Storing data away from the DMZ?

NethServer 7.9.2009
Nextcloud, SOGo, etc. Everything in /var/lib/

Good Afternoon,

My company has mounted its NAS RAID storage nodes to the NethServer and we are very pleased with the entirety of the application. And we are proud to be one of the first in the USA to gain accessibility to this infrastructure according to the deployment maps.

Firstly, we need to ensure all data aside from the NethServer interface (the DMZ) is stored in our NAS (LAN, GREEN). We let NethServer know it will be the DMZ, and we need to configure the server to store its file systems offsite in the NAS. We would prefer to have /var/lib go to the mount (our NAS). If not, we want Nextcloud, SOGo, Asterisk and possibly a few more to store their directories in our NAS.

Your experience and guidance in this inquiry is appreciated!

Kindly,

@Dbayn

Hi Dustin

And welcome to the NethServer Forum!

If your goal is to improve security and availability of your IT resources, NethServer among them.

A few questions, just so I get the right picture…

Is the NethServer the primary router between LAN and DMZ?
→ This isn’t the best security solution! A separate box (firewall!) should separate LAN from DMZ, and (optimally) another box between DMZ and WAN. A box with 3 NICs, one each for LAN, DMZ and WAN, would force all traffic to pass through it twice, slowing performance…
And hacking that single box gives an attacker access to ALL networks…

These firewalls can and should be in HA (High Availability) using two boxes for each connection, if possible. Part of the redundancy could include VM-firewalls…

The same redundancy thought also is valid for your NAS system. Major vendors like Synology, QNAP and others all have usable HA options…

NethServer’s internal data storage under /var/lib/nethserver can easily be symlinked to e.g. an NFS-mounted NAS or a different disk. This works very stably and is update-safe, as long as hardware and components are of a certain quality! I would strongly suggest separating individual NFS mounts, e.g. Mail, iBays, Nextcloud. Non-voluminous configuration stuff should be left in /var/lib/nethserver. Make sure you choose quality components!

To increase availability, I’d very strongly suggest using virtualization. It’s 2023 now, native installs are only for die-hard hardware freaks. Virtualization gives you so many advantages you otherwise don’t have:

  • Fast disaster recovery, ignoring any hardware incompatibilities. In 30 minutes, I can install Proxmox on any suitable hardware. Restoring the Proxmox backup from a PBS (Proxmox Backup Server) is very fast.
    Even AMD or Intel CPU won’t matter, not even for Windows Servers!
  • Fast incremental backups of VMs; also offsite storage is fairly fast.
  • Fast live migration between nodes of a cluster, even without High Availability. Using a 1 GbE cluster link, a 16 GB RAM VM will migrate in about 90 seconds flat from one hardware to the next - all while running!
  • Backups including full VM restores, but also individual files and folders from almost any system, but especially for Windows and Linux OSes, all included without extra costs…

→ Proxmox can run with or without paid support, just like NethServer!

These are just a few quick thoughts without knowing much. Then again, I have planned security for Swiss Banks, among others…

Send me a PM, if you need more hints on security, with less public exposure…

My 2 cents
Andy

3 Likes

Hey Andy,

We have a gateway unit and firewall unit separate from our edge unit that is running the NethServer OS. We have net sheltered a Synology rack station and expansions with 500 TB and scalable, qualifying as our NAS with dedicated backups. I’m going to take your advice and explore the deployment you mention. I will PM you!

1 Like

Andy,

You mentioned the /var/lib/ can easily be symlinked to the NFS. Can you point me in the right direction on how we can perform this?

Thanks!

Hi Dustin

I can “see” you’re typing right now.
To make things simpler, I’d suggest a voice chat, either Skype or Telegram, as an International phone call is too expensive and I don’t own any Telco stock! :slight_smile:
I don’t touch anything by Zucki, so WhatsApp is out of the question.

My Skype handle:
andy_wismer

My Telegram handle:
@Andy_Wismer

My 2 cents
Andy

Andy,

No worries. Skype is fine. Let me know how to proceed!

Thanks!

Symlink:

I’d suggest mounting using NFS (I’m also a major Synology user), and Synology is Linux based, just as NethServer. Linux uses NFS, that uses the least overhead, and both NethServer and Synology work well together.

I’d mount each share from Synology under /mnt/SHARENAME.
The shares in NethServer are created in Cockpit, or by installing an app like Nextcloud (I’m also a major user of Nextcloud). If the share has any content, copy this aside to a temporary location first (!). If not, it’s much easier…
Move the structure on NethServer aside, for example a share (iBay) called Data. You can temporarily move this e.g. to top level, e.g. /Data. Then create a symlink on Linux (Midnight Commander if you’re unsure!), from your mounted share under /mnt/SHARE to NethServer’s /var/lib/nethserver/ibays/SHARE.
After that, move the temporarily moved share folder from top level to /mnt/SHARE, so the subfolders are kept as is.
Same would be valid for example for Nextcloud:
/var/lib/nethserver/nextcloud…

Important Note about NextCloud File Sharing:
I use Nextcloud file sharing intensively. If using Nextcloud itself as share location, everything is stored in the database…
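The procedure described in the post above (mount the NAS share under /mnt/SHARENAME, move the NethServer directory aside, symlink it to the mount, then move the content back in), written out as an added example script. This is not code from the thread or from the NethServer project; the export name nas.example.lan:/volume1/Data, the mount point /mnt/Data and the iBay path /var/lib/nethserver/ibays/Data are placeholders to be replaced with your own. The mount step needs root and a reachable NAS, so it is separated from the relocation logic and only runs when RUN_RELOCATE=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): relocate a NethServer share directory
# onto an NFS-mounted NAS share and leave a symlink in its place.
# Export, mount point and share path are placeholders; override via environment.
set -eu

NAS_EXPORT="${NAS_EXPORT:-nas.example.lan:/volume1/Data}"   # hypothetical NFS export
MOUNTPOINT="${MOUNTPOINT:-/mnt/Data}"
SHARE_DIR="${SHARE_DIR:-/var/lib/nethserver/ibays/Data}"

# mount_share MOUNTPOINT EXPORT: mount the export (needs root).
# 'hard' makes I/O block instead of failing while the NAS is unreachable, so a
# NAS hiccup cannot silently lose writes; NFSv4 needs only TCP port 2049, which
# keeps the rule on the firewall between DMZ and LAN to a single port.
mount_share() {
    mkdir -p "$1"
    mount -t nfs -o vers=4,hard "$2" "$1"
}

# fstab_line MOUNTPOINT EXPORT: print the /etc/fstab entry that makes the
# mount persistent across reboots (_netdev waits for networking).
fstab_line() {
    printf '%s %s nfs vers=4,hard,_netdev 0 0\n' "$2" "$1"
}

# relocate_share SRC DST: move SRC aside, symlink SRC -> DST, then copy the
# saved content into DST preserving permissions (and ownership when root).
# The aside copy is kept for the admin to delete after verifying; its path is
# printed on stdout. Refuses to run twice or against an unmounted target.
relocate_share() {
    src="$1"; dst="$2"
    if [ -L "$src" ]; then
        echo "refusing: $src is already a symlink" >&2; return 1
    fi
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "refusing: $src and $dst must both be directories (is $dst mounted?)" >&2; return 1
    fi
    aside="${src}.pre-nfs"
    mv "$src" "$aside"
    ln -s "$dst" "$src"
    (cd "$aside" && tar cf - .) | (cd "$dst" && tar xpf -)
    echo "$aside"
}

# Only act when explicitly requested, so the functions can be sourced safely.
if [ "${RUN_RELOCATE:-0}" = "1" ]; then
    mount_share "$MOUNTPOINT" "$NAS_EXPORT"
    fstab_line "$MOUNTPOINT" "$NAS_EXPORT" >> /etc/fstab
    relocate_share "$SHARE_DIR" "$MOUNTPOINT"
fi
```

Stop the services that write to the share (e.g. Samba for an iBay) before running it, and check that the NAS export does not map the NethServer users to nobody (root_squash on the export is fine, but the share's own uids/gids must survive the copy, which is why the copy runs as root with tar -p).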

Devil advocate corner here…
Unless the connection between the server and the storage is redundant and at least 10 Gbps (copper, fiber, whatever), I don’t think that externalizing the storage from the system might be a wise idea for performance and reliability.

At least with… network protocols.
I know that things like Fibre Channel or NVMe-oF mostly rely on similar kinds of infrastructure and media; sometimes Ethernet switches and FC switches share most of the hardware but with different software. However: both SAN protocols don’t (all) rely on TCP/IP, which introduces nice features but also increased latency and traffic overhead.

Andy,

Yesterday I backed everything up and I took your advice. ProxMox is now the base of our data center’s hierarchy.

I must say… I’m in heaven!!! :slight_smile:

This was so worth it!!! :smile:

2 Likes

Dude, we wiped the entire system, added an entire layer of the interface at the base, and deployed all our systems on VE overnight. No one even knew in the morning.

2 Likes

I had the same experience in 2015, after using VMware for more than 15 years, when I first tried Proxmox.
And the first attempt at using Proxmox’s own Backup Server, PBS, was another déjà-vu experience!

Proxmox is really the first step in moving to a SDN (Software Defined Network)!

It’s so amazing that I can even run Novell NetWare (which just won’t boot on Proxmox with networking, but WILL work well in VMware’s ESXi) completely in VMware ESXi INSIDE of Proxmox. Cascaded virtualization sounds so innocent!

Drop a line when you have time for a chat!

My 2 cents
Andy

PS: That’s a “decent” server for Proxmox you’re running there: 72 cores on 2 sockets, along with some 370 GB RAM… Just the storage seems a bit lacking, not quite on par with CPU & RAM levels…

1 Like

Sounds like a love story to me over here! :wink:

The power of sharing.