What you say makes perfect sense to me. Unfortunately for me it doesn't work. I have set up DDNS in my Syno to my-name.synology.me and configured Reverse Proxy to test.my-name.synology.me. My Fritz Box redirects ports 80 and 443 to my Syno where both ports are open in Syno firewall. nslookup to test.my-name.synology.me via 220.127.116.11 returns the correct ip assigned by my ISP. From within my network test.my-name.synology.me connects to the right app but from extern (tested with my smartphone with wifi off) test.my-name.synology.me returns 'server not found'. No clue why. What am I doing wrong? Or does this not work via Synology's DDNS service because of 4th level domain? Any hint appreciated. Thanks folks.

The primary DNS for synology.me will have a record for xyz.synology.me that is dynamically updated to your ISP IP address. There will also be a wildcard entry *.xyz.synology.me that also points to your ISP IP address.
So if there is an explicit DNS record for www.xyz.synology.me then that IP will be returned, otherwise the wildcard IP address is returned.
Within RP it is looking at the FQDN, e.g. app.xyz.synology.me:443, as a text match not a DNS resolution. It sees the text of the FQDN/port combo match a rule and so does what it's told to do ... forward to the new destination.
The answer is 'Can't resolve host' (using ping network utility on iPhone) while connected with mobile data. But... when I'm connected to my friend's wifi RP works as expected. Same thing when I'm connected to VPN. No VPN to my home but NordVPN. Maybe it is related to IPv4 or IPv6. I've disabled IPv6 in both Fritz Box and Syno.

If you ping test.my-domain.org from outside your local network, do you get "no response", or do you get "ping request could not find host test.my-domain.org"? If the latter, you need to go into DNS settings at your ISP, and explicitly set up a DNS entry for that hostname (not just the domain name).
Thanks for your explanation. I guess it's not DS-Lite. See screenshot.

Can you tell us if you have a dual stack (public ipv4 + public ipv6) or ds-lite (natted ipv4 + public ipv6) connection?
With a ds-lite connection incoming ipv4 connections from the internet won't work, as the wan ip already is a natted private-ip, which can not be reached from the internet. Outgoing ipv4 connections will work regardless whether it's dual stack or ds-lite.
With ds-lite, the only way to expose a service to the internet is by either using ipv6 (dns record needs to resolve the target machine, not the router!), using a vpn connection that allows port forwarding (dns record needs to point to the vpc endpoint) or a service like ngrok - secure introspectable tunnels to localhost (does not allow bring your own domain).
Thanks. The result is Success: I can see your service on ... on port (443)

I am not sure if this information from the FB-Dashboard qualifies to distinguish Dual Stack and DS-Lite. As in both cases you have an ipv4 and internet, though in one case it is an internet ip and in the other case a natted ip in the isp's network.
Try Open Port Check Tool -- Verify Port Forwarding on Your Router and see if a forwarded port on your FB can be reached from the internet.
Thanks again. Let me try to sort this out: I create a subdomain at my Domain Provider like test.my-domain.org which gets updated by Syno DDNS correctly with the current WAN IP. In my FB I forward port 443 to my Syno running RP. In RP I create a rule forwarding test.my-domain.org to my service which I want to expose. So far so good, that works. But if I create a RP rule like app.test.my-domain.org to expose another service this address can't be resolved from mobile data. From within my friend's wifi it works, also when I connect my mobile phone via NordVPN. Only mobile data doesn't work. Hope that makes sense...

Then it really should be a dual stack line.
You own a domain like my-domain.org and added a subdomain test.my-domain.org in your dns (or by the DDNS). You checked in the dns server where you administrate the domain that the entry exists and points to the right wan-ip?
You forward WAN port 80/443 to the Syno-RP, in the Syno-RP you have an entry where the hostname is test.my-domain.org (and in case of https, a valid certificate assigned to it) and the firewall does not block traffic? Then I can't see a reason that it's not working
No, because in my opinion that should be handled by RP.

Did you create that subdomain?

That's not supported with my domain provider.

If not, did you create a wildcard subdomain for *.test.my-domain.org?

Either you confuse responsibilities or I simply don't understand your problem.

No, because in my opinion that should be handled by RP
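
The split of responsibilities discussed in this thread, as an added example that is not part of any post: public DNS has to resolve the hostname (exact record or wildcard) before the reverse proxy ever gets to match it as text. The zone contents, the 203.0.113.10 address and the backend URLs are constructed placeholders, and the wildcard matching is a simplified form of RFC 4592.

```python
# Constructed sample data: names, addresses and backends are placeholders.
ZONE_WITHOUT_WILDCARD = {"test.my-domain.org": "203.0.113.10"}
ZONE_WITH_WILDCARD = {**ZONE_WITHOUT_WILDCARD,
                      "*.test.my-domain.org": "203.0.113.10"}

# Reverse-proxy rules: a (hostname, port) text match, no DNS involved.
RP_RULES = {
    ("test.my-domain.org", 443): "http://localhost:8080",
    ("app.test.my-domain.org", 443): "http://localhost:8081",
}


def resolve(zone, name):
    """Step 1, public DNS: exact record first, then a wildcard.

    Simplified RFC 4592 matching: a wildcard applies only directly under
    the closest existing ancestor of the queried name.
    """
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "*." + parent in zone:
            return zone["*." + parent]
        if parent in zone:
            return None  # closest ancestor exists but has no wildcard
    return None


def route(host, port):
    """Step 2, reverse proxy: match the requested hostname and port as text."""
    return RP_RULES.get((host.lower(), port))


def reach(zone, host, port=443):
    """Return (ip, backend); ip None means the client never gets to the proxy."""
    ip = resolve(zone, host)
    if ip is None:
        return None, None
    return ip, route(host, port)


if __name__ == "__main__":
    for label, zone in (("no wildcard", ZONE_WITHOUT_WILDCARD),
                        ("wildcard", ZONE_WITH_WILDCARD)):
        for host in ("test.my-domain.org", "app.test.my-domain.org"):
            print(label, host, reach(zone, host))
```

With the wildcard record present, a hostname that resolves but has no proxy rule returns an address and no backend, which is the opposite failure from the one reported in the thread.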