Windows sharing over internet

Hi all,
hope anyone can help me with this.
My config is:
Mikrotik 5.18
wan 1 : 41.41.x.x static, users from (2 : 191) go through it
wan 2 : 41.69.x.x dynamic, users from (193 : 254) go through it
lan : 192.168.1.x
share server is 192.168.1.20

Currently I have a port forward for RDP enabled, so I can access the share server remotely from anywhere, but now I need to access the shared data as if I'm in the office (mount a drive on my computer for the shared folder). It worked with the real IP when the server was connected directly to the router, but of course that's not secure; I need it through the MikroTik.

I copied the rule for RDP & modified it with the SMB port, but it didn't work for me. Here it is:

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.20 to-ports=139 protocol=tcp dst-address=41.41.x.x in-interface=wan1 dst-port=139

Any ideas?

Also, I hope you are generous enough to give me WORKING codes/rules that will secure my MT & enhance its firewall.

Hi.

You need to establish a VPN between your computer and your MikroTik router; you can do it with PPTP, L2TP or OpenVPN.

You only have to follow these steps: http://wiki.mikrotik.com/wiki/PPTPServer

Then create a PPTP client interface on your computer.

If you have Active Directory, maybe you should put your WINS servers and DNS servers in the profile.

Regards.
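The PPTP server setup the reply above points to, written out as RouterOS commands. This is an added example, not code from the thread or from the linked wiki page; it assumes a domain controller at 192.168.1.10 serving DNS and WINS, a client pool of 192.168.9.0/24 and a user named "alice", none of which come from the original posts. PPTP's MS-CHAPv2/MPPE is cryptographically weak, so on a RouterOS version that supports it, L2TP over IPsec or SSTP is the better choice; the rule layout below (pool, profile, secret, server, input and forward filters) carries over unchanged.

```routeros
# Added example: PPTP server on the MikroTik, so remote users reach 192.168.1.20
# through the tunnel instead of an exposed SMB port.
# Assumed values (not from the thread): DC/DNS/WINS at 192.168.1.10,
# client pool 192.168.9.0/24, user "alice". Replace them for your network.

# Address pool handed to VPN clients. A separate subnet avoids proxy-arp;
# LAN hosts already use 192.168.1.1 as gateway, so return traffic routes back.
/ip pool add name=vpn-pool ranges=192.168.9.10-192.168.9.50

# PPP profile: hand out the DC as DNS and WINS so domain logon and name
# resolution of the share work; require MPPE encryption on the link.
/ppp profile add name=vpn-profile local-address=192.168.9.1 remote-address=vpn-pool \
    dns-server=192.168.1.10 wins-server=192.168.1.10 use-encryption=required

# One PPP account per remote user, restricted to the pptp service.
/ppp secret add name=alice password=ChangeMe-LongPassphrase service=pptp profile=vpn-profile

# Enable the PPTP server, MS-CHAPv2 only.
/interface pptp-server server set enabled=yes authentication=mschap2 default-profile=vpn-profile

# Let PPTP control (TCP/1723) and data (GRE) reach the router on WAN1 only.
# These must sit above any generic "drop input from WAN" rule.
/ip firewall filter add chain=input in-interface=wan1 protocol=tcp dst-port=1723 \
    action=accept comment="pptp control"
/ip firewall filter add chain=input in-interface=wan1 protocol=gre action=accept \
    comment="pptp gre"

# Tunnel clients may reach only the file server on SMB, nothing else on the LAN.
/ip firewall filter add chain=forward src-address=192.168.9.0/24 dst-address=192.168.1.20 \
    protocol=tcp dst-port=445,139 action=accept comment="vpn -> smb"
/ip firewall filter add chain=forward src-address=192.168.9.0/24 action=drop \
    comment="vpn -> rest"
```

The last drop rule means clients cannot use the tunnel as their internet gateway, which matches the split-tunnel setting (no remote default gateway) on the Windows client. If users should reach other LAN hosts, add accept rules for those destinations above the drop.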

Thanks for the answer.
Is there any simpler way through the firewall to do that, just like allowing RDP?
I don't need VPN.

With a VPN it's far more secure. You can redirect port 445 in the firewall, but this is asking for trouble.

Please just go with me now, forget all about security, I don't need this right now or forever.
The employees in my firm are dumb enough that they won't understand how to use/establish VPN connections, well, not on their own, and it'll be a real headache for me to guide them by phone every time they need it.

I just need an on-demand sharing connection that will be disabled by default & will be enabled only when a remote user needs something urgently from my file server; besides, they will have to authenticate to my DC before accessing it.

So please just give me a rule that will open direct access to my share server & I WILL USE IT AT MY OWN RISK.
My external IP is 41.41.x.x
Gateway MT 5.18 IP 192.168.1.1
My share IP 192.168.1.20

It's not only about security; many ISPs block or restrict port 445 because it's attacked very often.

As others have stated, this is bad practice and a lot of ISPs block these ports to prevent abuse. As for the bolded statement, this can easily be circumvented by you. You can establish a VPN tunnel (IPsec, PPTP, SSTP, GRE, etc.) between your routers that you can either leave on all the time or only establish as needed. This way the employees in your firm never need to dial a connection (you'd do that for them on the router) and you'd still have some security in place.

Otherwise, you just need to create a DST-NAT rule for your file server and the TCP ports, and create an allow rule in your firewall filter. SMB is going to use TCP ports 139 and 445 and UDP ports 137 and 138.
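The DST-NAT plus filter pair described in the reply above, written as RouterOS commands and shaped to the "disabled by default, enabled on demand" requirement from the earlier post. This is an added example, not code from the thread; it assumes the remote user's public address is 198.51.100.7 (a documentation-range placeholder, not from the posts) and uses an address list so the forward only answers known sources rather than the whole internet.

```routeros
# Added example (not from the thread): direct SMB forward to the file server,
# off by default and limited to a list of known remote source addresses.
# Assumed: remote user's public IP is 198.51.100.7 (placeholder).

# Remote addresses allowed to hit the forward; add or remove entries as needed.
/ip firewall address-list add list=smb-remote address=198.51.100.7 comment="alice home"

# DST-NAT on WAN1 only. dst-address-type=local matches the router's own WAN1
# address without hard-coding it. TCP/445 is what a modern client uses; 139 is
# legacy NetBIOS-over-TCP. UDP 137/138 are broadcast name service / datagram
# traffic and do not work across NAT, so they are not forwarded.
# No to-ports: the destination port is preserved (445 -> 445, 139 -> 139).
/ip firewall nat add chain=dstnat in-interface=wan1 dst-address-type=local \
    src-address-list=smb-remote protocol=tcp dst-port=445,139 \
    action=dst-nat to-addresses=192.168.1.20 comment="smb-fwd" disabled=yes

# Matching forward-chain accept. It must sit above the usual
# "drop from WAN unless established/related" rule to have any effect.
/ip firewall filter add chain=forward in-interface=wan1 src-address-list=smb-remote \
    dst-address=192.168.1.20 protocol=tcp dst-port=445,139 action=accept \
    comment="smb-fwd-allow" disabled=yes

# Turn the forward on only while it is needed, then off again.
/ip firewall nat enable [find comment="smb-fwd"]
/ip firewall filter enable [find comment="smb-fwd-allow"]
# ... when the remote user is done:
/ip firewall nat disable [find comment="smb-fwd"]
/ip firewall filter disable [find comment="smb-fwd-allow"]
```

Check with `/ip firewall nat print stats` and `/ip firewall filter print stats` that the two rules count packets while enabled; if the NAT rule counts and the filter rule does not, the accept is below a drop rule and needs to be moved up. The source address list is the only thing standing between the file server and port-445 scanners once the rules are enabled, so keep it to specific addresses, not 0.0.0.0/0.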

Sorry for the delay, I was too busy with other long-term tasks.
Thanks to your advice I've managed to create a VPN connection to my server through the MT router & can browse network shares in my office using domain credentials.
I had a small issue: my internet connection dropped whenever the VPN connection was established (could browse shares but no internet)!!! But I gladly solved it by disabling "use remote gateway" in the VPN connection properties.

Again, thank you very much.