Search

How to Set Up Airgap+ to Protect Your HBS Backups

Last modified date: 2025-12-02

Applicable Products

NAS

  • All NAS models
  • Operating systems:
    • QTS 5.2.x and later
    • QuTS hero h5.2.x and later
  • Applications: Hybrid Backup Sync (HBS3) 25 and later

Routers

  • QHora-321
  • QHora-322
  • Operating system: QuRouter 2.4.2 and later

Switches

  • QSW-M3216R-8S8T
  • QSW-M3212R-8S4T
  • QSW-M3224-24T
  • QSW-M7308R-4X
  • Operating systems:
    • QSS 4.3 and later
    • QSS Pro 4.3 and later

Introduction

Airgap+ is QNAP's solution to creating offline backups for enterprise-level data protection. 

By connecting your QNAP NAS devices to a QNAP router or switch that supports Airgap+, you can create a private network where the router/switch only allows connections between the NAS devices when HBS (Hybrid Backup Sync) is running a backup or sync job. The router or switch rejects all other connection requests to the backup NAS at other times, isolating and safeguarding your backup data.

This tutorial provides a step-by-step guide for setting up an Airgap+ environment for your HBS backups.

Airgap+ Options and Requirements


Standard Airgap+Advanced Airgap+
QNAP Router
  • An Airgap+ router (QHora-321 or QHora-322)
  • The router must run QuRouter 2.4.2 or later
QNAP Switch
  • An Airgap+ switch
    • QSW-M3216R-8S8T
    • QSW-M3212R-8S4T
    • QSW-M3224-24T
    • QSW-M7308R-4X
  • The switch must run QSS or QSS Pro 4.3.0 or later
QNAP NAS Operating System
  • QTS
  • QuTS hero
QNAP NAS ApplicationHBS 3 (Hybrid Backup Sync) version 25 or later
QNAP NAS Devices

At least two NAS devices:

  • A source NAS which runs HBS jobs
  • A backup NAS

At least three NAS devices:

  • A source NAS
  • A backup NAS
  • A bridge NAS which runs HBS jobs
  • The NAS devices are in a private network connected through the Airgap+ router or switch. 
  • The source NAS is also connected to a public network and is the primary device that runs services.
Airgap RestrictionThe router or switch only allows connections in the following situations:
The source NAS is transferring data to the backup NAS via HBS.The bridge NAS is transferring data from the source NAS or to the backup NAS via HBS.
Advantages
  • Less equipment
  • Fewer configuration steps
  • Extra layer of isolation for the backup NAS
  • Conserves system resources on the source NAS for other important tasks and services
Important

You can deploy Airgap+ using either a router-based or switch-based setup, depending on the network device you have and how you prefer to build your airgapped network. Airgap+ functions most reliably when all NAS devices use static IP addresses, regardless of which setup you choose.

  • Router-based setups: Routers support DHCP reservation, which helps keep IP assignments consistent. Using this feature reduces the chances of communication issues during Airgap+ operations.
  • Switch-based setups: Switches do not support IP reservation, even when they include a DHCP server. This can cause inconsistent IP assignments, which may interrupt Airgap+ communication. If you use a switch-based setup, it is strongly recommended to configure static IP addresses on all NAS devices to maintain stable connectivity during HBS jobs.

Setting Up Airgap+ with a Router-Based Network

Standard Airgap+

In the standard Airgap+ setup, the source and backup NAS devices are connected to the same Airgap+ router. While the source NAS is connected to a public network, it is also in a private network with the backup NAS through the router. 

In this private network, the router only allows the source NAS to access the backup NAS when the source NAS is running an HBS job.

How standard Airgap+ works

Normally, only the source NAS has access to the router. The backup NAS is completely isolated.

When the source NAS runs a backup job in HBS, the router allows data to be transferred from the source NAS to the backup NAS.

Standard Airgap+ Setup Instructions

To set up a standard Airgap+ environment, you need to configure the Airgap+ router and both NAS devices before you can create HBS jobs to start backing up your data.

Tip
Prepare a text editor or pen and paper. The following instructions require copying and entering information between different devices and applications.

A. Configure the router

  1. Connect the source NAS and the backup NAS directly to the Airgap+ router to create a private network.
    Important

    We highly recommend configuring a static IP address for the backup NAS. This ensures the Airgap+ settings on all devices remain valid over time.

    • To configure a static IP address for the backup NAS network adapter that is connected to the router, see one of the following:
    • If you choose to use a DHCP server to assign IP addresses, make sure to reserve the backup NAS IP address on the router LAN port that is connected to the backup NAS.
      For configuration details, see "Configuring local area network (LAN) interface settings" ("Reserved IP Table" setting) in the QuRouter for QHora Routers User Guide.
  2. Enable mutual TLS connection on the router.
    1. Log in to the router operating system, QuRouter.
    2. Go to System > Access Control > Access Control Settings.
    3. Enable Mutual TLS (mTLS).
  3. Obtain the IP address of your backup NAS in the private network.
    1. In QuRouter, go to Connected QNAP Devices.
    2. Identify the backup NAS device.
    3. Copy the backup NAS IP address.
      Note
      • The NAS may have more than one IP address listed. Copy the IP address that is in the same IP range as the router.
        In our example, the IP address is 192.168.102.100.
      • Use this IP address in steps B-2c and D-1e.
  4. Obtain the LAN port IP address on the Airgap+ router that is connected to the backup NAS.
    1. In QuRouter, go to Network > Physical Interface Settings > LAN.
    2. Identify the router LAN port that is connected to the backup NAS.
    3. Under IP Address, copy the IP address.
      Note
      Use the last octet of the IP address in step B-2e.
      In our example, the last octet of the IP address 192.168.102.1 is 1.
    4. Under IP Address, copy the subnet mask.
      Note
      Specify this subnet mask in step B-2d.
      In our example, the subnet mask is /24.

B. Configure the source NAS

  1. Identify the source NAS adapter that is connected to the Airgap+ router.
    1. On the source NAS, open Network & Virtual Switch.
    2. Go to Network > Interfaces.
    3. Identify the adapter that is connected to the Airgap+ router.
      Note
      Use this adapter in step B-2f.
      In our example, adapter 2 is connected to the Airgap+ router.

    4. Copy the IP address of the adapter.
      Note
      Use the first three octets in the IP address in step B-2e.
      In our example, the first three octets of the IP address 192.168.100.100 are 192.168.100.
  2. Create a static route rule on the source NAS for connecting to the backup NAS.
    1. In Network & Virtual Switch, go to Network > Route
    2. Under Static Route, click Add.
      The Static Route (IPv4) window opens.
    3. Next to Destination, specify the IP address of the backup NAS (see step A-3c).
    4. Next to Netmask, specify the subnet mask for the router LAN port that is connected to the backup NAS (see step A-4d).
    5. Next to Gateway, specify the first three octets of the IP address for the source NAS adapter that is connected to the router (see step B-1d), followed by the last octet of the IP address for the router LAN port that is connected to the backup NAS (see step A-4c).
      Note
      In our example: 
      • Step B-1d provides the first three octets of the IP address (192.168.100).
      • Step A-4c provides the last octet of the IP address (1). 
      Join the two to obtain 192.168.100.1. Enter this address in the Gateway field.
      Also use this address in step D-1j.
    6. Next to Interface, select the source NAS adapter that is connected to the router (see step B-1c).
    7. Click Apply.
      Network & Virtual Switch adds the static route rule.

C. Configure the backup NAS

  1. On the backup NAS, enable the RTRR server.
    This allows HBS jobs on the source NAS to use the backup NAS as a backup destination.
    1. On the backup NAS, open HBS.
    2. Go to Services > Remote NAS (RTRR Server).
    3. Next to Status, click the toggle button to enable the RTRR server.
    4. Configure the RTRR server settings.
      For details, see Configuring the RTRR server.
      Note
      • Copy the port number specified on this page and enter it in step D-1f.
      • Remember the account access method and credentials configured here and use them in steps D-1g and D-1h.
    5. Click Apply.
      HBS enables the RTRR server with the configured settings.

D. Create an HBS job on the source NAS

  1. In HBS on the source NAS, create a storage space for the backup NAS.
    This allows you to save the connection settings of the backup NAS and enable an Airgap+ connection between the source NAS and the backup NAS.
    1. On the source NAS, open HBS.
    2. Go to Storage Spaces.
    3. Click Create, and then click Remote NAS.
      The Create a Storage Space window opens.
    4. Enter a name to identify the backup NAS.
    5. Enter the backup NAS IP address (see step A-3c).
    6. Enter the backup NAS RTRR server port number (see step C-1d).
    7. Select an account access method you configured in the RTRR server settings on the backup NAS (see step C-1d).
    8. Enter the credentials for the account access method (see step C-1d).
    9. Select Use Airgap+ to protect data on remote NAS.
    10. Select Router as the Airgap+ device.
    11. Enter the gateway IP address from the static route rule you created (see step B-2e).
    12. Enter the port number.
    13. Enter the router management account credentials.
    14. Click Create.
      HBS creates the storage space and adds it to the storage space list.
      You should see "Protected by Airgap+" at the top of the storage space entry.
  2. Create a backup job on the source NAS.
    1. In HBS, go to Backup & Restore.
    2. Click Backup Now and then click New backup job.
      Note
      If you have created a backup job before, click Create and then click New backup job.
      The Create a Backup Job wizard opens.
    3. Follow the steps in the wizard.
      For details, see Creating a backup job.
  3. After the backup job is created, verify that the Airgap+ link has been established on the router.
    1. In QuRouter, go to Network > Physical Interface Settings > LAN.
    2. Identify the LAN port that is connected to the backup NAS.
    3. Under Link Status, verify there is an Airgap+ tag for the LAN port.

You can now run the Airgap+ protected HBS backup job on the source NAS.

Advanced Airgap+

In the advanced Airgap+ setup, the source, backup, and bridge NAS devices are connected to the same router. While the source NAS is connected to a public network, it is also in a private network with the backup and bridge NAS devices through the router. 

In this private network, the router only allows the bridge NAS to access the source and backup NAS devices when the bridge NAS is running an HBS job. 

Because the bridge NAS runs all the HBS jobs, the source NAS can conserve and allocate more system resources for other important tasks and services.

How advanced Airgap+ works

Normally, only the bridge NAS has access to the router. The backup NAS is completely isolated.

When the bridge NAS runs an active sync job in HBS, the router allows the data you want to back up to be transferred from the source NAS through the router to the bridge NAS, while the backup NAS remains isolated.

After completing the active sync job, the bridge NAS then runs a backup job, and the router allows the backup data to be transferred from the bridge NAS through the router to the backup NAS, while the source NAS is blocked from accessing the private network.

Advanced Airgap+ Setup Instructions

To set up an advanced Airgap+ environment, you need to configure the Airgap+ router and all the NAS devices before you can create HBS jobs to start backing up your data.

Tip
Prepare a text editor or pen and paper. The following instructions require copying and entering information between different devices and applications.

A. Configure the router

  1. Connect the source, bridge, and backup NAS devices directly to the Airgap+ router to create a private network.
    Important

    We highly recommend configuring static IP addresses for the source and backup NAS devices. This ensures the Airgap+ settings on all devices remain valid over time.

    • To configure static IP addresses for the backup and source NAS network adapters that are connected to the router, see one of the following:
    • If you choose to use a DHCP server to assign IP addresses, make sure to reserve the backup and source NAS IP addresses on the router LAN ports that are connected to the NAS devices.
      For configuration details, see "Configuring local area network (LAN) interface settings" ("Reserved IP Table" setting) in the QuRouter for QHora Routers User Guide.
  2. Enable mutual TLS connection on the router.
    1. Log in to the router operating system, QuRouter.
    2. Go to System > Access Control > Access Control Settings.
    3. Enable Mutual TLS (mTLS).
  3. Obtain the IP addresses of your source and backup NAS devices in the private network.
    1. In QuRouter, go to Connected QNAP Devices.
    2. Identify the source and backup NAS devices.
    3. Copy the source NAS IP address.
      Note
      • The NAS may have more than one IP address listed. Copy the IP address that is in the same IP range as the router.
        In our example, the IP address is 192.168.100.100.
      • Use this IP address in steps B-2c and D-1e.
    4. Copy the backup NAS IP address.
      Note
      • The NAS may have more than one IP address listed. Copy the IP address that is in the same IP range as the router.
        In our example, the IP address is 192.168.102.100.
      • Use this IP address in steps B-3c and D-2e.
  4. Obtain the LAN port IP addresses on the Airgap+ router that are connected to the source and backup NAS devices.
    1. In QuRouter, go to Network > Physical Interface Settings > LAN.
    2. Identify the LAN ports on the router that are connected to the source and backup NAS devices.
    3. Under IP Address, copy the IP address for the LAN port connected to the source NAS.
      Note
      Use the last octet of the IP address in step B-2e.
      In our example, the last octet of the IP address 192.168.100.1 is 1.
    4. Copy the subnet mask for the LAN port connected to the source NAS.
      Note
      Specify the subnet mask in step B-2d.
      In our example, the subnet mask is /24.
    5. Copy the IP address for the LAN port connected to the backup NAS.
      Note
      Use the last octet of the IP address in step B-3e.
      In our example, the last octet of the IP address 192.168.102.1 is 1.
    6. Copy the subnet mask for the LAN port connected to the backup NAS.
      Note
      Specify the subnet mask in step B-3d.
      In our example, the subnet mask is /24.

B. Configure the bridge NAS

  1. Identify the bridge NAS adapter that is connected to the Airgap+ router.
    1. On the bridge NAS, open Network & Virtual Switch.
    2. Go to Network > Interfaces.
    3. Identify the adapter that is connected to the Airgap+ router.
      Note
      Use this adapter in steps B-2f and B-3f.
      In our example, adapter 5 is connected to the Airgap+ router.

    4. Copy the IP address of the adapter.
      Note
      Use the first three octets of the IP address in steps B-2e and B-3e.
      In our example, the first three octets of the IP address 192.168.104.100 are 192.168.104.
  2. Create a static route rule on the bridge NAS for connecting to the source NAS.
    1. On the bridge NAS, go to Network & Virtual Switch > Network > Route.
    2. Under Static Route, click Add.
      The Static Route (IPv4) window opens.
    3. Next to Destination, specify the IP address of the source NAS (see step A-3c).
    4. Next to Netmask, specify the subnet mask of the router LAN port that is connected to the source NAS (see step A-4d).
    5. Next to Gateway, specify the first three octets of the IP address for the bridge NAS adapter that is connected to the router (see step B-1d), followed by the last octet of the IP address for the router LAN port that is connected to the source NAS (see step A-4c).
      Note
      In our example:
      • Step B-1d provides the first three octets of the IP address (192.168.104).
      • Step A-4c provides the last octet of the IP address (1).

      Join the two to obtain 192.168.104.1. Enter this address in the Gateway field.
      Also use this address in step D-1j.

    6. Next to Interface, select the bridge NAS adapter that is connected to the router (see step B-1c).
    7. Click Apply.
      Network & Virtual Switch adds the static route rule.
  3. Create a static route rule on the bridge NAS for connecting to the backup NAS. 
    1. On the bridge NAS, remain in Network & Virtual Switch > Network > Route.
    2. Under Static Route, click Add.
      The Static Route (IPv4) window opens.
    3. Next to Destination, specify the IP address of the backup NAS (see step A-3d).
    4. Next to Netmask, specify the subnet mask of the router LAN port that is connected to the backup NAS (see step A-4f).
    5. Next to Gateway, specify the first three octets of the IP address for the bridge NAS adapter that is connected to the router (see step B-1d), followed by the last octet of the IP address for the router LAN port that is connected to the backup NAS (see step A-4e).
      Note
      In our example:
      • Step B-1d provides the first three octets of the IP address (192.168.104).
      • Step A-4e provides the last octet of the IP address (1).

      Join the two to obtain 192.168.104.1. Enter this address in the Gateway field.
      Also use this address in step D-2j.

    6. Next to Interface, select the bridge NAS adapter that is connected to the router (see step B-1c).
    7. Click Apply.
      Network & Virtual Switch adds the static route rule.

C. Configure the source and backup NAS devices

  1. Enable the RTRR server on the source NAS.
    This allows HBS jobs on the bridge NAS to use the source NAS as a sync source.
    1. On the source NAS, open HBS.
    2. Go to Services > Remote NAS (RTRR Server).
    3. Next to Status, click the toggle button to enable the RTRR server.
    4. Configure the RTRR server settings.
      For details, see Configuring the RTRR server.
      Note
      • Copy the port number specified on this page and enter it in step D-1f.
      • Remember the account access method and credentials configured here and use them in steps D-1g and D-1h.
    5. Click Apply.
      HBS enables the RTRR server on the source NAS.
  2. Enable the RTRR server on the backup NAS.
    This allows HBS jobs on the bridge NAS to use the backup NAS as a backup destination.
    1. On the backup NAS, open HBS.
    2. Go to Services > Remote NAS (RTRR Server).
    3. Next to Status, click the toggle button to enable the RTRR server.
    4. Configure the RTRR server settings.
      For details, see Configuring the RTRR server.
      Note
      • Copy the port number specified on this page and enter it in step D-2f.
      • Remember the account access method and credentials configured here and use them in steps D-2g and D-2h.
    5. Click Apply.
      HBS enables the RTRR server on the backup NAS.

D. Create HBS jobs on the bridge NAS

  1. In HBS on the bridge NAS, create a storage space for the source NAS.
    This allows you to save the connection settings of the source NAS and enable an Airgap+ connection between the source NAS and the bridge NAS.
    1. On the bridge NAS, open HBS.
    2. Go to Storage Spaces.
    3. Click Create, and then click Remote NAS.
      The Create a Storage Space window opens.
    4. Enter a name to identify the source NAS.
    5. Enter the source NAS IP address (see step A-3c).
    6. Enter the source NAS RTRR server port number (see step C-1d).
    7. Select an account access method you configured in the RTRR server settings on the source NAS (see step C-1d).
    8. Enter the credentials for the account access method (see step C-1d).
    9. Select Use Airgap+ to protect data on remote NAS.
    10. Select Router as the Airgap+ device.
    11. Enter the gateway IP address from the static route rule on the bridge NAS for connecting to the source NAS (see step B-2e).
    12. Enter the port number.
    13. Enter the router management account credentials.
    14. Click Create.
      HBS creates the storage space and adds it to the storage space list.
  2. In HBS on the bridge NAS, create a storage space for the backup NAS.
    This allows you to save the connection settings of the backup NAS and enable an Airgap+ connection between the bridge NAS and the backup NAS.
    1. On the bridge NAS, stay in HBS.
    2. Go to Storage Spaces.
    3. Click Create, and then click Remote NAS.
      The Create a Storage Space window opens.
    4. Enter a name to identify the backup NAS.
    5. Enter the backup NAS IP address (see step A-3d).
    6. Enter the backup NAS RTRR server port number (see step C-2d).
    7. Select an account access method you configured in the RTRR server settings on the backup NAS (see step C-2d).
    8. Enter the credentials for the account access method (see step C-2d).
    9. Select Use Airgap+ to protect data on remote NAS.
    10. Enter the gateway IP address from the static route rule on the bridge NAS for connecting to the backup NAS (see step B-3e).
    11. Enter the router management account credentials.
    12. Click Create.
      HBS creates the storage space and adds it to the storage space list.
      After both storage spaces are created, you should see "Protected by Airgap+" at the top of the storage space entries in HBS > Storage Spaces.
  3. Create an active sync job on the bridge NAS to transfer backup data from the source NAS to the bridge NAS.
    1. On the bridge NAS, go to HBS > Sync.
    2. Click Sync Now and then click Active Sync Job.
      Note
      If you have created a sync job before, click Create and then click Active Sync Job.
      The Create a Sync Job wizard opens.
    3. Follow the steps in the wizard.
      For details, see Creating an active sync job.
  4. Create a backup job on the bridge NAS to transfer the backup data to the backup NAS.
    1. On the bridge NAS, go to HBS > Backup & Restore.
    2. Click Backup Now and then click New backup job.
      Note
      If you have created a backup job before, click Create and then click New backup job.
      The Create a Backup Job wizard opens.
    3. Follow the wizard to select the source and destination folders.
      Important
      Make sure the source folder in this backup job is the same as the destination folder in the active sync job you just created.
    4. On the Schedule page, select Run after job, and then select the active sync job you just created.
      This allows the backup job to automatically run every time the active sync job finishes, completing the backup data transfer to your backup NAS.
    5. Follow the remaining steps in the wizard.
      For details, see Creating a backup job.
  5. After the active sync job and backup job are created, verify that the Airgap+ links have been established on the router.
    1. On the router, go to QuRouter > Network > Physical Interface Settings > LAN.
    2. Identify the LAN ports that are connected to the source and backup NAS devices.
    3. Under Link Status, verify there are Airgap+ tags for the LAN ports.

You can now run the HBS active sync job on the bridge NAS to transfer the data you want to back up.
After the active sync job finishes transferring the backup data from the source NAS to the bridge NAS, the backup job will automatically run and transfer the backup data from the bridge NAS to its final destination, the backup NAS. The entire process is now protected by Airgap+.

Setting Up Airgap+ with a Switch-Based Network

Standard Airgap+

In a switch-based Airgap+ setup, both the source NAS and the backup NAS connect to the same isolated switch. The source NAS also maintains a connection to the public network, but the backup NAS stays inside the private network created through the switch.

Within this isolated network segment, the switch permits communication from the source NAS to the backup NAS only during an active HBS backup task, preventing any other access outside of the scheduled job.

How standard Airgap+ works

Under normal conditions, only the source NAS has network access beyond the switch. The backup NAS remains fully isolated within the private network segment.

When the source NAS starts an HBS backup task, the switch temporarily enables traffic between the two NAS devices, allowing data to flow from the source NAS to the backup NAS for the duration of the job.

Standard Airgap+ Setup Instructions

To configure a standard Airgap+ environment using a switch, you must set up the Airgap+ switch and both NAS devices before creating HBS backup jobs.

Note
Prepare a text editor or pen and paper. The following instructions require copying and entering information between different devices and applications.

A. Configure the switch

  1. Connect the source NAS and the backup NAS directly to the Airgap+ switch to create a private network.
    Important

    It is recommended to configure a static IP address for the backup NAS to ensure that the Airgap+ settings on all devices remain valid over time.

    To configure a static IP address for the backup NAS network adapter that is connected to the switch, see one of the following:

  2. Obtain the IP address of your backup NAS in the private network.
    1. Open Qfinder Pro.
    2. Identify the backup NAS device.
    3. Copy the backup NAS IP address.
      Note
      • The NAS may have more than one IP address listed. Copy the IP address that is in the same IP range as the switch.
        In our example, the IP address is 192.168.102.100.
      • Use this IP address in steps B-2c and D-1e.
  3. Obtain the LAN port IP address on the Airgap+ switch that is connected to the backup NAS.
    1. Log in to QSS or QSS Pro.
    2. Go to System > IP Configuration > IPv4 Interface Settings.
    3. Under IP Address, identify the IPv4 address of the network adapter that is connected to the NAS.
    4. Copy the switch LAN port IP address.
      Note
      Use the last octet of this IP address in step B-2e. If the IP address is 192.168.102.1, the last octet of the IP address is 1.
    5. Under Subnet Mask, copy the subnet mask.
      Note
      Specify this subnet mask in step B-2d. In our example, the subnet mask is /24.

B. Configure the source NAS

  1. Identify the source NAS adapter that is connected to the Airgap+ switch.
    1. On the source NAS, open Network & Virtual Switch.
    2. Go to Network > Interfaces.
    3. Identify the adapter that is connected to the Airgap+ switch.
      Note
      Use this adapter in step B-2f.
      In our example, adapter 2 is connected to the Airgap+ switch.

    4. Copy the IP address of the adapter.
      Note
      Use the first three octets in the IP address in step B-2e.
      In our example, the first three octets of the IP address 192.168.100.100 are 192.168.100.
  2. Create a static route rule on the source NAS for connecting to the backup NAS.
    1. In Network & Virtual Switch, go to Network > Route
    2. Under Static Route, click Add.
      The Static Route (IPv4) window opens.
    3. Next to Destination, specify the IP address of the backup NAS (see step A-2c).
    4. Next to Netmask, specify the subnet mask for the switch LAN port that is connected to the backup NAS (see step A-3e).
    5. Next to Gateway, specify the first three octets of the IP address for the source NAS adapter that is connected to the switch (see step B-1d), followed by the last octet of the IP address for the switch LAN port that is connected to the backup NAS (see step A-3e).
      Note
      In our example: 
      • Step B-1d provides the first three octets of the IP address (192.168.100).
      • Step A-3c provides the last octet of the IP address (1). 
      Join the two to obtain 192.168.100.1. Enter this address in the Gateway field.
      Also use this address in step D-1j.
    6. Next to Interface, select the source NAS adapter that is connected to the switch (see step B-1d).
    7. Click Apply.
      Network & Virtual Switch adds the static route rule.

C. Configure the backup NAS

  1. On the backup NAS, enable the RTRR server.
    This allows HBS jobs on the source NAS to use the backup NAS as a backup destination.
    1. On the backup NAS, open HBS.
    2. Go to Services > Remote NAS (RTRR Server).
    3. Next to Status, click the toggle button to enable the RTRR server.
    4. Configure the RTRR server settings.
      For details, see Configuring the RTRR server.
      Note
      • Copy the port number specified on this page and enter it in step D-1f.
      • Remember the account access method and credentials configured here and use them in steps D-1g and D-1h.
    5. Click Apply.
      HBS enables the RTRR server with the configured settings.

D. Create an HBS job on the source NAS

  1. In HBS on the source NAS, create a storage space for the backup NAS.
    This allows you to save the connection settings of the backup NAS and enable an Airgap+ connection between the source NAS and the backup NAS.
    1. On the source NAS, open HBS.
    2. Go to Storage Spaces.
    3. Click Create, and then click Remote NAS.
      The Create a Storage Space window opens.
    4. Enter a name to identify the backup NAS.
    5. Enter the backup NAS IP address (see step A-2c).
    6. Enter the backup NAS RTRR server port number (see step C-1d).
    7. Select an account access method you configured in the RTRR server settings on the backup NAS (see step C-1d).
    8. Enter the credentials for the account access method (see step C-1d).
    9. Select Use Airgap+ to protect data on remote NAS.
    10. Select Switch as the Airgap+ device.
    11. Enter the gateway IP address from the static route rule you created (see step B-2e).
    12. Enter the port number.
    13. Enter the switch management account credentials.
    14. Click Create.
      HBS creates the storage space and adds it to the storage space list.
      You should see "Protected by Airgap+" at the top of the storage space entry.
  2. Create a backup job on the source NAS.
    1. In HBS, go to Backup & Restore.
    2. Click Backup Now and then click New backup job.
      Note
      If you have created a backup job before, click Create and then click New backup job.
      The Create a Backup Job wizard opens.
    3. Follow the steps in the wizard.
      For details, see Creating a backup job.
  3. After the backup job is created, verify that the Airgap+ link has been established on the switch.
    1. Log in to QSS or QSS Pro.
    2. Go to System > Port Management > Airgap+.
    3. Under Action, click .
      The Paired QNAP Device Details window appears.
    4. Next to Link Status, verify that the status is Up.

You can now run the Airgap+ protected HBS backup job on the source NAS.

Advanced Airgap+

In a switch-based advanced Airgap+ configuration, the source NAS, backup NAS, and bridge NAS all connect to the same isolated switch. The source NAS remains connected to the public network, while the bridge and backup NAS devices stay within the private network through the switch.

Within this secure segment, only the bridge NAS is allowed to communicate with both the source NAS and backup NAS, and only when it is actively running HBS tasks. Since all backup and synchronization workloads are handled by the bridge NAS, the source NAS can conserve resources for other essential operations and services.

How Advanced Airgap+ Works

Under normal circumstances, only the bridge NAS has any allowed communication on the private network segment. The backup NAS remains fully isolated.

When the bridge NAS initiates an Active Sync job in HBS, the switch temporarily permits data transfer from the source NAS to the bridge NAS. During this time, the backup NAS remains isolated.

After the sync job finishes, the bridge NAS runs a Backup job. The switch then allows data to flow from the bridge NAS to the backup NAS, while blocking the source NAS from accessing the private network.

Advanced Airgap+ Setup Instructions

To deploy an advanced Airgap+ environment using a switch, you must configure the Airgap+ switch and all NAS devices (source, bridge, and backup) before creating HBS jobs. Once the network and device settings are complete, you can begin building the synchronized and backup workflows in HBS.

A. Configure the switch

  1. Connect the source, bridge, and backup NAS devices directly to the Airgap+ switch to create a private network.
    Important

    It is recommended to configure a static IP address for the backup NAS to ensure that the Airgap+ settings on all devices remain valid over time.

    To configure a static IP address for the backup NAS network adapter that is connected to the switch, see one of the following:

  2. Obtain the IP address of your backup and source NAS in the private network.
    1. Open Qfinder Pro.
    2. Identify the source NAS device.
    3. Copy the source NAS IP address.
      Note
      • The NAS may have more than one IP address listed. Copy the IP address that is in the same IP range as the switch.
        In our example, the IP address is 192.168.100.100.
      • Use this IP address in step B-2c and D-1e.
    4. Identify and copy the backup NAS IP address.
      Note
      • The NAS may have more than one IP address listed. Copy the IP address that is in the same IP range as the switch.
        In our example, the IP address is 192.168.102.100.
      • Use this IP address in step B-3c and D-2e.
  3. Obtain the LAN port IP addresses and subnet masks on the Airgap+ switch for ports connected to the source and backup NAS devices.
    1. In QSS, go to System >IP Configuration > IPv4 Interface Settings
    2. Identify the IPv4 interface addresses that's connected to the NAS.
    3. Under IP Address, copy the IPv4 address for the LAN port connected to the source NAS.
      Note
      Use the last octet of the IP address in step B-2e. In our example, the last octet of the IP address 192.168.100.1 is 1.
    4. Copy the subnet mask for the LAN port connected to the source NAS.
      Note
      Specify the subnet mask in step B-2d.
      In our example, the subnet mask is /24.
    5. Copy the IP address for the LAN port connected to the backup NAS.
      Note
      Use the last octet of the IP address in step B-3e.
      In our example, the last octet of the IP address 192.168.102.1 is 1.
    6. Copy the subnet mask for the LAN port connected to the backup NAS.
      Note
      Specify the subnet mask in step B-3d.
      In our example, the subnet mask is /24.

B. Configure the bridge NAS

  1. Identify the bridge NAS adapter that is connected to the Airgap+ switch.
    1. On the bridge NAS, open Network & Virtual Switch.
    2. Go to Network > Interfaces.
    3. Identify the adapter that is connected to the Airgap+ switch.
      Note
      Use this adapter in steps B-2f and B-3f.
      In our example, adapter 5 is connected to the Airgap+ switch.

    4. Copy the IP address of the adapter.
      Note
      Use the first three octets of the IP address in steps B-2e and B-3e.
      In our example, the first three octets of the IP address 192.168.104.100 are 192.168.104.
  2. Create a static route rule on the bridge NAS for connecting to the source NAS.
    1. On the bridge NAS, go to Network & Virtual Switch > Network > Route.
    2. Under Static Route, click Add.
      The Static Route (IPv4) window opens.
    3. Next to Destination, specify the IP address of the source NAS (see step A-2c).
    4. Next to Netmask, specify the subnet mask of the switch LAN port that is connected to the source NAS (see step A-3d).
    5. Next to Gateway, specify the first three octets of the IP address for the bridge NAS adapter that is connected to the switch (see step B-1d), followed by the last octet of the IP address for the switch LAN port that is connected to the source NAS (see step A-3c).
      Note
      In our example:
      • Step B-1d provides the first three octets of the IP address (192.168.104).
      • Step A-3c provides the IP address of the switch LAN port connected to the source NAS. Use the last octet from this address (1).

      Join the two to obtain 192.168.104.1. Enter this address in the Gateway field.
      Also use this address in step D-1j.

    6. Next to Interface, select the bridge NAS adapter that is connected to the switch (see step B-1c).
    7. Click Apply.
      Network & Virtual Switch adds the static route rule.
  3. Create a static route rule on the bridge NAS for connecting to the backup NAS. 
    1. On the bridge NAS, remain in Network & Virtual Switch > Network > Route.
    2. Under Static Route, click Add.
      The Static Route (IPv4) window opens.
    3. Next to Destination, specify the IP address of the backup NAS (see step A-2d).
    4. Next to Netmask, specify the subnet mask of the switch LAN port that is connected to the backup NAS (see step A-3f).
    5. Next to Gateway, specify the first three octets of the IP address for the bridge NAS adapter that is connected to the switch (see step B-1d), followed by the last octet of the IP address for the switch LAN port that is connected to the backup NAS (see step A-3e).
      Note
      In our example:
      • Step B-1d provides the first three octets of the IP address (192.168.104).
      • For this route, use the last octet (1) of the IP address of the switch LAN port connected to the backup NAS (see step A-3e).

      Join the two to obtain 192.168.104.1. Enter this address in the Gateway field.
      Also use this address in step D-2j.

    6. Next to Interface, select the bridge NAS adapter that is connected to the switch (see step B-1c).
    7. Click Apply.
      Network & Virtual Switch adds the static route rule.

C. Configure the source and backup NAS devices

  1. Enable the RTRR server on the source NAS.
    This allows HBS jobs on the bridge NAS to use the source NAS as a sync source.
    1. On the source NAS, open HBS.
    2. Go to Services > Remote NAS (RTRR Server).
    3. Next to Status, click the toggle button to enable the RTRR server.
    4. Configure the RTRR server settings.
      For details, see Configuring the RTRR server.
      Note
      • Copy the port number specified on this page and enter it in step D-1f.
      • Remember the account access method and credentials configured here and use them in steps D-1g and D-1h.
    5. Click Apply.
      HBS enables the RTRR server on the source NAS.
  2. Enable the RTRR server on the backup NAS.
    This allows HBS jobs on the bridge NAS to use the backup NAS as a backup destination.
    1. On the backup NAS, open HBS.
    2. Go to Services > Remote NAS (RTRR Server).
    3. Next to Status, click the toggle button to enable the RTRR server.
    4. Configure the RTRR server settings.
      For details, see Configuring the RTRR server.
      Note
      • Copy the port number specified on this page and enter it in step D-2f.
      • Remember the account access method and credentials configured here and use them in steps D-2g and D-2h.
    5. Click Apply.
      HBS enables the RTRR server on the backup NAS.

D. Create HBS jobs on the bridge NAS

  1. In HBS on the bridge NAS, create a storage space for the source NAS.
    This allows you to save the connection settings of the source NAS and enable an Airgap+ connection between the source NAS and the bridge NAS.
    1. On the bridge NAS, open HBS.
    2. Go to Storage Spaces.
    3. Click Create, and then click Remote NAS.
      The Create a Storage Space window opens.
    4. Enter a name to identify the source NAS.
    5. Enter the source NAS IP address (see step A-2c).
    6. Enter the source NAS RTRR server port number (see step C-1d).
    7. Select an account access method you configured in the RTRR server settings on the source NAS (see step C-1d).
    8. Enter the credentials for the account access method (see step C-1d).
    9. Select Use Airgap+ to protect data on remote NAS.
    10. Select Switch as the Airgap+ device.
    11. Enter the gateway IP address from the static route rule on the bridge NAS for connecting to the source NAS (see step B-2e).
    12. Enter the port number.
    13. Enter the switch management account credentials.
    14. Click Create.
      HBS creates the storage space and adds it to the storage space list.
  2. In HBS on the bridge NAS, create a storage space for the backup NAS.
    This allows you to save the connection settings of the backup NAS and enable an Airgap+ connection between the bridge NAS and the backup NAS.
    1. On the bridge NAS, stay in HBS.
    2. Go to Storage Spaces.
    3. Click Create, and then click Remote NAS.
      The Create a Storage Space window opens.
    4. Enter a name to identify the backup NAS.
    5. Enter the backup NAS IP address (see step A-2d).
    6. Enter the backup NAS RTRR server port number (see step C-2d).
    7. Select an account access method you configured in the RTRR server settings on the backup NAS (see step C-2d).
    8. Enter the credentials for the account access method (see step C-2d).
    9. Select Use Airgap+ to protect data on remote NAS.
    10. Enter the gateway IP address from the static route rule on the bridge NAS for connecting to the backup NAS (see step B-3e).
    11. Enter the switch management account credentials.
    12. Click Create.
      HBS creates the storage space and adds it to the storage space list.
      After both storage spaces are created, you should see "Protected by Airgap+" at the top of the storage space entries in HBS > Storage Spaces.
  3. Create an active sync job on the bridge NAS to transfer backup data from the source NAS to the bridge NAS.
    1. On the bridge NAS, go to HBS > Sync.
    2. Click Sync Now and then click Active Sync Job.
      Note
      If you have created a sync job before, click Create and then click Active Sync Job.
      The Create a Sync Job wizard opens.
    3. Follow the steps in the wizard.
      For details, see Creating an active sync job.
  4. Create a backup job on the bridge NAS to transfer the backup data to the backup NAS.
    1. On the bridge NAS, go to HBS > Backup & Restore.
    2. Click Backup Now and then click New backup job.
      Note
      If you have created a backup job before, click Create and then click New backup job.
      The Create a Backup Job wizard opens.
    3. Follow the wizard to select the source and destination folders.
      Important
      Make sure the source folder in this backup job is the same as the destination folder in the active sync job you just created.
    4. On the Schedule page, select Run after job, and then select the active sync job you just created.
      This allows the backup job to automatically run every time the active sync job finishes, completing the backup data transfer to your backup NAS.
    5. Follow the remaining steps in the wizard.
      For details, see Creating a backup job.
  5. After the active sync job and backup job are created, verify that the Airgap+ links have been established on the switch.
    1. Log in to QSS or QSS Pro.
    2. Go to System > Port Management > Airgap+.
    3. Under Action, click .
      The Paired QNAP Device Details window appears.
    4. Next to Link Status, verify that the status is Up.
    5. You can now run the HBS active sync job on the bridge NAS to transfer the data you want to back up.
      After the active sync job finishes transferring the backup data from the source NAS to the bridge NAS, the backup job will automatically run and transfer the backup data from the bridge NAS to its final destination, the backup NAS. The entire process is now protected by Airgap+.

Further Reading

Was this article helpful?

Yes. No.
75% of people think it helps.
Thank you for your feedback.

Please tell us how this article can be improved:

If you want to provide additional feedback, please include it below.

Teknik Özellik sSçin

      Daha fazla göster Daha az

      Diğer ülkelerde/bölgelerde bu site:

      open menu
      back to top