Forwarding port 443 to my NAS?

jramskov · January 25, 2017, 11:31am

Hi.

I have a Synology NAS which I use as a photo station. I have made port forwardings (using the LUCI interface) of port 80 and port 443 to the NAS. I can access the photostation on my NAS remotely through HTTP, but not HTTPS.

A friend suggested the cause could be httpd on the router using port 443? How do I change that? I don’t need to access my Turris router from the WAN side.

radekpribyl · January 25, 2017, 1:07pm

Do you have troubles with forwarding from WAN or from within LAN?

jramskov · January 25, 2017, 2:15pm

It’s from WAN to LAN. I have port forwarded other ports. Port 5001 is used to access the webinterface of my NAS through HTTPS (https://url:5001). That works fine. The photo station is https://url/photo. It works on my local network, but not from an external IP.

I used an ASUS router before and I tried to re-create the same port forwards I had on the ASUS router. As mentioned above, the other port forwards I’ve created seem to work.

Maxmilian_Picmaus · January 25, 2017, 2:40pm

So you need to make portforward rule from some of yours randomly picked port 123456 (wan) to 5001(lan) and open correspond port on firewall. That should work for http, if you want https you have to take care for 443 port as well.

Generally, having NAS accessible this way is a bit dangerous for me. Opening it to world means you have real trust in that device.

update: and yes 443port on wan might be used by honey/minipot processes (check Foris/DataCollection what you have enabled and what ports are occupied by that) … so as example 22 is open on wan, but it is honeypot in fact, meanwhile same port from lan is your router sshd ; as 443 is generic for tls-https it might be the case you are feeding your own honeypot trying to access it.

jramskov · January 25, 2017, 3:54pm

Maxmilian_Picmaus:

So you need to make portforward rule from some of yours randomly picked port 123456 (wan) to 5001(lan) and open correspond port on firewall. That should work for http, if you want https you have to take care for 443 port as well.[/quote]

To be more accurate, I have port 5000 and 5001 open for the NAS administration interface. Port 5000 is for HTTP and 5001 is for HTTPS. The NAS is configured to automatically redirect HTTP to HTTPS.

Generally, having NAS accessible this way is a bit dangerous for me. Opening it to world means you have real trust in that device.

I agree, but if I want to provide access to the photo station on the NAS remotely (from their iPad apps and on the web), I don’t see any other ways?

[quote]update: and yes 443port on wan might be used by honey/minipot processes (check Foris/DataCollection what you have enabled and what ports are occupied by that) … so as example 22 is open on wan, but it is honeypot in fact, meanwhile same port from lan is your router sshd ; as 443 is generic for tls-https it might be the case you are feeding your own honeypot trying to access it.

I do have data collection enabled, but from what I understand it shouldn’t make a difference:
“One of uCollect’s features is emulation of some commonly abused services. If this function is enabled, uCollect is listening for incoming connection attempts to these services. Enabling of the emulated services has no effect if another service is already listening on its default port (port numbers are listed below).”

However, it only mention HTTP (port 80), not HTTPS (port 443). I have just disabled it just to make sure it didn’t make a difference and it didn’t.

radekpribyl · January 25, 2017, 4:37pm

Can you pls post the configuration of the port forwarding / redirection?

The lighttpd server for Foris/Luci shouldn’t conflict as it shouldn’t expose the ports on wan interface. To be on the safe side you may try to rename file /etc/lighttpd/conf.d/sss-enalble.conf to e.g. ss-enable.old (it shouldn’t end with .conf) and then restart lighttpd.

Maxmilian_Picmaus · January 25, 2017, 4:47pm

It depends what actually ‘provide access’ means (read,write,edit …sync?) and what ‘app’ is used and what protocol is behind. I have minidlna, vsftpd, ircd,transmission, samba services accesible via openvpn on my TO and all services read data from several devices or containers. There is no central NAS. On a side i have Plex.tv as another server with remote access enabled (paid per device) just to test it (like own netflix :D).

Update: Maybe you can make Plex.tv running on your NAS : NAS Compatibility List | Plex Support

jramskov · January 25, 2017, 5:50pm

Here’s the configuration:

jramskov · January 25, 2017, 5:53pm

The photostation service is a website/webservice running on the NAS.

Maxmilian_Picmaus · January 25, 2017, 6:25pm

So basically webserver serving each user its own library of pictures and some public/shared ones. And i assume you are using (and want to use) user management on that NAS to handle users-vs-rights. Making that same on TO is too much effort, so now i understand your approach.

radekpribyl · January 25, 2017, 11:20pm

That seems correct. Can you try to run something like curl --head -k https://192.168.1.1 where instead of the ip address put your https://url/photo curl should show you http header and you might get at least indication of which server is responding. E.g. outcome of the command on my TO is:

HTTP/1.1 200 OK
X-Frame-Options: DENY
Content-Length: 2142
Content-Type: text/html; charset=UTF-8
Set-cookie: beaker.session.id=4cf32eb51dbc4a9c871e9fb49a04f3f9; httponly; Path=/
Date: Wed, 25 Jan 2017 23:14:16 GMT
Server: lighttpd/1.4.42

And you can see that the response came from lighttpd/1.4.42 server. At least some indication.

jramskov · January 26, 2017, 8:03am

Test done from a remote IP:
curl: (7) Failed to connect to my.url/photo/ port 443: Connection refused

However, if I test the webadministration interface that I’ve got on port 5001 I get:
HTTP/1.1 301 Moved Permanently
Date: Thu, 26 Jan 2017 07:57:51 GMT
Server: Apache
Cache-control: no-store
Location: https://my.url:5001/webman/index.cgi
Content-Type: text/plain

Test done from a internal IP:
HTTP/1.1 301 Moved Permanently
Date: Thu, 26 Jan 2017 08:00:58 GMT
Server: Apache
Location: https://my.url/photo/
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

The port is blocked, but why?

radekpribyl · January 26, 2017, 9:04am

It might be a stupid question but as it is not obvious from the screenshot I ask - do you have the rule for 443 enabled? Also I assume that it worked for you with old router and therefore your ISP is not blocking it, right?

jramskov · January 26, 2017, 9:08am

Yes, it’s marked as enabled in the LUCI interface. I expect I can check it through the command line somehow as well?

Yes, it worked with my previous router.

radekpribyl · January 26, 2017, 9:13am

try to run iptables -t nat -L | grep HTTPS and post the result

jramskov · January 26, 2017, 9:19am

SNAT tcp – 192.168.1.0/24 192.168.1.150 tcp dpt:https /* HTTPS (reflection) / to:192.168.1.1
SNAT udp – 192.168.1.0/24 192.168.1.150 udp dpt:https / HTTPS (reflection) / to:192.168.1.1
DNAT tcp – 192.168.1.0/24 dhcp-5-186-71-60.ip.fibianet.dk / HTTPS (reflection) / to:192.168.1.150:443
DNAT udp – 192.168.1.0/24 dhcp-5-186-71-60.ip.fibianet.dk / HTTPS (reflection) / to:192.168.1.150:443
DNAT tcp – anywhere anywhere tcp spt:https / HTTPS / to:192.168.1.150:443
DNAT udp – anywhere anywhere udp spt:https / HTTPS */ to:192.168.1.150:443

radekpribyl · January 26, 2017, 9:29am

I see one difference against my entries for the middle ones:

DNAT tcp -- 192.168.1.0/24 dhcp-5-186-71-60.ip.fibianet.dk /* HTTPS (reflection) */ to:192.168.1.150:443
DNAT udp -- 192.168.1.0/24 dhcp-5-186-71-60.ip.fibianet.dk /* HTTPS (reflection) */ to:192.168.1.150:443

I’m missing tcp (or udp) dpt:https when comparing with my setup.

could you check the entry in /etc/config/firewall file? My looks like:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'dmz'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.1.130'
        option dest_port '443'
        option name 'HTTPS to DMZ'

jramskov · January 26, 2017, 9:36am

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option dest_ip '192.168.1.150'
option name 'HTTPS'
option src_port '443'
option dest_port '443'

radekpribyl · January 26, 2017, 9:42am

I’m running out of ideas - last one would be to delete the rule, restart the firewall, create the rule again and restart the firewall once again. It looks to be configured properly to me.

radekpribyl · January 26, 2017, 12:41pm

The port 443 is indeed not opened to WAN. I tried to scan your IP and this is the result:

Starting Nmap 7.12 ( https://nmap.org ) at 2017-01-26 11:52 CET
Nmap scan report for dhcp-5-186-71-60.ip.fibianet.dk (5.186.71.60)
Host is up (0.042s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
445/tcp  filtered microsoft-ds
873/tcp  open     rsync
4242/tcp open     vrml-multi-use
5000/tcp open     upnp
5001/tcp open     commplex-link

Interesting are the ports 25 & 445 as they are not listed on your screenshot above. Did you allow them somewhere else?