QuickConnect and Firewall


Hello,

Does anyone here know the details for how quickconnect actually works? I have a rule in my firewall blocking all inbound ICMP and that seems to make it so quickconnect does not function properly. Disabling the rule makes it work but don't really want to open it all the way. Thinking maybe whitelist a few IPs for it?
 
There are different mechanisms that QC uses. I guess the central Internet servers of QC might ping your WAN IP as one of its tests to see if there’s a response, rather than using a UDP or TCP test.

Even though the white paper may not mention ICMP, if you give it more than a skim you will learn how QC works. The only way it pokes holes in your firewall is when using QC Relay service, in that the NAS initiates the connection out and this is then used to enable inbound traffic.
 
Have yet to look at document (Thanks), but your incoming block of ICMP in firewall got my attention.
I’ve 4 ICMP rules. In firewall:
Topmost of 4:
Range of LAN IPs blocking I/O ICMP for security cams,
A range of LAN IPs allowing I/O ICMP for computers,

Forgot! One LAN IP to another WAN IP Allow (This is my check on ISP connection)
and lowest in list - block all ICMP.

With those no QC issues, and in fact have used it worldwide, me and others.
 
Thanks that helped me go down the correct path.

Using packet capture, I noticed that during the QC startup the DS reaches out to global.quickconnect.to and one of the TLS packets triggers an ICMP message to be sent from my ISP - Type 3 code 4 (Destination unreachable fragmentation needed). This behavior is consistent every time I reboot the DS.

I allowed unreachables through the firewall from the /8 my ISP usually assigns me and boom QC working as intended.

I have no idea why it behaves this way after reading the other document however. Not sure if this is a bug or "feature". IMO this should be documented.
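
What the Type 3 code 4 message contains, and a narrower test a firewall can apply to it, as an added example that is not part of the original posts: per RFC 792 and RFC 1191 the message carries the next-hop MTU and quotes the header of the packet that was too large, so it can be matched against a connection the NAS itself opened. The addresses, ports (443 assumed for TLS) and function names are constructed for illustration.

```python
import ipaddress
import struct

def parse_frag_needed(icmp: bytes):
    """Parse bytes starting at the ICMP header. Returns the next-hop MTU and
    the quoted flow for Type 3 Code 4, or None for anything else.
    The ICMP checksum is not verified here."""
    if len(icmp) < 8 + 20 + 8:      # ICMP header + minimal IPv4 header + 8 bytes
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = icmp[8:]                # quoted header of the packet that was too big
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    src = ipaddress.IPv4Address(inner[12:16])
    dst = ipaddress.IPv4Address(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"mtu": mtu, "flow": (inner[9], src, sport, dst, dport)}

def is_related(icmp: bytes, open_flows: set) -> bool:
    """Accept only if the quoted packet belongs to a flow this side opened."""
    msg = parse_frag_needed(icmp)
    return msg is not None and msg["flow"] in open_flows

def build_sample(icmp_type, code, mtu, src, sport, dst, dport):
    """Construct a test message (sample data, not a real capture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHI", sport, dport, 1)
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + ip + tcp

# Constructed addresses from the documentation ranges: WAN side of the NAS
# and a stand-in for the server behind global.quickconnect.to.
WAN, SERVER = "203.0.113.10", "198.51.100.20"
OPEN_FLOWS = {(6, ipaddress.IPv4Address(WAN), 50000,
               ipaddress.IPv4Address(SERVER), 443)}

if __name__ == "__main__":
    good = build_sample(3, 4, 1492, WAN, 50000, SERVER, 443)
    stray = build_sample(3, 4, 1492, WAN, 50001, SERVER, 443)
    print(parse_frag_needed(good)["mtu"], is_related(good, OPEN_FLOWS),
          is_related(stray, OPEN_FLOWS))
```

Stateful firewalls that track connections apply the same idea when they accept ICMP errors as "related" to an existing flow, which is tighter than allowing unreachables from a whole source range.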
 
My last entry: the allows for ‘computers’ includes phones and pads in that list. Amazing! now considering phones and pads as computers as much as phones/pads!
 
Thank you, Birdy for the QC White paper!! Had a smattering of info on it.. Your link filled in the blanks.
 
