It should be so simple.. How can I access my files outside my LAN

[Keyakinan]

Hello! I'm not very good with servers but to just connect (securely) to the internet and use Freenas as a NAS folder for my backups shouldn't be THIS hard..

I have a pool(volume) and I can access it through windows ( great success! ).
Now I ONLY want to access it outside of my LAN so I can make backups every day with all my devices!
I've read SO many things (and understand more and more). But there is always something that just doesn't work for me.

What I use:
- upgraded to 11.2 since yesterday (FreeBSD is 11.1?)
- HP ProLiant Gen 8
- Router that supports port forwarding

Does anyone have a good, and above all SAFE solution/ source so I can finally put this to rest?

Thanks so much in advance!

 

[Chris Moore]

What are you trying to backup that is not on your own home network?

Sent from my SAMSUNG-SGH-I537 using Tapatalk

 

[Keyakinan]

What are you trying to backup that is not on your own home network?

Sent from my SAMSUNG-SGH-I537 using Tapatalk

My NAS is at my mother's house. So she can backup there. My laptop, mobile, pc are not there ( because I don't live there).

 

[kdragon75]

Use a VPN tunnel. That or portforward SMB to the NAS and get hacked.

 

[danb35]

shouldn't be THIS hard

Why shouldn't it be hard? What you're asking for is fundamentally hard. Exposing any portion of your network to the Internet is a risk. There are lots of bad actors out there, and they have lots of tools at their disposal. If you do not take reasonable steps to secure yourself, your network is likely to be attacked, and used as an attack vector to other networks.

The best answer is probably a VPN connection. To do that right, your mother probably needs a different router, one that's capable of acting as a VPN server.

 

[Chris Moore]

This router has VPN capability:
https://www.newegg.com/Product/Product.aspx?Item=9SIA8N25XX7941
You could put one at your place, one at her place, establish a tunnel between the two, then the two networks would behave as if they are one network. You would be able to access the NAS as if it were local to you except that the data rate will be limited by your internet speed.

 

[Keyakinan]

Why shouldn't it be hard? What you're asking for is fundamentally hard. Exposing any portion of your network to the Internet is a risk. There are lots of bad actors out there, and they have lots of tools at their disposal. If you do not take reasonable steps to secure yourself, your network is likely to be attacked, and used as an attack vector to other networks.

The best answer is probably a VPN connection. To do that right, your mother probably needs a different router, one that's capable of acting as a VPN server.

I know my router at my own home is capable of doing that. So I guess maybe I can switch routers and then make it to work ( the server is better placed at my mothers house).

This router has VPN cpability:
https://www.newegg.com/Product/Product.aspx?Item=9SIA8N25XX7941
You caould put one at your place, one at her place, establish a tunnel between the two, then the two networks would behave as if they are one network. You would be able to access the NAS as if it were local to you except that the data rate will be limited by your internet speed.

Thanks! It seems I should look further into that! I Already have a router that can do that, do I still need 2 routers to make it work?
Also with this solution only on 2 places I will be able to reach the NAS right?

 

[kdragon75]

Network like a boss: https://www.netgate.com/solutions/pfsense/sg-3100.html. Just know you will need separate WIFI

 

[danb35]

Network like a boss:

Yeah, something like pfSense, OPNSense, etc. is probably the best answer, but probably a bit complicated for a n00b.

 

[Chris Moore]

Thanks! It seems I should look further into that! I Already have a router that can do that, do I still need 2 routers to make it work?

Not all routers that support VPN are actually able to establish a LAN-to-LAN tunnel. My router is not able to do it even though it supports connecting to a single, paid, VPN service that is intended to anonymize my internet browsing. The thing you want to do is a bit special and I would say that most routers don't support it.

Also with this solution only on 2 places I will be able to reach the NAS right?

I am not sure what you are asking. You will need to configure the two routers to work in concert with one another, for example, you will have your router serving one pool of DHCP addresses and her router on a different range or you will end up with IP conflicts. It isn't a simple thing to configure and if you want it to work well, you need the right hardware.

 

[Chris Moore]

Network like a boss: https://www.netgate.com/solutions/pfsense/sg-3100.html. Just know you will need separate WIFI

I only used pFsense for about a year, but I don't remember it having a feature for LAN-to-LAN tunneling.

 

[danb35]

I don't remember it having a feature for LAN-to-LAN tunneling.

https://www.netgate.com/docs/pfsens...-a-site-to-site-pki-ssl-openvpn-instance.html
https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html

 

[kdragon75]

It has a full strongswan and openvpn setup. site to site, site to multisite, etc... And when 2.4.4 drops, full routed IPSec!

 

[Keyakinan]

Network like a boss: https://www.netgate.com/solutions/pfsense/sg-3100.html. Just know you will need separate WIFI

Thats a tad too expensive :p

I have a https://tweakers.net/pricewatch/313228/asus-rt-ac66u-zwart.html at home I think for vpn server that is enough ( but i think i need 2 routers that support vpn tunneling)

 

[kdragon75]

I think Asus supports a VPN server and client. Also has the wifi built in.

 

[Turgin]

You'll also need to be concerned with the public IP for at least one of the sites (probably both). A site to site VPN pretty much depends on at least one side knowing the IP of the other to initiate the tunnel. Static addressing on both ends is preferrable. You don't mention what type of internet service you have at your or your mother's house but I suspect they use public DHCP addresses which will break your tunnel when/if the public IP changes.

You may be able to use a public DDNS service like namecheap or something and then use a DDNS client on your firewalls to keep that updated as your public IP changes.

I concur with everyone else that this isn't a simple thing to do if you want it reasonably secure.

 

[Keyakinan]

It's DHCP at my mother's, at my own house(read: dorm room) its prob static but I'm not even sure! Now I think of it, they provide internet for about 1100 students, every room their own router. I wonder how they do it!

I know it isn't easy, but that's the whole point. If there was a good step by step tutorial or some easier documentation that was easy to follow newbies like me would be much more secure. Of course there is no "one" best way but there must be some prefered way (like VPN as I read here!).

 

[kdragon75]

If each dorm room has its own router, I would be surprised if you all had public WAN IPs. But I cant say as my old school had public IPs on EVERYTHING. For some reason they have a class 2 public network...

 

[Redcoat]

A quick search for VPN on the forums here showed 3,616 hits, lots of them with your questions(s) and some answers. If I were you I read some of them to become somewhat familiar with the topic and then go talk to the admin for your dorm's network. I'll bet he'll have some ready made answers for you - they might even be polite and helpful if it is clear that you've done some homework...

 

[icsy7867]

It is really a question about what you are comfortable with and your technical expertise level. managing and setting up an openvpn tunnel and managing the routes from your place to another might not be the easiest thing in the world.

Backups can be handled in many different ways. You could setup a nextcloud server and backup to that.

Another solution may be a third party backup solutions. Something like:
https://www.urbackup.org/
or
https://burp.grke.org/
or
https://www.duplicati.com/

And potentially opening a single service port. Crashplan use to have a server you could install to run your own backups, but i think they might have discontinued this. But if you are just looking at performing backups, running one of these backup applications might be the easiest way to go.

I am assuming your mother's house has a dedicated public IPv4 address? I am in an unfortunate situation where I do not have a public IPv4 address on my WAN and I have to use ipv6 addresses. Hopefully you are not in this boat.