- Aug 25, 2001
- 56,570
- 10,203
- 126
Here's what I want to do. I currently have some D-Link web-managed switches, and a mixtures of un-managed switches. What I'm planning on doing, is replacing the switches on the NAS and the workstation end with Zyxel 12-port (8x 1GbE-T, 2x 2.5GbE-T, and 2x 10GbE SFP+) switches, and I'm leaning towards getting the web-managed version for $200+, so that I can (hopefully) implement this.
I want my multiple NAS units, each (mostly) with multiple NICs, to be isolated to a "NAS VLAN", which the workstations would have access to, as well as having the workstations access to the internet connection (Gigabit WAN). The workstations currently have both a 2.5GbE-T and a 1GbE-T (one on USB3.0, because the onboard LAN burned out).
I plan on having a separate sub-net for each VLAN as well (which, in theory, could be enough, but I'm concerned enough about access issues that I want them actually VLAN'ed off at the switches as well).
I also want the ability to (temporarily) bridge the "internet" VLAN with the "NAS VLAN", to allow the NAS units to pull firmware updates. This may necessitate enabling the secondary 1GbE-T LAN connection on each NAS, allowing it to obtain an IP and gateway, and then do a search for firmware updates, or possibly, I could actually physically plug in a cable to bridge the VLANs (if port-based on switch), or possibly, I could simply bridge the two connections on my main workstation (temporarily), allow the NAS units to do firmware updates, and then disconnect the bridge.
Note that my NAS units were previously hacked through DNS hi-jacking of their (otherwise presumably local) domain names, and the data exfiltrated, so I want to enact some stricter policies in place to prevent that ever happening again.
Note that QNAP and Asustor have "helper apps" that run on the workstation, that can assist in configuration, and firmware updates (at least for QNAP, haven't checked Asustor), that could, in theory, if they pull the firmware version from the NAS (on the separate NAS VLAN, that the secondary adapter on the workstation has access to), and compare it with the "current release" firmware version (that would presumably go out on the "internet VLAN" on the workstation to check, and could then download and (with the proper password applied in the program) do the firmware update to the NAS semi-remotely.
Even if that "helper app" could ALERT the admin to a new firmware version being available, and then link to download it, and then allow the admin to manually connect to the NAS via the "NAS VLAN" and NIC, and upload/install the firmware that way, that would be acceptable too, and I wouldn't have to bridge the VLANs, even temporarily. That would probably be the BEST solution.
Assuming that scenario, in which the NAS units were: 1) on a separate subnet, with static IPs, and 2) on a separate NAS VLAN (hence no need for a default gateway or DHCP server either), how hard would that be to set up?
Just consider the default VLAN to be the "internet VLAN", and set up a VLAN ID for the "NAS VLAN", and assign those physical ports that the NAS NIC(s) are plugged into, to the NAS VLAN?
I need to have my two Zyxel managed switches "trunked" together over a 10GbE-T link to each other, and then have similar port-based VLANs assigned, for the two physical NICs in my workstations, the 2.5GbE-T NIC getting assigned to the "NAS VLAN", and the other 1GbE-T NIC set to the default VLAN and connecting to my router and DHCP server?
I want my multiple NAS units, each (mostly) with multiple NICs, to be isolated to a "NAS VLAN", which the workstations would have access to, as well as having the workstations access to the internet connection (Gigabit WAN). The workstations currently have both a 2.5GbE-T and a 1GbE-T (one on USB3.0, because the onboard LAN burned out).
I plan on having a separate sub-net for each VLAN as well (which, in theory, could be enough, but I'm concerned enough about access issues that I want them actually VLAN'ed off at the switches as well).
I also want the ability to (temporarily) bridge the "internet" VLAN with the "NAS VLAN", to allow the NAS units to pull firmware updates. This may necessitate enabling the secondary 1GbE-T LAN connection on each NAS, allowing it to obtain an IP and gateway, and then do a search for firmware updates, or possibly, I could actually physically plug in a cable to bridge the VLANs (if port-based on switch), or possibly, I could simply bridge the two connections on my main workstation (temporarily), allow the NAS units to do firmware updates, and then disconnect the bridge.
Note that my NAS units were previously hacked through DNS hi-jacking of their (otherwise presumably local) domain names, and the data exfiltrated, so I want to enact some stricter policies in place to prevent that ever happening again.
Note that QNAP and Asustor have "helper apps" that run on the workstation, that can assist in configuration, and firmware updates (at least for QNAP, haven't checked Asustor), that could, in theory, if they pull the firmware version from the NAS (on the separate NAS VLAN, that the secondary adapter on the workstation has access to), and compare it with the "current release" firmware version (that would presumably go out on the "internet VLAN" on the workstation to check, and could then download and (with the proper password applied in the program) do the firmware update to the NAS semi-remotely.
Even if that "helper app" could ALERT the admin to a new firmware version being available, and then link to download it, and then allow the admin to manually connect to the NAS via the "NAS VLAN" and NIC, and upload/install the firmware that way, that would be acceptable too, and I wouldn't have to bridge the VLANs, even temporarily. That would probably be the BEST solution.
Assuming that scenario, in which the NAS units were: 1) on a separate subnet, with static IPs, and 2) on a separate NAS VLAN (hence no need for a default gateway or DHCP server either), how hard would that be to set up?
Just consider the default VLAN to be the "internet VLAN", and set up a VLAN ID for the "NAS VLAN", and assign those physical ports that the NAS NIC(s) are plugged into, to the NAS VLAN?
I need to have my two Zyxel managed switches "trunked" together over a 10GbE-T link to each other, and then have similar port-based VLANs assigned, for the two physical NICs in my workstations, the 2.5GbE-T NIC getting assigned to the "NAS VLAN", and the other 1GbE-T NIC set to the default VLAN and connecting to my router and DHCP server?
Last edited:
Facebook
Twitter