Home NAS server

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Ah, no, nothing like that. It'd be cool if it were possible, but I'm not aware of a way to run arbitrary shell commands in the Mikrotik environment. There are a few systems I still have to manage this way--get the certs in a container (a LXC container under Proxmox, in my case) and then deploy them from there to the target system: my Ruckus WiFi access point, iDRAC on my PowerEdge R630, and IPMI on my NAS motherboard.
 

darkness

Dabbler
Joined
Dec 11, 2023
Messages
23
Ok so for basic/learning purpose 10gbit backbone:

Switch: Mikrotik CRS305-1G-4S+IN
NI: HP X520-DA2 NC560SFP+ 2-Port 10Gbit SFP+ High profile
Cable: 2x DAC Arista 2M 10Gb SFP+

I have given up on Realtek 2.5 drivers on macOS, maybe they work better for other platforms. I’m transitioning everything that is not fast enough on WiFi 6e to 10GbE fiber. (QNAP and Sonnet make SFP+ / Thunderbolt cages that are decent. Arguably the QNAP is now the better one on account of the Thunderbolt 3 cable being replaceable).
What solution did you use for WiFi 6e?

I have a Mikrotik with WiFi 6 and a 2.5GbE port. It is already connected via a 1GbE port. Is it worth buying a transmitter for the CRS305 to make one 2.5Gb port and connect it to the Mikrotik access point?

Ah, no, nothing like that. It'd be cool if it were possible, but I'm not aware of a way to run arbitrary shell commands in the Mikrotik environment. There are a few systems I still have to manage this way--get the certs in a container (a LXC container under Proxmox, in my case) and then deploy them from there to the target system: my Ruckus WiFi access point, iDRAC on my PowerEdge R630, and IPMI on my NAS motherboard.
Does FTP not work for that task?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
I use Ubnt access points for WiFi. The power edge switch from UBNT provides POE power and a 2.5GbE connection. The poweredge connects via SFP+ to my main switch.

You can certainly put a 2.5GbE transceiver into the 305, last time I looked they were not available, just $$$ and hot copper transceivers that start at 10GbE that can shift down to 2.5GbE. I would stay away from those due to power and heat, if possible.

SSH works just fine to deploy certifications. That’s not the issue. In an ideal world, each appliance / switch / whatever would auto-update the SSL resources of itself automagically. That eliminates a single point failure potential and also makes them easier to maintain. But OEMs still do not take this seriously, especially in the SOHO space.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Does FTP not work for that task?
Even if I were OK using insecure FTP to transfer private keys--which I'm not, even on my own LAN--no, none of those systems has a mechanism to let you FTP over a key/cert and use it.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
But OEMs still do not take this seriously, especially in the SOHO space.
...or, really, even in the Enterprise space. Dell makes it reasonably straightforward to put a new cert onto iDRAC (it's a few racadm commands), but it isn't integrated. With Supermicro's IPMI, it's kind of a hacky script, but it works (with X10 and later boards). Mikrotik supports it all through their CLI--better than SM, not as good as Dell. HPE doesn't have any way of automating it for iLO that I've seen.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
They all seem to rely 100% on VLANs or segregated management ports to limit access to management nodes? I’d like both to enable defense in depth. But then again, I’m likely over-thinking just how ambitious my kids might be re hacking.
 

Etorix

Wizard
Joined
Dec 30, 2020
Messages
2,134
Or you're aware that your kids had an excellent IT teacher… :wink:
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
None are terribly interested ATM and that’s fine. Keeping my kids on segregated VLANs also helps ensure that any computer-related STD outbreaks are limited re scope to systems I care less about.
 

darkness

Dabbler
Joined
Dec 11, 2023
Messages
23
This is my second day of testing and I had a few issues. I'm doing it for learning purposes now, not 'production'.
  1. I lost access to IPMI so I had to learn how to restore it from the server - I made a Debian minimal install and used IPMICFG to reset it.
  2. I fought with the fans because they ran at full RPM. I didn't know that 3-pin fans (which are in the case) can't be controlled via PWM - so I lost a few hours on it. The CPU fan is 4-pin so I learned how to use ipmitool to change it to lower values and now it works OK. So currently only the CPU fan is working. I disabled the case fans.
  3. I created a striped mirror (or I think I did)
  4. I created a Samba share and played with ACLs (I think that ACLs sometimes don't work as they should).
Today there will be more :D

question 1: Is it okay to run only the CPU fan long term? Currently the CPU fan RPM is 300 and the temp is 30-35 degrees. What about the disks, should they have a cooler?
question 2: Is it a striped mirror? ;D
1703250703001.png


question 3: In a striped mirror - what if e.g. the whole MIRROR2 fails (disks ada2, ada3)? Or a mix (e.g. ada1 and ada3) etc.
question 4: What backup can you recommend to start with? I'll make an old PC into a Proxmox server and it will be the router with 10Gbps and other VMs with network stuff. Should I use it as backup or make another machine for this purpose? What about cold backup?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

darkness

Dabbler
Joined
Dec 11, 2023
Messages
23
If an entire vdev fails, your entire pool is lost.
So in a striped mirror:
vdev = mirror(2xtb) - (e.g. ada0 and ada1)?
pool = 2 mirror(2xtb + 2xtb)?

1703252173026.png
1703252320258.png
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
You are using the Fractal Node 804 which has a fan controller on the back, right over the exhaust fan of the motherboard chamber: use that to control the case's fans to cool the HDD drives while leaving the CPU's cooling to the motherboard. The fan controller only requires SATA power and doesn't need a connection to the motherboard, you can control the fans' speed by the selector (low, medium, high).

1000027232.jpg

If you have a pool made of two vdevs in a two-way mirror (ada0 and ada1 make VDEV1, ada2 and ada3 make mirror 2) and you lose both drives of either VDEV (so ada0 and ada1 or ada2 and ada3) your whole pool is lost.
 
Last edited:
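
The rule in the post above, worked through for every failure combination, as an added example that is not part of the original thread. It generalizes to any pool built from striped mirrors, and the vdev labels `mirror-0` and `mirror-1` are assumed names for the two mirrors described in the post.

```python
from itertools import combinations

# Layout from the thread: two 2-way mirror vdevs striped into one pool.
# The labels "mirror-0"/"mirror-1" are assumed names for illustration.
POOL = {"mirror-0": ["ada0", "ada1"], "mirror-1": ["ada2", "ada3"]}


def pool_survives(pool, failed):
    """A mirror vdev survives while at least one member is healthy;
    the pool survives only if every vdev survives."""
    failed = set(failed)
    return all(any(d not in failed for d in disks) for disks in pool.values())


def fatal_failures(pool, n):
    """All combinations of n failed disks that destroy the pool."""
    disks = sorted(d for members in pool.values() for d in members)
    return [c for c in combinations(disks, n) if not pool_survives(pool, c)]


def survival_odds(pool, n):
    """(survivable, total) counts over all n-disk failure combinations."""
    disks = [d for members in pool.values() for d in members]
    total = sum(1 for _ in combinations(disks, n))
    return total - len(fatal_failures(pool, n)), total


if __name__ == "__main__":
    for n in (1, 2, 3):
        ok, total = survival_odds(POOL, n)
        print(f"{n} failed disk(s): pool survives {ok}/{total} combinations")
    print("fatal two-disk failures:", fatal_failures(POOL, 2))
```

A mixed failure such as ada1 plus ada3 leaves one healthy disk in each mirror, so the pool stays online but has no redundancy left until the failed disks are replaced and resilvered.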

darkness

Dabbler
Joined
Dec 11, 2023
Messages
23
You are using the Fractal Node 804 which has a fan controller on the back, right over the exhaust fan of the motherboard chamber: use that to control the case's fans to cool the HDD drives while leaving the CPU's cooling to the motherboard. The fan controller only requires SATA power and doesn't need a connection to the motherboard, you can control the fans' speed by the selector (low, medium, high).
I just finished rearranging cables, thx. I wanted to control the fans through the motherboard (fewer cables etc.) but never mind, it's now working with the controller.

It's time to play with TrueNAS and I'm bumping my question about backup :)

What backup can you recommend to start with? I'll make an old PC into a Proxmox server and it will be the router with 10Gbps and other VMs with network stuff. Should I use it as backup or make another machine for this purpose? What about cold backup?
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
It's time to play with TrueNAS and I'm bumping my question about backup :)

What backup can you recommend to start with? I'll make an old PC into a Proxmox server and it will be the router with 10Gbps and other VMs with network stuff. Should I use it as backup or make another machine for this purpose? What about cold backup?
I'm not understanding your first question.

Generally you want an easily accessible backup of your data and an offsite backup in a different location (in order to prevent data loss in case of catastrophic events, from house fires to earthquakes and floods).
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Ayup. Doesn’t even have to be a full flood. Just enjoyed a pre-Christmas spectacular here thanks to sewer main collapse in street. Fun times trying to capture over 20 gallons of glop under pressure, post blowout cleanup, etc. Thankfully it happened while we were in the house and the basement flood alarm got us out of bed in a hurry.
 

darkness

Dabbler
Joined
Dec 11, 2023
Messages
23
I'm not understanding your first question.

Generally you want an easily accessible backup of your data and an offsite backup in a different location (in order to prevent data loss in case of catastrophic events, from house fires to earthquakes and floods).
Generally speaking, yes. For now it can be an easily accessible backup in the same location. Currently I just have 2 USB disks and from time to time I do a backup (just cold backup).

It would be nice to know how you do that :)

What comes to my mind is to build another machine with e.g. a 2-way mirror and turn it on only for backup purposes. Or, as I wrote above, use my Proxmox server to store backups and only turn it on/off for this task.

Is a TrueNAS machine needed/recommended for that too? Or can it be a QNAP/NAS? SSD/HDD disks? Should it work 24/7 or only when it's needed?

First of all I want to learn how to do this job well and make good habits.


BTW, TrueNAS is working well. I made some datasets and played with accounts and ACLs. I set up Syncthing on the Proxmox server and sync Android folders with NAS datasets. Plex works well too on Proxmox :) And I'm really happy that I have a standalone TrueNAS machine, not virtualized.

Next goals are: secure it, 10Gbps network, backups and UPS :)
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
Backups can come in many forms. You can use drives mounted in an external enclosure and ZFS send snapshots just as you can to a distant server.

Ideally, rotate physical backups offsite in case the remote server option is not possible / in budget. I back up my data in non-ZFS form to maintain a format that my home machine could read. However, I would really recommend the remote server option be ZFS as well, as the ZFS send mechanism is super efficient and very quick to execute compared to other options.

Scheduling is an option with servers, i.e. schedule the remote one to turn on at 2AM, then shut it down at some reasonable hour or at the end of the send.
 

darkness

Dabbler
Joined
Dec 11, 2023
Messages
23
Hi folks!
The server works great. I haven't had any issues with TrueNAS on that build! (yet). Temperatures are fine, disks are fast and it's pretty silent (my laptop fans are louder than the server). I installed plugins with Syncthing and Plex, and all together it works fine.

Now the time has come to do some backups.

Arwen has a nice option: How to: Backup to local disks
^ I'm considering it, but as a second option.

I have an old HP server with DDR3 (max 8GB RAM). What do you think about installing TrueNAS on it, keeping this machine offline and only turning it on when a backup is needed? The disks will be in the case and I'll just unplug the cables to rotate them. To start I'll buy one 4TB disk, and I have an old 1TB disk for rotation.

Backup will be done with replication tasks.

What do you think?
 