My Cloud + Router / Firewall

I checked my router log and confirmed that during MC install there were changes made not by me!

The bolded entries were at the time of install, my userid = pfeiffep, desktop ip = 192.168.1.4

Mar 3 17:45:10 2015 Firewall Info User authentication success Username: pfeiffep from 192.168.1.4
Mar 3 18:14:24 2015 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings [repeated 7 times, last time on Mar 3 18:38:59 2015]
Mar 3 19:27:34 2015 Firewall Info User authentication success Username: pfeiffep from 192.168.1.4
Mar 3 19:30:00 2015 Firewall Info User Logout Username: pfeiffep from 192.168.1.4
Mar 3 20:16:45 2015 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings [repeated 4 times, last time on Mar 4 07:29:51 2015]

I’m upset that My Cloud install procedure can actually perform these steps without explicitly requesting my permission.

I’m hoping to fully bypass WD authentication.

This is normal and expected. If you enable remote access in automatic mode and your router supports UPnP, the WD My Cloud will try to use ports 80 and 443 (If available) for remote access. 

1 Like

Thanks for the reply,

Please elaborate on “normal”

  1. If this is normal for a monitored MC install then that’s a problem with WD!
  2. OTOH if this is normal for a router then my issue is with Verizon / Actiontec!

In either case my router / firewall configuration should NOT be changed without my explicit approval.

BTW I just logged into my router and changed the settings concerning icmp then looked at the log - the action was logged as WBM user pfeiffep

the actions I detailed in OP were not made by me!

Regards,

Pete

This has been normal behavior for WD NAS devices since the WD My Book Live introduced WD2go remote access features in 2011. The “automatic” option does exactly that: It maps the ports automatically if your router supports UPnP. If user approval or configuration is needed, then it’s best to change remote access connection mode from automatic to manual in order to specify the ports to be used.

1 Like

I’ll accept this as an UNACCEPTABLE solution wrt WD

That is standard UPnP (universal plug and play) behaviour. It’s not just the MC. If you take a look at the UPnP section of your router, I’m sure you will see many other devices, e.g. a PC with certain Windows apps themselves, will open UPnP ports as needed.

I studied the router BEFORE I connected the MC and ensured that UPnP was disabled and still is by using this site. I’m not certain I understand exactly what you mean.

Regards,

Pete

I’m not sure which specific test you tried running on that website.  There is one called the UPnP Internet Exposure Test - but that test just ensures that the UPnP protocol isn’t available to the public Internet (it’s not supposed to be).

I just tried that test (and I know I have UPnP enabled on my router).  The website came back and said that the router did not respond to their UPnP probe (which it shouldn’t be able to).

Maybe if you give us the name and model of your router I can find the docs on how to confirm you actually have UPnP disabled?

1 Like

Thanks swallman,

I ran the exposure test and the all lower # port scan and I agree that the router’s config was enabled INTERNALLY as I was not exposed to the internet. (Verizon fios Actiontec M1424wr gige) My main issue is the total disregard or respect shown to the individual by WD’s install procedure. I opened a case so I could determine if there was a reasonable solution they could suggest for internet access and there was none - “that’s the way it has to work” was the general answer.

But they did say that I could maintain full functionality (with NO internet access) by simply blocking the ports on the router or changing the network config on MC.

I have blocked internet access and will continue to use this solution as a single source backup for the computers in my household. I now do truly have a personal PRIVATE cloud.

I was slightly swayed to WD solution since MC offered additional benefits that I will now not pursue.

Since I’ve installed I’ve discovered that MC (3TB) and My Book Studio (4TB):

  • fully backs up 2 Windows 7 computers
  • fully backs up Mac Book Pro using Time Machine (after initial hard wired backup of 40 min, wifi now takes about 7)
  • can be fully managed by either one of my Linux computers
  • can be accessed by 2 iPhones (I haven’t tested out of home)
  • MC automatically generates safepoints to the always connected My Book
  • using SMB on Linux I can populate shares on the MC
  • the only WD software I use is Smartware on Windows (I’ve dabbled with MyCloud desktop on Mac)
  • provides more storage and flexibility than I’ve ever dreamed of

I’ll be experimenting with iTunes and other media sharing from WITHIN my home.

BTW - I purchased both these units directly from WD recertified - I don’t think that I could have found 7 TB for the $275 I paid. The hardware is pretty solid!

I decided to verify the full functionality aspect from the tech; also decided to watch my firewall as I made changes to MC using Dashboard. I confirmed my suspicion that WD’s software / firmware is programmed to make changes to my firewall without any approval or warning. I caught the actions in the firewall security log.

Steps taken:

  • on firewall confirm ports 80 & 443 forwarded WD2go
  • disabled Cloud access on MC using Dashboard
  • on firewall confirm ports 80 & 443 no longer forwarded
  • enabled Cloud access on MC using Dashboard
  • on firewall confirm ports 80 & 443 forwarded WD2go
  • disabled Cloud access on MC using Dashboard

The message in M1424wr rev I router security log

“Mar 7 16:25:45 2015 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings [repeated 3 times, last time on Mar 7 16:29:35 2015]”

An authenticated message:

“Mar 7 09:12:43 2015 Firewall Setup Configuration change WBM user pfeiffep (192.168.1.3) has changed security settings”

I have opened a case with Actiontec asking how to prevent unwanted changing of settings by WBM.
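The log comparison made in the post above can be automated. The following is an added example, not part of the original thread: it flags "Configuration change" entries that are not tied to a logged-in WBM session, using the line formats quoted in the thread. The session tracking is an assumption (the router may end sessions without logging a logout).

```python
import re
from datetime import datetime

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d \d{4})"
LOGIN = re.compile(TS + r" Firewall Info User authentication success Username: (\S+) from (\S+)")
LOGOUT = re.compile(TS + r" Firewall Info User Logout Username: (\S+) from (\S+)")
CHANGE = re.compile(
    TS + r" Firewall Setup Configuration change WBM user (\S+) \((\S+)\) has changed security settings"
    r"(?: \[repeated (\d+) times, last time on ([^\]]+)\])?")

def parse_ts(text):
    # Collapse padded day numbers ("Mar  3") before parsing.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y")

def unattributed_changes(lines):
    """Return config changes made by a user/IP pair with no open login session."""
    sessions = set()   # (username, ip) pairs currently logged in to the router UI
    findings = []
    for line in lines:
        if m := LOGIN.match(line):
            sessions.add((m[2], m[3]))
        elif m := LOGOUT.match(line):
            sessions.discard((m[2], m[3]))
        elif m := CHANGE.match(line):
            if (m[2], m[3]) in sessions:
                continue   # change made by an authenticated administrator
            findings.append({
                "user": m[2], "ip": m[3],
                "count": int(m[4]) if m[4] else 1,   # router collapses repeats
                "first": parse_ts(m[1]),
                "last": parse_ts(m[5]) if m[5] else parse_ts(m[1]),
            })
    return findings

# Entries quoted in the thread, plus one constructed line (the second) showing
# what an authenticated change looks like inside a login session.
SAMPLE_LOG = [
    "Mar 3 17:45:10 2015 Firewall Info User authentication success Username: pfeiffep from 192.168.1.4",
    "Mar 3 17:50:00 2015 Firewall Setup Configuration change WBM user pfeiffep (192.168.1.4) has changed security settings",
    "Mar 3 18:14:24 2015 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings [repeated 7 times, last time on Mar 3 18:38:59 2015]",
    "Mar 3 19:27:34 2015 Firewall Info User authentication success Username: pfeiffep from 192.168.1.4",
    "Mar 3 19:30:00 2015 Firewall Info User Logout Username: pfeiffep from 192.168.1.4",
    "Mar 3 20:16:45 2015 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings [repeated 4 times, last time on Mar 4 07:29:51 2015]",
]

if __name__ == "__main__":
    for f in unattributed_changes(SAMPLE_LOG):
        print(f"{f['first']} .. {f['last']}: {f['count']} change(s) by {f['user']} ({f['ip']})")
```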

It sounds to me like it’s more of an issue with UPNP being enabled on your router, even though your router is indicating that it isn’t enabled.

Most routers now have automatic UPNP available, and the WD software is just doing exactly what UPNP is designed for - removing the headache of users not needing to know how to manually perform port forwarding when they want external access to a device on their internal network (which is what the WD needs for the cloud stuff to work externally).

Could the WD software do a better job of informing the user during install?  I imagine they could but if you truly have UPNP disabled in the router then the WD shouldn’t even be able to make any changes to your router.

Just as an add-on to this - I never installed ANY software on my PC when I got my WDMYCLOUD going - just connected it to the LAN and went to the user interface directly on the device.  There is an option in the device UI to enable cloud access via Auto (attempting to use UPNP), or Manual (meaning the user has to configure the ports to be forwarded manually).

As with any device that you would want full “Cloud” access to - somehow it needs to communicate to the outside world…

Thanks for your continued interest swallman

Since yesterday I’ve had cloud access disabled and here are the only ports forwarded

All the traffic in my Firewall security log is NOW from my monitoring actions. Yes I agree that WD is leveraging the ‘industry standard’ wrt consumer firewalls and UPnP. Maybe part of my mistrust originates from my years of internet security experience at the enterprise level coupled with the lack of direct knowledge of consumer products.

I’ll quote Sy Syms, a clothing marketer: “an educated consumer is our best customer”. IMO the computer industry needs to do a better job with the first 3 words of his slogan!