#1 |
|
Feeling like thinking....
Join Date: Oct 2015
Drives: 2013 FR-S
Location: CNY
Posts: 1,664
Thanks: 1,664
Thanked 2,433 Times in 1,064 Posts
Mentioned: 20 Post(s)
Tagged: 0 Thread(s)
|
Router Firewall help?
Just wondering if anyone here has the time, expertise, and inclination to help me figure out how to set up a firewall on my router. I've got firewalls on all of my computers, but I'm considering building and installing an OMV ("OpenMediaVault") based NAS using a Pi3 that would be connected to my router via LAN cable. Since, in addition to using it as a media server, I'd like to use it as a place for local backups too, there'd be things on it that I wouldn't want to expose to the internet; tax returns, etc. Since it's connected directly to the router, it obviously wouldn't be protected by the various computers' firewalls.
I know the IPs and MAC addresses of all of my equipment, and have figured out enough about my router's settings to get my various computers, Rokus, Pi streamers, etc., all hooked up and playing together nicely, but I confess I don't really understand a lot of it.. ports, DNS, subnet mask, DHCP server/client... that stuff makes my head hurt, although I have a VAGUE notion of what it all is. I've attached a screen shot of the firewall setup screen on my router, but I confess I don't know exactly what to put in the fields.
My goal is to set it up so my computers, Rokus, and Pi streamers have access to the internet and the future NAS, but that the NAS is NOT visible or accessible from outside my local home network. I don't have any need to access anything on my home network while away from home, either. As another level of security, perhaps there's a way to specify some settings in the shares or permissions within OMV that would only allow specific computers on my network to access it?
I confess again, a lot of the fields and vocabulary associated with setting up OMV baffle me. Can anyone help demystify the experience for me? Every article I read about this stuff seems to be written for folks who already understand all of it. Thanks.. Barry
#2 |
|
Senior Member
Join Date: Mar 2013
Drives: 2019 Mazda Miata RF
Location: Earth
Posts: 2,105
Thanks: 979
Thanked 1,317 Times in 736 Posts
Mentioned: 23 Post(s)
Tagged: 1 Thread(s)
|
Far from an expert here....I have the router's firewall on, and then use port forwarding to allow certain access to my NAS from the outside. I also changed the ports used, i.e., instead of using the standard 21 for my FTP, I use something else.
| The Following User Says Thank You to Gunman For This Useful Post: | MuseChaser (01-22-2017) |
#3 |
|
Feeling like thinking....
Thanks, Gunman. This place is the greatest.
I've been staring at a couple of the screens, trying to make sense of it. I had created a bunch of firewall "rules" when I first set up this network a while ago, but probably unnecessarily. There's a default rule that would seem to deny access to the LAN from anywhere outside (WAN?). Is that already doing what I was asking about in my original post? I've attached a screenshot of the various rules. You can see I've deactivated the three "rules" I had previously created, and doing so doesn't seem to have had any effect on my network. I've blocked out the IP ranges and other info, just in case.. no offense. I have no idea if that could be used against me or not by the few less than savory folks out there.
#4 |
|
Geo Tyrebighter Esq
Join Date: Mar 2013
Drives: '13 scion fr-s
Location: pnw
Posts: 4,324
Thanks: 6,746
Thanked 5,270 Times in 2,296 Posts
Mentioned: 43 Post(s)
Tagged: 1 Thread(s)
|
I always set my routers to deny setting changes over wireless. Ethernet hardwire connection only.
I set up the MAC control list to deny any device other than the ones I own or phones and tablets of friends that will need to connect. You have to get the device numbers and add them individually to the MAC allowed list. 0a:0b:0c:34:2f:00 for example. It will be on each device's info page for phones and tablets. From a Windows terminal use "ipconfig /all" to find "Physical Address ...." That's the device MAC. Linux uses "ifconfig". I don't know what Apple products are currently doing. Most newer routers will have dual bands available (2.5 or 5.0) and different channels for each. MAC address lists will need to be set up for each band. Devices that only have 2.5 wireless have to go on the MAC list for that. No need to put it on the 5.0 MAC. Get a Wi-Fi analyzer app to see which channels are currently in use around your location. Set yours to use the least used spectrum nearby. A bit of faffing about having to get the wire out and hook up to the router.
__________________
--
"I gotta rock." -- Charley Brown
| The Following User Says Thank You to bcj For This Useful Post: | MuseChaser (01-22-2017) |
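Added example, not part of any post in this thread: `ipconfig /all` prints the MAC as `0A-0B-0C-34-2F-00`, while the allow-list entry quoted in post #4 uses `0a:0b:0c:34:2f:00`, so this sketch pulls the labelled addresses out of either tool's output and reports any that are not yet on the list. The sample outputs, the second MAC address and all function names are constructed for illustration.

```python
import re

# Six hex octets separated by ':' or '-'.
MAC = r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
# Accept a MAC only after a known label, so the longer "DHCPv6 Client DUID"
# hex string that ipconfig /all also prints is not mistaken for an address.
LABELLED_MAC = re.compile(
    r"(?:Physical Address[ .]*:\s*|\bether\s+|\bHWaddr\s+)"
    + MAC + r"(?![:-][0-9A-Fa-f])"
)

# Constructed sample output, not captured from a real machine.
IPCONFIG_SAMPLE = """\
Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : 0A-0B-0C-34-2F-00
   DHCP Enabled. . . . . . . . . . . : Yes
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-AA-BB-CC-DD-0A-0B-0C-34-2F-00
"""
IFCONFIG_SAMPLE = """\
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 0a:0b:0c:34:2f:01  txqueuelen 1000  (Ethernet)
"""

def normalize(mac):
    """Return the MAC in lower-case, colon-separated form."""
    return mac.replace("-", ":").lower()

def extract_macs(text):
    """Return the labelled interface MACs found in tool output, in order."""
    seen = []
    for match in LABELLED_MAC.finditer(text):
        mac = normalize(match.group(1))
        if mac not in seen:
            seen.append(mac)
    return seen

def missing_from_allow_list(text, allow_list):
    """Return MACs present in the output but absent from the allow list."""
    allowed = {normalize(entry) for entry in allow_list}
    return [mac for mac in extract_macs(text) if mac not in allowed]

if __name__ == "__main__":
    allow = ["0a:0b:0c:34:2f:00"]  # entry format quoted in post #4
    print(missing_from_allow_list(IPCONFIG_SAMPLE + IFCONFIG_SAMPLE, allow))
```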
#5 |
|
Feeling like thinking....
Thanks, BCJ. I've used MAC filters on my network since day one, as you suggest, and feel pretty good about having my wireless access locked down. When I have guests who, for some reason, feel they need to be connected all the time rather than actually just enjoy some time visiting, they can never connect to or even find my network. When they ask for the password, I mumble about having to add MAC addresses and reconfigure.. and pretty soon they glaze over and forget about it. GOOD!
My concern is more on the other side of the router; I want to prevent any access to the NAS (connected directly to the router via cable) from the WAN/outside internet through my modem and router. Thanks again for the reply.
#6 |
|
Geo Tyrebighter Esq
Ok. Yeah. Don't broadcast SSID and obscure ID with complex password.
I have not used NAS, so I'm not as versed there as I could be. I've got a 2TB USB drive that I only plug in to do backups. Theoretically, if the router rejects everything but your MAC lists it won't be letting other devices in to begin with. Typically the router/NAS connection is on the INside of your network. I don't know if your router has options to make that public or not. If you gave me model/brand info I probably wouldn't know what sense to make of it. They're all different. Even the same make/model can have differing chips internally.
__________________
--
"I gotta rock." -- Charley Brown
Last edited by bcj; 01-22-2017 at 02:30 PM.
| The Following User Says Thank You to bcj For This Useful Post: | MuseChaser (01-22-2017) |