Need advice for Load Balancer and Network Structure for our SB

loweherzat

Jul 20, 2018
Hi all,

So I’m an amateur, self-taught IT person who’s trying to save some cost by setting up our SB network myself (actually it’s because we’re lacking good IT advisors for SB in our area). It’s a little long but please bear with me, as I need to provide the detailed info on the whole thing for better understanding. So:

- We have in total about 20-25 workstations that mostly do architecture design, each has its own Windows 10 Pro, and all of them access files from the 2 NAS.
- The biggest working files are from Autodesk Revit & 3Ds Max & Photoshop, each ranging from 100MB to 600MB in size, sometimes almost 1GB.
- The workstations read/write these files to the NAS frequently, but writing to the NAS is the higher-priority task.
- NASes are running Windows Server 2012r2, and will be upgraded to Windows Server 2016!
- Switch 1 is managed and has LACP/NIC teaming
Please refer to the diagram below for better understanding of our situation.

[network diagram image: 2B6DC99C-5677-422A-8273-44A2184D08B8.jpeg]


The issues I’m facing now:

- We need to get access to the NAS from outside our network, as some of our staff (3-4 people) will work from overseas. And by “access” I mean easily syncing between the overseas remote workstations and the NAS, as fast as possible, since the working files are kind of big. It'd be best if I could map the shared folder as a Windows local drive with a letter on the remote workstation.

- Efficiency within the LAN, since there are limitations on the devices (they’re not the super cheap components, but not the super high-grade ones either)

So my questions are:

1. Does DirectAccess/VPN or WebDAV better suit our needs for accessing files from the NASes remotely?

2. Should I connect 1 of the NAS Ethernet ports directly to 1 or 2 of the modems for a faster remote connection from outside? Does the OS (WS2016) support it that way?

3. Wifi Router: Should I set this up with new subnet, so that all the “less important devices” get separated to the subnet and get all the connections processed by the Wifi Router to reduce workload on the Load Balancer?

And if so, will the devices after the Wifi Router be able to “see” the NAS?

4. We’ll need a new Load Balancer; I’ve never used one before. Can you guys suggest a reliable one? Brand?

5. Will connecting Switch 1 and 2 to each other improve connections between Workstation Group 2 and NAS 1? Reduce workload on the Load Balancer?

Thanks a bunch!
 
A load balancer is more commonly used as a device placed in front of a group of servers.

Since you have so few devices I would buy a 48-port layer 3 switch and plug everything into that. Since it is using the backplane to connect everything you do not have to worry about the speeds of the connections between your switches. If you want to use different subnets for things, the layer 3 part of the switch can accomplish that.

For remote access you need some form of firewall or appliance-type box that can run VPN sessions. There are many on the market and it depends on how fast your internet connections are. You will need to select a device that can accommodate the number of sessions you have as well as keep up with your internet connection. It takes a lot of CPU to run VPN.

The ability to really load balance an internet connection is not something a small company can really do. You would have to be large enough to get things like BGP ASN numbers assigned to you and have registered blocks of IP addresses. Even very large companies with thousands of machines have trouble getting these because of the shortage of IP addresses. This type of load balancing is not even done with a so-called load balancer; it is done with a router.

Pretty much when you're not a huge company your only options are to use the internet connections as primary/backup or send certain machines on 1 connection and other machines on the other. You can not combine the 2 internet connections for higher bandwidth for a single session. You also have major issues if you send some of a machine's traffic on connection 1 and other traffic on connection 2; sometimes the sessions are strongly related and no load balancer device can know those relationships.

If you REALLY want a load balancer look at a company called F5. These are extremely expensive boxes. They also have an illustration of the type of application a load balancer really is used for. It is pretty much the reverse of what you want.

https://www.f5.com/services/resources/glossary/load-balancer

Now these boxes have massive capabilities so I suppose you could use them to share your internet connections. I know they are smarter than most and can identify applications so they work somewhat better.
 
Tks for the detailed answer, Bill!

However I think I need to follow up my questions a bit.

Apparently we have grown gradually from a 6-people team into a 30-ish team in 1 year, so some of the old hardware remains, and as we're not a tech company the budget for IT is not so much, hence the questions mostly relate to salvaging what we already have and buying only the really necessary parts.

Currently, we already have all of the Components in the diagram, except for the Load Balancer.
Switch 1 is a 24-port managed
Switch 2 is a 16-port managed
Switch 3 is a cheap 8-port TP-link
NASes are File Server running WS2016 (already mentioned)

(for the Load Balancing, I'm actually looking at the Draytek Vigor2925FN, which has session-based balancing, but I've never used a load balancing device before so I'm kinda confused here)

Our budget is something like less than $500 for hardware, so, besides the Load Balancing device we definitely need to get, any other budget-friendly method to improve performance would be greatly appreciated!
So my questions are still the same:

1. Does DirectAccess/VPN or WebDAV better suit our needs for accessing files from the NASes remotely?

2. Should I connect 1 of the NAS Ethernet ports directly to 1 or 2 of the modems for a faster remote connection from outside? Does the OS (WS2016) support it that way?

3. Wifi Router: Should I set this up with new subnet, so that all the “less important devices” get separated to the subnet and get all the connections processed by the Wifi Router to reduce workload on the Load Balancer?

And if so, will the devices after the Wifi Router be able to “see” the NAS?

4. We’ll need a new Load Balancer; I’ve never used one before. Can you guys suggest a reliable one? Brand?

5. Will connecting Switch 1 and 2 to each other improve connections between Workstation Group 2 and NAS 1? Reduce workload on the Load Balancer?
 
I guess the question is what do you actually want to "load balance".

If you hook your switches together directly the only bottleneck would be the port between them.

You never want to hook your NAS externally on the internet. If you use VPN then your traffic is on the inside anyway. Your VPN and/or your internet will likely cap your speed to the NAS before anything else does.

The concept of subnets for performance is pretty much outdated. Before, broadcasts would have a negative impact on other devices in the subnet. The more devices you have the more broadcasts. Nowadays everything is so powerful that it does not matter.

The company I used to work for used /23 for the LAN segments. This allows over 500 addresses. It was not uncommon to have 250 active users, some with multiple devices.

It just makes it more complicated, so just put it all on one subnet unless you need to restrict traffic between the networks, which is easier done at the IP level.
 
Yes, the "load balance" would actually mostly be used for the "fail-over" function, and not the speed (though getting some increase in speed would be nice, too). It's the cheapest way to ensure the internet connections are online all the time so that our overseas staff can get access to the NASes.

And you have my thanks, that answered a lot of questions.

So for question 2, I should just leave the NAS behind the LoadBalancer/Router/Switch and not leave it exposed to the world insecurely (lol). Actually the only thing I'm afraid of is I have also never set up a VPN before, so leaving it behind the load balancer would make getting to it harder (from outside, a user would have to get through the modem (also a router, a cheap one, so I could not just turn it off and use only the optic-fiber converter function), then the load balancer router, before reaching the NASes). I guess I'd have to research doing port-forwarding twice?

Question 3, then I'd just use the wifi router as an access point, and not use the router function.
Question 5, no connection between Switch 1 and 2 then!
Question 4, I guess with our budget the Draytek is the most logical choice then!

So that leaves question 1: Does VPN or WebDAV better suit our needs, with our network structure set up like that?

Tks!
 
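The poster's "port-forwarding twice" worry and the advice never to hang the NAS off the internet directly both come down to what each NAT hop hands to the next. The following is an added example, not from the thread or from any router vendor: it models the double-NAT chain (ISP modem, then load balancer, then office LAN) with constructed rules and made-up addresses, follows a WAN port through both hops, and flags any chain that ends on a NAS file-sharing port. The VPN port is assumed (OpenVPN's default 1194) and the load balancer is assumed to terminate the VPN itself.

```python
from dataclasses import dataclass

# Services that must only be reachable from the LAN or over the VPN, never from the WAN.
LAN_ONLY_PORTS = {445: "SMB", 139: "NetBIOS", 80: "WebDAV/HTTP", 3389: "RDP"}
VPN_PORT = 1194  # assumed VPN listener port (OpenVPN default); not stated in the thread

@dataclass(frozen=True)
class Forward:
    wan_port: int   # port accepted on the device's outside interface
    to_host: str    # inside address the traffic is handed to
    to_port: int    # port on that inside address

def chain(modem_rules, lb_rules, lb_wan_ip, lb_local_ports, wan_port):
    """Follow one WAN port through modem NAT and then load-balancer NAT.
    Returns the (host, port) that finally receives the traffic, or None if dropped."""
    hop1 = next((r for r in modem_rules if r.wan_port == wan_port), None)
    if hop1 is None:
        return None
    if hop1.to_host != lb_wan_ip:            # modem forwards past the load balancer
        return (hop1.to_host, hop1.to_port)
    if hop1.to_port in lb_local_ports:       # load balancer terminates it (e.g. its own VPN)
        return (lb_wan_ip, hop1.to_port)
    hop2 = next((r for r in lb_rules if r.wan_port == hop1.to_port), None)
    return None if hop2 is None else (hop2.to_host, hop2.to_port)

def audit(modem_rules, lb_rules, lb_wan_ip, lb_local_ports, nas_hosts):
    """List every WAN port whose forwarding chain ends on a NAS LAN-only service."""
    findings = []
    for wan_port in sorted({r.wan_port for r in modem_rules}):
        dest = chain(modem_rules, lb_rules, lb_wan_ip, lb_local_ports, wan_port)
        if dest and dest[0] in nas_hosts and dest[1] in LAN_ONLY_PORTS:
            findings.append(f"WAN:{wan_port} -> {dest[0]}:{dest[1]} exposes {LAN_ONLY_PORTS[dest[1]]}")
    return findings

# Constructed sample topology (addresses are made up): the modem's LAN 192.168.0.0/24 holds
# the load balancer's WAN side; the office LAN 192.168.1.0/24 behind it holds the NASes.
LB_WAN_IP = "192.168.0.2"
LB_LOCAL = {VPN_PORT}                                    # load balancer runs the VPN server
MODEM_RULES = [Forward(VPN_PORT, LB_WAN_IP, VPN_PORT),   # VPN forwarded twice: fine
               Forward(445, LB_WAN_IP, 445)]             # SMB forwarded twice: the bad idea
LB_RULES = [Forward(445, "192.168.1.10", 445)]           # second hop of the SMB exposure
NAS_HOSTS = {"192.168.1.10", "192.168.1.11"}

def sample_audit():
    return audit(MODEM_RULES, LB_RULES, LB_WAN_IP, LB_LOCAL, NAS_HOSTS)

if __name__ == "__main__":
    print("VPN lands on:", chain(MODEM_RULES, LB_RULES, LB_WAN_IP, LB_LOCAL, VPN_PORT))
    for finding in sample_audit():
        print("EXPOSED:", finding)
```

Only the VPN port should survive the two hops; anything that resolves to a NAS on ports 445/139/80 is the exposure Bill warns against.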
In general a VPN-connected machine looks exactly like a LAN machine. There are some small gotchas with some broadcast messages, but it's mostly a home user problem. When you use domain servers, shares are done via that. In either case the worst is you have to use the IP address of the device you want to access rather than some name.

3. It is always better to use an AP; it gets really nasty with NAT routers in the path....same port forwarding issues you find on internet connections.
5. You want to directly connect the switches. It may not matter; it depends on how the 2 LAN ports on the router/loadbalancer work. Many operate as a switch. Unless you have more than 1gbit of internet it really doesn't matter.
4. I can say nothing about the device. Dig through the specs; it should tell you the VPN throughput of the device. Be sure that it does not limit you. Best would be if it was as fast as your internet connection, but that gets hard if you have a very large internet connection.

I don't know what WebDAV is, but VPN is the standard enterprise solution to remote access. Well implemented it appears as though the users were on your network....obviously the latency will be there but you can't do much about that since it is caused by the distance.

 
Solution
VPN for sure, but someone should take a look at everything you do to find weaknesses.
Security changes constantly, so paying a firm who's up-to-date on best practices and familiar with your implementations can minimize your risk.
If you go that route they will probably suggest equipment they are familiar with.
Taking your setup to the next level could cost tens of thousands. Commercial remote office equipment isn't cheap.
Ask to review their SOC report. Having that will add a lot of value to you if you seek debt or equity investment.

https://meraki.cisco.com/solutions/branch-networking
 
Your IT expenses need to be factored into the cost of doing business. And a $500 budget seems ridiculously low and unreasonable. You have done some great work so far, but as failboat stated, I think you might be at the point where you need some outside help.