Insecure Device (LAN vs Internet)

Problem: I want to give all LAN devices full access (including FTP, SSH) to the WD My Cloud. I want to block ANY user from WAN (Internet) from having ANY access to the WD My Cloud.

After some exchanges with WD support, I’m informed that it cannot be done.

I’m told that the only way to turn off access from the Internet is Settings > General > Cloud Access > Remote Access Off. However, this turns off not only Internet access, it also turns off access from mobile devices, even if they’re on the LAN.

This makes the WD My Cloud an utterly insecure device. Your only defence is your data not being important enough for someone to want to access it.

I suppose the only solution is to configure the network services filter on the router to block all TCP and UDP from the WDMC to any IP outside the LAN range. I haven’t tried this before, and I’m not sure how feasible it is.

Any other suggestions?

TIA.
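The router-side filter the post proposes (block everything between the NAS and any address outside the LAN range) can be expressed as two rules on a Linux-based router. The script below is an added example, not from the original thread or from WD; the NAS address 192.168.1.20, the LAN range 192.168.1.0/24 and the WAN interface name eth0 are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example (not from the thread or from WD): generate nftables rules for a
# Linux-based router so the NAS is reachable from the LAN only.
# Assumptions: NAS at 192.168.1.20, LAN range 192.168.1.0/24, WAN interface eth0.
NAS_IP="${NAS_IP:-192.168.1.20}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Print the ruleset rather than loading it, so it can be reviewed before use.
# Usage: gen_nas_rules <nas_ip> <lan_cidr> <wan_interface>
gen_nas_rules() {
  nas="$1"; lan="$2"; wan_if="$3"
  cat <<EOF
table inet nas_isolation {
  chain forward {
    # Evaluated before the router's own forwarding rules (priority -10).
    type filter hook forward priority -10; policy accept;
    # 1. Anything arriving from the WAN side addressed to the NAS is dropped,
    #    which also neutralises ports opened by UPnP, port forwarding or DMZ.
    iifname "$wan_if" ip daddr $nas counter drop
    # 2. The NAS may not talk to any address outside the LAN range, so it
    #    cannot register with a cloud relay or otherwise phone home.
    ip saddr $nas ip daddr != $lan counter drop
  }
}
EOF
}

# Count the drop rules in the generated set: a quick sanity check that both
# directions are covered before the ruleset is loaded.
count_drop_rules() {
  gen_nas_rules "$1" "$2" "$3" | grep -c 'counter drop'
}

# Stand-alone run: show the ruleset. To load it on the router:
#   gen_nas_rules "$NAS_IP" "$LAN_NET" "$WAN_IF" | nft -f -
gen_nas_rules "$NAS_IP" "$LAN_NET" "$WAN_IF"
```

Both rules sit in the forward chain, which only sees traffic the router routes between interfaces; LAN clients reaching the NAS over the same switch or bridge never pass through it, so LAN access (SMB, FTP, SSH, DLNA) is unaffected. The outbound rule does block the NAS's own Internet use (firmware updates, NTP, the cloud relay), which is the point of the exercise. Disable UPnP on the router as well, otherwise the NAS can re-request mappings; the inbound rule above still drops them, but there is no reason to let the holes be opened at all.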

If your router isn’t forwarding ports, then it won’t work from the Internet.

If I understand correctly you want ftp/ssh/webdav access only within your LAN environment and absolutely no outside WAN access?

In WD Dashboard settings, enable ssh/ftp/remote access but set the remote access incoming ports to “manual” and give them any spoofed value, e.g. http=8888, https=9999. This will ensure WDMyCloud will not try to open up those ports in your router via UPnP. After this, no external WAN access is possible, including wd2go.com (you’ll see WDMyCloud complaining about port forwarding), but you can still access it within the LAN using ftp/ssh and mobile apps.

Just in case, note that you can’t access ssh port 22 and ftp port 21 externally from the WAN because they don’t do UPnP. The same goes for other ports, e.g. http/s on ports 80/443. Unless, of course, you’ve forwarded those ports on your router to the NAS, the app was allowed to use the UPnP service on your router, or, worst case, your router is DMZing to the NAS.
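Whether the advice above worked (or whether a forwarding rule was left behind) is something you can check from the LAN rather than take on faith: list the mappings the router's UPnP IGD currently holds and look for any that point at the NAS. The script below is an added example, not from the thread or from WD. It parses the table format printed by `upnpc -l` from miniupnpc; the listing embedded in it is a constructed sample, not real router output, and the NAS address 192.168.1.20 is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or from WD): audit a router's UPnP port
# mappings for entries that point at the NAS. The table format is the one
# printed by `upnpc -l` (miniupnpc); the lines below are a constructed sample.
# Assumption: the NAS is at 192.168.1.20.

# Constructed sample of a `upnpc -l` mapping table.
SAMPLE_LISTING=$(cat <<'EOF'
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8888->192.168.1.20:80 'WDMyCloud' '' 0
 1 TCP  9999->192.168.1.20:443 'WDMyCloud' '' 0
 2 UDP 51413->192.168.1.30:51413 'Transmission' '' 0
EOF
)

# Print the mapping lines whose internal address is the NAS.
# Usage: <listing> | nas_mappings <nas_ip>
nas_mappings() {
  awk -v nas="$1" '$3 ~ ("->" nas ":")'
}

# Number of such mappings; 0 is what you want to see once the dashboard's
# remote-access ports are set to unused "manual" values and UPnP is off.
# Usage: <listing> | nas_mapping_count <nas_ip>
nas_mapping_count() {
  nas_mappings "$1" | wc -l | tr -d ' '
}

# External port of each NAS mapping, one per line, as "<port>/<proto>";
# these are the holes a remote attacker would see from the Internet.
# Usage: <listing> | nas_external_ports <nas_ip>
nas_external_ports() {
  nas_mappings "$1" | awk '{ split($3, a, "->"); print a[1] "/" $2 }'
}

# Stand-alone run against the sample. On a real LAN, replace the sample with
#   upnpc -l | nas_mappings "$NAS"
NAS="${NAS:-192.168.1.20}"
printf '%s\n' "$SAMPLE_LISTING" | nas_mappings "$NAS"
```

Run the real listing through `nas_mapping_count` after every change to the dashboard or router; anything above zero means the NAS is still being exposed. Stale entries can be removed with `upnpc -d <external_port> <protocol>`, but they will reappear unless the device that requested them is stopped from doing so, which is exactly what the "manual" port trick and disabling UPnP on the router achieve.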

TonyPh12345 wrote:
If your router isn’t forwarding ports, then it won’t work from the Internet.

Thanks for the reply.

Port forwarding is disabled on the router. WDMC uses UPnP, which is enabled.

Nazar78 wrote:

If I understand correctly you want ftp/ssh/webdav access only within your LAN environment and absolutely no outside WAN access?

Thanks, that’s exactly what I want.

Nazar78 wrote:

set the remote access incoming ports to “manual”

I’m afraid I don’t see any such option in Settings

Alexiadis wrote:

Nazar78 wrote:

If I understand correctly you want ftp/ssh/webdav access only within your LAN environment and absolutely no outside WAN access?

Thanks, that’s exactly what I want.

Nazar78 wrote:

set the remote access incoming ports to “manual”

I’m afraid I don’t see any such option in Settings

Look further, my friend; there are lots of wonderful things this small device could offer.

Ensure remote access is enabled, you’ll see “Configure »”.

Nazar78 wrote:

Ensure remote access is enabled, you’ll see “Configure »”.

Thanks, now I see. FWIW, similar advice was offered by WD tech support (of course, with the caveat that they don’t support it). I find it very disappointing having to go through such gymnastics for what should be a basic security feature. I guess users have no idea just how vulnerable they are.

Alexiadis wrote:

Thanks, now I see. FWIW, similar advice was offered by WD tech support (of course, with the caveat that they don’t support it). I find it very disappointing having to go through such gymnastics for what should be a basic security feature. I guess users have no idea just how vulnerable they are.

No problem. I’m very sorry but IMHO (not siding with WD in any way), the device’s name, “CLOUD”, says it all, which is obviously the “in thing” nowadays. So users should expect the device to be accessible from the Internet.

From a vulnerability point of view, security is also the responsibility of each user. As long as strong, non-shared passwords are enforced, this device should be safe facing the Internet with only WebDAV forwarded to the WAN.

FYI, I have had MyCloud open to the Internet 24/7 since I got it. On top of the existing HTTP/HTTPS/FTP/SSH ports facing the WAN, it has also been modified to run FTPS/MySQL/SMTP/POP3 servers for several private virtual domain/MX hostings.

So help someone who is not as smart as he should be out…!

I don’t want any WAN access to the MyCloud, so I have remote access disabled.  I presume that with this setting, uPnP and port forwarding don’t matter, the Internet can’t try to talk to the MyCloud no matter how those are set in the router.  Correct?

I have uPnP enabled right now, but I don’t wish it to be.  Also, ports are forwarded (temporarily) as a troubleshooting measure.  But I guess I just don’t understand.  From what I see here, right now as configured with cloud/remote access off, someone with a mobile device won’t be able to see the drive via the LAN?  Seems odd.  Explain?

Also, what should I ultimately do with ports and uPnP?  I want access only from inside the LAN, from computers and DLNA-enabled devices.  Can I turn uPnP off and unforward the ports?  Is there a speed penalty for doing this?

And secondarily, suppose I did sometime want a mobile device to be able to get a tune from the LAN?  Can anyone provide just a little more clarity on what to do?

MrPink wrote:

So help someone who is not as smart as he should be out…!

I don’t want any WAN access to the MyCloud, so I have remote access disabled.  I presume that with this setting, uPnP and port forwarding don’t matter, the Internet can’t try to talk to the MyCloud no matter how those are set in the router.  Correct?

I have uPnP enabled right now, but I don’t wish it to be.  Also, ports are forwarded (temporarily) as a troubleshooting measure.  But I guess I just don’t understand.  From what I see here, right now as configured with cloud/remote access off, someone with a mobile device won’t be able to see the drive via the LAN?  Seems odd.  Explain?

Also, what should I ultimately do with ports and uPnP?  I want access only from inside the LAN, from computers and DLNA-enabled devices.  Can I turn uPnP off and unforward the ports?  Is there a speed penalty for doing this?

And secondarily, suppose I did sometime want a mobile device to be able to get a tune from the LAN?  Can anyone provide just a little more clarity on what to do?

Read from the 1st post! Then point out which part of it you didn’t understand, if any?

I DID read from the first post, and I am asking for clarification on the specific questions I asked.  I want to understand the implications of various configurations.  Those questions specifically state what I don’t understand.   I’m sorry, but when it comes to networking, I am just not as smart as some of you folks.  I need a little bit of context and a little bit of tutorial in order to understand better. Could you please answer my questions?

It is not the task of the MyCloud (or any other device) to prevent access from outside. The router/firewall does that. Close the ports on the router and disable UPnP, that’s all.

MrPink wrote:

So help someone who is not as smart as he should be out…!

I don’t want any WAN access to the MyCloud, so I have remote access disabled.  I presume that with this setting, uPnP and port forwarding don’t matter, the Internet can’t try to talk to the MyCloud no matter how those are set in the router.  Correct?

Correct.

I have uPnP enabled right now, but I don’t wish it to be.  Also, ports are forwarded (temporarily) as a troubleshooting measure.  But I guess I just don’t understand.  From what I see here, right now as configured with cloud/remote access off, someone with a mobile device won’t be able to see the drive via the LAN?  Seems odd.  Explain?

See the last paragraph.

Also, what should I ultimately do with ports and uPnP?  I want access only from inside the LAN, from computers and DLNA-enabled devices.  Can I turn uPnP off and unforward the ports?  Is there a speed penalty for doing this?

Just turn them off if you don’t want external access to any of your devices. Your router manages all these. If the external ports are off, then why would you be asking about a speed penalty? Internally? These ports are determined by your router and don’t affect speed. But if you have port forwarding and UPnP off, some of your apps might not work, i.e. hosting online games or torrenting.

And secondarily, suppose I did sometime want a mobile device to be able to get a tune from the LAN?  Can anyone provide just a little more clarity on what to do?

If you have your remote access off, internally you can still access it from an existing mobile device. But you can’t connect a newer mobile device internally because it can’t communicate to authenticate between the NAS and wd2go.com.

I previously suggested that the OP enable remote access but not use UPnP, and instead fake the open ports on the NAS. This is because when I first got the NAS, while poking around, I think I noticed the remote access was automatically turned on when a new internal device tried to connect for the 1st time. Maybe a glitch or bug, but I didn’t really investigate further as I need the remote access to be turned on.

See above. No worries, networking is simple. You just need to get hold of the fundamentals.

Thank you.  The external ports are currently on.  This network is a bunch of boxes running XP, Vista and 7.  I was made to understand that I needed to forward the ports because there would be speed penalties on the XP boxes if I did not.  I’m delighted to turn those ports and uPnP off.

I’m really just not a network guy, so this is why I asked.  Thanks again.

Edit: And why can’t a newer mobile device communicate and authenticate?  What’s the difference between a newer device and an older device?

MrPink wrote:

I was made to understand that I needed to forward the ports because there would speed penalties on the XP boxes if I did not.

Who told you this? Probably this person doesn’t understand how ports work. I’m telling you from more than a decade of experience programming with sockets.

MrPink wrote:

Edit: And why can’t a newer mobile device communicate and authenticate?  What’s the difference between a newer device and an older device?

Existing mobile devices have already authenticated with wd2go.com, so both the cloud and the mobile device are made known to the security token. Whereas newer mobile devices don’t have this security token. You have to generate it from the cloud to use it on newer mobile devices.

Not doubting you at all.  That’s why I asked. 

Nazar78 wrote:

Existing mobile devices have already authenticated with wd2go.com, so both the cloud and the mobile device are made known to the security token. Whereas newer mobile devices don’t have this security token. You have to generate it from the cloud to use it on newer mobile devices.

Sorry, still confused.  I’ve never used wd2go.com and have not set up a MyCloud account, so I presume that no mobile device has a token.  Suppose we do a hypothetical.  User Jones shows up at my house and wants to be able to stream music from the MyCloud with his mobile device.  Twonky is running.  Does Jones (or I) need to do something special to be able to make that happen?  I can’t test this because I don’t need and don’t own a mobile device.  I would presume that anything in the public folder can be had by anyone who can connect to the network.

Twonky is a DLNA server, a whole different thing. Any local device can see the media shared. I’m talking about WD WebDAV shares.

Good, that is as I thought.  No one else needs network shares, they just need what I let out with DLNA.  Thank you!