DSM is accessible via own domain address, but certificate causes problems within LAN


Hi there,

I managed to access my NAS and its various services from the WAN with a valid LE certificate. However, this certificate causes problems when my devices are within the same LAN as the NAS. E.g. on a Windows machine, I get warnings and alarms from my malware protection solution, or from the browser itself. Even more problematic: Synology's DS Note app (and others? Not sure) is unable to connect to the server and sync. However, deactivating the Wi-Fi and using my 4G data plan is OK. That's not convenient at all.

Some web sites suggest this is due to a DNS loopback issue. I could find some tutorials explaining how to set up a DNS server on the NAS itself, but the given examples are never based on the same problem I have and I didn't manage to make this work.

So my two questions are:
  1. Is the DNS loopback diagnosis right, or am I on the wrong track?
  2. Do you know any (beginner friendly) resource that could help me with this issue?
Thank you for your answer and have a nice evening!
 
Is the DNS loopback diagnosis right, or am I on the wrong track?
Yes, this sounds like a NAT loopback problem, getting to your local hosted FQDN destinations from inside your LAN. This is why it works outside your LAN.

What's your network setup like (router, ISP, etc)? Maybe you can configure the NAT loopback option on your router and that will not require the need to set up your local DNS to resolve your services while inside LAN.
 
Hello,
I suggest you install a Pi-hole on your network (or in your DSM Docker). That will allow you to add local DNS names with no headache (and no configuration of the DSM DNS server), then you will be able to access your FQDN from inside and your wildcard certificate will work just fine :)
 
What's your network setup like (router, ISP, etc)?
Router is Synology's MR2200, connected to my ISP with a media converter only (because optical fiber). No bridge or similar setup. All devices are connected to the MR either via switch, or Wi-Fi. I don't know what other information could help :)

The NAS is a 920+.

I had a look on Synology's User Manual but couldn't find the "loopback" keyword, so I guess it is not a built-in feature (if such thing exists).

I suggest you install a pi-hole on your network
That was my plan for the near future, but I wanted to fix "basic things" first, take a break of a few weeks from all that IT work at home, and open the project again later. But if you say it would be easier to do so first... Is it really? Would you have any good resource to recommend for a beginner like me?

The same for the wildcard certificate.

Thanks for the advice!
 
I understand what you wanted to achieve, but sometimes adding stuff makes the whole thing easier to use :)
So I believe on the 920+ you have the Docker package installed. So you have all the prerequisites to follow this very clear tutorial: How to Install Pi-Hole on Your Synology NAS
(haven't tested it but it looks clear and complete to me).

Just one thing: you should use only the DNS role of Pi-hole, not DHCP; leave that to your router.
Once Pi-hole is set up, go to your router config and set the Pi-hole IP address (should be your NAS local IP address) as the primary DNS server. Refresh your DHCP lease on one test device, then check if you can resolve DNS.
Then log on as admin, go to Local DNS/DNS Records and add mynas.mydomain.org -> 192.168.0.x, and try the FQDN from inside :)

For the certificate, I have one included in my domain name hosting, so I am using it locally too. I believe you could use Let's Encrypt (Let's Encrypt - Free SSL/TLS Certificates) but I never used it so I can't really help on that.
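The check behind the two questions in this thread (does the FQDN resolve to the NAS LAN address from inside, or to the public address that then depends on NAT loopback?), as an added example that is not from the thread or from Pi-hole; the hostname and addresses are constructed placeholders, and the "IP hostname" line format is what Pi-hole's Local DNS Records page writes:

```python
"""Diagnose, from inside the LAN, whether the NAS FQDN resolves to its LAN
address (split-horizon DNS, e.g. a Pi-hole local record) or to the public WAN
address (which then relies on the router's NAT loopback).  All hostnames and
addresses here are constructed placeholders, not the poster's real values."""
import ipaddress
import socket

NAS_LAN_IP = "192.168.0.10"      # assumed LAN address of the NAS
NAS_FQDN = "mynas.example.org"   # assumed FQDN covered by the LE certificate
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(ip):
    """True for RFC 1918 IPv4 addresses, i.e. answers only reachable inside the LAN."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)

def resolve_all(fqdn):
    """Every address the client's current resolver returns for fqdn (empty if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}
    except socket.gaierror:
        return set()

def diagnose(answers, nas_lan_ip):
    """'no-answer'; 'split-horizon' (NAS LAN address, no loopback needed);
    'nat-loopback' (public address only, traffic must hairpin via the router);
    'wrong-lan-address' (a LAN answer that is not the NAS); or 'mixed'."""
    if not answers:
        return "no-answer"
    lan = {a for a in answers if is_lan(a)}
    public = set(answers) - lan
    if public and not lan:
        return "nat-loopback"
    if lan and not public:
        return "split-horizon" if lan == {nas_lan_ip} else "wrong-lan-address"
    return "mixed"

def pihole_local_record(nas_lan_ip, fqdn):
    """One 'IP hostname' local record; rejects non-LAN IPs and malformed names."""
    if not is_lan(nas_lan_ip):
        raise ValueError(f"{nas_lan_ip} is not an RFC 1918 address")
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2 or not all(l and l.replace("-", "").isalnum() for l in labels):
        raise ValueError(f"{fqdn!r} is not a valid hostname")
    return f"{nas_lan_ip} {'.'.join(labels)}"

if __name__ == "__main__":
    print(NAS_FQDN, "->", diagnose(resolve_all(NAS_FQDN), NAS_LAN_IP))
```

Run it once on Wi-Fi and once on 4G: "nat-loopback" on Wi-Fi matches the symptoms described above, and "split-horizon" is what the Pi-hole record should produce.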
 
Router is Synology's MR2200, connected to my ISP with a media converter only (because optical fiber). No bridge or similar setup.
Syno routers do support NAT loopback out of the box, but if you have your ISP router in front of it you are looking at double NAT (if it's not bridged) and that will not work well with using your FQDN names in your LAN without what esquimo said.
 
I have no ISP router. The only router I have is my MR2200, as my ISP does support it.

OK, I'll have a look at the Pi-hole solution. It looks more reasonable; I planned to do it later anyway.
Thanks again for all your advice and answers!
 
The referenced guide uses Docker’s bridge network. All client requests will show up as if they are coming from the Docker gateway. I’m not sure what happens if you enable the DNS. That might fix it.

A better –a bit harder to configure though– way is to use Docker’s Macvlan driver when configuring Pi-hole.
 