A few security questions about the DS 918+

NAS: DS918+
Operating system: Windows
Mobile operating system: Android
I use QuickConnect to access my NAS, I use Synology Drive and Active Backup for Business to back up my PC, and I use DS cloud and DS file to back up my Android phone.
I am not using my firewall and have a few questions.
1. Should I use the firewall and will this affect the apps I use?
2. Can the firewall be used with QuickConnect?
3. Is QuickConnect a safe way of logging in?
I am using the default port, should I change the port? Can the port be changed with using QuickConnect?

Thank you
 
Hi,

Are you using QuickConnect with direct access (DDNS)?

1. Depends on your answer above. If QuickConnect and no DDNS (you didn’t forward any ports on your router), then no.
2. It will be of very limited use within the LAN.
3. You’ve opened the Pandora’s box :)
4. Changing the port for internal use is useless if you’re using QC only.

(other members might correct my replies and assumptions, so wait and see, as I don’t use QC).
 
Thanks for the reply. I have "Automatically create port forwarding rules" checked in the QuickConnect settings but did not port forward on the router.
 
That check mark tells your DS to use UPnP to open ports on your router as needed without your knowledge.

Try to check your router under the UPnP section if any, and see what you can find there. You might need to search for where these changes take place.

It’s convenient but it’s not recommended to allow devices on the LAN to have control over such a critical function. This can be changed by TVs, streaming devices, software on your laptop and even the “stupid” smart Amazon oven without you knowing :)

If you must, disable UPnP on the router and do all forwards manually so you have control and knowledge of what’s open and what’s closed.

You might decide to just use QC without direct access (DDNS) by closing all the ports, or use DDNS without QC. Just understand how they differ and the pros/cons.
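Added example, not part of the thread: one way to list the port mappings that UPnP has created on the router, which is what the reply above suggests checking. It assumes the router offers the standard `WANIPConnection:1` service and that its control URL is already known from the router's UPnP device description; the `control_url` argument, the 192.168.1.50 NAS address and the sample reply are constructed.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ENVELOPE = ('<?xml version="1.0"?><s:Envelope '
            'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            '<u:GetGenericPortMappingEntry xmlns:u="{svc}"><NewPortMappingIndex>'
            '{index}</NewPortMappingIndex></u:GetGenericPortMappingEntry>'
            '</s:Body></s:Envelope>')
# Constructed sample reply (192.168.1.50 stands in for the NAS), not router output.
SAMPLE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
          '<u:GetGenericPortMappingEntryResponse xmlns:u="' + SERVICE + '">'
          '<NewExternalPort>5001</NewExternalPort><NewProtocol>TCP</NewProtocol>'
          '<NewInternalClient>192.168.1.50</NewInternalClient>'
          '<NewInternalPort>5001</NewInternalPort>'
          '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def soap_request(control_url, index):
    """Build the GetGenericPortMappingEntry call for one mapping-table index."""
    body = ENVELOPE.format(svc=SERVICE, index=int(index)).encode()
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'}
    return urllib.request.Request(control_url, body, headers)

def parse_entry(xml_text):
    """Return one mapping as a dict, or None when the reply is a SOAP fault."""
    found = {el.tag.split("}")[-1]: (el.text or "")
             for el in ET.fromstring(xml_text).iter()}
    if "Fault" in found:
        return None
    return {k: v for k, v in found.items() if k.startswith("New")}

def read_mappings(control_url, limit=64):
    """Walk the router's table until it faults (HTTP 500 past the last entry)."""
    entries = []
    for index in range(limit):
        try:
            with urllib.request.urlopen(soap_request(control_url, index), timeout=5) as r:
                entry = parse_entry(r.read().decode())
        except urllib.error.HTTPError:
            break
        if entry is None:
            break
        entries.append(entry)
    return entries

def mappings_for(entries, host_ip):  # mappings that forward to host_ip (e.g. the NAS)
    return [e for e in entries if e.get("NewInternalClient") == host_ip]
```

An empty result from `mappings_for(read_mappings(control_url), nas_ip)` means UPnP has not opened any port towards the NAS; routers that expose `WANPPPConnection` instead need `SERVICE` changed accordingly.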
 
@WST16 covered it all, no question about it. QC is for convenience and not so much for security; if you add UPnP on top of this, I see a few red flags imho.

Manual control of ports on your router is preferred, but be prepared to manage them as needed. Also, using DDNS instead of QC will be faster, considering you will not be going over Synology QC in Taiwan.

So there are benefits on both sides, it's a matter of security and convenience.
 
My brain is about to explode! I do have UPnP enabled. So can I use QC and change the default port and have everything still work? Also if I do disable UPnP as WST16 suggests, will QC still work?
 
> can I use QC and change the default port and have everything still work? Also if I do disable upnp as WST16 suggests, will QC still work?

  1. Disable UPnP
  2. Disable QC
  3. Create free DDNS account
  4. Change the default HTTPS port
  5. Open the NAS HTTPS port on your modem
  6. Access your DSM login externally via DDNS
     https://my.synology.me:23456
 
There is more than one mechanism within QC. Primarily QC attempts to determine the best connection path to the NAS, in effect being a DNS resolution to the Internet IP of your connection or to the NAS's own LAN IP for local devices. To access the NAS across the Internet using this approach still requires the router to port forward to the NAS.

Then there's the secondary mechanism: QC Relay*. This kicks in when direct connections, via QC resolution, to the NAS fail. The relay requires the NAS to create an outbound connection to the QC Relay and this results in a tunnel being open between relay and NAS where Internet connections can be passed to the NAS.

The downside of the QC Relay is that a secure connection from the Internet sent to the relay will be decrypted at the relay and repacked for onward transmission to the NAS. In effect the QC Relay is a proxy server and the Internet client's secure connection is with Synology's SSL certificate so that the client doesn't get an 'untrusted' alert. For this convenience you have to trust Synology to inspect the decrypted contents of the communications as they pass through the relay. [You probably trust Synology not to sneak-a-peek when it's all decrypted on the NAS, but that would take more effort to report back].

*You can enable QC on the NAS and disable use of QC Relay.
 
> My brain is about to explode! I do have upnp enabled. So can I use QC and change the default port and have everything still work? Also if I do disable upnp as WST16 suggests, will QC still work?

Dude, I have been there so many times trying to get my stuff set up. :ROFLMAO: I just about had a meltdown the other day. Search through my old threads if you want to feel better about yourself.

Keep with it, the guys helping you here are great.
 
Based on what you guys are saying I've decided to not use QC. Where do I get the DDNS account? Without QuickConnect will my apps still work fine? Backing up my phone and viewing photos?
 
Oh ok I thought you had to sign up to some service for DDNS. What about using a VPN on the NAS?
 
If by best you mean if it’s reliable, then it is.
However, you’re kind of limited with your domain choices. After choosing Synology, drop down the menu (host name) and those are your options.

If you decide to use a different provider, just make sure they offer a DDNS service that can be updated by the DiskStation.
 
1. When changing the default ports, is there a method to it or random numbers?
 
Getting a headache!
OK, here is what I did:
  1. Went to "External Access" in the DDNS tab, clicked "Add"
  2. Selected Synology then entered my name synology.me
  3. Got a certificate through "Let's Encrypt"
  4. Went to account.synology.com and could see the DDNS I created
  5. Went to "Security" and it is showing 2 duplicate certificates I created
  6. Went to "Network", changed the HTTP port to let's say 8000 and the HTTPS to 8501
  7. Went to "QuickConnect" and unchecked "Enable QuickConnect"
  8. Got a message in DSM "Nas cannot connect to CMS Host"
  9. Went to my router into port forwarding and added 2 profiles, one with an external port of 8000 and another with 8501, and both have my NAS IP entered using TCP protocol
  10. Did not restart the router because I didn't think I needed to
  11. Now my Android apps won't connect
  12. Realized I'm an idiot
If I go to https://my.synology.me:8501 I can enter my user name and password but it says it's wrong.
What now?
 
