Firewall rules for RT2600ac & DS1019+ & VPN

148
32
NAS
DS1621+, DS1019+, DS218+
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
I asked this over on reddit but didn't really get the info I needed, so hoping the experts at this new forum will be able to help :)


I've recently setup a VPN on my RT2600ac router with SSL VPN and OpenVPN (not sure why I setup both, I guess I'm just playing around as I'm new to VPNs).

I want to setup firewall rules, ideally for both my RT2600ac and DS1019+ so that externally the only things to get through would be through the VPN, and be able to access things on my local LAN such as DSM, web UIs for Docker containers I'm running (Home Assistant, Sonarr, Resilio Sync etc.)

I've tried setting up rules and already locked myself out of my NAS once, so thought I'd try and get help from people who actually know about this 😊

Here's what I've created for the RT2600ac

27


My hope is to only allow traffic through the VPNs, and then only allow traffic from the dynamic IP range of the VPNs (maybe these aren't needed at all?)


And here's what I've created for the DS1019+

28


Trying to allow access to DSM and it's various apps, but only via the LAN (through the local IP range), and externally through the VPN.

I haven't actually enabled the 'DENY ALL' rules to stop everything else yet as I'm trying not to lock myself out (again).
Do these rules look as though they should achieve what I'm trying to do?
 
Can't speak to the router but at the DSM level I would use the entire LAN range, or
192.168.0.0 /255.255.0.0

Also... while I can't see the allowed DSM ports, I would use "all".
 
@jono you have done right by allowing 192.168.0.0/24 subnet but in addition to that allow the same rule with your vpn subnet. Then you should be able to access your lan resources as well while accessing with an active vpn client
So you mean add the 192.168.0.0-192.168.0.254 IP range to router's firewall as well as the firewall for the DS1019+. Is that correct?

And the top to bottom order of the rules look OK?
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Hello! Yes I did indeed find the problem, there are some special firewall rules that you need to make for...
Replies
4
Views
1,922
If you create a rule: Source interface: LANs Source IP: 192.168.0.0/16 Destination interface: Any...
Replies
4
Views
399
Thank you, Birdy for the QC White paper!! Had a smattering of info on it.. Your link filled in the blanks.
Replies
8
Views
380

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top