More Synology Backups, Updates and Security Hygiene plus Unifi Cellular Failover
Well, this replication stuff sure does work, so here is the backup strategy I've settled on for a Synology. It works pretty well for me:
Synology Redundancy and UPS
Well, this isn't really backup, but to increase the reliability of any set of disks you really want them RAID protected. That is, the data is written redundantly across multiple disks, so a single disk failure doesn't lose anything. Note what RAID does not protect against: an accidental delete or a ransomware encryption is faithfully written to every disk in the array, which is why the snapshots and offsite copies below still matter. And you really want UPS protection as well, so that in the event of a power failure you get a graceful shutdown instead of a dirty one.
With Synology, this is pretty easy: get a UPS and plug the USB cable that signals power failure into a USB port on the Synology. On DSM 6.2, go to Control Panel > Hardware & Power > General and select Restart automatically after a power failure, so the NAS comes back up on its own once the power returns.
Then, if you are doing this for just one NAS, in Control Panel > Hardware & Power > UPS, select Enable UPS support and set how many minutes on battery before Safe Mode begins (Safe Mode stops the services and unmounts the volumes so the box can lose power safely). I set this to 5 minutes so a brief outage doesn't trigger a shutdown; the UPS I use has about 30 minutes of runtime, so that leaves plenty of margin.
If you have more than one NAS, each one having its own UPS is, by the way, a good idea, and you set this on each. If they share one UPS, the NAS with the USB connection can relay the shutdown notification to the others: select Enable network UPS server on it and point the other NAS at it as a network UPS. The catch is that the relay only works while the switch between them is also on battery.
Note that if you want to spend a little more money, the APC Smart-UPS 1500, for instance, has an optional network management card, so you don't need USB; the UPS publishes its status over Ethernet. Of course, that presumes your network devices are on the UPS too, since if the power is failing the LAN has to stay up. I got mine as an APC Smart-UPS 1500VA Tower, but a rackmount actually makes way more sense if you haven't bought one already. Incredibly, that network management card costs about $600 for the enterprise version, though the unit does come with a SmartConnect Ethernet port for management (as well as a serial port!).
I actually connected the SmartConnect port and was hoping it would just light up a web server, but no joy there.
Well, the rule is what is called 3-2-1 backup: three copies of everything, on two different kinds of media, with one copy offsite. In practice that means two copies locally and one in the cloud. So here is how I'm protecting stuff:
Encrypted Backup to Google Drive via Hyperbackup
Well, there is a lot of data, like tax forms, that shouldn't be seen by anyone, so for that I use Hyper Backup with client-side encryption to Google Drive. The NAS encrypts the blocks before they leave, so Google only ever holds ciphertext. Keep the encryption password somewhere other than the NAS (1Password in my case), because without it the backup is unrecoverable, which is the whole point. The initial backup is going to take some time.
Visible Sync Copies with Snapshot Replication, Synology Drive and Cloud Sync
There is some data that I do want to be able to view and use from anywhere, for instance photos and videos. Here, Synology Drive works very well. I'm right now using it together with a lot of different tools:
- Snapshot Replication. Btrfs snapshots locally, replicated to a different Synology. I also replicate the snapshots to another storage pool on the same system and to a Btrfs volume on a different drive. Snapshots are read-only, so they are the copies that survive an accidental delete or a ransomware run. So in total that is two Synology boxes plus Google Drive via Hyper Backup.
- Synology Drive. Sync the data to an older Drobo Pro and also to a MacBook running a RAID 1 Thunderbolt array, for an additional backup of personal files. Vlad gave me good advice to use different architectures for backup, so that one bug or one compromised platform doesn't take out every copy at once.
- Cloud Sync. Yes, yet another tool, but this lets me see visible things like photos up in the cloud. Remember that a sync is not a backup: a deletion or an encrypted file propagates to the synced copy within minutes, so the versioned copies (snapshots and Hyper Backup) are the ones you actually restore from.
- iCloud Photos. While iCloud is too expensive for saving terabytes, I do back up all my photos into iCloud so I can view them everywhere.
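To make the 3-2-1 rule concrete, here is a small audit over an inventory of copies. This is an added example, not code from the original post or from Synology; the inventory is constructed to mirror the setup described above, the dataset and device names are illustrative, and it generalizes the rule slightly by also insisting on at least one versioned copy (since a plain sync propagates deletions) and on sensitive data never leaving the site unencrypted.

```python
"""3-2-1 backup audit over a constructed inventory of copies.

Added example, not from the original post. Each Copy records one place a
dataset lives. The INVENTORY below is constructed to match the post's setup;
device and dataset names are illustrative, not real hosts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    dataset: str     # what is stored, e.g. "photos"
    location: str    # which device or service holds this copy
    media: str       # kind of media: "nas-btrfs", "drobo", "cloud", ...
    offsite: bool    # physically somewhere else (cloud counts)
    encrypted: bool  # encrypted before leaving the NAS (Hyper Backup style)
    versioned: bool  # snapshots or backup versions, as opposed to a live sync


# Datasets that must not be readable by the provider holding them.
SENSITIVE = frozenset({"tax-forms"})


def audit(copies, sensitive=SENSITIVE):
    """Return {dataset: [problems]}. An empty list means the dataset passes."""
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    report = {}
    for name, cs in by_dataset.items():
        problems = []
        if len(cs) < 3:                                   # the "3"
            problems.append(f"only {len(cs)} copies (need 3)")
        if len({c.media for c in cs}) < 2:                # the "2"
            problems.append("all copies on one kind of media")
        if not any(c.offsite for c in cs):                # the "1"
            problems.append("no offsite copy")
        if not any(c.versioned for c in cs):
            problems.append("no versioned copy: a deletion or ransomware "
                            "propagates to every sync")
        if name in sensitive and any(c.offsite and not c.encrypted for c in cs):
            problems.append("sensitive data leaves the site unencrypted")
        report[name] = problems
    return report


# Constructed inventory mirroring the post: photos are synced widely in the
# clear, tax forms go offsite only through encrypted Hyper Backup, and
# "scratch" is a deliberately under-protected dataset to show the findings.
INVENTORY = [
    Copy("photos", "nas-1 (Btrfs snapshots)", "nas-btrfs", False, False, True),
    Copy("photos", "nas-2 (Snapshot Replication)", "nas-btrfs", False, False, True),
    Copy("photos", "drobo-pro (Synology Drive sync)", "drobo", False, False, False),
    Copy("photos", "google-drive (Cloud Sync)", "cloud", True, False, False),
    Copy("tax-forms", "nas-1 (Btrfs snapshots)", "nas-btrfs", False, False, True),
    Copy("tax-forms", "nas-2 (Snapshot Replication)", "nas-btrfs", False, False, True),
    Copy("tax-forms", "google-drive (Hyper Backup, encrypted)", "cloud", True, True, True),
    Copy("scratch", "nas-1", "nas-btrfs", False, False, False),
    Copy("scratch", "drobo-pro (sync)", "drobo", False, False, False),
]

if __name__ == "__main__":
    for dataset, problems in audit(INVENTORY).items():
        print(dataset, "OK" if not problems else problems)
```

Running it reports photos and tax-forms as OK and lists three problems for scratch. Adding a Cloud Sync copy of tax-forms to the inventory would immediately flag it, which is exactly the mistake the encrypted Hyper Backup path is there to avoid.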
Synology Security Advisor, 2FA and QuickConnect
OK, the other hygiene things you should deploy are about minimizing the attack surface, and the Synology Security Advisor is a great tool for that:
- Synology Security Advisor. You definitely want to load this and have it run daily. The fact is that if this is valuable data, you don't want to get hacked and then get a ransomware demand as you lose access to all your photos. As an aside, that's why all that replication offsite is important. You do want to change the default ports, SSH on 22 and the DSM web interface on 5000 and 5001. While this won't prevent a targeted attack, it keeps you out of the automated scans that only try the defaults, which is most of the noise. It does some other good things, like recommending that you always redirect HTTP to HTTPS for the DSM interface, which keeps your login from ever going over the wire in the clear. I would definitely turn it up pretty high and set it to the business profile so that you are really safe; you can always turn it down later to personal. The main difference is that the business setting is much tighter on things like ports and so forth. There are some really obscure things, like disabling HTTP compression in Control Panel > Security > Advanced > Enable HTTP compression; compression on top of TLS is what BREACH-style attacks exploit, so off is the right setting.
- Synology Password Settings. Minimize the number of accounts on the Synology system and store the passwords in 1Password. In particular, make sure the password strength rules are set high, so passwords are at least 16 and probably 20 characters and random. Also get rid of accounts like admin and guest, which are the first names any attacker tries. As an aside, this applies to both your local accounts and your Synology Account. Then, for things that truly need access, create a dedicated account with only the permissions it needs, so for instance if you are using Kodi it gets its own account rather than yours.
- Disabling guest requires SMB Local Master Browser off. Yes, this is obscure, but Local Master Browser uses the guest account, so the default at Control Panel > File Services > SMB/AFP/NFS > SMB Advanced Settings > Enable Local Master Browser needs to be off before guest can stay disabled. And while we are here, minimize your attack surface by only enabling the file protocols you actually use (SMB for me) and turning off the rest.
- Synology 2-Factor Authentication. Yes, it's a pain, but you have to turn this on, so that even if a password is phished or guessed they will need your authentication device as well.
- Email for Admin and Push Notifications to DS Finder. Yes, this is another one that is hard to find, but you want to set notifications pretty high and have it automatically send email. For this to work, you need a Gmail account (one you don't care about) and then connect it to your Synology machines in Control Panel > Notification > Email > Enable email notifications. You can also set up SMS notifications, but the providers I see cost money, which is sad. But you can load DS Finder on your phones and use it for push notifications in Control Panel > Notification > Push Service > Enable mobile device notifications.
- QuickConnect and DDNS. You can also have a forwarding service so that if you type a URL from anywhere in the world, you reach your NAS. As an aside, I would *not* do this unless you have really locked down your system, that is, done everything above. You can enable it at Control Panel > QuickConnect, where you get an address at quickconnect.to, and also at Control Panel > External Access > DDNS, where you can add Synology as a provider and get an address at synology.me. The difference matters: DDNS only gives you a name, so you still have to forward ports on your router and the DSM login is then directly exposed to the internet, whereas QuickConnect relays through Synology and needs no inbound ports. The QuickConnect ID is really useful with DS Finder, which despite its name is really a mini administration system that is way better than the mobile web site I've been using.
- Antivirus Essential. Yes, you can get a free antivirus package at Main Menu > Package Center > Antivirus Essential. Definitely recommended.
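The checklist above is the kind of thing that drifts back to defaults after an upgrade, so here it is as a script: an audit over a summary of the settings, plus the random password generator those account rules call for. This is an added example, not Synology's code and not the Security Advisor; the `WEAK` and `HARDENED` dicts are a constructed summary of the checklist, not DSM's real configuration format, and in practice you would fill them from the DSM web API or the Security Advisor report. The account name `owner` is illustrative.

```python
"""Audit a DSM hygiene checklist and generate the random passwords it calls for.

Added example, not Synology's code. The settings dicts are a constructed
summary of the checklist in the post, not DSM's real config format.
"""
import math
import secrets
import string

DSM_DEFAULT_PORTS = {"ssh": 22, "dsm_http": 5000, "dsm_https": 5001}
DEFAULT_ACCOUNTS = {"admin", "guest"}     # built-in names attackers try first
MIN_PASSWORD_LENGTH = 16
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20, alphabet=PASSWORD_ALPHABET):
    """Password from the OS CSPRNG via `secrets`; never use random.random for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(PASSWORD_ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def audit_dsm(s):
    """Return a list of findings; an empty list means every checklist item passes."""
    findings = []
    for name, default in DSM_DEFAULT_PORTS.items():
        if s["ports"].get(name) == default:
            findings.append(f"{name} still on default port {default}")
    if not s["redirect_http_to_https"]:
        findings.append("HTTP is not redirected to HTTPS")
    if s["http_compression"]:
        findings.append("HTTP compression enabled (compression + TLS enables BREACH-style leaks)")
    for acct in s["accounts"]:
        if not acct["enabled"]:
            continue
        if acct["name"] in DEFAULT_ACCOUNTS:
            findings.append(f"built-in account '{acct['name']}' is still enabled")
        elif not acct["otp"]:
            findings.append(f"2-factor authentication is off for '{acct['name']}'")
    min_len = s["password_policy"]["min_length"]
    if min_len < MIN_PASSWORD_LENGTH:
        findings.append(f"password minimum length {min_len} < {MIN_PASSWORD_LENGTH}")
    if s["smb"]["local_master_browser"]:
        findings.append("SMB Local Master Browser on (it keeps the guest account enabled)")
    extra = sorted(set(s["file_services"]) - {"smb"})
    if extra:
        findings.append(f"unneeded file services enabled: {', '.join(extra)}")
    if s["security_advisor"] != {"schedule": "daily", "profile": "business"}:
        findings.append("Security Advisor not running daily with the business profile")
    if not s["email_notifications"]:
        findings.append("email notifications off: nobody is told when something breaks")
    return findings


# Constructed "before" and "after" summaries of the checklist (illustrative values).
WEAK = {
    "ports": {"ssh": 22, "dsm_http": 5000, "dsm_https": 5001},
    "redirect_http_to_https": False,
    "http_compression": True,
    "accounts": [{"name": "admin", "enabled": True, "otp": False},
                 {"name": "guest", "enabled": False, "otp": False}],
    "password_policy": {"min_length": 8},
    "smb": {"local_master_browser": True},
    "file_services": ["smb", "afp", "nfs"],
    "security_advisor": {"schedule": "weekly", "profile": "personal"},
    "email_notifications": False,
}
HARDENED = {
    "ports": {"ssh": 2222, "dsm_http": 8000, "dsm_https": 8001},
    "redirect_http_to_https": True,
    "http_compression": False,
    "accounts": [{"name": "admin", "enabled": False, "otp": False},
                 {"name": "guest", "enabled": False, "otp": False},
                 {"name": "owner", "enabled": True, "otp": True}],
    "password_policy": {"min_length": 20},
    "smb": {"local_master_browser": False},
    "file_services": ["smb"],
    "security_advisor": {"schedule": "daily", "profile": "business"},
    "email_notifications": True,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_dsm(cfg) or "all checks pass")
    print("sample 20-char password:", generate_password(),
          f"({entropy_bits(20):.0f} bits)")
```

A 20-character password over the 94 printable ASCII symbols is about 131 bits of entropy, far beyond anything online guessing or an offline crack of a leaked hash will reach, which is why 16 to 20 random characters is the right bar. The audit deliberately skips disabled accounts, so a disabled `admin` is a pass and an enabled one is a finding.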
Upgrade to DSM 7.0
OK, our 10-year-old DS1812+ has finally fallen off the upgrade list, so you won't see DSM 7.0 running on that box; it stays on DSM 6.2, and Synology is still shipping updates for that, which is good.
The slightly younger DS2413+ is in its last year of getting DSM 7.0 updates and requires a manual update from the Download Center. Basically, you go to the Download Center, type in your hardware model and the version you have, and you get a .pat file, which you upload in Control Panel > Update & Restore using Manual DSM Update. Check the .pat file's checksum against the one listed on the download page before you upload it, and make sure your Hyper Backups and snapshot replications have finished, because upgrades are always a little scary.
Newer devices like the DS216+ get the upgrade automatically through DSM Update.
Unifi UDM Pro WAN Failover to Cellular with SFP+
Since we are on the topic of reliability, one thing I've been working on is setting the system up for automatic WAN failover. The UniFi Dream Machine Pro has an RJ45 WAN port, but you can also configure one of the SFP+ ports as a second WAN using an SFP+-to-RJ45 module. Connect that to a cellular router, and if your cable modem or whatever primary connection fails, you get cellular backup.
Getting the SFP+ module to latch is the big trick
My problem was that the 10Gb SFP+-to-Ethernet module just did not seem to work in the UniFi Dream Machine Pro: no link light at all. If I plug in an optical module it works, and if I plug the same SFP+ module into the 48-port switch it works. I thought it might be a hardware problem because I can latch into all the other ports except port 10. There is a little gold bail you pull down to remove the module and push up to latch, and this is not documented anywhere.
It turns out the latch trick has to do with tolerances. There is a small metal spring below the cage, and on the UniFi Dream Machine Pro it sits just a little low, so when you insert the SFP+ 10Gb RJ45 module you have to push it gently down and then it will latch. This is important so you don't accidentally pull it out. All of this is hot-pluggable, by the way, which is nice.
The main thing is that I think without the latching pressure the module does not really engage, but I don't think that is the root cause.
Getting the port recognized: turn off auto-negotiation
OK, the second, non-obvious trick is that auto-negotiation does not seem to work, so in the UniFi portal you go to Devices > UDM Pro > Settings > Ports and set the speed manually to 1Gb or 10Gb; then the light comes on. It is white for 10Gb and green for 1Gb. Since you have taken auto-negotiation out of the picture, the speed has to match what the far side supports, and a cellular router's Ethernet port is 1Gb at best, so 1Gb is the setting for this use.
But I think that, unlike the Ubiquiti Switch 48, which brings the port up immediately, with the Dream Machine Pro you have to have the latch down and then a cable plugged in.
Configuring the Unifi to have WAN failover
I think the software is right, and I did all the steps below to get it to work.
It turns out there is actually a Load Balancing section in the web UI for this. To get there, go to the web interface, choose Network > Settings > Internet, click on Backup (WAN2) and make sure the settings are right. The defaults actually look pretty good to me. The one setting worth checking is that WAN2 is in failover-only mode rather than load balancing; otherwise part of your everyday traffic goes out over the metered cellular link even when the cable modem is fine.
Now you go to the port section in Network > UniFi Devices > _Your Dream Machine_ > Settings > Ports. The map should show eight regular ports and then three special ones: the upper right one has a globe and is WAN2 (the SFP+ port 10), and the lower left is WAN, called port 9. It should all just work as soon as you get your cellular router up. I use the Netgear Nighthawk M1100 4G LTE Mobile Router. You operate it by pushing the power button, and each push takes you to a new screen.
The thing is pretty handy: it has a battery in it, and it is pretty easy to set up. You stick a mini SIM underneath the battery, plug the MIMO antennas into the TS-9 ports on the side, plug it into a USB-C charger, and the front screen shows the WiFi network it is broadcasting. There's even a Netgear mobile application that you can use to manage it, or just browse to http://192.168.1.1 on that network and type in the default user name of admin and the password. Change that default password before you hand the router a WAN port on your network, and turn off its WiFi if the Ethernet connection to the UDM Pro is the only thing using it.