Questions regarding firewall

NAS: DS920+
Mobile operating system: iOS
First off I'll say that I am a complete muggle when it comes to network security. Now in my middle years I'm trying to learn about it, so please bear with my ignorance.

I just set up a Synology as a Plex server, home cloud for my family and computer backup. Things went well, though I had to open a port for Plex (which led me to learn about port forwarding). I realized I hadn't configured my Synology's firewall and watched some videos / read up on it. This is when I of course started to block myself from mapping network drives etc. I can still access it through quickaccess to make changes so I'm not stuck per se, just trying to figure things out.

So initially I set up only 2 rules:
1) The management, UI etc on ports 5000 & 5001 - all protocols - all IPs - allow
2) All ports, all protocols, all IP - Deny

This is when I lost access to my mapped drives. If I remove the 2nd rule I can ping my NAS and reconnect to it via Windows / Mac. So I'm wondering if there's another application rule I need to allow in the firewall? I did create a rule to allow ports 137-139 and 445, which is what SMB uses I think, but that didn't work so I removed the rule.

My second question is about geoblocking / ip blocking.
For my first rule above I changed the source IP to allow only USA. I am in the USA and it wouldn't let me choose that because it said I would be blocking myself. I checked my ip and sure enough I wasn't connected to a VPN and my ip was a local one so I was puzzled on why it was not allowing that rule. Then I thought that I would put in a subnet. So I wasn't sure what to put for IP so I tried initially my router with the subnet mask 255.255.255.0 which didn't work. Then I tried the IP range that my router would assign computers via DHCP and that didn't work. So I left it as "allow all" and that works (by works I mean I have no restrictions to my NAS when logging in remotely).

I appreciate your help. I've been trying to resolve these issues by googling, reading, watching videos but I'm stuck so I created an account here. I am more than willing to put in the legwork to learn this material more in depth as I clearly know nothing about network security and I think it's high time to learn.

Thank you all in advance, I appreciate your help and time.
 
So initially I set up only 2 rules:
1) The management, UI etc on ports 5000 & 5001 - all protocols - all IPs - allow
2) All ports, all protocols, all IP - Deny

(1) is unsafe. Basically anyone, anywhere can hit your NAS, presuming you have set port forwards on those ports (BTW, I presume 5000/5001 are just for example, and you have changed from those “setup only” ports, as recommended by Synology).

(2) will end local mappings as you have discovered.

What to do? First, the NAS firewall is largely unnecessary if the NAS is behind a router firewall, presuming you trust devices on your LAN.

However... for the NAS firewall to have a chance of working as you intend... the first rule should allow the range of local IP addresses for trusted devices on your LAN. For those, you can allow “all ports”.

If you connect via VPN, the second rule would be similar, permitting the range of IP addresses you have allotted in your local VPN server.

If you connect by domain/DDNS, a third rule should permit accessing the HTTPS port for all IPs from the countries you are active in.

Finally... deny all

So you can a) leave the firewall disabled entirely, or b) start with a small set of rules.
 
Telos, thank you for your response. So in all honesty no, I didn't change the ports - but I did just after reading your post.
I'll play around with the firewall some more to try and see where I'm making mistakes and hopefully learn from them.

For the range of local IP addresses, I should be able to just use what my router says it will assign, correct? Any thoughts on the geolocation issue of it blocking me despite being in the US?

Thanks again
 
Any thoughts on the geolocation issue of it blocking me despite being in the US?

Your original rules only allowed ports 5000/5001... but when mapping drives for Windows, you will typically use port 445 (or 139). Since they weren't permitted, your mappings broke. Allowing all ports on the local LAN range permits mapping (and others... SSH/SFTP/WebDAV...).

Depending on how you connect from the US, you should be fine (LAN/VPN IPs are not US recognized).

As long as you have your LAN open, any unintended blocks are easily recoverable. If you do fully lock yourself out, Reset, Mode 1 can restore access.
 
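The two points Telos makes above, the recommended rule order (trusted LAN range first, then the VPN range, then the HTTPS port for the country you are in, then deny all) and the reason the original two rules broke drive mapping (nothing ever allowed SMB on 445 or 139, so the catch-all deny matched), can be checked with a small first-match simulator. This is an added example, not code from the thread or from Synology: the DSM firewall is configured in the web UI, and this model only reproduces its top-to-bottom, first-match logic. The LAN (192.168.1.0/24 derived from a constructed router address and the 255.255.255.0 mask the poster tried), the VPN pool (10.8.0.0/24), the two-entry GeoIP table and the "allow when nothing matches" default are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed GeoIP stand-in (assumption, not a real database): two documentation
# prefixes with made-up country codes. RFC 1918 LAN and VPN addresses are in no
# GeoIP table, so they resolve to None and a country rule can never match them.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "ZZ",
}


def country_of(addr) -> Optional[str]:
    """Country code for a public address, or None when the address is unknown."""
    addr = ipaddress.ip_address(addr)
    for net, code in GEO_TABLE.items():
        if addr in net:
            return code
    return None


def lan_range(router_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Turn 'router address + subnet mask' into the network a source rule expects."""
    return ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                        # "allow" or "deny"
    ports: Optional[frozenset] = None                  # None = all ports
    source: Optional[ipaddress.IPv4Network] = None     # None = any source address
    country: Optional[str] = None                      # None = any country

    def matches(self, src: ipaddress.IPv4Address, dport: int) -> bool:
        if self.ports is not None and dport not in self.ports:
            return False
        if self.source is not None and src not in self.source:
            return False
        if self.country is not None and country_of(src) != self.country:
            return False
        return True


def evaluate(rules, src: str, dport: int, default: str = "allow"):
    """First matching rule wins, top to bottom; `default` applies when none match.
    Defaulting to "allow" is an assumption of this model, not a DSM setting."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if rule.matches(addr, dport):
            return rule.action, rule.name
    return default, "no rule matched"


SMB_PORTS = frozenset({139, 445})                  # Windows/Mac drive mapping
DSM_PORTS = frozenset({5000, 5001})                # DSM web UI (HTTP / HTTPS)
LAN = lan_range("192.168.1.1", "255.255.255.0")    # constructed: 192.168.1.0/24
VPN = ipaddress.ip_network("10.8.0.0/24")          # constructed VPN client pool

# The two rules from the original post: no rule ever allows SMB, so the
# catch-all deny swallows every drive-mapping attempt, even from the LAN.
ORIGINAL_RULES = [
    Rule("management UI, any source", "allow", ports=DSM_PORTS),
    Rule("deny everything", "deny"),
]

# The ordering recommended in the thread: trusted address ranges first (all
# ports), then the HTTPS port for the country you connect from, then deny all.
CORRECTED_RULES = [
    Rule("trusted LAN, all ports", "allow", source=LAN),
    Rule("VPN clients, all ports", "allow", source=VPN),
    Rule("HTTPS from US addresses", "allow", ports=frozenset({5001}), country="US"),
    Rule("deny everything", "deny"),
]


def drive_mapping_works(rules, src: str) -> bool:
    """Drive mapping needs 445 or 139 to reach the NAS from this source."""
    return any(evaluate(rules, src, p)[0] == "allow" for p in SMB_PORTS)


def compare(src: str, dport: int):
    """(action under the original rules, action under the corrected rules)."""
    return (evaluate(ORIGINAL_RULES, src, dport)[0],
            evaluate(CORRECTED_RULES, src, dport)[0])


if __name__ == "__main__":
    scenarios = [
        ("192.168.1.50", 445, "drive mapping from a LAN PC"),
        ("10.8.0.6", 445, "drive mapping over the VPN"),
        ("198.51.100.7", 5001, "DSM over HTTPS from a US address"),
        ("198.51.100.7", 445, "SMB straight from the internet"),
        ("203.0.113.9", 5001, "DSM over HTTPS from another country"),
    ]
    for src, port, label in scenarios:
        before, after = compare(src, port)
        print(f"{label:38s} original rules: {before:5s} corrected rules: {after}")
```

Running it prints one line per scenario. Two things worth noticing: the LAN source rule is what restores drive mapping, because it allows all ports for that range and sits above the deny, and the US-only HTTPS rule never matches a private LAN address because such an address has no country, which is the same reason given in the thread for the UI refusing a US-only source while the poster was connected from the LAN.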
Thank you so much again. I'm basically failing my way to small successes. For now, there's nothing really on my NAS that would compromise me in any way or that if I lost would be devastating so I feel like learning now is best.

I'll keep reading and tinkering. You've cleared up a lot. I appreciate you taking the time.
 

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top