A few security questions about the DS 918+

Currently reading
A few security questions about the DS 918+

54
6
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
I use quickconnect to access my NAS, I Synology drive and Active backup for business to backup my pc, I use DS cloud and DS flie to backup my android phone.
I am not using my firewall and have a few questions.
1. Should I use the firewall and will this affect the apps I use?
2.Can the Firewall be used with Quickconnect?
3.Is quickconnect a safe way of logging in?
I am using the default port, should I change the port? Can the port be changed with using quickconnect?

Thank you
 
1,681
718
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Hi,

Are you using QuickConnect with direct access (DDNS)?

1. Depends on your answer above. If QuickConnect and no DDNS (you didn’t forward any ports on your router), then no.
2. It will be of very limited use within the LAN.
3. You’ve opened the Pandora’s box :)
4. Changing the port for internal use is useless if you’re using QC only.

(other members might correct my replies and assumptions, so wait and see, as I don’t use QC).
 
54
6
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Thanks for the reply. I have "Automatically create port forwarding rules" checked in the QuickConnect settings but did not port forward on the router.
 
1,681
718
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
That check mark tells your DS to use UPnP to open ports on your router as needed without your knowledge.

Try to check your router under the UPnP section if any, and see what you can find there. You might need to search for where these changes take place.

It’s convenient but it’s not recommended to allow devices on the LAN to have control over such critical function. This can be changed by TV’s, streaming devices, software on your laptop and even the “stupid” smart Amazon oven without you knowing :)

If you must, disable UPnP on the router and do all forwards manually so you have control and knowledge of what’s open and what’s closed.

You might decide to just use QC without direct access (DDNS) by closing all the ports. or use DDNS without QC. Just understand how they differ and the pros/cons.
 

Rusty

Moderator
NAS Support
2,873
876
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
@WST16 covered it all no question about it. QC is for convenience and not so much for security, if you add upnp on top of this, I see a few red flags imho.

Manual control of ports on your router is preferred but be prepared to manage them as needed and also using ddns instead of QC will be also faster, considering you will not be going over Synology QC in Taiwan.

So there are benefits on both sides, it's a matter of security and convenience.
 
54
6
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
My brain is about to explode! I do have upnp enabled. So can I use QC and change the default port and have everything still work? Also if I do disable upnp as WST16 suggests, will QC still work?
 
1,202
398
NAS
DS418play, DS213j, DS3621+, DSM 7.0.4-11091
can I use QC and change the default port and have everything still work? Also if I do disable upnp as WST16 suggests, will QC still work?
Disable UPnP
Disable QC
Create free DDNS account
Change the default HTTPS port
Open the NAS HTTPS port on your modem
Access your DSM login externally via DDNS
https://my.synology.me:23456
 

fredbert

Moderator
NAS Support
Subscriber
1,851
754
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
There is more than one mechanism within QC. Primarily QC attempts to determine the best connection path to the NAS, in effect being a DNS resolution to the Internet IP of your connection or to the NAS's own LAN IP for local devices. To access the NAS across the Internet using this approach still requires the router to port forward to the NAS.

Then there's the secondary mechanism: QC Relay*. This kicks in when direct connections, via QC resolution, to the NAS fail. The relay requires the NAS to create an outbound connection the the QC Relay and this resuts in a tunnel being open between relay and NAS where Internet connections can be passed to the NAS.

The downside of the QC Relay is that secure connection from the Internet sent to the relay will be decrypted at the relay and repacked for onward transmission to the NAS. In effect the QC Relay is a proxy server and the Internet client's secure connection is with Synology's SSL certificate so that the client doesn't get an 'untrusted' alert. For this convenience you have to trust Synology to inspect the decrypted contents of the communications as the pass through the relay. [You probably trust Synology not to sneak-a-peek when it's all decrypted on the NAS, but that would take more effort to report back].

*You can use enable QC on the NAS and disable use of QC Relay.
 

NAS Newbie

Subscriber
387
76
NAS
DS220+, DS918+, RS1219+
Operating system
  1. Windows
Mobile operating system
  1. Android
My brain is about to explode! I do have upnp enabled. So can I use QC and change the default port and have everything still work? Also if I do disable upnp as WST16 suggests, will QC still work?
Dude, I have been there so many times trying to get my stuff set up. :ROFLMAO: I just about had a meltdown the other day. Search through my old threads if you want to feel better about yourself.

Keep with it, the guys helping you here are great.
 
1,681
718
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
My brain is about to explode!
No explosions allowed at SynoForum 🤣
Just ask when in doubt when you approach (and try to do) any steps highlighted by @Telos above.
 
54
6
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Based on what you guys are saying Ive decided to not use QC. Where do I get the DDNS account? Without quick connect will my apps still work fine? Backing up my phone and viewing photos?
 
1,681
718
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
On DSM go:
Control Panel > External access > DDNS tab > Add

You can choose Synology and create one and test it too.
If you go to your Synology account (account.synology.com) you can see it there.
 
54
6
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Oh ok I thought you had to sign up to some service for DDNS. What about using a VPN on the NAS?
 
1,681
718
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
54
6
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Would using a VPN be in place of using the DDNS or with it?
Thanks
 
1,681
718
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Create the DDNS first and then decide how to access your NAS remotely. Can be with VPN or without it.

The DDNS will keep a record of your public IP address and will be updated every time it changes (unless you were assigned a static IP address by your ISP).
 
54
6
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Is the synology DDNS the best one to use?
 
1,681
718
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
If by best you mean if it’s reliable, then it is.
However, you’re kind of limited with your domain choices. After choosing Synology, drop down the menu (host name) and those are your options.

If you decide to use a different provider, just make sure they offer a DDNS service that can be updated by the DiskStation.
 
54
6
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Last edited:
1.When changing the default ports is there a method to it or random numbers?
 
54
6
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Last edited:
Getting a headache!
Ok here is what I did
  1. Went to "External Access" in the DDNS tab clicked "Add"
  2. Selected Synology then entered my name synology.me
  3. Got certificate through "Lets encrypt"
  4. Went to account.synology.com and could see the DDNS i created
  5. Went to "Security" and it is showing 2 duplicate certificates I created
  6. Went to "Network" changed the HTTP port to lets say 8000 and the HTTPS to 8501
  7. Went to "QuickConnect" and unchecked "Enable QuickConnect"
  8. Got a message in DSM "Nas cannot connect to CMS Host"
  9. Went to my router into port forwarding and added 2 profiles one with an external port of 8000 and another with 8501 and both have my NAS IP entered using TCP protocol
  10. Did not restart the router because I didnt think I needed to
  11. Now my android apps wont connect
  12. Realized Im an idiot
If I go to https://my.synology.me:8501 I can enter my user name and password but says its wrong
What now?
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Similar threads

Similar threads

Top