Changed Port Forwarding for DSM

Currently reading
Changed Port Forwarding for DSM

11
3
NAS
DS418play
Router
RT2600ac
Hello,

When I first added a custom domain and Let's Encrypt cert to my DS418play for DSM remote access, I used the default ports 5000 and 5001, and on my RT2600ac I added port forwarding for 5000 to 5000 and 5001 to 5001. At the time I needed help via the Synology Forum and received the advice to set it up but was suggested to change the public port at that time which I didn't (because it took so long to get Let's Encrypt working). Now I am more comfortable with Port Forwarding and wanted to change the 5001 public port to something else. When I had the port forwarding set up 5001 to 5001 resolving my custom domain (ds.example.com) would work correctly, since I changed the public port, it doesn't resolve until I add the port (ds.example.com:1234).

I've restarted my router and my NAS, and am wondering if I should change it back to 5001 because it isn't that big of a security concern, or if I should keep it and suffer through, or does changing the port take a while to propagate? I changed it a little over 16 hours ago.

Thanks,
Josh
 

Rusty

Moderator
NAS Support
2,232
670
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
Where and what did you change exactly? Using a custom port (5000/5001 are also custom ports tbh) is nothing special and should be instant. But it depends what you configured and how you did it.
Moving away from 5000/5001 is wise considering its a signature port for Syno NAS boxes. Hardening 101 definitely should be to change those ports.
 

fredbert

Moderator
NAS Support
Subscriber
1,451
611
NAS
DS218+, DS215j
Router
RT2600ac, MR2200ac
Operating system
macOS
Mobile operating system
iOS
Erm, hum. Now I'm not going to say you're wrong because Synology might be doing something that affects how it used to work with default ports. However, I've always preferred to understand my configurations and the standard connections to a web server will be:

http://sub.domain.com: port_num and https://sub.domain.com: port_num (no spaces but : p gets converted to :p)

When : port_num is omitted the the defaults of port 80 and 443 will be assumed by the web browser. There are no other assumed port numbers.

As such, DSM's use of 5000 and 5001 is not standard so you should have been adding these before. If you omitted them then you would have been accessing Web Station's default server.

The other time that DSM wouldn't need 5000 or 5001 added is when you enabled application portal specific sub-domains for the various packages, or your own reverse proxy rules.

I have seen in some of the iOS apps that the need to add the port_num isn't always necessary, but usually it is.

What I have done is to change the 5000 and 5001 default ports in DSM itself, and then port forwarded from my router new_port to new_port. In the past I have used new_port to default_port but only for services that can't change ports. In the long run it's easier to remember one set of ports :)
 
11
3
NAS
DS418play
Router
RT2600ac
What I have done is to change the 5000 and 5001 default ports in DSM itself, and then port forwarded from my router new_port to new_port. In the past I have used new_port to default_port but only for services that can't change ports. In the long run it's easier to remember one set of ports
This was exactly what I was missing. In the original Syn Forum post, someone said to forward the new custom ports to 5000/5001 on the router. Once I switched the port in DSM and on the router to the same custom port, it resolved immediately, thank you!

A follow-up question is related to ports 80 and 443, when I was setting up Let's Encrypt for some reason it wasn't working until I forwarded 80 and 443 to the Synology 80 and 443 respectively.

I assume this is an issue, although the Security Advisor doesn't say so, so I am wondering if I should be switching it to something else, or if my switching HTTPS and HTTP ports in the DSM and router to custom ports, I no longer need 443 and 80 forwarded?

208


The top HTTP and HTTPS are the new custom DSM ports I just changed. Then the bottom two are the ones I am not sure whether to keep or change.

Thanks!
 

Rusty

Moderator
NAS Support
2,232
670
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
If you want LE renewal to work, you will need port 80 and 443 (port 80 for sure).
 
989
332
NAS
DS418play, DS213j, DSM 7.0.1-14401
As Rusty said... 80 (or 443) is needed for LE update. When 2 weeks remain on my cert expiration, I open 80 and manually force an update. 10 minutes later, that finishes and I close 80.
 

fredbert

Moderator
NAS Support
Subscriber
1,451
611
NAS
DS218+, DS215j
Router
RT2600ac, MR2200ac
Operating system
macOS
Mobile operating system
iOS
11
3
NAS
DS418play
Router
RT2600ac
Thanks Telos, I’ll set myself a reminder a couple weeks out from renewal and follow your process.

Thanks for everyone’s help and advice today!
 
1,415
611
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
You can create a user defined task (under control panel > task scheduler) with the following:
/usr/syno/sbin/syno-letsencrypt renew-all

And run it whenever you need to give the renewal process a kick in the behind to "encourage" it to renew.
Posting just in case someone needs it.

I know you guys don't need it. All of you are "online experts" :D
 
191
40
NAS
DS718+
Question regarding changing default ports. Is it still the same if we use a custom port (lets say 7770 for http) forward to 5000 and 7771 https forward to 5001? Or should the custom public ports be forward to the same internal ports (i.e. public 7770 --> internal 7770 & public 7771 --> internal 7771)?
 

Rusty

Moderator
NAS Support
2,232
670
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
Question regarding changing default ports. Is it still the same if we use a custom port (lets say 7770 for http) forward to 5000 and 7771 https forward to 5001? Or should the custom public ports be forward to the same internal ports (i.e. public 7770 --> internal 7770 & public 7771 --> internal 7771)?
Its fine. You can use a custom external and use the internal the default one. The point is that the external value is still the one that is being accessible.
 
191
40
NAS
DS718+
Its fine. You can use a custom external and use the internal the default one. The point is that the external value is still the one that is being accessible.
Thanks for the clarification, I figured it wouldn't be a problem. I'm knowledgeable but by no means an expert when it comes down to best practices.
 

fredbert

Moderator
NAS Support
Subscriber
1,451
611
NAS
DS218+, DS215j
Router
RT2600ac, MR2200ac
Operating system
macOS
Mobile operating system
iOS
On the Internet router/firewall when it says port forwarding what it really is doing is network address and port translation (NAPT). What this means is that firewall policies need to identify packets based on the destination IP address and port then it will change these to the new IP address and port and route the packet on towards the intended device. The firewall/router 'knows' that NAPT rules define packets that are not intended to be handled by services that it is running.

While you have to define all four of the parameters (original/new values for IP/port) but you don't have to change a parameter's value between original and new. Typically you would change IP address (I'm trying to think of a situation when you wouldn't*) but the port can be the same if the end device is listening on the same port, or you change it original port to whatever the end device is listening to. This is the normal way that home firewalls work since you usually have only one Internet IP address.


*bigger firewall gateways where you own the Internet subnet, and you're using zoning on the firewall to allow overlapping IP address schemes, then you may be able to keep the IP address unchanged and still route the end device. Unlikely, might as well subdivide your address space: very small Internet subnet and create a firewalled DMZ with another Internet subnet. Otherwise the firewall does proxy-ARP (if that's still the way) to get the other IP address packets sent to it and then do NAPT.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Top