RT2600ac Safe Access does not apply to wired computers on LAN. Is it only me?

NAS: ds720+ ds412+
Router: RT2600ac
Operating system: Windows
Mobile operating system: Android, iOS
Hello to the Forum!
I finally came down to playing with Safe Access - the reason I bought this router in the first place.
I tried with my own laptop. My laptop is known to the router under 2 MACs and IP addresses - wired and WiFi, depending on whether it's connected to its dock. I have added both instances to the profile.

So, when my laptop is on WiFi, I see Safe Access blocking what I want it to block. But once I connect to Ethernet, it lets me go whenever I want to.

Sure enough, my son's desktop (wired) is also unaffected by Safe Access policies.
I'm running SRM 1.2.5-8227 Update 4. And I'm 2 days after my return window closed :-(

Not sure it matters, but this router acts as DHCP, but announces domain controller as DNS server. That DNS server then forwards to the router DNS server. Otherwise domain authentication won't work.

Any ideas or advice?
 
Welcome to the forum.

To begin with, I can verify that Ethernet-connected devices (even those not directly connected to the router) should respect Safe Access profile rules. Now, in order to dig deeper into this, you would need to share a bit more info on how the profile of the devices is configured so that maybe we can notice some potential "problems".
 
Upvote 0
I can also confirm that wired and wireless devices on my home LAN are all using Safe Access. It sounds like the difference between you and most other users may be the domain controller being used for DNS. I'm not a MS Windows person so not sure how your setup may affect Safe Access. Can you explain how DNS and web requests flow for you?

Another way that Safe Access can be bypassed is by using Internet VPN/'privacy' services.
 
Upvote 0
Rusty, thanks for the hint! I will try to connect directly to Synology and see if there's any difference. Currently there's a switch between computers and Synology. Not easy to try quickly, or I would have already tried.
 
Upvote 0
Thanks for the reply. I don't think DNS configuration is an issue, since there's no difference in DNS for WiFi or Ethernet. Still:
- DHCP (Synology) tells the client that its DNS server is the DC (domain controller host), its router is the Synology, and its IP address is such and such
- The client goes to the DC to resolve youtube.com. The DC does not know the address for youtube.com, so it asks the Synology.
- The Synology asks up the chain
 
Upvote 0
> thanks for the reply. I don't think DNS configuration is an issue, since there's no difference in DNS for WiFi or Ethernet. Still:

Except the wireless devices definitely route through the RT2600ac to get resolution on the domain controller.

My setup (@Rusty you can go make a cup of tea):
  • DNS Server on NAS for personal domain, as master zone, forward-only for other domains using CloudFlare/OpenDNS.
  • DNS Server on RT2600ac as slave zone for personal domain (directed to NAS DNS Server), forward-only for other domains using CloudFlare/OpenDNS.
  • RT2600ac Internet DNS set to (preferred) router's LAN IP, (alternate) to CloudFlare.
  • RT2600ac DHCP service uses:
    • primary DNS: router's LAN IP
    • secondary DNS: NAS LAN IP
    • forward known DNS servers (router's DNS settings in Internet): disabled
    • disable DNS over HTTPS
This does work; I haven't touched it for ages. The DNS Servers are configured to limit which LANs can access them, also they are not accessible from the Internet.

I have sometimes put RT2600ac firewall rules to block access to known DoH DNS services, mainly CloudFlare and Google, from LAN subnets.

One other thing you can and probably should enable is Threat Prevention.
 
Upvote 0
Fredbert, thanks a lot! Your primary/secondary DNS configuration did the trick! Works!
 
Upvote 0
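
An added example, not part of any post in this thread: a check for the fix reported above (DHCP handing out the router's LAN IP as primary DNS). It parses `ipconfig /all` output from a Windows client and lists adapters whose first IPv4 DNS server is not the router. The sample output, adapter names and 192.168.1.x addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `ipconfig /all` output (placeholder addresses): the wired
# adapter lists the domain controller first, the Wi-Fi adapter lists the router first.
SAMPLE = """\
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       192.168.1.1

Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 192.168.1.51(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.10
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"  # IPv4 only; IPv6 DNS entries are ignored

def dns_by_adapter(text):
    """Return {adapter name: [IPv4 DNS servers in order]} from ipconfig /all text."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            # An unindented "... adapter NAME:" line starts a new adapter section.
            current = line.rstrip()[:-1].split("adapter ", 1)[-1]
            adapters[current] = []
            in_dns = False
        elif current is None:
            continue
        elif (m := re.match(rf"\s+DNS Servers[ .]*:\s*({IP})\s*$", line)):
            adapters[current].append(m.group(1))
            in_dns = True
        elif in_dns and (m := re.match(rf"\s+({IP})\s*$", line)):
            adapters[current].append(m.group(1))  # continuation line of the DNS list
        else:
            in_dns = False
    return adapters

def not_using_router_first(text, router_ip):
    """Adapters whose primary (first) DNS server is not the router."""
    return [name for name, servers in dns_by_adapter(text).items()
            if not servers or servers[0] != router_ip]

if __name__ == "__main__":
    for name in not_using_router_first(SAMPLE, "192.168.1.1"):
        print(f"{name}: primary DNS is not the router")
```

To use it on a real client, pass the saved output of `ipconfig /all` and the router's LAN IP in place of the constructed sample.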
