Firewall rules for RT2600ac & DS1019+ & VPN

jonohunt.design
NAS
DS1019+, DS218+, DS416play, unRAID
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
I asked this over on reddit but didn't really get the info I needed, so hoping the experts at this new forum will be able to help :)


I've recently set up a VPN on my RT2600ac router with SSL VPN and OpenVPN (not sure why I set up both, I guess I'm just playing around as I'm new to VPNs).

I want to set up firewall rules, ideally for both my RT2600ac and DS1019+, so that externally the only things to get through would be through the VPN, and be able to access things on my local LAN such as DSM, web UIs for Docker containers I'm running (Home Assistant, Sonarr, Resilio Sync etc.)

I've tried setting up rules and already locked myself out of my NAS once, so thought I'd try and get help from people who actually know about this 😊

Here's what I've created for the RT2600ac

[screenshot of the RT2600ac firewall rules; attachment not reproduced]


My hope is to only allow traffic through the VPNs, and then only allow traffic from the dynamic IP range of the VPNs (maybe these aren't needed at all?)


And here's what I've created for the DS1019+

[screenshot of the DS1019+ firewall rules; attachment not reproduced]


Trying to allow access to DSM and its various apps, but only via the LAN (through the local IP range), and externally through the VPN.

I haven't actually enabled the 'DENY ALL' rules to stop everything else yet as I'm trying not to lock myself out (again).
Do these rules look as though they should achieve what I'm trying to do?
 

Telos

NAS
DS418play, DS213j, DS3622+, DSM 7.1.4-11091
Can't speak to the router but at the DSM level I would use the entire LAN range, or
192.168.0.0 /255.255.0.0

Also... while I can't see the allowed DSM ports, I would use "all".
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
@jono you have done right by allowing 192.168.0.0/24 subnet but in addition to that allow the same rule with your vpn subnet. Then you should be able to access your lan resources as well while accessing with an active vpn client
 
jonohunt.design
> Can't speak to the router but at the DSM level I would use the entire LAN range, or
> 192.168.0.0 /255.255.0.0
>
> Also... while I can't see the allowed DSM ports, I would use "all".
Thanks, I'll do that!
 
jonohunt.design
> @jono you have done right by allowing 192.168.0.0/24 subnet but in addition to that allow the same rule with your vpn subnet. Then you should be able to access your lan resources as well while accessing with an active vpn client

So you mean add the 192.168.0.0-192.168.0.254 IP range to the router's firewall as well as the firewall for the DS1019+. Is that correct?

And does the top to bottom order of the rules look OK?
 

Rusty

I meant if you will have trouble accessing your nas and its services, then add a vpn subnet in your nas firewall rules.
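A first-match model of the NAS rule sets discussed in this thread, added here as an illustration and not taken from any of the posts above. The 192.168.0.0/24 LAN is from the thread; the VPN client pool 10.8.0.0/24, the three source addresses and the "no rule matched" default are constructed assumptions, so substitute the pool your router's VPN server actually assigns.

```python
from ipaddress import ip_address, ip_network

# Constructed values for this example: the thread names the 192.168.0.0/24 LAN but
# no VPN client pool, so 10.8.0.0/24 stands in for whatever the VPN server hands out.
LAN = ip_network("192.168.0.0/24")
VPN_POOL = ip_network("10.8.0.0/24")
ANY = ip_network("0.0.0.0/0")
DSM_PORTS = {5000, 5001}  # DSM HTTP/HTTPS ports (configurable in DSM)


def evaluate(rules, src, port, default="allow"):
    """First-match evaluation, top to bottom, like the DSM firewall rule list.
    A rule is (action, source network, set of allowed TCP ports or None for all).
    `default` models the 'if no rules are matched' setting (assumed allow here)."""
    src = ip_address(src)
    for action, net, ports in rules:
        if src in net and (ports is None or port in ports):
            return action
    return default


def check(rules, port=5001):
    """Decision for a LAN host, a connected VPN client (it arrives from its tunnel
    address, not a LAN address) and an Internet host, all constructed, on `port`."""
    return {src: evaluate(rules, src, port)
            for src in ("192.168.0.42", "10.8.0.6", "203.0.113.9")}


# The OP's NAS rule set: LAN allowed to the DSM ports, then the DENY ALL rule
# that has not been enabled yet. The VPN client falls through to the deny.
op_rules = [("allow", LAN, DSM_PORTS), ("deny", ANY, None)]

# Rusty's fix: the same allow rule repeated for the VPN client subnet, above the deny.
# Telos's suggestion ("all" ports) widens both allows so the Docker web UIs
# (e.g. Home Assistant on its default port 8123) are reachable as well.
fixed_rules = [("allow", LAN, None), ("allow", VPN_POOL, None), ("deny", ANY, None)]

# Same rules with DENY ALL dragged to the top: first match wins, so nobody gets in,
# which is the lock-out the OP is trying to avoid.
misordered_rules = [("deny", ANY, None), ("allow", LAN, None), ("allow", VPN_POOL, None)]
```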
 
jonohunt.design
@Rusty Ah, gotcha. I'll do that, thanks!
 
