|
|
|
I am trying to forward port 80 to NAS drive, I have changed the ports in the management setup and added port forwarding rule in NAT/port redirection but 80 still remains closed, has anyone had this problem?
|
|
|
|
I would strongly advise against using port 80, use https 443,
in port redirect src port 8443 dest port 443 on all interfaces for https
or
in port redirect src port 8080 dest port 80 on all interfaces for http
to access from the outside world, use https://{public ip}:8443 or http and :80 for http
|
|
|
|
That won't work if you still access the DrayTek web admin on port 80.
But as said above opening port 80 is not good and ideally https access should be used.
Thanks
Dan
|
|
|
|
|
|
I have changed the web admin to 8080 and SSH to 4433 so in theory the redirects on 80 to local ip:80 and 443 to local ip:443 should work but they don't
|
|
|
I use a Wireguard VPN for remote access. The client runs on my Windows 10 laptop. More secure than port forwarding.
Michael Chare
|
|
|
|
Try a port above 1024.
|
|
|
|
I'm not sure how to explain it not working on port 80, but do you need to disable or redirect SSL VPN as well for port 443?
Also, presume you have set it to TCP, and to All WAN connections within the NAT rule. Made sure you are up to date with the Firmware just in case?
I also presume from your PC connection (internal to the NAS) that connection to the management pages is fine?
Silly question, but you are on a fixed IP on your WAN side that doesn't use anything like CGNAT etc etc? Or you have DDNS setup etc?
Got anything else forwarding using NAT, so you know all is well with the router?
|
|
|
|
By default the SSL VPN is on port 443 so have changed to 4433
Firmware is the latest.
Ports are open on NAS drive
Fixed IP address
No other ports forwarded
It worked on a TP Link router but have changed as all IPv6 is open on the internet
|
|
|
|
I would strongly advise not publishing the WebGUI of your NAS to the public internet. It's a far more secure solution to VPN into your Draytek and access your NAS.
If you wish to proceed anyway, your Draytek will be using most of the standard ports so you'll need to publish a non-standard port. You'll also want to use the Firewall to restrict who can access that port once open. For example, block all Countries except the country you reside in would be a great place to start. Lock it down further if you can.
|
|
|
You'll also want to use the Firewall to restrict who can access that port once open. For example, block all Countries except the country you reside in would be a great place to start.
Not possible to use a firewall to block by country. The internet is not organised in that way.
|
|
|
|
Country block lists are indeed a thing. I use them
|
|
|
Not possible to use a firewall to block by country. The internet is not organised in that way.
Oh no! Better stop doing that then.
|
|
|
Country block lists are indeed a thing. I use them
So when I’m at work, in an office in central London, my internet appears to be from the USA. The internet connection routes into LINX at Telehouse, but the IP address is owned by our head office in US. Too many websites (including Google maps) think we are in the USA, and others deny access.
Geo-IP is mostly a guessing game
24 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
|
It is indeed imperfect......but it stops over 99% of the noise from bad actors in 'those countries'
|
|
|
Infected computers on broadband… it just about helps. Email industry decided to “very low score” all broadband IPs to try and solve one problem.
24 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
Country block lists are indeed a thing. I use them
They might exist and you might use them. But it is still not possible to use a firewall to block by country. The internet is not organised in that way.
You are just using some snake oil with no idea of your false positives and false negatives.
|
|
|
|
|
|
|
The draytek can easily block by country,
https://www.draytek.co.uk/support/guides/kb-firewall...
Well, yes, it is easy to set up. But the internet is not organised by country, so it cannot be fully doing what it purports to do. Plus, with VPNs, you can choose to have your traffic appear to come from anywhere in the world you choose. It's delusion, firstly that the country blocklist is even relatively free of false positives and negatives and secondly that an IP address for a whitelisted country is not a VPN front for a blacklisted country.
It is false comfort.
|
|
|
|
It isn't false comfort. By blocking by "country" you are able to exclude a large percentage of hackers from Russia and China. Some will still get in. Some people in allowed countries will not be able to access. But, as a blunt tool it can help in giving a level of protection that is probably about 80-90% accurate.
|
|
|
I have done a similar configuration in the past, but to a rpi instead of a NAS.
80 and 443 redirect to the rpi, and my 2925's web interface is on 8080.
Used NAT | Open Ports and had an entry for 80 TCP/UDP to the static IP of the rpi
WAN interface: WAN1
Source IP: Any
repeated for 443
Vodafone Fibre (Superfast2 - 80/20), Draytek 130, DrayTek 2925, DrayTek AP-910c x 2
(Gone but not forgotten: AP-700, 2820n x 2, 2800vg, 2800, HG612)
|
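An added example, not from any poster in this thread or from DrayTek: a small check for the overlap several replies point to, where a forwarded WAN port is also claimed by one of the router's own services (web admin, SSL VPN). The service lists, the NAS address and the rule model are constructed for illustration; the code only reports overlaps and assumes nothing about which side the router firmware prefers.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """A service the router itself listens for on the WAN side."""
    name: str
    proto: str  # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Forward:
    """One NAT port-redirection / open-ports entry."""
    wan_port: int
    protos: tuple  # e.g. ("tcp",) or ("tcp", "udp")
    lan_ip: str
    lan_port: int


def find_conflicts(services, forwards):
    """Return (wan_port, proto, service_name) for every forward that
    overlaps a port the router is already using for itself."""
    listening = defaultdict(list)
    for s in services:
        listening[(s.proto, s.port)].append(s.name)
    conflicts = []
    for f in forwards:
        for proto in f.protos:
            for name in listening.get((proto, f.wan_port), []):
                conflicts.append((f.wan_port, proto, name))
    return conflicts


# Constructed sample data (hypothetical LAN address for the NAS).
NAS = "192.168.1.50"
FORWARDS = [Forward(80, ("tcp", "udp"), NAS, 80),
            Forward(443, ("tcp", "udp"), NAS, 443)]
# Router services as first described in the thread, then after being moved.
ROUTER_BEFORE = [Service("web admin", "tcp", 80), Service("SSL VPN", "tcp", 443)]
ROUTER_AFTER = [Service("web admin", "tcp", 8080), Service("SSL VPN", "tcp", 4433)]

if __name__ == "__main__":
    for label, svcs in (("before", ROUTER_BEFORE), ("after", ROUTER_AFTER)):
        print(label, find_conflicts(svcs, FORWARDS) or "no overlap")
```

The same check flags a redirect from WAN port 8080 once the web admin has been moved to 8080, so any relocated management port needs to stay out of the forwarding rules as well.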
|
|
Personally for incoming connections I'd rather just block everything by default then create an IP allow list consisting of addresses and networks I manage or know about.
Other than that incoming access (particularly for private storage or content) is by (keypair-based) VPN only.
It's all rather tangential to the OP's question anyway but for the sake of technical correctness, the most dangerous sources are those controlled under botnets which by definition are not tied to any single geographical region.
prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
|
|
|
It isn't false comfort. By blocking by "country" you are able to exclude a large percentage of hackers from Russia and China. Some will still get in. Some people in allowed countries will not be able to access. But, as a blunt tool it can help in giving a level of protection that is probably about 80-90% accurate.
That's false comfort exemplified.
|
|
|
It's all rather tangential to the OP's question anyway but for the sake of technical correctness, the most dangerous sources are those controlled under botnets which by definition are not tied to any single geographical region.
Exactly.
|
|
|
|
I disagree. It is providing a level of protection - it is by no means perfect but it will reduce risk to some extent. Some mitigation is better than none.
|
|
|
Agreed. No one is stating using Country Blocks is the silver bullet but it does absolutely reduce the surface area of attack considerably.
Edited by nofappingway (Tue 16-Jul-24 17:36:26)
|