Search

How to Set Up Airgap+ to Protect Your HBS Backups

Release date: 2024-12-18

Applicable Products

  • NAS model: All QNAP NAS
  • NAS OS: QTS, QuTS hero
  • NAS application: HBS 3 Hybrid Backup Sync version 25 or later
  • Router model: QHora-321 or QHora-322
  • Router OS: QuRouter 2.4.2 or later

Introduction

Airgap+ is QNAP's solution to creating offline backups for enterprise-level data protection. 

By connecting your QNAP NAS devices to a QNAP router that supports Airgap+, you can create a private network where the router only allows connections between the NAS devices when HBS (Hybrid Backup Sync) is running a backup or sync job. The router rejects all other connection requests to the backup NAS at other times, isolating and safeguarding your backup data.

This tutorial provides a step-by-step guide for setting up an Airgap+ environment for your HBS backups.

Airgap+ Options and Requirements

You can choose between two setup options depending on your needs and preferences:


Standard Airgap+Advanced Airgap+
QNAP Router
  • An Airgap+ router (QHora-321 or QHora-322)
  • The router must run QuRouter 2.4.2 or later
QNAP NAS Operating SystemQTS, QuTS hero
QNAP NAS ApplicationHBS 3 (Hybrid Backup Sync) version 25 or later
QNAP NAS Devices

At least two NAS devices:

  • A source NAS which runs HBS jobs
  • A backup NAS

At least three NAS devices:

  • A source NAS
  • A backup NAS
  • A bridge NAS which runs HBS jobs
  • The NAS devices are in a private network connected through the Airgap+ router. 
  • The source NAS is also connected to a public network and is the primary device that runs services.
Airgap RestrictionThe router only allows connections in the following situations:
The source NAS is transferring data to the backup NAS via HBS.The bridge NAS is transferring data from the source NAS or to the backup NAS via HBS.
Advantages
  • Less equipment
  • Fewer configuration steps
  • Extra layer of isolation for the backup NAS
  • Conserves system resources on the source NAS for other important tasks and services

Standard Airgap+

In the standard Airgap+ setup, the source and backup NAS devices are connected to the same Airgap+ router. While the source NAS is connected to a public network, it is also in a private network with the backup NAS through the router. 

In this private network, the router only allows the source NAS to access the backup NAS when the source NAS is running an HBS job.

How standard Airgap+ works 

Normally, only the source NAS has access to the router. The backup NAS is completely isolated.

When the source NAS runs a backup job in HBS, the router allows data to be transferred from the source NAS to the backup NAS.

Standard Airgap+ Setup Instructions

To set up a standard Airgap+ environment, you need to configure the Airgap+ router and both NAS devices before you can create HBS jobs to start backing up your data.

Tip
Prepare a text editor or pen and paper. The following instructions require copying and entering information between different devices and applications.
A. Configure the router.
  1. Connect the source NAS and the backup NAS directly to the Airgap+ router to create a private network.
    Important

    We highly recommend configuring a static IP address for the backup NAS. This ensures the Airgap+ settings on all devices remain valid over time.


    • To configure a static IP address for the backup NAS network adapter that is connected to the router, see one of the following:
    • If you choose to use a DHCP server to assign IP addresses, make sure to reserve the backup NAS IP address on the router LAN port that is connected to the backup NAS.
      For configuration details, see "Configuring local area network (LAN) interface settings" ("Reserved IP Table" setting) in the QuRouter for QHora Routers User Guide.
  2. Enable mutual TLS connection on the router.
    1. Log in to the router operating system, QuRouter.
    2. Go to System > Access Control > Access Control Settings.
    3. Enable Mutual TLS (mTLS).
  3. Obtain the IP address of your backup NAS in the private network.
    1. In QuRouter, go to Connected QNAP Devices.
    2. Identify the backup NAS device.
    3. Copy the backup NAS IP address.
      Note
      • The NAS may have more than one IP address listed. Copy the IP address that is in the same IP range as the router.
        In our example, the IP address is "192.168.102.100".
      • Use this IP address in steps B-6c and D-8e.
  4. Obtain the LAN port IP address on the Airgap+ router that is connected to the backup NAS.
    1. In QuRouter, go to Network > Physical Interface Settings > LAN.
    2. Identify the router LAN port that is connected to the backup NAS.
    3. Under IP Address, copy the IP address.
      Note
      Use the last number of the IP address in step B-6e.
      In our example, the last number of the IP address "192.168.102.1" is "1".
    4. Under IP Address, copy the subnet mask.
      Note
      Specify this subnet mask in step B-6d.
      In our example, the subnet mask is "/24".
B. Configure the source NAS.
  1. Identify the source NAS adapter that is connected to the Airgap+ router.
    1. On the source NAS, open Network & Virtual Switch.
    2. Go to Network > Interfaces.
    3. Identify the adapter that is connected to the Airgap+ router.
      Note
      Use this adapter in step B-6f.
      In our example, adapter 2 is connected to the Airgap+ router.

    4. Copy the IP address of the adapter.
      Note
      Use the first three numbers in the IP address in step B-6e.
      In our example, the first three numbers of the IP address "192.168.100.100" are "192.168.100".
  2. Create a static route rule on the source NAS for connecting to the backup NAS.
    1. In Network & Virtual Switch, go to Network > Route
    2. Under Static Route, click Add.
      The Static Route (IPv4) window opens.
    3. Next to Destination, specify the IP address of the backup NAS (see step A-3c).
    4. Next to Netmask, specify the subnet mask for the router LAN port that is connected to the backup NAS (see step A-4d).
    5. Next to Gateway, specify the first three numbers of the IP address for the source NAS adapter that is connected to the router (see step B-5d), followed by the last number of the IP address for the router LAN port that is connected to the backup NAS (see step A-4c).
      Note
      In our example: 
      • Step B-5d provides the first three numbers of the IP address ("192.168.100").
      • Step A-4c provides the last number of the IP address ("1"). 
      Join the two to obtain "192.168.100.1". Enter this address in the Gateway field.
      Also use this address in step D-8j.
    6. Next to Interface, select the source NAS adapter that is connected to the router (see step B-5c).
    7. Click Apply.
      Network & Virtual Switch adds the static route rule.
C. Configure the backup NAS
  1. On the backup NAS, enable the RTRR server.
    This allows HBS jobs on the source NAS to use the backup NAS as a backup destination.
    1. On the backup NAS, open HBS.
    2. Go to Services > Remote NAS (RTRR Server).
    3. Next to Status, click the toggle button to enable the RTRR server.
    4. Configure the RTRR server settings.
      For details, see Configuring the RTRR server.
      Note
      • Copy the port number specified on this page and enter it in step D-8f.
      • Remember the account access method and credentials configured here and use them in steps D-8g and D-8h.
    5. Click Apply.
      HBS enables the RTRR server with the configured settings.
D. Create an HBS job on the source NAS.
  1. In HBS on the source NAS, create a storage space for the backup NAS.
    This allows you to save the connection settings of the backup NAS and enable an Airgap+ connection between the source NAS and the backup NAS.
    1. On the source NAS, open HBS.
    2. Go to Storage Spaces.
    3. Click Create, and then click Remote NAS.
      The Create a Storage Space window opens.
    4. Enter a name to identify the backup NAS.
    5. Enter the backup NAS IP address (see step A-3c).
    6. Enter the backup NAS RTRR server port number (see step C-7d).
    7. Select an account access method you configured in the RTRR server settings on the backup NAS (see step C-7d).
    8. Enter the credentials for the account access method (see step C-7d).
    9. Select Use Airgap+ to protect data on remote NAS.
    10. Enter the gateway IP address from the static route rule you created (see step B-6e).
    11. Enter the router management account credentials.
    12. Click Create.
      HBS creates the storage space and adds it to the storage space list.
      You should see "Protected by Airgap+" at the top of the storage space entry.
  2. Create a backup job on the source NAS.
    1. In HBS, go to Backup & Restore.
    2. Click Backup Now and then click New backup job.
      Note
      If you have created a backup job before, click Create and then click New backup job.
      The Create a Backup Job wizard opens.
    3. Follow the steps in the wizard.
      For details, see Creating a backup job.
  3. After the backup job is created, verify that the Airgap+ link has been established on the router.
    1. In QuRouter, go to Network > Physical Interface Settings > LAN.
    2. Identify the LAN port that is connected to the backup NAS.
    3. Under Link Status, verify there is an Airgap+ tag for the LAN port.

You can now run the Airgap+ protected HBS backup job on the source NAS.

Advanced Airgap+

In the advanced Airgap+ setup, the source, backup, and bridge NAS devices are connected to the same router. While the source NAS is connected to a public network, it is also in a private network with the backup and bridge NAS devices through the router. 

In this private network, the router only allows the bridge NAS to access the source and backup NAS devices when the bridge NAS is running an HBS job. 

Because the bridge NAS runs all the HBS jobs, the source NAS can conserve and allocate more system resources for other important tasks and services.

 How advanced Airgap+ works 

Normally, only the bridge NAS has access to the router. The backup NAS is completely isolated.

When the bridge NAS runs an active sync job in HBS, the router allows the data you want to back up to be transferred from the source NAS through the router to the bridge NAS, while the backup NAS remains isolated.

After completing the active sync job, the bridge NAS then runs a backup job, and the router allows the backup data to be transferred from the bridge NAS through the router to the backup NAS, while the source NAS is blocked from accessing the private network.

Advanced Airgap+ Setup Instructions

To set up an advanced Airgap+ environment, you need to configure the Airgap+ router and all the NAS devices before you can create HBS jobs to start backing up your data.

Tip
Prepare a text editor or pen and paper. The following instructions require copying and entering information between different devices and applications.
A. Configure the router.
  1. Connect the source, bridge, and backup NAS devices directly to the Airgap+ router to create a private network.
    Important

    We highly recommend configuring static IP addresses for the source and backup NAS devices. This ensures the Airgap+ settings on all devices remain valid over time.


    • To configure static IP addresses for the backup and source NAS network adapters that are connected to the router, see one of the following:
    • If you choose to use a DHCP server to assign IP addresses, make sure to reserve the backup and source NAS IP addresses on the router LAN ports that are connected to the NAS devices.
      For configuration details, see "Configuring local area network (LAN) interface settings" ("Reserved IP Table" setting) in the QuRouter for QHora Routers User Guide.
  2. Enable mutual TLS connection on the router.
    1. Log in to the router operating system, QuRouter.
    2. Go to System > Access Control > Access Control Settings.
    3. Enable Mutual TLS (mTLS).
  3. Obtain the IP addresses of your source and backup NAS devices in the private network.
    1. In QuRouter, go to Connected QNAP Devices.
    2. Identify the source and backup NAS devices.
    3. Copy the source NAS IP address.
      Note
      • The NAS may have more than one IP address listed. Copy the IP address that is in the same IP range as the router.
        In our example, the IP address is "192.168.100.100".
      • Use this IP address in steps B-6c and D-10e.
    4. Copy the backup NAS IP address.
      Note
      • The NAS may have more than one IP address listed. Copy the IP address that is in the same IP range as the router.
        In our example, the IP address is "192.168.102.100".
      • Use this IP address in steps B-7c and D-11e.
  4. Obtain the LAN port IP addresses on the Airgap+ router that are connected to the source and backup NAS devices.
    1. In QuRouter, go to Network > Physical Interface Settings > LAN.
    2. Identify the LAN ports on the router that are connected to the source and backup NAS devices.
    3. Under IP Address, copy the IP address for the LAN port connected to the source NAS.
      Note
      Use the last number of the IP address in step B-6e.
      In our example, the last number of the IP address "192.168.100.1" is "1".
    4. Copy the subnet mask for the LAN port connected to the source NAS.
      Note
      Specify the subnet mask in step B-6d.
      In our example, the subnet mask is "/24".
    5. Copy the IP address for the LAN port connected to the backup NAS.
      Note
      Use the last number of the IP address in step B-7e.
      In our example, the last number of the IP address "192.168.102.1" is "1".
    6. Copy the subnet mask for the LAN port connected to the backup NAS.
      Note
      Specify the subnet mask in step B-7d.
      In our example, the subnet mask is "/24".
B. Configure the bridge NAS.
  1. Identify the bridge NAS adapter that is connected to the Airgap+ router.
    1. On the bridge NAS, open Network & Virtual Switch.
    2. Go to Network > Interfaces.
    3. Identify the adapter that is connected to the Airgap+ router.
      Note
      Use this adapter in steps B-6f and B-7f.
      In our example, adapter 5 is connected to the Airgap+ router.

    4. Copy the IP address of the adapter.
      Note
      Use the first three numbers of the IP address in steps B-6e and B-7e.
      In our example, the first three numbers of the IP address "192.168.104.100" are "192.168.104".
  2. Create a static route rule on the bridge NAS for connecting to the source NAS.
    1. On the bridge NAS, go to Network & Virtual Switch > Network > Route.
    2. Under Static Router, click Add.
      The Static Route (IPv4) window opens.
    3. Next to Destination, specify the IP address of the source NAS (see step A-3c).
    4. Next to Netmask, specify the subnet mask of the router LAN port that is connected to the source NAS (see step A-4d).
    5. Next to Gateway, specify the first three numbers of the IP address for the bridge NAS adapter that is connected to the router (see step B-5d), followed by the last number of the IP address for the router LAN port that is connected to the source NAS (see step A-4c).
      Note
      In our example:
      • Step B-5d provides the first three numbers of the IP address ("192.168.104").
      • Step A-4c provides the last number of the IP address ("1").

      Join the two to obtain "192.168.104.1". Enter this address in the Gateway field.
      Also use this address in step D-10j.

    6. Next to Interface, select the bridge NAS adapter that is connected to the router (see step B-5c).
    7. Click Apply.
      Network & Virtual Switch adds the static route rule.
  3. Create a static route rule on the bridge NAS for connecting to the backup NAS. 
    1. On the bridge NAS, remain in Network & Virtual Switch > Network > Route.
    2. Under Static Router, click Add.
      The Static Route (IPv4) window opens.
    3. Next to Destination, specify the IP address of the backup NAS (see step A-3d).
    4. Next to Netmask, specify the subnet mask of the router LAN port that is connected to the backup NAS (see step A-4f).
    5. Next to Gateway, specify the first three numbers of the IP address for the bridge NAS adapter that is connected to the router (see step B-5d), followed by the last number of the IP address for the router LAN port that is connected to the source NAS (see step A-4e).
      Note
      In our example:
      • Step B-5d provides the first three numbers of the IP address ("192.168.104").
      • Step A-4e provides the last number of the IP address ("1").

      Join the two to obtain "192.168.104.1". Enter this address in the Gateway field.
      Also use this address in step D-11j.

    6. Next to Interface, select the bridge NAS adapter that is connected to the router (see step B-5c).
    7. Click Apply.
      Network & Virtual Switch adds the static route rule.
C. Configure the source and backup NAS devices.
  1. Enable the RTRR server on the source NAS.
    This allows HBS jobs on the bridge NAS to use the source NAS as a sync source.
    1. On the source NAS, open HBS.
    2. Go to Services > Remote NAS (RTRR Server).
    3. Next to Status, click the toggle button to enable the RTRR server.
    4. Configure the RTRR server settings.
      For details, see Configuring the RTRR server.
      Note
      • Copy the port number specified on this page and enter it in step D-10f.
      • Remember the account access method and credentials configured here and use them in steps D-10g and D-10h.
    5. Click Apply.
      HBS enables the RTRR server on the source NAS.
  2. Enable the RTRR server on the backup NAS.
    This allows HBS jobs on the bridge NAS to use the backup NAS as a backup destination.
    1. On the backup NAS, open HBS.
    2. Go to Services > Remote NAS (RTRR Server).
    3. Next to Status, click the toggle button to enable the RTRR server.
    4. Configure the RTRR server settings.
      For details, see Configuring the RTRR server.
      Note
      • Copy the port number specified on this page and enter it in step D-11f.
      • Remember the account access method and credentials configured here and use them in steps D-11g and D-11h.
    5. Click Apply.
      HBS enables the RTRR server on the backup NAS.
D. Create HBS jobs on the bridge NAS.
  1. In HBS on the bridge NAS, create a storage space for the source NAS.
    This allows you to save the connection settings of the source NAS and enable an Airgap+ connection between the source NAS and the bridge NAS.
    1. On the bridge NAS, open HBS.
    2. Go to Storage Spaces.
    3. Click Create, and then click Remote NAS.
      The Create a Storage Space window opens.
    4. Enter a name to identify the source NAS.
    5. Enter the source NAS IP address (see step A-3c).
    6. Enter the source NAS RTRR server port number (see step C-8d).
    7. Select an account access method you configured in the RTRR server settings on the source NAS (see step C-8d).
    8. Enter the credentials for the account access method (see step C-8d).
    9. Select Use Airgap+ to protect data on remote NAS.
    10. Enter the gateway IP address from the static route rule on the bridge NAS for connecting to the source NAS (see step B-6e).
    11. Enter the router management account credentials.
    12. Click Create.
      HBS creates the storage space and adds it to the storage space list.
  2. In HBS on the bridge NAS, create a storage space for the backup NAS.
    This allows you to save the connection settings of the backup NAS and enable an Airgap+ connection between the bridge NAS and the backup NAS.
    1. On the bridge NAS, stay in HBS.
    2. Go to Storage Spaces.
    3. Click Create, and then click Remote NAS.
      The Create a Storage Space window opens.
    4. Enter a name to identify the backup NAS.
    5. Enter the backup NAS IP address (see step A-3d).
    6. Enter the backup NAS RTRR server port number (see step C-9d).
    7. Select an account access method you configured in the RTRR server settings on the backup NAS (see step C-9d).
    8. Enter the credentials for the account access method (see step C-9d).
    9. Select Use Airgap+ to protect data on remote NAS.
    10. Enter the gateway IP address from the static route rule on the bridge NAS for connecting to the backup NAS (see step B-7e).
    11. Enter the router management account credentials.
    12. Click Create.
      HBS creates the storage space and adds it to the storage space list.
      After both storage spaces are created, you should see "Protected by Airgap+" at the top of the storage space entries in HBS > Storage Spaces.
  3. Create an active sync job on the bridge NAS to transfer backup data from the source NAS to the bridge NAS.
    1. On the bridge NAS, go to HBS > Sync.
    2. Click Sync Now and then click Active Sync Job.
      Note
      If you have created a sync job before, click Create and then click Active Sync Job.
      The Create a Sync Job wizard opens.
    3. Follow the steps in the wizard.
      For details, see Creating an active sync job.
  4. Create a backup job on the bridge NAS to transfer the backup data to the backup NAS.
    1. On the bridge NAS, go to HBS > Backup & Restore.
    2. Click Backup Now and then click New backup job.
      Note
      If you have created a backup job before, click Create and then click New backup job.
      The Create a Backup Job wizard opens.
    3. Follow the wizard to select the source and destination folders.
      Important
      Make sure the source folder in this backup job is the same as the destination folder in the active sync job you just created.
    4. On the Schedule page, select Run after job, and then select the active sync job you just created.
      This allows the backup job to automatically run every time the active sync job finishes, completing the backup data transfer to your backup NAS.
    5. Follow the remaining steps in the wizard.
      For details, see Creating a backup job.
  5. After the active sync job and backup job are created, verify that the Airgap+ links have been established on the router.
    1. On the router, go to QuRouter > Network > Physical Interface Settings > LAN.
    2. Identify the LAN ports that are connected to the source and backup NAS devices.
    3. Under Link Status, verify there are Airgap+ tags for the LAN ports.

You can now run the HBS active sync job on the bridge NAS to transfer the data you want to back up.
After the active sync job finishes transferring the backup data from the source NAS to the bridge NAS, the backup job will automatically run and transfer the backup data from the bridge NAS to its final destination, the backup NAS. The entire process is now protected by Airgap+.

Was this article helpful?

Yes. No.
75% of people think it helps.
Thank you for your feedback.

Please tell us how this article can be improved:

If you want to provide additional feedback, please include it below.

Válassza ki a specifikációt

      Mutass többet Kevesebb

      Ez a webhely más országokban / régiókban:

      open menu
      back to top