New modem, cant access NAS services from outside

Currently reading
New modem, cant access NAS services from outside

46
6
NAS
DS720+,DS212
Operating system
  1. Windows
Mobile operating system
  1. Android
I had a working setup: diskstation with reverse proxy (multiple sub-domains), my router, cable modem. I had port forwarding to a custom port on the modem, then on my router from the custom port to the NAS:443.
I got a new cable modem today. I setup a port forwarding rule on it (custom port to my router:custom port). I get an open port status from Open Port Check Tool - Test Port Forwarding on Your Router . If I remove the port forwarding on my router, the port check says the port is closed, so it seems like things are fine at least to my router.
But I cannot access my services... what obvious setting am I missing? I have not changed any settings on my router or the NAS from it's working condition.
 
You'll have to provide more information on the capabilities of the cable modem (it sounds more like a cable modem that also includes firewall and router than a plain modem that presents an ethernet interface to 'my router') and how you have configured it.

My first though its that it is using a different internal LAN subnet, you've re-used an internal IP for your router that isn't assigned to it, and/or cable modem's DHCP service isn't reserving an IP for your router WAN port.
 
Upvote 0
Thanks for attempting, rereading my original post, I'm not happy with my description. Let me try to give some more details.
@Rusty:
  • No, this is not DMZ, nor are the routers bridged. The ISProuter is 192.168.0.x and MyRouter is 192.168.1.x.
  • The error I get is a connection timeout when trying to access my wiki's webpage from an external network. (Due an earlier problem see here (though I've changed ISPs since then) I used a custom port, not 443 (let's say it's 777, so my access urls are https://wiki.<id>.synology.me:777/wikiname)
  • Yes, I am using the public fqdn while inside the LAN. I'm not too concerned about loopback because I need it to work from outside, not just using loopback.
@fredbert:
  • Yes, ISProuter is a modem/firewall/router combo. I turn off the wifi and connect MyRouter to it via ethernet, using MyRouter wifi (MyRouter is running OpenWRT).
  • I set MyRouter's IP to static on ISProuter and my por forwarding rule uses this IP. I've also confirmed that, when I look in MyRouter's settings, it sees itself as the same IP address
To me, the confusing part is that the port appears open, and I can change it's status by toggling the port forwarding rule at MyRouter. It's also confusing that it was working, but adding the port forward to the new ISProuter doesn't enable access.
Also, all services on the NAS can reach outside (I use FreshRSS and it's updating fine... I can't access my account from outside my LAN, but it's getting new content).

I also have ISProuter security set to:
"Minimal security: WAN to LAN = Allow All; LAN to WAN = IDS enabled and block port 113 (IDENT)."
No, my custom port is not 113.

Does this help at all?
 
Upvote 0
but adding the port forward to the new ISProuter doesn't enable access
So becasue you dont have DMZ configured on ISP router (with your routers WAN ip address configured there), you are configuring port forward on both of them?

Why not configured a DMZ IP address, add that address to your internal routers WAN port, and pass all traffic to it. Then, you will have to deal with a single routers portforward/firewall and have a less complicated situation.
 
Upvote 0
Why not? Because I didnt understand the tradeoffs!
Ok, so on ISProuter, I turned off port forwarding and turned on DMZ. I set the DMZ IP = MyRouter WAN IP (as provided in ISProuter's connected devices)... but still get a timeout error. I did not add or change anything in MyRouter.

?
 
Upvote 0
It goes like this.

On your ISP router, and its subnet (192.168.0.x), pick any address. Lets say 192.168.0.33. Configure that IP to be the DMZ address.

Then, on YourRouter's WAN port, configure that same IP address (0.33) to be its IP address. Also, set the subnet (255.255.255.0) and gateway as well. GW will be your ISP LAN IP address, lets say its 192.168.0.1. Finally, as a DNS setting, configure anything you want, your ISP IP address again (0.1) or any other public DNS, like 1.1.1.1 (cloudflare).

Now all port forwards and firewalls will be handled by YourRouter, so you will have one roadblock less to worry about.

Also, leave YourRouter LAN subnet as 192.168.1.0/24, so do not use the same subnet as your ISP router.
 
Upvote 0
Hmmmm... I tried to follow those instructions, but all I got were DNS or "page could not be reached errors" (so basically I had LAN access but no WAN access). I couldn't figure out how to set the WAN subnet on MyRouter's WAN interface, maybe that's part of the problem.
(In OpenWRT, I went to Network->Interfaces->WAN->Edit ... I changed from DHCP Client to Static Address, and then set the IP, Gateay, and DNS as recommended above.)
I'll try again, but I've got to go to work at the moment.
 
Upvote 0
Ok, got the DMZ setup correctly, not sure what I did wrong before, but I can get to websites and the port I need is showing open on the port testing site.

But I still can't access any of my Nas services. Is there any way to see if the nas is getting the requests? Or is that implied by the open port status?
 
Upvote 0
Built in. I walked through the settings and MyRouter forwards the custom port to my nasIP:443, then I have reverse proxy on wiki.* to go to internal port 22071, then I have a "virtual host" in Web Station to take 22071 and send it to my wiki folder.
Before switching my modem, all of that was working though... that's where I get really confused.
 
Upvote 0
Built in. I walked through the settings and MyRouter forwards the custom port to my nasIP:443, then I have reverse proxy on wiki.* to go to internal port 22071, then I have a "virtual host" in Web Station to take 22071 and send it to my wiki folder.
Before switching my modem, all of that was working though... that's where I get really confused.
So built in nginx with Web station running.

Custom port > internal 443 forwarded. What web browser error are you getting in the end?
 
Upvote 0
Apache 2.4, not nginx, but via Web Station.

I am getting an error in my browser:


This site can’t be reached​

wiki****** refused to connect.
Try:
  • Checking the connection
  • Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
 
Upvote 0
Apache 2.4, not nginx, but via Web Station.

I am getting an error in my browser:


This site can’t be reached​

wiki****** refused to connect.
Try:
  • Checking the connection
  • Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
Well if the site is working and running (locally), this might be an issue on the FW level indeed.
 
Upvote 0
I've been trying to understand what is happening. From what has been said so far it sounds that:
  1. Cable modem/router now setup to have main router/firewall as its DMZ device: all inbound Internet requests to TCP/UDP ports and ICMP services that aren't by default listen for by the cable modem and haven't had port forwarding rules added will be NAT'ed and directed to the main router's WAN IP address.
  2. The main router forwards HTTPS TCP 443 to the NAS.
  3. The NAS configuration for wiki.* (I can't seem to make a reverse proxy or virtual host with wildcard name) is:
    1. Control Panel / Login Portal / Advanced / Reverse Proxy used to define a listener for wiki.* on HTTPS/443. This is a proxy for HTTP or HTTPS (not defined) on TCP port 22071 on localhost / 127.0.0.1 / NAS LAN IP (not defined).
    2. Web Station has a Virtual Host listening on TCP 22071 for HTTP or HTTPS (not defined) and uses a NAS folder (not defined) as its document root.
If the Virtual Host is using HTTPS why do you use the reverse proxy too?

Could you have assigned an access policy to one of these two features?
 
Upvote 0
@fredbert
1. Correct.
2. Correct.
3. it isn't wildcard there... I just didnt want to provide my synology DDNS "handle."

3.1: Here is a sample of my reverse proxy settings:
reverseProxy.jpg

3.2 Here is a sample of my virtual host settings (going to the backend tab, there are no access policies set):
virtualHost.jpg


Finally, here are my NAS firewall settings:
1669303651503.png


Again, not sure why a new modem would affect any of these settings though...
 
Upvote 0
Just wondering:
  • Does the ISP router run a web server on 443?
  • Has this new router started to block incoming web requests?
  • Are you trying to connect from the Internet using a source IP that is blocked by firewall rule 3. Do you use an Internet VPN service on the device you are testing with, or some IP masquerading feature?
  • Can you try using a non-standard HTTPS port for Internet access?
  • Can you temporarily add aFW to allow all source IP to TCP 443.
 
Upvote 0
@fredbert: I am currently using a non-standard HTTPS port, it is not 443.

I do not use a VPN service... but your question about masquerading made me think because I've been trying to understand OpenWRT's firewall configurations this morning. This would be for MyRouter, not the ISP router:

1669317160098.png


But then, I tried turning off wifi on my phone and I was able to access the wiki... so I cant when connected to the local network, attempting to use the external address! I thought I had checked this before and it didnt work, so maybe DMZ had an effect.

Is this something to do with loopback?

Either way, my problem is not in port forwarding/access, but rather how my two routers are affecting each other... which makes sense. Just not sure where to start.
 
Upvote 0
Ok, I got things working.

Previously, on MyRouter, I had a port forward: WAN:customPort to NASip:443. I added another forward: LAN:customPort to NASip:443. Now, I can access my NAS services from inside the local network.

I'm wondering if the old modem had some "loopback" rule that made this additional port forward unnecessary.

Anyway thanks for the help: @Rusty, the DMZ does make things easier! @fredbert, thinking through your questions helped me clarify my own thoughts!
 
Upvote 0
That’s good to hear. I’m not familiar with OpenWRT so good debugging! Having local loopback, or not, is often a missing detail in router specs so you don’t know you use it until it’s upgraded to not there.

I normally try to visualise connections going through each gate: what does it look like to the outside; what does have to look like after here; what has to happen to make the connection proceed. And just keep doing that at each point until it works 😀
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

  • Question
Seeing that I found reference to a security flaw in the units I was trying, and at MFG's website there is...
Replies
6
Views
1,607
Okay I seem to have fixed it. Needed to add a manual route add-vpnconnectionroute -connectionname "Home...
Replies
1
Views
3,290
anything changed? have you tried the other LAN, can you log on to the router and check out the ports...
Replies
5
Views
2,005
  • Question
It sounds that the main focus is a LAN reconfiguration of DHCP and DNS services so that dynamically...
Replies
1
Views
528
Had simelar issue last Thursday. Router and 1 NAS worked, 2 NAS’s didn’t! This occurred as I was adding...
Replies
5
Views
782
  • Question
I guess "my Firewall" is the firewall on the Synology? a step by step tutorial can be found online like...
Replies
1
Views
797
OK at last, worked it out, you have to install Synology app on PC first then add name amd password then...
Replies
12
Views
1,250

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top