RT2600ac Router overrides Traefik certs with self-signed

Following an internet disruption or modem reboot, my router will provide its own self-signed cert instead of Traefik's container-specific certs running on my DS218+.

I can delete the default cert present in /usr/syno/etc/ssl, but they just regenerate when the router is rebooted.

How do I stop their generation or stop this interdicting behavior?
 
> If Traefik is used as the reverse proxy/cert generator, how does a router self-signed cert interrupt your workflow in your setup?
Exactly! That's my question too. Traefik is indeed reverse proxying ports 80 and 443 so why my router puts its own cert (after an internet disruption) on those ports is what has me stumped.

Gitlab.foo.bar has its own LE cert Traefik fronts but sometimes it will be fronted by the SynologyRouter default cert, which gives a certificate mismatch warning when browsed to. Here's the default cert served (I know it exposes the real domain).
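A check for the symptom described above, as an added example that is not part of this thread: it pulls the leaf certificate an endpoint actually serves (sending SNI) and flags it when issuer equals subject, which is what a router default certificate looks like, or when its SHA-256 fingerprint differs from a pinned Traefik/Let's Encrypt one. It assumes the openssl CLI is installed; gitlab.foo.bar is the thread's placeholder host.

```shell
#!/bin/sh
# Added example, not from the thread: detect a self-signed (e.g. router default)
# certificate being served where Traefik's Let's Encrypt cert is expected.
# Assumes the openssl CLI is installed; host names are placeholders.

# Return 0 if the PEM certificate is self-signed (issuer equals subject).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Return 0 if the PEM certificate's SHA-256 fingerprint equals the pinned one
# (colon-separated upper-case hex, as openssl prints it).
fingerprint_matches() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$fp" = "$2" ]
}

# Fetch the leaf certificate served for HOST:PORT (sending SNI) into OUT.
# Fails if the handshake fails or no certificate comes back.
fetch_served_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -out "$out" 2>/dev/null
}

# Check one host; optional third argument is the expected (pinned) fingerprint.
# Returns 0 when the served cert is CA-issued (and matches the pin, if given).
check_host() {
    host=$1; port=${2:-443}; pin=$3; tmp=$(mktemp); rc=0
    if ! fetch_served_cert "$host" "$port" "$tmp"; then
        echo "$host: TLS handshake failed"; rm -f "$tmp"; return 2
    fi
    openssl x509 -in "$tmp" -noout -subject -issuer
    if is_self_signed "$tmp"; then
        echo "$host: WARNING self-signed certificate served (router default?)"; rc=1
    elif [ -n "$pin" ] && ! fingerprint_matches "$tmp" "$pin"; then
        echo "$host: WARNING certificate does not match the pinned fingerprint"; rc=1
    else
        echo "$host: OK"
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: check_host gitlab.foo.bar 443 [pinned-sha256-fingerprint]
if [ $# -gt 0 ]; then check_host "$@"; fi
```

Run it from cron or a monitoring job after the router reconnects; a non-zero exit tells you the router (or anything else) is fronting the host with a certificate Traefik did not issue.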
 
> Exactly! That's my question too. Traefik is indeed reverse proxying ports 80 and 443 so why my router puts its own cert (after an internet disruption) on those ports is what has me stumped.
>
> Gitlab.foo.bar has its own LE cert Traefik fronts but sometimes it will be fronted by the SynologyRouter default cert, which gives a certificate mismatch warning when browsed to. Here's the default cert served (I know it exposes the real domain).
Is the reverse proxy container running on custom ports (local ones), not 80/443? There should be 0 communication with the router cert if it's pushing 443 communication towards the RP container on your NAS. Never had a similar problem. I think that's a router issue. Is that an ISP router or your private one (internal)?
 
> Is the reverse proxy container running on custom ports (local ones), not 80/443? There should be 0 communication with the router cert if it's pushing 443 communication towards the RP container on your NAS. Never had a similar problem. I think that's a router issue. Is that an ISP router or your private one (internal)?
I have a free_ports.sh script on the DS218+ that frees up the 80 and 443 ports for use by Traefik. Traefik RPs 80 and 443 to its dependent containers.

Router is an RT2600ac. Modem is a Sagemcom and all its router functionality is turned off (it's literally switched to modem-only mode): it should be passing traffic directly to the router. I think this is a Syno thing and I think the RT2600ac is the problem, but I don't know why it passes its own self-signed cert when, as you said, it's pushing 443 communication to the Traefik container.
 
> I have a free_ports.sh script on the DS218+ that frees up the 80 and 443 ports for use by Traefik. Traefik RPs 80 and 443 to its dependent containers.
There is really no point in doing this. Just use the reverse proxy container on custom ports that internally point to 80/443 again. You will get the same result without messing with DSM nginx, but it's up to you.

> it should be passing traffic directly to the router
Is it configured as a "router" or a modem in bridge? Where is PPPoE terminated? If it's not in bridge, do you have your ISP device configured in DMZ, maybe?

> I think this is a Syno thing and I think the RT2600ac is the problem
I wouldn't bet on it. I have the same setup (without the ISP router), and never had the Syno self-signed cert take over communication. Personally I think this is some issue with your ISP <> Syno router config that is probably influenced by changes or maintenance on the ISP side.
 
> Is it configured as a "router" or a modem in bridge? Where is PPPoE terminated? If it's not in bridge, do you have your ISP device configured in DMZ, maybe?
It's configured as modem in bridge. I'm not sure I understand what PPPoE termination is or where I'd check. Can you explain?

I haven't configured anything to be in the DMZ. The only things I've done on the router side are to forward ports, change my LAN subnet to .99, and configure DNS to point to NextDNS.
 
> It's configured as modem in bridge. I'm not sure I understand what PPPoE termination is or where I'd check. Can you explain?
If you are in a bridge configuration, that means that the Syno router is initiating the connection towards your ISP. Depending on your service, in most cases it is a PPPoE setup (where you enter the username and password provided by your ISP). Regardless, if you are in bridge mode (proper bridge), then yes, the problem might be on the Syno router side, but again, I have never seen this type of behaviour. Again, not sure how the router could intercept this communication if the port forward is configured to push 443 traffic to your RP.

> The only things I've done on the router side are to forward ports, change my LAN subnet to .99, and configure DNS to point to NextDNS.
VLAN was of course configured on your Syno WAN adapter side, yes?
 
> If you are in a bridge configuration, that means that the Syno router is initiating the connection towards your ISP.
Here you can see Bridge Mode enabled on my Sagemcom Fast 3890.


> VLAN was of course configured on your Syno WAN adapter side, yes?
At first I thought you meant VLAN ID, which Synology still doesn't support, but I did a little digging. Could you be referring to this?

If so, that isn't necessary according to my ISP's guide. As I understand, the modem "binds" or activates to the first MAC address it sees. It should not require any router configuration.

If you mean something else, let me know and I'll get that info for you.
 
> At first I thought you meant VLAN ID, which Synology still doesn't support, but I did a little digging. Could you be referring to this?
Yes I was.

> If so, that isn't necessary according to my ISP's guide. As I understand, the modem "binds" or activates to the first MAC address it sees. It should not require any router configuration.
Hmm, so where is the connection towards your ISP being initiated then? Is that an xDSL, fiber or cable service?

If it's not in the "connection" section on your Syno, it has to be on your ISP modem. In that case, that is not a proper bridge mode. Not saying it won't work, but the ISP modem is still taking charge in this case.

Also where are port forwards configured (ISP or Syno)?
 
> Hmm, so where is the connection towards your ISP being initiated then? Is that an xDSL, fiber or cable service?
It's DOCSIS 3.1 cable.

Ports are configured on the Syno, specifically the NAS that talks to the RT2600ac to set them.

Here's a pic of the Network Parameters tab of the modem. Likely not helpful, but I thought I'd include it just in case:
 
OK, so the ISP device is handling the connectivity. So that raises a question for me regarding that "bridge" setting. This is not a "proper" bridge mode IMHO. I would say that these occasional problems are still coming from ISP changes/maintenance from time to time, but I could be wrong.

From a personal experience in a proper bridge setup, this works 100% correctly.
> Ports are configured on the Syno, specifically the NAS that talks to the RT2600ac to set them.
If the forward is on the Syno router level, I really don't see how, and in what case, it can intercept RP communication and fall back to its own certificate.
 
> OK, so the ISP device is handling the connectivity. So that raises a question for me regarding that "bridge" setting. This is not a "proper" bridge mode IMHO. I would say that these occasional problems are still coming from ISP changes/maintenance from time to time, but I could be wrong.
Thanks, Rusty. I've opened a thread on the ISP support forum where hopefully I can get some clarity. I'll update here.
 