Firewall rules per package

Hi.

On my DS218 with DSM 7, I have multiple packages and want to have different firewall rules for each of them, because some services will be available world-wide, some of them just from my country and some of them will be just internal.

Synology Drive should be available publicly with no restrictions. It has its own subdomain name drive.example.com and uses default port (publicly it is 443 + 6690 for the Drive app).

Surveillance Station uses its own subdomain cam.example.com with the default port (publicly 443) and should be accessible just from my local country. And here comes the tricky part - how to separate these two? They are different app packages on different subdomains via reverse proxy, but I did not find a way how to configure it via the built-in firewall. I can only choose external ports there, but both packages use the same external port (TCP/443).

I know I can limit source IPs/IP ranges in Access Control Profiles for reverse proxy apps, but I can't set GeoIP restrictions there - that is possible only via the built-in firewall. But the built-in firewall on the other hand does not support per package configuration if all packages use the same external port.

Am I missing something? Or how to configure it?
 
Separate IPs - you mean 2 different public IPs? Because the NAS has one internal IP and RT2600ac has a static public IP on WAN. And I do port forwarding on the router for 80, 443, 6690 to the NAS' internal IP. So the packages are available on the same public IP + public port, but different public domain name (like dsm.domain.com and drive.domain.com - though still pointing to the same public IP).

So I was hoping that I could either separate it via the internal ports, public domain names (the same way as for standard vhosts on Apache for example) or directly per package. But I did some tests and neither of them worked. And from your answer I have the feeling that there is really no solution for what I want to achieve...
 
...and some of them will be just internal.
This bit can be done. [I'm going to assume DSM 6]

For both Application specific access and Reverse Proxy rules you can assign an access control profile. The profile, like mine, limits which IPs/subnets are allowed/denied to access the service it is applied to.

[Screenshot: 1626442013710.png - access control profile]


For example, here's Download Station's setup page in Application Portal being assigned access from only LAN and VPN IPs.

[Screenshot: 1626442286102.png - Download Station in Application Portal]

You could do this for Internet sources but that would be a monumental effort and likely drive you potty.
 
DSM 7

I know, that is the solution I actually ended up with. But it does not actually do what I wanted. Because I need to allow access from multiple networks with dynamic IPs, including cell networks. That would be a management nightmare changing the IPs somehow dynamically in access control profiles. So I wanted to leverage the GeoIP restrictions and allow my country only, which would be fine for me (good enough). But GeoIP does not work with reverse proxy access control profiles.
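To make the distinction the thread keeps circling back to concrete, here is a small model of the two enforcement points, as an added example written for this page (it is not DSM code, not Synology's, and not posted by anyone in the thread). The layer-3/4 firewall only ever sees the source IP and destination port, so any rule it applies to TCP/443 lands on every reverse-proxied package at once; the reverse proxy sees the Host header (or TLS SNI) and can apply a per-vhost access rule, but that rule is a static address list with no country lookup. All hostnames, addresses, prefixes and the "GeoIP" table are constructed sample data (RFC 5737 documentation ranges), and the function names are mine.

```python
"""Model of firewall (port-based) vs reverse-proxy (host-based) access decisions.

Added illustration, not DSM's implementation. Every address, prefix and
country mapping below is constructed sample data.
"""
import ipaddress

# Constructed stand-in for a GeoIP database: prefix -> country code.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "CZ",   # sample home-country fixed line
    ipaddress.ip_network("192.0.2.0/24"): "CZ",     # sample home-country mobile carrier
    ipaddress.ip_network("198.51.100.0/24"): "US",  # sample foreign network
}


def lookup_country(src_ip):
    """Return the country code for an address, or None if unknown (e.g. RFC 1918)."""
    ip = ipaddress.ip_address(src_ip)
    for net, cc in GEOIP_TABLE.items():
        if ip in net:
            return cc
    return None


# --- Layer 3/4 firewall: only (source IP, destination port) is visible. ---
# Rules are (dst_port, allowed country codes or None for any, action); first
# matching rule wins, non-matching rules fall through, default is deny.
FIREWALL_WORLDWIDE_443 = [(6690, None, "allow"), (443, None, "allow")]
# What "restrict the cameras to my country" has to look like at this layer:
# the rule cannot name cam.example.com, so it restricts everything on 443.
FIREWALL_GEO_443 = [(6690, None, "allow"), (443, {"CZ"}, "allow")]


def firewall_decision(rules, src_ip, dst_port):
    for port, countries, action in rules:
        if port != dst_port:
            continue
        if countries is None or lookup_country(src_ip) in countries:
            return action
    return "deny"


# --- Reverse proxy: the Host header / TLS SNI is available, so policy is per vhost. ---
# Modelled on a DSM Access Control Profile: a list of allowed source networks per
# rule, or None for unrestricted. Only address ranges, no GeoIP.
PROXY_PROFILES = {
    "drive.example.com": None,                                     # public
    "cam.example.com": [ipaddress.ip_network("203.0.113.0/24")],   # fixed allowlist
    "dsm.example.com": [ipaddress.ip_network("192.168.1.0/24")],   # LAN only
}


def proxy_decision(src_ip, host):
    if host not in PROXY_PROFILES:
        return "deny"  # unknown vhost
    allowed = PROXY_PROFILES[host]
    if allowed is None:
        return "allow"
    ip = ipaddress.ip_address(src_ip)
    return "allow" if any(ip in net for net in allowed) else "deny"


def end_to_end(firewall_rules, src_ip, dst_port, host):
    """The packet meets the firewall first (hostname unknown there), then the proxy profile."""
    if firewall_decision(firewall_rules, src_ip, dst_port) != "allow":
        return "deny@firewall"
    return f"{proxy_decision(src_ip, host)}@proxy"


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", 443, "drive.example.com"),  # foreign Drive user
        ("198.51.100.7", 443, "cam.example.com"),    # foreign camera viewer
        ("192.0.2.9", 443, "cam.example.com"),       # home-country mobile user, IP not in allowlist
        ("203.0.113.5", 443, "cam.example.com"),     # home-country fixed line in allowlist
    ]
    for name, rules in (("worldwide-443", FIREWALL_WORLDWIDE_443), ("geo-443", FIREWALL_GEO_443)):
        for src, port, host in cases:
            print(f"{name:14} {src:14} {host:18} -> {end_to_end(rules, src, port, host)}")
```

Running it shows both halves of the dilemma described above: with the worldwide rule set, the home-country mobile user (192.0.2.9) is refused at the proxy because a static profile cannot express "any address in my country"; with the geo rule set on 443, the foreign Drive user is refused at the firewall, because the port-level rule cannot exempt drive.example.com.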
 
