Disclaimer: This resource is not meant to be a complete in-depth tutorial on how to set up reverse proxy or port forwarding, although it will have some examples. This is not a narrow tutorial explaining the quickest, best way to create a specific feature. There are plenty of tutorials out there that can explain how to do things far better and quicker than I can. Instead, I’m hoping that this tutorial series reads as more of a story that is based on my growth in understanding how a personal NAS network should be developed. My goal is to try and tie together some other users’ existing tutorials into a more cohesive picture that is a little easier for a newbie to understand. The newbie can then reference the source tutorials and threads to get into the nitty gritty. If you happen to find any factual errors, please let me know and I’ll try to correct them as soon as possible.
Preface: I’m a complete Newbie at this as my name makes clear. The information to follow is not my own; I have simply tried to do my best to compile info from several threads that will be linked into the story as their time comes. Credit for the actual knowledge in this tutorial series needs to go to @WST16, @Rusty, @fredbert, @Telos, @jeyare, @SynoMan and I’m sure others I’ve missed. @WST16 has been especially helpful, as they have worked with me in creating these tutorials as a fact-checker and editor. I am very thankful for their support. These users have been incredibly patient with all my questions. As a result of all these questions, I believe that I eventually arrived at a very good setup for remotely accessing multiple NAS that are all on the same local network.
An Office Divided Among Ports Unknown

We’ll start our story by attempting to put a non-technical face to some very technical concepts to try and help you better understand your router, your Local Area Network, and all of its ports. To avoid becoming overly technical, I am leaving the network switch out of this story. If you are completely new to networking, I found the book “Networking All-in-One For Dummies” to be useful. @jeyare has created a couple of good tutorials that tie together networking and NAS selection:
- Tutorial - Newbies - Your first NAS, part 1
- Tutorial - Newbies - Your first NAS, part 2 ... Network preparation
The Building (Router/LAN)

Think of the shell of the building as the router containing your LAN. The building/router will be given an IP address such as 220.127.116.11 by your ISP. You can find your external IP address through tools such as www.whatsmyip.com. This IP address is what allows your router to be located on the internet. Now that we know the address of the building, we approach the door, except that this building has thousands of external doors. These doors are actually the ports on your router. These doors should be closed by default on your router, and only opened if you actually need access through one of them.
Figure 1-1: Building Shell
The Floors (Devices/Clients)

Inside our office building, there are many different floors. Each floor could be considered as representing a device that is connected to your local network such as a computer, smart TV, or your NAS, and each floor will be given its own internal IP address by the router such as 192.168.1.1. The next floor would be 192.168.1.2 and so on. Each floor of the office is broken up into many rooms, each with its own locked door.
Note: It is ok to post your internal IP addresses on forums such as this one on the internet. Sometimes another forum user needs that information in order to better understand your network configuration. These internal addresses are defined for private use and the internet does not route them. They never leave your LAN. A hacker cannot locate your devices on the internet by knowing any of your internal IP addresses. The external IP address discussed in the previous section is the one that you never want to post on the internet.
Figure 1-2: Building Floors
The Rooms (Device Applications & Internal Device Ports)

The doors to these rooms represent the internal ports that are present on your LAN-connected device. In the rooms behind these ports/doors are the different applications that you host on your NAS. A sample IP address that would direct you to port 5001 on the 2nd device on your LAN might be 192.168.1.2:5001. Note that the port is added to the end of the IP address. This will be important later. You can find a list of the Synology default ports for applications here:
Figure 1-3: Rooms
The Telephone System (Port Forwarding & Reverse Proxy)

The phone system for this building is old-school; it is connected with hardlines. Think of port forwarding as connecting a single external door/port to a single internal door/port with a phone line. Once the external port is connected to an internal port, then the external port is considered open. If an internal port has not been connected to an external port via port forwarding, then you will not be able to access the internal port from outside of your LAN without implementing other strategies. Here are a couple of basic port forwarding rules to consider:
- Each external door/port can be connected to any of the internal doors/ports, no matter which floor/device the internal port resides on. This means that external port 443 could be connected to the internal port 806 of Device 1, or internal port 443 of Device 6.
- Each external port can have only 1 port forwarding rule set up for it. This means that if external port 443 is forwarded to internal port 443 of Device 6, it cannot also be forwarded to internal port 443 of Device 2.
Now that we have a rough picture of our LAN and its ports, we can move on to talking about how a connection is actually made. For this section we are assuming:
- You have already configured the application you want to access on your NAS
- You have already configured the correct port-forwarding rules. For this portion of the discussion, we are port-forwarding port 5001 in order to access DSM remotely via its default port. Note that it is not typically recommended to access your NAS via default ports as they are a known access avenue for evil-doers. It is just easier for the purpose of this tutorial to start with the default.
- You have already configured a DDNS such as yourname.synology.me
- You have already configured a security certificate through a service such as Let’s Encrypt
With those assumptions in place, the connection is made in 4 steps:

1. When you want to access a particular –already-configured– service on your NAS remotely, you’ll start by typing the full URL you created via DDNS in your browser bar. Note that you will include the forwarded port at the end of the URL (e.g. https://yourname.synology.me:5001). The internet will route your request after finding the IP address assigned to your internet router by your ISP. This is called resolving a domain name and it’s done by DNS servers on the internet (you can google “DNS server” to read more about how they work). This step is also where our Let’s Encrypt validation takes place to ensure that we are trying to visit a legitimate site. Referring back to our office building analogy, we have now reached the exterior doors.
2. Once the request reaches your router, it’ll be forwarded inwards to the NAS according to the port forwarding rule that you already configured. Since you already set up port forwarding for port 5001, your router will forward the connection from exterior door/port 5001 to the interior port 5001 on your NAS. If you do not have port forwarding set up, then the exterior door will remain locked to outside access. Again, port forwarding is similar to connecting a phone line from the exterior port 5001 to the interior NAS port 5001 in our office building.
3. Once you are forwarded to port 5001 on your NAS, your browser attempts to establish a secure connection.
4. As the final step in establishing communications and to unlock the last interior door, the application that is hosted behind port 5001 will have its own login credentials. Once you enter correct login credentials, you will gain access to the application. Congrats, you have just accessed an app remotely.
Figure 1-4: Multi-Port Forwarding Flowchart
These 4 steps would need to be repeated for any other app that you might want to access, and as a reminder, you cannot have more than one port forwarding rule set up for any given external port. So, if you wanted to access iTunes (port 3689) or a VPN server (port 1194), you would have to set up port forwarding rules for each of those ports. As you can see in Figure 1-4 above, you would soon have quite a large tree of open ports and port forwarding rules. This starts to get dangerous because you are opening up more and more avenues for hackers to attack. Another problem with this approach is that you will need to remember which ports represent which applications. A good solution that will keep open ports to a minimum while also creating easy-to-remember URLs is Reverse Proxy, which will be discussed in Part 2 of this tutorial series.
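To make the port forwarding rules and the open-port concern above concrete, here is an added example (not part of the original tutorial) that audits a router's forwarding table. The function names, the device IP addresses and the sample rule table are hypothetical; beyond the two rules stated above, it also checks that each target is a private LAN address, as described in the Note on internal addresses.

```python
import ipaddress

# Ports this page names as defaults: DSM (5001), iTunes (3689), VPN server (1194).
DEFAULT_PORTS = {5001: "DSM", 3689: "iTunes", 1194: "VPN server"}

# Private (RFC 1918) ranges that home routers hand out to LAN devices.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample table: (external_port, internal_ip, internal_port).
SAMPLE_RULES = [
    (5001, "192.168.1.2", 5001),   # DSM on its default port
    (3689, "192.168.1.2", 3689),   # iTunes on its default port
    (443, "192.168.1.6", 443),     # external 443 -> Device 6
    (443, "192.168.1.2", 443),     # second rule for 443: not allowed
    (8443, "203.0.113.10", 443),   # target is not a LAN address
]

def audit_forwarding(rules):
    """Return (kind, external_port, detail) findings for a rule table."""
    findings, seen = [], {}
    for ext, ip, internal in rules:
        for port in (ext, internal):
            if not 1 <= port <= 65535:
                findings.append(("invalid-port", ext, f"{port} is outside 1-65535"))
        # Each external port may carry only one forwarding rule.
        if ext in seen:
            findings.append(("duplicate-external", ext,
                             f"already forwarded to {seen[ext]}"))
        else:
            seen[ext] = f"{ip}:{internal}"
        # A forward should point at a device on the LAN.
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in LAN_NETWORKS):
            findings.append(("non-lan-target", ext, f"{ip} is not a private address"))
        # Well-known default ports are the first thing outsiders probe.
        if ext in DEFAULT_PORTS:
            findings.append(("default-port-exposed", ext,
                             f"{DEFAULT_PORTS[ext]} reachable on its default port"))
    return findings

def open_external_ports(rules):
    """Every distinct external port in the table is an open door on the router."""
    return sorted({ext for ext, _, _ in rules})

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_RULES):
        print(finding)
    print("open external ports:", open_external_ports(SAMPLE_RULES))
```
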
Related resources
- Tutorial - NAS Remote Access for Newbies: Part 2 - Port 443 & Reverse Proxy (www.synoforum.com)
- Tutorial - NAS Remote Access for Newbies: Part 3 - Accessing Mobile Apps via Reverse Proxy (www.synoforum.com)
- Tutorial - NAS Remote Access for Newbies: Part 4 - Reverse Proxy for Multiple NAS on a Single LAN (www.synoforum.com)