Firewall geoblocking doesn't work at all, totally stumped.

Hello all, I'm a long time lurker that recently made an account. I had never needed to before as this site, in conjunction with good Googling, always led me to the right answers. This time, I'm just totally stumped. I have set up my firewall as attached, and this seems to be exactly the same (only the countries are different) as others who have no problems.

I am based in the UK but often access my NAS at work. I work for a multinational corporation, and the traffic is routed through Czech, German and Swiss servers at random. I had to therefore allow UK, Czechia, Switzerland and Germany and deny all others.

The problem is that my NAS can still be accessed from ANY country. I first tried to use a VPN on my mobile phone to access it and realised something was very wrong. I checked with online geolocators that I was being routed through (for example) Thailand, USA, Brazil etc. and could always access my NAS. I then asked friends in many countries (Malta, Argentina, South Africa, Spain etc.) if they could access it and they all could. They were not using VPNs, just their standard residential access.

Is there something I'm missing with this setup? I'm going crazy!
Thanks in advance.
 

Attachments: 1.JPG
Hello. I don't have logs per se, they didn't try to actively log in, just visited the NAS and confirmed they could see the login page - which should not have been the case.
And no, I don't have any settings tied to any specific interfaces. I figured 'all' should cover them.
 
Yes. All interfaces should cover them.

Do you see IP addresses reflected correctly in the log center for your logins? For example when you use your mobile phone or if you log in from another country over VPN (if possible)?

Might not be related, but why do you have the first rule like that? Why not just your subnet?
 
I think you may have hit on something there, I just connected from France via VPN (on my mobile phone, using mobile data - not wifi) and in the log it states "User [myusername] from [192.168.1.1] signed in to [DSM] successfully via [password]"

Why 192.168.1.1? The only thing that comes to mind is NAT loopback, but my router (Netgear R7800) definitely supports it. I can see my NAS using the Synology DDNS address when on my home network and in the manufacturer specs it clearly states it is supported. Besides, I don't think NAT loopback is relevant.
 
To the firewall, all connections appear local, therefore they’re allowed.
It’s as if the connections are looped back internally.

How about fixing that first rule? I doubt it has anything to do with it, but it’s bugging me :)
-- post merged: --

Are you sure the forward on the router is correct? Forwarded to your NAS’ IP address?
 
Honestly, geoblocking is not a good tool, any hacker knows how to deal with it.
The databases behind geolocation do their best, you’d better not trust it.
A reversed system “allow what is ok” is much better.
 
To the firewall, all connections appear local, therefore they’re allowed.
It’s as if the connections are looped back internally.

How about fixing that first rule? I doubt it has anything to do with it, but it’s bugging me :)
-- post merged: --

Are you sure the forward on the router is correct? Forwarded to your NAS’ IP address?
I've attached my gateway config and corrected that first rule to the subnet, though it (predictably) hasn't made a difference.
-- post merged: --

Honestly, geoblocking is not a good tool, any hacker knows how to deal with it.
The databases behind geolocation do their best, you’d better not trust it.
A reversed system “allow what is ok” is much better.
I agree, and it's not the only method I'm using to protect my NAS. At this point, I just want to know why it's not working correctly.
 

Attachments

  • 2.JPG
    2.JPG
    62.8 KB · Views: 128
  • 3.JPG
    3.JPG
    61.6 KB · Views: 127
Upvote 0
From the NAS's SSH command line you can use utilities such as netstat and tcpdump to see the connections and the realtime traffic.

I wonder if the Netgear is NAT'ing both source and destination IP address, and if it is doing the source IP then it could be to its own 192.168.1.1.
 
Thank you both for looking into this, I'm happy to say that this is now resolved. It turned out I had masquerading active on my router firewall (using OpenWRT 21.02). Disabling it worked, and the geoblocking behaviour is now as expected. Thanks again.
 
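The two things this thread turned on were the diagnostic clue (a remote login logged by DSM as coming from the router's own LAN address, 192.168.1.1) and the root cause (masquerading enabled on the LAN zone of the OpenWRT firewall, so port-forwarded traffic reached the NAS with the router's address as its source). The script below is an added example, not code from the thread, Synology or OpenWRT: it scans constructed DSM log-center lines in the format quoted above for logins that carry the gateway address, and parses constructed `/etc/config/firewall` fragments (the broken form with `masq` on the `lan` zone beside the corrected form with it only on `wan`) to flag LAN-side zones that masquerade. The log line format, the zone names and the gateway address are assumptions taken from the thread; the UCI keys (`config zone`, `option name`, `option masq`) are standard OpenWRT firewall options.

```python
"""Added example: detect the symptom (remote logins appearing to come from the
router's LAN address) and the cause (masquerading on a LAN-side OpenWRT zone)
that defeated IP-based geoblocking on the NAS firewall in this thread."""
import ipaddress
import re

# Constructed sample lines in the shape of the DSM log-center entry quoted in
# the thread. 203.0.113.7 is a documentation address standing in for a real
# remote client; 192.168.1.1 is the assumed router LAN address.
SAMPLE_DSM_LOG = """\
User [alice] from [192.168.1.1] signed in to [DSM] successfully via [password]
User [alice] from [192.168.1.42] signed in to [DSM] successfully via [password]
User [alice] from [203.0.113.7] signed in to [DSM] successfully via [password]
User [bob] from [192.168.1.1] signed in to [DSM] successfully via [password]
"""

LOGIN_RE = re.compile(r"User \[(?P<user>[^\]]+)\] from \[(?P<ip>[^\]]+)\] signed in")


def gateway_masked_logins(log_text, gateway_ip="192.168.1.1"):
    """Return (user, ip) pairs whose logged source is the router's LAN address.

    A login from outside should carry the client's public IP. Seeing the
    gateway's own address instead means something in front of the NAS rewrote
    the source (SNAT / masquerade), so every source-IP rule on the NAS,
    geoblocking included, matches the "local subnet" allow rule instead.
    """
    gateway = ipaddress.ip_address(gateway_ip)
    return [
        (m["user"], m["ip"])
        for m in LOGIN_RE.finditer(log_text)
        if ipaddress.ip_address(m["ip"]) == gateway
    ]


# Constructed OpenWRT /etc/config/firewall fragments (assumed, not the poster's
# actual file). BROKEN masquerades traffic leaving into the lan zone, which is
# what turns a forwarded WAN connection into one "from 192.168.1.1".
BROKEN_FIREWALL = """\
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
"""

# Corrected form: masquerading only on the wan zone, so the NAS sees the real
# client address and its own firewall rules can act on it.
FIXED_FIREWALL = """\
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
"""


def masquerading_zones(uci_text):
    """Minimal UCI parser: return names of 'config zone' sections with masq=1."""
    zones = []
    current = None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            parts = line.split()
            current = {"type": parts[1], "name": None, "masq": False}
            zones.append(current)
        elif current is not None and line.startswith("option "):
            _, key, value = line.split(None, 2)
            value = value.strip("'\"")
            if key == "name":
                current["name"] = value
            elif key == "masq":
                current["masq"] = value == "1"
    return [z["name"] for z in zones if z["type"] == "zone" and z["masq"]]


def lan_masquerade_problem(uci_text, lan_zones=("lan",)):
    """LAN-side zones that masquerade: the misconfiguration found in the thread."""
    return [z for z in masquerading_zones(uci_text) if z in lan_zones]


if __name__ == "__main__":
    print("Logins masked by the gateway:", gateway_masked_logins(SAMPLE_DSM_LOG))
    print("Broken config, LAN zones masquerading:", lan_masquerade_problem(BROKEN_FIREWALL))
    print("Fixed config, LAN zones masquerading:", lan_masquerade_problem(FIXED_FIREWALL))
```

The log check is the quicker test: if remote logins show up with the router's address, no amount of tuning the NAS firewall rules will help, because the NAS never sees the real source. The config check then points at where to look on the router; on OpenWRT the `masq` option belongs on the `wan` zone only.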