Access to the NAS from the outside without a public IP

Question

Hello, I know there have been topics like this before, but I didn't understand much reading them, besides, everyone's situation is different. Hardware description: at home I have an asus router with asuswrt uploaded. The router is connected to the internet via cable. The operator is KOBA...

IC_Current · Accepted Answer

Either way, you'll have to pay. Either for a public IP address or for VPS hosting or for a VPN proxy server.
Probably best to pay for a public IP address. Of course, you don't put the NAS outside, because that would be hardcore. If you have a public IP, then you put a VPN server on the router. Then you connect from Android to the VPN server on the router to establish a secure connection. Once you have set up a VPN connection, you connect to the NAS server.

KOCUREK1970 · Accepted Answer

@noel200 The public IP address is not everything, because this one is most often variable, so each time you change this IP, you lose the server over the Internet (you have to reconfigure the link with the correct IP and it will work, and so every time the IP changes). It would have to be a public permanent IP address, then the problems mentioned above fall away. And additionally, what is your upload (sending to the Internet)?

IC_Current · Accepted Answer

So very decent This problem is solved by using Dynamic DNS. There are many services that provide paid or free DDNS services. Client issue on the router. On the stock firmware it is for sure, on DD-WRT too. How on this asuswrt I do not know, but rather it will be.

KOCUREK1970 · Accepted Answer

I know people who have a public dynamic IP and have had the same IP for several years (they do not turn off the opa router), I know people whose dynamic IP changes when op does something in their network and I know people who at least once a week the public IP changes and it doesn't matter what they do on the web - there is no rule what op is a different philosophy and approach. Nice, but divide it by 8 and you have real transfer - it's +/- 5.2MB of real transfer. You must remember that he will not allocate all the up in your network to you, so in reality it will be less. You also need to remember that the upload decreases when someone is downloading something at home, and you in town will want to hit the server. You want to go to the server on your mobile, and there will not always be fast LTE and logging in to the server may be difficult, not to mention the transfer from the server. It seems to be trivial and individually unrelated, but it creates a chain of mutual dependencies and has an impact on the whole.

takijasiu · Accepted Answer

Since you managed to successfully redirect TCP/80 from the router's WAN to the NAS interface, it's probably cool, right?

Now check what kind of access the software on the phone you use to view photos needs - in short, what port it connects to the NAS on your local network - there may be more than one port, although this is unlikely.

Once you find the port you need, forward it on your router as you forwarded port 80.

In general, it may be that the ISP allows access only to a set of ports by default - e.g. 80, 443 - and if the NAS uses some unusual port, then this port may not be reachable from the outside despite active redirection on the Cb router. In this case, you can test redirect this unusual port to port 80 on the router - then you will connect from the outside and check if it works this way.

Oh - and the port is just a number, but 80 will be actively scanned by all kinds of Internet scanners - it's also best to put these services on unusual ports - avoid 80, 443 and other typical ones. And in the configuration of the clients on the phone, just specify the port numbers.

Regarding the revelation that in order to receive traffic coming to a given public IP, you must have it on the interface, I recommend my colleagues to familiarize themselves with such technology as DNAT / SNAT. In short - by setting DNAT and/or SNAT from a given private address in the local network to a certain public address, the router serving the local network (in this case, the router of the ISP operator) changes the destination (DNAT) or source (SNAT) IP address in the routed packet. As a result, a given packet either reaches a specific private IP, although it was directed to a different IP (DNAT) or leaves the router towards another network (e.g. public) with a source IP address, e.g. from this network, although it reached the router with the source address on the local network (SNAT).

noel200 · Answer

Ah, I think I understand. Public IP is PLN 5 / month, so there is no tragedy. As long as they do not block anything in traffic and this address will not change often, because then it makes no sense.
Upload is about 50mb.

jarek7714 · Answer

The address as above was written by colleagues - public / does not have to be static, DDNS solves the problem of change, there is certainly a client on AsusWRT (it should be on the WAN interface of the router). 50Mbps upload speed is pretty cool (as far as real you can verify, I had a connection from a local ISP, I gave it up - well, a dozen or so Mbps with great pings on the light, as in an encrypted connection, only unstable few Mbps - until I discovered it, I blamed main router and clients that it was probably too weak / TV stream in SD could cut ...).

noel200 · Answer

I checked my transfer on speedtest.pl/net by choosing different servers outside the province and even outside the country and the values are sufficient for me.
So I will be in touch next week about the public IP. And when I receive it, I will write here and with your help I hope I will be able to set everything up.

noel200 · Answer

Welcome back. I already have a public IP address. I guess. This is what my ISP says, although the public address is different than the one given to the WAN on the router.
They have a NAT redirect, right?
The address supposedly changes sometimes but they gave me a free dyndns straight away which always stays the same.
Now how to configure the router to access NAS openmediavault disks via ftp?
Regards.

KOCUREK1970 · Answer

It should be the same on the WAN of the router and on the checking pages. Is the same?:

noel200 · Answer

No, it's different. But just from a phone with WiFi turned off, I was able to access the NAS configuration page using the DynDNS they gave me.
Using the address as it has the WAN port, I can access my network. Just something else to put? any port forwarding?
And what do I type in the browser to get a specific network drive or, for example, an ip camera connected to my network?

I can only access the NAS OMV configuration page. Probably because by default it is on port 80. In the router I have enabled forwarding to port 80 to the router's address and that's why it works. But I enabled Ftp on port 21, enabled port 21 forwarding on the router to our address and it doesn't work. I guess. I type in the browser ftp://xxxxdyndns.koba.pl:21 Okay?
Regards.

noel200 · Answer

I have now managed to set up the router so that I have an external connection to its configuration page with an encrypted connection.
But for these services on OMV, I still don't know how to do it. I set up redirects and it doesn't work, I don't know what to do next.

noel200 · Answer

That's what I did and I managed to install cloud commander via docker and it's ok. Now I need to get a more multimedia program so that others can also watch. Valuable note, thank you.

przeqpiciel · Answer

- embs - plex - jellyfin

noel200 · Answer

Oh, thanks for the hint. I will definitely check

voxck · Answer

Try zerotier.com Works great even when there is no public IP and above all very easy to configure. That's all you need

noel200 · Answer

Installed, enabled, configured, added folders to the library. This is it cool thanks. I read, watched, tried to connect the phone to the PC for a test. I don't understand what this is about. Can you somehow briefly explain in Polish in simple words how it works?

voxck · Answer

Take a look here Fairly well explained.

Anonymous · Answer

Did I understand correctly that this needs to be installed on every device we want to access?

voxck · Answer

Well, there's no other way. As with a traditional VPN, you also need to configure it on each device.

noel200 · Answer

And really packets from our devices don't go through some central server somewhere in barbados? Nobody's going to pick up on this?

Anonymous · Answer

Not true. VPN server (not the VPN client) you install on the router, configure the routes accordingly and have access to the entire network and to all devices without having to install anything on them. In the need to install on each device solution, there is always the problem of system differences, and for small devices, space in the device's memory. In addition, the external proxy server is also burdened with additional load: e.g. periodic lack of access to the services of this server. It is true that a VPN server on a router is also not a trifle because it requires an appropriate router, sometimes also knowledge and public IP. Nevertheless, this solution (VPN server on the router) is the most universal and gives access to all devices (also printers, cameras, recorders) and not only to selected devices and does not require any proxy server because the role of this server is taken over by the VPN server installed (running ) on the router. ps there are routers (also in the SOHO class) that have a built-in VPN server. It is enough to turn it on and provide a few details (e.g. logins and passwords for users).

voxck · Answer

But there is no central server here. You connect directly to your device

Anonymous · Answer

From a technical point of view, this is impossible. Either a VPN server or a VPN client is installed on the device. A VPN server requires a public IP and a lot of memory and of course installation options (space for it, appropriate operating system). The VPN client needs a proxy server to log in to. [edit] Even in the link that a colleague sent us we read: My bolds. So, however, there is an intermediary server and we do not connect directly to our own device, but we connect indirectly.

noel200 · Answer

Ah, cool. Exactly. I have such a VPN server tab in the asus router on AsusWrt. Us with OMV set, ports forwarded and it works. Can I turn off port forwarding and set up a VPN connection on devices from which I want to connect to my network and connect to my network only with an encrypted tunnel connection? Equipment at home would be safer, right?

Anonymous · Answer

Dude is 100% right. Since there is a VPN server, it should work exactly as the colleague described.

Purely theoretically (I don't know the configuration of this AsusWRT) if my colleague has a public address on the router, it should be possible to configure it in such a way that after connecting to the VPN server, the colleague should have access via IP addresses to each device without any dangerous redirections. By simply connecting from the outside "the computer virtually appears inside the network" as if it were physically connected to it.

noel200 · Answer

I will pursue the topic in my free time. Thanks.

Anonymous · Answer

There's nothing to get carried away with here: Since my friend already has a configured VPN server (as I understood), the links above are enough and within a few minutes you can check it on your phone (of course with WiFi turned off to be out of your network). [edit] The colleague in the subject has no public IP and I clearly wrote that the VPN server requires a public IP. Without a public IP, the connection must be made in the other direction, i.e. an intermediary server is required. There must be only ONE public IP. The client connects to a public IP. So either Colleague will connect to the VPN server at home or from home to outside.

noel200 · Answer

I do not have it yet. I have a tab in my router. I will read and try to do this because: I already have a public IP and a permanent dyndns address.

Access to the NAS from the outside without a public IP

Post #1

Post #2

Post #3

Post #4

Post #5

Post #6

Post #7

Post #8

Post #9

Post #10

Post #11

Post #12

Post #13

Post #14

Post #15

Post #16

Post #17

Post #18

Post #19

Post #20

Post #21

Post #22

Post #23

Post #24

Post #25

Post #26

Post #27

Post #28

Post #29

Post #30

Topic summary