity.

    • @brokenicelight 9 months ago

      @LAWRENCESYSTEMS Thanks

    • @brokenicelight 9 months ago

      And could you make another video about how to pick the right hardware for a DIY firewall. I want to use Sophos XG Home and since today I planned it to support 10G speed for the Storage. The Reference were Sophos and pfsense Appliances.. but since I do not need that 10G speed with your approach to setting up Storage what should I scale or watch out for?

  • @johnpaulsen1849 9 months ago

    While I like the idea of where you are trying to go over high level design of storage.
    Seems dated, especially for VMware and Hyper-V clients mapping VMs with direct iscsi hasn't been a best practice in a long time as backup integration is lost.
    Speaking of backups between change block tracking and/or integrated to mine SAN storage for backups have been in products like Veeam, CommVault or Acronis, etc for years.
    Personally I would have focused more on understanding connections to modern storage and why more bandwidth is needed for servers, containers and apps today.

    • @LAWRENCESYSTEMS 9 months ago +1

      These setups are still extremely common in the small business setup and there are about 33 million small businesses in the US, which account for 99.9 percent of all US businesses.

  • @nicholastoo858 8 months ago

    Can’t find the link to the disadvantage of vpn

    • @LAWRENCESYSTEMS 7 months ago +1

      th-cam.com/video/bcRVkoeSN0E/w-d-xo.htmlsi=0D80CZsjiM8Ouei-

  • @andrewenglish3810 9 months ago

    Why not also use Microsoft Storage Service (server) as a 3rd option?

    • @LAWRENCESYSTEMS 9 months ago +1

      TrueNAS is a far better solution than Windows Storage Services.

    • @andrewenglish3810 9 months ago

      @LAWRENCESYSTEMS Maybe so, but I would have to spend a lot of money to get it going on TrueNAS, most SMB's won't spend the kind of money that is required.

    • @VirendraBG 9 months ago

      @andrewenglish3810
      After using TrueNAS Core for storage for 3 years now I can not see anything else for storage. I set up on 1 mine and 4 in my friends offices, I am so happy with it.
      It is almost like fit and forget.
      Thanks to Tom for the knowledge you have shared through your videos. 🙏🏻
      I wish I could get internship at his office. 😅

    • @andrewenglish3810 9 months ago

      @VirendraBG One of the things I don't like about TrueNAS is the lack of information on what hardware is and isn't supported. Take for instance, we have a Dell R540 with a Boss M.2 card, I know our PERC H730P is supposedly not supported but I have seen a tiny bit of information where people have managed to convert it into IT Mode but not fully explained how, and like I said there is very little to no information on people using the R540 with TrueNAS. I guess these servers are in such a demand with Windows OS's not too many people have converted them.

  • @minifig404 9 months ago

    You seem to be arguing against converged servers/infrastructure in its entirety. Any particular reason why?

  • @NetBandit70 9 months ago

    The whole reason iSCSI beat out HyperSCSI and ATA over Ethernet is because people insist on routing block storage. That being said, a SAN is not a NAS.

  • @PowerUsr1 9 months ago

    I don't agree with the topology [Users to Nas] but if it's a home set up that's fine. Enterprise that's an absolute no. Put that behind a firewall, please......

    • @LAWRENCESYSTEMS 9 months ago +1

      Nope! As I said in the video, bind only the services needed to an interface in the same subnet.

    • @jcnash02 9 months ago

      He is using a user access port on the NAS and a separate server-to-server port in another VLAN. ACLs could also do this work much faster than a FW rule.

  • @Bixmy 9 months ago

    do people really route smb iscsi nfs through firewall ☠☠☠☠☠☠

    • @LAWRENCESYSTEMS 9 months ago

      So much so I had to make this video about it.