Bypass the VPN for SMB access from outside

Hello everyone,
I recently added a NAS to my network, which is at 192.168.11.100, and it uses the default SMB port, 445. The problem is that the router is behind NAT and also connected to an IKEv2 IPsec VPN, and the router doesn’t have a static (public) IP.
So, I want to have access to 192.168.11.100:445 from outside (the internet) without connecting to the same VPN server as the router (access without VPN, bypassing the VPN), and I want to use IP Cloud (DDNS) because the router doesn’t have a static (public) IP and it’s also behind NAT.
I would appreciate any help.

No, do it properly via VPN.
SMB SHOULD NOT be exposed to the internet.

I want to host a few files for some people; that's why I want to give them access, but I don’t want to give them access to my VPN because I run other things on that as well.

Maybe something like this:

/ip cloud set ddns-enabled=yes

/interface list
add name=WAN

/interface list member
add interface=ISP-eth1 list=WAN
add interface=ISP2-eth2 list=WAN

/ip firewall address-list
add address=TRUSTED_REMOTE_NETWORK list=Trusted

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=445 in-interface-list=WAN protocol=tcp src-address-list=\
    Trusted to-addresses=192.168.11.100 to-ports=445

So if you have multiple ISPs, just add them to this:

/interface list member

And of course you need to forward port 445 on the ISP device
to your MikroTik IP (if the MikroTik gets 192.168.0.11 from the ISP, that IP is where you need to forward to).
(If it's fiber, you don't need to; this is enough.)

Thanks man.
Are these settings going to bypass the VPN?
What is src-address-list=Trusted? I don’t know from what addresses users are going to access this.
Yeah, the ISP gave me 192.168.0.104 on their modem.

Router configuration :
gh.rsc (10.2 KB)

Another host for the botnet…

It's going to give very limited access based on username and password, and only for one folder.

There are thousands of free file sharing services on the internet…
You have to share something truly illegal to not want to use them.
If you share them “zipped” with a 100-digit password, no one will decrypt them who does not know the password …

It's not about the actual content. The users have a very limited and slow internet connection from inside that country to the outside, so when they connect with a VPN or other file-sharing services on the internet it's going to be very useless. That's why it's a workaround over there, because the files are large; but if I give them access without VPN, directly to the server which is in the same city as they are, it's going to be super fast and easy for them to connect, because if both sides are using IPs of that country, the ISPs are going to route the connection over something like an intranet, which is very fast.

I have told you to add to the Trusted address list the IPs that are public/private in your remote locations.
So if my house with public IP 20.10.9.8 wants to access that SMB, you add that IP to the address list:

/ip firewall address-list
add address=20.10.9.8 list=Trusted

Are these settings going to bypass the VPN?

This is public access; there is no need for VPN.
The advantage is that you are allowing only IPs from the trusted interface list. The problem is if those remote locations have some CGNAT from the provider; then others will have access too.

The most secure solution is to use some VPN, which is very easy to set up on MikroTik and to use on Windows/Linux.
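As an added example (not posted by anyone in this thread), here is the same dst-nat approach with an explicit forward-chain filter, so that TCP/445 reaches the NAS only from the Trusted list and every other attempt from WAN is logged and dropped. It assumes the WAN interface list and the NAS address 192.168.11.100 from the thread; 203.0.113.10 is a documentation-range placeholder for one trusted remote site. The CGNAT caveat above still applies: a listed public IP that the remote provider shares among its customers admits all of them.

```routeros
# Address list of remote sites allowed to reach the NAS over SMB.
# 203.0.113.10 is a placeholder; replace with the real remote public IP.
/ip firewall address-list
add address=203.0.113.10 list=Trusted comment="remote site A (placeholder)"

# Forward TCP/445 from WAN to the NAS, but only for sources on the Trusted list.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=445 \
    in-interface-list=WAN src-address-list=Trusted \
    to-addresses=192.168.11.100 to-ports=445 comment="SMB to NAS, Trusted only"

# Filter rules: these must sit above any generic "accept dstnated from WAN"
# rule in the forward chain (use place-before=<n> when adding to an existing
# rule set), otherwise the generic rule is matched first.
/ip firewall filter
# Accept the NATed SMB session only when it comes from a Trusted source.
add chain=forward action=accept protocol=tcp dst-address=192.168.11.100 dst-port=445 \
    in-interface-list=WAN src-address-list=Trusted connection-nat-state=dstnat \
    comment="SMB to NAS from Trusted"
# Log, then drop, every other SMB attempt arriving on WAN so scanning is visible.
add chain=forward action=log protocol=tcp dst-port=445 in-interface-list=WAN \
    src-address-list=!Trusted log-prefix="SMB-WAN-DROP"
add chain=forward action=drop protocol=tcp dst-port=445 in-interface-list=WAN \
    src-address-list=!Trusted comment="drop untrusted SMB from WAN"
```

Check the result with `/ip firewall filter print stats` and `/log print where message~"SMB-WAN-DROP"`: the drop counter and log entries show how often the exposed port is being probed from outside the list.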

I don’t know from which IPs they are going to connect to the SMB server. I want it to be open so anyone can connect, and then it will ask for a username and password to access the files.

When the router is connected to the VPN (IKEv2 IPsec), is it possible for it to also act as a VPN server just in order to give them access to the SMB server but nothing else, not even the internet, just SMB?

Uhm… :confused:

The idea is to give that DDNS address to a group of people (~100) in a private Telegram group, with a username and password to connect to the SMB server, and I know they are all located in the same city as the SMB server.

up!

Security concerns aside (I too think that it’s not the greatest idea to expose smb to the world, but it’s your choice), it boils down to whether you have public address or not. It doesn’t have to be static (DDNS takes care of that) and it doesn’t have to be directly on your router, but you must be able to forward port from it to your router. If you can do that, then go for it and enjoy. If not, you’re out of luck. Or am I missing something?

Thanks for your answer.
I forwarded it, and with VPN I was able to connect to it, but without VPN (with DDNS) not at all, and I think it’s because the router is behind NAT and I should have another port forward for that, but I don’t know how and I need help with this part.

If you have problems with classic VPN and NAT, try ZeroTier or Tailscale.

Regards.