Backup *PULL* from QNAP to QNAP

[archaic0]

I have a QNAP at home with a static IP and firewall under my control that I can forward ports to as needed.
I have a QNAP that I would like to park at a random location where I do not have any control over incoming ports.

Home QNAP is: TS-832XU-RP with 8 SSD drives and 2 NVME cache drives with about 500G of data I want to sync
Remote QNAP is: TS-431X2 with 4 SSD drives

Testing various sync options with both QNAPS on my home 10G LAN, I noticed that any time I used a VPN to connect the remote QNAP to my main one, I topped out around 8MB/s(64Mb/s). Without a VPN, just using an HBS sync job to send to the remote QNAP however, I can get consistently around 400MB/s with the speed test without SSL and 20MB/s with SSL.

I should have a 100Mb/s(12.5MB/s) link between the two QNAPs, so I would like to get as much performance as I can out of this sync, but the obvious VPN route seems to be a huge limiting factor even on the same LAN. I presume this is being limited by the underlying hardware, so I would like to avoid the VPN route if possible.

Experimenting with Hybrid Backup & Sync options, I haven't been able to find a solution that would let me configure a job on the remote QNAP to PULL data from my main QNAP. All of the job types seem to be limited to pushing data from the unit with the job to the other unit.

I found an older thread that claimed to have a solution working, but I was not able to follow how they configured their jobs.

Can someone help me fill in the gaps? I don't have any preference for RTRR, RSYNC, FTP, CIFS, whatever... I just want the fastest performance I can get. Encryption on the link is preferred, and a 20MB/s performance limit would probably be ok as I'll be limited to 100M internet links, but the 8MB/s limit is a bit painful.

[dolbyman]

Do yourself a favour and terminate a VPN at the location you have full control over (best on the firewall if it has enough oomp for vpn encryption..the arm processors in your NAS are slow enough without VPN overhead..so spare them the cpu cycles)

Never expose your NAS to the open web by forwarding ports (malware)

HBS3 has a pull function..but it was named funny... 2 way sync or smth

[archaic0]

I have a MikroTik router at home so I can terminate the VPN there, but the remote QNAP would still be the VPN client, so would moving just one side of the tunnel really help?

I can appreciate your advice to not expose things to the internet, however, I run several web facing services from my home lab and provide some other services as a small MSP, so exposure in my case is unavoidable until I can create entirely cloud-based solutions. IDS/IPS strategies at the firewall like blacklisting IPs that probe ports I don't use as well as a blanket block on all non-US based IPs just out of the gate, source restricting where I can, and using the built-in security controls that block IPs and lock out accounts on the QNAP is the best I can do there other than of course keeping everything patched. In this case, I can source restrict whatever ports I end up using to the IP the remote QNAP is coming from. While that side would be DHCP, it wouldn't be terribly hard to 'chase' any IP changes that may happen along the way.

With security 'covered', I can experiment with moving one side of the VPN, but if the tunnel is still underperforming, I'd still be looking for a way to pull data from my main QNAP by way of a job running on the remote QNAP.

[dolbyman]

you could place a vpn appliance on the other side, e.g. a router with AES/SSL acceleration etc

exposing QNAPs is a dangerous game that many have paid with their data (cryptotrojan) or other infections (botnets,coin miners,etc) .. it should never be part of any professional operation..
There were at least 3 waves of infections this year so far, and there will be more (covid forces more people to work from home and small businesses exposing their qnaps will be lucrative targets for criminals)

if you run full external offline backups and monitor your traffic, you can mitigate I guess

[archaic0]

Like I said, source restricting would be the primary mitigation there. Followed by a robust backup strategy, of which this project is aiming to add a 3rd offsite copy of critical data.

Are you saying that you are not aware of any way to configure an HBS job that PULLs versus PUSHES? The topic from 2018 was using a CIFS/SMB share and the poster says they were pulling using an HBS job, but there are a couple details missing that leave me not able to follow how he had that working. Doing a CIFS/SMB share over the internet wouldn't be a plan I would like though, but he seemed to be saying that other methods could be used.

Maybe HBS has changed, but no version of the current options seem to allow me to choose a source that is a remote storage space with a target that is the local NAS. They mention the sync arrow switching at some point, but I haven't found an option that flips the arrow myself.

The old thread for reference:
viewtopic.php?t=139331

[dolbyman]

as I said further up...pull was an option...have to check tomorrow what it was called..something with sync (counterintuitive)

[dolbyman]

Ok I just checked

HBS3
Sync
Active Sync Job

Here you can choose the device to pull your backup from

[archaic0]

Ahh, I'll give that a shot, thank you!

I mentally blocked out the Active Sync option, thinking that option meant a live, two-way, sync.

[Narks]

archaic0, did you get your Active Sync (pull) working? I have just done this successfully over the Internet to a remote site that's using 4G mobile connection with dynamic IP address. Working fine! Happy to share config/approach

[Moogle Stiltzkin]

pull for qnap is called active sync aka pull.

Scenarios for Using Active Sync in HBS 3

Active synchronization transfers data from a remote location to a local location, in contrast to one-way sychronization which transfers data from a local location to a remote location.

In HBS 3, you can create active sync jobs to pull data to your NAS from cloud storage spaces, other NAS devices (via RTRR), or remote servers (via protocols such as rsync, FTP, SFTP, and CIFS/SMB). This tutorial presents some scenarios where active sync jobs can be useful.

https://www.qnap.com/en/how-to/tutorial ... c-in-hbs-3


*check the link they explain recommended ways for using active sync, so u can better understand in what kinds of scenario use case would u use that


if u point the initial location, it will pull from that location to your qnap when using active sync.

this is what i use for QNAP QTS to pull from a truenas rsync because i could not get the truenas rsync module to work fully with qnap so i had to use hybridbackupsync active sync in order to pull from the truenas which i use as my backup in order to do a recovery.

for a regular backup i just do a normal one way rsync/rtrr (aka a push) :}


as for doing this over the internet, best setup a vpn if you are worried about performance, wireguard supposedly tries to be the best performance possible for vpn. but if u opt not to use a vpn, and thus exposing your nas online, if u get your nas hacked, then u have nobody else to blame if u accept those risks (not worth it to me, but it's your call)

if u want the best performance, there is always the local lan backup route. but it's shortcoming is, is in case there is theft or some localized disaster like fire or whatever. some people they do both, a local lan backup, and another for remote