Connection of NAS ONLY to Hetzner Storage Box from my network

Hello community,

I would like to enable internet connectivity from and to my NAS device from my local network in order to enable daily backup via rsync to the Hetzner Storage box.

Is there a way of not exposing my NAS to a ‘general internet’ to increase security? FW entries?

Tx for any help

Korg

Hi,

If you have a SOHO device with default configuration and your NAS is the originator of the rsync connection to the cloud storage, then there is no need to bother. The default configuration blocks external traffic pretty well.

Tx for your answer, but… to do this, I need to enable NAS to have a connection to the internet, resp. NAS would be exposed on the internet. So, I am looking for the ‘solution’ on the MT to ‘allow’ only the Hetzner Storage box to access the NAS. All other connections from outside (hackers, ….) should be dropped.

If the Storage box has its own IP address, you can filter on that. Not completely secure, but better than making it available to the whole world. Alternatively there might be an option to create a tunnel between the Storage box and the NAS. But I'm not familiar with the Hetzner solution. Have you asked Hetzner about secure options for this?

The idea is that if the connection is started from within the LAN it can cross (outwards) the firewall and - since the connection is "established", also the return traffic of that connection (and only the return traffic of that connection) can cross back (inwards) the firewall.
Any attempt to initiate the connection from WAN is instead dropped.

To make the backup you run rsync to the Hetzner account on port 23 and supply your username and password; the connection is initiated by you, not from outside.

The default firewall drops anything coming from WAN, unless it is the return traffic for an already established connection.
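The established/related logic described in this reply, written out as a RouterOS forward-chain filter set (an added example, not from the original thread and not a MikroTik default export). It assumes the NAS address 192.168.100.100 used later in the thread, the interface list name WAN, rsync over SSH on TCP port 23 as mentioned above, a placeholder Storage Box address 203.0.113.10 that must be replaced with the real one, and an existing srcnat masquerade rule.

```routeros
# Added example: forward-chain filter for a LAN NAS that may only talk to one Hetzner Storage Box.
# Assumptions: NAS = 192.168.100.100, interface list "WAN", Storage Box = 203.0.113.10 (placeholder,
# replace with the real address), rsync over SSH on TCP/23, and an existing srcnat masquerade rule.
/ip firewall address-list
add list=hetzner-storagebox address=203.0.113.10 \
    comment="Placeholder: put the real Storage Box address here"

/ip firewall filter
# 1. Return traffic of connections the LAN (NAS) started: this is what lets rsync replies back in.
add chain=forward action=accept connection-state=established,related \
    comment="Return traffic of LAN-initiated connections"
# 2. Packets that belong to no known connection are never useful.
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
# 3. The NAS may open rsync-over-SSH sessions to the Storage Box, and nothing else outbound.
add chain=forward action=accept src-address=192.168.100.100 dst-address-list=hetzner-storagebox \
    protocol=tcp dst-port=23 out-interface-list=WAN comment="NAS -> Storage Box rsync/SSH only"
add chain=forward action=drop src-address=192.168.100.100 out-interface-list=WAN \
    comment="NAS gets no other Internet access"
# 4. Nothing arriving on WAN may start a new connection inward unless a dst-nat rule exists
#    (there is none for the NAS), so scanners never reach it.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="Drop WAN-initiated connections (NAS never reachable from outside)"
```

After a backup run, `/ip firewall filter print stats` should show counters only on rules 1 and 3 for traffic involving the NAS; any hits on the NAS drop rule point to the NAS trying to reach something other than the Storage Box.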

Ok, but if I manually enter DNS data into the NAS (or automatic DNS entry) I am exposing my device to the internet. Which I do not want. To do this, I will need to ‘make FW’ entries not to expose it on the public. Not completely sure, but I think I will need to make some FW entries to enable internet connectivity from/to NAS only for Hetzner Storage Box. Am I right?

Depending on which device is initiating the connection: from the Hetzner Storage Box...true, from the NAS...false. Assuming your NAS has Internet access?

Ok… but what about ‘different’ IP addresses trying to connect/searching NAS devices in order to … ‘crack’?

They are (by default) blocked by the firewall.

You mean, FW default settings, input chain? or.. which one?

Input chain handles access to the router itself, the forward chain handles e.g. Internet access, port forward, etc.

Please note that we are talking of the UNTOUCHED, DEFAULT, WHOLE SET of firewall rules of a SOHO Mikrotik device; if you changed or disabled even only one of them (or added your own ones), your device and network may (or may not) be more exposed to internet access.

Why and how? What do you mean stating "exposing to the Internet"?
Nothing can connect to the NAS from outside until you allow that on the firewall (forwarding traffic to the NAS).
If NAS establishes connection to the Internet to make a copy, then it closes it immediately when the copy is done.
You can "fool" the NAS by setting the router as the target (no need for DNS, just a static IP) and the router does the NATting to connect to the Cloud. No matter how you connect to the cloud, it's not exposing the NAS to the Internet unless Hetzner would try to fiddle with the connection. What can they do on an rsync connection?

I see, I never use the default FW setup... I always try to make a custom setup according to the customer's needs. That's why I started this topic in the first place.

So, let's say the NAS is on 192.168.100.100 and my network is accordingly on the 192.168.100.0/24 subnet. What do I need to set up in the FW to ‘protect’ connections to the NAS from ‘outside’?

Tx

I'm a bit worried about your customers...really.

The safest rule there is in regards to protecting all clients behind NAT:

/ip firewall filter
add action=drop chain=forward comment="Drop everything"

Please explain to me what this rule does...just to show your knowledge on firewalls...

Chesterton's fence:
https://en.wikipedia.org/wiki/G._K._Chesterton#Chesterton's_fence

In the matter of reforming things, as distinct from deforming them, there is one plain and simple principle; a principle which will probably be called a paradox. There exists in such a case a certain institution or law; let us say, for the sake of simplicity, a fence or gate erected across a road. The more modern type of reformer goes gaily up to it and says, "I don't see the use of this; let us clear it away." To which the more intelligent type of reformer will do well to answer: "If you don't see the use of it, I certainly won't let you clear it away. Go away and think. Then, when you can come back and tell me that you do see the use of it, I may allow you to destroy it."


Many tx to all