If I change DSM default ports, does that disable the default port access for mobile apps?

[NAS Newbie]

So I'm still poking around my network trying to understand all the ports and how they're interacting. Eventually I'll get some reverse proxies set up, but I want to make sure I clearly understand what is going on at the base level before moving on.

I had DSM set on the default 5000/5001 ports. My android mobile apps (DS Cam & DS File) worked by simply loading in myname.synology.me for the address. I then changed the DSM ports to 38400/38401 and added those ports to my router port forwarding (ports 500,5001,38400,38401 all forwarded for now) and I lost all access with my apps. I tried myname.synology.me:5001 & myname.synology.me:38401 with no luck. If I switched DSM back to 5000/5001, then the apps worked again.

I then tried switching DSM to 38400/38401 and going into the application portal and changing the default ports for File Station to 38440/38441 and added those ports to my growing port forwarding list. myname.synology.me did not work in the apps, but myname.synology.me:38441 did.

Can someone please correct me if my conclusions below are wrong? Given my recent history I want to make sure I'm not making the wrong assumptions.
1. Changing DSM port to something else besides 5000/5001 disables all default ports for mobile app access.
2. In absence of reverse proxy, once #1 occurs, the default ports for the application must be updated under the application portal in DSM and added to port forwarding.

 

[Telos]

Just add the new port to the DS app URL. All will be fine.

https://secret.synology.me:38401

I then changed the DSM ports to 38400/38401 and added those ports to my router port forwarding (ports 500,5001,38400,38401 all forwarded for now) and I lost all access with my apps.

You don't need 5000/5001 forwarded.

 

[NAS Newbie]

Just add the new port to the DS app URL. All will be fine.

https://secret.synology.me:38401

You don't need 5000/5001 forwarded.

many curse words were just said.

I did that. I did it multiple times before posting. I switched DSM ports back and forth between 5001 & 38401 multiple times to test my problem before posting. Triple checked that I was typing everything in correctly. Gave me the same problem every time. I wanted to make sure I had a real problem that I could replicate each time before posting.

Now you come in and tell me to do what I have just done repeatedly again. I do it one more time, and it works this time. What little reputation I might have in this place is going downhill fast. Thanks for fixing it.

edit: I also knew that once changing the DSM port that I shouldn't need 5000/5001 forwarded, but I left it open after my initial connectivity issues with the apps thinking that maybe they were still looking for 5001.

 

[Rusty]

What little reputation I might have in this place is going downhill fast

Do you really think you are the only one with these kinds of problems? This is your 1st NAS and you are still testing the watters. Give yourself some credit. You are trying, listening to advice, and more importantly, not giving up.

Kudos m8. Keep at it.

 

[WST16]

Don’t worry about it @NAS Newbie. It happens to the best of us. What matters is that you’re learning and gaining experience.

 

[NAS Newbie]

Thanks guys. I guess I haven't dealt with something that has repeatedly made me feel this dumb in quite a while. I literally spent hours from the time I first started the OP to when I posted it making sure I wasn't asking another dumb question. I'll keep plugging away.

-- post merged: 17. Dec 2020 --

As a follow up as I explore reverse proxies:

Let's say I want to explore setting up a reverse proxy for DS cam as cam.myname.synology.me is easier to remember than which port an app needs to be pointed to.

If I change dsm ports to 38400/38401 but do not change any of the ports for the app in the application portal, which ports will I be using as the source and destination for the RP?

Will the destination be 38401 as well by following dsm, or will it require the default 5001 if I don't have a port following the ddns name?

 

[WST16]

It should be 38401 (for Surveillance Station over https). It follows what you’ve changed for DSM if I recall correctly.

Network ports used by Synology services

Not a resource per se, but a pointer to Synology’s knowledge base page that shows the default ports used by the services. I find that I refer to it frequently. Might be useful (and easier) to pin it here for all of us :) Network ports used by...

www.synoforum.com

 

[NAS Newbie]

It should be 38401 (for Surveillance Station over https). It follows what you’ve changed for DSM if I recall correctly.

Network ports used by Synology services

Not a resource per se, but a pointer to Synology’s knowledge base page that shows the default ports used by the services. I find that I refer to it frequently. Might be useful (and easier) to pin it here for all of us :) Network ports used by...

www.synoforum.com

I saw your posting of that list before and it's been very helpful.

I assume that apps that aren't defaulted to 5000/5001 such as hyperbackup will not automatically be pulled forward to 38401? I assume those stick with whatever port they were assigned in your list? I'm not saying I am going to create an RP for hyperbackup, but if I were going to, what would the ddns look like that I'd have to load into a browser?

-- post merged: 17. Dec 2020 --

I should clarify. If hb default port stays on 6281 after switching dsm ports:

Can I create a hyper.synology.me RP and have the source be 38401 and the destination 6281? If so, would I then use hyper.synology.me or hyper.synology.me:38401 in my browser and theoretical apps? Just trying to understand how it is all working

 

[Telos]

I posted it making sure I wasn't asking another dumb question.

It wasn't a dumb question. If it had been, I would not have replied to the thread. Hang in there. Be teachable.

 

[NAS Newbie]

It wasn't a dumb question. If it had been, I would not have replied to the thread. Hang in there. Be teachable.

Believe me, I'm not going anywhere. I'm figuring things out with all the help, I just underestimated how big of a technical networking jump it was going to be to get multiple NAS across multiple locations set up.

 

[fredbert]

I assume that apps that aren't defaulted to 5000/5001 such as hyperbackup will not automatically be pulled forward to 38401? I assume those stick with whatever port they were assigned in your list?

You assume correctly.

DSM is a Web service (based on HTTP) and can be controlled like the other Web portal packages through Application Portal and Reverse Proxy.

Services like Hyper Backup are not Web services so will not work with Web proxy features.

Some of the non-Web sevices may allow changing the port they listen to, eg SSH and SFTP, but others don’t, eg Synology Drive Server (the port connected by desktop sync clients).

Though you could intervene before the inbound connection reaches the server port. Place a port forward in a router/firewall so clients (if they can define the destination port) can send to a new port and the port forwarder intervenes to redirect to the fixed port.

 

[NAS Newbie]

You assume correctly.

DSM is a Web service (based on HTTP) and can be controlled like the other Web portal packages through Application Portal and Reverse Proxy.

Services like Hyper Backup are not Web services so will not work with Web proxy features.

Some of the non-Web sevices may allow changing the port they listen to, eg SSH and SFTP, but others don’t, eg Synology Drive Server (the port connected by desktop sync clients).

Though you could intervene before the inbound connection reaches the server port. Place a port forward in a router/firewall so clients (if they can define the destination port) can send to a new port and the port forwarder intervenes to redirect to the fixed port.

So.... Drive uses the following ports:

80 (link sharing), 443 (link sharing), 5000 (HTTP), 5001 (HTTPS), 6690 (Synology Drive Client)

If I change DSM to 38401, will I still need 5001 open for Drive, or will that portion of the drive routing roll over to 38401? Will I also need 80, 443, and 6690 open for drive? Can I RP those through either 38401 or another non-default port (38402, 38403, etc)? I'm trying to limit open ports and avoid known default ports, or am I over-thinking things?

 

[WST16]

Go to Control Panel > Application Portal > Application tab
to see what can be accessed with a portal. You can give them new ports here too that you can use in your RPs.
Note that the list is populated as you add supported packages (as explained by @fredbert).
So if you don’t have Audio Station, it won’t be there. However, once you install it, you can find it under the applications portal.

 

[NAS Newbie]

Go to Control Panel > Application Portal > Application tab
to see what can be accessed with a portal. You can give them new ports here too that you can use in your RPs.
Note that the list is populated as you add supported packages (as explained by @fredbert).
So if you don’t have Audio Station, it won’t be there. However, once you install it, you can find it under the applications portal.

Yes, I saw that and have played with it a bit. I'll probably play around some more and then post any new questions. I tried making a DS file RP yesterday when dealing with all of the issues that led to the OP and couldn't get it to work right, but that might have been due to whatever issue was messing things up in my OP too. I'll give it another shot.

 

[WST16]

Here’s an RP I’ve created for my Emby server, if it helps.



Note that this will not be added to the applications portal (it’s not Synology’s), however, it comes with its own web access and I can RP it. The same goes for a lot of things that you run in docker.

 

[NAS Newbie]

Here's what lead to my original RP question on this thread:

When creating a new RP for DS file, I go through the setup, and the resulting source address is file.myname.i234.me:38401 as shown below. However, my bitwarden RP that I created using the tutorial on here does not have the port following the new RP FQDN. Why does one have the port and the other doesn't? Do I need to include the port when I use my new DS File RP in a browser or app? If so, that entirely defeats the purpose of creating the RP to begin with, because I'll still have to remember the port number at the end of the fqdn.

-- post merged: 17. Dec 2020 --

Thinking about this more, the BW RP is coming in through port 443. Is the port not included on the BW RP because 443 is a default https port? So, if I pointed my DS file RP to 443 instead of 38401, then the RP assumes which port it needs to access and so I don't need the port number at the end of the FQDN?

If so, then I am still curious about the security concerns about using a known default port instead of a random one. This thread kind of got off track more than I intended, but it's been informative.

 

[WST16]

Just bring them in via 443 (https). All of them, unless you need not to.
In your list above, the ones with no port number is either 443 (https) or 80 (http).

Think of the RP service as the main number for a company (443), you dial it and you get the automated answering thing, you bunch in an extension (the different ports you specify) and it directs you to a person/office.

So in your example, bring in file.whatever via 443.
Also change the IP address to “localhost” as long as it’s on the same DS/RS.

-- post merged: 17. Dec 2020 --

If so, then I am still curious about the security concerns about using a known default port instead of a random one.

Yes you’re using a known port but one needs to know the full URL to access it.
So simply reaching the door (443) is useless. So you have that (the name of the service) to overcome to reach the next hurdle which is the user name/password of the service.

While if someone scans the ports (whatever random port you’ve used) and finds it open, they can get to the service (user name/password) immediately (with the browser).

So it’s an extra layer of security actually. Thats how I see it.

 

[NAS Newbie]

ok, that makes more sense. when you say point everything to 443, does that include DSM?

If yes, then I also have my specific case to figure out too. I have the 3 NAS on the same LAN currently. Will nas1.synology.me:443 , nas2.synology.me:443, & nas3.synology.me:443 all access their respective NAS? As I recall from when I had my issue the other day, I had problems when they all came in on the same port, but I don't know if that's because I had something else screwed up or if the 3 NAS were actually clashing by coming in on the same port and being forwarded from there.

 

[WST16]

when you say point everything to 443, does that include DSM?

Yes.

mydsm1.nas1.synology.me “RPed”to localhost
mydsm2.nas1.synology.me “RPed”to IP address of NAS2
mydsm3.nas1.synology.me “RPed” to IP address of NAS3

 

[NAS Newbie]

Yes.

mydsm1.nas1.synology.me “RPed”to localhost
mydsm2.nas1.synology.me “RPed”to IP address of NAS2
mydsm3.nas1.synology.me “RPed” to IP address of NAS3

ok, so you have the nas1.synology.me with ports set up on say 38400/38401, but you do NOT have 38400/38401 forwarded to the NAS. Rather, you have set up an RP with mysdsm1.nas1.synology.me with a source of 443 and a destination of 38401?

If so, how is 443 opened on your router and how is it directed to the 3 respective NAS? I feel like I'm really close to finally putting this whole puzzle together in my head, thanks for walking me through it.