I've just bought and freshly installed a new DS920+ with 2 x 8TB IronWolf Seagate disks. I hope you can help me here with my thread, as I'm new to how to set up a server properly.
I'm facing issues with accessing NAS via internet, i.e. I mean an external internet access to my DS920+ (not LAN access).
I run the following setup: Internet --> Router (D-Link DWR-116) --> Multi-Switch (TP-Link TL-SG105) --> NAS (DS920+)
(I've also tried to put NAS behind the router but it didn't allow me to access NAS remotely, either)
In router I'm sending the following ports (started with 443 and then subsequently added all below):
Ping test: Router --> NAS is successful:
When using DSM to setup router connection I noticed my router is not listed in a drop-down box of available router devices, hence I had to choose a manual setup in router itself.
After 2 weeks of trying and consulting this issue with the Synology Community, with all respect for the great ideas there, I'm still unable to resolve the problem. Synology support via a ticket raised by me didn't put me further, either. This is a shame to have such a great product and so little support - I'm really to solve this. If this helps, I can also point to the thread in the other forum (so as not to repeat the scenarios again).
Welcome to the forum! Hopefully, we can sort this out.
So you expand the problem, what you did, but not how are you actually trying to access your nas or what errors you are getting.
Considering that you have manually forwarded the ports, there is no need (and do not use) the router wizard inside DSM, it's not working as it should and opens you up to a whole lot of trouble.
So, list your methods of access, problems you are having (some screens or errors), and let's take it from there.
I can see you have opened 80/443 combo, 5000/5001 (those ports should change for security reasons), and also 6690 (drive client) as well as FTP insecure port. Those are a lot of attack vectors on your NAS from the outside.
Would also help if you would state how exactly you want to access your nas and what services you need access to from the outside.
1. I've managed to log in to my router with admin user & password (LAN), but I'm still not sure about my router's setup to access the router (INTERNET). This is why I've opened probably more ports than required.
To your questions:
- Yes, I've opened a combo (80/443) and enabled it.
- I've opened initially http/https (5000/5001) but updated it to 30000/30001 (security reasons, as you've suggested). Ports are enabled.
- I've entered 6690 but I haven't enabled this port. Interestingly, login via QuickConnect (cloud) works all right (from laptop, from my cell phone).
- Following your advice, I've disabled port 21 (FTP) now due to security reasons.
2. I was advised to set up ports manually via the router interface rather than via the NAS software as it is superfluous and not reliable. So I did it, I hope. It seems the router communicates with the NAS, see ping result (screen above).
3. Enabling or disabling UPnP on my router D-Link DWR-116 hasn't got any impact on the result.
Regardless of whether UPnP is enabled or disabled, there is a warning message displayed: "Checking network environment".
Picture: UPnP enabled in router settings
Picture below: UPnP disabled in router settings.
5. I've setup DDNS via DSM on NAS:
DDNS advanced settings - "as is" - I left this blank.
Just to add, I got a security advice to remove 5000/5001 - which I did and replaced with 3000/3001 and I've marked this:
6. Then I've enabled the security certificate as follows (via Synology service):
TESTS: Once all was setup, I've started to test with the following
http://192.168.2.13:3000
I can connect to NAS login page from laptop (can't from cell phone). So, it doesn't work.
http://tomzik.synology.me:3000
I cannot connect to NAS login page from my laptop nor from my cell. So, it doesn't work either.
I've started to ask basic questions:
1. Am I forwarding correct ports at all? It seems 443 is required. What else?
I've logged a ticket to Synology Support. They've pointed me to Knowledge Center with this link:
OR Configure your router manually - this what we aim here, so:
b) Once I have found the router port forwarding configuration page, please refer to this article for a complete list of port numbers used by Synology products' applications and services.
In the article, there is complete list of ports which can be used which goes on and on...
A long post with a lot of good info. There is nothing wrong from the configuration standpoint looking at the images, but can you share what exact errors do you get when you say that you can't connect from your mobile device?
Also, when you try to connect with your tomzik domain name from your laptop does that mean you connect from your LAN at that time? Same question for your mobile device. Are you trying to connect using your mobile device while it's on the same local device or using your 4G connection?
A lot to read and I've not much time, but there's no reason nowadays to use HTTP for anything but public sites where secure sessions are not required. Specifically I would not have HTTP accessible across the Internet (except where it's still needed to support Let's Encrypt certificate validation process) to my NAS and especially not for my user/admin connections. But from what I can see and a little light googling I don't think this is going to be a problem.
Looking at the IP addressing of the router's WAN port it would seem to fall into the range reserved for Carrier Grade NAT.
One disadvantage is that "It makes it impossible to host services." and that is what you're trying to do. Your router's connection is not directly accessible from the Internet.
Your solution would be to use QuickConnect's relay service, though this will have some speed issues but that would be better than the no speed you have at the moment. QC relay service relies on the NAS making a connection out to the QC servers. When an Internet client tries to connect it is to these servers too. The QC servers then bridge the two connections and allow the Internet request to pass back down the NAS's connection. You will have to trust Synology as the two connections will only be secured to the QC servers and not directly between the two endpoints.
I noticed the same lack of assigned Internet IP when setting up a 4G-only router/firewall for a friend.
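The check described in the post above, as an added example that is not part of the thread: it classifies the address shown on the router's WAN port and compares it with the address the Internet sees (for instance the one the DDNS record reports). The function names and sample addresses are constructed for illustration; 100.64.0.0/10 is the shared address space reserved for carrier-grade NAT in RFC 6598.

```python
import ipaddress

# Shared address space reserved for carrier-grade NAT (RFC 6598).
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# Private IPv4 ranges (RFC 1918), seen when the router sits behind another router.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(addr):
    """Classify the address shown on the router's WAN interface."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "public" if ip.is_global else "reserved"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "reserved"
    return "public"


def inbound_possible(router_wan, seen_from_internet):
    """Return (ok, reason): can port forwards on this router ever be reached?"""
    kind = classify_wan(router_wan)
    if kind != "public":
        return False, (f"WAN address {router_wan} is {kind}; "
                       "an upstream NAT drops unsolicited inbound traffic")
    if ipaddress.ip_address(router_wan) != ipaddress.ip_address(seen_from_internet):
        return False, "WAN address differs from what the Internet sees; another NAT is in the path"
    return True, "router holds the public address; forwarded ports can be reached"


if __name__ == "__main__":
    # Constructed samples (documentation ranges), not values from the thread.
    samples = [("100.72.15.9", "203.0.113.10"),
               ("192.168.1.2", "203.0.113.10"),
               ("203.0.113.10", "203.0.113.10")]
    for wan, seen in samples:
        print(wan, "->", inbound_possible(wan, seen))
```

If the first value is False, no amount of port forwarding on the router will help, and the options left are the ones discussed in the thread: a relay, an outbound tunnel, or a routable IPv6 address.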
Accessing a) and b) from mobile phone doesn't bring any result or error, it just stops on a scale from 1 - 100% of progress at let's say 10% and doesn't move along. After a while there is a message:
This site can't be reached.
tomzik.synology.me took too long to respond.
Try:
Checking the connection
ERR_CONNECTION_TIMED_OUT
To me it seems there is a firewall blocking the device to access the link address. But I'm not sure.
Thanks for the hint, so the bottom line is I should use QuickConnect going forward to access NAS.
Now, is this connection secured in a way that I can control it? I see that I can log in from my mobile without authorisation required. If I can, anybody else can do this too. Is my understanding correct?
Using QuickConnect and its relay service is a transport mechanism between the two endpoints, it doesn't remove any user authentication mechanisms that the NAS employs to ensure only authorised users get access to application services.
As well as the Help pages here there is also a whitepaper that explains how this all works.
This is a pity with host services being not possible from my router. Furthermore, LTE technology seems to be well established here in the country - there is a new access point built nearby and I have a pretty good connection. Obviously, a cable connection would be ultra fast if comparing to mine but it would have an advantage of host services being available, too.
Unfortunately, this is a theory - I live in a real world down here..
The alternative way would be for the NAS to create a VPN tunnel out to an Internet VPN service that provides a gateway for inbound connections. I have no information on if there are any service providers that do this.
Maybe it would be worth looking into if your provider has IPv6. In many cases when you are behind CGNAT, they do provide that and you can get a publicly routable IPv6 address on your NAS with DHCP-PD for example that DSM can use for its DDNS.
Also, even if there's a cable provider that you could switch to, there's a real possibility that they'd provide the same CGNAT and IPv6 so make sure to ask around about that.