Multiple Physical Hosts behind Single (dynamic) IP?

I admit it, I got spoiled. For the past six years I’ve been able to indulge myself with a /29 subnet of static IPs to connect my three NAS devices to. But now, after two rate hikes within the past year coupled with a lowered income and inflation, I’ve got to cut it loose. My new service has a single dynamic IP. How best to maintain access to the NAS machines from WAN?

I’ve seen an article on configuring another computer running Apache or Nginx, probably my spare Raspberry Pi, as a reverse proxy server. But I see that Mikrotik has a proxy function, which I’ve never used. Is it possible to set that up to direct incoming traffic to the proper device based on host name?

I have to further admit that I find the Mikrotik documentation rather opaque. So be gentle, please!

Editing To Add: I’ve already configured Dynamic DNS through ClouDNS. Just need to figure out how to direct traffic once it gets to the router.

AFAIK the proxy in ROS can’t work as a reverse proxy. So you’ll have to go with an external device to do it.

Three devices behind a reverse proxy is a load-balancing situation, and I’m pretty sure you don’t want your disk I/O distributed round-robin among the NAS boxes. :slight_smile:

(And if you do, there are distributed filesystems that solve that problem without local use of baling wire and bubblegum.)

There are two far simpler ways to get the effect you want:

One is dstnat, where each NAS gets a different public TCP port number, which distinguishes incoming connections to the back-end NAS box. You can map a connection to TCP port 10001 to the file transfer port on NAS 1, 10002 to NAS 2, 10003 to NAS 3.

The other is to set up any of RouterOS’s many VPN options, then connect to the VPN before making local connections to each NAS. This will likely be far more secure, since you aren’t exposing oft-exploited file-sharing protocols naked to the Internet.

As far as I know, nginx can proxy by domain or URL; it needs a web site set up in your LAN, and port mapping from the WAN port to nginx, just like an IDC does.
But you didn’t mention what kind of service is on your NAS that needs access from the internet. If I remember correctly, nginx needs to listen on the port that you want the other host to work on. I mean, when you configure nginx on your Raspberry Pi to proxy the SMB protocol, the Pi cannot run another SMB service at the same time.

Access from the internet depends on what kind of service you are running on your NAS. Maybe VPN is a solution.

There are some reverse proxy solutions (hint: HAproxy) which can do L7 reverse proxy (i.e. http/https, where one IP is used for a number of different domain names and the proxy selects the appropriate backend server accordingly). At the same time it can do load-balancing, which works for any TCP protocol: the proxy will persistently use the same backend for the same connection. This works well as long as the L7 protocol is not too smart, imposing inter-connection dependency.

Using apache or nginx to do http/https reverse proxy is fine, but these two are basically web servers (optimized to do that) and can’t proxy other protocols. And they aren’t really efficient at doing that. HAproxy, OTOH, was built expressly as reverse proxy / load balancer and does it extremely well.
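Both paths discussed so far (the per-port dstnat mapping from the earlier reply, and sending standard ports to a reverse proxy that chooses the NAS by host name) can be expressed on the RB4011 in a few RouterOS v7 commands. This is an added example, not the thread’s or MikroTik’s own configuration. It assumes ether1 is the WAN port (as the OP later states), the default firewall is in place (established/related accepted), the NAS boxes are 192.168.10.11–13, the Raspberry Pi running HAProxy is 192.168.10.5, and the NAS “file transfer port” is SFTP on TCP/22; all of those addresses and the port are constructed values.

```routeros
# Added example (not from the thread). Constructed addresses:
#   NAS1/NAS2/NAS3 = 192.168.10.11/.12/.13, Pi with HAProxy = 192.168.10.5
# Assumed: ether1 is already a member of the WAN interface list (default config),
# and the NAS file-transfer service is SFTP on TCP/22.

/ip firewall address-list
add list=nas-sftp address=192.168.10.11 comment="NAS1"
add list=nas-sftp address=192.168.10.12 comment="NAS2"
add list=nas-sftp address=192.168.10.13 comment="NAS3"

# Option 1 (per-port dstnat): public 10001/10002/10003 -> SFTP on NAS1/2/3
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=10001 \
    action=dst-nat to-addresses=192.168.10.11 to-ports=22 comment="NAS1 SFTP"
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=10002 \
    action=dst-nat to-addresses=192.168.10.12 to-ports=22 comment="NAS2 SFTP"
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=10003 \
    action=dst-nat to-addresses=192.168.10.13 to-ports=22 comment="NAS3 SFTP"

# Option 2 (standard ports): 80/443 -> reverse proxy on the Pi, which selects the
# NAS by host name; the NAS boxes themselves are never exposed on 80/443.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.10.5 comment="HTTP/HTTPS to HAProxy"

# Forward filter: the default config lets any dstnat'd connection through, so
# narrow it to exactly the translated destinations and drop every other new
# connection from WAN. These rules belong above the default drop rules.
/ip firewall filter
add chain=forward in-interface-list=WAN connection-state=new \
    connection-nat-state=dstnat protocol=tcp dst-address-list=nas-sftp \
    dst-port=22 action=accept comment="NAS SFTP via dstnat only"
add chain=forward in-interface-list=WAN connection-state=new \
    connection-nat-state=dstnat protocol=tcp dst-address=192.168.10.5 \
    dst-port=80,443 action=accept comment="reverse proxy via dstnat only"
add chain=forward in-interface-list=WAN connection-state=new action=drop \
    comment="drop everything else new from WAN"

# Verify after applying: only the intended rules should accumulate counters
/ip firewall nat print stats where chain=dstnat
/ip firewall filter print stats where chain=forward
```

Because the forward chain sees addresses after dstnat has run, the accept rules match the internal NAS/Pi addresses, not the public port numbers; with the dynamic WAN address nothing in these rules needs to change when T-Mobile rotates it.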

Getting the most out of this forum by normis, MikroTik Support
The more we know, the more we can offer creative suggestions.
Such as Nginx (a real reverse proxy) running in a RouterOS container.

Fair enough. Here’s a very rough rendering of the physical network topology that I’m aiming for. Yes, it’s condensed, the down-line items on the switches won’t be daisy-chained but plugged into separate ports. Also, I haven’t had success yet with VLANs but This Time I Shall Make It Work!
[image: netdiag1.png, physical network topology diagram]
The RB4011 router, NetVanta switch (used; I couldn’t find the MikroTik equivalent at such an attractive price point!), and the Raspberry Pi I intend to use as a reverse proxy and DNS server are co-located in my central data cabinet, with the other Routerboards scattered around the property. Connections are Cat 6 Ethernet, and I have ports for three fiber links; one will go from the RB4011 to the RB3011 and one will run from the NetVanta to the Workroom RB2011. I’m slowly building out my garage apartment for additional space; when I do I’ll add another RB2011 up there with another fiber link to the NetVanta. I plan to back up the fiber links (actually, all of the trunk line links) with an Ethernet connection and use link aggregation.

For the purposes of this question, I want to be able to access the cloud drive functions (Synology apps, Drive, Photos, Video Station, Audio Station) of NAS 1 and NAS 2 while ‘on the go’, perhaps using a guest computer at a hotel or similar…a setting where a VPN couldn’t be set up. But this will be 1 percent (or less) of the use, so I don’t want to kneecap my data throughput any more than necessary. I don’t want to forgo the external access altogether, though, because sometimes I need to use a computer at my day job where I’m not allowed to install a VPN client (and I’m also not allowed to specify port numbers!). So I need the WAN access to my two NAS machines. Oh, and did I mention up-thread that my new ISP doesn’t support IPv6? I was put out when I discovered that, but for budget reasons I need to make this work. Let’s just say that I’m making a lot less now than when I bought most of the hardware…

Some other notes:

  • I’m open to suggestions on VLAN topology. My first thought was to create an “admin” VLAN for the switches and routers, a “NAS” VLAN for the machines I want to make WAN accessible, a “general” VLAN for the PCs and printers, and a “restricted” VLAN for the items I don’t want freely communicating with the Internet, such as cameras and the Windows XP computers. Possibly an “IoT” WLAN for Wi-fi thermostats and such, as well. But I know that much of that is Out Of Scope for this question.
  • The Windows XP computers cannot be upgraded without breaking their function. They run now-obsolete hardware and software which was, frankly, the best ever built for working with legacy NTSC video and I use them to capture old VHS tapes and similar. The upgrade to Vista broke the drivers which the hardware requires to work. I don’t have any personal data on them, save perhaps some high scores from Railroad Tycoon, and right now they’re air-gapped; I sneakernet the data back and forth to my production computers and NAS for post-processing. It would be convenient to put them on local intranet, at least, to simplify transfer of data, but I want to double-firewall it to keep from tempting the script kiddies.
  • I haven’t done much with wireless yet. I’m wanting to learn to configure CAPSMAN and create a central Wi-fi network with the three Wi-fi capable routers. Again, Out Of Scope for this question.

@ehbowen Thank you; an excellent start; let’s elaborate specifics as needed.

I believe I see a wireless upstream ISP, and Carrier-grade NAT is often used by such carriers. https://en.wikipedia.org/wiki/Carrier-grade_NAT
Let’s establish the IPv4 subnet characteristics between your equipment and upstream ISP.
In particular can any global IPv4 address route and connect to your WAN edge device?

@ehbowen You mention IPv6 in passing and as an aspiration. IMO it’s the simplest technical solution.
IPv6 tunnels work well but require semi-stable public IPv4 address.

Please describe what role IPv6 had in past network operations, if any.
Please describe key locations and their current IPv6 state.

I had not used IPv6 on my LAN before at all as I was unsure as to how best to secure it. I was going to try it with this complete revamp of my LAN, but…well, not supported. But I’d certainly be willing to use a tunnel for the critical services on the NAS devices.

As far as IPv4 routing: I specifically requested a business-class IP which was routable. It was actually supposed to be a (single) static IP, but T-Mobile apparently has a strange definition of ‘static’ because it’s changed three times in the past two weeks. My gateway device is an Inseego FX2000, connected directly to ether1 of my RB4011. I’ve also installed HAProxy on the Raspberry Pi which I intend to use as a reverse proxy server, but I’m still struggling with proper configuration. A pointer to a good reference would be appreciated.

@ehbowen NetVanta 1531P plays same role as CRS326-24G-2S+IN does for me.
I have deployed CRS326-24G-2S+RM at collocation data center. Both are fan-less.
https://mikrotik.com/product/crs326_24g_2s_in
https://mikrotik.com/product/CRS326-24G-2SplusRM
Please note both are “switch” products; they do Layer 3 routing with some hardware offload.

This is bad news. Do you have full control of Inseego FX2000?
Do you care about the Inseego FX2000 WiFi capability?

@ConradPino What I was shopping for (and still have an eBay alert posted for) was a CRS-112-8P-4S-IN. I want the 8 PoE ports (which the Netvanta 1531P has) and I need the small footprint (restricted space in my data ‘closet’, which is actually a Leviton structured media cabinet). Most of what will be connected to the NetVanta is cameras and IP phones, so not a huge amount of data throughput (save on the fiber SFP ports).

If anyone from MikroTik is listening…how about a CRS-112-8P-4S+-IN at a similar price point to the current model, hmmm?

I have admin access to the FX2000, and had to change the default configuration to my APN settings to b2b.static in order to establish connectivity. I also tried changing the PDP setting to dual IPv4/IPv6, but that didn’t make a difference…the restriction is upstream. And no, right now I’m not using the FX2000’s WiFi; it’s disabled. I want to use the MikroTik Wi-fi capable routers and CAPSMAN for my long-term wireless setup.

RB5009UPr+S+IN has PoE-out on all ports. https://mikrotik.com/product/rb5009upr_s_in
Compare performance with current router and consider for the core router role.

Looks nice! I’ll add it to the wish list for if/when the novel I’m bringing out next May becomes a success…

Download Inseego FX2000 User Guide https://inseego.com/download/FX2000_user_guide.pdf
Some gateway devices have “bypass” mode which I didn’t see in this manual.
I do see “IP Passthrough” in several places. Where are you with that?

IP Passthrough is selected and the RB4011 is seeing and routing the outside IP address. I also do have IPv6 activated in the FX2000 and I’m showing a ‘Link-Local’ address, but it seems that nothing downstream is obtaining an IPv6 address through the router. But possibly I have something set incorrectly on my end in the routers/switches.

Look, T-Mobile For Business has IPv6: https://solutions.t-mobile.com/support/ipv6
Let’s pursue this first; it restores global end-point connectivity enjoyed with public /29 static subnet.

I couldn’t do anything with this on IPv6 or IPv4. I believe it requires a login and I’ve had difficulty establishing one. My service is very new and my account rep has encountered ‘issues.’ Perhaps tomorrow after the holiday I might be able to log in. Any other suggestions for testing/evaluating? If I can get IPv6 working then my major issue is solved.