Please help me understand making my NAS secure.

[WST16]

Oh just to make sure the mask settings is 255.255.255.0
Right?

 

[NAS Newbie]

Nah, he’ll be ok
Ok so you’re on subnet 192.168.10.0
We need this for the firewall.

Do you have a vpn service by the way to test with?

Oh just to make sure the mask settings is 255.255.255.0
Right?

No VPN set up and don't know where to find the mask settings. I've seen discussions of logging in using VPN, but haven't had a chance to research them yet. It was another thing I was going to ask you about if we didn't get to it in the course of discussion.

 

[WST16]

I don’t mean the DS vpn. I’m asking if you have a vpn service that you use on your pc or mobile.
The idea is to test access before and after. Although I’m confident that we can trust that it’s working.

For IP address and mask you can check control panel > info center > network tab
See at the bottom under LAN. On the DS that is.

 

[NAS Newbie]

I don’t mean the DS vpn. I’m asking if you have a vpn service that you use on your pc or mobile.
The idea is to test access before and after. Although I’m confident that we can trust that it’s working.

For IP address and mask you can check control panel > info center > network tab
See at the bottom under LAN. On the DS that is.

The mask is 255.255.255.0 as you thought. I don't use any vpn at all that I'm aware of. I use internet explorer to access DSM.

 

[WST16]

Ok.

Here we go.
We’ll enable the firewall and as a start configure 3 rules
1. Allow your internal lan access
2. Allow your country (U.S. you said) access
3. Block everything else

You have located the firewall in control panel under security, right?

Go, do not check enable firewall yet and edit

 

[WST16]

Here comes the first rule. Hang on for the screenshots

 

[WST16]

1st rule

 

[WST16]

Can you do rule 2 or do you need screenshots?
Rule 2 enables USA access.

 

[WST16]

Rule 2
Click create
For ports choose all
For source ip choose location and click select and search for USA and choose it
Action: allow

 

[WST16]

You disappeared!

 

[NAS Newbie]

You disappeared!

LOL. Sorry, yes. Kids just woke up from their naps. I'm going to have to take a break for today, but will try to get back to it tonight or tomorrow. I really appreciate you walking me through all of this. Hopefully it ends up being useful for others as well.

 

[WST16]

Sure, no problems. Good luck...

 

[Gerard]

@WST16

There’s also the interface drop down on the top right. Should these rules (based on best practices) be configured on “all” interfaces or just “lan1”

 

[WST16]

In this case we should be working with “all interfaces”.
That’s the default when you click edit rules.

The “all interfaces” takes priority over individual interfaces in Rules priority.

Later when configuring VPN, we’ll need to do a slight change here.
I’ll leave the VPN configuration and the change in the firewall rules and router to someone who’s actually running VPN (as they should go together). Someone with both, experience and theory is better than someone with theory only.

I don’t run VPN.

 

[Telos]

Hang on for the screenshots

Screenshot images are dead here

 

[Rusty]

Screenshot images are dead here

You can't see the images?

 

[SynoMan]

Screenshot images are dead here

Really?

 

[Telos]

Really?

O Snap! I just refreshed my page view and there they were. Next time I'll add a screen grab with the broken icon and rambly filename.

 

[WST16]

To complete the picture for a better understanding, here’s a shot of what it looks like on my router under the port forwarding section.
I hope your dad is not around

These are standard mail ports.
Just look at how they’re mapped. I added those, just like you’ve added 5000 and 5001 on yours.

Your router will have something like
5000-5000 5000-5000 192.168.10.250 enable
And another one for 5001

And here, we have the ports used by Synology. Scroll down to see where 5000 and 5001 are being used. It starts at web applications.

Give us an update on where you are in the firewall configuration, and we’ll continue implementing our simple 3 rules.

 

[subie]

@WST16

Do you normally use an admin account in accessing DSM at home and outside?

and How to 3. Block everything else ?