Selfhost - Network design and hardware Help & Recommendation

Hi All,

I was recently introduced to the forum and channel, and I got completely hooked on the level of detail and simplicity with which all the topics are presented.

With this in mind, I think this would be the best place to search for help and guidance on my self-hosting journey.

Goal

The end goal of the solution would be to have a NAS and websites exposed to the internet without compromising my local network, all rack mounted, so I don’t have stacks of hardware somewhere :smiley:

Scenario 1

The first scenario would be to go the “simpler” way and use all Ubiquiti, for example, to manage my networks, firewall, and APs.

Diagram:

[Fiber Optic Line]
        |
[UISP Fiber Instant]
        |
[UniFi Dream Machine Pro]
        |
[UniFi Switch]
       |                   |                   |
[Access Points]  [Server with Proxmox]  [Wired Devices]

Explanation

In this use case, I would have (if my ISP plays nice) the inbound fiber directly into the UniFi Dream Machine; if not, I would have the router in bridge mode.

The server referred to would virtualize the NAS and a k8s environment.
I would use my current hardware as a base:
1x AMD Ryzen 7 5700G 8-Core 3.8
1x Motherboard Micro-ATX Asus TUF Gaming B5
1x Corsair RM850
2x Crucial Ballistix Gaming 32G
1x Corsair iCUE 220T RGB Airflow
1x Corsair 1200RPM SP140 RG
1x WD SSD SN750 1 TB NVMe WD BLACK M.2 PCIE
1x WD SSD SN750 500 GB NVMe WD BLACK M.2 PCI.

Discarding:
1x Corsair iCUE 220T RGB Airflow
1x Corsair 1200RPM SP140 RG

Adding:
1x 2U UK-2129 ATX
1x Noctua NH-L9a AM4 Chromax Black
3x Noctua NF-R8 Redux PWM 1800
1x SFP+ 10 GB NIC ** Need Recommendation **
4x Seagate SkyHawk 4 TB 5900rpm 256 MB SATA III

All the Ubiquiti hardware would also be acquired, with one or two APs (2 stories, brick walls).

The server would be connected to the switch by a DAC cable.

Scenario 2

This scenario would involve a 2nd server with OPNsense, or running Proxmox with OPNsense and Pi-hole.

Diagram:

[Fiber Optic Line]
        |
[OPN Server with GPON CPE]
        |
[Managed/Unmanaged switch]
       |                   |                   |
[Access Points]  [Server with Proxmox]  [Wired Devices]

Explanation

In this use case, I would have (if my ISP plays nice) the inbound fiber to an SFP+ GPON CPE; if not, I would have the router in bridge mode.
For this server, my preselected hardware is the following:

1x 2U UK-2129 ATX
1x RYZEN 3 3200G
1x Gigabyte B550M-K
1x Corsair Kit 16 GB (2 × 8 GB) DDR4 3200MHz Vengeance LPX White CL16
1x MSI MPG A650GF 650W 80+ Gold
2x M.2 ADATA XPG SX6000 Pro 256 GB
1x Noctua NH-L9a AM4 Chromax Black
3x Noctua NF-R8 Redux PWM 1800
1x SFP+ 10 GB NIC ** Need Recommendation **

So besides the extra hardware I mentioned in the previous scenario for the NAS server, I would also have to acquire the above hardware.
The second SSD would be to have the OPNsense VM ready to run from boot if Proxmox decided to die (a safeguard to avoid people yelling about having no internet :smiley:)

The OPN server would connect to the switch with a DAC, just as the switch would connect to the NAS server, etc.

In this use case, I would need a recommendation on the managed/unmanaged switch and also on the access points, since currently I’m using 3 Deco X50 APs and the signal between them is lousy.

Ending

Which scenario would you most recommend? (I’m not “scared” of managing OPNsense.)

And what would you use for the NICs and the switch (scenario 2)?

Assuming scenario 1, should I install OPNsense directly on bare metal, or virtualize it and run it side by side with Pi-hole?

Or if you would go any other route/hardware.

Thank you all in advance

EDIT: Forgot one important piece of information: I’m based in the EU, so any recommendation that could be sourced here would be awesome.

The easiest solution is to put both the web server and NAS in the DMZ.

Just something I’d be concerned about…

  • NAS as in your personal, important data? Don’t expose it to the internet directly. EVER.
  • Skyhawk for NAS? Make sure to check exact model and datasheet. Some of those are SMR and you should not use those.
  • Breaking out of the hypervisor is a thing; just look at the list of known vulnerabilities here. I’d keep anything I expose to the internet directly on a separate machine, isolated from the rest of my network. Maybe one of those N100/Ryzen mini PCs.
2 Likes

Hmm

Wouldn’t that be more complex due to the need for more network components?

For example, 2 firewalls and 3 routers to correctly define the public internal network for the access points, then another for the DMZ, and then a second firewall to isolate a private internal network?

1 Like

Remember that setting up your DMZ is all virtual rather than physical. So while your network map is technically correct, a lot of that configuration is in software.

Also, port forward, don’t DMZ.
DMZ will expose you to all the nasty vulnerabilities you have; port forward what you need, and your web server does not have an exposed SSH port.

Hi,

The NAS would be to replace “OneDrive”, “Google Drive” and such, to have auto-sync, for example using PhotoSync. Security is indeed a concern and is one of the things I’m thinking about in terms of how to access it, but then again, with “zero trust” for me to access my area, my wife hers, and so on.

Regarding the use of SkyHawk for NAS, I would have to check the exact EAN, since there are SMR and CMR in the wild.

The idea would be to also have an nginx virtualized on the server to reverse proxy the NAS and web servers.
Maybe I’m overcomplicating things :person_shrugging:

In that case I would definitely look into a VPN or overlay network for access. No way in Hell I’d expose it to the internet.

Even commercial solutions with whole teams working on security have multiple vulnerabilities every month (QNAP or Synology, for example), so you are not going to be on top of that 100%.

Second, RAID is not backup. Have a backup of your NAS some place other than your house. One good lightning strike and poof, data gone.

3 Likes
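The reverse-proxy layout the OP describes, combined with the advice above to reach the NAS only over a VPN, as an added example (this is not the OP’s configuration or anything from the thread): one nginx instance on the internal network serves a public website vhost, which is the only thing the port forward should point at, and a NAS/Nextcloud vhost that returns 403 to every source except the LAN and the WireGuard subnet. The hostnames (www.example.org, cloud.home.example.org), addresses (192.168.10.20 for the NAS, 192.168.20.10 for the website backend, 10.8.0.0/24 for VPN clients) and certificate paths are assumptions.

```nginx
# Added example. Assumed addresses (not from the thread):
#   192.168.20.10  website backend container
#   192.168.10.20  NAS / Nextcloud on the LAN
#   192.168.10.0/24 LAN clients, 10.8.0.0/24 WireGuard clients

# Plain HTTP exists only to redirect to HTTPS.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# Catch-all: TLS handshakes for any name we do not serve are refused outright,
# so scanners hitting the forwarded port by IP learn nothing (nginx >= 1.19.4).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# Public website: the single vhost the WAN port forward is meant to reach.
server {
    listen 443 ssl;
    server_name www.example.org;

    ssl_certificate     /etc/letsencrypt/live/www.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://192.168.20.10:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# NAS / Nextcloud: same proxy, but only LAN and VPN sources are accepted.
# The allow/deny list is evaluated before proxying, so an internet client
# that somehow reaches this vhost gets a 403 and never touches the NAS.
server {
    listen 443 ssl;
    server_name cloud.home.example.org;

    ssl_certificate     /etc/letsencrypt/live/cloud.home.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.home.example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    allow 192.168.10.0/24;   # LAN
    allow 10.8.0.0/24;       # WireGuard clients (phones doing photo sync)
    deny  all;

    client_max_body_size 0;       # sync clients upload large files
    proxy_request_buffering off;  # stream uploads instead of spooling to disk

    location / {
        proxy_pass https://192.168.10.20:443;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The allow/deny list is a second line of defence, not the primary one: the WAN port forward should already terminate at the website vhost only, and the NAS name should resolve only on internal DNS (Pi-hole) and over the VPN. If the proxy is ever moved into the DMZ, the NAS vhost should move with the NAS rather than stay on a box the internet can reach.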

For that application I would look into Nextcloud and port forward via an internet domain and Cloudflare.

2 Likes

That would be the second step: 2 backup servers connected through VPN, one near me and another with geographical redundancy.
I have lost too many things already due to “I will back this up later” :expressionless:

That is my first option for the container inside the Proxmox server.

Why not start small and build on top of that?
Have an isolated network segment for your family and a NAS they can use, figure out how to back up, separate printers, cameras, and other IoT crap into their own segment, then figure out how to securely access the NAS from outside... Do you need everything ASAP?

2 Likes
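The “port forward, don’t DMZ” point and the segmentation advice above (family/NAS, IoT, and the internet-facing box each in their own segment, with VPN access to the NAS), written out as one added example rather than anything posted in the thread: a hand-written pf.conf for the OPNsense scenario. OPNsense generates its pf rules from the GUI, so this is what the resulting policy looks like in pf syntax, not a file you would drop onto the appliance. Interface names (igb0, vlan10/20/30, wg0), VLAN IDs, subnets and the two server addresses are assumptions.

```pf
# Added example. Assumed interfaces and addressing (not from the thread):
#   igb0    WAN   (GPON CPE in bridge mode)
#   vlan10  LAN   192.168.10.0/24  family devices and the NAS
#   vlan20  DMZ   192.168.20.0/24  internet-facing web server / reverse proxy
#   vlan30  IoT   192.168.30.0/24  printers, cameras, other IoT
#   wg0     VPN   10.8.0.0/24      WireGuard road warriors
ext_if = "igb0"
lan_if = "vlan10"
dmz_if = "vlan20"
iot_if = "vlan30"
vpn_if = "wg0"

lan_net = "192.168.10.0/24"
dmz_net = "192.168.20.0/24"
iot_net = "192.168.30.0/24"
vpn_net = "10.8.0.0/24"
table <internal> { 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24, 10.8.0.0/24 }

web_srv = "192.168.20.10"   # public web server VM, lives in the DMZ
nas_srv = "192.168.10.20"   # NAS on the LAN: no rdr rule ever points at it

set skip on lo0
set block-policy drop

# Translation: masquerade outbound traffic and forward exactly one inbound port.
nat on $ext_if inet from <internal> to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $web_srv port 443
# A consumer router's "DMZ host" setting is the equivalent of
#   rdr on $ext_if inet proto { tcp, udp } from any to ($ext_if) -> $web_srv
# i.e. every port, SSH included, lands on that box. That is the thing to avoid.

# Filtering: default deny on every interface, then open only what is needed.
# pf is last-match-wins unless a rule says "quick", so the block-quick lines
# below take precedence over the broader pass rules that follow them.
block all
antispoof quick for { $ext_if, $lan_if, $dmz_if, $iot_if }

# WAN: the forwarded HTTPS traffic (destination already rewritten by rdr)
# plus the WireGuard endpoint on the firewall itself. Nothing else.
pass in on $ext_if inet proto tcp from any to $web_srv port 443
pass in on $ext_if inet proto udp from any to ($ext_if) port 51820

# LAN: trusted clients may go anywhere except into the IoT segment.
block in quick on $lan_if from $lan_net to $iot_net
pass in on $lan_if from $lan_net to any

# VPN: road warriors get DNS from the firewall and the NAS (HTTPS sync, SMB).
pass in on $vpn_if inet proto { tcp, udp } from $vpn_net to ($vpn_if) port 53
pass in on $vpn_if inet proto tcp from $vpn_net to $nas_srv port { 443, 445 }

# DMZ: the web server may answer its clients and fetch DNS/NTP/updates, but it
# cannot open connections into the LAN, IoT or VPN segments. A compromised web
# server (or a hypervisor breakout that lands there) stays in the DMZ.
block in quick on $dmz_if from $dmz_net to { $lan_net, $iot_net, $vpn_net }
pass in on $dmz_if inet proto { tcp, udp } from $dmz_net to any port { 53, 80, 123, 443 }

# IoT: internet only, no lateral movement anywhere internal.
block in quick on $iot_if from $iot_net to { $lan_net, $dmz_net, $vpn_net }
pass in on $iot_if from $iot_net to any

# Outbound on every interface is just the other half of the states above.
pass out all
```

The segments only exist if the switch side matches: the uplink to the firewall is a tagged trunk carrying VLANs 10, 20 and 30, the Proxmox host gets the same trunk so the web VM can sit on VLAN 20 while the NAS VM sits on VLAN 10, and the access points put the family SSID on VLAN 10 and an IoT SSID on VLAN 30. That is the “virtual rather than physical” DMZ from the earlier reply: one firewall, one switch, and the separation is in VLAN tags and this ruleset.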

No, I wanted to have the overall idea of what could technically be the end goal and use case, and then start working in that direction, without wasting resources or changing route midway. Let’s say I buy some Ubiquiti switches and then go for the OPNsense route (from what I have read so far, they do now play well together).

One thing that is granted: I need to see what to do with my current APs (probably going to use MoCA to connect them).

Hi @Focalor, the only advice I could add here is as follows: if you do decide to go with any Ubiquiti product, I would purchase a UniFi Dream Machine Pro or Dream Machine SE (I have the Dream Machine SE and one of their old L2 switches you can’t buy anymore), a UniFi Pro switch and a UniFi 6 AP. There isn’t anything wrong with OPNsense, but the trouble with combining OPNsense with any Ubiquiti product is that it can be hard to connect any Ubiquiti product to OPNsense, as was the case when I ran pfSense (which I believe OPNsense is a fork of). Also, Ubiquiti products have a more straightforward web interface than OPNsense; at least, that is my opinion.

I have included a link to the UniFi Design Center if you go the UniFi route.

1 Like

Thank you for the feedback and advice :slight_smile:

Furthermore, thank you, @vivante and @TeamTux

This is the main reason why I like to discuss things :slightly_smiling_face: sometimes I tend to overengineer stuff, and that is also why I resort to the forum to hear the advice of more knowledgeable people on these topics.

1 Like