Question Firewall rules for VPN Server and Client


NAS
DS213j, DS115j
Operating system
Windows
Mobile operating system
Android
Hi!
First time poster here.

Bit of background before my question:
I've got a 213j in my flat and a 115j at my parents house, they are both used to store backups of local PC's.
I've recently started looking into how I can make better use of both NAS's and wanted to use each NAS as an off-site copy of the other, so I set up a VPN where the 213j is the server and the 115j is a client.
The NAS's then sync with each other using the 'Shared Folder Sync' functionality in DSM.


My question is about the Synology firewall on both devices and what rules are needed.

On the 213j (the VPN server), I have the following rules:
Allow all ports, all protocols from 192.168.0.0/255.255.0.0 (LAN subnet)
Allow all ports, all protocols from 10.0.0.0/255.0.0.0 (VPN subnet)
Allow VPN port, UDP from my country
Deny everything else

On the 115j (a client of the above VPN server), I have the following rules:
Allow all ports, all protocols from 192.168.0.0/255.255.0.0 (LAN subnet)
Allow all ports, all protocols from 10.0.0.0/255.0.0.0 (VPN subnet)

However, when I go to add a 'deny everything else' rule, it throws a warning saying that the connection from my current computer was blocked and that the previous configuration has been used instead.
This occurs when I am accessing the 115j DSM from another PC that is also a VPN client of the 213j.
I can't figure out what is being blocked, when the only connection is (or should be) https from the VPN subnet.

Do I even need to bother configuring the firewall on the 115j that is a VPN client only?
If so, what rules do I need in addition to the 2 I already have on the 115j to prevent the warning that I'm seeing?

Of course, happy to answer any questions if more detail is needed.

Thanks!
 
NAS
DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
What I understood is that you’re satisfied with the 213j rules and access is working fine.

If the 115j is not accessible from WAN then it’s not necessary to enable the firewall. However, I’d still enable it in case the network is compromised so it’ll hopefully fend off the attack.

Is the “other pc, vpn client” on the local 192.168.0.0 subnet? Is your subnet a class B not a C (e.g. 192.168.1.0)?

The below will only allow local (LAN) access. Use all interfaces (this is on the 115j)

Allow all ports, all protocols from 192.168.0.0/255.255.0.0
Deny all
 
NAS
DS213j, DS115j
Operating system
Windows
Mobile operating system
Android
Thanks for the responses.

Are these rules for the LAN or for all interfaces?
I've only been using the 'all interfaces' list on both NAS's.

Correct, the rules on the 213j are working fine.
The 115j is not accessible from WAN, but as you've said I'd rather it was enabled just in case.

The local subnet for the 213j is 192.168.1.0/255.255.255.0, whereas the 115j local subnet is 192.168.0.0/255.255.255.0.
I'll update the rules accordingly, I added the class B subnet on the off chance that was causing a problem.

The PC that I am using to change the 115j firewall settings from is on the same local network as the 213j and accesses the 115j over the same VPN, which is why I have the 10.0.0.0/255.0.0.0 rule.

Thanks.
 
NAS
DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
> The PC that I am using to change the 115j firewall settings from is on the same local network as the 213j and accesses the 115j over the same VPN, which is why I have the 10.0.0.0/255.0.0.0 rule.
So the 10.0.0.0/8 is what you’ve used in the dynamic IP address configuration pool? Did you define a starting IP address?
BTW, are you using OpenVPN? Maybe we’re not on the same page here :)
 
NAS
DS213j, DS115j
Operating system
Windows
Mobile operating system
Android
I am using OpenVPN from the VPNServer package.
The IP range for the VPN is 10.4.0.0 - 10.4.0.255, where the server is 10.4.0.1

To correct the above, the rules are now as follows:
On the 213j (the VPN server), I have the following rules:
Allow all ports, all protocols from 192.168.1.0/255.255.255.0 (LAN subnet)
Allow all ports, all protocols from 10.4.0.0/255.255.255.0 (VPN subnet)
Allow VPN port, UDP from my country
Deny everything else

On the 115j (a client of the above VPN server), I have the following rules:
Allow all ports, all protocols from 192.168.0.0/255.255.255.0 (LAN subnet)
Allow all ports, all protocols from 10.4.0.0/255.255.255.0 (VPN subnet)

I'm connecting from a PC that is another VPN client (eg. 10.4.0.6) to the 115j on its VPN IP (eg. 10.4.0.10) to try and add the deny all rule.

Thanks.
 
NAS
DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
> The IP range for the VPN is 10.4.0.0 - 10.4.0.255, where the server is 10.4.0.1
Maybe it’s a typo, but I don’t believe you can use 10.4.0.0 - 10.4.0.255 as an assignment range. 10.4.0.1 - 10.4.0.254 (254 not 255) can be a range.

> I'm connecting from a PC that is another VPN client (eg. 10.4.0.6) to the 115j on its VPN IP (eg. 10.4.0.10) to try and add the deny all rule.
I see what you’re trying to do. Theoretically it should work (same subnet), however, the 115 is using a dynamically assigned IP address by the VPN service. So I’m not sure of DSM’s behavior when it comes to routing your connection internally (on the 115) in this case. You can try :)
 
NAS
DS213j, DS115j
Operating system
Windows
Mobile operating system
Android
> Maybe it’s a typo, but I don’t believe you can use 10.4.0.0 - 10.4.0.255 as an assignment range. 10.4.0.1 - 10.4.0.254 (254 not 255) can be a range.

> I see what you’re trying to do. Theoretically it should work (same subnet), however, the 115 is using a dynamically assigned IP address by the VPN service. So I’m not sure of DSM’s behavior when it comes to routing your connection internally (on the 115) in this case. You can try :)
I expect the range that you've suggested is correct, it's just what I'm seeing in the VPNServer GUI.

I agree, that theoretically it should work, but I still can't add the deny all rule.
Strangely, if I add an 'allow all from my country' rule before the deny all rule, it works.
I can't seem to narrow it down further though. Even if I only specify the ports that I'm expecting it to use (DSM, RSync & Win file shares) from my country only, I still can't add the deny all rule at the end.

I think I'm happy to leave it, it's now more of an issue of my curiosity than anything else.
I wonder if it's actually an issue with the 'lockout protection' that's preventing me from applying the rule. Maybe it is incorrectly assuming that I would be locked out by the rule and it needs to be applied locally, rather than over the VPN.

Any more ideas?
Thanks for following my poor explanation of the problem :)
 

fredbert

Moderator
NAS Support
Subscriber
Operating system
macOS
Mobile operating system
iOS
An aside from the specific discussion here but related to the firewall security policy...

It's true that RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for private networks and that these cannot be routed across the Internet. However, your ISP (wired or mobile) will be using these private IP subnets to ping-pong traffic between their actual Internet breakout and your 'Internet'-facing router with its Internet IP. An ISP will have a limited amount of public IPs and these will be reserved for subnets that actually need them: the interlinking infrastructure will be using private IP subnets.

OK, so what does that really mean? It means that having a firewall rule that permits source 10.0.0.0/8 will allow traffic from your ISP's internal network to access your stuff. The better approach is to define subnets from within these ranges for LAN/VPN use and then limit firewall rules to permit these reduced ranges.



When I set my ISP's router into bridge/modem mode I can still access it using a 192.168.x.y address. This is because a small private subnet is created on the WAN side of the router: the WAN interface has two IPs ... Internet IP and the admin subnet IP. If I configure the router's firewall to permit all traffic from 192.168.0.0/16 then the ISP could connect to their router and then gain LAN access. Unlikely? Yes; A risk? Yes.
 

fredbert

Moderator
NAS Support
Subscriber
Operating system
macOS
Mobile operating system
iOS
Back on topic...

On the DS115j can you check what connections are currently active on the NAS? You should be able to see the IP address that the NAS thinks your PC is using: Resource Monitor and Log Center.

From what you said then both your PC and DS115j are VPN clients of the DS213j's VPN Server and you'd be connecting using the 10.4.0.0/24 addresses. I've not looked at how VPN Server would change routing for LAN-side IP ranges.
 
NAS
DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
> I expect the range that you've suggested is correct, it's just what I'm seeing in the VPNServer GUI.
Ahh, I see what you mean now. Under Status. Yes I have that too. It’s ok. 0 for the subnet and 255 for subnet broadcast. That’s correct. Initially I thought you were referring to the dynamic IP address pool. Sorry.
BTW, I'm not saying it’s impossible for hosts to use 0 and 255 (possible in CIDR as you may know). Just for your setup (classful) the hosts on the subnet will be from .1 to .254.

> I think I'm happy to leave it, it's now more of an issue of my curiosity than anything else.
I’m curious too :)
Unfortunately, I’m stranded far away from my devices because of the pandemic, otherwise I might’ve tried it too. But can’t afford losing access now in case something goes wrong (and it will) :D

> Any more ideas?
If it’s possible for you to be “local” to try it and update us, we’ll sleep better (maybe).

> Thanks for following my poor explanation of the problem :)
You're welcome. It's clear and interesting :)
 
NAS
DS213j, DS115j
Operating system
Windows
Mobile operating system
Android
Thanks very much everyone.
Over the VPN, the session shows that the source is from 10.4.0.1, the VPN server address.

I've tried being 'local' and it allowed me to add the deny all rule.
I'm then still able to connect to DSM (and other functions) over the VPN having made that change.
Don't know what was blocking the change in the first place, but everything seems to be correct and working now.
 
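Two checks come up repeatedly in this thread and are worth running before touching a live rule list: "would this rule set lock out the session that is applying it?" (the DSM warning the original poster kept hitting) and "how many source addresses does each allow rule actually admit?" (fredbert's RFC 1918 point about 10.0.0.0/8 covering the ISP's own internal network). The following is an added example, written for this page and not code from Synology, DSM or any poster. It models DSM's ordered, first-match rule list and its "if no rules are matched" default as plain Python; DSM itself implements the list with iptables. Assumptions not taken from the thread: DSM's HTTPS port is 5001, the OpenVPN port is the default 1194, geo-IP matching ("from my country") is not modelled and is replaced by an any-source rule on the UDP port, and the addresses 10.200.45.7 (a stand-in for an ISP-internal host) and 203.0.113.9 (a TEST-NET-3 address standing in for the public Internet) are constructed.

```python
"""Ordered first-match firewall rule check, modelled on the DSM rule lists in
this thread.  Constructed illustration; not Synology code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    source: str = "any"                  # CIDR, "addr/netmask" as in the DSM UI, or "any"
    proto: str = "any"                   # "tcp", "udp" or "any"
    ports: FrozenSet[int] = frozenset()  # empty set = all ports

    def matches(self, src: str, proto: str, port: int) -> bool:
        if self.source != "any":
            # strict=False tolerates host bits, e.g. "10.4.0.1/24"
            if ip_address(src) not in ip_network(self.source, strict=False):
                return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.ports and port not in self.ports:
            return False
        return True


def first_match(rules: Sequence[Rule], src: str, proto: str, port: int) -> Optional[int]:
    """Index of the first rule that matches, or None.  Answers "what blocked me?"."""
    for i, rule in enumerate(rules):
        if rule.matches(src, proto, port):
            return i
    return None


def evaluate(rules: Sequence[Rule], src: str, proto: str, port: int, default: str = "allow") -> str:
    """First matching rule wins; `default` models DSM's 'if no rules are matched' setting."""
    i = first_match(rules, src, proto, port)
    return rules[i].action if i is not None else default


def would_lock_out(rules: Sequence[Rule], admin_src: str, dsm_port: int = 5001) -> bool:
    """Pre-check in the spirit of DSM's lockout protection: would the proposed rule
    set deny the HTTPS DSM session (port 5001 assumed) that is applying it?"""
    return evaluate(rules, admin_src, "tcp", dsm_port) == "deny"


def addresses_admitted(source: str) -> int:
    """How many source addresses a single allow rule accepts (the RFC 1918 point)."""
    return ip_network(source, strict=False).num_addresses


OPENVPN_PORT = 1194  # assumption: OpenVPN default; the thread never states the port

# Rule lists as finally posted in the thread, in the DSM UI's netmask notation.
DS213J_RULES = [
    Rule("allow", "192.168.1.0/255.255.255.0"),              # 213j LAN
    Rule("allow", "10.4.0.0/255.255.255.0"),                 # OpenVPN pool
    Rule("allow", "any", "udp", frozenset({OPENVPN_PORT})),  # stands in for "from my country"
    Rule("deny"),                                            # deny everything else
]
DS115J_RULES = [
    Rule("allow", "192.168.0.0/255.255.255.0"),              # 115j LAN
    Rule("allow", "10.4.0.0/255.255.255.0"),                 # OpenVPN pool
    Rule("deny"),
]
# The earlier, over-broad version of the 115j list (class B LAN, whole 10/8).
DS115J_BROAD = [
    Rule("allow", "192.168.0.0/255.255.0.0"),
    Rule("allow", "10.0.0.0/255.0.0.0"),
    Rule("deny"),
]

if __name__ == "__main__":
    # The admin PC's VPN address and the source the 115j actually logged (10.4.0.1).
    for src in ("10.4.0.6", "10.4.0.1", "192.168.1.20"):
        print(f"{src:14} locked out of 115j: {would_lock_out(DS115J_RULES, src)}")
    # Constructed ISP-internal host: admitted by 10/8, refused by the /24 pool.
    print("10.200.45.7 broad :", evaluate(DS115J_BROAD, "10.200.45.7", "tcp", 5001))
    print("10.200.45.7 narrow:", evaluate(DS115J_RULES, "10.200.45.7", "tcp", 5001))
    print(addresses_admitted("10.0.0.0/255.0.0.0"), "addresses vs",
          addresses_admitted("10.4.0.0/255.255.255.0"))
    # From the public Internet only the OpenVPN UDP port reaches the 213j.
    print("213j udp/1194:", evaluate(DS213J_RULES, "203.0.113.9", "udp", OPENVPN_PORT),
          " tcp/5001:", evaluate(DS213J_RULES, "203.0.113.9", "tcp", 5001))
```

Note what the lockout check does and does not tell you: with the final 115j list, both 10.4.0.6 and the 10.4.0.1 source the 115j logged are allowed, so this model would not have refused the deny-all rule; it only confirms that a session must arrive from an address a preceding allow rule covers. A 213j-LAN address such as 192.168.1.20 is denied on the 115j, which is exactly why the connection has to traverse the VPN and appear from the 10.4.0.0/24 pool. Swapping the deny rule to the front of a list makes `first_match` return 0 for everything, the usual ordering mistake.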
