Quick NAS network question (probably Synology DS1819+)

Hi Folks,

After digging a bit I haven’t yet been able to definitively answer the question: Does Synology (or anyone else) with multiple NICs support different networks on those NICs, with different GWs? Follow-up question: If so, can you set up access such that one network sees certain volumes but has no access to others (IoT security cam video feed, for example), and a separate network (lab/admin) can access everything? I’ll want a NAS that either has 2 10G NICs, or 4 1G, where I’d LACP 2 and 2 for each network.

Alternatively, if I can put 2 separate networks on one 10G NIC, that might work also.

I assume the answer is probably yes, but I see plenty of language like “supports link aggregation” and “supports failover”, both of which are great, but not the same thing I’m asking about.

Apologies if I’m asking a noob question :)

What is the use-case?

What do you mean with “volumes”?

Yeah, with my QNAP I have 4 NICs. The CAMs are on their own subnet and record to the NAS. The CAMs can only read/write to the share for the video footage, based on the user permission.

Two NICs are on a LACP to my switch, so it does LAGG too.

My apologies, my skills lie more in network engineering than in storage, so “volume” may be an incorrect term here. Basically, the use case is that the NAS will be used by security cameras to dump footage, and also used in different VLANs by anyone wanting to store stuff on the NAS. Ideally, anyone in the IoT network can only see one folder/share/volume/whatever, and the office VLAN sees a different share. But both shares should not be visible to the IoT network.

As for the network aspect, it looks like you can indeed add multiple IP addresses to a Bond, using VLAN tagging. Someone’s guide on how to do it: How To Configure Multiple VLANs on one Synology Bond | Frank @ MyBenke.org

Based on what I’m seeing so far, it looks like setting proper user permissions is the way to do it. Thank you for your reply!

I think (but am not sure) that if you want a public / guest / no-authentication-required SMB share, then you are going to struggle to limit that to being visible on 1 of the interfaces. However, as @neogrid said, and as it looks like you have worked out, you absolutely could do it by user / group based ACL.

Presumably your cameras have the ability to do some form of auth, as will the devices on your office LAN, so maybe just a “public” share for the IoT stuff. It would mean that all shares could be seen from all networks but would only have read / write when authenticated.
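
The split discussed in this thread, written as a generic Samba `smb.conf` fragment; this is an added example, not part of any post above and not the Synology or QNAP configuration, which is set through the vendor's own interface. The interface names, subnets, paths, the `camrec` user and the `office` group are all constructed for illustration.

```ini
# Constructed layout (assumptions, not from the thread):
#   192.168.10.0/24 = office/admin VLAN, 192.168.20.0/24 = IoT/camera VLAN
#   bond0.10 / bond0.20 = tagged VLAN interfaces on one bond
#   "camrec" = account the cameras log in with, "office" = group of staff users

[global]
    # Serve SMB only on the two VLAN interfaces (plus loopback for local tools).
    interfaces = lo bond0.10 bond0.20
    bind interfaces only = yes
    # Failed or anonymous logins are rejected rather than mapped to a guest account.
    map to guest = never

# Weak variant, kept commented out for comparison: a guest share has no
# user to attach an ACL to, so any host that can reach the server can write to it.
# [cam-footage]
#     path = /srv/nas/cam-footage
#     guest ok = yes
#     read only = no

[cam-footage]
    path = /srv/nas/cam-footage
    guest ok = no
    # Only the camera account and office staff may connect at all.
    valid users = camrec @office
    # Read-only by default; only the camera account may write footage.
    read only = yes
    write list = camrec
    # Connections accepted from both VLANs; with no "hosts deny" set,
    # every address not listed here is refused.
    hosts allow = 192.168.20.0/24 192.168.10.0/24

[office]
    path = /srv/nas/office
    guest ok = no
    valid users = @office
    read only = no
    # Not reachable from the IoT VLAN even with valid office credentials.
    hosts allow = 192.168.10.0/24
```

`testparm -s` parses the file and prints the effective settings, which is a quick check before reloading Samba.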