I am comfortable with my settings (don’t believe VLAN will help)

NAS: DS 718+, 2x DS 720+
Router: RT2600ac
Operating system: Windows
Mobile operating system: iOS
Been wanting to post this for nearly a year, but got delayed by impending VLAN capabilities of my router RT2600ac, and issues when ISP problems came up.

I’m self-taught, and I’m warning all of that.

Here is what I’ve implemented here. I post the settings because I’d like to see what others think about it.

When it becomes available, I’m thinking I will not use VLAN.

Most everything here is static IP. This allows me to determine, by IP, what capabilities any new device would have, as you shall see.

DHCP here is IP .40–.54
IP Cameras are .163–.176

Firewalls: Router: (just IP specific ones)
Allow IP .1–.162 to internet
Deny all as last entry. No ports forwarded.

Firewalls: NAS1: (just IP specific ones)
Allow IP .2–.24 input to this NAS
Allow ftp from IP .163–.176 input to this NAS
Deny all as last entry

Firewalls: NAS2&3 (just IP specific ones)
Allow IP .2–.24 input to these NASes
Deny all as last entry

Due to the firewalls I have the following IP Groups:

Allow internet & NAS access
Allow internet, NO NAS access
NO INTERNET, NO NAS access

And ftp access from cameras to only 1 of 3 NASes.

The groups are not filled, so as new devices are acquired, I can predetermine what they will or will not be able to do based on the IP I assign to them.

Seems to work. I post this for discussion and improvement.

Open for comments, Please!

Thank You!
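As an added illustration (not the poster's own configuration and not Synology code), the three rule lists above can be modelled as first-match firewalls so that the capability group of any host octet can be looked up. It also records the flat-LAN caveat raised later in the thread: neither the router nor the NAS firewalls sit between two hosts on the same subnet, so host-to-host traffic is not filtered by any of these lists. The /24 prefix, DSM port 5000 and FTP port 21 are assumptions; the post only gives host octets.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the rule lists in the opening post. The post only gives
# host octets, so the /24 prefix below is a placeholder assumption.
SUBNET = ipaddress.ip_network("192.168.1.0/24")
FTP_PORT = 21      # the camera -> NAS1 exception in the post
DSM_PORT = 5000    # assumed DSM HTTP port, used here to mean "ordinary NAS access"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src_lo: int                  # inclusive host-octet range; 0-255 means any source
    src_hi: int
    port: Optional[int] = None   # None matches any destination port


def first_match(rules: List[Rule], src_octet: int, port: Optional[int] = None) -> str:
    """First matching rule wins. If nothing matches, the implicit default is
    allow, which is why every list in the post ends with an explicit deny."""
    for r in rules:
        if r.src_lo <= src_octet <= r.src_hi and (r.port is None or r.port == port):
            return r.action
    return "allow"


# Router: outbound to the internet only for .1-.162, then deny all.
ROUTER_TO_INTERNET = [Rule("allow", 1, 162), Rule("deny", 0, 255)]
# NAS1: .2-.24 for anything, cameras .163-.176 for FTP only, then deny all.
NAS1_INBOUND = [Rule("allow", 2, 24), Rule("allow", 163, 176, port=FTP_PORT), Rule("deny", 0, 255)]
# NAS2 and NAS3: .2-.24 only, then deny all.
NAS23_INBOUND = [Rule("allow", 2, 24), Rule("deny", 0, 255)]


def capabilities(src_octet: int) -> dict:
    """What a host with this last octet can reach under the three rule lists."""
    if not 0 <= src_octet <= 255:
        raise ValueError("host octet out of range")
    return {
        "internet": first_match(ROUTER_TO_INTERNET, src_octet) == "allow",
        "nas1": first_match(NAS1_INBOUND, src_octet, DSM_PORT) == "allow",
        "nas1_ftp": first_match(NAS1_INBOUND, src_octet, FTP_PORT) == "allow",
        "nas2_3": first_match(NAS23_INBOUND, src_octet, DSM_PORT) == "allow",
        # Neither the router's nor the NAS firewalls sit between two hosts on
        # the same /24, so host-to-host traffic (camera to PC, for instance)
        # is not filtered by any of the lists above.
        "other_lan_hosts": True,
    }


def group(src_octet: int) -> str:
    """Map an octet to one of the three IP groups named in the post."""
    c = capabilities(src_octet)
    if c["internet"] and c["nas2_3"]:
        return "internet + NAS"
    if c["internet"]:
        return "internet, no NAS"
    return "no internet, no NAS"


if __name__ == "__main__":
    for octet in (10, 50, 170):
        print(SUBNET.network_address + octet, group(octet), capabilities(octet))
```

Running it shows .10 in the "internet + NAS" group, a DHCP client such as .50 in "internet, no NAS", and a camera at .170 with no internet, FTP-only access to NAS1, and unrestricted reach to every other host on the subnet.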
 
Basically, if you don’t want to use VLANs and feel secure in your current network topology then don’t change.

I’m pretty much of this view when looking at lists of new features in whatever OS/app has a major upgrade. My normal response is “don’t care; don’t care; don’t care; don’t care; might be interesting but can live without; don’t care; don’t care”.

Coming back to VLANs, you can use them to isolate devices into different roles and risks. Then if the devices on different VLANs need to interact it will have to be mediated by a router/firewall. At present you have a flat LAN where types of devices are grouped into segments of the LAN subnet. The firewall allows different external exposure, but there is no internal protection.
 
Yes, I interpreted your 'isolation comments' from other VLAN documents... I read in past month...

This 'approach' was actually implemented over a year ago, based upon an 'easy way' to implement security on new devices, and I've been debating with myself to post it, in case in my inexperience, I did something Very Incorrect....

Thank you very much for responding...
 
The cameras need to be on their own broadcast domain. Use either an additional LAN (ideal) or a VLAN (good enough); ignoring this is unwise.

I've no idea as to your wider topology so unable to comment further. However, the RT2600ac is not a router - it is a combo unit with some router functionality. I am guessing that you may use the wifi element of it too. If so then really give your network topology some serious thought as to what systems are sharing a subnet with your wifi.

Of course, 'don't care' remains an option but it is neither performant nor secure.

☕
 
If it matters is up to you and not the rest of us. So these are just my thoughts:

IP cameras run in real time and don't shut up - effectively the reverse of what you would want on a network and behave unlike almost all other network traffic. They are not friendly bedfellows for clients on the same subnet when it comes to the routine network management and the process of delivering many different protocols to many different clients.

On the security side they are free to communicate to any other device on your main LAN - the firewall between your LAN and WAN will do nothing. As mentioned earlier, you have a flat internal network where everything is free to communicate with everything else and, of course, it has to in order to function on the same broadcast segment.

I'm not sure how you have your firewall set but stopping internal traffic (i.e. presumed safe) from accessing the WAN (phoning home) is a rather different challenge than setting regular firewall rules that only look to prevent unsolicited traffic from the WAN to the LAN. Most standard firewall configurations do not even include a WAN_OUT ruleset and anything let out from the LAN to the WAN will then allow return traffic through a standard firewall's 'established/related' rule. If anything, stopping this behaviour is becoming more difficult over time with the rise of new encrypted protocols.

Anyway, just looking at a Wireshark capture of your network would probably give you a good insight as to why segmenting out is considered a 'good thing'.

☕
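To make the 'established/related' point concrete, here is an added simulation (not Synology's firewall and not the poster's actual rules) of a stateful router with separate WAN_IN and WAN_OUT lists. As in the opening post, hosts .1-.162 may open outbound connections and the cameras may not; the addresses and ports are constructed placeholders. It shows that a host allowed out gets its return traffic through with no inbound rule at all, while a denied camera produces a logged hit and nothing comes back, and an unsolicited connection from the WAN is dropped either way.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed model: host octets .1-.162 may go out, everything else is denied
# and logged (the "trap" described in the thread). Addresses are placeholders.
LAN_ALLOWED_OUT = range(1, 163)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    # Direction-independent connection table, a minimal stand-in for conntrack.
    conntrack: Set[frozenset] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    @staticmethod
    def _key(f: Flow) -> frozenset:
        # The same key is produced for a packet and for its reply.
        return frozenset({(f.src, f.sport), (f.dst, f.dport)})

    def lan_to_wan(self, f: Flow) -> str:
        """WAN_OUT list: established first, then allow .1-.162, then deny+log."""
        if self._key(f) in self.conntrack:
            return "accept (established)"
        octet = int(f.src.rsplit(".", 1)[1])
        if octet in LAN_ALLOWED_OUT:
            self.conntrack.add(self._key(f))   # reply traffic now qualifies
            return "accept (new)"
        self.log.append(f"WAN_OUT drop {f.src}:{f.sport} -> {f.dst}:{f.dport}")
        return "drop"

    def wan_to_lan(self, f: Flow) -> str:
        """WAN_IN list: only established/related passes; no port forwards exist."""
        if self._key(f) in self.conntrack:
            return "accept (established)"
        self.log.append(f"WAN_IN drop {f.src}:{f.sport} -> {f.dst}:{f.dport}")
        return "drop"


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Replay a small constructed packet sequence and return verdicts and log."""
    fw = StatefulFirewall()
    wan_host = "203.0.113.10"
    results = {
        # A permitted client opens an HTTPS connection out; its reply returns
        # through the established rule although WAN_IN allows nothing by itself.
        "pc_out": fw.lan_to_wan(Flow("192.168.1.50", 51000, wan_host, 443)),
        "pc_reply": fw.wan_to_lan(Flow(wan_host, 443, "192.168.1.50", 51000)),
        # A camera tries the same: dropped and logged, so no state is created
        # and a "reply" from the WAN has nothing to match.
        "cam_out": fw.lan_to_wan(Flow("192.168.1.170", 40000, wan_host, 443)),
        "cam_reply": fw.wan_to_lan(Flow(wan_host, 443, "192.168.1.170", 40000)),
        # Unsolicited inbound to the NAS port is dropped regardless.
        "unsolicited": fw.wan_to_lan(Flow("198.51.100.7", 4444, "192.168.1.50", 5000)),
    }
    return results, fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    for name, verdict in verdicts.items():
        print(f"{name:12} {verdict}")
    print("\n".join(log))
```

The asymmetry the reply describes is visible in the verdicts: the only difference between the PC and the camera is the WAN_OUT decision on the first outbound packet, after which the inbound rules never need to name either host.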
 
Thank you for the in-depth info. Yes — I had posted the Router & NAS firewall rules. NAS, being behind router, has its own inbound-only firewall. Traps are set in router firewall logging hits if Cameras attempt anything. In 3-4 years nary a one.

Once 1.3 is fully up & running, and I understand more about VLAN, I’ll re-visit.
But for now, this has worked for me quite successfully. But please understand I’m taking your comments seriously.
 
