Cloud Server network design best practices

Joined: Aug 10, 2018 | Messages: 46

I am tasked with designing the network and setting up a NAS / Cloud storage system for a few dozen users in a small office. We would like to have automated synchronisation from everybody's workstations to the storage server, group file shares and both local and remote access to those shares.

My loose plan is:

- FreeNAS / ZFS as the base system - then it will be easy to manage the storage pool through the webGUI and capitalise on all the nice ZFS features like snapshotting, data integrity, transparent compression etc. And also to periodically back up the whole system by transmitting snapshots to another, off-site ZFS system.

- Nextcloud in a jail on top of FreeNAS - running using application level encryption and 2FA

- Placing the server in the DMZ, accessible remotely and locally via a VPN (using external port forwarding / NAT-loopback).

Would love to hear comments, critiques, suggestions on the best way to do this, like... maybe there isn't much point in putting the server in the DMZ if most machines on the LAN will be in a VPN with it anyway?

[disclaimer: I posted this in spiceworks already but didn't get any answers, except 'use onedrive', thought the FreeNAS folks would likely have some insights.]
 

Chris Moore (Hall of Famer) | Joined: May 2, 2015 | Messages: 10,080

> FreeNAS / ZFS as the base system - then it will be easy to manage the storage pool through the webGUI and capitalise on all the nice ZFS features like snapshotting, data integrity, transparent compression etc. And also to periodically back up the whole system by transmitting snapshots to another, off-site ZFS system.

Did you want specific hardware suggestions?

> - Placing the server in the DMZ, accessible remotely and locally via a VPN

I would suggest having a separate computer running the Nextcloud in the DMZ with someone doing some vetting of the data just as a precaution against being hacked. We have data that is available outside copied over to the DMZ and someone is responsible to virus scan and otherwise verify the data being received is safe before it comes inside. It is a bit of a manual process but it is better for safety of the network than to have your actual file server for the local network also available in the DMZ where it might be subjected to attack from the internet.

> I posted this in spiceworks already but didn't get any answers, except 'use onedrive', thought the FreeNAS folks would likely have some insights.

Spiceworks is very Microsoft and online services oriented. Not usually very helpful if you actually want to do it in-house.
 

Hpb256632 (Cadet) | Joined: Feb 22, 2020 | Messages: 4

Create a second FreeNAS system off site and use the backup feature to store the info there as well, and connect using the TrueNAS setup.
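
Added example (not part of any post above, and not FreeNAS's own replication code): the off-site snapshot transfer mentioned in the first post and in the last reply, reduced to choosing the right `zfs send` invocation from the snapshot lists on both sides. Dataset, host and snapshot names are constructed, the function names are hypothetical, and the script only prints the command without running it.

```shell
#!/bin/sh
# Constructed sample input, oldest first, in the format printed by:
#   zfs list -H -t snapshot -o name -s creation <dataset>
SRC_SNAPS="tank/office@auto-2024-01-01
tank/office@auto-2024-01-02
tank/office@auto-2024-01-03"
DST_SNAPS="backup/office@auto-2024-01-01
backup/office@auto-2024-01-02"

# Print the newest snapshot tag (text after '@') present in both lists.
# $1 = source list, $2 = destination list. Prints nothing if none is shared.
latest_common_snapshot() {
    common=""
    for s in $1; do
        tag="${s#*@}"
        for d in $2; do
            if [ "${d#*@}" = "$tag" ]; then common="$tag"; fi
        done
    done
    if [ -n "$common" ]; then printf '%s\n' "$common"; fi
}

# Print the replication command to run on the source host.
# $1 = source dataset, $2 = destination dataset, $3 = ssh target (assumed),
# $4 = source snapshot list, $5 = destination snapshot list.
plan_replication() {
    newest=$(printf '%s\n' "$4" | tail -n 1)
    newest="${newest#*@}"
    base=$(latest_common_snapshot "$4" "$5")
    if [ -z "$newest" ]; then
        echo "ERROR: no snapshots on $1"; return 1
    elif [ -z "$base" ]; then
        # No shared snapshot: an incremental stream cannot be applied.
        echo "FULL: zfs send $1@$newest | ssh $3 zfs receive -u $2"
    elif [ "$base" = "$newest" ]; then
        echo "UP-TO-DATE: $2 already has @$newest"
    else
        # -I sends every intermediate snapshot between base and newest.
        # No -F on receive: if the destination changed after @base the
        # receive fails instead of silently rolling the backup back.
        echo "INCR: zfs send -I $1@$base $1@$newest | ssh $3 zfs receive -u $2"
    fi
}

plan_replication tank/office backup/office backup@offsite.example \
    "$SRC_SNAPS" "$DST_SNAPS"
```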
 