Can't Access Mobile Apps While On Same Network

[mdbsoccer21]

This group is my last resort as I haven't been able to find my answers elsewhere and I am at a complete loss. So I hope y'all can help!

I have everything set up and it is working flawlessly minus one small hurdle. Let me explain...

I am using a custom domain name and running through Cloudflare. I really, REALLY want to be as secure as possible and I have heard this is the best way.
I have subdomains set up - files.domain.com, I also have them set up in Cloudflare.
I have certificates set up and everything is working perfectly.
Using reverse proxy.

The problem and what is puzzling is this:
I can access files.domain.com on my computer and phone (web browser) while on the network and while off the network (cell).
However, I am unable to use the iOS apps while on the network using the domain and/or subdomain. This is a problem because I switch from my home network to traveling and vice versa and I dont want to have to update the login box every time I come on and off my home network.

I hope this makes sense because I have been pulling my hair out scouring the internet looking for an answer.

 

[Rusty]

Try and use the port number in the address line regardless if you have selected the HTTPS option on the bottom.

So use this format https://subdomain.domain.com:443 and see if that will work out for you.

 

[mdbsoccer21]

Thank you for that. I am sorry I failed to mention that I have done that already as well.

 

[Rusty]

exact error?

 

[fredbert]

I'm not clear what Cloudflare has in all this, is it just your Internet DNS service provider for your private domain? Such that client's on the Internet will get mydomain.com and sub.mydomain.com resolved by Cloudflare and directed to you router's Internet IP?

You mention reverse proxy but not who or what is providing this nor exactly what it is doing. Within DSM Control Panel there is the Application Portal area and provides two sections:

1. Application Portal for specifying customised domains and aliases for Synology packages (e.g. File Station).
2. Reverse Proxy for defining proxy redirects for custom domains or ports to other web addresses.

Did you use one of these or is there a Cloudflare reverse proxy being used?


That the iPhone can use Safari to browse to the customised domains should mean that the iOS mobile apps should also be able to. First I would test that the mobile apps can access the NAS by using LAN_IP:443 and use the login page's Set Up options to not validate the certificate. Does this work? If it does then it points to the resolution of the domain. (don't forget to turn on certificate validation)

I run DNS Server on NAS as an internal DNS: it resolves my personal domain for home devices and gives the local IP, for all other domains DNS Server will get the resolution from an Internet DNS service. Doing this means I don't have to rely on local loopback via my Internet router.

 

[mdbsoccer21]

I'm not clear what Cloudflare has in all this, is it just your Internet DNS service provider for your private domain? Such that client's on the Internet will get mydomain.com and sub.mydomain.com resolved by Cloudflare and directed to you router's Internet IP?

Thank you for your clarifying questions. I always like to add Cloudflare into the mix and be transparent as I can and no how to so that everyone knows the exact set up. It may or may not have anything to do with the situation. I just want to be clear.

So yeah I have A name record and CNAME all set up and they point to my external IP address.

You mention reverse proxy but not who or what is providing this nor exactly what it is doing. Within DSM Control Panel there is the Application Portal area and provides two sections:

1. Application Portal for specifying customised domains and aliases for Synology packages (e.g. File Station).
2. Reverse Proxy for defining proxy redirects for custom domains or ports to other web addresses.

Did you use one of these or is there a Cloudflare reverse proxy being used?

I am using the reverse proxy inside of DSM. From my understanding and watching the tutorials, this is the best option. So I have my router forwarding ports to the Synology. Then inside of the NAS I am using reverse proxy to point to the different applications. So, no I did not use Cloudflare reverse proxy.

That the iPhone can use Safari to browse to the customised domains should mean that the iOS mobile apps should also be able to. First I would test that the mobile apps can access the NAS by using LAN_IP:443 and use the login page's Set Up options to not validate the certificate. Does this work? If it does then it points to the resolution of the domain. (don't forget to turn on certificate validation)

Can you be a little more clear about this?
I have tested on the network and they can access said services using the mobile apps using the IP address, without the port number. However, I can not login to mobile app using the domain, subdomain, port number.

From my home network (the same network the nas is on), I can also log into the dsm from a web browser using subdomain.domain.com. I can also log into the files using subdomain.domain.com. I can do this both on my computer and mobile device.

I run DNS Server on NAS as an internal DNS: it resolves my personal domain for home devices and gives the local IP, for all other domains DNS Server will get the resolution from an Internet DNS service. Doing this means I don't have to rely on local loopback via my Internet router.

Is there a good tutorial on how to do this? And, do you think this would solve the problem? I am using an Eero and they have me going through a custom dns because I pay for their "protection" program.

Thank you so much for this. It has given me a lot to chew on and hopefully with your help and others I can get this figured out once and for all.

-- post merged: 15. Apr 2021 --

exact error?

The exact error is one of two things:

"Logging In..." forever that results in nothing

Sign In
Unable to connect to the server.
Please check:
– the IP address is correct
– the network connection
– Synology NAS is connected
We recommend using quick connect for easier connection to your server.

 

[fredbert]

I am using the reverse proxy inside of DSM. From my understanding and watching the tutorials, this is the best option. So I have my router forwarding ports to the Synology. Then inside of the NAS I am using reverse proxy to point to the different applications.

Why didn't you use the Application Portal section (of Application Portal) for assigning customised domains to the packages that it supports, e.g. File Station, Drive, Moments?

I have tested on the network and they can access said services using the mobile apps using the IP address, without the port number. However, I can not login to mobile app using the domain, subdomain, port number.

From my home network (the same network the nas is on), I can also log into the dsm from a web browser using subdomain.domain.com. I can also log into the files using subdomain.domain.com. I can do this both on my computer and mobile device.

When you say 'the network' do you mean the Internet or home LAN/network. I had read it that the iOS apps were having the problem when your phone is connected to the home LAN but worked when connected to the Internet. To summarise what logs in correctly or not...

		From Internet	From Internet	On LAN	On LAN
Client device	Application	Using IP address	Using custom domain	Using IP address	Using custom domain
Mac	Web browser	Yes	Yes	Yes	Yes
iPhone	Web browser	Yes	Yes	Yes	Yes
iPhone	Mobile app	Yes	Yes	Yes	No

Is there a good tutorial on how to do this? And, do you think this would solve the problem? I am using an Eero and they have me going through a custom dns because I pay for their "protection" program.

Not sure on a tutorial, I worked it out myself.

Have you tried using a different DNS service instead of Eero's to see if that is blocking it. I don't see why it would.

 

[mdbsoccer21]

Why didn't you use the Application Portal section (of Application Portal) for assigning customised domains to the packages that it supports, e.g. File Station, Drive, Moments?

I dont know. I have always seen people using reverse proxy. Do you suggest I use application portal? I have just always heard you reverse proxy. However, I have tried this and still have the same problem.

When you say 'the network' do you mean the Internet or home LAN/network.

When I say home network, I mean the internal network of computers that my computer and other devices sit on.

I had read it that the iOS apps were having the problem when your phone is connected to the home LAN but worked when connected to the Internet. To summarise what logs in correctly or not...

Client device	Application	Using IP address	Using custom domain	Using IP address	Using custom domain
		From Internet	From Internet	On LAN	On LAN
Mac	Web browser	Yes	Yes	Yes	Yes
iPhone	Web browser	Yes	Yes	Yes	Yes
iPhone	Mobile app	Yes	Yes	Yes	No

WOW! What a great matrix. Here is my response using your matrix. I think because it's my understanding that the IP address only works while Im on my home network.

Client / Device	Application	Using IP address	Using Custom Domain	Using Custom Domain
		While On Home Network/Internet	While On Home Network/Internet	While Off Home Network/Internet
Mac	Web browser	Yes	Yes	N/A
iPhone	Web browser	Yes	Yes	Yes
iPhone	Mobile app	Yes	No	Yes w/ Port #

Not sure on a tutorial, I worked it out myself.

Have you tried using a different DNS service instead of Eero's to see if that is blocking it. I don't see why it would.

I have not just because I can access it in every scenario except on my home network/wifi using the mobile app.

It just doesn't make any sense and no one can figure out why?

 

[fredbert]

So now I'm really confused. To translate your terminology with mine:

LAN (local area network, i.e. the private network at home) = On home network​

Internet (the public network that is beyond your LAN) = Off home network​

When you say 'while On home network / Internet = No' is that a mistake or are you saying the mobile apps don't work on the LAN and the Internet. I think you're trying to say what I tabled, i.e. that it just doesn't work for mobile apps when on the LAN / at home / home network.

I would definitely try to use different DNS servers to check that there isn't something that the Eero is introducing.

Failing that you can setup a local DNS server for you home. It would resolve local IP addresses for your personal domain and for everything else it can forward to Eero's DNS servers. I don't know how Eero's DHCP server works, it's probably one of these:

• If DHCP clients use the Eero LAN IP as DNS server: change the Eero's Internet settings for DNS server to have the first server IP as the local DNS server
• If DHCP clients get assigned the Eero DNS server IP: change the DHCP server's configuration to have the local DNS server's IP as the first DNS server.

 

[mdbsoccer21]

So now I'm really confused. To translate your terminology with mine:

LAN (local area network, i.e. the private network at home) = On home network​

Internet (the public network that is beyond your LAN) = Off home network​

When you say 'while On home network / Internet = No' is that a mistake or are you saying the mobile apps don't work on the LAN and the Internet. I think you're trying to say what I tabled, i.e. that it just doesn't work for mobile apps when on the LAN / at home / home network.

I would definitely try to use different DNS servers to check that there isn't something that the Eero is introducing.

Failing that you can setup a local DNS server for you home. It would resolve local IP addresses for your personal domain and for everything else it can forward to Eero's DNS servers. I don't know how Eero's DHCP server works, it's probably one of these:

• If DHCP clients use the Eero LAN IP as DNS server: change the Eero's Internet settings for DNS server to have the first server IP as the local DNS server
• If DHCP clients get assigned the Eero DNS server IP: change the DHCP server's configuration to have the local DNS server's IP as the first DNS server.

I am sorry for being confusing. I can see how it may have been confusing, even though I thought I was being clear... Ughh! Again, sorry and thank you for sticking with me.

Let me see if I can add clarity. When I am at home and on my wifi (which I assume includes resources from my local network (computers, printers, smart devices, etc) as well as the internet) I can not access the Synology services using Synology apps on my iPhone using my subdomain.customdomain.com, including if I use port #'s also. However, I can access these through Safari on my iPhone. Also, I can access all of these services using subdomain.customdomain.com using Safari on my laptop while connected to my wifi.

I am able to use these Synology apps if I am on another other network that provides internet access (Cell, Starbucks, My friends house, etc).

I am not sure if this is clear or adds more confusion in my efforts to clear things up.

As far as the Eero DNS, I pay for this monthly because it includes ad blocking , etc so I dont want to get rid of it; however, in an effort to troubleshoot, I did turn it off and still did not change the outcome.

Thank you again for everyones help, especially thankful to @fredbert

 

[mdbsoccer21]

What is interesting, and may be completely irrelevant, is that I can indeed access these using quickconnect.

 

[fredbert]

Clear.

I agree that the DNS was unlikely to get anywhere, but I'm stumped. I just tested DS file with a few different server URL and port combinations.

Let's say my DSM HTTPS port is the default 5001, it's not but for the results below I'm translating it. This all using DS file while my phone is on WiFi at home.

Server string used	Notes	Result
<NAS_LAN_IP>		Fails with same error as you
<NAS_LAN_IP>:443		Fails with same error as you
<NAS_LAN_IP>:5001		Log in
file.mydomain.com	Application Portal customised domain for File Station	Fails with same error as you
file.mydomain.com:443		Log in
file.mydomain.com:5001	Uses DSM HTTPS port	Log in
office.mydomain.com	DSM Reverse Proxy redirecting to HTTPS 5001	Fails with same error as you
office.mydomain.com:443		Log in
office.mydomain.com:5001		Log in
audio.mydomain.com	Application Portal customised domain for Audio Station	Fails with same error as you
audio.mydomain.com:443		Fails : Invalid port
audio.mydomain.com:5001		Log in
moments.mydomain.com	Application Portal customised domain for Moments	Fails with same error as you
moments.mydomain.com:443		Fails : Invalid port
moments.mydomain.com:5001		Log in
www.mydomain.com	DNS resolving to NAS IP. Not setup in NAS for any service.	Fails with same error as you
www.mydomain.com:443		Fails with same error as you
www.mydomain.com:5001		Log in

 

[Gerard]

You have to specify port numbers when using the mobile apps. If using reverse proxy use the domain name then :443. That is how I have it setup, this is due to the apps being hard coded for 5000 & 5001 when you just enter the domain name.

 

[fredbert]

You have to specify port numbers when using the mobile apps. If using reverse proxy use the domain name then :443. That is how I have it setup, this is due to the apps being hard coded for 5000 & 5001 when you just enter the domain name.

Yup. I think this has already been said first.

If the default 5000/5001 is assumed if no port number is specified then my table for 'www.mydomain.com', and others, would also login if I wasn't translating my actual DSM HTTPS port to 5001 for this. I've never used the default ports so didn't know this.

On some newer mobile apps the port suffix isn't need when ':443'. This is definitely true for the iOS Drive app as I just tested it. So seems that Synology have fixed this for new apps but the older ones (file, cloud, etc) didn't get it.

 

[Gerard]

On some newer mobile apps the port suffix isn't need when ':443'. This is definitely true for the iOS Drive app as I just tested it.

Correct drive isn’t needed. Also you can use the application portal alias for drive. Use your dsm domain name /alias

-- post merged: 17. Apr 2021 --

So use this format https://subdomain.domain.com:443 and see if that will work out for you

Thank you for that. I am sorry I failed to mention that I have done that already as well.

Don’t include https in the url. Most of the apps already have an https toggle switch

 

[mdbsoccer21]

I just want to be able to leave my app logged in when I switch from my wifi to my cell signal.

I have tried what seems like every combination with no dice.

I’ll try again right now. Let’s just stick to one app for now to simplify things.

I’m using the files app on iOS on my wifi w/ https switch toggled-
subdomain.domain.com - logging in constantly and doesn’t connect
sub.domain.com:443 - immediate error
sub.domain.com:5001 - logging in for a while and then gives error
sub.domain.com:7001 -logging in for a while and then gives error

using safari on my phone:
sub.domain.com- immediate connection with login screen

 

[Gerard]

I just want to be able to leave my app logged in when I switch from my wifi to my cell signal.

I have tried what seems like every combination with no dice.

I’ll try again right now. Let’s just stick to one app for now to simplify things.

I’m using the files app on iOS on my wifi w/ https switch toggled-
subdomain.domain.com - logging in constantly and doesn’t connect
sub.domain.com:443 - immediate error
sub.domain.com:5001 - logging in for a while and then gives error
sub.domain.com:7001 -logging in for a while and then gives error

using safari on my phone:
sub.domain.com- immediate connection with login screen

Can we see the reverse proxy settings for this specific subdomain

Also the settings of application portal

 

[mdbsoccer21]

@Gerard what are you looking for specifically? I am unsure how "secure" it is to show you a screenshot of my settings; but of course I want the help.

Im just not sure why everything is connecting except the mobile apps.

 

[Gerard]

@Gerard what are you looking for specifically? I am unsure how "secure" it is to show you a screenshot of my settings; but of course I want the help.

Just blur out or white out your domain name. I’m looking to see if port numbers or aliases are set consistently

 

[mdbsoccer21]