Hyper Backup task remote connection issue due to DSM 7.2 *RESOLVED*

Currently reading
Hyper Backup task remote connection issue due to DSM 7.2 *RESOLVED*

I have opened the ticket but I will be using my direct connection with Syno on Monday to see if this was a bug or the intended way forward. Let’s hope not.
I’m sure you’re already on it, but please push them hard on this and drive home the benefits of this ability.
 
Here is the reply that I got from Syno on this matter not moments ago.

Code:
Dear Luka,
 
thanks for contacting Synology Technical Support.

We assume that you want to create a remote backup between 2 NAS devices at different locations.

To ensure the security of the NAS, since DSM 7.2 with Hyper Backup 4.0, the target NAS must open the DSM HTTPS port when creating the job. This is usually port 5001 if it has not been changed.

Please make sure that the DSM HTTPS port is open on NAS destination side and try to create the backup task again.

You can disable the DSM port again after the task has been created.

Additionally, I will forward your message as a feature request to our developers.

At the moment I can't tell you, if this function will be changed (again) in a future release, but we are always happy to receive new suggestions.

For more news, you can subscribe to our e-news. You can subscribe to it for free in your Synology account.

https://account.synology.com/

 
If you have any further questions or concerns, please let me know.
 
Best regards,
 
Sebastian Wagner
Senior Technical Support Engineer

The fact that you can disable the port after the task is set up is I guess a better option then to have to have it open all the time, but I still have to confirm if this is the case or not. Have a setup lined up for testing so will give it a go.
 
Last edited:
The fact that you can disable the port after the task is set up is I guess a better option then to have to have it open all the time, but I still have to confirm if this is the case or not. Have a setup lined up for testing so will give it a go.

This is true and what I was told to do too, however that is only good if you have remote access to the remote routers to open the port forward.

Since we don’t allow that on many of our setups, this will require a physical drive to the location, in which in a few cases is at most 10+ hours away.

I get if they wanted to tighten security, all good, but to do it over the dsm ports especially if default (5000/5001) is worse imho for security.

It would work after you close the port back down. My existing hyper backup task had been working for a few days since the updates with no issues. This was a task that was set up three years ago so it has been there for a while.
 
I get if they wanted to tighten security, all good, but to do it over the dsm ports especially if default (5000/5001) is worse imho for security.
All good from a security idea, but why is opening each NAS with HB destination more secure than to push it via a 3rd party reverse proxy on a custom (single) port? Makes no sense.

I hear you, and I do hope they will allow the previous use case as well in the future version. This opening port to configure it and then close it down is... I don't know. I have mixed feelings about it. Ok, you open the port for authentication and close it down in a matter of 1 min, fine. But the existing method worked more than fine.

Guess we are at their mercy on this one.

Just tested this with several tasks and it does work. It’s just an extra step opening and closing the port to maintain security.
 
Just an update on this topic. The same "new" principle applies to ABB remote tasks. You need to have the DSM https port opened. RP port will not follow. After the task has been configured the default 5510 (or any other that you have defined) port will take the role of the actual backup and the DSM port can be closed.
 
Just an update on this topic. The same "new" principle applies to ABB remote tasks. You need to have the DSM https port opened. RP port will not follow. After the task has been configured the default 5510 (or any other that you have defined) port will take the role of the actual backup and the DSM port can be closed.

Thank you for checking with ABB too.
 
All good from a security idea, but why is opening each NAS with HB destination more secure than to push it via a 3rd party reverse proxy on a custom (single) port? Makes no sense.

I hear you, and I do hope they will allow the previous use case as well in the future version. This opening port to configure it and then close it down is... I don't know. I have mixed feelings about it. Ok, you open the port for authentication and close it down in a matter of 1 min, fine. But the existing method worked more than fine.

Guess we are at their mercy on this one.

Just tested this with several tasks and it does work. It’s just an extra step opening and closing the port to maintain security.
Hi Rusty,

I have been struggling with this issue for a while now, and I'm still unable to get past the initial error illustrated by Gerrad:

1692144085044.png

Following this thread, I have opened the default DSM ports (5000/5001) and the alternate DSM ports (5XXX/5XXX), as no one should use the default ports upon secure initialisation. I opened the ports on the router and allowed access via the Synology Firewall, but I'm still unable to access the HyperBackup task. Is there a step I'm missing?

Technical Details:

Local: DS918+ with DSM 7.2 (update 1) / HyperBackup (ver 4.1.0-3716)
Remote: DS415play with DSM 7.1.1 (update 5) / HyperBackup Vault (ver 3.0.2-2531)
 
Is there a step I'm missing?
Hi there. Well this error still points to an unsuccessful handshake. This is mainly (probably) an issue with the firewall/port forward. Username error has a different window/error so my money is still on the traffic/ports.
 
Hi all. I may be a bit dim as I am a new Synology user but how do I open the default port 5001 on the destination NAS. Is this on the router or on the NAS?

Thanks in advance, Sad Nation
 
Never mind I have worked it out. You do it on the NAS itself by going to External Access, Router Configuration. Select Create and the Built-in Applications on the Port Forwarding menu, tick 5000 and 5001 on the check list then save. Everything should now work although you need to go back in and untick them once you have set up your backups and tested them.
 
Never mind I have worked it out. You do it on the NAS itself by going to External Access, Router Configuration. Select Create and the Built-in Applications on the Port Forwarding menu, tick 5000 and 5001 on the check list then save. Everything should now work although you need to go back in and untick them once you have set up your backups and tested them.
Yes this is one way of doing it, however it should be discouraged. This method uses UPNP which will auto open ports on your router. It is best to do these tasks manually rather than having a device open ports. This is considered more secure, and UPNP should be disabled.

For your originally question, you will need to open the port mainly on the router and if you have the NAS firewall turned on you will need to allow it there too.
 
You do it on the NAS itself by going to External Access, Router Configuration. Select Create and the Built-in Applications on the Port Forwarding menu, tick 5000 and 5001 on the check list then save.
It is always better to do this via your router settings, rather than allow the NAS to change your router settings. It aslo requires the router to have UPnP enabled, which can be a significant security risk to your network.
 
hi everyone,

this I issue has been bugging me for few weeks! and even Synology team has not understand at all... they have been collected logs and logs from my NAS and they still don't know what happen! but until I found this thread and I'm not alone! I have read all of the comments (you guys are genius btw, and tried all the stuff that told but still no luck)

ok, so the thing is:

1. I have a custom port for my DSM (NOT 5001)
2. I have granted the custom port in firewall (also registered with Synology DDNS, and DSM can be reachable if not using HB, so I assume everything is working perfectly)
3. the custom port are opened on the router (both HTTP, HTTPS and also 6281 port for HB)

so the step that I have complete:

1. Download the HB Vault on Destination NAS
2. Downloaded the HB on Source NAS
3. Changed back to default port (as per Syno Rep suggested)
4. Open 5001 on the Destination Network (there's one time I just turn off the firewall see if that's the issue)
5. Connect from Source NAS (I tried DDNS & Public IP and still same)

but I do know the connection went through tho, cause there're two kinds of error message when I'm wrong on the firewall and port and when it's correct, I have attached two screenshots below

and I also have reverse proxy on my DSM for other services (not sure if this was affected as I saw there's comment above saying about RP)

when is configure error on port and firewall it will be like:

1700849514439.png

and when the configuration is correct (port and firewall) the message will be like:

1700849409783.png

I also did try the UPNP suggestion, but seems like the NAS can't recognise my router and I not really wish to override on that unless there's no choice left, since I have other configuration done on my router that's the last thing I wish to mess up with.

your help is really really really much appreciated.... please help.. thanks!!!!!
 
hi everyone,

this I issue has been bugging me for few weeks! and even Synology team has not understand at all... they have been collected logs and logs from my NAS and they still don't know what happen! but until I found this thread and I'm not alone! I have read all of the comments (you guys are genius btw, and tried all the stuff that told but still no luck)

ok, so the thing is:

1. I have a custom port for my DSM (NOT 5001)
2. I have granted the custom port in firewall (also registered with Synology DDNS, and DSM can be reachable if not using HB, so I assume everything is working perfectly)
3. the custom port are opened on the router (both HTTP, HTTPS and also 6281 port for HB)

so the step that I have complete:

1. Download the HB Vault on Destination NAS
2. Downloaded the HB on Source NAS
3. Changed back to default port (as per Syno Rep suggested)
4. Open 5001 on the Destination Network (there's one time I just turn off the firewall see if that's the issue)
5. Connect from Source NAS (I tried DDNS & Public IP and still same)

but I do know the connection went through tho, cause there're two kinds of error message when I'm wrong on the firewall and port and when it's correct, I have attached two screenshots below

and I also have reverse proxy on my DSM for other services (not sure if this was affected as I saw there's comment above saying about RP)

when is configure error on port and firewall it will be like:

View attachment 14009
and when the configuration is correct (port and firewall) the message will be like:

View attachment 14008
I also did try the UPNP suggestion, but seems like the NAS can't recognise my router and I not really wish to override on that unless there's no choice left, since I have other configuration done on my router that's the last thing I wish to mess up with.

your help is really really really much appreciated.... please help.. thanks!!!!!
All of these errors still indicated some issue with either the port forward or the firewall on the destination side. While you have written that you opened the firewall for 5001, have you done the same with port forward? Have you tried using both 5000 and 5001?
 
All of these errors still indicated some issue with either the port forward or the firewall on the destination side. While you have written that you opened the firewall for 5001, have you done the same with port forward? Have you tried using both 5000 and 5001?
Thanks for the reply, yup at first I done my custom port ( both HTTP and HTTPS, but I saw people comments that needs to be 5000 and 5001 then I done the same, port open to 5000, 5001, 6281, my custom ports, firewall off on both NAS,tried public IP, DDNS. and also the port change to 5001 on NAS just to be clear)

Im still waiting for Synology reply tho, they has been requested the DAT file from both NAS and now waiting their reply.

worse case I just move those two NAS under same network and create task, then change Target to the public IP, I saw some people do works in this way by creating the task first then change target later.
 
Hi all,

After months of back and forth with digging the internet, ask ChatGPT and talking to Synology Reps, I manage to connect with both NAS with hyper backup. So here the story:

continued with the Reps reply, they ask me to enable the remote session for allow them to troubleshoot, i have rejected the request due to my hesitation on their remote access (also got a pretty good advice from @Gerard that I’m advice no to provide that)

then the reps ask me to do below steps and let them know the result since i do not want to share them the remote:

1. sudo -i into the Source Nas (success)
2. Ping to Destination Nas (fail, but i tried google.com and success, but hey like the old saying, if it's work just leave it right)
3. synogear install (success)
4. nmap to Destination Nas with the DSM port 5001 (success)
5. nmap to the Destination Nas with 6281 (success)

then when i try to reply the same result to
the reps i felt like wanted to give it a try.

and voila! the connection establish successfully! tried both DDNS and also public IP all works like a charm! here are some firewall and router setting if anyone so unfortunately having the same
issue as me:

  • DSM port needs to be 5001 (tried external 5001 while internal is different but fail, it has to be both 5001)
  • firewall needs to be open for 5001 and 6281 (you can only allow specific IP if yoi have static IP)
  • port forward for 5001 and 6281 (i really wish to reduce the open port stuff, ill see what i can do after the full backup completed)

so the last "touch up" i has now is, i wish to only allow that NAS go through my router (but not using port forward) and able to backup, i have serious paranoid issue when comes to data. ill keep trying and searching through the net see what i can get.

thanks everyone for the help!
 
DSM port needs to be 5001 (tried external 5001 while internal is different but fail, it has to be both 5001)

My suggestion is you only need 5001 opened on the initial connection for authentication. After that CLOSE this port and it will still work.

If you are using 5001 for DSM access it is strongly suggested that you either change that or use reverse proxy. My setup is a reverse proxy so I don’t need that DSM port opened. I do need to open 5001 if I need to establish a connection to another HB instance. The opening of this port would be on the remote site. Once task is created and established 5001 gets closed up again since this is a well known port that people WILL scan for.
-- post merged: --

1. sudo -i into the Source Nas (success)
2. Ping to Destination Nas (fail, but i tried google.com and success, but hey like the old saying, if it's work just leave it right)
3. synogear install (success)
4. nmap to Destination Nas with the DSM port 5001 (success)
5. nmap to the Destination Nas with 6281 (success)

So it seems this all started working after #3 “synogear install” what is that? What does it do?
 
Last edited:
My suggestion is you only need 5001 opened on the initial connection for authentication. After that CLOSE this port and it will still work.

If you are using 5001 for DSM access it is strongly suggested that you either change that or use reverse proxy. My setup is a reverse proxy so I don’t need that DSM port opened. I do need to open 5001 if I need to establish a connection to another HB instance. The opening of this port would be on the remote site. Once task is created and established 5001 gets closed up again since this is a well known port that people WILL scan for.
yes, originally I was using the reverse proxy for everything (I still do now) but when comes to HB, it keeps fails to connect, then I start digging and saw some post saying it has to be xxxxx.domain.com but not xxx.xxx.domain.com (wildcard is not working) then only I open up the default port but yes I will definitely try to remove the 5001 port forward and change back to the custom port that I used, hopefully is what you said, it was only for establish the connection and when the port is close I assume everything should be still working and I will also allow DSM access only for known IPs.
-- post merged: --

So it seems this all started working after #3 “synogear install” what is that? What does it do?
not sure about that, but it seems like it was for the diagnostic tools, as the Reps was saying to hand back the result after each steps and at the end of the instruction was "synogear remove", so I does all the steps and try to fire up the whole HB process and works like charm.

but on my guessing is, the nmap did the trick, will it be possible some configuration messed up and the nmap will do like a reset stuff? I'm not sure tho.... but I just knowing when I use SSH to ping NAS B from NAS A the packet was 100% loss... meaning it can't connect to the NAS B either DDNS or Public IP tho...
-- post merged: --

anyway, does anyone know if the HB port has to be open too? I intended to close that port, I really just want the 443 and 80 to be the only port that opened
 
anyway, does anyone know if the HB port has to be open too? I intended to close that port, I really just want the 443 and 80 to be the only port that opened
HB port needs to be open, but you can do a custom port forward on your router. You can utilize the custom port number (which is the external side on router), which then forwards to the internal hyper backup port number of 6281.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Thanks, but the hbk files are gone. I want to begin again using the same task. So a task "reset" or its...
Replies
2
Views
5,636
  • Question
That will work with 4.1 version. Looks like user feedback has been implemented.
Replies
4
Views
918
You are welcome! Glad that you got it eventually working. You can still create a Synology support ticket...
Replies
11
Views
1,529
Well in a way this is expected. Your DSM6 machine (host) is still on an older version and anything other...
Replies
1
Views
594
  • Question
A bit odd tbh. Not sure how the name could be a factor here as Synology doesn't have a list of all bucket...
Replies
4
Views
962
Not sure what to say... I have about 5-6 separate tasks towards C2 and not a single time on any of them...
Replies
3
Views
1,188
Sorry, I do not know how to write a script for this but I am confused and have a question. Maybe there is...
Replies
1
Views
948

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top