Firewall rules for RT2600ac & DS1019+ & VPN

Currently reading
Firewall rules for RT2600ac & DS1019+ & VPN

144
32
jonohunt.design
NAS
DS1621+, DS1019+, DS218+
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
I asked this over on reddit but didn't really get the info I needed, so hoping the experts at this new forum will be able to help :)


I've recently setup a VPN on my RT2600ac router with SSL VPN and OpenVPN (not sure why I setup both, I guess I'm just playing around as I'm new to VPNs).

I want to setup firewall rules, ideally for both my RT2600ac and DS1019+ so that externally the only things to get through would be through the VPN, and be able to access things on my local LAN such as DSM, web UIs for Docker containers I'm running (Home Assistant, Sonarr, Resilio Sync etc.)

I've tried setting up rules and already locked myself out of my NAS once, so thought I'd try and get help from people who actually know about this 😊

Here's what I've created for the RT2600ac

27


My hope is to only allow traffic through the VPNs, and then only allow traffic from the dynamic IP range of the VPNs (maybe these aren't needed at all?)


And here's what I've created for the DS1019+

28


Trying to allow access to DSM and it's various apps, but only via the LAN (through the local IP range), and externally through the VPN.

I haven't actually enabled the 'DENY ALL' rules to stop everything else yet as I'm trying not to lock myself out (again).
Do these rules look as though they should achieve what I'm trying to do?
 

Telos

Subscriber
2,385
770
NAS
DS418play, DS213j, DS3622+, DSM 7.1.4-11091
Can't speak to the router but at the DSM level I would use the entire LAN range, or
192.168.0.0 /255.255.0.0

Also... while I can't see the allowed DSM ports, I would use "all".
 
144
32
jonohunt.design
NAS
DS1621+, DS1019+, DS218+
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
@jono you have done right by allowing 192.168.0.0/24 subnet but in addition to that allow the same rule with your vpn subnet. Then you should be able to access your lan resources as well while accessing with an active vpn client
So you mean add the 192.168.0.0-192.168.0.254 IP range to router's firewall as well as the firewall for the DS1019+. Is that correct?

And the top to bottom order of the rules look OK?
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

DSM 7 I know, that is the solution I actually ended up with. But it does not actually do what I wanted...
Replies
6
Views
838
Hello, I am trying to utilize the firewall on my ds918+ to limit access to ports on my synology to...
Replies
0
Views
1,635
OK. I have 1.json but the other is 1590505357.json, go figure :) Hence why I couldn't say how they got...
Replies
12
Views
2,364
Thanks very much everyone. Over the VPN, the session shows that the source is from 10.4.0.1, the VPN...
Replies
14
Views
2,961
  • Question
I completely missed the difference you meant when you said you’re using nginx reverse proxy. DSM uses...
Replies
14
Views
552
[Contented user of UPNP shuffles around in background looking for a chair...]
Replies
11
Views
712
  • Question
Thank you so much again. I'm basically failing my way to small successes. For now, there's nothing...
Replies
4
Views
818

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Top