Firewall Rules Question for NON VLAN Systems


When creating rules in the router firewall, you can create illegal rules.... The system will not tell you it's illegal... It just sits there, doing nothing....
(No hits on the rule over time is an indication of this, if you go out of your way to try and test this).... Love Hits!

My question is: regarding a current firewall rule on a system WITHOUT VLAN Implemented:

In the Source and Destination areas of a firewall rule.... If you don't have VLAN implemented, I BELIEVE that ALL and INTERNET work as two separate filters, but I'm thinking that LAN as a source or destination in a rule does not work.... I believe it is illegal for a non-VLAN system...
Am I correct? Are any other non-VLAN firewall rules/filters inoperative?

PS: LAN to LAN rules are also illegal...

Thank You...
 
Also: Since VLAN was made available, there has been a rule: IPv4 compatibility. Here it is..
[Image: VLAN ENTRY.webp]
Allow, placed in the firewall by Synology...
For kicks, I changed it to DENY.... No effect on accessing anything....

I do not have VLAN enabled...
So, what is it for?
Thank you
 
If you don't need that rule and want to tidy up then you can disable it, or even delete it. It was created to avoid the Synology support deluge of 'I can't get the private LANs to access each other'. Because the router will be mediating the connectivity of these private LANs (VLANs), and without a firewall rule it would not do what many home users want... easily.

The guest network is a VLAN (ID 1733). So you may have one, as well as the ID 0/untagged primary LAN.
 
Thank you for the reply! Will disable (and moved to the bottom of the list, below DENY ALL, as opposed to deleting, so that if VLAN is ever enabled here, I will have a reference to it). (Added DENY ALL so I could see all the Hits, even though it's set to do that below in the "If IPv4 matches no rules"......)
No guest WiFi here, as the NAS's firewall negates the DHCP range, among other IPs. I infrequently have guests, and those that do (daughters) have static IPs in a range that has full access for their work computers, already configured......

Does that also cover my first question about LAN Source & Destination being illegal operations? (But ALL & INTERNET ARE OK?)
Thanks for the education!!!
 
Illegal is a bit of an overstatement. There's a LAN (the primary network) which matches the LAN (all LANs) selection. Though it's improbable that a rule using All LANs as both source and destination interfaces would be useful, since the routing within the one and only LAN is direct and avoids the router/firewall.

You can change source and destination interfaces from All to the right Internet or LAN. I found out a while ago that VPN Plus clients appear on the router as part of the Internet interface, so to allow them to access the Internet needed a rule:
  • Source:
    • Internet
    • VPN service IP subnets
  • Destination
    • Internet
    • All IP (etc.)
 
Hard to follow that:
As an end user, experimenting with firewall rules…
Anything that doesn't work, compared to the firewall rules that are published… yeah, I have them.
Rules that don't work, but are entered without a complaint or external comment, must then be "illegal"???
If I have all (that I can find) info on firewall rules, and what I make is accepted, without complaint or warning….
What am I to expect??? !!
 
I'm not quite following what you're saying. Instead of illegal I would say misconfigured.

Prior to SRM 1.3 the firewall didn't have interfaces within the rules; this came with SRM 1.3 and the additional private LANs. The LAN interface option in the rule creation/edit view should apply to any private network, or the selected: primary LAN; guest network; the other three extra private LANs. So when you define a source IP address range of all of 192.168.0.0/16 you could be opening up the firewall to allow ISP-located devices more access than you expected if you used All interfaces, instead of expecting a LAN outbound rule (when your LAN is only one small segment of the 192.168.0.0/16 range). By using source LAN for rules with RFC 1918 reserved source IP addresses you can be certain that the firewall will only allow these connections from your private networks.

But for firewall rules: it seems you want more validation checks so that when you create rules that don't make sense* then it will alert you? Such as when you only have one LAN and you write a rule with LAN as source and destination interface. One of the recurring activities with firewalls is to review the policy and determine if it is achieving what is required 'now'. Just be alert and review your rules.

*to you. Because logically it meets the criteria of 'is an interface' and 'is an IP address/range/subnet'. When taken in combination it doesn't tally yet, but might if/when you add another private LAN.
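To make the interface point above concrete, here is an added example (not from this thread, Synology, or SRM) that models first-match rule evaluation with a source/destination interface selector plus an IP filter. The interface names, rule fields, and packets are all constructed; it shows that an RFC 1918 source range paired with "All" interfaces also matches a packet arriving on the Internet interface, while the same range with source "LAN" does not, and why a LAN-to-LAN rule on a single LAN never records a hit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    src_if: str   # hypothetical selector: "All", "LAN" or "Internet"
    src_net: str  # CIDR; "0.0.0.0/0" stands for "All IP"
    dst_if: str
    dst_net: str
    action: str   # "allow" or "deny"
    hits: int = 0

@dataclass
class Packet:
    src_if: str   # interface the packet arrived on
    src: str
    dst_if: str   # interface it would leave through (given, not routed, in this model)
    dst: str

def if_matches(selector: str, iface: str) -> bool:
    return selector == "All" or selector == iface

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (if_matches(rule.src_if, pkt.src_if) and if_matches(rule.dst_if, pkt.dst_if)
            and ip_address(pkt.src) in ip_network(rule.src_net)
            and ip_address(pkt.dst) in ip_network(rule.dst_net))

def evaluate(rules: list, pkt: Packet, default: str = "deny") -> str:
    """Ordered first-match evaluation; increments the hit counter of the matching rule."""
    # Two hosts on the same LAN segment talk directly; the packet never crosses the
    # router, so no firewall rule can ever see it (zero hits, whatever the rule says).
    if pkt.src_if == "LAN" and pkt.dst_if == "LAN":
        return "not-routed"
    for r in rules:
        if rule_matches(r, pkt):
            r.hits += 1
            return r.action
    return default

def demo() -> dict:
    loose = Rule("rfc1918-any-if", "All", "192.168.0.0/16", "All", "0.0.0.0/0", "allow")
    strict = Rule("rfc1918-lan-if", "LAN", "192.168.0.0/16", "All", "0.0.0.0/0", "allow")
    lan_to_lan = Rule("lan-to-lan", "LAN", "0.0.0.0/0", "LAN", "0.0.0.0/0", "allow")
    # Constructed traffic: an ISP-side host using a private address, LAN to Internet, intra-LAN.
    wan_private = Packet("Internet", "192.168.77.5", "LAN", "192.168.1.10")
    lan_out = Packet("LAN", "192.168.1.20", "Internet", "1.1.1.1")
    intra_lan = Packet("LAN", "192.168.1.20", "LAN", "192.168.1.10")
    return {"loose": evaluate([loose], wan_private), "strict": evaluate([strict], wan_private),
            "lan_out": evaluate([strict], lan_out), "intra": evaluate([lan_to_lan], intra_lan),
            "lan_to_lan_hits": lan_to_lan.hits}
```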
 
A new user is more apt to think that if no redirects or comments are returned when a firewall rule is posted, and nothing responds that it is misconfigured...
Then the user would seem to think that the just-added rule is 'legal'. If it's not, then it's illegal.
Tell me if I'm not correct: the current firewall rules as published seem to cover VLAN operation only. As I've found a few things that can be entered and do not work if one does not have VLAN configured.
That is why I specifically indicated non-VLAN.
Seeing I'm not going VLAN, I want to improve what I have with the firewall.

Being able to create rules that do not work — or don’t prompt as illegal or misconfigured for the current router configuration, and are not clearly covered in documentation either… slows down the learning curve for all users.
 
Back in the day I had to complete vendor training and certification for our firewalls. Always were things to know that were not very obvious. Like when ‘all’ services didn’t mean all of them. Some needed to be explicitly declared in order for additional payload processing to happen.
 