Question Need some help to clarify some doubts (about security)


NAS: DS215J
Thank you both (Telos and WST16) for your replies. I'm sorry, I should have started a new thread, but my problem seemed exactly the same as the OP's. Anyway, good news. I'd forgotten that I'd changed the default https port on my NAS, so I had to put a port forward into my router to the NAS and all works well now.

So thanks again, and apologies to the OP (hopefully your issue will be as simple as a port forward).
NAS: DS218+ (Windows / Android)
Unfortunately I'm not having the same luck as pxr :(

I have set up the port forwarding on the router: the right port, TCP/UDP, to the right IP address.
Then, I enabled the DDNS. The main address still points me to the router admin page, while the address with the port gives me the error "connection refused". I thought it was the firewall, so I disabled it, without luck (both inside and outside the LAN).

I have also tried the EZ-Internet configuration, enabling only the DSM HTTPS (without port 80), but still the same result (it has enabled the UPnP port). The DDNS is correct (I have checked it with nslookup), and the router log is giving me a "LAN access from remote" event.

The NAS' fixed IP is set properly.

Do you want to use QuickConnect or DDNS? I’m assuming DDNS but I’m a bit confused by your answers. Correct me if I’m wrong.

I'm sorry, but yes, I'm trying to configure the DDNS right now. QuickConnect is working well.
NAS: DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
Let’s check a few things. Keep the firewall turned off for now.

Try IP Location while on your LAN. This should return your public (external) IP address. Make sure no VPN service is enabled.

Now try the “what’s my DNS propagation” checker posted above. Almost all the DNS servers on the list should show your external address (shown in the previous step).

Double check the ports you’ve forwarded on your DS by going to:
Control panel > Network > DSM settings tab

On the router make sure that you’ve forwarded the correct port(s) shown in the previous step to your DiskStation IP address using the router’s forwarding rules, not port trigger rules.

When you try reaching your DS, you should add the port number to the URL (e.g. https://myds.synology.me:1234).

BTW, is the IP address assigned by your ISP (external IP address), static or dynamic?
NAS: DS218+ (Windows / Android)
Thanks!

> BTW, is the IP address assigned by your ISP (external IP address), static or dynamic?

Dynamic I think.

I have tried again, this time enabling both the HTTP and HTTPS ports on the router, and it actually worked: when I connect to domain:port now it gives me access to the NAS :)
I have used the synology.me domain instead of my own one to make it a bit easier. I'll try to configure it later, maybe.

Now for the last step, I want to block everyone who tries to enter the domain without the OpenVPN connection. I have managed to get it configured, and without the firewall I can connect to the VPN correctly, but when I enable the firewall I can't connect to it. The firewall is still configured the same way as in post #13. With those settings, it seems to block everyone from accessing the domain (even from the LAN) and the VPN.

I have already enabled the port for OpenVPN in the router.
NAS: DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
If it’s a dynamic address assignment, you’ll need to make sure the IP address on Synology’s DDNS service gets updated when it changes.

Go to Control panel > external access > DDNS tab
Add Synology as a service provider.
Test it by clicking “test connection”. It should show your current external IP address.

If the only port forwarded on the router is the OpenVPN port, then everything else is blocked by default. However, enabling the firewall will allow for extra security and granular control of the VPN port (like limiting it to a certain country).

According to post 13 above, you’ve forwarded other ports too. You’ll need to add an allow for the VPN port. But VPN is a bit tricky. Did you go through the OpenVPN configuration resource and compare your settings?
If you didn’t, please do and let us know if you need any help somewhere.
NAS: DS218+ (Windows / Android)
Thank you, I have followed the guide and now I have the firewall configured this way:
  • 192.168.1.0/Subnet - 255.255.255.0: every port, allow
  • VPN, UDP, from my country: allow
  • 192.168.10.0-192.168.10.10, every port: allow (should be the IPs of the clients connected to the VPN).
  • Everything: reject
I haven't enabled the "Allow LAN access" from the VPN settings.

Now it seems I can connect to DSM by using 192.168.10.1:port (I have tested it with Video Station while on 4G). The only thing I have noticed is that OpenVPN complains about a lack of certificate.

Is everything else ok? By using the VPN, can I still use the Windows network drive (the drive Z: ) while I'm outside my home?
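An added example, not code from the thread or from Synology: a small Python model of the rule list in the post above, evaluated top to bottom the way the DSM firewall applies it (first match wins). It assumes OpenVPN on its default UDP port 1194, models "my country" as one constructed prefix (203.0.113.0/24), uses the .1 to .10 client range as corrected in the next reply, and also evaluates the earlier rule set from post #13 (no allow for the VPN port) to show why enabling the firewall cut off the VPN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    sources: list          # ip_network objects or (first, last) address tuples
    ports: Optional[set]   # None means "every port"
    proto: Optional[str]   # None means any protocol
    action: str            # "allow" or "reject"

def parse_source(spec: str):
    """DSM lets a source be a subnet (CIDR) or a 'first-last' address range."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p) for p in spec.split("-"))
        return (first, last)
    return ipaddress.ip_network(spec, strict=False)

def evaluate(rules, src_ip: str, port: int, proto: str):
    """First matching rule wins, top to bottom; returns (action, rule name)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto not in (None, proto) or (r.ports is not None and port not in r.ports):
            continue
        for s in r.sources:
            matched = s[0] <= ip <= s[1] if isinstance(s, tuple) else ip in s
            if matched:
                return r.action, r.name
    # Assumed profile default when nothing matches; the explicit catch-all below makes it moot.
    return "allow", "no-match default"

# Assumptions: OpenVPN on UDP 1194; "my country" is a single constructed prefix.
COUNTRY = [parse_source("203.0.113.0/24")]
RULES_AFTER_GUIDE = [
    Rule("LAN", [parse_source("192.168.1.0/24")], None, None, "allow"),
    Rule("OpenVPN from my country", COUNTRY, {1194}, "udp", "allow"),
    Rule("VPN clients", [parse_source("192.168.10.1-192.168.10.10")], None, None, "allow"),
    Rule("everything else", [parse_source("0.0.0.0/0")], None, None, "reject"),
]
# Post #13 had no allow for the VPN port, so the catch-all reject hit the OpenVPN handshake.
RULES_BEFORE_GUIDE = [RULES_AFTER_GUIDE[0], RULES_AFTER_GUIDE[3]]

if __name__ == "__main__":
    for ip, port, proto in [("192.168.1.50", 5001, "tcp"), ("203.0.113.7", 1194, "udp"),
                            ("203.0.113.7", 5001, "tcp"), ("192.168.10.6", 445, "tcp"),
                            ("198.51.100.9", 1194, "udp")]:
        print(ip, port, proto, "->", evaluate(RULES_AFTER_GUIDE, ip, port, proto))
    print("post #13 rules, VPN handshake ->", evaluate(RULES_BEFORE_GUIDE, "203.0.113.7", 1194, "udp"))
```

The third case (a home-country address hitting the DSM port directly over the WAN) is rejected, which is the "no access without OpenVPN" behaviour the post is after.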
NAS: DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
> 192.168.10.0-192.168.10.10, every port: allow (should be the IPs of the clients connected to the VPN).
192.168.10.1 not .0
I’m sure it’s a typo, because you can’t have .0 (Just to highlight it for anyone interested in this thread). However, if you’re not allowing access to the LAN, you don’t need this rule in the firewall.

> The only thing I have noticed is openVPN who complain about a lack of certificate.
On my iPad and iPhone, the OpenVPN client doesn’t complain and I’m not using any certificates. Check the settings on your client to see if there’s an option to shut it up. If you’re feeling adventurous, try installing certificates :)

> Is everything else ok? By using the VPN, can I still use the Windows network drive (the drive Z: ) while I'm outside my home?
Sorry, I don't know much about Windows. That's why I have a warning next to my username – a Mac/iOS user :)
However, if it connects while you're on your LAN, it should connect while on the VPN. Just mind the VPN's dynamic IP addresses. I'm guessing, if you enable "Allow LAN access", it'll work without any changes because it'll use your DS' LAN IP address (as highlighted by the referenced resource under "important" at the very end). It's as if the traffic goes out of the DS and comes back through the LAN's subnet.

BTW, I use http (not https) when connecting over OpenVPN for things like Video Station or if I'm on a slow WAN link. Since the traffic is already encrypted by the VPN connection, removing the extra encryption layer of https gives it a speed boost (should make a difference).