Synology Cameras Offsite Using Site To Site VPN

Router
  1. RT2600ac
Operating system
  1. Windows
Hello all, first time post here, but I’m at my wit’s end with this system setup. As the drawing shows, I have two different sites. One site contains the NAS and MR2200ac router with site to site VPN enabled. The other site has two cameras and the same router, with VPN connected and working back to site one. I am unable to get Surveillance Station to access my cameras offsite. I have read a few different posts on this matter, however none are using site to site VPN so the information doesn’t seem to be relevant. I have made sure that both ISPs are not doing any port blocking on their end. I’m far from an expert on any of this stuff, but have been working on this for days and researching for far too long, and I still can’t seem to find a resolution. Do I need to do anything with the ports on my NAS for this to function correctly? I would have thought the site to site VPN would allow the NAS to see the cameras with no extra work, but sadly that has not been my experience. If anyone has any information that might help, please let me know, and in the meantime I’ll continue messing with this hopefully until I get it working.

Thank you for reading this!
 
Welcome to the forum.

This has to work, I had it running that way a while back with 0 issues.

Stepping back from Surveillance Station for a bit, have you tested access of other resources from these 2 locations over STS vpn? Accessing files, the nas etc?

Also are both LAN subnets on each side different from one another?

Example site A 10.10.10.x/24 and site B 10.10.20.0/24 or are you keeping them in the same subnet on both end?
 
Hey Rusty,

Thanks for the welcome and the reply. Just to clarify, are you asking if both subnet masks are the same? They are both 255.255.255.0 assuming that’s what you are asking. Sorry my network knowledge is pretty limited compared to most folks here.

edit: forgot to answer, no I haven’t tried accessing the files on the nas, maybe I’ll give that a shot now.
 
So far I am only able to connect to the nas outside of the VPN using quick connect. Not sure what’s going on here.
 
They are both 255.255.255.0 assuming that’s what you are asking.
That would be the subnet mask, but you are right, not what I was asking. What I meant was, are both LAN segments on both ends using the same IP address range for example: 10.10.10.x/24 vs 10.10.20.x/24? So are the LAN IP addresses of devices on both ends identical or are there differences?

So far I am only able to connect to the nas outside of the VPN using quick connect. Not sure what’s going on here.
Well that's not really a scenario in which you are using STS setup, is it? Try and access the remote location via the tunnel by accessing their remote LAN IP address, not QC.
 
As of right now they are using different IP ranges, Site A is using 10.0.0.XX and site B is using 192.168.1.XX. Should these two be the same? Could this be the reason for my troubles? Also, thank you again for taking the time to reply and help me out :D
 
No, those should be different. Having the same ones will cause issues. Ok then 1st try and see if other local traffic is working, like data transfer of some sort.
 
Have you created firewall rules allowing vpn
When setting up site to site it asks to allow various firewall rules, which I believe I checked them all. Not sure if that's what you mean.
-- post merged: --

Should the devices connected on the VPN side show through the network center's device list? If so mine are not showing.
 
What network center are you talking about? The SRM one? If so then no. Devices that are part of the opposite LAN will be accessible via site to site but not visible in your SRM if that was your question.
 
Ok I understand, thank you! All I see in the SRM under Site to site VPN is "connected" and no traffic upload or download. Not that there should be any right now, not that I think. Still unable to find the camera in SS though. What do you think would be the easiest way to test the connection to verify it is working correctly? While keeping in mind I'm not very versed in IT work lol. Thank you again for your help (and patience!)
 
Well, 1st off are you sure the traffic can function between these two locations? Have you tested accessing something from one end to the other using the local IP address?

 
So far I have not been able to access anything via local IP. When I was at site two I was able to view camera two simply by typing in the local IP, however now at site one I am unable to view the camera at site two with local IP. I assume that points to a VPN problem, despite it saying connected?
 
While I still have my Virginmedia connection, if I have time in the next few days, I'll reconfigure the MR2200ac that is set up as a second route out (tried the two ISPs on the one RT6600ax but wanted the 2.5GbE back as the mesh back haul, and haven't yet needed a quick failover). I can then see how site-to-site works in VPN Plus and whether extra routing is needed: you can't have the same IP subnet on both sides since it won't let you save the configuration.
 
I use it and no additional routing was needed but it might be a specific case with OP
 
Have you configured routing on site A’s router to site B’s LAN IP subnet, and vice versa?

If you haven’t then it might be that the local router isn’t aware of the subnet at the remote router, so isn’t sending it down the tunnel.
Not sure if I saw any options for this, I'll do some poking around and see if I can make that happen. Thanks for the lead!
-- post merged: --

While I still have my Virginmedia connection, if I have time in the next few days, I'll reconfigure the MR2200ac that is set up as a second route out (tried the two ISPs on the one RT6600ax but wanted the 2.5GbE back as the mesh back haul, and haven't yet needed a quick failover). I can then see how site-to-site works in VPN Plus and whether extra routing is needed: you can't have the same IP subnet on both sides since it won't let you save the configuration.
Thank you very much! I currently have different subnets on the router, so my limited understanding tells me I should be ok there. Please correct me if I'm wrong :D
-- post merged: --

I use it and no additional routing was needed but it might be a specific case with OP
Not sure TBH, would there be a way to tell? So far I've seen no option for subnet routing, but I'm also a pretty big noob when it comes to this stuff so I may have missed it. I'll keep looking around. Thanks to everyone here for trying to help me sort through this. It's been a multi month problem LOL
 
So my first thought on doing the site to site VPN is that the firewall might be the problem. I didn't need any specific routing added to pass connections from the VirginMedia (VM) site to Giganet (GN). I'm only testing from a Macbook on the VM site to get access to my NAS and Mac Mini on the GN site.

To get it to work, though, I needed an ingress firewall rule on the RT6600ax at the GN site. Trying to limit the rule as much as possible without touching the rest of my hard-crafted policy. This enables me to access the NAS's DSM portal and SMB shares on my Mac Mini.
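| Protocol | Src Interface | Src IP | Src Port | Dst Interface | Dst IP | Dst Port | Action |
| --- | --- | --- | --- | --- | --- | --- | --- |
| TCP/UDP | Internet | <192.168.c.d/24 IP subnet of VM site> | All | <GN site LAN I'm accessing> | All | All | Allow |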

Ping would be more effort as it needs rule/rules for ICMP protocol. Then there may have to be rules on the VM site's MR2200ac to control access, but I'm only going out from here in this test. Also, if you don't add your own ANY/ANY/ANY/DENY rule then the SRM firewall* allows outbound to the Internet, which is why I had little to do to get it working from the VM site outbound.


*I have this and a lot more configured on my main RT6600ax.
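
Added example, not part of the thread and not SRM's own logic: a simplified first-match model of the ingress rule described in the post above, showing why TCP/UDP from the remote LAN passes while ping (ICMP) is still dropped until it gets its own rule. The first-match evaluation, the /24 ranges and the host addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    protos: frozenset  # protocols covered, e.g. {"tcp", "udp"}
    src: str           # source CIDR or "all"
    dst: str           # destination CIDR or "all"
    action: str        # "allow" or "deny"

def _matches(addr: str, cidr: str) -> bool:
    return cidr == "all" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def evaluate(rules, proto, src, dst, default="deny"):
    """Return the action of the first matching rule (assumed first-match model)."""
    for rule in rules:
        if proto in rule.protos and _matches(src, rule.src) and _matches(dst, rule.dst):
            return rule.action
    return default

def lans_are_distinct(lan_a: str, lan_b: str) -> bool:
    """Site-to-site routing needs LAN ranges that do not overlap."""
    return not ipaddress.ip_network(lan_a).overlaps(ipaddress.ip_network(lan_b))

# Constructed values based on the ranges mentioned in the thread.
NAS_LAN = "10.0.0.0/24"        # site with the NAS
CAMERA_LAN = "192.168.1.0/24"  # site with the cameras
NAS_IP, CAMERA_IP = "10.0.0.10", "192.168.1.50"  # hypothetical hosts

ANY = frozenset({"tcp", "udp", "icmp"})
# Ingress policy on the camera-site router: a TCP/UDP allow rule for the
# remote LAN (interfaces are not modelled), followed by an explicit deny-all.
CAMERA_SITE_RULES = [
    Rule(frozenset({"tcp", "udp"}), NAS_LAN, CAMERA_LAN, "allow"),
    Rule(ANY, "all", "all", "deny"),
]

def with_ping(rules):
    """Same policy plus an ICMP allow for the remote LAN, placed before the deny."""
    return [Rule(frozenset({"icmp"}), NAS_LAN, CAMERA_LAN, "allow")] + list(rules)

if __name__ == "__main__":
    print("distinct LANs:", lans_are_distinct(NAS_LAN, CAMERA_LAN))
    for proto in ("tcp", "icmp"):
        print(proto, evaluate(CAMERA_SITE_RULES, proto, NAS_IP, CAMERA_IP))
    print("icmp with rule:", evaluate(with_ping(CAMERA_SITE_RULES), "icmp", NAS_IP, CAMERA_IP))
```
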
 
Okay, I went into firewall settings and created allow rules for all VPN Plus settings as shown in the screenshot. For now I have everything allowed, until I get it working. Let me poke around and see if this helps with the issue. Thanks!

-- post merged: --

Looks like I'm still unable to connect to anything on the other site with IP address. I thought this was going to be easy haha, little did I know
 
