So a few questions based on your security 101 above:
- access your nas via https and a valid SSL cert - are you talking about remote access here? How do you force https and how do you implement an SSL cert?
(I would usually refer to 'remote access' as a service that permits authorised users located on the Internet to access home/work services using a VPN service, such as IPsec VPN, SSL-VPN, L2TP VPN. Otherwise accesses would be termed external access.)
Within DSM there are a few places that define HTTP/HTTPS accessible services and each of these have the option to enable HSTS to force HTTP requests to be redirected to HTTPS (enable these):
- Control Panel for:
- Web Station for the normal HTTP/80 and HTTPS/443 web server plus any virtual web services you create.
You can create new SSL certificates in Control Panel's Security section. If you create a Let's Encrypt certificate then web browsers will be able to confirm that Let's Encrypt has authorised it (aka signed it) and see the web server as secure. If you create a self-signed certificate then web browsers won't be able to check who signed it (because it wasn't) but the connection will still be secured.
When creating a LE certificate you must enter any Subject Alternative Names in full so that web browsers know that, e.g., file.domain.com is ok with the domain.com certificate.
Once created, you need to assign the new certificate to the appropriate services (do this from the same Security page).
- default port > 1024, please explain more! local port or router port? and....... how?
UDP and TCP ports up to 1024 are reserved for system services. The device that is running the service needs to listen on a known port for incoming traffic; this will be the local port on the NAS. To then allow access inbound from the Internet you have to configure a port forwarding rule on your router to pass traffic to its port onto the NAS. To complicate matters, if you want, the router's port can be different to the NAS's port because the router will switch the numbers as it passes the traffic: this may be useful if you don't want to change default port numbers on the NAS but also don't want to advertise services on default ports to the Internet.
- VPN. This is something I keep looking into but keep giving up. I think you are referring to accessing your NAS remotely and through Windows file share (rather than the NAS accessing the internet through a VPN)? If so, it seems a prerequisite for this is having a static IP, is this correct? Or is there some other way of doing it? I have a Huawei B110 router that doesn't have port forwarding and this seems to be an issue. Or am I barking up the wrong tree? Because I would love to be able to access my NAS remotely. Currently I can only do it through the Android apps, which is halfway there!
To access any service on your NAS from the Internet you need at least:
- Static IP, with or without a domain name
- Dynamic IP with a domain name and a dynamic DNS service supported by DSM
- QuickConnect which controls whether access will be direct to the NAS or managed via the Synology proxy.
The previous questions would imply you intend to have Internet accessible services so you're already looking at a situation where VPN services can be used: they don't mandate static IP.
If your router doesn't do port forwarding then you can't host any services on the NAS and have them accessed from the Internet. I suggest you recheck this. If you can configure the router to act in bridge/modem mode then you should be able to add another full-featured router to do port forwarding and all other stuff (e.g. a Synology SRM router: RT2600ac or MR2200ac).
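An added example, not part of the reply above: an offline check of the three points the reply makes before you open anything to the Internet, namely that the certificate's Subject Alternative Names actually cover the name you browse to (a cert for domain.com alone does not cover file.domain.com), that the service sends an HSTS header, and that the port advertised on the router is not a default one. The hostname, SAN list, headers and port below are constructed sample values; in practice you would take them from the browser's certificate viewer or from `openssl s_client` and `curl -I` against your own NAS. The DSM default ports 5000/5001 in the table are assumed here, not taken from the reply.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

def hostname_matches_san(hostname: str, san: str) -> bool:
    """Match one DNS SAN the way browsers do: exact match, or a '*' only in the
    leftmost label covering exactly one label ('*.domain.com' covers
    file.domain.com but not domain.com or a.b.domain.com)."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    h, s = hostname.split("."), san.split(".")
    return len(h) == len(s) and h[1:] == s[1:]

def cert_covers(hostname: str, sans: list[str]) -> bool:
    return any(hostname_matches_san(hostname, san) for san in sans)

def hsts_max_age(headers: dict[str, str]) -> int | None:
    """max-age from a Strict-Transport-Security header (case-insensitive), None if absent."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
            return int(m.group(1)) if m else None
    return None

# Ports a scanner tries first: the system range (<= 1024) plus DSM's own defaults
# (5000 HTTP / 5001 HTTPS, assumed here), the "default port > 1024" point above.
DEFAULT_PORTS = {22: "SSH", 80: "HTTP", 443: "HTTPS", 5000: "DSM HTTP", 5001: "DSM HTTPS"}

@dataclass
class Exposure:
    hostname: str            # name you type into the browser
    sans: list[str]          # DNS names in the certificate assigned to the service
    headers: dict[str, str]  # response headers from the HTTPS service
    router_port: int         # port opened on the router, i.e. what the Internet sees

def audit(e: Exposure) -> list[str]:
    findings = []
    if not cert_covers(e.hostname, e.sans):
        findings.append(f"certificate SANs {e.sans} do not cover {e.hostname}")
    age = hsts_max_age(e.headers)
    if age is None:
        findings.append("no Strict-Transport-Security header: HSTS not enabled")
    elif age < 31536000:
        findings.append(f"HSTS max-age {age}s is below one year")
    if e.router_port <= 1024 or e.router_port in DEFAULT_PORTS:
        findings.append(f"router port {e.router_port} is a well-known/default port")
    return findings

# Constructed sample: LE cert issued for domain.com only, HSTS on, DSM default port advertised.
SAMPLE = Exposure("file.domain.com", ["domain.com"],
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                  router_port=5001)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```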