Remote access to the network storage
As a user that wants to make their NAS (Network Attached Storage) system available as a home server online, you face a core problem with IPv4-based networks. Unlike the new standard IPv6, the fourth version of this widely-distributed internet protocol is characterized by a strict separation of public and private address space. Your router is used as a mediating authority. Modern devices offer functions that compensate for the lack of end-to-end connection. However, several configuration steps are necessary.
A further hurdle is that your internet service provider (ISP) regularly disconnects automatically: home networks are usually connected to the internet through randomly-assigned IP addresses that change daily. But how do you access a network if its address is constantly changing? Here is the answer.
Basics: public and private IP addresses
Public and private addresses are kept separate since this acts as a reliable protection mechanism. Local devices on a home or company network are protected from unauthorized access to the internet. A major disadvantage, however, is that desired access is only possible with the correct router configuration, which is used as a link between the two address ranges.
- Public IP addresses: each router is assigned a public IP address from the respective ISP and this address connects the router to the internet and serves as a sender address for server requests. The public IP is usually dynamic for private users and most online businesses. This means that the address is randomly assigned to the router and only lasts for a certain period of time (around 24 hours). Since remote access from the internet requires a static address, methods such as dynamic DNS (DDNS) have been established and provide a way of linking dynamic IP addresses to unchangeable domains.
- Private IP addresses: if you look at the structure of a Local Area Network (LAN) that connects different devices to a home or company network, you can also find IP addresses there. However, these are used exclusively for internal communication in the LAN, are automatically allocated by a DHCP server (Dynamic Host Configuration Protocol) on the router, and connect the individual hardware components of the network such as PCs, tablets, smartphones, or home servers. These addresses are sometimes called LAN IPs. Since private IP addresses are not routable, it isn’t possible to obtain direct access to the IPv4 address of your network storage from the internet. Instead, the router (which is the only instance of the LAN to have a public IP address), must be configured in such a way that access to the NAS system is redirected to its private LAN IP. This works best when network devices acting as servers are assigned a static LAN IP address.
If a device from the LAN is to interact with the internet, this is done exclusively via the router. This accepts server requests (e.g. when a website is accessed) from the local network and sends them with its own public IP address to the corresponding destination on the world wide web. If a data packet is returned as a response to the request, the router ensures that this is redirected to the original client in the LAN. With IPv4, the distribution of IP packets in the local network is carried out via a component of the router known as NAT (Network Address Translation).
However, if a router registers incoming data packets that have not been explicitly requested by a device on the LAN, they are immediately discarded for security reasons. This also applies to external access to the network storage, provided that no port forwarding has been configured for this kind of access.
Set up remote access for your network storage in three steps
Three steps are essentially needed to overcome the hurdles described above so that you can make your network storage accessible on the internet. These are: determine the internal IP address of your NAS system, open appropriate ports for access from the internet, and use DDNS to ensure that your router remains accessible for requests from the internet despite the public IP address changing.
1. Determine the fixed IP address for the NAS system
The internal IP addresses of your network are assigned by the DHCP server of your router. Generally, each network device receives the same IP address. To do so, your router permanently stores the MAC address of the network device together with the first assigned IP. Allocating dynamic IP addresses within the local area network is normally only done when your home or work network has more network devices than IP addresses on the router.
To determine the IP address of your NAS system, you have to look it up in the network settings of your computer. In Windows, go to 'Control Panel', click on 'Network and Sharing Center', then click on 'Change Adapter Settings'. Right-click on the network connection icon and click 'status'. Click the "Details" button in the window that pops up. Another screen will then appear which will reveal the IP address of your computer, which is also the same IP address as your NAS device. If your NAS system is on a corporate network whose network devices exceed the number of internal IP addresses available on your router, it is advisable to explicitly prohibit the assignment of a new IP address for your network storage. This should be possible in the configuration interface of your router.
2. Open ports for remote access
A pre-requisite for remote access to your network storage is that you configure the firewall on your router so that it allows certain requests from the internet.
A packet filter works on your router in order to protect your home network from unwanted access attempts. In the default configuration, this packet filter only lets data packets through that have been requested by devices on your LAN. On the other hand, if you are on the go and want to access your NAS system to download data or to save them on the network storage, you have to define the exceptions – even these access attempts aren’t initiated internally and would otherwise be rejected by the router for security reasons. If you open the firewall for certain services such as FTP (File Transfer Protocol) or SSH (Secure Shell) this is known as port forwarding. You set this in the administration interface of your router. To do this, open the appropriate port for the desired service (e.g. FTP) and set up a redirect to the NAS system.
Modern network storage systems usually have an integrated FTP server, which – as long as it’s connected to the internet – can answer requests from FTP client programs such as FileZilla or WinSCP, thus enabling a convenient data exchange with various devices.
Theoretically, there are 65,536 ports available for network communication. Of these, ports 0 until 1023 have been reserved by the IANA (Internet Assigned Numbers Authority) as default ports for specific protocols or applications. The FTP server of your router, for example, generally accepts requests from the internet on port 21. To allow this, you must open the corresponding port on the surface and set up a redirect for incoming data packets to the network storage’s fixed LAN IP. For this purpose, you need to specify four settings in the administration interface of your router under the menu item 'Port forwarding' or 'Port mapping', depending on the router:
- The router’s port that is to be opened (known as 'Public Port' , 'External Port', or 'Inbound Service', depending on the device and manufacturer)
- The private IP address of the network device to which data packets are to be redirected (also 'Private IP' or 'Internal IP')
- The port on which the network device is to receive the data packets ('Private Port' or 'Internal Port')
- The protocol type to be used for data transmission ('Type')
To allow the FTP server of your NAS system to communicate via the internet, specify port number 21 for both the public port on the router, and the private port on the network storage. For the private IP address, use the fixed LAN IP that you determined in step 1 for your network storage. This instructs your router to automatically redirect requests and data packets from the internet that arrive at port 21 to your network storage’s port of the same name. However, to enable an interaction like this, client devices on the internet must know the address of your router. In step 3, therefore, it is important to define a consistent contact address.
3. Set up a dynamic DNS service
A dynamic DNS provides a proven method of making a router permanently accessible over the internet. This is an intermediary service, which is often offered free of charge by various providers on the internet. To use a dynamic DNS, register with a DDNS provider and set up a kind of pseudo-domain, which automatically redirects all requests to the current dynamic IP address of your router. The basic principle is the following: whenever your router is assigned a new dynamic IP address by the ISP, the router automatically reports the change of address to the DNS service. The current dynamic IP address is linked to the static pseudo domain. In order to access your network memory via the internet, you only need to know the static internet address and not the IP address that changes daily.