Port Forwarding question

Hello all. I’m new to this and I have a question: I have a FreeNAS install on a garage server. In that install I have SSH on, allowing password authentication, and set to port 8080. I’ve port forwarded 8080 to the IP for my FreeNAS on my modem. I also set up a firewall rule on the modem to allow in and out on port 8080. I can SSH into FreeNAS from my local computer using PuTTY. But if I use a remote computer and try using the IP of my modem (checked at whatismyip.com) with :8080 appended, I get nothing.

So, what am I doing wrong?

Did you create a NAT for this? Also, it is NOT a good idea to allow access to internal systems such as your NAS via a NAT/ACL. I highly recommend you set up a remote access VPN (with MFA) and then access your NAS that way.

In my modem configuration NAT has two choices: enabled or disabled. There doesn’t appear to be anything to “set up.” I’ve been looking at VPNs but I’m massively cheap and doing this mostly just for access to home files. Are there decent free options available that have a good setup guide?

Use OpenVPN on a pfSense. That would be free. If you put your modem in bridge mode, then you can pass all traffic to the pfSense on its outside interface.

I hope this doesn’t turn out to be as dumb as it might be, but my FreeNAS server connects to my home network through a wireless access point. Would that make a difference in the port forwarding on the modem? In other words, do I need to forward the modem to the access point and the access point to the server? Thanks in advance for not eye-rolling or face-palming too hard.

Well, yep, I can save you all the trouble of telling me that. It is exactly that dumb. I went and got a long Cat5, plugged my server directly into my modem, and “poof!” connected straight through. Now all I have to do is figure out how to get through my access point. My wife is not overly fond of a cable running through 3 rooms of the house.

Generally any NAS solution would be on a wired network. I wouldn’t look to put it on a wireless network. But to answer your question, no it shouldn’t make a difference because at the end of the day it has an IP on a network. You will need to NAT your WAN interface to the port/IP of your NAS to get external access working. Again though, I HIGHLY recommend that you limit the public IPs that can access your NAS.

I swapped out the extender in the garage with another one I had and now everything works. I can remotely SSH or access NextCloud via web browser. Now I know this is incredibly insecure so I guess that’s my next question. You mentioned pfSense and OpenVPN. I looked at the pfSense website and honestly couldn’t tell what I needed. Are there some good guides out there for the technically challenged? And do you have other security recommendations that might be a bit more user friendly for the install? Thanks again for all your help.

Personally I run virtual instances of pfSense, but there are many hardware options as well. You should be able to go through the threads on this forum for those details. Once you get pfSense running as your firewall, then you can add OpenVPN as your remote access VPN solution on it. This would probably be the easiest setup for an in home install. If you have a virtual server or platform, you could spin up a VM and install pfSense on it. Then all you need to do is segment out your interfaces to different VLANs in the hypervisor and switch.

Just to reiterate – I would definitely hesitate to make FreeNAS available to the world. It’s protected only by a name and password. You could set up a VPN, which is definitely a possibility; however, I’ve always had bad luck with OpenVPN, but it’s probably something I’m doing wrong, in all honesty.

Another option, although probably not as secure, would be to put an SSL terminating proxy in front of pfSense (like nginx), get yourself some SSL certs to install on the reverse proxy, and then stick in some two-factor authentication portal such as Authelia (https://github.com/authelia/authelia) that would require a name/password with a two-factor authentication mechanism (Google Authenticator, YubiKey, Duo Push).

In all honesty I’m not sure about your modem; however, don’t you have a router plugged into the modem – either wired or wireless?

Yeah, I definitely don’t want to leave it open. I just wanted to get it working first. I’m basically learning everything as I go so it’s pretty rough sledding. My modem has a built-in router. My problem with port forwarding turned out to be my extender rather than my modem. Once I switched it out with a Netgear and could define IP, sub and gateway everything went right through.

So here’s my challenge: When you say, “put an SSL terminating proxy in front of pfsense” I might as well be reading Swahili. And I understand that not everyone’s inclined to share expertise for free. I get paid for mine as well. But could you either free-share or point me in the direction of docs that would spell that out to the nth degree? And thanks in advance for the help so far.

OK – SSL terminating proxy.

Let’s start with just thinking of a server. Your house/modem has one external IP address. But say you want to run multiple “servers” made available to the public. Each to the outside world has the same IP address. So the reverse proxy acts to “take the incoming traffic” and forward it to the appropriate internal server based on packet headers.

Another function of a reverse proxy is SSL management – specifically SSL termination. Say your “internal server” really can’t do SSL encryption or has SSL capabilities (which is common in many web applications). So in this case you stick a reverse proxy in front of it with the SSL certs installed on the reverse proxy. The client from the outside world has encrypted communication up to the reverse proxy. The proxy then forwards the connection to the backend server unencrypted. The reverse proxy “terminates the SSL connection”.

So what I was talking about was installing an SSL terminating proxy – which for your backend server would first forward the connection through an authentication gateway. The gateway I was speaking about is known as Authelia (however, there are other similar applications). If you authenticate successfully, the gateway will then forward the connection to the backend. The most simple form of authentication using the reverse proxy could be the use of .htaccess files, which are simply a name and password (which is one-factor authentication). pfSense by itself kind of has one-factor authentication since it requires a name and password to log into the GUI interface. Typically, however, you don’t need to access the FreeNAS GUI externally – it’s the FreeNAS jails, VMs or applications (which run in a jail) I’m guessing you need access to. So it’s possible you could actually reverse proxy to the actual application on FreeNAS rather than just FreeNAS itself.

It just kind of depends what you want to do. I’m guessing most people wouldn’t serve any applications on FreeNAS that would be accessible from the WAN. They would probably do more isolation. VPNs are one method of isolation since you are creating a virtual private network with FreeNAS only available on the private network. Others would have their external servers within a “DMZ”. It’s just how far you want to take your security.
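The setup described in the post above, written out as an nginx configuration. This is an added example, not part of the original thread: the hostnames, LAN addresses, ports and file paths are placeholders, and the name/password gate is the one-factor form the post mentions (nginx uses an htpasswd file rather than .htaccess).

```nginx
# Added example. Placeholders: cloud.example.net, files.example.net,
# 192.168.1.50/.51, and every path under /etc/nginx/.
# These server blocks belong inside the http { } block.

# Port 80 only redirects, so a password is never sent in clear text.
server {
    listen 80;
    server_name cloud.example.net files.example.net;
    return 301 https://$host$request_uri;
}

# Catch-all: a client that connects by bare IP or an unknown name is
# refused during the TLS handshake (nginx 1.19.4 or later).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# One external IP, several internal servers: the block is chosen by the
# hostname the client asked for.
server {
    listen 443 ssl;
    server_name cloud.example.net;

    # The certificate lives on the proxy: TLS ends ("terminates") here.
    ssl_certificate     /etc/nginx/tls/cloud.example.net.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/cloud.example.net.key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # One-factor gate (name and password) checked before anything is forwarded.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;

    location / {
        proxy_pass http://192.168.1.50:8080;    # backend on the LAN, unencrypted
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name files.example.net;
    ssl_certificate     /etc/nginx/tls/files.example.net.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/files.example.net.key.pem;
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;
    location / { proxy_pass http://192.168.1.51:8000; }
}
```

With this in place only ports 80 and 443 need to be forwarded to the proxy host; the backends stay unreachable from the WAN.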

Thank you. That gives me a lot to work with. As of now I’m at least using two-factor authentication on the NextCloud sign in. I’ll parse through the rest as time allows. Again, thanks for the time.

Another good reason for remote access VPNs is that they are very mature and offer more security features such as MFA and NAC. Of course this depends on vendor too…