Firewall best practice

Poster's hardware: NAS 920+; Router RT6600ax; Operating system macOS, Windows; Mobile operating system Android, iOS
Hi,
I would like to start off a discussion about firewall best practices with the router. Here is my current configuration and what it does.

1. Allow VPN access from certain countries
2. Allow SRM access only from my origin country Germany
3. Allow NAS access from certain countries for Synology Photos
4. Deny access from all other countries
5. Port forward for Synology Photos

I think that limiting access from certain countries vastly improves security. As you can see from the hit counter in rule 4, there are tons of requests from countries that should not really access the router. What are your thoughts? Are there any additional rules that might be useful?

[attached image]
 
Not sure why you need Internet access to the SRM management GUI: does this actually work, as there is an SRM setting to block/allow WAN access? It’s usual to only allow LAN access to your router management; it’s your security perimeter and would reduce the risk. Since you have a NAS, my personal view is there’s no good reason to run file/media services on the router. Also, limit standard user access to the VPN Plus services. Why not use a VPN session if you need to access the SRM GUI?

It’s recommended that the DSM HTTP/S ports be changed from the well known defaults of 5000 and 5001, along with other best practices for securing the NAS. Which brings me to the firewall rules that match the port forwarding rules… do they actually get used? I ask because the rule before them is blocking everything, and the firewall rules are processed top to bottom and stop when a match is made.

SRM port forwarding has an option to automatically create matching firewall rules, but they create any/any/LAN IP/port/Allow rules. And it puts them at the end of the rulebase. You can manually create these firewall rules then place them where you like, and restrict the sources.
 
The SRM rule was generated when I enabled QuickConnect. I like the app on my phone to check on the router and I think that is required for that. You are correct, when I use VPN on my phone I would not need this rule. Changing the default ports 5000 and 5001 is a good point. I also disabled the port forwarding rules at the end.
I am hoping to isolate multiple devices on LAN -totally- with the firewall.
I’m doing this in multiple ways:
1. Using Static IP’s and only allowing certain IP’s to access internet, in router firewall.
2. Allowing ICMP From specific LAN IP to specific WAN IP, to allow my “ISP Traps” to function in router firewall from a Static IP outside of allowed internet access rule range.
3. ICMP IP range Allow follows in router firewall.
4. ICMP Block All follows in router firewall.
5. Configuring DHCP devices IP’s to have internet access, but be blocked by NAS firewall. (No guest WIFI)
6 To 12 & 4 Deny Rules in router firewall that are there just for the “Hits”. Intentional rules that confirm that rules above it work. These should never display anything but 0. As new rules are confirmed, these extra deny rules are retired.
10. All of which are before a DENY ALL Rule in both router and NAS firewall.
(Wish NAS firewall showed ‘hits’!)

I have NO Ports forwarded, or UPNP enabled, and have used DS FILE, DS CAM, DS FINDER, DS ROUTER, DRIVE… Worldwide.
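Two points in this thread are easy to check mechanically: the first reply's observation that firewall rules are matched top to bottom and stop at the first hit, so an allow rule placed after a catch-all deny never fires, and the second poster's habit of keeping deliberately shadowed deny rules above "deny all" purely to watch their hit counters stay at 0. The simulator below is an added example written for this thread, not Synology SRM code; the country-to-prefix table, IP addresses, rule names and port numbers are constructed, and the implicit default-deny fall-through is an assumption about how the policy ends.

```python
"""First-match firewall policy simulator (added example; not SRM code).

Models the two situations discussed in the thread:
  * an allow rule appended after a catch-all deny can never match (dead rule)
  * a 'canary' deny rule shadowed by an earlier allow should always show 0 hits
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed country-to-prefix table standing in for a real GeoIP database.
GEO = {"DE": ["203.0.113.0/24"], "US": ["198.51.100.0/24"]}


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str = "any"             # "any", a CIDR, or a country code from GEO
    proto: str = "any"           # "any", "tcp", "udp", "icmp"
    dport: Optional[int] = None  # None = any destination port
    hits: int = 0                # incremented each time this rule decides a packet


def _src_nets(src):
    if src == "any":
        return [ip_network("0.0.0.0/0")]
    return [ip_network(n) for n in GEO.get(src, [src])]


def rule_matches(rule, src_ip, proto, dport):
    ip = ip_address(src_ip)
    if not any(ip in n for n in _src_nets(rule.src)):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(policy, src_ip, proto, dport):
    """Walk the policy top to bottom; the first matching rule decides.
    No match falls through to an implicit deny (assumed default policy)."""
    for rule in policy:
        if rule_matches(rule, src_ip, proto, dport):
            rule.hits += 1
            return rule.action
    return "deny"


def covers(outer, inner):
    """True if every packet matched by `inner` would already match `outer`."""
    src_ok = all(any(i.subnet_of(o) for o in _src_nets(outer.src))
                 for i in _src_nets(inner.src))
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.dport is None or outer.dport == inner.dport
    return src_ok and proto_ok and port_ok


def shadowed(policy):
    """Names of rules that can never fire because an earlier rule covers them.
    A shadowed allow rule is a bug; a shadowed deny rule is a canary."""
    return [r.name for i, r in enumerate(policy)
            if any(covers(e, r) for e in policy[:i])]


def thread_policy():
    """Order from the opening post: the auto-generated port-forward allow rule
    sits after the catch-all deny, so it is dead."""
    return [
        Rule("vpn-de", "allow", src="DE", proto="udp", dport=1194),
        Rule("srm-gui", "allow", src="DE", proto="tcp", dport=8443),
        Rule("photos", "allow", src="DE", proto="tcp", dport=5001),
        Rule("deny-rest", "deny"),
        Rule("pf-photos", "allow", proto="tcp", dport=5001),  # any source, appended
    ]


def corrected_policy():
    """Port-forward rule created by hand, restricted to DE and placed above the
    catch-all deny, plus a canary deny rule whose hit count must stay at 0."""
    return [
        Rule("vpn-de", "allow", src="DE", proto="udp", dport=1194),
        Rule("vpn-us", "allow", src="US", proto="udp", dport=1194),
        Rule("srm-gui", "allow", src="DE", proto="tcp", dport=8443),
        Rule("pf-photos", "allow", src="DE", proto="tcp", dport=5001),
        Rule("canary-de-5001", "deny", src="DE", proto="tcp", dport=5001),
        Rule("deny-rest", "deny"),
    ]


# Constructed sample traffic: (source IP, protocol, destination port).
TRAFFIC = [
    ("203.0.113.10", "tcp", 5001),   # DE client opening Synology Photos
    ("198.51.100.7", "tcp", 5001),   # US host probing the same port
    ("198.51.100.7", "tcp", 8443),   # US host probing the SRM GUI port
    ("203.0.113.10", "udp", 1194),   # DE VPN client
]


def simulate(policy, packets):
    """Run packets through the policy; return (verdicts, per-rule hit counts)."""
    verdicts = [evaluate(policy, *p) for p in packets]
    return verdicts, {r.name: r.hits for r in policy}


if __name__ == "__main__":
    for label, pol in (("thread", thread_policy()), ("corrected", corrected_policy())):
        verdicts, hits = simulate(pol, TRAFFIC)
        print(label, verdicts, hits, "shadowed:", shadowed(pol))
```

Running it shows that `pf-photos` in the thread's ordering is reported as shadowed and never records a hit, while in the corrected ordering only the canary is shadowed, which is exactly what a canary rule is for: if its counter ever moves, a rule above it has been changed or removed.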
 
> The SRM rule was generated when I enabled QuickConnect. I like the app on my phone to check on the router and I think that is required for that. You are correct, when I use VPN on my phone I would not need this rule. Changing the default ports 5000 and 5001 is a good point. I also disabled the port forwarding rules at the end.
OK. I don't bother with QuickConnect for my router; there's nothing running on it that others need easy-to-remember access to, and I know what IP addresses it has on each internal LAN. The DS router app works perfectly fine on the LAN using the router's LAN IP as the destination. I also changed the SRM HTTP/S ports from the defaults. So in DS router use LAN_IP:SRM_Secure_Port as the router's address.

I do run VPN Plus but I limit this to non-admin users, so that it requires two user accounts to be able to gain admin access to the router: VPN with std user account; then access router with admin account. I also run LDAP Server on the NAS and then connect the router to it so that I don't have managed local users on the router: a selection of the LDAP accounts get VPN Plus access.

I do like having an explicit 'deny all else' rule at the end of the firewall policy. This is why I manually create and manage the firewall rules that correspond to port forwarding rules: I can limit which sources have access to my exposed services.
 