I'm new here, I hope I'm in the right place. I'm also new to networking at this level of complexity and this might be a stupid question, so sorry in advance. For reasons, I have a nas (synology) with ethernet only which I cannot connect to the wired network of the place where it is, so I'm setting up a raspberry pi to act as a router/internet connection sharing device to bring the nas on the network via wifi. This is the setup:

workplace(wifi) <---> rpi(wifi, dhcp)---rpi(dhcp server, firewalld)---rpi(ethernet) <---> nas(ethernet, dhcp)

I have managed to configure both wifi and ethernet connections properly, set up the dhcp server properly (on eth0), and enable masquerading on firewalld so that the nas can get to the internet. The nas is supposed to host, among other things, a web server, so I need to forward ports 80 and 443 directly to the nas. Here is where my problems start. How firewalld is configured right now:

  • both wlan0 and eth0 are in the public zone (default zone)
  • masquerading enabled for the public zone
  • services http and https enabled for the public zone

As soon as I forward port 80 this way:

firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=80:toaddr=NAS_IP

The NAS webserver is visible from other machines in the workplace network, but the nas itself doesn't have internet access anymore, as any http request is redirected to its own webserver, rather than the internet. If I remove the port forward the connectivity comes back, but of course I cannot access the webserver anymore.

I know that an easy solution would be to move the webserver to a different port, but I really want to keep it on port 80 to make things easy for the users. I've read this bug report that looks like the issue I'm having, but it also looks like it's been solved already (although the version installed on the system is 0.6.3, so I'm not entirely sure about that). I would like to know if this is a bug in the program, or if I've just been dumb with my configuration (e.g. the two interfaces are not supposed to be in the same zone, or something similar). Thanks for any help provided.

iacchi

1 Answer

You put the NAS in the public zone, whereas it should be in a different zone. You can choose an existing zone or create a new one.

Michael Hampton
  • Thank you, I will try that. Quick question though: should the port forward be set up in the public zone, the new one or both? What about enabling the services and enabling masquerading? – iacchi Sep 01 '20 at 20:25
  • @iacchi That depends on the network setup of that firewall machine, which you didn't elaborate on. Typically the WAN-facing interface will be in the `public` zone and the internal network(s) will be in one or more other zones. – Michael Hampton Sep 01 '20 at 20:26
  • I didn't elaborate because I didn't think it was necessary. It's a standard university network (I don't know all the details with precision). IT doesn't want to whitelist the NAS, so I'm trying to find other ways to do so. I understand that the WAN-facing interface (wlan0) will have to go in the public interface and the other one (eth0) in the other one (e.g. the trusted one?). What I'm not sure about is in which of the two (or if both) I should set up the port forward, the masquerading and where to enable the services. – iacchi Sep 01 '20 at 21:01
  • @iacchi Those go on the public zone. – Michael Hampton Sep 01 '20 at 21:02
  • Ok, thank you! Tomorrow I'll try all that we said today. – iacchi Sep 01 '20 at 21:27
  • (Sorry for not pinging, it looks like I cannot.) As all masquerading, port forwards and needed services were already enabled in the public zone, I have tried to just move eth0 from public to trusted. The NAS can access the internet as long as I don't forward ports 80 and 443, but once the forwards are in place internet access stops again. I'll try to update firewalld by taking packages from testing if I don't run into dependency hell, and see if the newer version fixes the problem (maybe now this is really related to the bug that I mentioned before). – iacchi Sep 02 '20 at 10:05
  • No dice. I've managed to install version 0.8.3 from the testing repos, but the service fails to start. – iacchi Sep 02 '20 at 12:21
  • @iacchi Can you show your entire firewalld setup? `firewall-cmd --list-all-zones` – Michael Hampton Sep 02 '20 at 14:45
  • Here's the output (at the moment forward of port 80 and 443 is disabled, but it would go together with the others already active): https://pastebin.com/2CmkNxSB – iacchi Sep 03 '20 at 08:57
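The two-zone layout the answer recommends (WAN interface in `public` with masquerading, the http/https services and the forward-ports; the NAS-side interface in a separate zone), written up as an added script that is not from the thread. Interface names, the `internal` zone and the NAS address 192.0.2.10 are placeholders; the script prints the `firewall-cmd` calls by default and only executes them when run with `APPLY=1`.

```shell
#!/bin/sh
# Added example: apply the two-zone firewalld layout from the answer.
# All names below are placeholders for the real gateway's interfaces and NAS.
WAN_IF="${WAN_IF:-wlan0}"           # faces the workplace Wi-Fi
LAN_IF="${LAN_IF:-eth0}"            # faces the NAS
LAN_ZONE="${LAN_ZONE:-internal}"    # any zone other than public
NAS_IP="${NAS_IP:-192.0.2.10}"      # placeholder NAS address
# Dry run unless APPLY=1: print each firewall-cmd call instead of executing it.
DRY_RUN=1; [ "${APPLY:-0}" = 1 ] && DRY_RUN=0

# Run (or print) one firewall-cmd invocation.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Refuse the layout the question started from: both interfaces in one zone.
# Zone-level rules (masquerade, forward-port) apply to every interface bound
# to that zone, so the NAS-side interface must not share the WAN zone.
check_zones() {
    [ "$1" != "$2" ] || { echo "WAN and LAN interfaces must be in different zones" >&2; return 1; }
}

configure_nas_gateway() {
    check_zones public "$LAN_ZONE" || return 1
    # --change-interface moves the interface out of whatever zone it was in.
    fw --permanent --zone=public --change-interface="$WAN_IF"
    fw --permanent --zone="$LAN_ZONE" --change-interface="$LAN_IF"
    # Everything the WAN side needs stays in public, as the answer says.
    fw --permanent --zone=public --add-masquerade
    fw --permanent --zone=public --add-service=http
    fw --permanent --zone=public --add-service=https
    for port in 80 443; do
        fw --permanent --zone=public \
           --add-forward-port="port=$port:proto=tcp:toport=$port:toaddr=$NAS_IP"
    done
    fw --reload
}

# Show which zone each interface ended up in, for a quick sanity check.
show_layout() {
    fw --get-zone-of-interface="$WAN_IF"
    fw --get-zone-of-interface="$LAN_IF"
}

configure_nas_gateway && show_layout
```

Compare the result with `firewall-cmd --list-all-zones` afterwards: only `public` should carry the masquerade and forward-port entries, and `eth0` should appear under the other zone.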