MyCloud.Zyxel can't detect my NSA325-v2

All Replies

  • Tomalamix
    Tomalamix Posts: 56  Ally Member
    edited November 2021
    Hello again,

    After struggling hard with the router, I think it's not capable of port translation. Support for it is very limited since the hardware is provided by my ISP and the loaded firmware is also made by them. So, after all, I couldn't access the router because this does not work for this router; I'm using straight 443 -> 443 and 21 -> 21 forwards.

    I've created some technical tickets in the customer support area but I got stuck with people asking why I want to translate the port to another target. I've quit on this front for now until I have more patience.

    Now, about my NAS being exposed to the whole web, can I disable the admin account from exterior access? I'm very reluctant to leave the hardware "available" to all the world. So for now I've created a dedicated user with access only to 2 or 3 paths, just enough to do what I want. The goal here is clear: everything I want to configure must be done within my home walls, avoiding any dangerous access to administer my unit.

    Another question: is there a way to access the paths directly when I'm outside home, in an environment similar to the one we usually use with Windows Explorer, navigating some internal network location paths like it's our local HDD?

    Thanks!
  • Mijzelf
    Mijzelf Posts: 2,788  Guru Member
    OK, a few things. My Tweaks package gives you the possibility to change the IP address where the https service runs. It also has some tweaks for FTP, but not changing ports, as far as I remember, so I think the firmware web interface has that option, as it would have been an easy tweak.

    > is there a way to access the paths directly when I'm outside home in an environment similar to the one we usually use with Windows Explorer, navigating in some internal network location paths like its our local HDD ?

    For FTP you can use Explorer itself, at least it could when I last used Windows. (Which is some time ago).
    You can have a look at WinSCP, which can utilize an SSH connection. Problem with this is that the data will be sent encrypted, which is quite a burden for the NAS' CPU. You shouldn't expect more than 1.5~2MB/sec.
    You could use the same SSH connection to tunnel the web interface through a SOCKS proxy.

  • Tomalamix
    Tomalamix Posts: 56  Ally Member
    When you say "change the IP address where the https service runs" you mean port instead of IP address, right? I've found that tweak, I think I will use it to choose some other less obvious port number.

    About the SSH connection, it's OK, the files are small enough to work with, although this is not valid for video if I want to watch something, I have to think about it. I'm not that good with networks so I have to ask: is SSH valid for both HTTPS and FTP, or just for FTP because HTTPS already does that for HTTP?

    Can I disable the admin/root accounts for connections from WAN? To be safer to have the server exposed to the WAN
  • Mijzelf
    Mijzelf Posts: 2,788  Guru Member
    Tomalamix said:
    > When you say "change the IP address where the https service runs" you mean port instead of IP address, right?

    Yes, right.

    > About the SSH connection, it's OK, the files are small enough to work with, although this is not valid for video if I want to watch something,

    You'll have to try. 1MB/sec is more than enough for video. Think about it. 1MB/sec for 90 minutes is 5.5GB. I don't think your movie files are that big. But I don't know if SFTP (which is the actual protocol used) performs well in streaming.

    > the SSH is valid for both HTTPs and FTP or just for FTP because HTTPs already does that for HTTP ?

    I'm not sure what you mean. Your SSH server also supports SFTP (or SCP, on older implementations), which is a file transfer protocol just like FTP, but otherwise has nothing to do with it. Further, SSH supports tunneling, which gives the opportunity to tunnel HTTP (or HTTPS, but if I had the choice I would use HTTP, as the S is already provided by SSH, no need for double encryption). You can also tunnel FTP, but that is less convenient, as you need to create a tunnel for each port, the command port and all data ports.
    While the S in SSH and HTTPS means about the same, there is one big difference between HTTPS and HTTP over SSH: for SSH you'll have to log in. Which adds an extra layer of protection. To get access to the web interface you'll have to log in on SSH to create the tunnel.

    > Can i disable the admin/root accounts for connections from WAN ? To be safer to have the server exposed to the WAN

    Not that I'm aware of.
  • Tomalamix
    Tomalamix Posts: 56  Ally Member
    edited December 2023

    Hello Mijzelf,

    So, I got back to this, after a looonng time. eheh!

    The web interface is working. I managed to do the port translation using another router: my ISP provided me with an older hardware version and now I can do it, so I connect from the exterior to HTTPS 8443 and here in my LAN that is converted to 443 to my NSA325-2 IP in the LAN. All works smoothly.

    I quit the FTP at the time because I wasn't able to open that pool of data ports (I tested 5000-5050), but now I can do that port forwarding. Still, something is messed up and I really don't know what it is.

    What I'm trying to do is to connect from the exterior to FTP 821 and here in my LAN that is converted to 21 to my NSA325-2 IP in the LAN, and this is working since I can put in my login and password, but afterwards two things happen:

    1 - This error shows up ALWAYS and I can't get out of this loop:

    Status:  Resolving address of mydns.serverip.de
    Status:  Connecting to XXX.XXXX.XXX.XXXX:821...
    Status:  Connection established, waiting for welcome message...
    Status:  Initializing TLS...
    Status:  TLS connection established.
    Status:  Logged in
    Status:  Retrieving directory listing...
    Status:  Server sent passive reply with unroutable address. Using server address instead.
    Command: MLSD
    Error:   The data connection could not be established: ECONNREFUSED - Connection refused by server

    I've read about this error and it is related somehow to that port forward I need to do, but it is not working; I think I am not doing it properly. Are those TCP ports? UDP? Other? I don't know.

    2 - After trying this FTP connection a few times the NSA325-v2 becomes unresponsive and I need to hard reset it. I can't access it remotely to do it, I need to press the button.

    Thank you again!

  • Mijzelf
    Mijzelf Posts: 2,788  Guru Member

    That log shows the client cannot access the data port which is assigned by the server for that data transfer. So either you failed in configuring a limited block of data ports in the server, or you didn't forward that block in your router, or the router is faulty. They are TCP ports.

    > the NSA325-v2 becomes unresponsive

    I have no explanation for that. Unless the FTP server keeps open the data ports when accessing fails, runs out of data ports, and does something nasty.

    You could investigate that by having an ssh shell open, and run

    netstat -ltp
    

    Before, after and between each FTP connect attempt. It shows all listening ports.
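
The snapshot comparison suggested in the post above can be automated. This is an added example, not code from the thread: it assumes numeric ports in the output (netstat's `-n` flag), the 5000-5100 passive range mentioned in the thread, and constructed snapshots with a placeholder `ftpd` program name; the function names are hypothetical.

```python
import re

PASV_RANGE = range(5000, 5101)  # passive data-port range set on the NAS (5000-5100)

# Local port and owning program of a TCP LISTEN row; numeric ports assumed.
LISTEN_RE = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s*(\S*)")

def listening_ports(snapshot):
    """Return {port: program} for every TCP listener in one netstat snapshot."""
    ports = {}
    for line in snapshot.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(2) or "-"
    return ports

def range_usage(snapshots, port_range=PASV_RANGE):
    """Number of listeners inside the passive range, one count per snapshot."""
    return [sum(1 for p in listening_ports(s) if p in port_range)
            for s in snapshots]

def leaked_data_ports(snapshots, port_range=PASV_RANGE):
    """Passive-range ports absent from the first snapshot but still
    listening in the last one, i.e. opened for a transfer and never closed."""
    baseline = listening_ports(snapshots[0])
    final = listening_ports(snapshots[-1])
    return sorted(p for p in final if p in port_range and p not in baseline)

# Constructed snapshots: before any attempt, then after two failed attempts.
BEFORE = """\
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp   0      0      0.0.0.0:21     0.0.0.0:*        LISTEN  1201/ftpd
tcp   0      0      0.0.0.0:22     0.0.0.0:*        LISTEN  988/sshd
"""
AFTER_1 = BEFORE + "tcp   0   0   0.0.0.0:5003   0.0.0.0:*   LISTEN  1201/ftpd\n"
AFTER_2 = AFTER_1 + "tcp   0   0   0.0.0.0:5017   0.0.0.0:*   LISTEN  1201/ftpd\n"

if __name__ == "__main__":
    shots = [BEFORE, AFTER_1, AFTER_2]
    print("listeners in range per snapshot:", range_usage(shots))
    print("still open after last attempt:", leaked_data_ports(shots))
```

A count that rises with every failed attempt and never drops back matches the explanation offered in the post: data ports left listening until the range is exhausted.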

  • Tomalamix
    Tomalamix Posts: 56  Ally Member

    So, in the server, in the FTP page configuration I set ports 5000 to 5100.

    Then I went to the router and I forwarded incoming connections on those ports to go to ports 5000 to 5100 on the NAS IP, on the same ports - I believe that this should work since other port forward settings are working, including the one that translates 821 to the internal 21 on the NAS IP.

    I am trying to access the FTP from another PC that is behind a router too. Do you think that this 2nd router, where I'm trying to access from, can block connections from being established on those ports so that I can't connect? If yes, how should I set the router? To forward the same ports to the computer with the FTP app installed?

    Thanks

  • Mijzelf
    Mijzelf Posts: 2,788  Guru Member

    > Do you think that this 2nd router, where I'm trying to access, can block connections to be established on those ports and I can't connect?

    Yes. Any router running a firewall can block any port/ip address/… . But it's not very common for outgoing connections. Only the router with incoming connections (the one in front of your NAS) should need a special setup, which you already did.

    You can test if the ports are properly forwarded by having something listen on one of the ports, and seeing if you can connect. (Or do an open port detection, with Shields Up!)

    You can let telnetd listen with

    telnetd -p <port>
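
Before testing individual ports it helps to know which data port the server actually handed out. The following added example (not code from the thread) decodes a passive-mode reply copied from the FTP client's debug log and checks it against the forwarded range; the reply lines are constructed, the 5000-5100 range is the one from the thread, and the function names are hypothetical.

```python
import ipaddress
import re

FORWARDED = range(5000, 5101)  # block forwarded on the router in the thread

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: 229 ... (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def parse_passive_reply(line):
    """Return (host or None, port) from a 227 or 229 reply line."""
    m = PASV_RE.match(line)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("octet out of range in PASV reply")
        host = ".".join(str(n) for n in nums[:4])
        return host, nums[4] * 256 + nums[5]  # port = p1*256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))  # EPSV carries no address
    raise ValueError("not a passive-mode reply")

def diagnose(line, forwarded=FORWARDED):
    """Return (host, port, findings) for one passive reply."""
    host, port = parse_passive_reply(line)
    findings = []
    if host is not None and ipaddress.ip_address(host).is_private:
        # The client cannot reach this from outside and must reuse the
        # control-connection address, as the client log in the thread shows.
        findings.append("unroutable-address")
    if port not in forwarded:
        # The router has no forward for this port, so the connection fails.
        findings.append("port-not-forwarded")
    return host, port, findings

# Constructed reply lines, as they would appear in a client debug log.
SAMPLES = [
    "227 Entering Passive Mode (192,168,1,50,19,141)",
    "227 Entering Passive Mode (192,168,1,50,195,80)",
    "229 Entering Extended Passive Mode (|||5100|)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", diagnose(s))
```

A reply whose port falls inside the forwarded block but still ends in a refused connection points at the router rather than the NAS configuration.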
    

  • Tomalamix
    Tomalamix Posts: 56  Ally Member

    Hello Mijzelf,

    Good 2024 to you and family!

    So, back to business. The port forward is there but this router, I don't know why, required me to open ports in another menu. I don't know why this is necessary, since if I want them forwarded it is because I need those.

    Well, after all that is done, Shields Up! made the difference at the moment of testing because it saved me a lot of time switching PCs to test the connection from another PC with an IP external to my home network.

    Now all is fine! Thank you for pointing me in the right direction! Now I will follow your tips on my other post about the VPN server running on this NAS.
