private network with some public access?

FTP Server, File Server, DDNS, SAMBA, AFP, NFS
Post Reply
gdgross
Starting out
Posts: 27
Joined: Tue May 11, 2021 8:06 am
Location: Los Angeles
Contact:

private network with some public access?

Post by gdgross »

Hi all, I had my TS-453D NAS set up to be accessible over the internet so that I could share files with colleagues, etc.

Unfortunately I got hit by the ransomware attack last month, and lost almost everything in the NAS, including the folders I had sync'd to box and dropbox. Quite disappointing, but fortunately the bot seemed to have left alone all *.wav files, which is the only silver lining. (I'm a musician and share production files frequently), so the only truly valuable thing I lost was band pictures.)

Since then, at QNAPs recommendation, I've wiped the NAS, reinstalled the OS, and basically started over. I also now have a 14TB external HDD on which I can back up the entire NAS, which I didn't have before. Had i had that in place I could have recovered my files (as long as the backups weren't automatic). I have a couple questions. I set it up initially last week on a call with QNAP support to be accessible on the internet, but he also installed a firewall for US only IP addresses, which I didn't have before.

Can I change the NAS to be private, and still create specific links to share specific files with people? Or is that not possible? If that's not possible, I may do this anyway, and just use dropbox/etc as my file sharing place. Or perhaps it is possible to have only certain folders on the NAS accessible to the internet? Losing my entire NAS last month was pretty bad, and I never want that to happen again. Thank god the bot didn't affect wav files for whatever reason.

The second question is this: I like automatic backups, since I don't have to remember to do them, but if I had had auto backups, i think the backups would have just been encrypted as well. Is there a way to get around this? Perhaps something like apple's time machine, where i could restore the device to a previous state? Or comparing a folder before backing up and skipping if the file extensions have changed?

Thanks all, I'm an EE by trade, but new to networking and IT things. This is my first foray into setting up a home network. Apologies if this is posted in the wrong section of the forum as well.

Thanks!
Geoff
User avatar
dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: private network with some public access?

Post by dolbyman »

They attacked your NAS not your folders, so no matter what you share, the attack surface will always be there

- Remove manual port forwards to your NAS from your router
- Disable uPnP on your router

from then on only use sharehosters (as you said dropbox,etc) to share files with external users

you can use hybridmount to replicate an SMB share to and from dropbox(and others), that way you can share it without exposing your NAS
https://www.qnap.com/en/software/hybridmount
gdgross
Starting out
Posts: 27
Joined: Tue May 11, 2021 8:06 am
Location: Los Angeles
Contact:

Re: private network with some public access?

Post by gdgross »

Thanks dolby -

My router is a motorola MB7420 - I'll have to look up how to connect to it and disable those; I've never touched the settings for it.

Good idea with the hybridmount, I like the idea of as many accessing from as many machines as I want, too :-)
User avatar
dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: private network with some public access?

Post by dolbyman »

Had a quick google and the MB7420 is a modem only, so there must be a router in your setup as well
gdgross
Starting out
Posts: 27
Joined: Tue May 11, 2021 8:06 am
Location: Los Angeles
Contact:

Re: private network with some public access?

Post by gdgross »

Sorry, the MB7420 has a ethernet port on it, which is connected to my switch, (A netgear GS305) which is connected to the NAS and the rest of the network. There is a wifi router too, a linksys WHW0102.

Thanks!
User avatar
dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: private network with some public access?

Post by dolbyman »

the modem should go into the WHW0102 and a LAN port of the WHW0102 then into your GS305

The modem should NOT be directly plugged into your switch
gdgross
Starting out
Posts: 27
Joined: Tue May 11, 2021 8:06 am
Location: Los Angeles
Contact:

Re: private network with some public access?

Post by gdgross »

Oh, ok! I didn't know that, thanks.

what's the reasoning behind this? Firewall in the router or something?
User avatar
dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: private network with some public access?

Post by dolbyman »

You don't want to mix public and private on the same switch (I know private ranges would not be routable .. but still)

WAN <> Router <> LAN

the upnp setting should then be in your linksys mesh router
gdgross
Starting out
Posts: 27
Joined: Tue May 11, 2021 8:06 am
Location: Los Angeles
Contact:

Re: private network with some public access?

Post by gdgross »

got it, uPNP now disabled. Looks like there was no port forwarding set up anyway.

Turns out I actually did have the router in between the modem and the switch, as advised!
gdgross
Starting out
Posts: 27
Joined: Tue May 11, 2021 8:06 am
Location: Los Angeles
Contact:

Re: private network with some public access?

Post by gdgross »

Now that that's all done, how do I change my NAS to be not accessible from the web?
User avatar
dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: private network with some public access?

Post by dolbyman »

without port forwards or upnp, your NAS is not direct exposed anymore
gdgross
Starting out
Posts: 27
Joined: Tue May 11, 2021 8:06 am
Location: Los Angeles
Contact:

Re: private network with some public access?

Post by gdgross »

hah, ok. I certainly don't understand how all this works then.

It seems I can still access my NAS through myQNAPcloud, but it's not exposed to the broader internet?

Thanks for your patience with me :-)
User avatar
dolbyman
Guru
Posts: 35021
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: private network with some public access?

Post by dolbyman »

without port forwards the only way you could access your NAS would be cloudlink
https://www.qnap.com/solution/myqnapcloud-link/en-us/

As it Tunnels the traffic through QNAP servers .. I don't know if you set that up
User avatar
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: private network with some public access?

Post by Toxic17 »

gdgross wrote: Thu May 13, 2021 5:06 am hah, ok. I certainly don't understand how all this works then.

It seems I can still access my NAS through myQNAPcloud, but it's not exposed to the broader internet?

Thanks for your patience with me :-)
its worth checking your connection to the internet to make sure no ports are open.

https://www.grc.com/x/ne.dll?bh0bkyd2
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
gdgross
Starting out
Posts: 27
Joined: Tue May 11, 2021 8:06 am
Location: Los Angeles
Contact:

Re: private network with some public access?

Post by gdgross »

Thanks for that link, toxic, seems like i'm good? the test reported that the equipment at my IP address didn't respond to its pings.
Post Reply

Return to “File Sharing”