Use UPnP (Universal Plug and Play) port mapping to allow access from the WAN to services you select on the NSA. It is recommended that you place the NSA behind an Internet gateway firewall device to protect the NSA from attacks from the Internet (see RAID and Data Protection on page 167 for firewall type suggestions). Many such Internet gateways use UPnP to simplify peer-to-peer
DNS DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. If you have the IP address(es) of the DNS server(s), enter them.
Dynamic Select the option to have the NSA get a DNS server address automatically.
Static Select this option to choose a static DNS server address. Type the DNS server IP address(es) into the fields below.
Primary DNS
Server Type a primary DNS server IP address.
Secondary DNS
Server Type a secondary DNS server IP address.
HTTP (Web Configurator) Enable Another Web Configuration Port
Select this to configure an additional HTTP port for accessing the web configurator.
Specify a number in the Port Number field.
Jumbo Frames Jumbo frames improve network performance. You must have a 1 Gbps (Gigabit Ethernet) network that supports jumbo frames. Select the largest size of frame that all of your network devices (including computer Ethernet cards and switches, hubs, or routers) support.
When enabled, you can choose between 4 KB, 8 KB, and 9 KB frame sizes.
Note: If you enable jumbo frames on the NSA in a network that does not support them, you will lose access to the NSA. If this occurs, you will have to restore the factory default configuration. Push the RESET button on the NSA’s rear panel and release it after you hear a beep.
Network Diagnostic Tool
Use this section to test the network connection to a particular IP address or domain name. Select an address or type it into the field. Then click Ping to have the NSA send a packet to test the network connection.
• Successfully pinged host - The NSA is able to “ping” the host, the network connection is OK.
• Unable to ping host - The NSA is able to “ping” the selected host.
Apply Click this to save your TCP/IP configurations. After you click Apply, the NSA restarts.
Wait until you see the Login screen or until the NSA fully boots and then use the NAS Starter Utility to rediscover it.
Reset Click this to restore your previously saved settings.
Table 29 Network > TCP/IP (continued)
LABEL DESCRIPTION
network connectivity between devices. UPnP can automatically configure the Internet gateway’s firewall and Network Address Translation (NAT) to allow access to the NSA from the Internet.
Figure 83 UPnP for FTP Access
In the above example, UPnP creates a firewall rule and NAT port forwarding mapping to send FTP traffic (using TCP port number 21) from the public IP address a.b.c.d to the NSA’s private IP address of 192.168.1.20.
Use the NSA’s UPnP Port Mapping screen to configure the UPnP settings your Internet gateway uses to allow access from the WAN (Internet) to services you select on the NSA. You can also set which port Internet users need to use in order to access a specific service on the NSA.
Note: To use UPnP port mapping, your Internet gateway must have UPnP enabled.
If your Internet gateway supports Port Address Translation (PAT is sometimes included with a port forwarding feature), you can have the Internet users use a different TCP port number from the one the NSA uses for the service.
Figure 84 UPnP Port Address Translation for FTP Example
In the above example, the Internet gateway uses PAT to accept Internet user FTP sessions on port 2100, translate them to port 21, and forward them to the NSA.
8.5.1 UPnP and the NSA’s IP Address
It is recommended that the NSA use a static IP address (or a static DHCP IP address) if you will allow access to the NSA from the Internet. The UPnP-created NAT mappings keep the IP address the NSA had when you applied your settings in the UPnP Port Mapping screen. They do not automatically update if the NSA’s IP address changes.
Note: WAN access stops working if the NSA’s IP address changes.
For example, if the NSA’s IP address was 192.168.1.33 when you applied the UPnP Port Mapping screen’s settings and the NSA later gets a new IP address of 192.168.1.34 through DHCP, WAN access stops working because the Internet gateway still tries to forward traffic to IP address 192.168.1.33. Since you can no longer access the NSA from the WAN, you would have to access
TCP: 21
the NSA from the LAN and re-apply your UPnP Port Mapping screen settings to update the Internet gateway’s UPnP port mappings.
Figure 85 UPnP Using the Wrong IP Address
8.5.2 UPnP and Security
UPnP’s automated nature makes it easier to use than manually configuring firewall and NAT rules, but it is also less secure. Using UPnP may make your network more susceptible to snooping and hacking attacks.
8.5.3 The NSA’s Services and UPnP
This section introduces the NSA’s services which an Internet gateway can use UPnP to allow access to from the Internet.
BitTorrent
BitTorrent is a distributed peer-to-peer file-sharing protocol that the NSA’s download service can use. Using UPnP port mapping for BitTorrent lets BitTorrent work faster.
CIFS (Windows File Sharing)
Common Internet File System (CIFS) is a standard protocol supported by most operating systems in order to share files across the network. Using UPnP port mapping for CIFS allows users to connect from the Internet and use programs like Windows Explorer to access the NSA’s shares to copy files from the NSA, delete files on the NSA, or upload files to the NSA from the Internet.
If you configure UPnP port mapping to allow CIFS access from the WAN but cannot get it to work, you may also have to configure the Internet gateway to also allow NetBIOS traffic. See Section 6.3 on page 151 for more on CIFS.
FTP
File Transfer Protocol is a standard file transfer service used on the Internet. Using UPnP port mapping for FTP allows remote users to use FTP from the Internet to access the NSA’s shares. A user with read and write access to a share can copy files from the share, delete files from the share, or upload files to the share. See Section 9.4 on page 182 for more on FTP. If you use UPnP to allow FTP access from the WAN, you may want to use a different WAN port number (instead of the default of port 21) to make it more secure. Remember to tell the remote users to use the custom port number when using FTP to access the NSA.
192.168.1.34
a.b.c.d
192.168.1.33
HTTP (Web Configurator)
You can use UPnP port mapping to allow access to the NSA’s management screens. If you use UPnP to allow web configurator access from the WAN, you may want to use a different WAN port number (instead of the default of port 80) to make it more secure. Remember to use the custom port number when accessing the NSA’s web configurator from the Internet.
HTTP (Web Published Shares)
This is the NSA’s web publishing feature that lets people access files using a web browser without having to log into the Home screens. Use UPnP port mapping to allow access to these files from the Internet without having to enter a user name or password. See Section 9.7 on page 200 for more on web publishing.
8.5.4 Configuring UPnP Port Mapping
Click Network > UPnP > Port Mapping to display the UPnP Port Mapping screen.
Use this screen to set how the Internet gateway’s UPnP feature configure’s the Internet gateway’s NAT IP address mapping and port mapping settings. These settings allow Internet users connected to the Internet gateway’s WAN interface to access services on the NSA. You can set which port Internet users need to use to access a specific service on the NSA.
Note: Some Internet gateways will delete all UPnP mappings after reboot. So if the Internet gateway reboots, you may need to use this screen again to re-apply the UPnP port mapping.
Figure 86 Network > UPnP > Port Mapping
The following table describes the labels in this screen.