Question Synology router/ISP’s DMZ?

WST16 · 14. Jun 2020

A quick question please:
Anyone running a Synology router connected to the DMZ of the ISP’s provided junk router (because you can’t bridge it)?

What’s your experience please? Thanks for sharing.

Rusty · 14. Jun 2020

WST16 said:
A quick question please:
Anyone running a Synology router connected to the DMZ of the ISP’s provided junk router (because you can’t bridge it)?

What’s your experience please? Thanks for sharing.

A friend of mine is running it like that. 0 problems. All traffic is being passed onto the Syno router and all controls regarding traffic, firewall etc are there. No particular problems.

WST16 · 14. Jun 2020

That’s great news, @Rusty. Thanks.

A follow up question if I may:

Would it be better to get a PfSense instead of a 2600 for some traffic monitoring and intrusion detection, or will I be able to accomplish some of that with the Synology router?

I know that they’re different animals, but I just want some basic intrusion detection, like blocking some outbound/inbound traffic, monitoring and understanding what some of the devices on the LAN are communicating with outside and blocking or adjusting their permissions. VPN capabilities of the 2600 will be good to have too. WiFi is not important. Most likely will be shut off.

I hope I’m making sense and that the 2600 is capable of doing the above.

fredbert · 14. Jun 2020

Haven't used pfSense so can't comment on how it compares. With the RT2600ac you'll have a familiar GUI.

For my Internet speeds (can't say about performances on 1Gb lines) I find the combination of Threat Prevention, SRM firewall, and Safe Access to work well. Add that I can open Traffic Control on the web GUI and apply maximum limits/priorities to gaming/streaming devices that are hogging the bandwidth while I'm trying to do work video conf calls.

The Threat Prevention package will be a surprise for what's knocking on your Internet door

and what it's blocking. I've modified the rules to block anything that's scanning and in low reputation IP groups.

Rusty · 14. Jun 2020

WST16 said:
That’s great news, @Rusty. Thanks.

A follow up question if I may:

Would it be better to get a PfSense instead of a 2600 for some traffic monitoring and intrusion detection, or will I be able to accomplish some of that with the Synology router?

I know that they’re different animals, but I just want some basic intrusion detection, like blocking some outbound/inbound traffic, monitoring and understanding what some of the devices on the LAN are communicating with outside and blocking or adjusting their permissions. VPN capabilities of the 2600 will be good to have too. WiFi is not important. Most likely will be shut off.

I hope I’m making sense and that the 2600 is capable of doing the above.

All in all, it will work fine. As you said those are 2 separate platforms and pf will offer way more granular options then ips and safe net on syno. Still if you are looking a turn key solution you will have no problem with 2600.

Ips will tax it’s cpu at about 30-50% without vpn active in it (that’s why I have that separated). Also depending on your net speed you will maybe feel that vpn penalty more with ips active as well.

Once activated, over time you might have to tweak the rules a bit but that’s very individual so you will see how it behaves with your needs

Again 2600 is a great all around device that will offer enough options without the need to build a custom pf box or go for some stronger appliances that offer same or better solutions.

WST16 · 14. Jun 2020

Excellent. Thank you both for sharing

Actually I’d like to stay with the familiar Synology interface. I’m just checking if it’s going to work for what I want.

Can the router show me what traffic is going out of my iPad’s apps? Something like what Little Snitch is doing on the Mac. I’m thinking possible but not as granular as Little Snitch.

fredbert · 14. Jun 2020

This isn't directly relevant but is educational on how business-grade firewall vendors view the impact of enabling features: take the base 'firewall' numbers as the best performance in firewall-only mode then see how enabling IPS and more advanced next gen. threat prevention hits it.

https://www.checkpoint.com/downloads/products/check-point-appliance-comparison-chart.pdf

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf

It's clear that SRM Threat Prevention on a £200 device can't be doing as deep inspection as these (and you're not paying an annual licence either).

fredbert · 14. Jun 2020

WST16 said:
Can the router show me what traffic is going out of my iPad’s apps? Something like what Little Snitch is doing on the Mac. I’m thinking possible but not as granular as Little Snitch.

Traffic Control can see real time usage and offers device/application/app category/domain. You can then see historical usage too. Not sure that the applications will be as granular: I can see things like RTMP, Twitch, Amazon, Netflix, SSL, Webex, Cloudflare, other well known online services, and well known Internet service types (e.g. IMAPS).

For real time domain view you'll also see each request and which device, but in historical view this is split to top domains and top devices (and offers detailed lists for all domains and all devices).

WST16 · 14. Jun 2020

Thanks again.

I might get the 2600, will need to check a few things regarding the setup. But first I have something in mind. The CFO will be livid

Question Synology router/ISP’s DMZ?

Currently reading
Question Synology router/ISP’s DMZ?

WST16

Rusty

WST16

fredbert

Rusty

WST16

fredbert

fredbert

WST16

Similar threads

Trending threads

Forum statistics

We value your privacy

Question Synology router/ISP’s DMZ?

Currently reading Question Synology router/ISP’s DMZ?

Similar threads

We value your privacy

Currently reading
Question Synology router/ISP’s DMZ?