If I change DSM default ports, does that disable the default port access for mobile apps?

NAS: DS220+, DS918+, RS1219+
Operating system: Windows
Mobile operating system: Android
So I'm still poking around my network trying to understand all the ports and how they're interacting. Eventually I'll get some reverse proxies set up, but I want to make sure I clearly understand what is going on at the base level before moving on.

I had DSM set on the default 5000/5001 ports. My android mobile apps (DS Cam & DS File) worked by simply loading in myname.synology.me for the address. I then changed the DSM ports to 38400/38401 and added those ports to my router port forwarding (ports 500,5001,38400,38401 all forwarded for now) and I lost all access with my apps. I tried myname.synology.me:5001 & myname.synology.me:38401 with no luck. If I switched DSM back to 5000/5001, then the apps worked again.

I then tried switching DSM to 38400/38401 and going into the application portal and changing the default ports for File Station to 38440/38441 and added those ports to my growing port forwarding list. myname.synology.me did not work in the apps, but myname.synology.me:38441 did.

Can someone please correct me if my conclusions below are wrong? Given my recent history I want to make sure I'm not making the wrong assumptions.
1. Changing DSM port to something else besides 5000/5001 disables all default ports for mobile app access.
2. In absence of reverse proxy, once #1 occurs, the default ports for the application must be updated under the application portal in DSM and added to port forwarding.
 
ok, so you have the nas1.synology.me with ports set up on say 38400/38401, but you do NOT have 38400/38401 forwarded to the NAS. Rather, you have set up an RP with mysdsm1.nas1.synology.me with a source of 443 and a destination of 38401?
Yes, correct.

If so, how is 443 opened on your router and how is it directed to the 3 respective NAS?
It’s directed to one, not three. Maybe you missed it above.
443 is directed to nas1. nas1 is the “dispatcher”.

I typed nas1 for all of them above. Maybe you missed it :)
 
Yes, correct.


It’s directed to one, not three. Maybe you missed it above.
443 is directed to nas1. nas1 is the “dispatcher”.

I typed nas1 for all of them above. Maybe you missed it :)
No, I did not miss it, but I thought you did ;). I figured it was a copy/paste typo.

You have just thrown a wrench in the gears spinning in my head.

So now: all 3 "mydsm" fqdn are coming in thru port 443. From there mydsm1 will access NAS1. I do not understand what is happening after that in order to access NAS 2 & 3.

A couple add-on questions. If we are setting up dsm access via RP, then we no longer need to forward 5000/5001 (or 38400/38401) on our router, correct? However, I'm guessing we still need to have unique ports assigned in DSM for the 3 NAS so that the "mydsm2" & "mydsm3" fqdn work, even though I don't yet understand how they work? Or, can all 3 NAS be left on the default 5000/5001 ports?

Sheesh, I thought that I was close to being done with questions and then you threw that "dispatcher" bit in there.
 
No, I did not miss it, but I thought you did ;)
😀

You have just thrown a wrench in the gears spinning in my head.
No, don’t worry. It’s easy. Just think like an IP packet :)

So now: all 3 "mydsm" fqdn are coming in thru port 443. From there mydsm1 will access NAS1. I do not understand what is happening after that in order to access NAS 2 & 3.
The RP on nas1 (where you’re doing all your RP entries) will intercept mydsm2.nas1.synology.me and direct it to the IP address of nas2. It will act as a middle man in between.
The same for mydsm3.nas3.

As I said, just think like an ip packet and trace it as it’s translated from an FQDN to your public IP address, then it hits the router, router directs the traffic (over 443) to your nas1. nas1 intercepts the connection request with the Reverse Proxy service and according to the URL (the proxy rule) routes it to the correct nas where DSM answers back and the connection is established and the traffic flows over the RP on nas1.

A couple add-on questions. If we are setting up dsm access via RP, then we no longer need to forward 5000/5001 (or 38400/38401) on our router, correct?
Correct.

I'm guessing we still need to have unique ports assigned in DSM for the 3 NAS
Not necessarily. They’re hosted on different ip addresses. They can be the same if you wish.
 
ok, that makes more sense.

So with this setup, I am not creating any RP on NAS2 or NAS3, correct? How does NAS2 recognize mydsm2.nas1.synology.me as being an acceptable connection to NAS2? I assume all the LE certs for the 3 "mydsm" RP are hosted on NAS1?

With this setup, what will the port forwarding for 443 look like? Is it only being sent on to NAS1?

Why use this setup instead of an RP direct to NAS2 or NAS3? Is it to avoid forwarding port 443 to multiple NAS?
 
So with this setup, I am not creating any RP on NAS2 or NAS3, correct?
Maybe this is what’s confusing you. You’re thinking that you’ll repeat the RP exercise on each nas. That’s not the case because they’re all using one public IP address. We have to choose one to act as a reverse proxy for all of them. Sorry, I thought it was obvious.

How does NAS2 recognize mydsm2.nas1.synology.me as being an acceptable connection to NAS2? I assume all the LE certs for the 3 "mydsm" RP are hosted on NAS1?
No need to change anything. Your browser will validate with the respective NAS.

With this setup, what will the port forwarding for 443 look like? Is it only being sent on to NAS1?
On the router, 443 will be directed to nas1 ip address. You can leave the internal port blank.
nas1 will handle it from there according to the RP entries.

Why use this setup instead of an RP direct to NAS2 or NAS3? Is it to avoid forwarding port 443 to multiple NAS?
You can’t direct the port more than once. Try it and see what the router will say. Something like “the port already exists”.
It’s like our example of the company. You’re trying to assign the same internal extension to more than one person. That’s a no no :)
 
OK. I think that all makes sense. For now. When I was having problems the other day someone else had commented saying the router should block me from forwarding a single port to multiple addresses, but it did not. I've made enough assumptions about how stuff should work and been wrong that I'm trying to make sure this time around that I really nail it down before I go messing with my settings again.

I think I have a couple of last questions and hopefully we can put this thread to bed for a bit.

We could port forward custom DSM-specific ports to each NAS and then set up RP for each NAS through the custom port, correct? However, we'd then need to add the port number after all the addresses because we are no longer using the default 443 port? The main benefits to your setup are that we only have 1 open port and that we won't need to add the port number at the end of all the addresses?

How does app access work with your RP/dispatcher setup? Suppose I wanted to create an RP for DS file, but I want to be able to access all 3 NAS? Is it the same setup as DSM?

ie:

dsfile1.nas1.synology.me “RPed” to localhost
dsfile2.nas1.synology.me “RPed” to IP address of NAS2
dsfile3.nas1.synology.me “RPed” to IP address of NAS3

File & DSM are both on the same default port. Would I need to go into Application Portal on all 3 NAS and change File Station default port to something besides 5001? I'd then point the "dsfile" RP to that destination port? I'm not saying I actually need this access, I'm just trying to understand the process.
 
When I was having problems the other day someone else had commented saying the router should block me from forwarding a single port to multiple addresses, but it did not.
It should not allow it. My router says the port already used or it exists or something like that. Try again and see.

I think I have a couple of last questions and hopefully we can put this thread to bed for a bit.
No problems. Just try building it with the main RP NAS (maybe that would be your RS as it’s the most powerful) and another one. So do one and it’ll all be clear and after testing you can do the 2nd one.
Mind your firewall rules.

We could port forward custom DSM-specific ports to each NAS and then set up RP for each NAS through the custom port, correct? However, we'd then need to add the port number after all the addresses because we are no longer using the default 443 port? The main benefits to your setup are that we only have 1 open port and that we won't need to add the port number at the end of all the addresses?
Correct. You can do that if you wish to have each NAS handling its own RP, but at the inconvenience –and risk, if you count more open ports as risky albeit they’re all proxied– that you’ve just mentioned.

How does app access work with your RP/dispatcher setup? Suppose I wanted to create an RP for DS file, but I want to be able to access all 3 NAS? Is it the same setup as DSM?
Yes.

File & DSM are both on the same default port. Would I need to go into Application Portal on all 3 NAS and change File Station default port to something besides 5001? I'd then point the "dsfile" RP to that destination port? I'm not saying I actually need this access, I'm just trying to understand the process.
You got it. Correct.

I couldn’t help but laugh when I read “your RP setup” multiple times :)
It’s there. I didn’t invent it. I merely pointed to it :)
 
I couldn’t help but laugh when I read “your RP setup” multiple times :)
It’s there. I didn’t invent it. I merely pointed to it :)
LOL. I hereby dub it the "WST16 protocol".

Below is a demo of forwarding port 5000 to all 3 NAS IP. This is in Unifi, no warnings that I can find are given. Perhaps it has something to do with the multi-port forwarding that it doesn't catch it.

1608236565547.png
 
LOL. I hereby dub it the "WST16 protocol".
🤣

Below is a demo of forwarding port 5000 to all 3 NAS IP. This is in Unifi, no warnings that I can find are given. Perhaps it has something to do with the multi-port forwarding that it doesn't catch it.

View attachment 2633
This is interesting. I’d like to know why. I’ve never used a Unifi.
This is @jeyare department :)
Maybe he can shed some light on it.
 
Below is a demo of forwarding port 5000 to all 3 NAS IP. This is in Unifi, no warnings that I can find are given. Perhaps it has something to do with the multi-port forwarding that it doesn't catch it.

1608236565547.png
It’s still bugging me :)

When you entered these, did you specify a “source IP address”? In the screenshot above, do you have a “source ip address column”?
 
That shot is just a summary page of all rules. Below is a shot of the rule-creating window. There is no source IP, just source port. I do know that forwarding does forward to multiple ports; I'd enter NAS1 DDNS and it'd send me to NAS2. It seemed random and non-repeatable which NAS I'd actually end up at. I agree that I shouldn't be forwarding to the same ports, but it doesn't appear that Unifi knows that.

1608241758304.png


It also is not because of the multi-port forwarding. I tested forwarding just port 5001 to two separate NAS IP and it didn't warn me about anything. Perhaps I don't have Unifi's customer-help brain turned on?

1608241997465.png
 
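Added example (not part of the thread and not UniFi code): a small Python check for the situation in the post above, where the same external port ends up forwarded to more than one NAS without any warning, including when it is hidden inside a multi-port rule. The rule tuple format, rule names and IP addresses are assumptions constructed for illustration; transcribe your router's rules into that shape.

```python
from collections import defaultdict

# Constructed sample rules: (rule name, external port spec, internal IP).
# Names and addresses are made up; they are not taken from the thread.
SAMPLE_RULES = [
    ("nas1-dsm", "5000-5001", "192.168.1.11"),
    ("nas2-dsm", "5001,38400-38401", "192.168.1.12"),
    ("nas1-rp", "443", "192.168.1.11"),
    ("nas3-dsm", "38401", "192.168.1.13"),
]

def expand_ports(spec):
    """Expand a spec such as '5000,5001,38400-38401' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

def find_conflicts(rules):
    """Return {port: [(rule name, internal IP), ...]} for every external
    port that is forwarded to more than one distinct internal IP."""
    targets = defaultdict(list)
    for name, spec, ip in rules:
        for port in expand_ports(spec):
            targets[port].append((name, ip))
    return {
        port: hits
        for port, hits in sorted(targets.items())
        if len({ip for _, ip in hits}) > 1
    }

if __name__ == "__main__":
    for port, hits in find_conflicts(SAMPLE_RULES).items():
        dests = ", ".join(f"{name} -> {ip}" for name, ip in hits)
        print(f"port {port} forwarded to multiple hosts: {dests}")
```

With the single-443-forward setup described in the thread, the rule list shrinks to one entry and this check returns no conflicts.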
Wow, that was a marathon of reading for me. Well done on explaining it all @WST16. @NAS Newbie just limit yourself to a single port forward (443) and route all traffic via that port to your RP NAS and from there traffic will be redirected to where it needs to go.
 
I'm putzing with this a bit trying it all out. I'm curious as to why we point the destination port of the DSM RP towards the http port 5000 instead of 5001. I have https redirect turned on in DSM, so the RP ends up on the https 5001 port anyways. Why not just point the destination to the https port to begin with? I don't believe anybody on this thread said to point to the http port, but the Bitwarden tutorial showed making an RP for bitwarden using http port 80 as the destination, and so that's my only other experience with the RP. Perhaps I'm just mixing up tutorials and I could just as easily point the destination to https.

1608522246606.png
 
You can direct it to the https port if you wish. It should work.
The difference is that it’s either encrypted or not encrypted internally. HTTP will be slightly faster. But in your case it’ll always end up as https (redirected as configured).
If I'm coming in through the 443 port already, do I still need the https redirect?

Right now if I type only "dsm.myname.synology.me", it auto-redirects to "dsm.myname.synology.me:5001" and I can gain access from there. I assume that the "5001" ending up at the end of the url is the result of the reverse proxy going through the 5000 port and being redirected to 5001?
 