Question Synology router/ISP’s DMZ?

A quick question please:
Anyone running a Synology router connected to the DMZ of the ISP’s provided junk router (because you can’t bridge it)?

What’s your experience please? Thanks for sharing.
 

Rusty

> A quick question please:
> Anyone running a Synology router connected to the DMZ of the ISP’s provided junk router (because you can’t bridge it)?
>
> What’s your experience please? Thanks for sharing.

A friend of mine is running it like that. 0 problems. All traffic is being passed onto the Syno router and all controls regarding traffic, firewall etc are there. No particular problems.
 
That’s great news, @Rusty. Thanks.

A follow-up question if I may:

Would it be better to get a pfSense instead of a 2600 for some traffic monitoring and intrusion detection, or will I be able to accomplish some of that with the Synology router?

I know that they’re different animals, but I just want some basic intrusion detection, like blocking some outbound/inbound traffic, monitoring and understanding what some of the devices on the LAN are communicating with outside and blocking or adjusting their permissions. VPN capabilities of the 2600 will be good to have too. WiFi is not important. Most likely will be shut off.

I hope I’m making sense and that the 2600 is capable of doing the above.
 

fredbert

Haven't used pfSense so can't comment on how it compares. With the RT2600ac you'll have a familiar GUI.

For my Internet speeds (can't say about performance on 1Gb lines) I find the combination of Threat Prevention, SRM firewall, and Safe Access to work well. Add that I can open Traffic Control on the web GUI and apply maximum limits/priorities to gaming/streaming devices that are hogging the bandwidth while I'm trying to do work video conf calls.

The Threat Prevention package will be a surprise for what's knocking on your Internet door :) and what it's blocking. I've modified the rules to block anything that's scanning and in low reputation IP groups.
 

Rusty

> That’s great news, @Rusty. Thanks.
>
> A follow-up question if I may:
>
> Would it be better to get a pfSense instead of a 2600 for some traffic monitoring and intrusion detection, or will I be able to accomplish some of that with the Synology router?
>
> I know that they’re different animals, but I just want some basic intrusion detection, like blocking some outbound/inbound traffic, monitoring and understanding what some of the devices on the LAN are communicating with outside and blocking or adjusting their permissions. VPN capabilities of the 2600 will be good to have too. WiFi is not important. Most likely will be shut off.
>
> I hope I’m making sense and that the 2600 is capable of doing the above.

All in all, it will work fine. As you said, those are 2 separate platforms and pf will offer way more granular options than IPS and safe net on Syno. Still, if you are looking for a turnkey solution you will have no problem with the 2600.

IPS will tax its CPU at about 30-50% without VPN active in it (that’s why I have that separated). Also, depending on your net speed, you will maybe feel that VPN penalty more with IPS active as well.

Once activated, over time you might have to tweak the rules a bit, but that’s very individual, so you will see how it behaves with your needs.

Again, the 2600 is a great all-around device that will offer enough options without the need to build a custom pf box or go for some stronger appliances that offer the same or better solutions.
 
Excellent. Thank you both for sharing :)

Actually I’d like to stay with the familiar Synology interface. I’m just checking if it’s going to work for what I want.

Can the router show me what traffic is going out of my iPad’s apps? Something like what Little Snitch is doing on the Mac. I’m thinking possible but not as granular as Little Snitch.
 

fredbert

This isn't directly relevant but is educational on how business-grade firewall vendors view the impact of enabling features: take the base 'firewall' numbers as the best performance in firewall-only mode then see how enabling IPS and more advanced next gen. threat prevention hits it.


It's clear that SRM Threat Prevention on a £200 device can't be doing as deep inspection as these (and you're not paying an annual licence either).
 

fredbert

> Can the router show me what traffic is going out of my iPad’s apps? Something like what Little Snitch is doing on the Mac. I’m thinking possible but not as granular as Little Snitch.

Traffic Control can see real time usage and offers device/application/app category/domain. You can then see historical usage too. Not sure that the applications will be as granular: I can see things like RTMP, Twitch, Amazon, Netflix, SSL, Webex, Cloudflare, other well known online services, and well known Internet service types (e.g. IMAPS).

For real time domain view you'll also see each request and which device, but in historical view this is split to top domains and top devices (and offers detailed lists for all domains and all devices).
 
Thanks again.

I might get the 2600, will need to check a few things regarding the setup. But first I have something in mind. The CFO will be livid :)
 
