DS920+ connection with router

Hi All,

I've just bought and installed fresh a new DS920+ with 2 x 8TB IronWolf Seagate disks. I hope you can help me here with my thread, as I'm new to how to setup a server properly.

I'm facing issues with accessing NAS via internet, i.e. I mean an external internet access to my DS920+ (not LAN access).

I run the following setup: Internet --> Router (D-Link DWR-116) --> Multi-Switch (TP-Link TL-SG105) --> NAS (DS920+)
(I've also tried to put NAS behind the router but it didn't allow me to access NAS remotely, either)

In router I'm sending the following ports (started with 443 and then subsequently added all below):

ports forwarded.png


Ping test: Router --> NAS is successful:
2021-07-12 11_10_36-Window.png


When using DSM to setup router connection I noticed my router is not listed in a drop-down box of available router devices, hence I had to choose a manual setup in router itself.

Control Panel 1.png
Control Panel 2.png


After 2 weeks of trying & consulting this issue with Synology Community - with all respect for great ideas there, I'm still unable to resolve the problem. Synology support via ticket raised by me didn't put me further, either. This is a shame to have such a great product and so little support - I'm really to solve this. If this helps, I can also point to the thread in the other forum (to not to repeat the scenarios again).

Can you help?


Thanks,

tomtom1977
 
Welcome to the forum! Hopefully, we can sort this out.

So you expand on the problem and what you did, but not how you are actually trying to access your NAS or what errors you are getting.

Considering that you have manually forwarded the ports, there is no need for (and do not use) the router wizard inside DSM; it's not working as it should and opens you up to a whole lot of trouble.

So, list your methods of access, problems you are having (some screens or errors), and let's take it from there.

I can see you have opened 80/443 combo, 5000/5001 (those ports should change for security reasons), and also 6690 (drive client) as well as FTP insecure port. Those are a lot of attack vectors on your NAS from the outside.

Would also help if you would state how exactly you want to access your nas and what services you need access to from the outside.
 
When you try to test the access to your router's WAN interface from the Internet:
  • Check that your ISP permits inbound connections
  • The router WAN interface has been assigned an Internet routable IP address (not in ranges 10.x.x.x, 172.16.x.x - 172.31.x.x, or 192.168.x.x).
  • The NAS's firewall is allowing connectivity
  • The domain you use is resolving to the router's WAN IP
Some information on these Internet tests would be useful.
 
Sure, I will include here what I did so far:

1. I've managed to log in to my router with admin user & password (LAN), but still I'm not sure about my router's setup to access the router (INTERNET). This is why I've opened probably more ports than required.

To your questions:
- Yes, I've opened a combo (80/443) and enabled it.
- I've opened initially http/https (5000/5001) but updated it to 30000/30001 (security reasons, as you've suggested). Ports are enabled.
- I've entered 6690 but I haven't enabled this port. Interestingly, login via QuickConnect (cloud) works all right (from laptop, from my cell phone).
- Following your advice, I've disabled port 21 (FTP) now due to security reasons.

2. I was advised to set up ports manually via the router interface rather than via the NAS software, as it is superfluous and not reliable. So I did it, I hope. It seems the router communicates with the NAS, see ping result (screen above).

3. Enabling or disabling UPnP on my router D-Link DWR-116 hasn't got any impact on the result.

1626016726_AgIag.png


This is regardless if uPnP is enabled or disabled, there is a warning message displayed: "Checking network environment".

Picture: uPnP enabled in router settings


Control Panel view 3


Picture below: UPnP disabled in router settings.

Control Panel view 1



5. I've setup DDNS via DSM on NAS:

1626094829_tyZJw.png


DDNS advanced settings - "as is" - I left this blank.

1626094839_Nxu8M.png

  • Just to add, I got security advice to remove 5000/5001, which I did and replaced with 3000/3001, and I've marked this:
1626341835_rpbZS.png

DSM Settings updated.png



6. Then I've enabled the security certificate as follows (via Synology service):
1626423187727.png




TESTS: Once all was setup, I've started to test with the following

http://192.168.2.13:3000
I can connect to NAS login page from laptop (can't from cell phone). So, it doesn't work.
http://tomzik.synology.me:3000
I can not connect to NAS login page from my laptop nor from my cell. So, it doesn't work either.




I've started to ask basic questions:

1. Am I forwarding correct ports at all?
It seems 443 is required. What else?

I've logged a ticket to Synology Support. They've pointed me to Knowledge Center with this link:

How do I make my Synology NAS accessible over the Internet? - Synology Knowledge Center

bunch of info, all in all - i should:

a)
Use EZ-Internet to make Synology NAS accessible over the Internet

OR Configure your router manually - this what we aim here, so:

b) Once I have found the router port forwarding configuration page, please refer to this article for a complete list of port numbers used by Synology products' applications and services.

In the article, there is complete list of ports which can be used which goes on and on...

What network ports are used by DSM services? - Synology Knowledge Center

Proposed solution: In a doubt, I will go one by one and test all :) --> It didn't work





2. Is the user authorisation with NAS_Synology working?

I realize this is secondary (after I can access login page in NAS_Synology, I should be able to login), but what if I'm wrong?

1626339366_JhwpB.png


So, I've tested it
by changing the password for 'admin' user. It seems there was a notification sent to my email:

Response auto-generated by NAS:

Dear user,

This is a confirmation that your password on NAS_Synology has been changed.

To modify your account settings, please point your browser at
http://192.168.2.13:5000/, http://tomzik.synology.me:5000/. (If you
cannot connect to the server, please contact the administrator.)

From NAS_Synology

Proposed solution: In a doubt, I will take those links as given :)

a) http://192.168.2.13:3000

I can connect to NAS login page from laptop (can't from cell phone). So, it doesn't work either.

b) http://tomzik.synology.me:3000

I can not connect to NAS login page from my laptop nor from my cell. So, it doesn't work either.



I've expanded the testing to those two cases:

c) https://192.168.2.13:3001

I can connect to NAS login page from laptop (can't from cell phone). So, it doesn't work either.

d) https://tomzik.synology.me:3001

I can not connect to NAS login page from my laptop nor from my cell. So, it doesn't work either.



It didn't work



3. There is some other reason which I can't figure out.

I suspect some problem with security certificate, i.e.

How do I obtain a certificate from Let's Encrypt on my Synology NAS? - Synology Knowledge Center

a) There is a point about domain name vs subject alternative name - I didn't care and left this one blank for now.

Is this a problem?

1626342317_VveQJ.png


b) Email domain name should end up with [....].com and in this case it is [...].de

1626342439_fFO84.png


I'm open to your suggestions.

-- post merged: --

Also, to answer the question about firewall:

Firewall Settings --> Enable + I set rules for local devices to allow them to login

It didn't change anything - NAS is not responding.

Also, I was thinking if the setup Internet --> Router --> Multi-switch --> NAS might be a problem, so I've re-done the setup.

Now I've put NAS behind the router, i.e. Internet --> Router --> NAS.

I didn't change anything - NAS is not responding. I came back to how it was setup initially (for a better performance).
-- post merged: --

When you try to test the access to your router's WAN interface from the Internet:
  • Check that your ISP permits inbound connections
  • The router WAN interface has been assigned an Internet routable IP address (not in ranges 10.x.x.x, 172.16.x.x - 172.31.x.x, or 192.168.x.x).
  • The NAS's firewall is allowing connectivity
  • The domain you use is resolving to the router's WAN IP
Some information on these Internet tests would be useful.

Thanks for your hints,

to Your 1st question: I'm not sure how to check this?

to Your 2nd question: router is assigned with a fix IP address 192.168.2.1, other settings listed below:
1626424213691.png


1626424238021.png


to Your 3rd question: yes, I believe firewall does enable it.

1626424307650.png

1626424328565.png



to Your 4th question: I'm not sure how to check this?
 
A long post with a lot of good info. There is nothing wrong from the configuration standpoint looking at the images, but can you share what exact errors do you get when you say that you can't connect from your mobile device?

Also, when you try to connect with your tomzik domain name from your laptop does that mean you connect from your LAN at that time? Same question for your mobile device. Are you trying to connect using your mobile device while it's on the same local device or using your 4G connection?
 
A lot to read and I've not much time, but there's no reason nowadays to use HTTP for anything but public sites where secure sessions are not required. Specifically I would not have HTTP accessible across the Internet (except where it's still needed to support Let's Encrypt certificate validation process) to my NAS and especially not for my user/admin connections. But from what I can see and a little light googling I don't think this is going to be a problem.

Looking at the IP addressing of the router's WAN port it would seem to fall into the range reserved for Carrier Grade NAT.

One disadvantage is that "It makes it impossible to host services." and that is what you're trying to do. Your router's connection is not directly accessible from the Internet.

Your solution would be to use QuickConnect's relay service, though this will have some speed issues but that would be better than the no speed you have at the moment. QC relay service relies on the NAS making a connection out to the QC servers. When an Internet client tries to connect it is to these servers too. The QC servers then bridge the two connections and allow the Internet request to pass back down the NAS's connection. You will have to trust Synology as the two connections will only be secured to the QC servers and not directly between the two endpoints.


I noticed the same lack of assigned Internet IP when setting up a 4G-only router/firewall for a friend.
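
The checks discussed in this thread (is the router's WAN address Internet-routable, and does the DDNS name resolve to it) can be done mechanically. The Python sketch below is an added example, not part of any forum post; the function names and the sample addresses are constructed for illustration, and it covers IPv4 only.

```python
import ipaddress

# IPv4 blocks that cannot receive inbound connections from the Internet.
NON_ROUTABLE = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 carrier-grade NAT": ["100.64.0.0/10"],
    "loopback/link-local": ["127.0.0.0/8", "169.254.0.0/16"],
}

def classify(addr):
    """Return the name of the non-routable block addr falls in, else 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, blocks in NON_ROUTABLE.items():
        if any(ip in ipaddress.ip_network(b) for b in blocks):
            return label
    return "public"

def diagnose(router_wan, seen_from_internet, ddns_resolves_to):
    """Return a list of problems; an empty list means the addressing is fine.

    router_wan:         address shown on the router's WAN status page
    seen_from_internet: address an external "what is my IP" service reports
    ddns_resolves_to:   address the DDNS hostname resolves to
    """
    wan, seen, dns = (ipaddress.ip_address(a)
                      for a in (router_wan, seen_from_internet, ddns_resolves_to))
    findings = []
    kind = classify(router_wan)
    if kind != "public":
        findings.append(f"WAN address {wan} is {kind}: "
                        "port forwarding on this router cannot be reached")
    if wan != seen:
        findings.append(f"Internet sees {seen}, not {wan}: "
                        "an upstream NAT sits between router and Internet")
    if dns != wan:
        findings.append(f"DDNS resolves to {dns}, which is not the router's WAN address")
    return findings

if __name__ == "__main__":
    # Constructed sample values. 203.0.113.0/24 is a documentation range
    # standing in for a real public address.
    for problem in diagnose("100.72.14.9", "203.0.113.50", "203.0.113.50"):
        print(problem)
```

An empty result means the addressing is not the cause, so the forwarding rules and the NAS firewall are the next things to check.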
 
Sure, here we go:

a) accessing http://tomzik.synology.me:3000

1626425444538.png


after a while I get the error message below:

1626425495738.png


when expanding Details:

1626425573902.png



b) accessing https://tomzik.synology.me:3001

1626425668337.png


gives basically the same:

1626425698777.png


Accessing a) and b) from mobile phone doesn't bring any result or error, it just stops on a scale from 1 - 100% of progress at let's say 10% and doesn't move along. After a while there is a message:

This site can't be reached.
tomzik.synology.me took too long to respond.
Try:
Checking the connection
ERR_CONNECTION_TIMED_OUT

To me it seems there is a firewall blocking the device to access the link address. But I'm not sure.

The same error pops up when trying:
http://192.168.2.13:3000
https://192.168.2.13:3001
but much faster - I don't need to wait 2 mins or so to see the error message.

Does it help you further?
-- post merged: --

Thanks for the hint, so the bottom line is I should use QuickConnect going forward to access NAS.
Now, is this connection secured in a way that I can control it? I see that I can log in from my mobile without authorisation required. If I can, anybody else can do this too. Is my understanding correct?
 
Using QuickConnect and its relay service is a transport mechanism between the two endpoints, it doesn't remove any user authentication mechanisms that the NAS employs to ensure only authorised users get access to application services.

As well as the Help pages here there is also a whitepaper that explains how this all works.
 
Nice find m8.
This is a pity with host services being not possible from my router. o_O Furthermore, LTE technology seems to be well established here in the country - there is a new access point built nearby and I have a pretty good connection. Obviously, a cable connection would be ultra fast 🏍️ if comparing to mine 🚌 but it would have an advantage of host services being available, too.

Unfortunately, this is a theory - I live in a real world down here.. 🙃
 
Maybe it would be worth looking into if your provider has IPv6. In many cases when you are behind CGNAT, they do provide that and you can get a publicly routable IPv6 address on your NAS with DHCP-PD for example that DSM can use for its DDNS.
Also, even if there's a cable provider that you could switch to, there's a real possibility that they'd provide the same CGNAT and ipv6 so make sure to ask around about that.
 
