DDNS problem
Hi,
I'm a Netgear Orbi to TP-Link Deco convert so this is new to me. I set up DDNS using No-IP. All looks good but when I try to go to the domain I get a blank web page with this error:
Forbidden
Rected request from RFC1918 IP to public server address
What am I doing wrong or missing?
My first post here after 12 years of Netgear so bear with me!
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi, welcome to the community.
Do you try to use the No-IP DDNS to access the web UI of Deco or a local LAN server?
If it is for the Deco web interface, the remote access of the Deco web interface is disabled by default and you might need to use the Deco APP to remotely control the Deco.
network.
Thank you very much and wait for your reply.
- Copy Link
- Report Inappropriate Content
David-TP wrote
Hi, welcome to the community.
Do you try to use the No-IP DDNS to access the web UI of Deco or a local LAN server?
If it is for the Deco web interface, the remote access of the Deco web interface is disabled by default and you might need to use the Deco APP to remotely control the Deco.
network.
Thank you very much and wait for your reply.
@David-TP I was hoping to be able to accesss a NAS connected to the my Deco system at home. Is that possible, and if so how do I do it?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
cdysthe wrote
David-TP wrote
Hi, welcome to the community.
Do you try to use the No-IP DDNS to access the web UI of Deco or a local LAN server?
If it is for the Deco web interface, the remote access of the Deco web interface is disabled by default and you might need to use the Deco APP to remotely control the Deco.
network.
Thank you very much and wait for your reply.
@David-TP I was hoping to be able to accesss a NAS connected to the my Deco system at home. Is that possible, and if so how do I do it?
@cdysthe Not sure if you ever got this figured out. I'm setting up a server cluster at home, so I've been messing around with this lately, and might be able to offer some help because the documentation provided for this feature is not very extensive or explanatory. I want to say that I'm not sure what you're trying to do is the best idea from a security standpoint, but I'll talk about that later. First, you should know that the DDNS feature on the router only communicates to the DDNS provider what your current public IP address is. The router does not by default serve any content if you don't tell it to. Essentially, all that is going on is that the router says to the domain host "My current public IPv4 address is <EXTERNAL IP>," and the domain host says, "Ok, unless you tell me that changes, I will point <NO-IP DOMAIN> to <EXTERNAL IP>." It would be the same as if you put http:// <EXTERNAL IP> (or https:// for SSL) into your browser and said "go!" Your machine would then query port 80 (or 443 for SSL) at <EXTERNAL IP> as if you had typed in <EXTERNAL IP>:80 for HTTP request, and response. If you do not have port 80 and/or 443 open, the request gets no response, and you generally get a "page cannot be displayed error" because there is no page. Since you don't have those ports open, your browser is telling you it looked for a webpage there, but the server refused the request (because it has nothing to serve, and the firewall is likely set to drop those requests, thus it is "forbidden").
So to get to your question I'm going to have to make some assumptions because I'm working with limited info on your setup, but regardless, you have to open some port (doesn't have to be 80 or 443, but those are the standard HTTP/S ports) in order for the browser to be able to connect. This might be slightly different depending on the router, but you should be able to access this from your Deco App under Advanced > NAT Forwarding > Port Forwarding where you can add a rule. More info in articles titled "How to set up Port Forwarding feature on the Deco" "Why port forwarding feature is not working on my Wi-Fi router or Deco?" and "General Troubleshooting For DDNS on a TP-Link Wi-Fi Router, LTE Gateway Router, or Deco Router". I'm assuming your NAS has some sort of web GUI that you're hoping to be able to access outside of your home network. You're going to need to find out the local IP of your NAS on your home network (<INTERNAL IP>), and what port(s) it uses to display that interface that you use. You want to do this because exposing all ports is a bad idea, and dangerous, so you should limit it to only the port(s)/port range that you need. It is most likely serving them on port 80 and 443 for ease of access, but you should check the documentation for your NAS, or the OS you're running on your NAS to find what ports it uses. There are other ways, but start with the documentation as it should specify. What you're wanting to do is to bind those ports that are open on your NAS to open ports on the router by creating a rule. So, for example, if you wanted port 80 from your NAS to be accessible at your No-IP domain, you would want to bind <INTERNAL IP>:80 to <EXTERNAL IP>:80 so now when a browser asks for HTTP content from <NO-IP DOMAIN>, your router sends the request to your NAS at port 80, and your NAS responds with the web based GUI interface just like it would if you accessed it on your local network (in theory anyway, but there are a number of things that could prevent this from actually working). Now, you can bind whatever port to whatever you want. These are the default ports, but you could bind port 80 from your NAS to port 33333, and then you would access it by accessing <NO-IP DOMAIN>:33333, and your browser would try to access that port for the HTTP request, but without that port number (33333) on the end of the address, it would query port 80 dy default, and no webpage would be displayed.
KEEP IN MIND: this is not a great idea. Assuming I'm understanding what you're trying to do correctly, you're potentially creating a huge security risk for the sake of convenience. (Keep in mind, I'm trying to warn you, not admonish you. There have been plenty of times I've done something I think is reasonable only to find out I have not at all taken the appropriate precautions.) If you go through with this set up, even if you limit the ports you expose, and even if you put it on some random port so that it's less easily accessible, you're still opening part of your private network, specifically your NAS GUI, to the entire internet. It is routine for servers (for both legitimate, and malicious purposes) to routinely scan IP addresses to see if they respond to requests on certain ports, or any open port. When anybody goes to your domain, they will get served the same page you get. I assume the landing page for your NAS is some sort of login/authentication page, but a lot of hardware like that is put out assuming you aren't just opening it up directly to the whole internet, so you're relying on whatever security that software provides against any intrusion attempt on the web. It might be rock solid security that's regularly updated, or it might have known flaws that can be exploited with the last update released years ago. It's up to you as to how comfortable with that you are, but you would be risking data loss, and data theft along with any number of network intrusions that might be able to result from someone ending up with unrestricted access to your NAS, and from there, your entire home network. You could create firewall rules that only allow connections from certain external IP addresses to somewhat mitigate this, but that's not foolproof, and you would only be able to access it from the whitelisted IP addresses. It would be more ideal for you to set up a VPN (article called "How to set up The VPN Server/VPN Client Feature on a Deco Mesh Wi-Fi Router") so you can have a secure tunnel that puts whatever computer you're on partially inside your home network, and then you could access the NAS that way. It looks like this functionality is built into your router, and takes a little setup, but would provide a higher level of security.
Alternatively, you could set up a reverse proxy server with strong authentication protocols, and have that server be what's exposed on the router to the wider internet. You could run this on a separate machine if you have one laying around, or use Docker, or some other virtualization platform to run it off of an existing (always on) machine if you have that capability since the reverse proxy server shouldn't require a lot of resources depending on your setup and use. (You want to use a separate machine, or a virtualized container/machine because you want to segregate this server from other resources so it only has access to itself, and the resources on your network you give it access to.) You might look into NGINX, which has reverse proxy server functionality built in if you decide to go this route. The reverse proxy server would then make you authenticate before granting access, and then at that point, it would handle communication between your NAS and the internet as an additional firewall/barrier. It could then forward you to your NAS to login like normal just like you would if you were on your home network. This solution is somewhat complex, but there are a lot of tutorials and forums online that can help you through it.
Your best bet would probably be to set up the VPN, and work through that process for security reasons, and it should be relatively straight forward since it's a built in functionality of your router.
Hope this helps. Best of luck!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 932
Replies: 4
Voters 0
No one has voted for it yet.