NS7 vs NS8 requirements based on hosted cloud VPS only

Hi all,

Now that NS8 is the new star at the horizon, I am wondering how it can replace the complete and trusty old NS7 functionality based on Hosted cloud VPS only. I am not affiliated with anybody but tend to use Contabo.com VPS products, so that would be my comparison platform.

NS7:

1 single server
Firewall/Gateway
VPN + Virtual Interface (Dummy interface)
Wordpress
Asterisk
DokuWiki
Nextcloud

NS8 basics:
1 x VPS as Node 1
1 x VPS as Node 2
1 x Virtual Network (10.x.x.x.x)
1 x VPS as Nethsecurity

Next to the costs, a total setup based on NS8 would be completely different and maybe even tricky.

Can we create/share and co-write a drawing for this based on draw.io or something accessible to all?

TIA!

2 Likes

Hi @LayLow

Please compare apples with apples!

For NS7, you did not need two nodes, why do you now need 2 nodes AND a third node for NethSecurity?

On NS7, you could have also split it up, with heavy use modules on a second or third VPS besides the main VPS running eg AD and Mail…

NS8 can run all modules (besides NethSecurity) on a single node. I’m using / testing this at home now, and it works. I do not use NethSecurity, I have a working OPNsense hardware firewall, which I do not intend to change.

A VPN between two hosts in the Internet is usually not something billed additionally. Unless your hoster blocks two hosts from communicating with another, which would work if they were at different hosters. This is not a specific NS7 / NS8 problem, this is a billing issue your hoster (may) have.

As to “requiring” a firewall like NethSecurity (Or OPNsense for that matter…): Most hosters provide a “front-end” firewall to protect hosts from Internet attacks (In their own interest, and they know that most users / clients can’t handle real firewalling…). VPN can be handled by NethServer (NS7, and to some extent also NS8).

This is comparing apples with pears!

My 2 cents
Andy

PS:

Pear-PC was once an open-source emulation running on Intel based chips, to emulate a Power-PC, which is what then Apples were running on. It barely worked, at about 1 hundredth of the native speed of the CPU… Not really usable. And Apple still makes usable Desktops. (They can also run Windows or Linux Desktop OS…)

:slight_smile:

Having multiple nodes is using the capabilities on the NS8 design, not strictly required but holding off on that is not wise. The portfolio of services of the various cloud providers varies a lot, Contabo will charge for a virtual network between nodes. Nethsecurity is an essential part of the comparison and required. I do not have an at-home setup. Hence the title.

NS7 also had these “capabilities” and design options, as the illustration above shows. OK, you need a full “root” server, not a VPS, but it’s easily possible with NS7 - and also with NS8!

Splitting stuff up was already around in Mainframe times - as was virtualization.

Do you mean it is required for the VPN?

Yes an external VPN service could be needed as long as NS8 has no integrated VPN server today.

But it is possible to build a VPN server module for NS8, so the things can change in the future.

Supporting or not such scenario depends also on this thread discussion.

No, as a firewall for NS8 nodes/setup like NS7 as built in (server/gateway)? (AFAIK)?

:slight_smile: I only have hosted VPS cloud servers

The VPN is intended for road warriors and home users connecting to 1 of the NS8 nodes and have full access to all services provided by NS8 and modules. VPN as in Wireguard.

If you wanted multi node, you could easily have chosen a full root server, Contabo also offers these.

Now you just need more VPSs when you choose a VPS and want multi node…

It’s also a choice dictated by budget constraints (And no, I have not won Euro Billions or any such Jackpot :slight_smile: ) which anyone can and does have.

That’s why I used the word “need”… It’s not a requirement from your side at the moment, just nice to have…

That would not be an option for an adding VPS’s as nodes is WAY much easier and WAY cheaper than adding full root/bare metal servers/nodes. Also adding a storage VPS for use with e.g. Nextcloud is MUCH easier and cheaper.

I did say budget constraints…

So you basically comparing:

Before, I drove a small Datsun car called NS7.

Now, as Electric is more conscience positive, I “need” a Tesla…

Not really a “congruent” comparison Matrix… !!!

A single bare metal Hypervisor like Proxmox can easily run 10-20 VMs (nodes) on a single host, but just as easily on 2 or three hosts, depending on load. VPS you need several…

:slight_smile:

Nah, just trying to see how I can achieve the same as I have now on NS7 with NS8. And next to that see how this works out architecture wise, budget wise and additional benefits.

Not a big ask, I guess, especially since NS7 will fade away, so just prepping here.

Spotted that out right away!

But back to the question at hand, anybody please?

A NS8 cluster does not need to run behind a firewall device.

More specifically, if I want to run AD + File Server, I use a local node, not a cloud one. If I really must do it, a VPN for Windows clients is needed.

1 Like

Thanks, so I can run a NS8 cluster (like a NS7 server) in the cloud ‘as is’ no additional features required to provide services to the public internet without specific firewall (NS7 gateway mode)? And the NS8 cluster is fully secure/protected? If so, what is the added value to NS8 of Nethsecurity pls?

Yes.
NS8 has a built-in firewall that is used to expose only relevant ports to the public network: Firewall — NS8 documentation

Yes.

It’s a UTM firewall and you can use it as any other firewall in your network, it’s just up to you.
Apart from this, NS8 can host NethSecurity controller and can collect metrics and logs from all connected firewalls.
We also have some plans to integrate more NS8 and NethSecurity using other tools like an IPS or a SIEM.

6 Likes

I am reviving this topic since I think more people are having a VPS ONLY situation.
I would like some thoughts on best practices to install and run NS8 on a VPS.
Especially having security and massive attempts and probes for open ports etc.

I would restrict this to a SINGLE node. I guess no dedicated firewall is possible then.
Is it also not possible to enable a firewall on the hosting OS (in my case Debian 12)?

1 Like

Hi @robb

A few thoughts to using a VPS…

Most hosting providers / hosters will provide a firewall, some basic, some better. This is one option.

This has been explicitly discouraged installing anything (especially firewall) besides very basic on the OS.

CrowdSec is available and does provide protection. It isn’t a firewall, though…

My 2 cents
Andy

Exact item on my wishlist