Bolo
just joined
Topic Author
Posts: 11
Joined: Tue Jan 17, 2023 10:31 pm

Proxy to my home services

Tue Nov 26, 2024 7:08 pm

Hi there!
I have a routerboard as my router at home. I have two subnets, one for my lab and the other for smart devices. The smart devices network can't access my lab network, where I have my TrueNAS server with storage and some services.
From time to time I would need to get access to services from outside, and I'm using WireGuard to do that.
However, there's a problem: I would like to add a proxy server which redirects requests to the right service port on TrueNAS. How can I do that? And what if I'd like to access the services without using WireGuard?
Any documentation or example I can take a look at?
Sorry for the confusion, but I'm pretty new to networking.
 
anav
Forum Guru
Posts: 21818
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Proxy to my home services

Tue Nov 26, 2024 7:21 pm

First off, well done, the safest way to access home servers is coming in on VPN and then accessing the server from behind the router.

Second, if your request was to do something similar using standard port forwarding, a proxy server would not be required.

For example, if you wanted users to come in on port 5555 and your TrueNAS server port was 6666,
it's a simple port translation:

add chain=dstnat action=dst-nat dst-address=staticWANIP dst-port=5555 protocol=tcp to-address=ServerIP to-ports=6666

There is no requirement to do this coming in via WireGuard in most circumstances; is there a reason to do so in your case????

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Why would you want to enter the router for servers through the WAN port, if you have a secure vpn method of doing so??

+++++++++++++++++++++++

What I don't know is possible is dst-natting LAN traffic, so to speak, to achieve the same for connections coming in through WireGuard,
perhaps something like (but no idea if it's legit):

add chain=dstnat action=dst-nat dst-address=ServerIP src-address=wireguardSubnet dst-port=5555 protocol=tcp to-address=ServerIP to-ports=6666 ???????
 
Bolo
just joined
Topic Author
Posts: 11
Joined: Tue Jan 17, 2023 10:31 pm

Re: Proxy to my home services

Wed Nov 27, 2024 11:59 pm

First off, thanks so much Anav for your reply.
What I'd like to achieve is to have some home-hosted services to substitute the traditional Google Drive, Dropbox and so on.
I'll give some additional details to explain what I would like to achieve. Consider that I'm pretty new to both networking and server management.

I have the following setup: a studio subnet 192.168.x.0/24 (completely wired) and a wifi and IoT device subnet 192.168.y.0/24.
I have a TrueNAS machine in the studio subnet with address 192.168.x.z. I have a couple of SMB shares on TrueNAS and a few services. Unfortunately, nowadays it is not possible to have apps in TrueNAS (Docker containers) as DHCP clients or even with a given static IP. They use the internal Docker network and services are exposed only by their specific port number. For example, AdGuard uses port 53, so the service is available at 192.168.x.z:53, and so do my Nextcloud and the PostgreSQL database for DaVinci Resolve.

I've set up my firewall in order to block any attempt from the IoT and wifi subnet to connect to the studio subnet.

I can access my shares by VPN and this is perfect; however, there are a couple of things I'd like to do.
1. Having a home-hosted Nextcloud and using it to upload my mobile phone photos etc. without using Google Photos or similar. It seems I can't use the Nextcloud app on my mobile via VPN.
2. Using the AdGuard Home service in both my studio and IoT networks.

Therefore I was wondering the best way to expose these service ports in a secure way.

Does this make any sense?
 
optio
Forum Veteran
Posts: 915
Joined: Mon Dec 26, 2022 2:57 pm

Re: Proxy to my home services

Thu Nov 28, 2024 1:09 am

Therefore I was wondering the best way to expose these service ports in a secure way.
To have an NGFW in front of the service ports, but there is no NGFW in ROS.
Regarding a proxy: each reverse proxy can work only for the same protocol; usually it is used for HTTP(S) protocol services, but there are other protocols which can be handled similarly to a reverse proxy, like an SSH jump host. In the case of an HTTP reverse proxy, it can provide some security for the case when the web service is exploited and, over the same exposed port, an attempt is made to expose some malicious non-HTTP service, like shell access; in such a case the reverse proxy will not accept any non-HTTP(S) communication and the web service host will be safe. But this is just for such a case; there are other attacks over HTTP which a reverse proxy alone cannot prevent, like SQL injection or other attacks specific to the targeted service.

Without an NGFW, if you need to have an exposed service, just keep it up to date and be careful how it is configured; the router firewall will do the rest if it is properly configured. An HTTP reverse proxy is just a bonus, not a guarantee of safety. An HTTP reverse proxy is also convenient for having the same service port exposed for multiple services, but that is not related to security.
 
anav
Forum Guru
Posts: 21818
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Proxy to my home services

Thu Nov 28, 2024 4:22 am

Therefore I was wondering the best way to expose these service ports in a secure way.
This leads me to thinking you may want to try ZeroTier, which basically joins participants as if they were in a layer 2 network (my simpleton view).
Another thought is Cloudflare Zero Trust, which is a way to have port forwarding to your servers but without exposing ports on the public WWW.
 
Bolo
just joined
Topic Author
Posts: 11
Joined: Tue Jan 17, 2023 10:31 pm

Re: Proxy to my home services

Thu Nov 28, 2024 12:05 pm

Thanks to both of you.
@Anav: what you suggest is way beyond what I may achieve in the small amount of time I have to work on it.
@optio: could you suggest a good firewall rule to open a port on the web (I have a static IP from my ISP) for Nextcloud?
 
optio
Forum Veteran
Posts: 915
Joined: Mon Dec 26, 2022 2:57 pm

Re: Proxy to my home services

Sat Nov 30, 2024 3:18 am

Use a NAT rule for the port forward as @anav mentioned in post #2.
For additional security it is better to isolate the service host from the LAN: if you are using containers, a separate bridge will do; for external hosts you can set up a VLAN for it or use firewall rules for that, but a VLAN is preferable. Allow only connections from the LAN to the service host for service management. Also it is good to drop unneeded connections to the WAN from the service host (outbound connections) and allow only those which are needed for service functionality, if there are any, like e.g. "call home" for a licence check.
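Putting post #2 (the dst-nat port forward) and the isolation advice above together, here is an added RouterOS example that is not from any poster in this thread. It assumes the default configuration's interface lists "WAN" and "LAN" and its leading "accept established,related" forward rule, a constructed static WAN IP 203.0.113.10, a constructed service-host address 192.168.10.20 on its own VLAN (so its traffic actually crosses the router), and Nextcloud listening on TCP 443.

```routeros
# Added example, not from the thread. Placeholders: 203.0.113.10 = static WAN IP,
# 192.168.10.20 = TrueNAS host running Nextcloud on TCP 443, on its own VLAN.

/ip firewall address-list
add list=service-hosts address=192.168.10.20 comment="TrueNAS (Nextcloud on 443)"

# 1. Port forward from the public IP to Nextcloud (anav's post #2, with the
#    full parameter name to-addresses).
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 dst-port=443 \
    to-addresses=192.168.10.20 to-ports=443 comment="WAN -> Nextcloud"

# 2. Forward-chain filter rules. Place them after the default
#    "accept established,related" rule and before the default
#    "drop all from WAN not DSTNATed" rule; order matters.
/ip firewall filter
# Only dst-nated TCP/443 from WAN may reach the service host; nothing else from WAN.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN protocol=tcp dst-address-list=service-hosts dst-port=443 \
    comment="WAN -> Nextcloud (dstnat only)"
# Management of the service host is allowed from the LAN side only (optio's advice).
add chain=forward action=accept in-interface-list=LAN dst-address-list=service-hosts \
    comment="LAN -> service host (management)"
# Service host egress: permit only what the service needs (DNS, HTTPS for updates).
add chain=forward action=accept src-address-list=service-hosts out-interface-list=WAN \
    protocol=udp dst-port=53 comment="service host -> DNS"
add chain=forward action=accept src-address-list=service-hosts out-interface-list=WAN \
    protocol=tcp dst-port=443 comment="service host -> HTTPS (updates)"
# Any other new connection initiated by the service host, towards LAN or WAN, is dropped
# and logged, so a compromised container cannot pivot into the studio network.
add chain=forward action=drop src-address-list=service-hosts log=yes \
    log-prefix="svc-host-egress-drop" comment="service host -> anything else"
```

Extend the two "service host -> ..." accept rules (or add more) for each outbound destination the service genuinely needs, such as a licence "call home"; the logged drops show what was missed.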
