A few security questions about the DS 918+


C’mon, explosions and headaches? We’ve just started. You better have a box of Panadol next to you :D

You’re on the right track. Almost done. Maybe ;)

Let’s try reaching DSM in different ways using your phone to see where we are and to understand how many Panadol boxes you’ll need :)
Forget about any internal computers for now. I’m assuming that you’re on your LAN (at home?) where your Synology is. We’ll use your phone.

Using your phone, first internally (over WiFi).
Type https://your NAS IP address and login.
If it works, logout.

Next, try typing your https://mynas.synology.me (whatever you’ve created). If it doesn’t work, it’s ok.

Now, remotely, switch off WiFi and use data on your phone (e.g. 4G). On the phone browser type your https://mynas.synology.me:the https port you configured (8501?)

What happened with each test?
 
I am at home on LAN yes

Using your phone, first internally (over WiFi).
Type https://your NAS IP address and login.
If it works, logout."
This works.

Next, try typing your https://mynas.synology.me (whatever you’ve created). If it doesn’t work, it’s ok.
"This site cant be reached" "ERR_Connection_refused"

Now, remotely, switch off WiFi and use data on your phone (e.g. 4G). On the phone browser type your https://mynas.synology.me:the https port you configured (8501?)
Correction, this also works

Got another email from synology saying NAS cannot connect to CMS Host
-- post merged: --

UPnP is off now on my router
-- post merged: --

Also when connecting to https://my IP, on my phone, it worked but a page popped up saying "Your connection is not private" then I had to click advanced to go there anyway
 
Now, remotely, switch off WiFi and use data on your phone (e.g. 4G). On the phone browser type your https://mynas.synology.me:the https port you configured (8501?)
Correction, this also works
That’s good.

Next, try typing your https://mynas.synology.me (whatever you’ve created). If it doesn’t work, it’s ok.
"This site cant be reached" "ERR_Connection_refused"
This might mean that your router doesn’t support NAT loopback.

But why are you having CMS messages? Do you have more than one NAS managed by using CMS? Do you have the CMS package installed?

a page popped up saying "Your connection is not private" then I had to click advanced to go there anyway
That’s expected because of the certificate. Our focus now is to enable remote direct access via port forwarding.
-- post merged: --

While you think about what’s going on with CMS.

Do you know if your router has a “static DNS” feature? You can search the router pages or an online documentation.

Try checking under DNS page on the router. Can you share brand and model name?
 
Router is RT-AC68U, can't see that feature but maybe it does.
Central Management System is installed on the NAS. I only have 1 NAS
Not sure what CMS does
I have the HTTPS port forwarded on the router
Also my firewall on the NAS is enabled
 
What we’re trying to do is to have your devices use the same URL whether you’re on your LAN or remotely (WAN).

Remotely it’s working now as you said. Internally, you’ll need to have something that resolves your mynas.synology.com. QuickConnect did this seamlessly. This situation can be fixed with a loopback router or an internal DNS server (Synology DNS package).

Before you shoot yourself, take a couple of caplets and check this easy tutorial.

I might be off the grid for a few days. I trust that someone will lend a hand in case you face a problem.
 
1.When changing the default ports is there a method to it or random numbers?
This thread of mine is a very long read, but it is where I finally started to understand ports and how to select them and stuff.

I would finish up the path you are on here with WST16 and get comfortable with using it before making any changes discussed in my thread because I don't want to mess up the process WST16 is putting in place with you. However, I had the same question you asked and this thread really helped me out.



 
WST16: I now feel like I should not have messed with it because everything worked fine. Now I can't connect with the phone apps. I will have a look at your link

NAS Newbie: Looks like you stole my name. Thanks, I will look at your thread as well.
-- post merged: --

Does the firewall have anything to do with it?
 
The phone apps will work when you forward the corresponding ports, at least externally for now until you do something about host names resolution (DNS). You should mind the firewall rules to allow the forwarded ports.

WST16: I now feel like I should not have messed with it because everything worked fine.
Then don’t go any further. It’s very easy to go back if that’s what you want. Just go to QuickConnect and put a check mark. It worked before, it should work now. Maybe you should do that.
 
WST16: I now feel like I should not have messed with it because everything worked fine. Now I cant connect with the phone apps. I will have a look at your link

NAS Newbie: Looks like you stole my name. Thanks, I will look at your thread as well.
-- post merged: --

Does the firewall have anything to do with it?
WST16 is the expert, but as a fellow newbie, I constantly missed the port at the end of the URL when using the apps and also didn't always get my port forwarding correct in my router. With most of my problems, it is almost always my fault for entering a setting incorrectly and not so much a hardware issue.

WST16 or others can correct me if I'm wrong but I believe your URL with the method he's trying to enable for you should look like this after you changed the dsm default ports.:
 
The phone apps will work when you forward the corresponding ports, at least externally for now until you do something about host names resolution (DNS). You should mind the firewall rules to allow the forwarded ports.


Then don’t go any further. It’s very easy to go back if that’s what you want. Just go to QuickConnect and put a check mark. It worked before, it should work now. Maybe you should do that.
I do want to get this to work just frustrating. Thanks for your help and patience.
-- post merged: --

I use Synology drive client to backup photos on my pc. I can connect by adding my NAS IP without the port number but I got a message regarding ssl and asked if I want to proceed anyway which I did then Synology drive now works
-- post merged: --

WST16 is the expert, but as a fellow newbie, I constantly missed the port at the end of the URL when using the apps and also didn't always get my port forwarding correct in my router. With most of my problems, it is almost always my fault for entering a setting incorrectly and not so much a hardware issue.

WST16 or others can correct me if I'm wrong but I believe your URL with the method he's trying to enable for you should look like this after you changed the dsm default ports.:
I can sign in with my PC using https://mynas.synology.me:8501
 
Ok this is weird,
1. I can now connect to the NAS through DS File on my phone by entering my IP with my HTTPS port and "HTTPS" checked, on WIFI only but not data. I tried using data and entered the http port and that didn't work either.
2. DS photo on the phone works on WIFI only by entering my IP without a port number
3. On DS Cloud I can't seem to change my login settings, I don't see the option
4. Active backup for business seems to work without adjusting any settings
5. And Synology drive works by entering the IP without the port number

Why can I connect to https://mynas.synology.me:8501 using phone data but the apps only work on wifi?
 
You sound like you are experiencing many of the issues I went through, with largely the same reaction :ROFLMAO:.

Based solely on my own experience chasing my tail and not on any technical expertise, I'd encourage you to double-check your port forwarding and to make sure you are using the correct port number at the end of the url. Here is a list of the default ports that Synology points its apps towards. With the way WST16 is currently setting you up, you will need to forward any port for any application that you want to open. DiskStation Manager - Knowledge Base | Synology Inc.

There are a couple of confusing bits there though: DSM (which is your main NAS login) uses the same default ports (5000/5001) as several of the Syno applications such as CMS, Download Station, Moments, and Drive to name a few. When you changed the default port of DSM to something like 8501, you also changed the default port that all those applications are using. This means that you no longer need 5000/5001 open to access your apps, but you would need 8500/8501 open and you need to add :8501 to all the URLs in the initial app login screen.

Also, like telos said, Photo Station uses ports 80/443, and from what I understand those ports would not automatically get rolled over to your new 8500/8501 ports. So, if you want an https connection to photo station, you would need to forward 443 to your NAS.

Ports 80/443 are another tricky bit because from what I understand they are declared as the default http/https ports by internet protocol. Ports 5000/5001 are the http/https ports for your NAS, but using 5000/5001 for http/https is not the internet standard. From what I understand (I might have it wrong), because 80/443 are internet default http/https ports, the internet by default tries to access destination addresses via those ports. When you add 5001 to the end of the URL, you are telling the internet you want to access the destination via port 5001 instead of 443. This is why Telos was telling you to try just https://mynas.synology.me to gain access with your Photo Station app; we know from the list I linked above that Photo Station uses ports 80/443 by default, and so we don't need to point it in any other direction.

You do need to make sure 443 is forwarded to your NAS. If it is not forwarded, then you can get some of the errors you mentioned. It's taken me forever to get my head wrapped around this much of the process, and someone will probably come on here and tell me I have it bassackwards anyways. :D
 
Finally logged into my DS Cloud using https://mynas.synology.me:6690 .
I got this message though. What does it mean?

Link to Cloud Station
The SSL certificate of the
Synology NAS is not trusted.
This may mean that it is a
self-signed certificate, or
someone may be trying to
intercept your connection
Cancel / Proceed Anyway
 
Usually when I get that error it's because I have set up my Let's Encrypt certificate incorrectly. I was all mad at LE for being stupid and then I noticed I had misspelled my domain name on the LE cert.

It could be that, or in DSM if you go Security>>Certificate>>Configure, is Cloud Station listed there, and is it configured to use the LE cert, or is it using the default Synology cert? If it is not set to use your LE cert, then you can switch it over in this screen with the dropdown. You probably want to set all of the applications in that list to be using the LE cert and not the default synology cert.
 
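The certificate warnings in this thread (the browser's "Your connection is not private" when using the NAS IP, and the Cloud Station "not trusted" prompt) depend on whether the host typed into the URL is named in the certificate. The sketch below is an added example, not code from any poster or from Synology; the LAN address and the misspelled name are constructed, and it checks only the name match, not whether the issuer is trusted.

```python
import ipaddress
from urllib.parse import urlsplit

def name_matches(pattern, host):
    """DNS name match in the style of RFC 6125: a wildcard is only
    honoured as the entire left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # refuse over-broad wildcards such as "*.me"
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_url(url, san_dns, san_ip=()):
    """Return (ok, reason) for the host part of `url` against the
    certificate's subjectAltName entries. The port plays no part."""
    host = urlsplit(url).hostname
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP in the URL only matches an IP SAN, never a DNS name
        if any(ipaddress.ip_address(i) == addr for i in san_ip):
            return True, "IP listed in certificate"
        return False, "certificate has no IP SAN for " + host
    for pattern in san_dns:
        if name_matches(pattern, host):
            return True, "matches " + pattern
    return False, "certificate is for " + ", ".join(san_dns)

if __name__ == "__main__":
    le_cert = ["mynas.synology.me"]        # name used in the thread
    default_cert = ["synology.com"]        # default cert as shown in the DSM list
    typo_cert = ["mynass.synology.me"]     # constructed misspelling
    for url, sans in [
        ("https://mynas.synology.me:8501", le_cert),
        ("https://192.168.1.10:8501", le_cert),       # constructed LAN IP
        ("https://mynas.synology.me:6690", default_cert),
        ("https://mynas.synology.me", typo_cert),
    ]:
        print(url, sans, check_url(url, sans))
```

Only the first case passes: the same certificate that is valid for the DDNS name fails for the LAN IP, which is why the warning appears internally but not when the hostname is used.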
I have the following showing in that list:
Active Backup for Business
FTPS
System Default
VPN Server
Synology Drive Server
Beside each of these it's showing Synology.com. On the drop down of each of these I can only choose between Synology.com, MyNas.synology.m and Synology DDNS Certificate (default).
I don't see Let's Encrypt here. Maybe I did set it up wrong.
-- post merged: --

I tried adding Let's Encrypt again and now I see it and it works. Thank you!
 
