Set up external access to NAS.

[jsgossett]

Hello, I would like to try to set up external access to my DS418. My set up is like this:

I have an AT&T gateway/router (Pace 5268AC) on which I think I can set up in bridge mode (AT&T calls DMZ+) to allow my ASUS to have control. I would then have to set up port forwarding on it for the NAS, which is another challenge I'm struggling to understand just yet but will tackle next. My initial question is concerning the fact that I have a wired network switch that is in between the ISP router and my ASUS. That switch feeds other devices like my Living Room TV, cameras, etc., and a Google Wifi that acts as an extender on the other side of the house. If I bridge the ISP router, does that put those devices at risk? My ASUS is in another room ("office") where the NAS also resides. Should I move the ASUS so that it is right after the ISP router so that it protects everything else while the ISP router is in bridge mode? I hesitate to do that because the office is a more preferable location for getting the wireless signal around the house, and it's not in my bedroom, but I'll do what I have to do.
Thank you for any advice you can offer.

 

[EAZ1964]

From security perspective : setting the at&t in bridge mode is a very bad idea as it exposes your network.
I’d set the asus in bridge mode, your AT&T will take care for dhcp.

 

[Rusty]

Should I move the ASUS so that it is right after the ISP router so that it protects everything else while the ISP router is in bridge mode?

It will be fine the way you have it right now. The communication will still hit your router(s) before going out to the internet due to network configuration. It doesn't matter that your switch is there (its just splitting your single LAN port to multiple ones).

Regarding your configuration, maybe if bridge is not an option you can use that DMZ+ method that will essentially expose your Asus router as the main device that will need FW rules, port forward rules etc. It should work in this configuration, and again, you will handle all needed on the Asus device, while all your lan devices will run through it towards the net regardless if they are "before" or "after" the switch.

 

[OldAviator]

Just download Tailscale from the package center and give it a try. No open ports, no port forwarding, no DDNS, no network configuration at all. It is stunningly good and free. It is worth the 15 minutes it will take to try.

 

[LCNX]

I would recommend to invest in a decent firewall. What is provided as a standard by providers, is regarding security mostly useless and certainly not sufficient to manage external access in a reliable manner. Even in a home environment an investment like this is no longer a luxury, but a mere requirement. Opening private NAS data over VPN will result in significant risks that you can't even monitor. Once a firewall is in place, all of the configuration needs to happen in this device, not on your NAS. Evidently the latter needs to have the two-factor authentication deployed as an additional security layer. I based my own configuration on Ubiquity hardware which is even regarding investment quite affordable.