Firewall rules for RT2600ac & DS1019+ & VPN

Currently reading
Firewall rules for RT2600ac & DS1019+ & VPN

111
23
jonohunt.design
NAS
DS1019+, DS218+, DS416play, unRAID
Router
RT2600ac, MR2200ac
Operating system
Linux, macOS, other
Mobile operating system
iOS
I asked this over on reddit but didn't really get the info I needed, so hoping the experts at this new forum will be able to help :)


I've recently setup a VPN on my RT2600ac router with SSL VPN and OpenVPN (not sure why I setup both, I guess I'm just playing around as I'm new to VPNs).

I want to setup firewall rules, ideally for both my RT2600ac and DS1019+ so that externally the only things to get through would be through the VPN, and be able to access things on my local LAN such as DSM, web UIs for Docker containers I'm running (Home Assistant, Sonarr, Resilio Sync etc.)

I've tried setting up rules and already locked myself out of my NAS once, so thought I'd try and get help from people who actually know about this 😊

Here's what I've created for the RT2600ac

27


My hope is to only allow traffic through the VPNs, and then only allow traffic from the dynamic IP range of the VPNs (maybe these aren't needed at all?)


And here's what I've created for the DS1019+

28


Trying to allow access to DSM and it's various apps, but only via the LAN (through the local IP range), and externally through the VPN.

I haven't actually enabled the 'DENY ALL' rules to stop everything else yet as I'm trying not to lock myself out (again).
Do these rules look as though they should achieve what I'm trying to do?
 
999
336
NAS
DS418play, DS213j, DSM 7.0.1-14401
Can't speak to the router but at the DSM level I would use the entire LAN range, or
192.168.0.0 /255.255.0.0

Also... while I can't see the allowed DSM ports, I would use "all".
 

Rusty

Moderator
NAS Support
2,264
677
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
@jono you have done right by allowing 192.168.0.0/24 subnet but in addition to that allow the same rule with your vpn subnet. Then you should be able to access your lan resources as well while accessing with an active vpn client
 
111
23
jonohunt.design
NAS
DS1019+, DS218+, DS416play, unRAID
Router
RT2600ac, MR2200ac
Operating system
Linux, macOS, other
Mobile operating system
iOS
Can't speak to the router but at the DSM level I would use the entire LAN range, or
192.168.0.0 /255.255.0.0

Also... while I can't see the allowed DSM ports, I would use "all".
Thanks, I'll do that!
 
111
23
jonohunt.design
NAS
DS1019+, DS218+, DS416play, unRAID
Router
RT2600ac, MR2200ac
Operating system
Linux, macOS, other
Mobile operating system
iOS
@jono you have done right by allowing 192.168.0.0/24 subnet but in addition to that allow the same rule with your vpn subnet. Then you should be able to access your lan resources as well while accessing with an active vpn client
So you mean add the 192.168.0.0-192.168.0.254 IP range to router's firewall as well as the firewall for the DS1019+. Is that correct?

And the top to bottom order of the rules look OK?
 

Rusty

Moderator
NAS Support
2,264
677
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
I meant if you will have trouble accessing your nas and it’s services, then add a vpn subnet in your nas firewall rules.
 
111
23
jonohunt.design
NAS
DS1019+, DS218+, DS416play, unRAID
Router
RT2600ac, MR2200ac
Operating system
Linux, macOS, other
Mobile operating system
iOS
@Rusty Ah, gotcha. I'll do that, thanks!
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Similar threads

Trending threads

Top