NAS Remote Access for Newbies: Part 4 - Reverse Proxy for Multiple NAS on a Single LAN


Preface

This tutorial is a continuation of the Remote Access for Newbies series of tutorials, and continues the discussion started in Parts 1-3. While parts of this tutorial can stand on their own, it does reference an office building analogy used to describe your LAN in Part 1. If you are unfamiliar with the basics of your LAN or how to configure a reverse proxy, it’d be best to start with Parts 1-3 of the series:
  1. Tutorial - NAS Remote Access for Newbies: Part 1 - LAN Overview & Port Forwarding
  2. Tutorial - NAS Remote Access for Newbies: Part 2 - Port 443 & Reverse Proxy
  3. Tutorial - NAS Remote Access for Newbies: Part 3 - Accessing Mobile Apps via Reverse Proxy

Multiple NAS on a Single LAN

It is time to explore how to set up remote access for multiple NAS on a local network. Before I get into that, I’d like to give a quick overview of how my system has grown, as some of the threads are very good references for this discussion.

My initial NAS was a DS918+ that was set up more or less in accordance with the advice given in these threads:
With this setup, I was basically connected exactly the same as how Part 1 ended. I was using port forwarding and adding the ports to my domain name URL in the browser to access my NAS. I knew very little about reverse proxy, and I certainly did not have as good of an understanding of ports as what was discussed in Part 1. However, the guys on this forum seemed legit and I was able to access my NAS from anywhere, so I was happy, albeit ignorant as to other possibilities.

The inspiration for me to make changes to my setup began when I moved into a new house. At that time, I bought my own router instead of renting one from my ISP, and so I suddenly gained much more flexibility in which ports I could select and what types of router rules I could create because I owned and controlled the router instead of the ISP. Also, I began to look into creating a redundant offsite network with my dad, and so bought an RS1219+ and a DS220+ to build this network according to these threads:
For the purpose of this story, it doesn’t really matter which NAS is which, and so from here on out they will just be referred to as NAS1, NAS2, & NAS3. I wanted to do the initial setup of all 3 NAS on my local network, and I also wanted to set up remote access for them while I was at it. My first attempt to set up remote access involved creating DDNS for each NAS:
  • Nas1.synology.me
  • Nas2.synology.me
  • Nas3.synology.me
Remember, I didn’t really have a good grasp yet on how port selection, port forwarding, and reverse proxy all worked together. I did not yet update any of the default ports in any of the NAS (they were all still pointing to 5000/5001), but I did set up port forwarding rules in my router to forward ports 5000/5001 to each of the NAS local IP addresses. I later learned that a router should not allow you to forward an external port to more than a single internal IP address, but I did not know that at the time and for whatever reason my router let me do it.

In any event, the creation of those DDNS set off a chain of problems that resulted in the posts below. You don’t have to take the time now to read them all; the tldr is that I got myself in over my head and probably started making changes without fully realizing how everything worked together. I thought that I had a grip on how to make the changes I wanted, but I did not.
As shown by that thread, I was (maybe still am) completely out of my depth with port management and remote access. This thread below is the one that I believe finally got me back on track, and I pulled tons of info out of it for Parts 1-3, and will wrap up Part 4 with it as well:
You can read those threads for the long version of the missteps and lessons I learned along the way; I’m going to proceed here with a condensed version of what I believe is a good option to network multiple NAS on a LAN.

To start with, we are going to create the following reverse proxy rules on NAS1 only. These RPs will allow us to access DSM on all 3 unique NAS, assuming that the default DSM ports are still 5000/5001. An explanation of how the rules work follows the screenshots.


Figure 4-1: NAS1 DSM Reverse Proxy


Figure 4-2: NAS2 DSM Reverse Proxy


Figure 4-3: NAS3 DSM Reverse Proxy

You have now created 3 RP rules that might be confusing. You will note that all 3 rules were created as subdomains of the NAS1 domain name. This is because we are setting up NAS1 to act as a “dispatcher”. With this setup, all reverse proxy requests, even requests for NAS2 or NAS3, will be routed through NAS1. The reason for this goes back to our port forwarding rules: we cannot forward port 443 to more than one internal IP address. To get around this, we need to piggyback connection requests for NAS2 & NAS3 onto the NAS1 domain name.

When NAS1 receives a URL such as https://DSM3.NAS1.synology.me, it will look into its reverse proxy rules and see that the destination IP is actually the IP address of NAS3, and will dispatch the request down the line in the LAN to NAS3. From there, NAS3 handles it just like any other port-access request. Note that your browser will never see any of the application ports hidden behind the reverse proxy; it only sees port 443 that was going into the reverse proxy.


Figure 4-4: Multi-NAS Reverse Proxy

The final piece to the puzzle is knowing how to set up the NAS for remote access via mobile app if desired. Recall the lesson from Part 3 where we changed the default port for Synology mobile apps? If we want to be able to access NAS1, NAS2, & NAS3 from a mobile app such as DS File (which is the mobile app used to access File Station) for whatever reason, we will need to change the default ports for the app on each NAS that we wish to access.

Something to note here is that while you cannot have multiple apps on the same NAS pointed to the same port, you could set up a single application such as File Station to be accessed from the same port on multiple NAS. You do not need to assign File Station unique ports on each NAS when setting up reverse proxies as outlined in this tutorial. In other words:
  • Not acceptable when used together: Multiple apps pointed to same port on the same NAS
    • File Station-->NAS1-->38400
    • iTunes-->NAS1-->38400
    • Bitwarden-->NAS1-->38400
  • Acceptable when used together: Single app pointed to same port number on different NAS
    • File Station-->NAS1-->38400
    • File Station-->NAS2-->38400
    • File Station-->NAS3-->38400
This is because we are accessing a different File Station on each unique NAS. In terms of our office analogy, we are accessing doors with the same number, but the doors are located on different floors of our office building.
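The dispatcher behaviour and the port rule described above, as an added example (not part of the original tutorial and not Synology's code): a small Python model of NAS1's reverse proxy table. The DSM1/DSM2 hostnames, the NAS2/NAS3 addresses and the choice of destination port 5001 are assumptions; only DSM3.NAS1.synology.me, 192.168.1.21 and port 38400 come from the tutorial.

```python
# Added example: models the reverse proxy table on NAS1 and the per-NAS port rule.
# Hostnames dsm1/dsm2, the NAS2/NAS3 IPs and port 5001 are constructed assumptions.
from collections import defaultdict

# Rules on NAS1: public hostname (all arriving on forwarded port 443) -> (LAN IP, port)
RP_RULES = {
    "dsm1.nas1.synology.me": ("192.168.1.21", 5001),  # NAS1 itself
    "dsm2.nas1.synology.me": ("192.168.1.22", 5001),  # NAS2 (assumed IP)
    "dsm3.nas1.synology.me": ("192.168.1.23", 5001),  # NAS3 (assumed IP)
}

def dispatch(host_header):
    """Return the backend for a request's Host header, or None if no rule matches."""
    host = host_header.split(":")[0].strip().lower().rstrip(".")
    return RP_RULES.get(host)

def port_conflicts(bindings):
    """bindings: iterable of (app, nas, port).
    Return {(nas, port): [apps]} for every port claimed by more than one app
    on the same NAS. The same port on different NAS is not a conflict."""
    seen = defaultdict(list)
    for app, nas, port in bindings:
        seen[(nas, port)].append(app)
    return {key: apps for key, apps in seen.items() if len(apps) > 1}

# The two lists from the tutorial
NOT_ACCEPTABLE = [
    ("File Station", "NAS1", 38400),
    ("iTunes", "NAS1", 38400),
    ("Bitwarden", "NAS1", 38400),
]
ACCEPTABLE = [
    ("File Station", "NAS1", 38400),
    ("File Station", "NAS2", 38400),
    ("File Station", "NAS3", 38400),
]

if __name__ == "__main__":
    for name in ("DSM3.NAS1.synology.me", "dsm1.nas1.synology.me:443", "nas2.synology.me"):
        print(name, "->", dispatch(name))
    print("same NAS, same port:", port_conflicts(NOT_ACCEPTABLE))
    print("different NAS, same port:", port_conflicts(ACCEPTABLE))
```

A hostname with no rule returns `None`: only the names listed on NAS1 are dispatched into the LAN, which is why NAS2 and NAS3 need no port forwarding rules of their own.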

A final note: I highly recommend figuring out how to assign a fixed internal IP address to any networked device that will be referenced by the reverse proxies and/or any firewall rules you might create. As I was writing this tutorial, my router lost power and reset its list of internal IP addresses. My NAS1 IP changed from 192.168.1.21 to 192.168.1.16, and so all of my reverse proxies were messed up. I effectively lost remote access to the NAS until I figured out what happened.

Epilogue

I believe that this about concludes what I set out to do. Hopefully this was instructive for other newbies and others are able to use this as a starting point in their own networking projects. As I wrap this up, please let me know if you find any factual errors in what I have written, and I’ll correct them as soon as possible. Also, a sincere and heartfelt thanks to @WST16 for working with me on this project. It would have been riddled with errors if I had attempted it on my own.