Ports forwarding

Currently reading
Ports forwarding

104
7
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Hi everyone,

Could anybody please tell me how this should be interpreted? I'm quite unsure how to setup port forwarding on router due to different name definition given by synology and by huawey router.

Internal port - external port - local port - router port

Huawey router
1602712984095.png


Synology external access
1602712958842.png


I assume I have to set these ports in my router, but is it really necessary to set these ports on my router providing the connection tests above are all ok?
If yes, how to enter the ports in the right field, 'cause a little confused what really is meant with "router port" and "local port" from synology point of view comparing to router´s "internal port" and "external port" from Huawey point of view. I think it is:

Router port = external port
Local port = internal port

PS. Documentation from Huawey is not helpful, the router is provided from ISP, capped at lot by the way.
 
Huawei external port is the port that is responding to outside traffic requests and then redirecting them to internal port. Internal in this case is the port expected and listening on your LAN side.

Router port = external port
Local port = internal port
This is correct mapping.
 
Upvote 0
Looking at the Huawei screenshot: there are three fields tagged with *. Is there a footnote or other additional information to say that these are the mandatory fields? Because they are the minimum that you need to define a port forwarding rule:
  • Internal Host: that LAN IP where the inbound connection will be forwarded to.
  • Protocol (it's already pre-selected): TCP; UDP; TCP & UDP.
  • Internal port number: the port or range of ports on the destination host (the packet's new destination port).
  • External port number: the port or range of ports on the router (the original packet's destination port).
Internal port number can be the same as the External port number or be changed to a new number, depending on what port the Internal Host is using.

The other External Source IP/Port fields look to be additional parameters that can be used to restrict the port forwarding to specific initiating devices.
 
Upvote 0
Last edited:
Looking at the Huawei screenshot: there are three fields tagged with *. Is there a footnote or other additional information to say that these are the mandatory fields? Because they are the minimum that you need to define a port forwarding rule:
  • Internal Host: that LAN IP where the inbound connection will be forwarded to.
  • Protocol (it's already pre-selected): TCP; UDP; TCP & UDP.
  • Internal port number: the port or range of ports on the destination host (the packet's new destination port).
  • External port number: the port or range of ports on the router (the original packet's destination port).
Internal port number can be the same as the External port number or be changed to a new number, depending on what port the Internal Host is using.

The other External Source IP/Port fields look to be additional parameters that can be used to restrict the port forwarding to specific initiating devices.
Thanks for added info. I just filled them out but doesn't work at all. See new post added about it.
-- post merged: --

Huawei external port is the port that is responding to outside traffic requests and then redirecting them to internal port. Internal in this case is the port expected and listening on your LAN side.


This is correct mapping.
Ok, but the question remains: why do I have to add these ports into the router if the connection test are indicated with OK -- as seen at the first screenshot? (Thus, assuming that it works even without the ports mapped in the router?!?).
-- post merged: --

Just make it like the below and it should work. Of course, use your own port numbers and choose the protocol accordingly (TCP/UDP/both).

View attachment 2318
It doesn't work for me. See new post.
-- post merged: --

I do enter the port as suggested and it doesn´t work. Popup a message like
1602797690339.png

after setting ports as follows:
1602797736394.png

1602797752815.png
 
Upvote 0
Last edited:
Can you link to the Huawei documentation for your router.

Edit: did a search for this huawei "the configured port conflicts with the internal service port" and a few results and these specifically from TalkTalk users that are having problems with a Wifi Hub
 
Upvote 0
According to @fredbert links above, it seems that this is an issue with a particular model.
What’s the model number of the one you’re using?

Does it work if you steer away from 80 and 443? Did you try that?
The model is Huawei EchoLife HG8247H. Steer away like what?
-- post merged: --

Can you link to the Huawei documentation for your router.

Edit: did a search for this huawei "the configured port conflicts with the internal service port" and a few results and these specifically from TalkTalk users that are having problems with a Wifi Hub
I don't know what they do mean by "wifi hub".
 
Upvote 0
Last edited:
Steer away like what?
It looks like the device is under the impression that these are reserved for its own use. So what happens if you try to forward 30487 to 443, if does not allow it, try 30487 to DSM on 30487 for example (just different port numbers that are not used by services). Does it allow it? I know this is not what you want, but we’re trying to understand your device’s logic (if it has any).
-- post merged: --

Here’s the user guides page. However, it needs an ID and a password to download. Register and check the configuration guide and the FAQ/troubleshooting too. You might find something there.
 
Upvote 0
I don't know what they do mean by "wifi hub".
You didn't give any indication on the actual model of device you own so I did a google search of the error message, being the only thing to do that might also reveal your device. The TalkTalk forum matched this search and they were discussing the WiFi Hub: which I assume is a name of a device provided by TalkTalk.
 
Upvote 0
It looks like the device is under the impression that these are reserved for its own use. So what happens if you try to forward 30487 to 443, if does not allow it, try 30487 to DSM on 30487 for example (just different port numbers that are not used by services). Does it allow it? I know this is not what you want, but we’re trying to understand your device’s logic (if it has any).
-- post merged: --

Here’s the user guides page. However, it needs an ID and a password to download. Register and check the configuration guide and the FAQ/troubleshooting too. You might find something there.
If I did understand what you meant by "30487 to 443, if does not allow it, try 30487 to DSM on 30487", no warnings was given by entering this:
1602955744938.png

But this port 30487 isn't requested by synology. But the question still remains: why do I need to enter the ports into the router if the connection is OK and synology requests to enter these port numbers into router?

I did register myself to huawei site, as indicated in your link, but couldn't have enough privileges to download the router's manual. So I did have to register a product to gain privileges. But again, it wasn't enough, I have to wait approval from them. But sincerely I skeptic it will be approved, 'cause the router wasn't acquired by me, it is a acquisition or contract from my ISP.
1602956520778.png

-- post merged: --

You didn't give any indication on the actual model of device you own so I did a google search of the error message, being the only thing to do that might also reveal your device. The TalkTalk forum matched this search and they were discussing the WiFi Hub: which I assume is a name of a device provided by TalkTalk.
1602956796768.png
 
Upvote 0
But this port 30487 isn't requested by synology.
You can configure DSM to utilize this port (or many other free ports). But let’s understand what are you trying to do first.

But the question still remains: why do I need to enter the ports into the router if the connection is OK and synology requests to enter these port numbers into router?
You forward ports on the router so the connection request coming from WAN (external) to your LAN (internal) is not blocked. In other words, to allow external access.
If you’re saying the connection is OK then why are you bothered with all this, what are you trying to accomplish?

BTW, under “WAN Name” drop down list (your screenshot above showing “internet”), do you have any other options, can you click the drop down box?
 
Upvote 0
You can configure DSM to utilize this port (or many other free ports). But let’s understand what are you trying to do first.


You forward ports on the router so the connection request coming from WAN (external) to your LAN (internal) is not blocked. In other words, to allow external access.
If you’re saying the connection is OK then why are you bothered with all this, what are you trying to accomplish?
I just trying to enter the ports what synology is requesting (see below).
chrome_zn40LR2Mrb.png

But as you said, if it is OK why even borthered with all of this. So this brings me to the question, how is it possible the connection being OK if these requested router ports (49923, 49924) aren't even declared in the router's port forwarding?
BTW, under “WAN Name” drop down list (your screenshot above showing “internet”), do you have any other options, can you click the drop down box?
No, no option at all, just "internet".

PS.: by the way, huawei has reply my request to download the router manual: request no approved!
The router registration has been denied. Reason: I'm not an enterprise.
 
Upvote 0
From DSM’s help page (the “?” Symbol at the top right):

If your Synology NAS device is on a local area network, other devices on the Internet cannot connect to it. You can set up port forwarding rules at Control Panel > External Access > Router Configuration to make your Synology NAS device accessible over the Internet.

From the looks of it, it seems that you have enabled your DiskStation to auto-configure your router. Those ports (according to your screenshot) are enabled for external access now. Whether it’s working or not, you’ll need to verify. Most likely not as I understood so far.

However, do you need to access your DiskStation remotely (outside your LAN)? If no, turn off this feature and double-check that the ports are not forwarded.
use a
port checker.

Many users (and I’m one of them), don’t like this auto configuration where it’s under DSM’s control to add (and open) ports as it wishes on the router. I’ve disabled this feature, and I add the ports manually on the router to forward as needed.
 
Upvote 0
From DSM’s help page (the “?” Symbol at the top right):

If your Synology NAS device is on a local area network, other devices on the Internet cannot connect to it. You can set up port forwarding rules at Control Panel > External Access > Router Configuration to make your Synology NAS device accessible over the Internet.

From the looks of it, it seems that you have enabled your DiskStation to auto-configure your router. Those ports (according to your screenshot) are enabled for external access now. Whether it’s working or not, you’ll need to verify. Most likely not as I understood so far.

However, do you need to access your DiskStation remotely (outside your LAN)? If no, turn off this feature and double-check that the ports are not forwarded.
use a
port checker.

Many users (and I’m one of them), don’t like this auto configuration where it’s under DSM’s control to add (and open) ports as it wishes on the router. I’ve disabled this feature, and I add the ports manually on the router to forward as needed.
The ports are open as tested via link you sent and via synology on Info Center - Service (see below)
1603380001572.png

1) As you see I do have external access to my server, EVEN without forwarding ports on router. I don't open the ports either. So, this is what I don't understand and asked you about.
2) Another thing I want to understand: I use the apps on android and log in normally by using my certified hostname WITHOUT the port appended. Because I changed the port numbers from the default 5000/5001 to different ones, now I MUST append the port number to the hostname to succeed log in to the apps on android, otherwise it gives an error message as shown below. Do you know why this happens?
Error connecting to Synology NAS. Check network connection or Synology NAS IP address.
 
Upvote 0
Last edited:
As you see I do have external access to my server, EVEN without forwarding ports on router. I don't open the ports either. So, this is what I don't understand and asked you about.
I believe it’s because the ports have been configured by your DiskStation. Your DiskStation contacted your router and told it to forward those ports. It’s a function of UPnP.

Another thing I want to understand: I use the apps on android and log in normally by using my certified hostname WITHOUT the port appended. Because I changed the port numbers from the default 5000/5001 to different ones, now I MUST append the port number to the hostname to succeed log in to the apps on android, otherwise it gives an error message as shown below. Do you know why this happens?
That’s expected. See this:
Solved - Why does this reverse proxy fail
-- post merged: --

If you want it that way (DiskStation configuring your router), at least enable your DiskStation’s firewall.
 
Upvote 0
Because I changed the port numbers from the default 5000/5001 to different ones, now I MUST append the port number to the hostname to succeed log in
The apps are hardcoded for ports 5000/5001. Since you change the default ports you have to prescribe them in the apps. You'll see the same when logging into DSM from a browser.
 
Upvote 0
I believe it’s because the ports have been configured by your DiskStation. Your DiskStation contacted your router and told it to forward those ports. It’s a function of UPnP.
Humm, that's not a neat practice, no transparency. But it explains, thanks.
That’s expected. See this:
Solved - Why does thi
Will read it, thanks.
The apps are hardcoded for ports 5000/5001. Since you change the default ports you have to prescribe them in the apps. You'll see the same when logging into DSM from a browser.
Aha, now it's clear. Thanks for sharing this info.
s reverse proxy fail
-- post merged: --

If you want it that way (DiskStation configuring your router), at least enable your DiskStation’s firewall.
 
Upvote 0
Last edited:
no transparency.
That’s why you can turn it off and do the forwards manually. I think it was off by default.
On the router you should be able turn off UPnP too, so devices on the network can’t change settings.
-- post merged: --

On the router check under Network Application (might be a tab) then UPnP configuration.
You should see the ports that where configured by DiskStation on that page if I’m not mistaken.

You can also enable/disable UPnP from there.
 
Upvote 0
That’s why you can turn it off and do the forwards manually. I think it was off by default.
On the router you should be able turn off UPnP too, so devices on the network can’t change settings.
-- post merged: --

On the router check under Network Application (might be a tab) then UPnP configuration.
You should see the ports that where configured by DiskStation on that page if I’m not mistaken.

You can also enable/disable UPnP from there.
Thanks, this explains what you've said above (on my router):
1604345079415.png
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Don't forget to run the Security Advisor, regularly. Default ports used by DSM and its packages. Some may...
Replies
2
Views
1,297
  • Question
Thanks for the suggestion. I will have a look at WireShark.
Replies
4
Views
1,143
  • Solved
Not offensed at all. I was actually starting to think the same :) OK I'll continue with some testing. Thank's!
Replies
59
Views
20,646
If you're captain obvious then it's pretty obvious that I'm Corporal Clueless with a lot of this stuff...
Replies
9
Views
3,682
This kind gentleman is running a simple website that allows you to test if outbound ports are open by...
Replies
0
Views
1,961
I’m using Network Analyzer Pro. A free, limited version is also available.
Replies
2
Views
2,122
Thank you, got it to work: issue was, that I was expecting TCP port forwarding through the VPN, which was...
Replies
2
Views
2,431

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top