Being attacked!

Original poster (NAS: DS918+; macOS, iOS)
Slightly off topic here, as it is security but both network as well as the NAS. As I think most folks know I use a Netgear Orbi mesh router system. I monitor the logs with respect to attacks and remote access attempts. The Orbi logs such 'attacks' and sends me an email when the log gets full. The log can hold 258 entries before it fills and sends the email to me.
Prior to last week I had maybe 2-3 emails a day. It is now sending emails at intervals varying between a few minutes and half an hour:

Screenshot 2022-08-11 at 10.58.40.jpg


Log data is looking typically like:

[LAN access from remote] from 204.10.192.178:9509 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:38
[LAN access from remote] from 204.10.192.178:47979 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:36
[LAN access from remote] from 204.10.192.178:9942 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:34
[LAN access from remote] from 204.10.192.178:22984 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:32
[LAN access from remote] from 204.10.192.178:3663 to 192.168.1.202:80, Thursday, August 11, 2022 10:37:30
[LAN access from remote] from 204.10.192.178:41932 to 192.168.1.202:80, Thursday, August 11, 2022 10:37:28
[LAN access from remote] from 204.10.192.178:17135 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:26
[LAN access from remote] from 204.10.192.178:20939 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:25
[LAN access from remote] from 192.241.235.205:57625 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:24
[LAN access from remote] from 204.10.192.178:56758 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:22
[LAN access from remote] from 204.10.192.178:36876 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:20
[LAN access from remote] from 204.10.192.178:13893 to 192.168.1.202:80, Thursday, August 11, 2022 10:37:18
[LAN access from remote] from 204.10.192.178:9985 to 192.168.1.202:80, Thursday, August 11, 2022 10:37:16
[LAN access from remote] from 204.10.192.178:57616 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:14
[LAN access from remote] from 204.10.192.178:30466 to 192.168.1.202:80, Thursday, August 11, 2022 10:37:12
[LAN access from remote] from 204.10.192.178:39030 to 192.168.1.202:80, Thursday, August 11, 2022 10:37:10
[LAN access from remote] from 204.10.192.178:12990 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:09
[LAN access from remote] from 204.10.192.178:10136 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:07
[LAN access from remote] from 204.10.192.178:62586 to 192.168.1.202:80, Thursday, August 11, 2022 10:37:05
[LAN access from remote] from 204.10.192.178:10875 to 192.168.1.202:80, Thursday, August 11, 2022 10:37:03
[LAN access from remote] from 204.10.192.178:56094 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:01
[LAN access from remote] from 204.10.192.178:22309 to 192.168.1.202:443, Thursday, August 11, 2022 10:36:59
[LAN access from remote] from 204.10.192.178:46823 to 192.168.1.202:443, Thursday, August 11, 2022 10:36:57
[LAN access from remote] from 204.10.192.178:24631 to 192.168.1.202:443, Thursday, August 11, 2022 10:36:53
[LAN access from remote] from 204.10.192.178:31005 to 192.168.1.202:443, Thursday, August 11, 2022 10:36:51
[LAN access from remote] from 204.10.192.178:18452 to 192.168.1.202:80, Thursday, August 11, 2022 10:36:50
[LAN access from remote] from 204.10.192.178:65272 to 192.168.1.202:443, Thursday, August 11, 2022 10:36:48
[LAN access from remote] from 204.10.192.178:7191 to 192.168.1.202:80, Thursday, August 11, 2022 10:36:46
[LAN access from remote] from 204.10.192.178:20721 to 192.168.1.202:80, Thursday, August 11, 2022 10:36:44
[LAN access from remote] from 204.10.192.178:6101 to 192.168.1.202:443, Thursday, August 11, 2022 10:36:42
[LAN access from remote] from 204.10.192.178:49068 to 192.168.1.202:443, Thursday, August 11, 2022 10:36:40
[LAN access from remote] from 159.65.189.170:45834 to 192.168.1.202:80, Thursday, August 11, 2022 10:35:22
[LAN access from remote] from 204.10.192.178:46613 to 192.168.1.202:80, Thursday, August 11, 2022 10:34:23
[LAN access from remote] from 204.10.192.178:19338 to 192.168.1.202:443, Thursday, August 11, 2022 10:34:21
[LAN access from remote] from 204.10.192.178:38718 to 192.168.1.202:443, Thursday, August 11, 2022 10:34:19
[LAN access from remote] from 204.10.192.178:11801 to 192.168.1.202:80, Thursday, August 11, 2022 10:34:17
[LAN access from remote] from 204.10.192.178:22198 to 192.168.1.202:80, Thursday, August 11, 2022 10:34:15
[LAN access from remote] from 204.10.192.178:51629 to 192.168.1.202:80, Thursday, August 11, 2022 10:34:13
[LAN access from remote] from 204.10.192.178:54864 to 192.168.1.202:80, Thursday, August 11, 2022 10:34:11
[LAN access from remote] from 204.10.192.178:33316 to 192.168.1.202:80, Thursday, August 11, 2022 10:34:09
[LAN access from remote] from 204.10.192.178:26258 to 192.168.1.202:80, Thursday, August 11, 2022 10:34:07
[LAN access from remote] from 204.10.192.178:61072 to 192.168.1.202:80, Thursday, August 11, 2022 10:34:05
[LAN access from remote] from 204.10.192.178:54913 to 192.168.1.202:80, Thursday, August 11, 2022 10:34:04
[LAN access from remote] from 204.10.192.178:34737 to 192.168.1.202:443, Thursday, August 11, 2022 10:34:02
[LAN access from remote] from 204.10.192.178:65244 to 192.168.1.202:80, Thursday, August 11, 2022 10:34:00
[LAN access from remote] from 204.10.192.178:50072 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:58
[LAN access from remote] from 204.10.192.178:62259 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:56
[LAN access from remote] from 204.10.192.178:64473 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:54
[LAN access from remote] from 204.10.192.178:27238 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:52
[LAN access from remote] from 204.10.192.178:11501 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:50
[LAN access from remote] from 204.10.192.178:59813 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:48
[LAN access from remote] from 204.10.192.178:1551 to 192.168.1.202:443, Thursday, August 11, 2022 10:33:46
[LAN access from remote] from 204.10.192.178:3765 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:44
[LAN access from remote] from 204.10.192.178:38608 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:42
[LAN access from remote] from 204.10.192.178:10932 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:38
[LAN access from remote] from 204.10.192.178:5007 to 192.168.1.202:443, Thursday, August 11, 2022 10:33:37
[LAN access from remote] from 204.10.192.178:33520 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:35
[LAN access from remote] from 204.10.192.178:15375 to 192.168.1.202:443, Thursday, August 11, 2022 10:33:33
[LAN access from remote] from 204.10.192.178:16999 to 192.168.1.202:80, Thursday, August 11, 2022 10:33:31
[LAN access from remote] from 204.10.192.178:30602 to 192.168.1.202:443, Thursday, August 11, 2022 10:33:29
[LAN access from remote] from 204.10.192.178:15072 to 192.168.1.202:443, Thursday, August 11, 2022 10:33:27
[LAN access from remote] from 204.10.192.178:30449 to 192.168.1.202:443, Thursday, August 11, 2022 10:33:25
[DoS Attack: SYN/ACK Scan] from source: 159.148.23.173, port 443, Thursday, August 11, 2022 10:32:52
[LAN access from remote] from 204.10.192.178:23569 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:41
[LAN access from remote] from 204.10.192.178:24811 to 192.168.1.202:443, Thursday, August 11, 2022 10:27:39
[LAN access from remote] from 204.10.192.178:18714 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:37
[LAN access from remote] from 204.10.192.178:30999 to 192.168.1.202:443, Thursday, August 11, 2022 10:27:36
[LAN access from remote] from 204.10.192.178:944 to 192.168.1.202:443, Thursday, August 11, 2022 10:27:34
[LAN access from remote] from 204.10.192.178:21396 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:32
[LAN access from remote] from 204.10.192.178:14899 to 192.168.1.202:443, Thursday, August 11, 2022 10:27:30
[LAN access from remote] from 204.10.192.178:49801 to 192.168.1.202:443, Thursday, August 11, 2022 10:27:26
[LAN access from remote] from 204.10.192.178:57706 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:24
[LAN access from remote] from 204.10.192.178:18210 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:22
[LAN access from remote] from 204.10.192.178:34067 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:21
[LAN access from remote] from 204.10.192.178:8858 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:19
[LAN access from remote] from 204.10.192.178:27678 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:17
[LAN access from remote] from 204.10.192.178:19167 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:15
[LAN access from remote] from 204.10.192.178:54218 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:13
[DoS Attack: SYN/ACK Scan] from source: 159.148.23.173, port 443, Thursday, August 11, 2022 10:25:29
[LAN access from remote] from 204.10.192.178:19295 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:40
[LAN access from remote] from 204.10.192.178:18694 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:38
[LAN access from remote] from 204.10.192.178:7075 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:36
[LAN access from remote] from 204.10.192.178:56305 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:34
[LAN access from remote] from 204.10.192.178:35155 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:32
[LAN access from remote] from 204.10.192.178:39008 to 192.168.1.202:443, Thursday, August 11, 2022 10:22:30
[LAN access from remote] from 204.10.192.178:34581 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:28
[LAN access from remote] from 104.248.51.8:33786 to 192.168.1.202:443, Thursday, August 11, 2022 10:22:26
[LAN access from remote] from 204.10.192.178:41894 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:25
[LAN access from remote] from 104.248.51.8:23811 to 192.168.1.202:443, Thursday, August 11, 2022 10:22:24
[LAN access from remote] from 204.10.192.178:64410 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:23
[LAN access from remote] from 204.10.192.178:28926 to 192.168.1.202:443, Thursday, August 11, 2022 10:22:21
[LAN access from remote] from 204.10.192.178:57281 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:19
[LAN access from remote] from 204.10.192.178:28492 to 192.168.1.202:443, Thursday, August 11, 2022 10:22:17
[LAN access from remote] from 204.10.192.178:29362 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:15
[LAN access from remote] from 204.10.192.178:37298 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:13
[LAN access from remote] from 204.10.192.178:56144 to 192.168.1.202:80, Thursday, August 11, 2022 10:22:11
[LAN access from remote] from 51.77.117.33:39870 to 192.168.1.202:443, Thursday, August 11, 2022 10:14:59
[LAN access from remote] from 51.77.117.33:25119 to 192.168.1.202:443, Thursday, August 11, 2022 10:14:58
[LAN access from remote] from 51.77.117.33:11742 to 192.168.1.202:443, Thursday, August 11, 2022 10:14:57
[LAN access from remote] from 51.77.117.33:63750 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:56
[LAN access from remote] from 51.77.117.33:30909 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:55
[LAN access from remote] from 51.77.117.33:1530 to 192.168.1.202:443, Thursday, August 11, 2022 10:14:54
[LAN access from remote] from 51.77.117.33:32032 to 192.168.1.202:443, Thursday, August 11, 2022 10:14:53
[LAN access from remote] from 51.77.117.33:31006 to 192.168.1.202:443, Thursday, August 11, 2022 10:14:52
[LAN access from remote] from 51.77.117.33:25351 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:51
[LAN access from remote] from 51.77.117.33:21324 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:50
[LAN access from remote] from 51.77.117.33:1284 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:49
[LAN access from remote] from 51.77.117.33:56368 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:48
[LAN access from remote] from 51.77.117.33:38898 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:47
[LAN access from remote] from 51.77.117.33:5206 to 192.168.1.202:443, Thursday, August 11, 2022 10:14:46
[LAN access from remote] from 51.77.117.33:35943 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:45
[LAN access from remote] from 51.77.117.33:62239 to 192.168.1.202:443, Thursday, August 11, 2022 10:14:44
[LAN access from remote] from 51.77.117.33:31601 to 192.168.1.202:443, Thursday, August 11, 2022 10:14:43
[LAN access from remote] from 51.77.117.33:57298 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:42
[LAN access from remote] from 51.77.117.33:7289 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:41
[LAN access from remote] from 51.77.117.33:2416 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:40
[LAN access from remote] from 51.77.117.33:12702 to 192.168.1.202:443, Thursday, August 11, 2022 10:14:39
[LAN access from remote] from 51.77.117.33:26436 to 192.168.1.202:80, Thursday, August 11, 2022 10:14:38
I'm guessing there is not a lot I can do about it except harden the firewall rules on the NAS and possibly tighten up the .htaccess rules on my forum (hosted on the NAS). Other solutions would be to buy a managed switch and put that ahead of the router, but yeah, that's not going to be viable.
The 'attacks' seem to be coming from various ISPs, sources, countries... much weirdness.
Any thoughts / tips would be appreciated.

Further to this I'm currently allowing built-in applications of:
  • BT - No idea what this is used for, can it be disabled?
  • Hybrid Share - Not sure if I need this?
  • WS-Discovery / WS-Transfer - No idea what this is used for, can it be disabled?
  • Homebridge (now disabled as for experimentation only)
  • VPN Server (not in use so now disabled)
  • Windows File Server - As I'm using all Apple kit is this needed?
  • VisualStation (Search Visual Station) - I'm not using cameras with the NAS so this can get turned off I think?
  • SSH / Telnet - I assume these can be turned off unless I actually need to use them?
I have geolocking in place to deny access from certain countries, but the rule looks to be limited to 15 countries. Ahead of that I have an allow rule allowing the UK, Australia, and Ireland (locations where my forum users live). I'm wondering whether to add another rule denying other countries?
Thoughts appreciated.
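The 'LAN access from remote' lines in the log above are per-connection records of traffic reaching the ports the Orbi forwards to the NAS (80 and 443 here); the 'DoS Attack' lines are the router's own scan signatures. What a triage pass wants from such a log is not the individual entries but which sources repeat, on which ports, how fast, and which /24s would be worth a deny rule. The script below is an added example and is not the poster's AppleScript or any Netgear tool: it parses both line formats, summarises per source, collapses the noisy ones into /24 candidates and builds AbuseIPDB check URLs (no network access is made). The sample lines are constructed in the exact format of the log above; the `min_hits` threshold is an assumed tuning knob.

```python
"""Triage Netgear Orbi log entries: who is hitting which forwarded port, how often."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the format of the Orbi log posted above (a handful of lines).
SAMPLE_LOG = """\
[LAN access from remote] from 204.10.192.178:9509 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:38
[LAN access from remote] from 204.10.192.178:47979 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:36
[LAN access from remote] from 204.10.192.178:3663 to 192.168.1.202:80, Thursday, August 11, 2022 10:37:30
[LAN access from remote] from 192.241.235.205:57625 to 192.168.1.202:443, Thursday, August 11, 2022 10:37:24
[DoS Attack: SYN/ACK Scan] from source: 159.148.23.173, port 443, Thursday, August 11, 2022 10:32:52
[LAN access from remote] from 204.10.192.178:23569 to 192.168.1.202:80, Thursday, August 11, 2022 10:27:41
"""

ACCESS_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$")
DOS_RE = re.compile(
    r"^\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), "
    r"port (?P<dport>\d+), (?P<when>.+)$")
TIME_FMT = "%A, %B %d, %Y %H:%M:%S"   # e.g. "Thursday, August 11, 2022 10:37:38"


def parse_line(line):
    """Return a dict for a recognised Orbi log line, or None for anything else."""
    m = ACCESS_RE.match(line) or DOS_RE.match(line)
    if not m:
        return None
    return {
        "kind": m.groupdict().get("kind", "access"),  # DoS lines carry the scan type
        "src": m["src"],
        "dport": int(m["dport"]),
        "when": datetime.strptime(m["when"], TIME_FMT),
    }


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def summarize(events, min_hits=3):
    """Per-source hit count, ports touched, event types, time window and rate.
    min_hits (assumed threshold) marks a source as 'noisy'."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        times = sorted(e["when"] for e in evs)
        span = (times[-1] - times[0]).total_seconds()
        report[src] = {
            "hits": len(evs),
            "ports": sorted({e["dport"] for e in evs}),
            "kinds": sorted({e["kind"] for e in evs}),
            "first": times[0],
            "last": times[-1],
            # events per minute over the window; None when there is only one event
            "per_min": round(len(evs) * 60 / span, 1) if span else None,
            "noisy": len(evs) >= min_hits,
        }
    return report


def block_candidates(report, prefix=24):
    """Collapse noisy sources into /24s (or /16s with prefix=16), the granularity a
    firewall deny rule would actually be written at; value is the hit count behind it."""
    nets = Counter()
    for src, r in report.items():
        if r["noisy"]:
            nets[str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))] += r["hits"]
    return nets


def abuseipdb_urls(report):
    """One AbuseIPDB check URL per unique source, for manual or scripted lookup."""
    return [f"https://www.abuseipdb.com/check/{src}" for src in sorted(report)]


if __name__ == "__main__":
    rep = summarize(parse_log(SAMPLE_LOG))
    for src, r in sorted(rep.items(), key=lambda kv: -kv[1]["hits"]):
        flag = "NOISY" if r["noisy"] else "     "
        print(f"{flag} {src:16} hits={r['hits']:3} ports={r['ports']} "
              f"kinds={r['kinds']} per_min={r['per_min']}")
    print("deny-rule candidates:", dict(block_candidates(rep)))
    print("\n".join(abuseipdb_urls(rep)))
```

Feed it the full 258-entry log the Orbi emails out (or a concatenation of several) and the per-source table, rather than the raw entries, is what decides whether a /24 deny rule is worth adding; a source that appears once at a time is noise, one that returns every few minutes across hours is a candidate.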
 

fredbert (Moderator, NAS Support; NAS: DS1520+, DS218+, DS215j; routers: RT2600ac, MR2200ac; macOS, iOS)
It's worth checking the IP address and if others are reporting attacks from them. To make it easy I have a bookmarked JavaScript in Safari's bookmark bar. To use it I highlight the IP address in the browser window and click the bookmark to open a new tab to abuseipdb.com appending the IP address to the URL. I call my bookmark '[IP?]'...

JavaScript:
javascript:window.open("https://www.abuseipdb.com/check/" + encodeURIComponent(String(window.getSelection()).trim()))

Are the Orbi events just alerting you or do they actively drop these connection attempts? If they drop then it's likely you are ok, and have a look at enabling other protection signatures that will stop scans and known dubious IPs (I do this in SRM). If they are just alerts then you could add some specific DSM firewall rules to deny access from the IPs' subnets. I occasionally do this in SRM and sometimes I just block the /24 or otherwise it's the /16. After there are no hits on a rule I may disable it.

Regarding the DSM firewall and country rules: yes there is a 15 country limit per rule. But you can add multiple deny rules, which is what I do in SRM and have rules for regions (or multiple per region). Put these rules near/at the top of the rule base. Then allow rules below, which can be a mix of 'from anywhere' and 'from specific countries'. Then a final any/any/deny to end. Don't forget to include rules from the permitted LAN devices.

Alternatively, create the restrictive allow rules first, applying to specific countries and the LAN, then a deny everything else at the end.

For allowing access to specific DSM packages and services then you should limit to a minimum the access from the Internet: think if you ever need this service from the Internet and if you don't then remove the access. Then check the Orbi port forwarding rules to ensure that they are limiting access too. It's likely that your LAN devices will want more access so have rules that are specifically for these source IP subnets.
 
Original poster (DS918+)
The Orbi just alerts me. I already work with Marius Lixandru over helping to maintain his block list. I collect the log data, run it through an AppleScript to generate a list of individual IP addresses and then I run that list (when it hits close to 900 entries) through another script which checks against IP Abuse and generates a report similar to this:
Screenshot 2022-08-11 at 12.17.52.jpg

Which I send on to Marius and he incorporates the data into his 'deny-list' file. Right at the moment I've got applications at the top, then rules to cover the LAN, then rules to allow and end with deny countries. I will add in more 'deny' country rules.
The Orbi only has forwarding rules to throw the ports needed for Web Station towards the NAS.
Any thoughts as to those services I mentioned as to whether they are needed?

One lot of DDG'ing later:
  • Hybrid Share - I'm not using C2 for storage so turned off
  • BT = BitTorrent - Not used so again turned off
  • Visual Station - turned off
  • Terminal services both turned off
  • Windows File Server - turned off and we'll see if anything breaks :)
  • WS Discovery - allows users to access the SMB service on Synology NAS via Windows network discovery, so turned off again we'll see if anything breaks.
  • Share Snapshot replication - only the one NAS here, so turned off.
 

fredbert (Moderator, NAS Support)
Further to this I'm currently allowing built in Applications of:
  • BT - No ideas what this is used for, can it be disabled?
  • Hybrid share - Not sure if I need this?
  • WS-Discovery / WS-Transfer - No ideas what this is used for, can it be disabled?
  • Homebridge (now disabled as for experimentation only)
  • VPN Server (not in use so now disabled)
  • Windows File Server - As I'm using all Apple kit is this needed?
  • VisualStation (Search Visual Station) - I'm not using cameras with the NAS so this can get turned off I think?
  • SSH / Telnet - I assume these can be turned off unless I actually need to use them?
  • BT (Set up BT/HTTP/FTP/NZB | Download Station - Synology Knowledge Center) is BitTorrent for Download Station.
  • Do you use Hybrid Share? It's part of Synology C2.
  • WS-* is part of Windows file sharing, check the SMB help.
  • Homebridge ... don't know this one.
  • VPN Server: if you don't use it then don't have the rule.
  • Windows File Server is the CIFS/SMB file sharing service.
  • VisualStation is a complementary service to Surveillance Station. Do you use SS?
  • I would not enable Telnet on the NAS but you may want SSH access. I wouldn't permit access to SSH from the Internet.
Some notes:
  • It seems that you are using/have used DSM's Control Panel feature to ask to add firewall rules when adding packages. It may be better to check what has happened if you say 'yes' to one of these pop-ups.
  • The firewall rules will also show the TCP/UDP ports that the package has included. You can check this list to get the full info of default DSM ports.
  • Apple has moved to using SMB for its preferred file sharing. I have disabled AFP on my NAS and only use SMB.
  • Later versions of macOS have removed telnet command line utility, so you'll not need it running on your NAS.
  • If you do want SSH enabled then you can use different TCP ports for SSH and SFTP, meaning you can control access to the command line SSH while having different control to access the secure file transfer of SFTP.
 
Original poster (DS918+)
Yep, see my amended post above. Most are now turned off. Yep, I'm using SMB on my Mac as well. SSH and SFTP I have no need of (as far as I'm aware).
All good therefore I guess, no problems yet :)
BTW, if you want a copy of my AppleScripts for checking IPs etc. you'd be very welcome to a copy, or I can direct you to the AppleScript forum where various scripters created them for me?
 

fredbert (Moderator, NAS Support)
Block lists are futile. Good only if you know the source. I wouldn't waste time chasing those.
Depends how often they are updated. The ET Open signatures for known/suspected bad IPs get quite a few hits on my Threat Prevention, of which I've changed them all to 'drop'.

There are some repeated IP that I see popping up trying to scan and attack, so their subnets are just blocked in the firewall so that the TP log is smaller.
 
Original poster (DS918+)
I wish I could set the Orbi to drop connections from defined IPs but alas it's not supported.

I have decided to turn off the 'Port Forwarding / Port Triggering' logs and just keep the 'Known DoS attacks and Port Scans' log entries. It looks obvious that the port triggering occurrences are for ports which aren't open and the risk is nothing I can mitigate in any case.
 
Third poster (NAS: DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700; Mac/iOS user)
I have geolocking is place to deny access from certain countries, but the rule looks to be limited to 15 countries. Ahead of that I have an allow rule allowing the UK, Australia, and Ireland (locations where my forum users live). I'm wondering whether to add another rule denying other countries?
Thoughts appreciated.
Change the way you think about this. Don’t deny certain countries. Deny all (the whole world) and open for certain countries.

allow your local subnet
allow UK, Australia and Ireland (only 80,443, maybe more for your home country if you remotely access services like VPN).
Deny all

You can create a new firewall profile and try the above, leave what you have now as is (could be under default).
 
Original poster (DS918+)
Oh agreed, but you can't do a 'deny whole world' rule on the NAS without setting up hundreds of geo rules, one for every 15 countries you can deny - unless I've missed something somewhere?

The only application ports I've (now) got open are:
  • NTP - for the NAS to do its time setting
  • Management UI - for obvious reasons (custom port numbers)
  • Web Station & WebMail - ports 80 & 443 for my forum
  • Synology Drive Server - for Synology Drive Client backups from the Mac (or can that be removed and it will still work across the LAN)?
For the LAN I've got:

Allow all ports for the Orbi router (192.168.1.254), subnet 255.255.255.0
Allow all ports for LAN 192.168.1.1, subnet mask 255.255.255.0

I think that is correct?

Rule order looks like:

Screenshot 2022-08-11 at 16.59.59.jpg
 
Third poster (DS220+ etc.; Mac/iOS user)
Deny all at the end denies the whole world minus what you allowed above it.

The rules are examined top to bottom, once a rule matches, it’s executed and nothing more happens.

In my example, If a visitor is coming from Germany, the firewall rules are examined top to bottom, they end up hitting the deny all and will be denied.

Sorry I don’t know anything about your Orbi router (except that you had a big problem that was fixed recently 🙂).
 
Original poster (DS918+)
I understand all that :)

The only issue is that I can't see a way of doing a 'deny all countries' on the DS918+ firewall?

Yeah i'm so happy that the Orbi issue was fixed :)
 

fredbert (Moderator, NAS Support)
This is what I was meaning above.
Alternatively, create the restrictive allow rules first, applying to specific countries and the LAN, then a deny everything else at the end.

By specifying rules at the top with source of LAN or allowed countries followed by a deny everything else rule at the end, this is in effect a deny all countries except the ones I've explicitly stated in the allow rules.
 
Third poster (DS220+ etc.; Mac/iOS user)
Deny all denies all countries (minus what you allow before it). I think you’re still thinking of the firewall as being examined as a whole (i.e. executed altogether). It’s not, the rules are examined one by one top to bottom.

Go through the example by thinking of different countries and you’ll see how it works. Top to bottom.
 
Original poster (DS918+)
Ah ha so you mean like below? Or like that but I should remove the deny countries rule?
Screenshot 2022-08-11 at 17.45.33.jpg
 
Third poster (DS220+ etc.; Mac/iOS user)
Yes, yes 🙂
You don’t need the two rules before the deny all.

Also for your allowed visitors, you shouldn’t allow all. Just what they need (80 and 443)
Refine and harden the rules.
 

fredbert (Moderator, NAS Support)
Yes. You only need the last rule of the bottom three deny rules, since the last one covers the two above.

I'm assuming that the NTP etc rule allowed for all sources doesn't have matching router port forwarding rules.
 
Original poster (DS918+)
Okay, getting there.... So:
Screenshot 2022-08-11 at 17.59.20.jpg

And if that works okay I can delete two rules (inactive) above the last deny rule ?

And yes the NTP rule does not forward to anywhere, the only port forwards I've now in place on the Orbi are:
Screenshot 2022-08-11 at 18.04.35.jpg
 
Third poster (DS220+ etc.; Mac/iOS user)
Also 192.168.1.254 and 192.168.1.1 with a mask of 255.255.255.0 are redundant. But they’ll work.
I’d replace them with
192.168.1.0
mask: 255.255.255.0

Looks cleaner and more ”professional” .0 at the end covers the whole subnet. Your entries with .254 and .1 have the same effect because of the mask. But I’m a pain in the neck when it comes to details.
 

fredbert (Moderator, NAS Support)
Also 192.168.1.254 and 192.168.1.1 with a mask of 255.255.255.0 are redundant. But they’ll work.
I’d replace them with
192.168.1.0
mask: 255.255.255.0
Unless it's meant to be one IP address in each rule, in which case the subnet mask should be 255.255.255.255 for a /32.
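The two points argued over the last several replies, that a DSM rule base is walked top to bottom with the first match deciding (so 'allow LAN, allow three countries on 80/443, deny all' already denies every other country, and country-deny rules sitting just above the final deny-all do nothing), and that an 'IP + subnet mask' entry of 192.168.1.254 / 255.255.255.0 is the same thing as 192.168.1.0/24 while a single host needs 255.255.255.255, can both be checked with the small evaluator below. It is an added example, not Synology code and not a reproduction of DSM's firewall; the GeoIP table is a constructed stand-in using documentation-range addresses, the country codes XX/YY in the old deny rule are placeholders, and the `default` argument models DSM's 'if no rules are matched' profile setting, which defaults to allow.

```python
"""First-match evaluation of a DSM-style firewall rule base, plus subnet-mask normalisation."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed stand-in for DSM's GeoIP lookup (documentation ranges -> ISO country codes).
GEOIP = {
    "203.0.113.10": "GB",
    "198.51.100.7": "AU",
    "192.0.2.55": "IE",
    "198.51.100.200": "DE",
}


def net(ip, mask):
    """DSM rules take 'IP address' + 'subnet mask'. strict=False does what the firewall does:
    192.168.1.254 / 255.255.255.0 and 192.168.1.1 / 255.255.255.0 are both just 192.168.1.0/24;
    a single host needs 255.255.255.255 (a /32)."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


@dataclass
class Rule:
    action: str                                      # "allow" or "deny"
    name: str
    ports: Optional[FrozenSet[int]] = None           # None = all ports
    source: Optional[ipaddress.IPv4Network] = None   # None = any source address
    countries: Optional[FrozenSet[str]] = None       # None = any location

    def matches(self, src_ip, dport):
        if self.ports is not None and dport not in self.ports:
            return False
        if self.source is not None and ipaddress.ip_address(src_ip) not in self.source:
            return False
        if self.countries is not None and GEOIP.get(src_ip) not in self.countries:
            return False
        return True


def evaluate(rules, src_ip, dport, default="allow"):
    """Rules are checked top to bottom; the first match decides and nothing below it is read.
    `default` is the profile's 'if no rules are matched' action (DSM's default is allow,
    which is exactly why a final deny-all rule matters)."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.action, rule.name
    return default, "(no rule matched)"


def redundant_denies(rules):
    """Deny rules followed only by other deny rules ending in a catch-all deny can be removed:
    a packet reaching them is denied either way."""
    catch_all = [i for i, r in enumerate(rules)
                 if r.action == "deny" and r.ports is None
                 and r.source is None and r.countries is None]
    if not catch_all:
        return []
    names = []
    for i in range(catch_all[-1] - 1, -1, -1):
        if rules[i].action != "deny":
            break
        names.append(rules[i].name)
    return names[::-1]


# The rule base as discussed: LAN first, forum visitors on 80/443 from the three countries,
# then deny everything else. The old country-deny rule is left in to show it is redundant.
RULES = [
    Rule("allow", "LAN", source=net("192.168.1.254", "255.255.255.0")),
    Rule("allow", "forum visitors", ports=frozenset({80, 443}),
         countries=frozenset({"GB", "AU", "IE"})),
    Rule("deny", "deny 15 countries (old rule)", countries=frozenset({"XX", "YY"})),
    Rule("deny", "deny all"),
]

if __name__ == "__main__":
    for src, port in [("192.168.1.50", 5001), ("203.0.113.10", 443),
                      ("203.0.113.10", 22), ("198.51.100.200", 443)]:
        print(f"{src:16} :{port:<5} -> {evaluate(RULES, src, port)}")
    print("redundant:", redundant_denies(RULES))
    print(net("192.168.1.254", "255.255.255.0"), net("192.168.1.254", "255.255.255.255"))
```

Running `evaluate` over the same rule base with the final deny-all removed shows the other half of the argument: a German visitor then falls off the end and is allowed by the profile default, which is what the country-deny rules were papering over.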
 

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.