Netgate Discussion Forum

    Securely allow single wireless client access to QNAP Time Machine on LAN

    • JimmyJerry

      Hi,

      I have a pfSense setup with three interfaces - WAN, LAN and Wireless.

      The LAN can access only WAN and the WIRELESS can access only WAN. Rules forbid any traffic going between LAN and Wireless.

      I have the Time Machine application running on QNAP, and want a single Wireless client to be able to access it.

      I tried to set it up so that the wireless client could access the QNAP IP and only port 548 (ARP port) and this works great. The problem is the Wireless Client also has access to the QNAP file server which I don't want.

      I have the rule locked down to the wireless client static IP and I could also use MAC address to lock down the rule further, but I am wondering: are there any reasonably secure ways to allow a single wireless client (and only that client) to access a file server on another subnet? Or is this dangerous and only complete airgaps are the way to go?

      I could set up authentication for the folders on the QNAP, but I would rather not as this complicates matters on my LAN. Or should I just trust in WPA and assume if someone breaks that they will probably break across the subnet to my LAN eventually anyway?

      The only other setup I can think of is plugging in my wireless client to the LAN from time to time to do backups.

      I hope this makes sense, and any ideas or discussion are much appreciated!

      • Harvy66

        Unless you can trust your IP and MAC addresses, you cannot "Securely" limit access to the QNAP via just the firewall rules. Your best bet is to set up a VPN, so the client must log in and authenticate, so you KNOW it's the correct user, then allow access from the VPN to the QNAP.

        • johnpoz LAYER 8 Global Moderator

          548 TCP = Apple Filing Protocol (AFP) over TCP, so not sure where you got the ARP from?

          If you give it access to AFP, then yeah, it would have access to AFP ;) What are you wanting it to access but not your file shares?

          As to security - is this a DOD facility and you're storing launch codes on this file share ;) Or is this a home setup.. WPA2 if used with secure PSK is more than secure enough for what it sounds like you're doing. Keeping your guest or other wireless devices you allow onto your wireless network.. This firewall rule would keep those out.. If you want to get anal about it - set up static ARP and if some unwanted device got on your WLAN, to get to your share they would have to have the IP you allow and the MAC..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.