Current setup

The CCR is doing the routing and switching and the Cisco switches are functioning as level 2.
I have a server that connects through a VPN to a different country and it connects directly to the CCR ethernet port. The VPN is set up at the router level. I keep traffic on this VPN isolated from my home network. The VPN server itself has dual 1GbE NICs. Currently, if I have to move data off of the VPN server onto my storage server, I have to use TeamViewer or trek to the basement with a USB drive. I’m not a fan of TeamViewer for this as the files are typically 30 - 50 Gb in size and my understanding is that the data leaves my intranet, goes over the TV servers and then back to my other TV computer. This takes a long time and half the time the file transfer fails. I did have both NICs set up where one was on the home network with intranet access only and the other on the VPN connection (VPN NIC 1 on the 192.168.x.x range with subnet mask 255.255.0.0, and intranet NIC 2 on the 10.0.x.x range with subnet mask 255.255.0.0 and a blank default gateway). However, I am concerned that “someone” could gain access to my home network through the VPN connection into the switch or server and learn my true IP location. TeamViewer has an intranet-only mode, so this was used to transfer files from the server by connecting to NIC 2 from my storage server. It was much faster.
I’m thinking about installing an SFP+ card (single port for the VPN server and dual port for the storage server), which should obviously speed up transfers. I would make a direct-connect network between the VPN and storage server and use TeamViewer in LAN mode, or use the Krusader docker on Unraid to mount the VPN server data drive on the storage server (NFS or SMB, but that’s a different discussion?). I’m just trying to ascertain the security risk of this. If someone was to gain access to my VPN server computer, would they be able to see the other SFP+ direct connection? If they then got on the storage server, then through the second SFP+ on that computer the individual could access my whole network. I’m concerned about ransomware. The second SFP+ on the storage server would connect to the Cisco SG350XG switch for a 10GbE backbone.
Someone on another forum suggested a dual-homed storage server, which would have one port in my home network and one in the “vpn” network. I would have to change the current SFP+ connections from the CCR: one to the SG350XG and the other to the storage server, dedicated to the VPN network (intranet only). The second storage SFP+ would connect to the SG500X SFP+ and the SG500X would also connect to the second SFP+ on the SG350XG. Then connect the same NFS or SMB share to both the home client and the VPN server. For extra security, could block internet access from the storage server?? This way you won’t be able to jump from the VPN server (if compromised) to the storage server. I don’t quite understand the last part; I need my storage server to have internet access for Plex Pass. Maybe he means block internet access on the port going to the VPN and keep it intranet only??
Basically, I’m looking for a way to move files between two servers over SFP+ while protecting the anonymity of my home network. The storage server is being upgraded to Unraid. I don’t think it makes sense to run the VPN server as a VM in Unraid. All the data that is currently downloaded over the VPN server is virus checked and malware scanned before physically moving onto my storage server. If I combined both boxes with a Windows 10 VM, I believe I would put all the data on the server and my home network at risk of malware/viruses/etc. Plus, when trying to access the internet for Plex Pass seeding, there will be two incoming/outgoing internet connections on one box and I don’t know how to tell Unraid to use the home network for Plex Pass data.
Just for fun, I’m thinking about adding a CRS326-24S+2Q+RM between the CCR and SG350X for more SFP+ ports. I would like to bond (not sure which type) the two SFP+ from the CCR to the CRS as well as bond the 2 SFP+ from the SG350X to the CRS. The internet access for the VPN server will not need 10GbE, so I will keep it connected via 1GbE ethernet. If I bond the CCR to the CRS, then there is no open SFP+ on the router to connect the storage server for the dual-homed setup as explained above. I would need to connect the SFP+ from the VPN server to the CRS and both SFP+ from the storage server to the CRS: one for home network access and the other for connection to the VPN server for data transfer. Would I have to set rules or a VLAN to isolate the VPN server SFP+ port on the CRS to prevent access to the home network? I still need it to be able to transfer data with one of the SFP+ connections from the storage server.
I’m sure I’m overthinking this and making it much more complicated than it needs to be. Looking forward to your replies.