Hi.
First I want to say I'm new to OPNSense! :)
The case:
I have a NAS server on my network. :)
I can go to my NAS server fine by using the local IP (192.168.1.x:5001) 8)
But if I try to go to "mynas.mitsite.dk:5001" from my PC - it doesn't work! It simply doesn't load the page. :o
If I connect from outside my network on a phone, it works fine. :) (The phone is not connected to my wifi or local network.)
So how can I fix it so I can use: "mynas.mitsite.dk:5001" from my local network? 8)
I hope it makes sense! ;D
EDIT-1: I have used this guide to open the ports on opnsense: https://www.wundertech.net/how-to-port-forward-in-opnsense/ :)
EDIT-2: Please explain in a NOOB-friendly way! :o
EDIT-3: I have an A record that points to my static WAN IP
// Thomas
What you need is called NAT port reflection. Do not rely on arbitrary guides from the internet, use the official documentation: https://docs.opnsense.org/manual/how-tos/nat_reflection.html
There are some pitfalls to this if you already enabled some more advanced features. If you search the forum for "NAT reflection", you will find such cases, e.g. with geoip blocking (https://forum.opnsense.org/index.php?topic=35280).
Of course there are better ways to make a service like that available (https://forum.opnsense.org/index.php?topic=23339.0), especially if you want to expose more than one of them in a secure manner.
Hi :)
After some reading about "Nat reflection" I got it to work!
Thanks for pointing me in the right way!
// Thomas
Please remember what @meyergru mentioned:
This is not a safe way, and the NAS GUI is reachable by anyone (this includes hackers / botnets). This is probably a Synology NAS, which I am not really familiar with, so I don't know how many attacks are run against those devices... Having a QNAP NAS, your data will be lost within a few months or weeks, depending on how intensely the attacks are run.
Quote from: tiermutter on April 16, 2024, 07:23:07 PM
Please remember what @meyergru mentioned:
This is not a safe way, and the NAS GUI is reachable by anyone (this includes hackers / botnets). This is probably a Synology NAS, which I am not really familiar with, so I don't know how many attacks are run against those devices... Having a QNAP NAS, your data will be lost within a few months or weeks, depending on how intensely the attacks are run.
To add to the above, which is 100% correct (and based on your port it sounds like it's a Synology device), you might want to use something user-friendly like Tailscale (see https://tailscale.com/kb/1131/synology) to connect to your NAS from outside your network.
This allows you to access everything, without opening it up to the world.
Also, instead of NAT reflection, you can override the DNS for that host with 'Services: Unbound DNS: Overrides : Host Overrides'.
Overall, Wundertech's guides are okay for general implementation; he is a good dude and explains things well, but as mentioned you need to consider what FW/router you have and make the appropriate adjustments and apply the best practices that fit your use case.
Regarding the fix, as described: either NAT reflection, or, if you have a local DNS, you can add an A entry pointing to the local IP.
Regarding security, what you are doing is very, very bad. You expose DSM (Synology NAS) to the internet on the default port. This is inherently wrong and a major red flag. Funny enough, Wundertech did test this: he exposed one of his Synologies to the public internet and confirmed he was seeing a lot of attacks trying to connect to DSM on the default port and with the default admin account (which should be disabled). Even if they cannot access DSM, it's still bad that somebody tries to break the login just because they know it is a Synology (due to the default port).
Regards,
S.
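The two fixes mentioned in this thread (NAT reflection versus an Unbound host override / local A record) come down to which address a LAN client gets back when it resolves mynas.mitsite.dk. The following is an added example, not code from the thread or from OPNsense: it models the lookup a LAN client makes through Unbound and classifies what the client will hit. The subnet, the NAS address (192.168.1.20), the placeholder WAN address (203.0.113.10, a documentation range) and the two record tables are constructed for the example; only the hostname and port 5001 come from the thread.

```python
# Added example (not from the forum thread or OPNsense): why "mynas.mitsite.dk:5001"
# fails from the LAN, and how a host override avoids the need for NAT reflection.
# All addresses below are constructed for illustration.
import ipaddress
import socket

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
NAS_LAN_IP = "192.168.1.20"                        # assumed NAS LAN address
WAN_IP = "203.0.113.10"                            # placeholder for the static WAN IP
NAS_PORT = 5001                                    # port used in the thread

# Constructed: what the public A record answers (what the phone on mobile data sees).
PUBLIC_A_RECORDS = {"mynas.mitsite.dk": WAN_IP}

# Constructed: what "Services: Unbound DNS: Overrides: Host Overrides" would hold
# on the OPNsense box so that LAN clients get the LAN address instead.
UNBOUND_HOST_OVERRIDES = {"mynas.mitsite.dk": NAS_LAN_IP}


def _norm(name: str) -> str:
    """Normalise a DNS name the way a resolver compares it (case, trailing dot)."""
    return name.strip().lower().rstrip(".")


def lan_lookup(name: str, overrides: dict, public: dict):
    """Model a LAN client's lookup via Unbound: a host override wins, else the upstream A record."""
    key = _norm(name)
    if key in overrides:
        return overrides[key]
    return public.get(key)


def classify(resolved):
    """Say what a LAN client will reach when it connects to the resolved address."""
    if resolved is None:
        return "unresolved"
    ip = ipaddress.ip_address(resolved)
    if str(ip) == NAS_LAN_IP:
        return "split-dns"              # override works; traffic never leaves the LAN
    if str(ip) == WAN_IP:
        return "needs-nat-reflection"   # client hits its own WAN address from inside
    if ip in LAN_NET:
        return "wrong-lan-host"         # override points at some other LAN host
    return "external"


def diagnose(name: str, overrides: dict, public: dict) -> dict:
    """Resolve the name as a LAN client would and report the verdict."""
    resolved = lan_lookup(name, overrides, public)
    return {"name": _norm(name), "resolved": resolved, "verdict": classify(resolved)}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live reachability check from the LAN; not exercised by the offline cases below."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Without an override a LAN client gets the WAN address: NAT reflection required.
    print(diagnose("mynas.mitsite.dk", {}, PUBLIC_A_RECORDS))
    # With the host override it gets the LAN address: no reflection needed.
    print(diagnose("mynas.mitsite.dk", UNBOUND_HOST_OVERRIDES, PUBLIC_A_RECORDS))
```

The override approach is the one to prefer where you can: the LAN client talks to 192.168.1.20:5001 directly, so no port forward or reflection rule on the firewall is involved in local access at all. Running `tcp_reachable(diagnose(...)["resolved"], NAS_PORT)` on a LAN host gives the live version of the same check.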
Hi
Thanks for your replies. :)
I have created a rule on my NAS server, so it can only be accessed from the LAN network!
I have also changed the ports the NAS server runs on.
// Thomas
Denying access directly from WAN is good, and a change of ports is not necessary. However, changing ports when it is accessible from WAN will not give much more security...