VPN & Firewall

Hi there,

I hope someone will be able to help me resolve my issue.
Here is my setup:
DS723+ hosted in France with fixed IP address '82.AB.CD.EF'
Fiber connection (8 Gb/s upload and download)

I set up a VPN IPsec connection which works fine when I'm in France. I can reach the NAS and all my devices which are in my local network.
When connected to the VPN, my ip address is 10.2.0.x and my private subnet is 192.168.1.0/24

I also set up the firewall like this, with the rules in this order:
  • All Synology applications that I'm using (including ports 80, 443, 5000 and 5001) are allowed from France only
  • All ports and all protocols are allowed from the VPN addresses 10.2.0.1 to 10.2.0.10
  • All ports and all protocols are allowed from private subnet 192.168.1.0/24
  • All ports and all protocols are allowed from my ISP address 82.AB.CD.EF
  • All the rest is not allowed

I'm currently abroad, with an ISP address like 37.XY.AB.CD
I can connect to my VPN and access all my devices in my private subnet 192.168.1.0
I checked https://whatismyipaddress.com/ and I have my French IP address. So I'm connected to my VPN and all the traffic goes through it.

But I cannot log in to the DSM. When I ask someone in France to disable the Synology firewall, I can connect to DSM from abroad.
After investigation, I found out that even if I'm connected through my VPN, the DSM firewall sees my connection coming from the IP address 37.XY.AB.CD.

Can you help me solve this issue, which seems to be a firewall configuration problem?
What I want is to connect to the DSM from everywhere through the Synology VPN.

Thanks,
Kalongo
 
So the VPN is hosted on the 723+, but with IPsec you have no option on the "server" side to push for a full tunnel setup. Considering that you have not mentioned your devices or OS versions, I will ask if you have enabled "full VPN traffic" (or similar) on your clients.

For example, macOS has a setting (checkbox) for the IPsec profile to force full tunnel and not allow for split traffic.
 
How are you trying to access the DSM NAS? Is it using: the private LAN IP address; L2TP IPsec VPN server IP address (it’s .1 on the VPN IP subnet that is assigned to clients); server name on your private or DDNS domain; QuickConnect mechanism.

When the DSM firewall is disabled, which rules are disabled to make the connection work?

It does sound like you are split-tunnelling. If you are using a private or DDNS domain, you might be resolving using an Internet DNS server, which will return your public 82… address. A split-tunnel will only send private IP addressing down the tunnel (or whatever the client is told to send); everything else goes direct to the Internet.
 
> So the VPN is hosted on the 723+, but with IPsec you have no option on the "server" side to push for a full tunnel setup. Considering that you have not mentioned your devices or OS versions, I will ask if you have enabled "full VPN traffic" (or similar) on your clients.
>
> For example, macOS has a setting (checkbox) for the IPsec profile to force full tunnel and not allow for split traffic.

I mainly use macOS and I forced full traffic through the VPN.

> How are you trying to access the DSM NAS? Is it using: the private LAN IP address; L2TP IPsec VPN server IP address (it’s .1 on the VPN IP subnet that is assigned to clients); server name on your private or DDNS domain; QuickConnect mechanism.
>
> When the DSM firewall is disabled, which rules are disabled to make the connection work?
>
> It does sound like you are split-tunnelling. If you are using a private or DDNS domain, you might be resolving using an Internet DNS server, which will return your public 82… address. A split-tunnel will only send private IP addressing down the tunnel (or whatever the client is told to send); everything else goes direct to the Internet.
Thanks for your answer.
I'm using my own domain in xxxxx.com.
Does it mean I must configure the VPN DNS with an Internet DNS server like 1.1.1.1?
In my current configuration, the DNS is AdGuard, hosted on the NAS itself, thus the DNS has the same IP address as the NAS.
 
It could be that the DNS resolution for your domain is returning the Internet IP of the router’s WAN port. Does your NAS’s local perimeter router/firewall device support local loopback? That means: does the router recognise LAN-side requests to its WAN IP where there is a corresponding port forwarding rule… so the router loops back the request to the LAN IP it normally forwards to.

If you try to connect to the NAS down the VPN using the NAS’s LAN IP then this may work; you just have to accept any exceptions because the certificate is for domain/server names and does not match the IP.

Since I’m lazy and don’t want to have my router handle all my internal connections using loopback, I run DNS Server on DSM to resolve my domain to LAN IPs. Local devices are told to use this via DHCP, with DNS Server sending resolution for other domains to Internet DNS services. For devices on the Internet they still resolve my domain using public DNS services and that’s to my router’s WAN IP.
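As an added illustration (not code from this thread, from Synology, or from any poster), here is a small Python model of what the two replies above describe: the firewall rule list from the original post evaluated in order, and the effect of which DNS server answers for the domain. Everything in it is constructed: the addresses stand in for the masked ones in the thread (82.AB.CD.EF, 37.XY.AB.CD), the NAS LAN address, the hostname and the geo-IP table are assumptions, and only the split-tunnel path is modelled (private ranges go into the tunnel, everything else leaves the client directly).

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the thread.
ROUTER_WAN_IP = "82.1.2.3"      # placeholder for 82.AB.CD.EF (fixed ISP address in France)
REMOTE_ISP_IP = "37.1.2.3"      # placeholder for 37.XY.AB.CD (ISP address abroad)
VPN_CLIENT_IP = "10.2.0.2"      # address the IPsec client receives from the 10.2.0.x pool
NAS_LAN_IP = "192.168.1.10"     # assumption: the thread does not state the NAS's LAN address
NAS_HOSTNAME = "nas.example.com"  # assumption: stands in for the poster's xxxxx.com name
DSM_PORTS = {80, 443, 5000, 5001}

# Constructed geo-IP table so the "France only" rule has something to match on.
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("82.0.0.0/8"): "FR",
    ipaddress.ip_network("37.0.0.0/8"): "XX",   # "abroad"
}


def country_of(ip):
    """Look the source address up in the constructed geo-IP table (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_BY_PREFIX.items():
        if addr in net:
            return cc
    return None


def in_vpn_pool(ip):
    """The second rule of the original post: VPN addresses 10.2.0.1 to 10.2.0.10."""
    return ipaddress.ip_address("10.2.0.1") <= ipaddress.ip_address(ip) <= ipaddress.ip_address("10.2.0.10")


# The rule list from the original post, in the order given. Each entry is
# (label, source matcher, allowed ports or None for all ports). First match wins;
# anything that matches no rule is denied ("all the rest is not allowed").
RULES = [
    ("DSM apps from France", lambda ip: country_of(ip) == "FR", DSM_PORTS),
    ("VPN clients 10.2.0.1-10", in_vpn_pool, None),
    ("LAN 192.168.1.0/24", lambda ip: ipaddress.ip_address(ip) in ipaddress.ip_network("192.168.1.0/24"), None),
    ("own ISP address", lambda ip: ip == ROUTER_WAN_IP, None),
]


def firewall_decision(src_ip, port):
    """Return (decision, rule label) for a connection as the DSM firewall sees it."""
    for label, matches, ports in RULES:
        if matches(src_ip) and (ports is None or port in ports):
            return "allow", label
    return "deny", "default"


# Two views of the same name: the public Internet answer (router WAN IP) and the
# split-horizon answer a DSM DNS Server gives LAN/VPN clients (NAS LAN IP).
RESOLVERS = {
    "public": {NAS_HOSTNAME: ROUTER_WAN_IP},
    "dsm_dns_server": {NAS_HOSTNAME: NAS_LAN_IP},
}


def resolve(name, resolver):
    return RESOLVERS[resolver][name]


# With a split tunnel only these destinations are routed into the IPsec tunnel.
TUNNELLED_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.2.0.0/24")]


def source_seen_by_nas(dst_ip):
    """Source address the NAS firewall sees for a split-tunnel client talking to dst_ip.

    Private destinations travel inside the tunnel and arrive from the VPN client address;
    a public destination (the router's WAN IP) leaves the client directly, so the NAS sees
    the ISP address abroad, which is exactly what the original poster observed."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in TUNNELLED_NETS):
        return VPN_CLIENT_IP
    return REMOTE_ISP_IP


def connect_to_dsm(resolver, port=5001):
    """Resolve the NAS name with the given resolver, then apply the firewall rules."""
    dst = resolve(NAS_HOSTNAME, resolver)
    src = source_seen_by_nas(dst)
    decision, rule = firewall_decision(src, port)
    return {"dst": dst, "src": src, "decision": decision, "rule": rule}


if __name__ == "__main__":
    for name in RESOLVERS:
        print(f"{name:15s} -> {connect_to_dsm(name)}")
```

Running it shows the two outcomes from the thread side by side: with the public DNS answer the connection targets the WAN IP, bypasses the tunnel and is denied as coming from 37.x, while with the DSM DNS Server answer it targets the LAN IP, goes through the tunnel and is allowed by the VPN-client rule. The same `firewall_decision` function also shows why a French address other than the poster's own ISP address reaches only the DSM ports.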
 
> It could be that the DNS resolution for your domain is returning the Internet IP of the router’s WAN port. Does your NAS’s local perimeter router/firewall device support local loopback? That means: does the router recognise LAN-side requests to its WAN IP where there is a corresponding port forwarding rule… so the router loops back the request to the LAN IP it normally forwards to.
>
> If you try to connect to the NAS down the VPN using the NAS’s LAN IP then this may work; you just have to accept any exceptions because the certificate is for domain/server names and does not match the IP.
>
> Since I’m lazy and don’t want to have my router handle all my internal connections using loopback, I run DNS Server on DSM to resolve my domain to LAN IPs. Local devices are told to use this via DHCP, with DNS Server sending resolution for other domains to Internet DNS services. For devices on the Internet they still resolve my domain using public DNS services and that’s to my router’s WAN IP.
Hi Fredbert,

I followed your "lazy" tip and it works fine. Thanks :)