Firewall smb setting

Currently reading
Firewall smb setting

OK, I unchecked that. Not sure why it was there unless my hand jerked while putting something else in. It's been a long day!
Delete it, it’s not needed. If that is for local within your network connections then it’s covered by rule 1.

Next rule 2 you have management, file station and whatever else is in there opened for all (any) ip’s. This means all local ips (duplicate of rule 1) and any public ip worldwide. As an example a connection from Russia is allowed with rule 2. Rule 2 should be for external connections, therefore only allow the countries that are needed. Once this is completed delete rule 3 (any/any/USA) as this is now not only more wide open than rule 2 but it is a duplicate as well.

Your rule 3 (any/any/us) is opened to all ips everywhere and you haven’t limited packages. So things like ssh, ftp, etc are allowed in because any means all packages all ports.

Update and send another screenshot. You’re practically all set and done. 97% there
So you just want the first one and then the Deny. That is scary as everything I've read says the management UI should be the first thing, otherwise you get locked out and have to reset the nas!
So you just want the first one and then the Deny. That is scary as everything I've read says the management UI should be the first thing, otherwise you get locked out and have to reset the nas!
Rule 1 - The first one already has management ui for your local network.

Rule 2 - The second one will only be for things you need access to outside of your local network. If you need management ui outside of your network allow management, source ip for only the countries you’ll be in accessing your nas from outside your network.

Rule 3 - deny all
I got in!


  • fw.JPG
    48.5 KB · Views: 21
Ok so as you have it now only devices in your local home network can access the nas with no restrictions. You’re allowing everything for your local subnet, which is good. with rule 1 you allow management, smb, ws discovery, etc. it’s everything because it’s a trusted network.

Now do you need to access your nas from outside of your network (when you’re away from home)? If so what do you need access to? And where do you need access from? Create another rule and position it as number 2. This rule should have a source ip of where you’re going to be accessing it from, such as your home country.
Ok, I had a bunch of users from outside using synology photos from their phones and they connect via OpenVPN. Before I started this, I moved them to a friend's nas, just in case. I also use the photos app on my phone!
Last edited:
Ok so in order to allow the OpenVPN connection to get to your nas, add a rule 2 allow OpenVPN and select the country they are coming from. Additionally if there’s anything else that connects into your nas from outside the home, add that package or port to rule 2. Rule 2 is going to be for the external connections outside of your local connections (local - which is covered in rule 1). Prior to adding this rule you can test with your cell phone turn off wifi and go on cell network try to connect to your nas, you won’t be able to that is why you need rule 2 for the external connections (when your not home or on wifi).

Then we’ll move on to allowing the vpn user to access the data/services on the NAS,
Ok, Synology photos and mailplus or photos client are not connecting via cell. I tried adding mail plus to the firewall, but no luck. I don't see one for photos!
no I don't
Ok with rule 2 add management ui which is ports 5000/5001 for now. Not only do these ports do dsm management but it also allows for some packages that utilize the 5000/5001 ports such as photos, mail plus, vide audio station etc. Test your services again on cell network such as photos, and you should be able to connect now.
Ah ha, II should have tried that before. No, disabling firewall made no difference. although before with my ratty firewall I could connect with cellular but not always

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Old thread notice: There have been no replies in this thread for quite some time. The last reply was on .
The content in this thread may no longer be relevant. It might be better to open a new thread instead.

Similar threads

  • Question
I had the exact same problem. In my case, I found 2 rules for dsassistant in the firewall inbound rules...
Are you absolutely certain your cables are good for GB. I went so far as only use CAT6.
  • Question
Excellent tip! I had the same issue, I stumbled into this forum as I was looking for a solution and it...
Many vulnerabilities are due to malformed packets that don't conform fully to the specification: the...
  • Solved
I guess I'd say it depends. My biggest "I'm not doing that" is people who rely on services like gmail or...

Welcome to! is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads