- 8,057
- 2,461
- Operating system
- macOS
- Mobile operating system
- iOS
Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
As an Amazon Associate, we may earn commissions from qualifying purchases. Learn more...
I’m sure you’re already on it, but please push them hard on this and drive home the benefits of this ability.I have opened the ticket but I will be using my direct connection with Syno on Monday to see if this was a bug or the intended way forward. Let’s hope not.
Dear Luka,
thanks for contacting Synology Technical Support.
We assume that you want to create a remote backup between 2 NAS devices at different locations.
To ensure the security of the NAS, since DSM 7.2 with Hyper Backup 4.0, the target NAS must open the DSM HTTPS port when creating the job. This is usually port 5001 if it has not been changed.
Please make sure that the DSM HTTPS port is open on NAS destination side and try to create the backup task again.
You can disable the DSM port again after the task has been created.
Additionally, I will forward your message as a feature request to our developers.
At the moment I can't tell you, if this function will be changed (again) in a future release, but we are always happy to receive new suggestions.
For more news, you can subscribe to our e-news. You can subscribe to it for free in your Synology account.
https://account.synology.com/
If you have any further questions or concerns, please let me know.
Best regards,
Sebastian Wagner
Senior Technical Support Engineer
The fact that you can disable the port after the task is set up is I guess a better option then to have to have it open all the time, but I still have to confirm if this is the case or not. Have a setup lined up for testing so will give it a go.
All good from a security idea, but why is opening each NAS with HB destination more secure than to push it via a 3rd party reverse proxy on a custom (single) port? Makes no sense.I get if they wanted to tighten security, all good, but to do it over the dsm ports especially if default (5000/5001) is worse imho for security.
Just an update on this topic. The same "new" principle applies to ABB remote tasks. You need to have the DSM https port opened. RP port will not follow. After the task has been configured the default 5510 (or any other that you have defined) port will take the role of the actual backup and the DSM port can be closed.
Hi Rusty,All good from a security idea, but why is opening each NAS with HB destination more secure than to push it via a 3rd party reverse proxy on a custom (single) port? Makes no sense.
I hear you, and I do hope they will allow the previous use case as well in the future version. This opening port to configure it and then close it down is... I don't know. I have mixed feelings about it. Ok, you open the port for authentication and close it down in a matter of 1 min, fine. But the existing method worked more than fine.
Guess we are at their mercy on this one.
Just tested this with several tasks and it does work. It’s just an extra step opening and closing the port to maintain security.
Hi there. Well this error still points to an unsuccessful handshake. This is mainly (probably) an issue with the firewall/port forward. Username error has a different window/error so my money is still on the traffic/ports.Is there a step I'm missing?
Yes this is one way of doing it, however it should be discouraged. This method uses UPNP which will auto open ports on your router. It is best to do these tasks manually rather than having a device open ports. This is considered more secure, and UPNP should be disabled.Never mind I have worked it out. You do it on the NAS itself by going to External Access, Router Configuration. Select Create and the Built-in Applications on the Port Forwarding menu, tick 5000 and 5001 on the check list then save. Everything should now work although you need to go back in and untick them once you have set up your backups and tested them.
It is always better to do this via your router settings, rather than allow the NAS to change your router settings. It aslo requires the router to have UPnP enabled, which can be a significant security risk to your network.You do it on the NAS itself by going to External Access, Router Configuration. Select Create and the Built-in Applications on the Port Forwarding menu, tick 5000 and 5001 on the check list then save.
All of these errors still indicated some issue with either the port forward or the firewall on the destination side. While you have written that you opened the firewall for 5001, have you done the same with port forward? Have you tried using both 5000 and 5001?hi everyone,
this I issue has been bugging me for few weeks! and even Synology team has not understand at all... they have been collected logs and logs from my NAS and they still don't know what happen! but until I found this thread and I'm not alone! I have read all of the comments (you guys are genius btw, and tried all the stuff that told but still no luck)
ok, so the thing is:
1. I have a custom port for my DSM (NOT 5001)
2. I have granted the custom port in firewall (also registered with Synology DDNS, and DSM can be reachable if not using HB, so I assume everything is working perfectly)
3. the custom port are opened on the router (both HTTP, HTTPS and also 6281 port for HB)
so the step that I have complete:
1. Download the HB Vault on Destination NAS
2. Downloaded the HB on Source NAS
3. Changed back to default port (as per Syno Rep suggested)
4. Open 5001 on the Destination Network (there's one time I just turn off the firewall see if that's the issue)
5. Connect from Source NAS (I tried DDNS & Public IP and still same)
but I do know the connection went through tho, cause there're two kinds of error message when I'm wrong on the firewall and port and when it's correct, I have attached two screenshots below
and I also have reverse proxy on my DSM for other services (not sure if this was affected as I saw there's comment above saying about RP)
when is configure error on port and firewall it will be like:
View attachment 14009
and when the configuration is correct (port and firewall) the message will be like:
View attachment 14008
I also did try the UPNP suggestion, but seems like the NAS can't recognise my router and I not really wish to override on that unless there's no choice left, since I have other configuration done on my router that's the last thing I wish to mess up with.
your help is really really really much appreciated.... please help.. thanks!!!!!
Thanks for the reply, yup at first I done my custom port ( both HTTP and HTTPS, but I saw people comments that needs to be 5000 and 5001 then I done the same, port open to 5000, 5001, 6281, my custom ports, firewall off on both NAS,tried public IP, DDNS. and also the port change to 5001 on NAS just to be clear)All of these errors still indicated some issue with either the port forward or the firewall on the destination side. While you have written that you opened the firewall for 5001, have you done the same with port forward? Have you tried using both 5000 and 5001?
DSM port needs to be 5001 (tried external 5001 while internal is different but fail, it has to be both 5001)
1. sudo -i into the Source Nas (success)
2. Ping to Destination Nas (fail, but i tried google.com and success, but hey like the old saying, if it's work just leave it right)
3. synogear install (success)
4. nmap to Destination Nas with the DSM port 5001 (success)
5. nmap to the Destination Nas with 6281 (success)
yes, originally I was using the reverse proxy for everything (I still do now) but when comes to HB, it keeps fails to connect, then I start digging and saw some post saying it has to be xxxxx.domain.com but not xxx.xxx.domain.com (wildcard is not working) then only I open up the default port but yes I will definitely try to remove the 5001 port forward and change back to the custom port that I used, hopefully is what you said, it was only for establish the connection and when the port is close I assume everything should be still working and I will also allow DSM access only for known IPs.My suggestion is you only need 5001 opened on the initial connection for authentication. After that CLOSE this port and it will still work.
If you are using 5001 for DSM access it is strongly suggested that you either change that or use reverse proxy. My setup is a reverse proxy so I don’t need that DSM port opened. I do need to open 5001 if I need to establish a connection to another HB instance. The opening of this port would be on the remote site. Once task is created and established 5001 gets closed up again since this is a well known port that people WILL scan for.
not sure about that, but it seems like it was for the diagnostic tools, as the Reps was saying to hand back the result after each steps and at the end of the instruction was "synogear remove", so I does all the steps and try to fire up the whole HB process and works like charm.So it seems this all started working after #3 “synogear install” what is that? What does it do?
HB port needs to be open, but you can do a custom port forward on your router. You can utilize the custom port number (which is the external side on router), which then forwards to the internal hyper backup port number of 6281.anyway, does anyone know if the HB port has to be open too? I intended to close that port, I really just want the 443 and 80 to be the only port that opened
We use essential cookies to make this site work, and optional cookies to enhance your experience.