Two Synology NAS servers on one IP - Drive Client can't connect remotely

Hi, I've tried googling this problem, but I'm struggling to find a definitive answer.

The problem:

We have a small office, with 6/7 staff.
We've been using a DS216+II as a server using the Drive Client to connect to it. Everyone works in the office and at home, and we also have a number of freelancers so we need remote access to it.
We've recently needed to upgrade for a project, so now have a DS918+ as well.
In the office we use local IP addresses so there's not been a problem, but today I tried to get one of our freelancers on to the new server and realised that they're both on the same IP so the remote connection doesn't work.
We use Synology DDNS from our Synology account, each server has its own address, but they both point to the same IP.
At the moment, we don't have control of the router (but can request ports to be opened / forwarded etc...) - Next week we're moving offices so will have full control over this.

What do I need to change on the new server and/or router in order to allow access to both servers via Drive Client?

Both servers are running DSM7.1.1 ver6

Thanks, Dan.
 
Welcome to the forum.

If you're using the Mac/PC Drive Client then you can't change the TCP port that they are connecting to on Drive Server, it's fixed at TCP 6690 and cannot be proxied by DSM either. If using the mobile Drive app then you can change the web port it uses, or assign a unique domain, in Control Panel / Login Portal / Applications.

So options?
  1. Get a second ISP connection and use that for TCP 6690 forwarding to the new NAS.
    1. As a business it may provide some resilience.
  2. Instead of direct Internet access via the router and port forwarding, users connect to business applications using remote access services provided by VPN Server. Once an authorised connection is made the user can have access to LAN servers via their LAN IPs.
 
Thanks for the reply:

I'm about to potentially enrage you with a stupid response, but one workaround online had something like the following happening (but this wasn't to do with the Drive Client).

Is it not possible to add :6691 (for example) after the address in the client and somehow have the router forward that to ###.###.#.###:6690 ? Does the client ALWAYS use 6690?
 
No, it's fixed at TCP 6690. It's fixed, hardcoded, in the Mac/PC client and in the server.

Is it not possible to add :6691 (for example) after the address in the client and somehow have the router forward that to ###.###.#.###:6690 ? Does the client ALWAYS use 6690?
There's an easy way to find out, you can try it. But I'm pretty sure that this isn't possible in the Drive client.
 
Thanks again.

How would a VPN work for this?
I'm pretty sure another ISP is out of the question...

As I say, I'm limited to the testing I can do at the moment because I don't have access to the router, but if there was something that might work I could contact the people who do have access and ask them to change a setting.

It can sometimes take them a while to get round to it though, so not something I want to bother them with unless I think there's a good chance it could work.
 
There is possibly the option to use QuickConnect Relay service to get access to the second Drive Server. But just consider that this all goes through Synology's relay servers: two SSL connections and they are joined on servers you don't control.


With DSM's VPN Server you can run different VPN servers:
  1. OpenVPN: Requires installation of a third party client on Mac/PC but considered the better option. You forward a TCP or UDP port to the server, UDP 1194 is the default but you can choose. The only tricky part is ensuring the .ovpn configuration file is tweaked correctly.
  2. L2TP IPsec VPN: Requires three ports forwarding, UDP 500, 1701, and 4500, they can't be changed. The pro for using this is that Mac/PC have the client builtin.
  3. PPTP VPN: the least secure of these server options. I would not consider it.
For a quick test I would opt for L2TP/IPsec, especially if you don't want people to install another client app. Longer term I would use OpenVPN.


Oh, and you can run more than one of the VPN server types, so you can see which is working best.

Plus, you may find that your Internet router has VPN server features.
 
OpenVPN client app: OpenVPN Connect, or on Mac there's Tunnelblick.

Builtin L2TP/IPsec VPN client in macOS, go to Network settings...


Windows...
 
I think we're already past the point where this is viable. It's hard enough getting freelancers to install the Drive Client in the first place, so I doubt we can get them to connect this way...

I think we might just have to migrate everything to the DS918+ which isn't ideal...


Thanks again.
 
I've got the freelancer connecting to the Drive Client via QuickConnect.

Not the best speed-wise, but at least he can do something...
How can QuickConnect differentiate between the servers? There must be some way of this working. (I've raised this with Synology support - but after the quality of their first reply I'm not holding my breath).
Is it simply that the desktop client is badly made?
 
Why not DDNS (or domain) using a subdomain directed by reverse proxy to a specific NAS (or did I miss this in the preceding comments)?
It's not possible for the Mac/PC Drive client sync to Drive Server, they don't use HTTP-based services. Yep, you missed this in the preceding posts.

The mobile apps use HTTP-based services so this is possible to use Login Portal / Applications to set a unique domain, or unique port.

The DSM reverse proxy feature is a reverse web-proxy, not general service proxy.
 
That could be a potential workaround IF I knew what any of those words meant. :ROFLMAO:

I've seen reverse proxy mentioned, but I couldn't get my head around it.
 
How can QuickConnect differentiate between the servers?
As I linked earlier...

I summarised how QuickConnect works recently.
 
As I linked earlier...

I summarised how QuickConnect works recently.

So if we're connecting locally in the office, QuickConnect would be just as fast as DDNS? Is it just remotely that you get speed issues?

Is it unsafe for a business to allow upnp on its router? From that paper it looks like if upnp is allowed, the speed will be as good as DDNS...
 
The way that QC works is the client tries the various methods in order: local; direct Internet; QC relay (if enabled).

Using UPnP on the router will permit applications running on local devices to request port forwarding and firewall rules to be created, allowing whatever that application needs. That is whether you want it to have the access or not. So I would say it is better to configure the firewall policy yourself, so you know what is being permitted through your security perimeter. Reading the QC whitepaper and it doesn't mention the need to use UPnP.

There is the QC hole punching feature, this is tried before using the relay. Potentially firewalls may block this as it could be detected as a hijack attempt if QC hands over the connection. This doesn't need you to create firewall rules since the NAS initiates the connection outbound and this will be used in-out afterwards.

The QC relay isn't as quick as direct access because it is being passed through Synology's relay servers. A secure connection from client to the relay is used for one half of the connection, and the NAS creates another secure connection to the relay. The Synology servers pass packets between these two connections so the client and NAS can communicate.


If you have it working in the interim and you are ok with relay then ok.
 
Thanks, this has been really helpful... It looks like QC will be fine.
Do you know if there's a way to tell how the QC has connected a device? LAN, Hole Punched or Relay?
 
Never looked into determining which method of QC has been used. On a Mac* you could use the command line in Terminal and filter through the output of netstat. For example, using netstat -n | grep 6690 would find the connections between client_IP.port and server_IP.6690. See what server_IP is reported as and if it is your NAS LAN IP, ISP WAN IP, or something else.

*On PC you can use PowerShell. It has netstat but I don't know the command that it has in place of grep.
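The netstat check described in the post above, as an added example that is not part of the original thread: it reads `netstat -n` output in either the macOS (`IP.port`) or Windows (`IP:port`) layout, keeps established connections to TCP 6690, and labels each server IP as a NAS LAN address, the office WAN address, or something else. The function names, labels and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

DRIVE_PORT = 6690  # Drive Server sync port named in the thread

# Address columns of `netstat -n`: macOS prints IP.port, Windows prints IP:port.
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[.:](\d+)")

def drive_peers(netstat_text):
    """Return the remote IPs of established IPv4 connections to TCP 6690."""
    peers = []
    for line in netstat_text.splitlines():
        if "ESTABLISHED" not in line.upper():
            continue
        endpoints = ENDPOINT.findall(line)
        if len(endpoints) < 2:
            continue
        remote_ip, remote_port = endpoints[1]  # second column is the foreign address
        if int(remote_port) == DRIVE_PORT:
            peers.append(remote_ip)
    return peers

def classify_connections(netstat_text, nas_lan_ips, office_wan_ip):
    """Label each Drive peer: 'nas-lan', 'office-wan' or 'other'."""
    lan = {ipaddress.ip_address(ip) for ip in nas_lan_ips}
    wan = ipaddress.ip_address(office_wan_ip)
    results = []
    for peer in drive_peers(netstat_text):
        addr = ipaddress.ip_address(peer)
        if addr in lan:
            label = "nas-lan"      # direct connection on the local network
        elif addr == wan:
            label = "office-wan"   # reached through the router's public IP
        else:
            label = "other"        # neither known address; look the IP up
        results.append((peer, label))
    return results

# Constructed sample: three macOS-style lines, then two Windows-style lines.
SAMPLE = """\
tcp4       0      0  192.168.1.23.52110     192.168.1.10.6690      ESTABLISHED
tcp4       0      0  192.168.1.23.52144     198.51.100.7.6690      ESTABLISHED
tcp4       0      0  192.168.1.23.52150     192.168.1.11.445       ESTABLISHED
  TCP    192.168.1.23:52200     203.0.113.10:6690      ESTABLISHED
  TCP    192.168.1.23:52201     203.0.113.10:6690      TIME_WAIT
"""

if __name__ == "__main__":
    for ip, label in classify_connections(
            SAMPLE, ["192.168.1.10", "192.168.1.11"], "203.0.113.10"):
        print(ip, label)
```

To use it on a live machine, pass the captured output of `netstat -n` in place of `SAMPLE`, along with your own NAS LAN addresses and public IP.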
 