Synology firewall

[Gerard]

Eventually you should look into reverse proxy. It makes it easy. You can just use yourdnsname.com internally or externally and don’t have to worry about specifying port numbers

-- post merged: 11. Jun 2022 --

For reverse proxy it’s port 443 which is https traffic so anything.com, google.com etc is transmitted on 443.

On your isp router port forward 443 to 443 of your nas. On the nas side you’ll have to go into the reverse proxy section, setup the domain name and a few other things. You’ll also need to setup a let’s encrypt certificate but all of this can be done without cost using a synology.me domain name

Other have purchased their own domain name from other providers. You can have yourdomain.com whereas synology is synologyddns.synology.me

-- post merged: 11. Jun 2022 --

Again use different custom ports for the external side which then forward to the service port on the internal side

One other note the reason we say to use custom ports for port forwarding is because hackers know synology dsm runs on port 5001. If you port forward on your isp router 5001 to your nas 5001, hackers can see this open port and attempt brute force attacks or other known vulnerabilities. Hackers use port scanners so if they know a specific vulnerability on a synology they’ll set the scanner to scan the world for open ports of 5001. This is how a lot of people get hacked or ransomwared. Don’t use the default ports at the gate of your network (meaning isp router/firewall).

 

[Cyberwasp]

Lol. Ok, now this is wierd. last night with the firewall on I couldn't log in with cellular and can with wifi. Now if I disabled the firewall I still can't log in via cell. And no, I have touched anything since other than turing off the firewall. I tell you, I'm jinxed!

 

[Gerard]

Lol. Ok, now this is wierd. last night with the firewall on I couldn't log in with cellular and can with wifi. Now if I disabled the firewall I still can't log in via cell. And no, I have touched anything since other than turing off the firewall. I tell you, I'm jinxed!

You won’t be able to login with cellular until you port forward on your isp router.

If you’ve previously been able to do that it was most likely because of the upnp protocol which opened the ports up for you. If that is the case you should check the isp firewall because you may now have something opened that shouldn’t be. As an example upnp (that router config you were messing with) may have used upnp to open port 5000 or 5001 on the isp firewall. Since these are default ports this is bad security practice. This is why manually opening the ports is the best bet.

 

[Cyberwasp]

yeah. In port forwarding ftp 20-21 where open which I removed. I'm still missing one thing. If I disable the firewall, shouldn't I be able to log in from outside of my network?

Like, I want to let a friend have access to synology photos so they can upload/download or browse them.

 

[Gerard]

If I disable the firewall, shouldn't I be able to log in from outside of my network?

If you disable your nas firewall, then it’s opened up to everything and anything, because you have no blocks in place.

What connects you from the outside is your isp firewall. If you have the rule there, you’re going to get in regardless of the nas firewall. I’m order to stop that your nas firewall needs to be on and then you have to not allow the remote access (that’s number 1) but again you have to touch your isp firewall in addition since it’s the external access.

Isp firewall controls external access to internal. Nas firewall is going to control the traffic after it hits your isp firewall and in your internal lan.