Isolate NAS and Backup Pools

We recently implemented TrueNAS SCALE to replace an aged Windows-based NAS and provide an S3 target for our backups. Our plan to deploy a server for each of these roles was shot down in Finance, leaving us with one well-equipped server.

  • The NAS and server management are meant to take place over our corporate network (10.4.10.0/24). The backup volume should not be accessible from here.
  • The volume and/or datasets that we use for backup should be accessible across the backup vlan (10.5.10.0/24) only.
  • We have four NICs in the server. The first two were used to create a bond and were set up with an IP on the corporate network (10.4.10.0/24). The last two were bonded but an IP hasn’t been assigned.
  • The backup server and current target live in a VLAN and have 10.5.10.x IP addresses.

My (hopefully achievable) goal is to isolate the NAS and most management duties to the corporate network and isolate the backup volume and related management tasks to the backup network.

My vision is that when I log in to manage TrueNAS on the corporate network I don’t see the backup volume, and when I log in to TrueNAS from the IP on the backup network I only see the backup volume.

I need a combination of things that include setting specific permissions, and isolating the networks used for each task. Is this possible?

Thank you,

MJ

You keep mentioning NAS and managing TrueNAS versus backups.

If you just want the GUI on one sub-net and the backups available on another, with no overlap, perhaps that is possible.

Or is it the S3 target that you want on the 10.5.10.0/24 sub-net?
And the rest of the NAS, GUI & Shares, on the 10.4.10.0/24 sub-net?

With some clarification perhaps someone can answer your questions.

@Arwen thank you for the fast reply!

Below is my effort to summarize what I am looking to do. Perhaps I should’ve started here with just a brief overview. My apologies, I tend to be wordy. I hope what I’ve written below better explains what I’d like to do.

Objective: Configure one TrueNAS server to function like two separate servers

Server 1 - File server (NAS) on our corporate network
Server 2 - Target for backups on the backup network.

  1. Backup traffic between my backup server and the “backup” zvol to go over 10.5.10.0/24.
  2. SMB traffic to happen on the 10.4.10.0/24 network.
  3. SysAdmins should have unadulterated access to TrueNAS with the exception of everything that pertains to our backup environment (zvol, datasets, local users and groups).
  4. Backup Admin should only have access to the backup related parts of our TrueNAS server.

#1 above, I need a little assistance with how to restrict access to the “backup” zvol to the 10.5.10.0/24 network only. I have two free NICs I can use.
#2 is done
#3 & #4 I suspect this is done with user/group permissions, at least in part.

Please let me know what additional information I can provide. Again, thank you.

MJ
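An added example for item #1 of the post above (not code from the thread or from TrueNAS itself). The mechanism that keeps the backup target off the corporate network is binding: give the second bond an address in 10.5.10.0/24 and bind the S3 service to that address only, while the web GUI and SMB stay bound to the 10.4.10.x address (TrueNAS exposes a bind address for the GUI under System Settings > General and for the SMB and S3 services in their service settings). Whether that actually took effect is something to verify from the socket table, so the script below checks `ss`-style listener lines against an address policy. The addresses 10.4.10.20 and 10.5.10.20, the ports (443 GUI, 445 SMB, 9000 S3), and the sample socket tables are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from TrueNAS itself: check that each
# service listens only on the address of the network that should reach it.
# Addresses and ports below are assumptions for illustration.

CORP_IP="10.4.10.20"     # assumed address on the corporate bond (10.4.10.0/24)
BACKUP_IP="10.5.10.20"   # assumed address on the backup bond (10.5.10.0/24)

# Policy: TCP port -> the only local address it may be bound to.
# 443 = web GUI, 445 = SMB, 9000 = S3 (MinIO default); all assumed.
POLICY="443 $CORP_IP
445 $CORP_IP
9000 $BACKUP_IP"

# Constructed samples in the shape of `ss -Hltn` output (no header line):
# State Recv-Q Send-Q Local_Address:Port Peer_Address:Port
# "Before": SMB and S3 bound to the wildcard, so reachable from both bonds.
SAMPLE_BAD='LISTEN 0 4096 0.0.0.0:445 0.0.0.0:*
LISTEN 0 4096 10.4.10.20:443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6000 0.0.0.0:*'
# "After": each service bound to the address of its own network.
SAMPLE_GOOD='LISTEN 0 4096 10.4.10.20:445 0.0.0.0:*
LISTEN 0 4096 10.4.10.20:443 0.0.0.0:*
LISTEN 0 4096 10.5.10.20:9000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6000 0.0.0.0:*'

# check_bindings SOCKETS
# Reads ss-style listener lines from $1, prints one line per policy port that
# is bound to the wrong address (a wildcard such as 0.0.0.0 or * counts as
# wrong), and returns non-zero if any violation was found. Ports that are not
# in POLICY are ignored.
check_bindings() {
    printf '%s\n' "$1" | awk -v policy="$POLICY" '
        BEGIN {
            n = split(policy, rules, "\n")
            for (r = 1; r <= n; r++) {
                split(rules[r], kv, " ")
                want[kv[1]] = kv[2]
            }
            bad = 0
        }
        $1 == "LISTEN" {
            # Local socket is field 4 as addr:port; split on the last colon so
            # bracketed IPv6 addresses such as [::]:445 are handled too.
            p = match($4, /:[0-9]+$/)
            addr = substr($4, 1, p - 1)
            port = substr($4, p + 1)
            if ((port in want) && addr != want[port]) {
                printf "port %s bound to %s, expected %s\n", port, addr, want[port]
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# violation_count SOCKETS : number of violations as a plain integer.
violation_count() {
    check_bindings "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed samples. On a live TrueNAS SCALE
# host replace the sample with the real socket table: check_bindings "$(ss -Hltn)"
echo "before:"; check_bindings "$SAMPLE_BAD" || true
echo "after:";  check_bindings "$SAMPLE_GOOD" && echo "no violations"
```

Binding only controls which local address a service answers on; it does not stop a client on 10.4.10.0/24 from reaching 10.5.10.20:9000 if the router forwards traffic between the two VLANs. Keeping the corporate network away from the backup target therefore also needs an ACL on the router or firewall between the VLANs (or a host firewall on the server), and the check above should be rerun after any service restart or upgrade, since a service that is reconfigured back to its default wildcard bind silently reopens both paths.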

I can’t answer some of those questions.

However, I don’t think at present you can isolate SysAdmins and Backup Admins to their respective sides. Of course, I could be wrong.

As for isolating normal GUI & normal SMB shares to one sub-net, and isolating the backups to a different sub-net, I do think that is possible.

Perhaps someone with more knowledge can answer the overall isolation question.