QLocker, new updates, QuFirewall + Remote Access

[Bob Zelin]

Hello boys and girls -
this is to just entertain you. This has been one heck of a last 2 weeks for me.

Well, no matter what you say, MY clients want remote access to their QNAP's (safety be damned !) - and so I have been frantically been doing all the QTS 4.5.3 updates, with all the App updates for Hybrid Backup Sync, Multimedia Console, Malware Remover, and NOW - QuFirewall.

So here we are with the new wonderful QuFirewall (with no documentation). So I blindly install a bunch of updates, and my clients call back to complain "I can't VPN into my QNAP". And sure enough QVPN, with the lovely open port of 1194 UDP (or occationally 1195 or 1196) is blocked. OH NO ! - what will I do ? So after my panic (how could this not be working anymore) - I say "ok - what's different, what's changed" - and of course QuFirewall
has changed.

So I am still playing with it, but if you disable the defaults in the Basic Firewall settings, then QVPN starts to work. I randomly started to click things back on, and then APPLY, and it was still working, but if you click them all on, and hit APPLY, then QVPN (OpenVPN) stops working. So tomorrow, I need to figure out which EXACT check boxes are stopping QVPN from getting an external user to remote access the QNAP - because its at least ONE of those check boxes in QuFirewall.

And for those that say "what are you - an idiot - didn't you just live thru this nightmare - why are you still opening ports to remote access your QNAP" - I received TWO emails today from new clients that said "hey - I hear that you know how to do remote access on the QNAP, can you help us".

So I can either say "no - you moron - do you know how dangerous this is" - and not make any money - or I can say "yes sir - of course I can help you" - and run all the updates, manually open just the ports I need, and pray a lot (and make money).

Bob Zelin

[Skwor]

Hello boys and girls -
this is to just entertain you. This has been one heck of a last 2 weeks for me.

Well, no matter what you say, MY clients want remote access to their QNAP's (safety be ** !) - and so I have been frantically been doing all the QTS 4.5.3 updates, with all the App updates for Hybrid Backup Sync, Multimedia Console, Malware Remover, and NOW - QuFirewall.

So here we are with the new wonderful QuFirewall (with no documentation). So I blindly install a bunch of updates, and my clients call back to complain "I can't VPN into my QNAP". And sure enough QVPN, with the lovely open port of 1194 UDP (or occationally 1195 or 1196) is blocked. OH NO ! - what will I do ? So after my panic (how could this not be working anymore) - I say "ok - what's different, what's changed" - and of course QuFirewall
has changed.

So I am still playing with it, but if you disable the defaults in the Basic Firewall settings, then QVPN starts to work. I randomly started to click things back on, and then APPLY, and it was still working, but if you click them all on, and hit APPLY, then QVPN (OpenVPN) stops working. So tomorrow, I need to figure out which EXACT check boxes are stopping QVPN from getting an external user to remote access the QNAP - because its at least ONE of those check boxes in QuFirewall.

And for those that say "what are you - an idiot - didn't you just live thru this nightmare - why are you still opening ports to remote access your QNAP" - I received TWO emails today from new clients that said "hey - I hear that you know how to do remote access on the QNAP, can you help us".

So I can either say "no - you moron - do you know how dangerous this is" - and not make any money - or I can say "yes sir - of course I can help you" - and run all the updates, manually open just the ports I need, and pray a lot (and make money).

Bob Zelin

Dollars is always > than sense

[Moogle Stiltzkin]

i did a reinitialize just the other day. enabled qufirewall, with rule set local lan subnet. defaults.

then i get connectivity issues for no reason..... at this point i just disable it. i don't understand why it would cause connectivity issues for me when i use the default settings that supposedly allows local lan connections on same subnet, but sometimes it just has issues that pops up that causes connectivity issue to the qnap.

So I can either say "no - you moron - do you know how dangerous this is" - and not make any money - or I can say "yes sir - of course I can help you" - and run all the updates, manually open just the ports I need, and pray a lot (and make money).

guess that works till it doesn't
https://www.youtube.com/watch?v=pbr5T5w63c4

https://www.youtube.com/watch?v=NkUhRn2YZCU


once the customer says he will only pay you if you can guarantee results with his bad security behaviour.... at that point, that is just impossible.

do you ever get customers like this? lel

[Guapo81]

So I am still playing with it, but if you disable the defaults in the Basic Firewall settings, then QVPN starts to work. I randomly started to click things back on, and then APPLY, and it was still working, but if you click them all on, and hit APPLY, then QVPN (OpenVPN) stops working. So tomorrow, I need to figure out which EXACT check boxes are stopping QVPN from getting an external user to remote access the QNAP - because its at least ONE of those check boxes in QuFirewall.

I was struggeling with the same settings, since my PPTP VPN stopped working when QuFirewall was enabled, and you're right QuFirewall more or less came out of nowhere and documentation is quite sketchy...at best...

Strangely enough in my case with basic safety enabled in QuFirewall it has (I believe these settings came standard when enabling QuFirewall) 2 rules on IP range to allow 10.8.0.0/24 and 10.8.0.2, which is OpenVPN...
If I disable OpenVPN in QVPN app, these 2 settings get an exclamation mark next to them, which makes sort of sense since OpenVPN is then disabled, but looking at the other VPN possibillities, so PPTP or QBelt (their own VPN protocol!!) there are no standard rules in the QuFirewall app nor do they get added or removed when you turn on or off these VPN servers in QVPN.

So to get the PPTP VPN connection through the firewall I had to manually add rules for IP range 10.0.0.0/24 and for Qbelt I guess you'd have to manually add 10.6.0.0/24.

Though this also means I still have 2 forwarded ports to my main NAS, which are TCP 1723 for PPTP VPN and TCP 32400 for Plex... Next to that I've done all other things recommended to keep my boxes safe.
Let's just hope (or prey) this is enough (for now...).

[dolbyman]

Bob, remote access should be no problem with VPN. There is products on the market that make deployment of VPN easy for Win or MAC users (e.g. Sophos Connect for XG Firewall) .

Unless you want to write-up a guide and setup routine for whatever OpenVPN or IPSec client you want to use with a cheaper/free VPN Server/appliance.


This way all remote workers just have to enter user username and password when they initialize the VPN connection in the morning.. takes only seconds. But when the next malware hits exposed units, you can lean back and be certain that your customers are not getting hit.

All my clients use VPN for remote work and it works fine.

[AlastairStevenson]

That's good, sound advice.

[QNAPDanielFL]

So I am still playing with it, but if you disable the defaults in the Basic Firewall settings, then QVPN starts to work. I randomly started to click things back on, and then APPLY, and it was still working, but if you click them all on, and hit APPLY, then QVPN (OpenVPN) stops working. So tomorrow, I need to figure out which EXACT check boxes are stopping QVPN from getting an external user to remote access the QNAP - because its at least ONE of those check boxes in QuFirewall.

I was struggeling with the same settings, since my PPTP VPN stopped working when QuFirewall was enabled, and you're right QuFirewall more or less came out of nowhere and documentation is quite sketchy...at best...

Strangely enough in my case with basic safety enabled in QuFirewall it has (I believe these settings came standard when enabling QuFirewall) 2 rules on IP range to allow 10.8.0.0/24 and 10.8.0.2, which is OpenVPN...
If I disable OpenVPN in QVPN app, these 2 settings get an exclamation mark next to them, which makes sort of sense since OpenVPN is then disabled, but looking at the other VPN possibillities, so PPTP or QBelt (their own VPN protocol!!) there are no standard rules in the QuFirewall app nor do they get added or removed when you turn on or off these VPN servers in QVPN.

So to get the PPTP VPN connection through the firewall I had to manually add rules for IP range 10.0.0.0/24 and for Qbelt I guess you'd have to manually add 10.6.0.0/24.

Though this also means I still have 2 forwarded ports to my main NAS, which are TCP 1723 for PPTP VPN and TCP 32400 for Plex... Next to that I've done all other things recommended to keep my boxes safe.
Let's just hope (or prey) this is enough (for now...).

It might be worth making a support ticket to see if it is just that the wrong settings were chosen or if you ran into a Bug. I am not sure which it is. But Tech support should be able to verify.

[Bob Zelin]

Hi Daniel -
this has been quite a week (or almost 2 weeks now) -
QuFirewall is amazing - if you want to totally restrict full access to your QNAP. QNAP loves making videos. They should make a little horrible boring video on QuFirewall, and how to use it or configure it - since they
make videos about everything else !

The positive impact that QNAP has made with QuTS, has been negated with QLocker - this has been devastating. QuFirewall is a VERY important program - unlike many of the QNAP "Apps". In my opinion, there should
be a little video on how to properly configure this. And I don't need to tell you - there needs to be the ability to UNINSTALL Multimedia Console !!!

Thanks - and talk soon
Bob Zelin

[Trexx]

QNAP loves making videos. They should make a little horrible boring video on QuFirewall, and how to use it or configure it - since they
make videos about everything else !

Bob Zelin

Since you asked nicely Bob.. just for you

https://live.qnap.com/en/video/show/5758


Sent from my iPad using Tapatalk

[Cbrad01]

Bob, I have moved vpn off of the NAS to the router or a dedicated device depending on the situation.
Completely understand that I can’t tell the customer no, as they will go somewhere else and I loose.
Happy to share any experience with you.


Sent from my iPhone using Tapatalk