Accessing NAS securely?

Currently reading
Accessing NAS securely?

88
19
NAS
DS920+
Operating system
  1. Linux
  2. macOS
Mobile operating system
  1. iOS
So first off, sorry I'm a noob! Any help and advice is really appreciated. I'm in the process of setting up my new ds920+ and wondering if I'm connecting to the NAS securely and what actually is the best way to connect both over LAN and WAN.

Locally
  • If I connect locally using https://X.X.X.X:5001/ I'm told the connection is not secure.
  • If I connect to any installed app ie. Plex via local_ip:[PORT] or the quick connect address I'm warned the connection is not secure.
  • If I connect locally using https://X-X-X-X.[NAME].direct.quickconnect.to:5001/ everything is good

Externally
  • I can connect through Synology's QuickConnect website (using phone with wifi turned off)
  • I set up DDNS, everything seems ok but I can't connect. the certificate seems good. The only problem I had was my router said "The specified ports are being used by other configurations" when I tried to forward ports 80,443 and 5001. However, I can see they are already mapped in the uPNP table.
  • Within an android app I use (NZB360) I have the connection https://[EXTERNAL_IP]:[FORWARDED_PORT]/ but this won't work though it works on another computer

I'd appreciate it if someone can explain what I'm doing wrong and how it's best to connect. should I just delete the DDNS and use the QuickConnect address for all external connection needs? Should I use different ports altogether? when connecting locally does it matter that it's not secure?

Thanks for any help and advice
 
I have also just started my DS920+ journey and I don't mind not having SSL when accessing internally but the way I connect externally is by connecting to my OpenVPN which connects into my NAS (with SSL) and then do what I need via a completely different port, I have also changed my NAS port away from 5000-5001.

Perhaps @Rusty or @jeyare can better advise :)
 
Upvote 0
Thanks for any help and advice
Not sure you need internal https but ok. The point it if your router support nat loopback then using your public, external url. Best to use reverse proxy for your needs. Then you will be able to use 443 port without any problems.

This way you can use one url for all your needs over https/443 and case closed.
 
Upvote 0
Last edited:
I have also just started my DS920+ journey and I don't mind not having SSL when accessing internally but the way I connect externally is by connecting to my OpenVPN which connects into my NAS (with SSL) and then do what I need via a completely different port, I have also changed my NAS port away from 5000-5001.

Perhaps @Rusty or @jeyare can better advise :)
Hey thanks for the reply,

Yeah I presumed it didn't matter at home but would like to learn/understand this much better, especially before I open up the NAS to friends and family.

I thought I'd read something about changing the default ports, where's that setting to please?

VPN is on my list to setup, I might bother you for advice when I get around to it if you don't mind.

Thanks!
-- post merged: --

Not sure you need internal https but ok.
Yeah It was a stupid question. More to do with annoying browser messages but I'll just use the quickconnect address instead (y)
The point it if your router support nat loopback then using your public, external url. Best to use reverse proxy for your needs. Then you will be able to use 443 port without any problems.

This way you can use one url for all your needs over https/443 and case closed.
Thanks, I believe my router does support it. I'll have a search and see if I can figure out how to set it up.

Cheers!
 
Upvote 0
Not sure you need internal https but ok. The point it if your router support nat loopback then using your public, external url. Best to use reverse proxy for your needs. Then you will be able to use 443 port without any problems.

This way you can use one url for all your needs over https/443 and case closed.
So I need a bit of help with this If you don't mind please.

I've set up the reverse proxy but used the synology.me domain from the DDNS I set up earlier (which didn't work for some reason). So I went to Control Panel > External Access > Router Configuration. Everything is OK when I test the connection but when it does the router test when I click 'Set up Router' I get this message...
detect router information.png

I have a virginmedia router in modem only mode and a netgear orbi router behind that. Any idea if that will have something to do with why this isn't working? Or any idea what I'm doing wrong?

Thanks.
 
Upvote 0
You’ll hear this a lot here: don’t enable UPnP on your router for allowing LAN devices to set its firewall policy. It is much better/secure to manually setup and maintain your router’s firewall. Any device that gets local access would be able to setup/mess-up your perimeter security.

The NAS’s router detection is to see if it can automatically set firewall rules using UPnP. Best to not allow this.

I have a Virgin Media Hub 5 in modem/bridge mode connected to a Synology RT2600ac. Works fine.
 
Upvote 0
Last edited:
You’ll hear this a lot here: don’t enable UPnP on your router for allowing LAN devices to set its firewall policy. It is much better/secure to manually setup and maintain your router’s firewall. Any device that gets local access would be able to setup/mess-up your perimeter security.

The NAS’s router detection is to see if it can automatically set firewall rules using UPnP. Best to not allow this.

I have a Virgin Media Hub 5 in modem/bridge mode connected to a Synology RT2600ac. Works fine.
Thanks Fredbert,

I've turned uPNP
I've changed port 5001
I've checked the DDNS and the reverse proxy I set up but still can't seem to get through

Any Ideas?

Cheers
-- post merged: --

I'm sooooooo stupid.

After turning uPNP off I forgot to forward the necessary ports manually. All seems to be working now.

Thanks everyone (y)
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

FYI nothing new, but still worth sharing as patching remains essential, even when we think that using VPN...
Replies
0
Views
1,055
It took a while to get iOS Syno Drive Client to reset and ask for my 2FA to log back in. It was set up...
Replies
2
Views
574

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top