Author Topic: LinkStation Mini Firewall Configuration Problem  (Read 5539 times)

lmstone510

  • Calf
  • *
  • Posts: 5
LinkStation Mini Firewall Configuration Problem
« on: November 02, 2008, 12:36:22 PM »
   

We have a LinkStation Mini with the latest 1.05 firmware update behind a SonicWall TZ-190 configured to do one-to-one NAT.  We have allocated one of our ISP-provided fixed IP addresses to the LinkStation Mini.  We have also set up an A record in public DNS space.  The SonicWall's firewall has port 9000 open from the WAN to the LAN.

 

At this point, the LinkStation Mini is accessible from the LAN via https://privateIP:9000/, https://publicIP:9000/ and also via https://fqdn:9000/.

 

From the WAN however, there is no access at all; a web browser pointed to https://publicIP:9000/ and also to https://fqdn:9000/ just eventually times out.

 

If, however, we allow all ports:protocols from the WAN to the LAN, we can access the LinkStation Mini from the WAN just fine.  But that of course is not secure; we just want the web interface to access files.

 

So, it sounds like there are missing ports:protocols we need to open to get this to work, but the documentation mentions only the TCP port 9000 as being required.

 

What ports:protocols do we need to open to make this work please?  Also, please note that port forwarding is not an option for us; the WAN IP of the SonicWall is different than the WAN IP of the LinkStation Mini.

 

TIA,

Mark


Matt_M

  • Buffalo
  • ***
  • Posts: 116
Re: LinkStation Mini Firewall Configuration Problem
« Reply #1 on: November 03, 2008, 03:35:37 PM »
If you go into the interface for the Linkstation mini, under the Web Access section is it showing the external port as 9000 here? The reason I ask is because Web Access uses port 9000 as well as whatever is in that external port field.

lmstone510

  • Calf
  • *
  • Posts: 5
Re: LinkStation Mini Firewall Configuration Problem
« Reply #2 on: November 03, 2008, 04:17:23 PM »
   

Hi Matt,

 

Thanks for the reply.

 

This is our first LinkStation Mini, so maybe I have read the documentation wrong, but are you saying the little box (which does indeed have 9000 there) should be saying something else?

 

Thanks,

Mark


Matt_M

  • Buffalo
  • ***
  • Posts: 116
Re: LinkStation Mini Firewall Configuration Problem
« Reply #3 on: November 03, 2008, 07:27:45 PM »
No, it should just be showing 9000, but you can configure this to about any port you want. As a test here, try setting that to 9001 instead and allow both 9000 and 9001 to go through. If this returns the same results add 80 to the list as well since it does also use 80 to connect to the web config.

lmstone510

  • Calf
  • *
  • Posts: 5
Re: LinkStation Mini Firewall Configuration Problem
« Reply #4 on: November 03, 2008, 09:27:02 PM »
   

Hi Matt,

 

Thanks again for the follow up.  I'll change the port in the LM's Admin Console > Web Services to 9001 and open both 9000 and 9001 on the firewall.

 

We cannot open port 80 on the firewall; we don't want to give anyone on the public Internet access to the Admin Console. 

 

I'll report back tomorrow when I am back behind the firewall and can make and test these changes.

 

Thanks again,

Mark


lmstone510

  • Calf
  • *
  • Posts: 5
Re: LinkStation Mini Firewall Configuration Problem
« Reply #5 on: November 04, 2008, 10:23:22 AM »
   

Hi Matt,

 

The test failed, but the unit is now working.  We set the port in the Buffalo's web services admin console back to 9000 from 9001.  This wound up regenerating the ssl cert again and then, with no changes to the firewall, the unit was reachable through the firewall.  Weird. 

 

So, I'm a little reluctant to mark this thread as "Solved" since we don't know why regenerating an ssl certificate would make the unit work. We maintain a lot of Linux Apache servers, so my skeptical nature tends to think there is some bug in the Buffalo's Apache configuration scripts.  Of course, we can't see those scripts, so it's not fair to point a finger in that direction.  But if we can do anything to help Buffalo to better isolate this issue, we would be glad to do so.

 

Thanks again for all your help here!

 

With best regards,

Mark


davo

  • Really Big Bull
  • VIP
  • *
  • Posts: 6149
Re: LinkStation Mini Firewall Configuration Problem
« Reply #6 on: November 04, 2008, 06:28:51 PM »
   

It's definitely a port forwarding issue; the fact that it works from your LAN indicates this. You say that you have forwarded port 9000 from WAN to LAN, but have you forwarded it to the specific IP address of the LinkStation?

 

Edit: Just saw the part about the router having a different WAN IP. Given your setup I don't think you will be able to get it to work. However, if you do then let me know, as I would be interested to see your solution.

Message Edited by davo on 11-04-2008 06:31 PM

lmstone510

  • Calf
  • *
  • Posts: 5
Re: LinkStation Mini Firewall Configuration Problem
« Reply #7 on: November 05, 2008, 08:04:06 AM »
   

Thanks to all for your help.

 

The permanent (one day so far...) solution was to configure the firewall to do port forwarding instead of one-to-one NAT. 

 

We were able to get the unit to work sporadically on port 9000 with the firewall configured to do NAT, but after some period of time the device would become unreachable.  Since this seemed to be an upstream issue we reached out to our ISP (cable company), as the ISP has been busy upgrading their systems to support packet shaping, and also because we have had networking issues with DOCSIS 2.0 cable modems before.  We were told by a senior engineer at the ISP that they have seen a number of problems on their cable (not their fibre) network with firewalls doing NAT. 

 

Once we reconfigured the firewall yesterday afternoon to do port forwarding, and also changed the LinkStation's public DNS A record to point to the firewall's WAN IP (instead of one of the four other fixed IPs provided by the ISP), accessing the unit over the public Internet has been flawless.

 

We like one-to-one NAT because it enables us to run multiple servers of the same type behind one firewall, for example multiple web and mail servers, without having to reconfigure service ports on each server.  In this location we don't have multiple LinkStations (and presumably we could just change their web service ports if we did), so we are OK using port forwarding.

 

Since we can't get inside the LinkStation to see the configs, I don't think we can say exactly what the cause is here.  But, going forward we will be configuring firewalls to do port forwarding, rather than NAT, for these devices.

 

Hope this helps someone else.

 

All the best,

Mark


der-yeti

  • Calf
  • *
  • Posts: 1
Re: LinkStation Mini Firewall Configuration Problem
« Reply #8 on: December 29, 2008, 08:23:20 AM »
   

I had some similar probs with the webaccess of my LS Pro Duo. While I tried to forward the chosen external port of the webaccess to internal port 80 (because of http(s)), the webaccess always uses port 9000 in your LAN. So you simply have to forward the chosen external port to internal port 9000 and everything works fine. Regards, Philip