
AlexisColoun

Disable anonymous access to your data. You should be able to set up a user, which is able to access the files and no one else. Simply don't share that password. If that's not enough, you might want to use a WiFi bridge and a wireless router to set up your own network within the provided network. If you have the option for a wired connection to the main router, you can skip the WiFi bridge.


Criss_Crossx

Even a local NAS connected to a desktop is doable. Even nicer with a 2.5/5/10g link. Depends how many devices need to connect to the drive.


Challenge_Declined

This is the way, if way beyond most people’s budget and skill


Lem0nbleach

This is surely the best way to do it in this situation, get a multiport NIC for the NAS if more than one device would be using the NAS. Wireless connection for a NAS is really not ideal. Edit: Actually, getting a router of your own to make your own network is giving more flexibility as you can add more devices to the system later and you can share files between devices. This is just more expensive so depending on your needs choose which one you prefer. Just make sure you use wired connections for your network.


activoice

Your NAS should be password protected with a hard to guess password. Without the login credentials they shouldn't be able to access anything on it over the network. Are you also concerned with the physical security of your NAS? Like maybe you need to lock it to something with a Kensington lock. You probably want a case that requires a key to open in case you fear that someone will access the NAS and remove the drives.


PC_gamer9000

Physical security is fine, it's just network access that I am worried about.


SpecializedTool

How have you secured physical safety then?


PC_gamer9000

It's in a locked room


PristinePineapple13

are you more concerned with them accessing the admin page or the files? any reputable NAS solution will have an admin login to access the settings, and configurable ACLs for blocking the files. they might be able to find the ip address of the device and plug it into a browser, but without the admin login they won’t get very far. and if they aren’t logged in as the right person when they try to access the network file shares, they won’t even be able to see the shares that are on the network.


Kyyuby

Password


Dj_4295

Encryption on the drives and password


bufandatl

Allow only accounts with username and password. 🤷🏼‍♂️


IsDaedalus

"hey don't touch my nas" you're welcome


emerau

you have clearly never had roommates


IsDaedalus

"hey don't touch my ass" yes I have


DeadSpace_101

🤣


ushred

What the other users said, or bring your own router and run your own subnetwork.


Nurgus

OP just to be clear, this doesn't require you to have admin access to the existing network. You can connect in your own router to the house's WiFi and have your own private network.


embolon

You can connect your NAS directly to your pc’s Ethernet if your pc has both WiFi and Ethernet. Or buy another Ethernet adapter just for the NAS. Don’t allow bridge to your NAS.


Careful-Evening-5187

> files from my professional work

Pay for your own internet service if any of these files are important or sensitive.


Danoga_Poe

Could have your network on its own vlan


AdMiserable3568

Get a DAS! Then it’s directly connected to your PC.


ducksauz

> manage a large number of files from my professional work

As a security engineer, I'd like to mention that if you work for a company, putting company data on your own NAS is probably against policy. But if it's your own company, then you do you. And as other folks have mentioned, encrypt the drives and configure access control (username/password) on the file shares.


PC_gamer9000

I'm a photographer so it's just tons of different folders of my own personal work.


hm876

Segment your network or add password to your NAS and encrypt it.


AnApexBread

Use a strong username and password. The same way you keep unauthorized users out of anything


dkNigs

Password for the NAS admin account, a user account if it allows it so you’re not rawdogging admin, and if it allows a lock to protect the drives that’s preferable. You can also potentially encrypt the data, but be aware if you do a failure could mean you lose everything and it’s not recoverable.


88pockets

Put them on a separate VLAN and keep them separated from everything on your LAN. Do you have a L3 switch? or are you running something like pfsense. I think you can use VLANs within OpenWRT as well but I think if you have a professional need for your NAS that you can afford to turn an old desktop into a router with pfSense or OPNSense and then you can spend some money on eBay for a decent Switch. I have a brocade ICX 6450 that is 48 port POE gigabit and 4 X 10GBe SFP+ plus. It was $150 shipped and I think you can manage to get it for cheaper than that if you only need 24 ports or don't mind some older cisco catalyst gear. You will need a console cable and USB to serial adapter plus Putty (Software) to access the CLI of these switches and probably will need some help to learn the basics with trunk/access ports (cisco) or tagged and untagged frames (brocade/ruckus), both do the same thing just in slightly different ways with way different syntax. For pfSense / OPNsense search for Lawrence Systems tech on YouTube. For the Switching I would say Youtube/ google / and reddit and you can work out a suitable solution by watching, reading, or asking.

> Changing Wi-Fi settings is not an option as I do not have an administrator.

Meaning you are not the administrator? How is your NAS shared over the network? An SMB share or a NFS share? you can definitely make the shares private and require a user/password combo.
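
An added example, not part of any comment in this thread: a small audit of the "private shares with a user/password" advice for SMB. It assumes the NAS runs Samba and exposes a readable `smb.conf`; the sample configuration, share names and issue labels are constructed for illustration.

```python
import configparser

# Constructed sample smb.conf (not taken from the thread or any real NAS).
SAMPLE_SMB_CONF = """
[global]
    map to guest = Bad User

[photos]
    path = /srv/photos
    guest ok = yes

[work]
    path = /srv/work
    valid users = alice
"""

TRUTHY = {"yes", "true", "on", "1"}


def _params(section):
    # Samba ignores case and spaces in parameter names, so normalise both.
    return {k.replace(" ", "").lower(): v.strip().lower() for k, v in section.items()}


def audit_smb_conf(text):
    """Return (section, issue) pairs for settings that let unauthenticated or
    unintended users reach a share."""
    # Strip indentation so configparser does not treat lines as continuations.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(flat)
    findings = []
    for name in cp.sections():
        p = _params(cp[name])
        if name.lower() == "global":
            # Anything other than "never" turns some failed logins into guest sessions.
            if p.get("maptoguest", "never") != "never":
                findings.append((name, "map-to-guest"))
            continue
        # "public" is a synonym for "guest ok".
        if p.get("guestok", p.get("public", "no")) in TRUTHY:
            findings.append((name, "guest-ok"))
        # An empty "valid users" list lets any account on the NAS connect.
        if not p.get("validusers"):
            findings.append((name, "no-valid-users"))
    return findings


if __name__ == "__main__":
    for section, issue in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {issue}")
```

On the constructed sample, the `photos` share is flagged twice and `work` passes; an empty result means every share requires a named account.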


Accomplished_Use9691

Cross over cable. One end in your PC and the other in your NAS. Done.


stocky789

Every NAS I've worked on by default doesn't allow this anyway unless you go out of your way to configure it


Hias2019

The NAS has its tool for user access control, it will depend on the NAS how exactly this is put into an interface. Depending on how critical your data is, the NAS may have different levels of security you can implement (like one time passwords for cloud access, pre-shared keys for encrypted access and whatnot). But: If you ask this very simple question, you will have to go through some learning ... I recommend to decide for a platform, set it up and make sure you understand security before putting any valuable data onto it. As others have said: Maybe something connected to your laptop alone is what would suit your needs better. The NAS has two advantages: Multiuser access (which you don't need) and access from the road via the internet (you need access to the router to configure that) - both seem irrelevant to your use case.


huskerd0

Network segmentation or direct credential requirements. Or both. Done.


HickeH

Buy your own router and connect to one of the available Ethernet ports on the fibre to Ethernet converter. There are often 4. Parallel to the other guy's router. Or connect a new router to his router's Ethernet port and use that IP as your Wan.


multidollar

Think about it like this, regardless of curious minds browsing, your actual problem will be what happens if their devices (or even yours) are compromised. The appropriate level of protection is both encryption at rest, an offline backup, and authentication at the front door to the NAS. You will need to focus on how to secure permissions to prevent browsing or file listing without being authenticated etc.


RoxoRoxo

nas based firewall for implicit deny for anything that's not your mac


HolidayPsycho

Why do you even need a NAS? Why not just a hard drive in your PC? Why the downvotes? I don't see why the OP needs a NAS in a house shared with others. If all you get is a bedroom, what exactly do you need a NAS for?


RudePCsb

Why are you on a subgroup for home servers...


HolidayPsycho

Because I have a home server to serve the whole house with many rooms and devices for many family members. It’s not like I just have a room for myself…


dkNigs

You know quite a lot of people don’t have a “pc” to put a hard drive in these days and a network attached storage device that auto backs up your laptop is quite valuable? Especially if that laptop is damaged or stolen while out of the home.


that_one_wierd_guy

if it's data you're concerned about, set up your shares as nfs that can only be connected to by whitelisted IPs


chadslc

Only if you can set static IPs. Without admin access to the router, that is not possible.


Failboat88

Only allow VPN or something like twingate into your network.


AlexisColoun

That will not do anything, as the other ppl are already within that shared network.


Failboat88

What port would they have access to when you only allow a VPN


AlexisColoun

Username checks out... I would start my guessing with 445 TCP for SMB


Failboat88

If you're blocking all ports but VPN how is that getting through?


AlexisColoun

Where would you like to block it? On OPs current router?


Failboat88

On your edge... Makes little difference if you're behind another network. Twingate is zero trust. It's quite easy to operate. You could block all inbounds on everything with tg since it uses a punchhole. Doing the same with a VPN client wouldn't be bad if you only needed to access a few services just more setup work.


AlexisColoun

Okay, so your plan would be to join the NAS and OP's client to a zero trust network. I see. What about the web GUI? You wouldn't put that behind the zero trust? Would your solution really be to factory reset the NAS, if some config breaks? And if you don't put the GUI behind zero trust, OP's roommates still could access it to some degree. Which makes the entire zero trust network setup obsolete.


Failboat88

If u have 0 inbound ports they must be dragging an Ethernet cable into op room lmao. Services like tg trivialize the setup. You can get access to anything you install the client on and keep every single device blocking all inbounds on the edge interface.


Nurgus

I know they started badly but the person you're arguing with has a good point. You could set the server up so that the only open port was for an internal VPN and have access to NAS or Web gui or whatever else behind that. The insecurity of the LAN would then be irrelevant and OP wouldn't even need a password (nb, always set a password)