External Access in Control Panel on DS918+

Okay guys, a newbie here as far as remote access is concerned... So far I've set up a DDNS entry in the External Access part of the control panel, let's call that hostname MYNAS.synology.me. I've also set up a CNAME record on my web domain, let's call that MYNAS.MYDOMAIN.COM.

If I try to access MYNAS.synology.me or MYNAS.MYDOMAIN.COM I get a site can't be reached error. So I've now looked at the Router part of the configuration and I get screens as follows:

[Screenshot: Router configuration wizard]


The router is an Orbi RBR50 mesh system. It's NOT running in bridge mode but is working properly, allocating IP addresses via DHCP etc. So no idea why the config is throwing up comments ref multiple routers. Anyway, it seems to be finding the router properly. However, once it has gone through the wizard it does not show any record for the router in the control panel and no forwarding rules have been set up in the Orbi's configuration.

And before anyone mentions UPnP being turned on I had to re-enable it in the router to get the following working:

- Plex server remote connection
- UPS Power monitor on the Mac Mini to connect to the UPS Power monitor server system on the DS918+

So what am I missing? My aim is to hit MYNAS.MYDOMAIN.COM and be able to get the NAS logon page up...
 
Any chance you have more than the Orbi giving out DHCP information (this may be info beyond allocating IP addresses, such as gateway, DNS, IPv6 etc)?
 
And before anyone mentions UPnP being turned on I had to re-enable it in the router to get the following working
Please, please do not use UPnP. Even more so because of this as of a few days ago - [FIX] PMS leveraged for amplified dDoS attack (SSDP)

So don't use this wizard. Open your router configuration and manually port forward any port that you need. In the Plex case that's only a single "manually configured" port (default 32400 or whatever you use).

The reason why you can't access your content is probably, again, a locked port. So what port number are you looking at here? Is your site hosted on your NAS using Web Station? If so, then 80 or 443 depending on the protocol of choice.

That CNAME that you have setup is pointing to your DDNS name? If so, then you only need to open one port on your router to get access (80/443).
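A quick way to check the chain described above (the name resolves, then the port actually answers), as an added example that is not from the original thread: it resolves a hostname and reports each probed TCP port as open, closed (a RST came back, so something answered but nothing is listening or forwarded there) or filtered (no reply inside the timeout, which is what a port scanner reports as "stealth"). The hostname and ports in the `__main__` block are the placeholders used in the thread, not real targets; the two local-socket helpers exist only so the logic can be exercised offline against 127.0.0.1.

```python
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortResult:
    host: str
    port: int
    addr: Optional[str]
    state: str  # "unresolved", "open", "closed" or "filtered"


def resolve_ipv4(host: str) -> Optional[str]:
    """Resolve a hostname to one IPv4 address (getaddrinfo follows CNAMEs,
    so MYNAS.MYDOMAIN.COM -> MYNAS.synology.me -> address is handled)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> PortResult:
    """TCP connect probe of one port; the three outcomes map to what the
    router did with the SYN: forwarded it, refused it, or silently dropped it."""
    addr = resolve_ipv4(host)
    if addr is None:
        return PortResult(host, port, None, "unresolved")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            state = "open"      # handshake completed: a forward (or the router) is listening
        except ConnectionRefusedError:
            state = "closed"    # RST received: host reachable, nothing accepting on this port
        except (TimeoutError, socket.timeout, OSError):
            state = "filtered"  # no answer / no route: dropped by a firewall ("stealth")
    return PortResult(host, port, addr, state)


def probe_all(host: str, ports: List[int], timeout: float = 3.0) -> List[PortResult]:
    return [probe_tcp(host, p, timeout) for p in ports]


def start_local_listener() -> Tuple[socket.socket, int]:
    """Offline test helper: a listening socket on 127.0.0.1 with an OS-chosen port.
    The kernel completes the handshake from the backlog, so no accept() is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_local_port() -> int:
    """Offline test helper: bind and release a port so a probe of it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Placeholder hostname and the ports discussed in the thread; substitute your own.
    for r in probe_all("MYNAS.MYDOMAIN.COM", [80, 443, 5001]):
        print(f"{r.host} ({r.addr}) port {r.port}: {r.state}")
```

Run it from outside your own LAN (or via a phone hotspot), because many consumer routers do not hairpin WAN-side connections from inside the network, and a "filtered" result from the inside proves nothing about what the internet sees.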
 
Yeah, I read about that DDoS issue, which is why I turned UPnP off over the weekend, but then developed the issues with Plex and the UPS Power monitor.

I've nothing web based hosted on the NAS. So I should:
  • Turn UPnP off again
  • For plex set port 32400 to forward to the NAS IP
  • The CNAME is pointing to the DDNS name, so set ports 80 & 443 to forward to the NAS IP.
  • For the UPS Power monitor (localhost:58879 on the Mac) again forward port 58879 to the NAS IP?
Do I have that right? That is:

[Screenshot: port forwarding rules on the router]


All pointing to the IP of the NAS.....

Plex seems happy, no errors from the UPS monitor, and connecting to MYNAS.synology.me or MYNAS.MYDOMAIN.COM now works, as I changed the port to 5001...
 
Please, please do not use UPnP. Even more so because of this as of a few days ago
@Rusty

Not challenging this, just need to understand it a little more.

With a reasonable firewall in place, is there a material difference between a port-forward by hand and one created by UPnP2? If I scan & probe my own IP, the only open port (i.e. non-stealth) hit I get is with whatever port Plex is on, which seems to be a pretty random port number on the WAN side. For the 'temporary' port used by PMS the probed port return is 'Open' and 'Unknown protocol for this port'.

If I look at the ports opened by upnp2 on my router it shows all the details I would expect of a TCP-only port forward:

Code:
admin@Router-4:~$ show upnp2 rules

Firewall pin holes
 pkts bytes target     prot opt in     out     source               destination
62666 4469K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.16            tcp dpt:32400

NAT port forwards
 pkts bytes target     prot opt in     out     source               destination
  162 10360 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12991 to:10.0.1.16:32400

 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  tcp  --  *      *       10.0.1.16            0.0.0.0/0            tcp spt:32400 masq ports: 12991

admin@Router-4:~$

Do I gain anything else with a manual port-forward, albeit without the more random external port number allocated, or is the concern that anything with a hint of automatic could defeat the firewall without the user's knowledge?
 
The problem with UPnP is the router is deciding what ports to open and does so automatically - while this is convenient for users that don't understand networking and want things to "just work" this is a glaring security risk. Port forwarding is as well, but you are in control of it and at least aware of what is open and what is not.
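The point the two posts above turn on is visibility: whoever opened the port, you should be able to say exactly what is exposed and to whom. The audit below is an added example, not code from the thread or from any router vendor. It parses output in the iptables-style layout of the `show upnp2 rules` listing posted above (a copy of that listing, blank lines collapsed, is embedded as constructed sample input), turns each DNAT row into a forward record and each ACCEPT row into a pinhole, then flags any forward that is not on a hand-maintained allow-list, and any DNAT that has no matching pinhole. The allow-list contents and the assumption that the router prints `-L -n -v` style rows are mine; adapt the regexes if your firmware formats the table differently.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample input: a copy of the "show upnp2 rules" listing posted in
# this thread with blank lines collapsed. Real output would come from the router shell.
SAMPLE_RULES = """\
Firewall pin holes
 pkts bytes target     prot opt in     out     source               destination
62666 4469K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.1.16            tcp dpt:32400
NAT port forwards
 pkts bytes target     prot opt in     out     source               destination
  162 10360 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12991 to:10.0.1.16:32400
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  tcp  --  *      *       10.0.1.16            0.0.0.0/0            tcp spt:32400 masq ports: 12991
"""


@dataclass(frozen=True)
class Forward:
    proto: str
    ext_port: int   # WAN-side port (UPnP chose 12991 in the sample)
    int_ip: str
    int_port: int
    source: str     # permitted source; 0.0.0.0/0 means the whole internet


@dataclass(frozen=True)
class Pinhole:
    proto: str
    dst_ip: str
    dst_port: int
    source: str


# iptables -L -n -v style rows: counters, target, proto, opt, in, out, src, dst, match text.
# The protocol is repeated in the match text before "dpt:", hence the back-reference.
_DNAT = re.compile(
    r"^\s*\d+\s+\S+\s+DNAT\s+(?P<proto>tcp|udp)\s+--\s+\S+\s+\S+\s+(?P<src>\S+)\s+\S+\s+"
    r"(?P=proto)\s+dpt:(?P<ext>\d+)\s+to:(?P<ip>[\d.]+):(?P<iport>\d+)"
)
_PINHOLE = re.compile(
    r"^\s*\d+\s+\S+\s+ACCEPT\s+(?P<proto>tcp|udp)\s+--\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P=proto)\s+dpt:(?P<dport>\d+)"
)

Allowed = Set[Tuple[str, str, int]]  # (proto, internal ip, internal port) you chose to expose


def parse_upnp_rules(text: str) -> Tuple[List[Forward], List[Pinhole]]:
    """Extract NAT forwards and firewall pinholes. MASQUERADE rows (return-path NAT) carry
    no exposure information of their own and are skipped."""
    forwards: List[Forward] = []
    pinholes: List[Pinhole] = []
    for line in text.splitlines():
        m = _DNAT.match(line)
        if m:
            forwards.append(Forward(m["proto"], int(m["ext"]), m["ip"], int(m["iport"]), m["src"]))
            continue
        m = _PINHOLE.match(line)
        if m:
            pinholes.append(Pinhole(m["proto"], m["dst"], int(m["dport"]), m["src"]))
    return forwards, pinholes


def unexpected_forwards(forwards: List[Forward], allowed: Allowed) -> List[Forward]:
    """Forwards the router has open that you did not put on the allow-list yourself."""
    return [f for f in forwards if (f.proto, f.int_ip, f.int_port) not in allowed]


def forwards_without_pinhole(forwards: List[Forward], pinholes: List[Pinhole]) -> List[Forward]:
    """DNAT entries with no matching ACCEPT: the address rewrite exists, but the
    firewall would still drop the traffic, so the listing is inconsistent."""
    holes = {(p.proto, p.dst_ip, p.dst_port) for p in pinholes}
    return [f for f in forwards if (f.proto, f.int_ip, f.int_port) not in holes]


if __name__ == "__main__":
    # Demo allow-list (assumption): only Plex on the NAS at 10.0.1.16 is meant to be reachable.
    allowed: Allowed = {("tcp", "10.0.1.16", 32400)}
    fw, ph = parse_upnp_rules(SAMPLE_RULES)
    for f in fw:
        print(f"{f.proto} from {f.source} -> WAN:{f.ext_port} -> {f.int_ip}:{f.int_port}")
    print("not on allow-list:", unexpected_forwards(fw, allowed))
    print("DNAT without pinhole:", forwards_without_pinhole(fw, ph))
```

Running this on a schedule and alerting on a non-empty `unexpected_forwards` result gives back the one thing a manual forward has over UPnP: nothing gets opened without you knowing about it.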
 
Do I gain anything else with a manual port-forward, albeit without the more random external port number allocated, or is the concern that anything with a hint of automatic could defeat the firewall without the user's knowledge?
Just a personal suggestion that’s it all. Keeping things locked down as much as possible would be my preferred choice. Less possible attack vectors in general and I don’t like apps/services/hw to open up ports on their own. But this is just me.
 
^ he said it better than I. Well done sir.
You said it as well, can't argue with that. Fact is that it is convenient, but once a 0-day exploit happens it's usually the "manufacturer's" fault in the eyes of users. Truth is it rarely is.

Looks like I failed to see the recent messages posted before I posted (on mobile). Wouldn't have posted it in that case, considering it's a double post with the same conclusion/facts.
 
It has added value, explaining it in a slightly different way. What really annoys me about at least Netgear as a router manufacturer is they turn UPnP on as a factory default and the average user doesn't know the risks.
 
@Coop777 & @Rusty - thanks guys. I do tend to keep an eye on what my router is up to and have the firewalls tweaked to my liking but I can see that screwing the nut down tighter on the ports makes total sense.

I don't expose my NASs to the internet at all, even with Plex. The PMS on the NAS is local only, with a different instance of PMS on a Mac mini providing external access and a NAS acting as the local bulk storage. It just gives an extra layer of control & visibility and hopefully a different barrier from a dissimilar manufacturer to complicate any attack.

I dodged the 2014 SynoLocker attack but it was a good reminder of the perils of not being paranoid.
 
