Can't access synology external network finder

[nathanhorn]

Problem: Unable to connect finder via https://username.synology.me or via public IP from external network.
Here's all what I've done so far to try and get it to work. It worked in the past on my synology play, then I migrated to the DS720+ and now it's not working anymore even though I've probably updated all the settings.

1. Device:
   DS720+
   DSM 7.1-42661
2. Ports forwarded on my Fritz!box 7530 router:
   5000, 5001, 445, 443, 80, 6690, 5353, 5005, 5006
3. I've disabled automatic router configuration
4. NAS is directly connected to Fritz!box 7530 Router with 2 LAN cables on Active/Standby
5. Automatically redirect http connection to https for DSM desktop is turned on.
6. Static IP
7. Permissions are all set

I'm out of help articles online for trying so I wonder what I'm doing wrong this time? Is it the combining of 2 Lan ports perhaps?
This worked yesterday with my Synology Play. Now I've migrated to the DS720+ and updated all settings but I can't get it to work again. I'm following the same instructions I did before.

 

[Rusty]

So just to recap you are trying to get your NAS visible inside macOS Finder from outside the local network?

5000, 5001, 445, 443, 80, 6690, 5353, 5005, 5006

close down as many ports as possible, you are exposed this way, way too much. Not to mention opening 445 to the Internet.

Do you have WebDAV configured, considering you are opening 5005 and 5006 ports? Is all configured regarding your public domain name and its certificate?

 

[nathanhorn]

So just to recap you are trying to get your NAS visible inside macOS Finder from outside the local network?


close down as many ports as possible, you are exposed this way, way too much. Not to mention opening 445 to the Internet.

Do you have WebDAV configured, considering you are opening 5005 and 5006 ports? Is all configured regarding your public domain name and its certificate?

I just now found out that if I access it through http://publicip/5005 I am able to acces it so my issue is resolved. I opened up all those ports because nothing was working. But I also notice that I only have read permissions using this. So something is still not right.

I'm going to check which is faster the 5005 or 5006. from my understanding 5006 should be more secure but therefore maybe slower?

Do I need to leave some ports open if I want to be able to upload my pictures through synology photos as I'm trying to move away from iCloud.

 

[Rusty]

I'm going to check which is faster the 5005 or 5006. from my understanding 5006 should be more secure but therefore maybe slower?

encrypted traffic is slower but that all depends. In this case, you might not even notice any difference but ofc, go HTTPS if you can. Also for this to work error-free you will need a valid cert with a valid domain name.

Do I need to leave some ports open if I want to be able to upload my pictures through synology photos as I'm trying to move away from iCloud.

Synology Photos uses the default DSM ports (5000/5001 or any other that you might be using instead). Also you could push out that particular app over reverse proxy on port 443 to a) avoid using the custom port and b) opening more than you have to

 

[nathanhorn]

encrypted traffic is slower but that all depends. In this case, you might not even notice any difference but ofc, go HTTPS if you can. Also for this to work error-free you will need a valid cert with a valid domain name.


Synology Photos uses the default DSM ports (5000/5001 or any other that you might be using instead). Also you could push out that particular app over reverse proxy on port 443 to a) avoid using the custom port and b) opening more than you have to

Thanks for the fast reply!
I'm not familiar with adding a valid cert. Am I correct to assume that I have one since I have the DDNS from Synology set up with the letsencrypt issued?

 

[Rusty]

Am I correct to assume that I have one since I have the DDNS from Synology set up with the letsencrypt issued?

Correct

 

[fredbert]

You can confirm what certificates you have in Control Panel -> Security -> Certificate. Here you can also check which network services are assigned to which certificate (if you have more than one).

When accessing the network service you just have to access it using a server name that is covered by the certificate (either its domain name, or from the list of subject alternate names [maybe displayed as a list called DNS names]). If the certificate includes *.ddnsname.com then you can even select a unique server name part (in place of *) and it will still work.

 

[nathanhorn]

Correct

Okay! The only thing I was wondering, I'm doing all this so that my friend in another country can connect to my NAS, since he'll probably have to reconnect every time his computer goes to sleep or if he shuts it down, is there a way to make the finder connectable with the DDNS? Because that doesn't work for me yet.

-- post merged: 14. Jun 2022 --

Okay! The only thing I was wondering, I'm doing all this so that my friend in another country can connect to my NAS, since he'll probably have to reconnect every time his computer goes to sleep or if he shuts it down, is there a way to make the finder connectable with the DDNS? Because that doesn't work for me yet.

Never mind, i found out that using 5006 works with the DDNS. Thank you for all your help!