RT2600ac Further info on 1.3.1-14 release notes and new firewall rule

[Jan Janowski]

With time server fixed(MyBad!)…..
I am finding no issues with -14, but have not installed it but on one 2600 at Supports request, but I (and Support during time server debacle) didn’t have further info on network fix.
I also noticed -14 adds a new firewall rule, but it isn’t covered in release notes in specifics.

So, Nosy guy that I am….. I contacted Support again: asking for more documentation on the “Network” fix -14 has, and a further explanation on the new Firewall rule that -14 Loads to the top of the list. I Have yet to see it get a ‘hit’ on this newly rule… No matter what I do... So what’s it for???

I post this here in case others have more info.

 

[Jan Janowski]

Received this in depth update:

Based on the information you’ve shared, I understand that you have noticed a new firewall rule added to your RT2600ac after installing the SRM -14 update, and you would like a detailed explanation regarding its purpose, behavior, and potential use in your firewall configuration.

The new rule introduced in SRM -14 is a system-level compatibility rule that ensures stable communication between updated internal SRM services. Its purpose is to facilitate background communication for essential router operations such as configuration synchronization, update management, and internal service discovery.

Here are a few key points to clarify its behavior:

• Function: The rule primarily governs internal SRM traffic and not external LAN/WAN connections. It acts as a safeguard to maintain consistent service communication following SRM updates.
• “No Hits” Observation: This is expected. Since the rule manages only internal communication handled by the SRM system, it rarely logs visible traffic events under normal circumstances.
• Rule Placement: The compatibility rule is processed after all user-defined rules and does not override or modify your existing firewall configurations.
• Customization: It is not intended for user modification or removal, as doing so could interfere with core SRM operations. However, your current “canary” rules for anomaly detection will continue to operate as designed and are not impacted by this change.

You can safely continue to use your custom firewall configuration without concern. The new rule is a background enhancement to maintain SRM network stability after the update.

 

[fredbert]

I don’t see any new firewall rule: was this as a direct result of Synology IT or of the SRM 1.3.1-14 update? What exactly is the policy defined by the rule? Including the name that Synology used.

I’ve noticed that the VPN servers running on the router, in VPN Plus, use subnets that the firewall classifies under ‘Internet’ interfaces. Wonder if there are others that fell outside the ‘LAN’ banner, that really are on the internal (non-WAN) side of protection???

Some years ago my ISP notified me to say that mDNS was bleeding from the router (or the port was open), can’t recall the exact issue. So I placed firewall rules for it. The deny mDNS from LANs to Internet resulted in my HP printer falling off the .local network after a couple of hours when it went to sleep. So that could be an issue of broadcast packets not being handled correctly. When I used a dedicated travel wireless router for the printer to access the network, the problem stopped. When I disabled the firewall rule the printer started working properly (without the travel router). Had to be something to do with the handling of broadcast packets before they came onto the LAN, off the wireless connection.

 

[Jan Janowski]

This rule was added to Firewall list during the 1.3.1-14 update... NOTHING was added during IT Visit... Added it to firewall at top of the list, during -14 update install...Was a separate pop up.... during the update... This is as it was installed...
I'll find and post it... Did this help?

 

[fredbert]

I wonder if this is a rule added if QC is enabled? Because I don’t allow Internet access to the SRM web portal, and I don’t use QC. I’m not sure how this rule can be limited to ‘internal SRM traffic’, other than by being placed at the end of the firewall ruleset (assuming people don’t do what I do and have deny rules there, and manually manage port forwarding firewall rules above these).

 

[Jan Janowski]

I don’t know-Didn’t ask those type of questions. Once release comes out (Support DID Instruct me to wait for full release for subsequent 2600’s). I’ll PM a screenshot of my current firewall. It has different allow snd deny ‘groups’ in it. Later tonight

 

[fredbert]

Got the screenshot. Certainly shorter than my set of rules

I can only think that Synology could have put this system ‘don’t touch’ rule behind the user interface. I’m sure there are others they do this to

 

[Jan Janowski]

I see no difference on the -14 rule being at the top, nor 1 - up from bottom..bottom is deny all to see hits of Friewsll rules.

 

[strsljen]

Hi,

I read discussion and am still evaluating when to schedule SRM update. Nothing urgent, I guess, but that FW rule you are mentioning is not something to be concerned about after all?

@Jan Janowski happy birthday, man!

 

[Jan Janowski]

Some people report they received it. Like me, others not - as part of the -14 update….

Look earlier in this post for the rule-14 installed!

I’m out at eye dr. (1 week after last cataract surgery!!). Support says it belongs at the bottom of the list, or before the DENY ALL Rule, if you have one, and ‘may Not’: gather ‘Hits’… Support did not elaborate on that either.
That’s all I know… if you find out more, please post!

When it rolls out, I will install it on my other 2x 2600’s.. I have seen no issues, but awaiting roll out release.

 

[strsljen]

Did anyone report that it actually broke something, other than just making people annoyed?

 

[Jan Janowski]

Well make sure you don’t have a time server issue before update. (He said - based on experience!)

Now during the Time server fix, support did suggest I wait for the release for my other 2x 2600’s.. Didn’t say why-just wait for release.

One 2600 with -13 did not see update this AM. ??