Stuck trying to setup NAS remote file access

She loved E

Weaksauce
Joined
Dec 30, 2012
Messages
67
Just got my DS1618+ going. Local setup was a breeze, but I am completely stuck getting remote access to work. Honestly I never thought it would be this complicated.

Fair warning I am bad at this stuff and have no networking experience so please use small words and dumb everything down til even your three-year-old rolls his eyes.

  • DSM access is set. I can remote-in from anywhere.
  • SSL cert is done with Let's Encrypt on synology.me subdomain.
  • DDNS is set up and showing as 'normal' from DSM
  • I can get to my files on the DS File mobile app
  • QuickConnect is set up

Now I would like to map network drives to my two storage directories on a remote Win10 computer. This was easy on the local network. Why is it so hard to do remote? I have tried and so far have failed...
Because I can't connect with any of the above methods I'm starting to suspect I'm either inputting my credentials wrong or my port forwarding isn't set properly. I know another method would be VPN, but that's a can of worms I'd rather not open until I've exhausted all the above options.

Appreciate any help anyone can provide!
 

IdiotInCharge

NVIDIA SHILL
Joined
Jun 13, 2003
Messages
14,712
Honestly - VPN is the easiest and most secure way to do this. You should look into and learn how to do it. It's actually pretty easy. What kind of firewall/router do you have?

This, because 'port forwarding' literally means punching holes in your firewall for internet traffic to flow through, and hoping that said traffic is all between your remote computer and your local network.

In this case, a 'VPN' means setting it up on your router. This connects your remote computer to your local network and gives it a local address- once set up, your NAS will be accessible the same as it is locally.
 

IdiotInCharge

NVIDIA SHILL
Joined
Jun 13, 2003
Messages
14,712
So, we need to direct your attention to a different part of your network:

Your router.

Port forwarding, and VPN end-points, are done at the 'edge' of your network which is controlled by your router (and its firewall).

If you forward a port on your router to your Synology, accessing your network remotely on that port will let you- and anyone- access the login page of your Synology. The 'anyone' part is why this isn't a great idea; it works, but it's also an attack vector for malicious actors.

Note that doing any of this on your Synology will only affect the Synology itself, and only on your local network. Your router (and its firewall) are preventing remote access by default, and that's a very good thing.


To be of any more assistance, we'll need to know about your router. To a 'network person', these things all largely work the same way, but if you're not familiar with how they should work, setting up a VPN might be a bit of a challenge.



[a note on VPNs: a 'VPN end-point' is a port on your router- not on the Synology- that you can access with software on your remote system to initiate a highly encrypted network session; once initiated, your remote system will appear to be 'on' your local network, and will be able to access all network resources as if it were on your wifi at home]
 

She loved E

Weaksauce
Joined
Dec 30, 2012
Messages
67
Thank you, this is all starting to make sense.

To set up my home network I used this thread for guidance: https://hardforum.com/threads/guide-what-router-should-i-get.1965547/ . More specifically, this tutorial:

So I believe my EdgeRouter is functioning as the router while the ISP router is in bridge mode. I'm not 100% sure on that since it's been a while since I set it up. It sounds like this is something I need to sort out in order to get this working. I'll try to track down more info on that tonight when the hardware is in front of me and I can check settings for both devices.
 

IdiotInCharge

NVIDIA SHILL
Joined
Jun 13, 2003
Messages
14,712
There are guides to setting up an OpenVPN end-point on an Edgerouter- I've done it successfully myself in the past. It did involve terminal work, to include using SCP to move keys around.
 

Cmustang87

Supreme [H]ardness
Joined
Oct 4, 2007
Messages
4,497
Here's the Ubiquiti document on installing OpenVPN server and configuring your OpenVPN client: https://help.ubnt.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server

Basically, what happens on a VPN is your device will establish a session on your router's WAN interface. The router will respond and require authentication to the endpoint. You will authenticate with a certificate and a username/password (this is effectively 2FA, and the most secure way to do it). Once you are authenticated you will be placed into a "VPN Subnet" which may or may not be part of the LAN depending on how you configure it. If you want to learn more about routing and network segmentation, I always suggest putting your VPN users on another network so it's easier to track them. Now, you are on your home network and can communicate freely as if you were actually at home using a private IP address on your network.

Keep in mind that port forwarding is not needed at all with this configuration, and as IdiotInCharge pointed out, is a much better solution from a security perspective. The only time port forwards are required for VPN access like this is if your VPN server is downstream from your perimeter NAT device (such as having a server terminating the VPN connections downstream from your firewall. You'd need to port forward the initial traffic to establish an auth session and all VPN traffic thereafter). Without a good firewall however, this isn't recommended because you're going to want to inspect this traffic as it's coming in.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
Never enable port forwarding...... You're directly exposing that device to the internet, with no way to filter the traffic. This exposes you to ALL kinds of shit if the device has hardcoded credentials, buggy firmware or crappy authentication. There are plenty of examples of why this is a bad idea, since most of these IOT manufacturers focus VERY little on security.

Unless you really know what you are doing, and how to appropriately lock it down, Port Forwarding is ALWAYS a bad idea. You should always use a VPN to tunnel into your network any time you need to access internal devices.
 

God whale

n00b
Joined
Mar 18, 2019
Messages
50
.... lol whut?
port forwarding is great. You just have to understand what you're doing. Never port forward is what like dense security people would say.
The internet works by ip and port. Every single application tries to connect to a specific port (unless they're multicast but that's another story). The only thing is that you have to have something listening on a port. So all you're doing is tunneling a specific port from the outside to a specific computer on the inside.
Is it a security risk? It all depends on the application you have listening. Setting up a web server like apache on a non standard port and using port forwarding to be able to reach that isn't a security risk by itself if the web server is set up correctly. Same could be said for databases/remote desktop/etc. as long as proper security is used. Sure there's exploits to lots of services out there and the more you expose the greater risk there will be, but I'm sure there are also router exploits out there as well so it's not as if you can ever be completely safe.

It's much safer to use port forwarding to get access to internal network services than to set up a computer as a dmz :p
 

IdiotInCharge

NVIDIA SHILL
Joined
Jun 13, 2003
Messages
14,712
Is it a security risk?

It's a security risk because you're relying on a system that isn't a firewall to work as an edge device.

Among many other reasons.

But perhaps the most important: you didn't heed the part where the OP is not a network security expert. You're going to recommend that they open up a port to the internet?

Are you hoping to hack the OP?
 

Cmustang87

Supreme [H]ardness
Joined
Oct 4, 2007
Messages
4,497
.... lol whut?
port forwarding is great. You just have to understand what you're doing. Never port forward is what like dense security people would say.
The internet works by ip and port. Every single application tries to connect to a specific port (unless they're multicast but that's another story). The only thing is that you have to have something listening on a port. So all you're doing is tunneling a specific port from the outside to a specific computer on the inside.
Is it a security risk? It all depends on the application you have listening. Setting up a web server like apache on a non standard port and using port forwarding to be able to reach that isn't a security risk by itself if the web server is set up correctly. Same could be said for databases/remote desktop/etc. as long as proper security is used. Sure there's exploits to lots of services out there and the more you expose the greater risk there will be, but I'm sure there are also router exploits out there as well so it's not as if you can ever be completely safe.

It's much safer to use port forwarding to get access to internal network services than to set up a computer as a dmz :p

There is so much misinformation here it is absolutely staggering.
 

She loved E

Weaksauce
Joined
Dec 30, 2012
Messages
67
Ha thanks guys, message received.

I'm changing plans a bit and will set this up at the office before configuring so that I only have to get the networking part dialled in once. Once I have a game plan I'll share it so that you all can give me notes before I try again. Appreciate the feedback so far!
 

God whale

n00b
Joined
Mar 18, 2019
Messages
50
It's a security risk because you're relying on a system that isn't a firewall to work as an edge device.

Among many other reasons.

But perhaps the most important: you didn't heed the part where the OP is not a network security expert. You're going to recommend that they open up a port to the internet?

Are you hoping to hack the OP?
Sure. If it's a protocol that Synology uses to share disk information that's already secured by a user and password with a captive-portal-like instance, why not?

trying to hack the op? that's a stupid question. Even gaming consoles needed port forwards so that you could run online games because they typically used a shared hosting topology.

You don't need to be a network security expert, you just need to know what you're doing. There are probably tens of thousands of NASes that expose their services on the internet and somehow everyone that does that is at risk from a port scanner and hacking of said services?

For someone like you, might as well air gap your router. Can't be too sure after all.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
Sure. If it's a protocol that Synology uses to share disk information that's already secured by a user and password with a captive-portal-like instance, why not?

trying to hack the op? that's a stupid question. Even gaming consoles needed port forwards so that you could run online games because they typically used a shared hosting topology.

You don't need to be a network security expert, you just need to know what you're doing. There are probably tens of thousands of NASes that expose their services on the internet and somehow everyone that does that is at risk from a port scanner and hacking of said services?

For someone like you, might as well air gap your router. Can't be too sure after all.



No you do not port forward on a gaming console..... You only forward ports for inbound connections, which is not required for anything other than people hosting their own game server or something. Outbound connections are allowed by default unless you have some severely restrictive firewall rules.

Opening a port is literally poking a hole in your firewall, and then you're fully relying on the security of the exposed device. And most of these companies focus very little on security until a vulnerability comes out due to their shitty firmware, or some unchangeable hard-coded admin account. So now you have an insecure device directly exposed to the web, which will be found by bots doing port scans and now you're on the IOT search list of vulnerable devices that anyone can exploit....... Yes, you can directly expose something like apache or nginx to the internet, but that is still very bad practice and not acceptable in more enterprise environments, especially without proper planning/setup of a DMZ. All inbound traffic should go through an edge device, preferably with some kind of IDS/IPS application. Home users with no network experience should NEVER port forward as they don't understand the risk.


And yes, those thousands of users exposing their NAS to the internet are at risk. Feel free to browse around here, which is basically google for vulnerable internet-exposed IOT devices....
https://www.shodan.io/
 

daglesj

Supreme [H]ardness
Joined
May 7, 2005
Messages
5,306
First thing I do when I setup a NAS is switch off or uninstall every internet/connection/remote service and app that isn't anti-virus and basic file sharing. So much junk on those things nowadays.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
First thing I do when I setup a NAS is switch off or uninstall every internet/connection/remote service and app that isn't anti-virus and basic file sharing. So much junk on those things nowadays.

Set it to a static IP, then add a firewall rule at the top of the list that blocks any request from that IP to the internet. It may still be trying to call home, even if you think you deleted everything.
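What that advice looks like on the OP's EdgeRouter, as an added example that is not from any poster in this thread. It assumes constructed values: LAN 192.168.1.0/24 on eth1 with a DHCP server named LAN, WAN on eth0, the NAS's MAC 00:11:22:33:44:55, and the NAS pinned to 192.168.1.50.

```edgeos
# Added example (EdgeOS CLI), not from this thread. Constructed values:
# NAS MAC 00:11:22:33:44:55, LAN 192.168.1.0/24 (DHCP server "LAN"),
# WAN on eth0, NAS pinned to 192.168.1.50.
configure

# 1. Fixed address via a DHCP static mapping, so the firewall rule below
#    keeps matching after a reboot or a lease renewal.
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping nas ip-address 192.168.1.50
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping nas mac-address 00:11:22:33:44:55

# 2. Egress ruleset for the WAN port. Rules run in numeric order, so rule 10
#    is "at the top of the list"; every other host still gets out.
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 10 action drop
set firewall name WAN_OUT rule 10 description 'NAS must not reach the internet'
set firewall name WAN_OUT rule 10 source address 192.168.1.50
set firewall name WAN_OUT rule 10 log enable

# 3. Attach it in the "out" direction on the WAN interface. Forwarded traffic
#    is filtered before source NAT, so the private address still matches here.
set interfaces ethernet eth0 firewall out name WAN_OUT

commit
save
exit

# Check: the rule's packet counter should climb whenever the NAS tries to
# call home, while LAN clients and VPN users still reach it normally.
show firewall name WAN_OUT statistics
```

This also blocks the NAS's own update checks, NTP and external DNS, so point it at the router for DNS and time, or add a higher-numbered accept rule for the specific destinations you want to allow. Inbound access stays closed: the WAN_IN and WAN_LOCAL rulesets are untouched and the VPN endpoint is the only way in.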
 

FNtastic

[H]ard|Gawd
Joined
Jul 6, 2013
Messages
1,419
Set it to a static IP, then add a firewall rule at the top of the list that blocks any request from that IP to the internet. It may still be trying to call home, even if you think you deleted everything.
Layer 3 switch with ACL applied to VLAN for the win!
 