Hi.
In the office where I work, we have an internal LAN network and a Mikrotik router as a firewall. We have a Synology NAS drive with a local private IP address and we can access it from any terminal inside the office’s local network. We would like to transfer some files from an outside network via SFTP but we haven’t found a way to manage this. We have enabled SFTP protocol on our Synology NAS drive, on port 22 and I tried to set the Mikrotik router to forward the traffic from the specific outside IP of the outside user who wants to transfer the files to port 22 of the NAS drive using the following rule:
IP → Firewall → NAT → Add new
On General tab:
Chain: dstnat
Src. Address: (the outside IP from which the external user wants to transfer the files)
Dst. Address: (our public IP address)
Protocol: 6 (tcp)
Dst. Port: 22
On Action tab:
Action: dst-nat
To Addresses: (the private IP of the NAS drive)
To Ports: 22
It doesn’t seem to work; the outside user still can’t access our NAS drive. What are we doing wrong? What is the right way to give SFTP access to the NAS drive from an outside network, without a VPN?
Without seeing your rules, as many are related, it's hard to say.
In general you need only one firewall rule for all port forwardings.
Each port forwarding's details are specified in its own dstnat rule.
In other words you can have users come in a different port if necessary and then have the router translate to 22 (as many bots scan for common ports).
By using the generic in-interface-list=WAN you prevent local users from accessing the SFTP server via the WAN IP, but you can access it directly via the LAN IP within the router, so no issues there.
Final comment is that you should really add a source address list to your dstnat rule. This makes the port invisible on scans and limits who can access your FTP server, so it should look like this:
/ip firewall nat add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=<custom external port> src-address-list=Authorized to-addresses=<private IP of NAS> to-ports=22
In other words, users must either have a fixed static public IP they can give you, OR a dyndns URL. There are many free providers of dyndns names so there is no excuse not to provide you with the proper identifying information if they want access to the server.
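The complete set of RouterOS commands the reply above describes (address list, a single dstnat rule restricted to that list, and one forward-chain rule that covers every port forwarding), written out as an added example rather than the poster's own configuration. The NAS address 192.168.88.10, the external port 2222, the remote endpoints 203.0.113.45 and nas-user.example.dyndns.org, and the interface list name WAN are all assumed values for illustration.

```routeros
# Added example, not the forum poster's configuration. Assumed values:
#   NAS private IP 192.168.88.10, custom external port 2222,
#   authorised remote endpoints 203.0.113.45 (static IP) and
#   nas-user.example.dyndns.org (dyndns name).
# The interface list WAN is assumed to already contain the Internet-facing interface.

# 1. Address list of who is allowed in. RouterOS resolves a DNS name entry itself
#    and refreshes it, so a dyndns hostname works for a user without a static IP.
/ip firewall address-list
add list=Authorized address=203.0.113.45 comment="remote user, static IP"
add list=Authorized address=nas-user.example.dyndns.org comment="remote user, dyndns name"

# 2. One dstnat rule: external TCP port 2222 -> NAS port 22, only for listed sources.
#    Packets from unlisted sources never match, so the port looks closed to scans.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=2222 \
    src-address-list=Authorized to-addresses=192.168.88.10 to-ports=22 \
    comment="SFTP to NAS from authorised sources only"

# 3. One forward rule for all port forwardings: accept new connections from WAN that a
#    dstnat rule has already translated. It must sit above the forward-chain rule that
#    drops everything else arriving from WAN.
/ip firewall filter
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="accept dst-nated (port-forwarded) connections"
```

After pasting this into the terminal, `/ip firewall nat print` and `/ip firewall filter print` show the rule order; if the forward accept rule lands below a drop rule for WAN traffic, move it up. The remote user then connects to the router's public IP on port 2222 (for example `sftp -P 2222 user@<public IP>`), and the router rewrites the destination to 192.168.88.10:22. Note the NAS itself must also allow SSH/SFTP from the router's LAN subnet; an allow-list on the Synology side is a useful second check.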