Stuck trying to setup NAS remote file access

Discussion in 'Networking & Security' started by She loved E, May 30, 2019.

  1. She loved E

    She loved E n00b

    Messages:
    62
    Joined:
    Dec 30, 2012
    Just got my DS1618+ going. Local setup was a breeze, but I am completely stuck getting remote access to work. Honestly I never thought it would be this complicated.

    Fair warning I am bad at this stuff and have no networking experience so please use small words and dumb everything down til even your three-year-old rolls his eyes.

    • DSM access is set. I can remote-in from anywhere.
    • SSL cert is done with Lets Encrypt on synology.me subdomain.
    • DDNS is setup and showing as 'normal' from DSM
    • I can get to my files on the DS File mobile app
    • QuickConnect is setup

    Now I would like to map network drives to my two storage directories on a remote Win10 computer. This was easy on the local network. Why is it so hard to do remote? I have tried and so far have failed...
    Because I can't connect with any of the above methods I'm starting to suspect I'm either inputting my credentials wrong or my port forwarding isn't set properly. I know another method would be VPN, but that's a can of worms I'd rather not open until I've exhausted all the above options.

    Appreciate any help anyone can provide!
     
  2. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,394
    Joined:
    Oct 4, 2007
    Honestly - VPN is the easiest and most secure way to do this. You should look into and learn how to do it. It's actually pretty easy. What kind of firewall/router do you have?
     
  3. IdiotInCharge

    IdiotInCharge [H]ardForum Junkie

    Messages:
    9,619
    Joined:
    Jun 13, 2003
    This, because 'port forwarding' literally means punching holes in your firewall for internet traffic to flow through, and hoping that said traffic is all between your remote computer and your local network.

    In this case, a 'VPN' means setting it up on your router. This connects your remote computer to your local network and gives it a local address- once set up, your NAS will be accessible the same as it is locally.
     
    She loved E likes this.
  4. She loved E

    She loved E n00b

    Messages:
    62
    Joined:
    Dec 30, 2012
  5. IdiotInCharge

    IdiotInCharge [H]ardForum Junkie

    Messages:
    9,619
    Joined:
    Jun 13, 2003
    So, we need to direct your attention to a different part of your network:

    Your router.

    Port forwarding, and VPN end-points, are done at the 'edge' of your network which is controlled by your router (and its firewall).

    If you forward a port on your router to your Synology, accessing your network remotely on that port will let you- and anyone- access the log in page of your Synology. The 'anyone' part is why this isn't a great idea; it works, but it's also an attack vector for malicious actors.

    Note that doing any of this on your Synology will only affect the Synology itself, and only on your local network. Your router (and its firewall) are preventing remote access by default, and that's a very good thing.


    To be of any more assistance, we'll need to know about your router. To a 'network person', these things all largely work the same way, but if you're not familiar with how they should work, setting up a VPN might be a bit of a challenge.



    [a note on VPNs: a 'VPN end-point' is a port on your router- not on the Synology- that you can access with software on your remote system to initiate a highly encrypted network session; once initiated, your remote system will appear to be 'on' your local network, and will be able to access all network resources as if it were on your wifi at home]
     
    Cmustang87 and She loved E like this.
  6. She loved E

    She loved E n00b

    Messages:
    62
    Joined:
    Dec 30, 2012
    Thank you, this is all starting to make sense.

    To set up my home network I used this thread for guidance: https://hardforum.com/threads/guide-what-router-should-i-get.1965547/ .More specifically this tutorial:

    So I believe my EdgeRouter is functioning as the router while the ISP router is in bridge mode. I'm not 100% sure on that since its been a while since I set it up. It sounds like this is something I need to sort out in order to get this working. I'll try to track down more info on that tonight when the hardware is in front of me and I can check settings for both devices.
     
    IdiotInCharge likes this.
  7. IdiotInCharge

    IdiotInCharge [H]ardForum Junkie

    Messages:
    9,619
    Joined:
    Jun 13, 2003
    There are guides to setting up an OpenVPN end-point on an Edgerouter- I've done it successfully myself in the past. It did involve terminal work, to include using SCP to move keys around.
     
    She loved E likes this.
  8. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,394
    Joined:
    Oct 4, 2007
    Here's the Ubiquiti document on installing OpenVPN server and configuring your OpenVPN client: https://help.ubnt.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server

    Basically, what happens on a VPN is your device will establish a session on your router's WAN interface. The router will respond and require authentication to the endpoint. You will authenticated with a certificate and a username/password (this is effectively 2FA, and the most secure way to do it). Once you are authenticated you will be placed into a "VPN Subnet" which may or may not be part of the LAN depending on how you configure it. If you want to learn more about routing and network segmentation, I always suggest putting your VPN users on another network so it's easier to track them. Now, you are on your home network and can communicate freely as if you were actually at home using a private IP address on your network.

    Keep in mind that port forwarding is not needed at all with this configuration, and as IdiotInCharge pointed out, is a much better solution from a security perspective. The only time port forwards are required for VPN access like this is if your VPN server is downstream from your perimeter NAT device (such as having a server terminating the VPN conncetions downstream from your firewall. You'd need to port forward the initial traffic to establish an auth session and all VPN traffic thereafter). Without a good firewall however, this isn't recommended because you're going to want to inspect this traffic as it's coming in.
     
    She loved E and IdiotInCharge like this.
  9. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,208
    Joined:
    Nov 16, 2009
    Never enable port forwarding...... You're directly exposing that device to the internet, with no way to filter the traffic. This exposes you to ALL kinds of shit if the device has hardcoded credentials, buggy firmware or crappy authentication. There are plenty of examples of why this is a bad idea, since most of these IOT manufacturers focus VERY little on security.

    Unless you really know what you are doing, and how to appropriately lock it down, Port Forwarding is ALWAYS a bad idea. You should always use a VPN to tunnel into your network any time you need to access internal devices.
     
    She loved E likes this.
  10. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,394
    Joined:
    Oct 4, 2007
    Ok I think we've hit 'em over the head with it enough by now :)
     
    She loved E likes this.
  11. God whale

    God whale n00b

    Messages:
    43
    Joined:
    Mar 18, 2019
    .... lol whut?
    port forwarding is great. You just have to understand what you're doing. Never port forward is what like dense security people would say.
    The internet works by ip and port. Every single application tries to connect to a specific port (unless they're multicast but that's another story). The only thing is that you have to have something listening on a port. So all you're doing is tunneling a specific port from the outside to a specific computer on the inside.
    Is it a security risk? it all depends on the application you have listening. Setting up a web server like apache on a non standard port and using port forwarding to be able to reach that isn't a security risk by itself if the web server is set up correctly. Same could be said for databases/remote desktop/ect as long as proper security is used. Sure there's exploits to lots of services out there and the more you expose the greater risk there will be, but i'm sure there are also router exploits out there as well so it's not as if you can ever be completely safe.

    It's much safer to use port forwarding to get access to internal network services can to set up a computer as a dmz :p
     
    She loved E likes this.
  12. IdiotInCharge

    IdiotInCharge [H]ardForum Junkie

    Messages:
    9,619
    Joined:
    Jun 13, 2003
    It's a security risk because you're relying on a system that isn't a firewall to work as an edge device.

    Among many other reasons.

    But perhaps the most important: you didn't head the part where the OP is not a network security expert. You're going to recommend that they open up a port to the internet?

    Are you hoping to hack the OP?
     
    Cmustang87 and She loved E like this.
  13. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,394
    Joined:
    Oct 4, 2007
    There is so much misinformation here it is absolutely staggering.
     
    She loved E likes this.
  14. She loved E

    She loved E n00b

    Messages:
    62
    Joined:
    Dec 30, 2012
    Ha thanks guys, message received.

    I'm changing plans a bit and will set this up at the office before configuring so that I only have to get the networking part dialled in once. Once I have a gameplan I'll share it so that you all can give me notes before I try again. Appreciate the feedback so far!
     
  15. God whale

    God whale n00b

    Messages:
    43
    Joined:
    Mar 18, 2019
    Sure. If it's a protocol that synology uses to share disk information that's already secured by a user and password with a captive portal like instance, why not?

    trying to hack the op? that's a stupid question. Even gaming consoles needed port forwards so that you could run online games because they typically used a shared hosting topology.

    You don't need to be a network security expert, you just need to know what you're doing. There are probably tens of thousands of nases that expose their services on the internet and somehow everyone that does that is at risk from a port scanner and hacking of said services?

    For someone like you, might as well air gap your router. Can't be too sure after all.
     
  16. God whale

    God whale n00b

    Messages:
    43
    Joined:
    Mar 18, 2019
    Care to point out what you disagree with?
     
  17. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,208
    Joined:
    Nov 16, 2009


    No you do not port forward on a gaming console..... You only forward ports for inbound connections, which is not require for anything other than people hosting their own game server or something. Outbound connections are allowed by default unless you have some severely restrictive firewall rules.

    Opening a port is literally poking a hole in your firewall, and then you're fully relying on the security of the exposed device. And most of these companies focus very little on security until a vulnerability comes out due to their shitty firmware, or some unchangeable hard-coded admin account. So now you have an insecure device directly exposed to the web, which will be found by bots doing port scans and now you're on the IOT search list of vulnerable devices that anyone can exploit....... Yes, you can directly expose something like apache or nginx to the internet, but that is still very bad practice and not acceptable in more enterprise environments, especially without proper planning/setup of a DMZ. All inbound traffic should go through an edge device, preferable with some kind of IDS/IPS application. Home users with no network experience should NEVER port forward as they don't understand the risk.


    And yes, those thousands of users exposing their NAS to the internet are at risk. Feel free to browse around here, which is basically google for vulnerable internet exposes IOT devices....
    https://www.shodan.io/
     
    FNtastic likes this.
  18. daglesj

    daglesj [H]ardness Supreme

    Messages:
    5,028
    Joined:
    May 7, 2005
    First thing I do when I setup a NAS is switch off or uninstall every internet/connection/remote service and app that isn't anti-virus and basic file sharing. So much junk on those things nowadays.
     
  19. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,208
    Joined:
    Nov 16, 2009
    Set it to a static IP, then add a firewall rule at the top of the list that blocks any request from that IP to the internet. It may still be trying to call home, even if you think you deleted everything.
     
  20. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,337
    Joined:
    Jul 6, 2013
    Layer 3 switch with ACL applied to VLAN for the win!
     
Tags: