Bypass the VPN for SMB access from outside

jaxed8 · Thu Nov 18, 2021 11:53 am

Hello every one
I recently add a NAS to my network which is at 192.168.11.100 and it use the default SMB port which is 445. but the problem is the router is behind the NAT and also connected to IKEV2 IPsec vpn and the router don’t have a static ip (public ip).
so, I want to have access to 192.168.11.100:445 from outside (internet) without connecting to the same vpn server as router (access without vpn (bypass the vpn)) and I want to use ip cloud (DDNS) cause router don't have a static ip (public ip) and it's also behind NAT.
I will appreciate any help

Znevna · Thu Nov 18, 2021 12:23 pm

No, do it properly via VPN.
SMB SHOULD NOT be exposed to the internet.

jaxed8 · Thu Nov 18, 2021 12:37 pm

No, do it properly via VPN.
SMB SHOULD NOT be exposed to the internet.

I want to host few files for some people that why I want to give them access but I don't want to give them access to my vpn because I run other things on that as well.

tomislav91 · Thu Nov 18, 2021 12:54 pm

maybe something like this

/ip cloud set ddns-enabled=yes


/interface list
add name=WAN

/interface list member
add interface=ISP-eth1 list=WAN
add interface=ISP2-eth2 list=WAN


/ip firewall address-list
add address=TRUSTED_REMOTE_NETWORK list=Trusted

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=445 in-interface-list=WAN protocol=tcp src-address-list=\
    Trusted to-addresses=192.168.11.100 to-ports=445

so if you have multiple ISP just add id to this

/interface list member

and ofcourse you need forward port on isp
445 to your Mikrotik IP (if mikrotik gets 192.168.0.11 from ISP that IP is to where you need to forward)
(if its fiber, you dont need to, this is enough)

jaxed8 · Thu Nov 18, 2021 4:14 pm

maybe something like this
Code: Select all
/ip cloud set ddns-enabled=yes


/interface list
add name=WAN

/interface list member
add interface=ISP-eth1 list=WAN
add interface=ISP2-eth2 list=WAN


/ip firewall address-list
add address=TRUSTED_REMOTE_NETWORK list=Trusted

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=445 in-interface-list=WAN protocol=tcp src-address-list=\
    Trusted to-addresses=192.168.11.100 to-ports=445
so if you have multiple ISP just add id to this

/interface list member
and ofcourse you need forward port on isp
445 to your Mikrotik IP (if mikrotik gets 192.168.0.11 from ISP that IP is to where you need to forward)
(if its fiber, you dont need to, this is enough)

Thanks man
are these settings are gonna bypass the vpn?
What is src-address-list=Trusted? I don't know from what addresses users are gonna access this.
Yeah ISP gave me 192.168.0.104 on their modem

jaxed8 · Thu Nov 18, 2021 5:47 pm

Router configuration :

gh.rsc

jaxed8 · Thu Nov 18, 2021 7:25 pm

Screenshot 2021-11-18 205426.jpg

rextended · Thu Nov 18, 2021 7:30 pm

Another host for the botnet...

jaxed8 · Thu Nov 18, 2021 7:39 pm

Another host for the botnet...

It's gonna give very limited access based of username and password and only for one folder.

rextended · Thu Nov 18, 2021 7:45 pm

There are thousands of free file sharing services on the internet...
You have to share something truly illegal to not want to use them.
If you share them "zipped" with a 100-digit password, no one will decrypt them who does not know the password ...

jaxed8 · Thu Nov 18, 2021 8:09 pm

There are thousands of free file sharing services on the internet...
You have to share something truly illegal to not want to use them.
If you share them "zipped" with a 100-digit password, no one will decrypt them who does not know the password ...

It's not about the actual content, it's because the users have a very limited and slow internet connection inside that country to the outside so when they connect with vpn or other file sharing services on internet that's going to be very useless, so that's why it's a workaround over there because files are in large size but if I give them access without vpn and direct to the server which is in the same city as they are it's going to be super-fast and easy for them to connect because if both sides are using ips of that country isps are going to route the connection in something like intranet which is very fast.

tomislav91 · Thu Nov 18, 2021 8:18 pm

maybe something like this
Code: Select all
/ip cloud set ddns-enabled=yes


/interface list
add name=WAN

/interface list member
add interface=ISP-eth1 list=WAN
add interface=ISP2-eth2 list=WAN


/ip firewall address-list
add address=TRUSTED_REMOTE_NETWORK list=Trusted

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=445 in-interface-list=WAN protocol=tcp src-address-list=\
    Trusted to-addresses=192.168.11.100 to-ports=445
so if you have multiple ISP just add id to this

and ofcourse you need forward port on isp
445 to your Mikrotik IP (if mikrotik gets 192.168.0.11 from ISP that IP is to where you need to forward)
(if its fiber, you dont need to, this is enough)
Thanks man
are these settings are gonna bypass the vpn?
What is src-address-list=Trusted? I don't know from what addresses users are gonna access this.
Yeah ISP gave me 192.168.0.104 on their modem

i have told you that add in address list Trusted IPs that are public/private in your remote locations.
So if my house with public ip 20.10.9.8 want to access that smb, you will add in that address list that ip

/ip firewall address-list
add address=20.10.9.8 list=Trusted

are these settings are gonna bypass the vpn?

this is public access, there is no need for VPN.
Advantage is that you are allowing only ip from trusted interface list. Problem is if that remote locations have some CGNat from provider, than and others will have access.

Most secure solution is to use some VPN which is very easy to make on mikrotik and use it on Windows/Linux

jaxed8 · Thu Nov 18, 2021 8:27 pm

i have told you that add in address list Trusted IPs that are public/private in your remote locations.
So if my house with public ip 20.10.9.8 want to access that smb, you will add in that address list that ip

I don't know from which IPs they are going to connect to the smb server. I want it to be open so anyone can connect and then it will ask for username and password to access the files.

Most secure solution is to use some VPN which is very easy to make on mikrotik and use it on Windows/Linux

When router is connected to the vpn (IKEV2 ipsec) is this possible to also act as a vpn server just in order to give them access to the smb server but nothing else not even internet or anything just smb?

rextended · Thu Nov 18, 2021 8:29 pm

if both sides are using ips of that country isps are going to route the connection in something like intranet which is very fast.

I don't know from which IPs they are going to connect to the smb server.

Uhm......

jaxed8 · Thu Nov 18, 2021 8:46 pm

if both sides are using ips of that country isps are going to route the connection in something like intranet which is very fast.

I don't know from which IPs they are going to connect to the smb server.

Uhm......

The idea is to give that ddns address to a group of people (100~) in telegram (private group) with a username and password to connect to the smb server and I know they are all located in the same city as the smb server is.

jaxed8 · Fri Nov 19, 2021 7:18 pm

jaxed8 · Sat Nov 20, 2021 1:11 pm

Sob · Sat Nov 20, 2021 8:02 pm

Security concerns aside (I too think that it's not the greatest idea to expose smb to the world, but it's your choice), it boils down to whether you have public address or not. It doesn't have to be static (DDNS takes care of that) and it doesn't have to be directly on your router, but you must be able to forward port from it to your router. If you can do that, then go for it and enjoy. If not, you're out of luck. Or am I missing something?

jaxed8 · Sat Nov 20, 2021 8:42 pm

Thanks for your answer
I forward it and with VPN I was being able to connect to it but without vpn (with DDNS) not at all and I think it's because the router is behind nat and I should have another port forwarding for that but I don't know how and I need help for this part.

krafg · Sat Nov 20, 2021 8:58 pm

If you have problems with classic VPN for NAT, try to use ZeroTier or Tailscale.

Regards.

Sob · Sat Nov 20, 2021 9:18 pm

There's not much we can help you with, it's not something you can configure just on your MikroTik router, it depends entirely on your usptream router and whether you can change its config. And even that one is not guaranteed to have public address, it can be behind another NAT. It's pretty normal these days that users don't get any form of public address at all, and as a result can't have incoming connections from internet.

jaxed8 · Sat Nov 20, 2021 9:58 pm

It shows the public ip (which is dynamic) if it's going to pop-up some hope.

Screenshot 2021-11-20 232709.jpg

krafg · Sat Nov 20, 2021 10:32 pm

It says that you are behind NAT, if your ISP provide to you a private IP, there is nothing to do. Only way is use ZeroTier or Tailscale.

Regards.

jaxed8 · Sat Nov 20, 2021 10:40 pm

It says that you are behind NAT, if your ISP provide to you a private IP, there is nothing to do. Only way is use ZeroTier or Tailscale.

Regards.

It's not a private IP

Sob · Sat Nov 20, 2021 11:41 pm

It doesn't mean anything, that's what server sees and it's always public address, no matter behind how many other routers you are. What matters is whether you can forward ports from that address to your router.

Best case is that the address is "yours" and ISP is doing NAT 1:1, i.e. forwards all ports to your router. You can test it, if you add logging rule, e.g.:

/ip firewall nat
add chain=dstnat in-interface=<WAN> protocol=tcp dst-port=6666 action=log

Then find some online port tester and let it check selected port number on reported public address. If you see a packet logged every time you test it, then it's good news for you.

Other possibility is that you have access to upstream router which has this public address and you can configure port forwarding there. Your ISP would most likely tell you about it.

If it's neither, then too bad, you're out of luck.

krafg · Sun Nov 21, 2021 2:02 am

It says that you are behind NAT, if your ISP provide to you a private IP, there is nothing to do. Only way is use ZeroTier or Tailscale.

Regards.
It's not a private IP
Screenshot 2021-11-21 000958.jpg

Cloud always shows the public IP address. The information should be checked on IP -> addresses and see your WAN port.

Regards.

jaxed8 · Sun Nov 21, 2021 1:43 pm

It doesn't mean anything, that's what server sees and it's always public address, no matter behind how many other routers you are. What matters is whether you can forward ports from that address to your router.

Best case is that the address is "yours" and ISP is doing NAT 1:1, i.e. forwards all ports to your router. You can test it, if you add logging rule, e.g.:
Code: Select all
/ip firewall nat
add chain=dstnat in-interface=<WAN> protocol=tcp dst-port=6666 action=log
Then find some online port tester and let it check selected port number on reported public address. If you see a packet logged every time you test it, then it's good news for you.

Other possibility is that you have access to upstream router which has this public address and you can configure port forwarding there. Your ISP would most likely tell you about it.

If it's neither, then too bad, you're out of luck.

Thank you very much.
I checked this, at first it didn't work at all but then I call the ISP and they said we will turn on something called DMZ on their modem and then after that I got the logs.
Now what should I do?

Screenshot 2021-11-21 151256.jpg

Sob · Sun Nov 21, 2021 6:59 pm

Now you can forward ports to your server, see e.g. post #4. Next question is what exactly is your IPSec VPN doing and if it's going to interfere. If it's the kind that routes all your traffic through some remote server, it may. But I don't remember from top of my head how exactly it works.

jaxed8 · Sun Nov 21, 2021 7:54 pm

Thanks a lot everyone especially @Sob
After port forwarding it's worked very good but turned out windows doesn't accept domain address (DDNS address) for samba

, so ended up with using it for forwarding port 3389 to another one to use for direct remote desktop (personal use only).

Sob · Sun Nov 21, 2021 8:33 pm

I never tried with MikroTik DDNS specifically, but it's hostname like any other and Windows can use those for shares.

jaxed8 · Sun Nov 21, 2021 11:09 pm

Yeah but IDK what was wrong I tried a lot but didn't worked and since there is no other client program for samba on windows I don't know what to do in this case.

Sob · Mon Nov 22, 2021 12:16 am

At least you got incoming connections out of it, that's nice to have thing. You can experiment further, if you want. For example, make proper VPN for users, so they could connect to your router, and then access 192.168.11.100 directly. It would be nice and secure. Only depending on needed speeds and router's performace, there could be a bottleneck.

jaxed8 · Mon Nov 22, 2021 12:45 pm

At least you got incoming connections out of it, that's nice to have thing.

Yeah thanks to you guys.

You can experiment further, if you want. For example, make proper VPN for users, so they could connect to your router, and then access 192.168.11.100 directly. It would be nice and secure. Only depending on needed speeds and router's performace, there could be a bottleneck.

Yeah maybe, but for now I disabled the ip cloud cause not going to use it until setup the VPN on router.
Just a quick question: does the DMZ that ISP activated going to have any security drawbacks? should I call them to turn it back off?

krafg · Mon Nov 22, 2021 1:30 pm

DMZ is the ideal scenario for hackers/attackers. DMZ removes the protection of the device that was assigned. The only protection is that enabled on the device itself.

Regards.

jaxed8 · Mon Nov 22, 2021 2:49 pm

So it should be on or off? (it's on right now (ISP said today))
I think it should be off

krafg · Mon Nov 22, 2021 4:18 pm

Yes it can be enabled or disabled. On this case your ISP controls it.

Regards.

anav · Mon Nov 22, 2021 5:40 pm

Normally on an ISP controlled modem/router, where they provide you a private IP address, then the subscriber you, still has a very basic access to the ISP modem router.
Typically its so that you can forward a port (DMZ typically is not activated).
Thus suggest you try to access the ISP modem/router and if not possible then ask the ISP to ONLY forward the ports you need forwarded.
if they can only do DMZ, then that is what you are stuck with and will need it left open to do anything VPN or port forwarding anyway.

IS this bad, not really, in the sense that the MT router is a great firewall appliance and can do the job.

Now in terms of straight port forwarding, not a good idea in general to open up any ports behind the router (to the LAN) . We do often open ports TO the router (for initial connections to VPN).
Big difference on what we do this for!!

You should not forward ports that do not have some sort of encryption plus password, thats why there is encrypted FTP etc...........
Password protection alone is not good enough in the real world and this can get hacked, especially if the server being connected to has no way to prevent multiple/repeated attempts for entry.

However its your choice, and the best way to prevent the horror from easily occurring is as indicated.
A. USE A LIMITED ACCESS LIST!
B. LOG ACCESS and MONITOR IT!

There is no reason not to use an access list as there are two possibliities
a. USERS who have a fixed/static WANIP that they can give you.
b. USERS can use a dyndns name/url (domain type name) that they can give you.

Note: There are many free dyndns providers where one can get a DYDNS URL, to give you.

IP CLOUD NAME: Very useful as this gives everyone (resolves to) your actual PUBLIC IP which they will need to access your server.

The good thing about adding an address list to a dst-nat rule is that the port becomes invisible on port scans. Without a source address list, the port will appear visible on scans but closed.
One thing is to pick an obscure port in any case, something like 63289

With so many bots out there, its a matter of when not if.................... I hope I am not exaggerating the risk.

Sob · Mon Nov 22, 2021 6:17 pm

First, it's not real DMZ, that would be separate subnet isolated from others. But the term is also often used for forwarding all ports to selected host, which in this case is your router. The result is pretty much the same as if you had public IP address directly on your router. So how secure it is depends on how you configure your router's firewall. Yours is not too bad, input rules can be reordered a bit, but it's not insecure.

jaxed8 · Tue Nov 23, 2021 12:14 am

With so many bots out there, its a matter of when not if.................... I hope I am not exaggerating the risk.

Thanks for the deep explanation.
I called them and they gave me the access to the DMZ so I can turn it on and off. and I turn it off for now because I can't spend hours of time tightening the firewall of the router for it.

So how secure it is depends on how you configure your router's firewall. Yours is not too bad, input rules can be reordered a bit, but it's not insecure.

Any suggestion to make it more secure?

Sob · Tue Nov 23, 2021 12:36 am

Not really more secure, just small tweaks, for example in chain=input:

- you allow ports 500, 4500 and 1701, which would be for incoming L2TP/IPSec, but you don't seem to have that, so it's probably not needed
- dns rules with port 53 may not be required either, as access from internet is already blocked by last rule in chain
- if you need any such rule to allow something, it should be after the two rules that accept established & etc and block invalid

krafg · Tue Nov 23, 2021 12:50 am

If you want maximum security and forget DMZ, firewall rules, port forwarding and NAT problems, simply use ZeroTier or Tailscale (Best is use both, one of fail over). Is my best recommendation.

Regards.

jaxed8 · Tue Nov 23, 2021 4:13 pm

Not really more secure, just small tweaks, for example in chain=input:

- you allow ports 500, 4500 and 1701, which would be for incoming L2TP/IPSec, but you don't seem to have that, so it's probably not needed
- if you need any such rule to allow something, it should be after the two rules that accept established & etc and block invalid

Yeah, I used to have L2TP/IPSec then I change it to IKEV2/IPSec and forgot to remove those rules.
Like this:

Screenshot 2021-11-23 174352.jpg

If you want maximum security and forget DMZ, firewall rules, port forwarding and NAT problems, simply use ZeroTier or Tailscale (Best is use both, one of fail over). Is my best recommendation.

Regards.

Is there any guide how to setup it on mikrotik?

krafg · Wed Nov 24, 2021 3:21 am

You don't need any setup on your Mikrotik to use ZeroTier or Tailscale, both are programs that you can install under Windows, Mac, Linux, Android, iPhone, RaspberryPi and more devices.

Install on all the devices that you need share files, add to your ZeroTier network / Tailscale account, and simply use the IP's that the platform generates to your devices.

No configurations needed.

Regards.