Firewall rules


Post by arden » Tue Feb 21, 2012 7:59 pm

Hi,

I'm trying to set up my DS2411+ with the following network limitations.

Allow connections from the WAN to only the OpenVPN

Allow connections from anything on the LAN (192.168.1.1/255.255.255.0)

If not on my LAN, I'd like to force everyone to connect to the VPN and then access the unit that way.

I've tried a few things but none have worked. Any pointers would be great.

Thanks!
arden
Rookie
Posts: 32
Joined: Tue Feb 21, 2012 7:46 pm

Re: Firewall rules

Post by iket » Tue Feb 21, 2012 10:05 pm

Plug your DS into your private LAN and any IP on your LAN has full access.

Open the VPN port (1194-OpenVPN, 1723-PPTP; better check these in the docs) on your FW/router and forward to your DS private IP, then connect with your favorite VPN client on the WAN side via your public IP, DDNS domain, etc.

Everything else should be closed on the WAN side assuming you haven't forwarded any other ports. Not sure what you mean by forcing a VPN connection other than not allowing any other than VPN access.

You don't need any firewall rules in your DS.

Is this what you want?

Edit: I assume you have installed and are running the VPN server on your DS and have configured it properly with valid users, etc.

DS 211J DSM 4.0-2228
DS 212 DSM 4.0-2228
DS 212J DSM 4.0-2228 (at work)
DS 1512+ DSM 4.0-2228 / Kingston KVR1066D3S8S7/2G
Camera - FOSCAM FI8918W, FOSCAM FI8910W, Linksys WVC54GC
Firewall - SonicWALL TZ 100 Switch - Cisco SG200-08
UPS - APC Back-UPS ES 750, CyberPower CP825AVR LCD
iket
Experienced
Posts: 101
Joined: Fri Jan 27, 2012 3:57 am
Location: Montreal, Canada

Re: Firewall rules

Post by arden » Wed Feb 22, 2012 10:04 am

Hey,

Thanks for the reply! Yup, VPN is up and running on the DS, but my setup requires that the DS be in the DMZ for other reasons that I can't go into, so all internet connections will be coming into it, which is why I'd like to limit connections on the WAN side of things to just VPN access for better security.

I've tried adding subnet limits but find that I'm still able to get to the login page on the DSM via the WAN and log in, which makes no sense considering all connections are meant to be on deny by default if no rule is found?

I currently only have the VPN rule added to allow connections on that port from any, but as it's in the DMZ I can still access the DSM via WAN :(

Thanks!
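Added example, not part of the original posts and not DSM's own code: a minimal first-match firewall model of the policy described in this thread, showing that the rule set only closes the DSM login from the WAN when the action for unmatched traffic is deny. The rule model, UDP as the protocol for port 1194, TCP port 5000 for the DSM web login and the probe addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    source: str        # network the rule applies to (CIDR or netmask form)
    proto: str         # "tcp", "udp" or "any"
    ports: frozenset   # empty set means every port
    action: str        # "allow" or "deny"

def decide(rules, default, src, proto, port):
    """First matching rule wins; `default` is used when nothing matches."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if addr not in ipaddress.ip_network(r.source, strict=False):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.ports and port not in r.ports:
            continue
        return r.action
    return default

# Policy from the thread: the LAN gets everything, everyone else only OpenVPN.
# UDP for port 1194 is an assumption; check the VPN server's own settings.
POLICY = [
    Rule("192.168.1.1/255.255.255.0", "any", frozenset(), "allow"),
    Rule("0.0.0.0/0", "udp", frozenset({1194}), "allow"),
]

# Constructed probes: (label, source IP, protocol, destination port).
# 203.0.113.7 is a documentation address standing in for a WAN client;
# TCP 5000 is assumed to be the DSM web login port.
PROBES = [
    ("LAN -> DSM login", "192.168.1.50", "tcp", 5000),
    ("WAN -> OpenVPN", "203.0.113.7", "udp", 1194),
    ("WAN -> DSM login", "203.0.113.7", "tcp", 5000),
    ("WAN -> SSH", "203.0.113.7", "tcp", 22),
]

def audit(default):
    """Return {label: action} for every probe under the given no-match action."""
    return {label: decide(POLICY, default, src, proto, port)
            for label, src, proto, port in PROBES}

if __name__ == "__main__":
    for default in ("allow", "deny"):
        print(f"no-match action = {default}")
        for label, action in audit(default).items():
            print(f"  {label:18} {action}")
```

With two allow rules and no explicit deny, the outcome for WAN traffic to the DSM login depends entirely on the no-match action, so that setting is the first thing to check on a unit placed in a DMZ.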

Re: Firewall rules

Post by arden » Thu Feb 23, 2012 11:15 am

Hey again,

It seems it's working correctly now after a reboot of the unit. I have all the things blocked I wanted blocked and have the VPN up and running.

Re: Firewall rules

Post by daveharrison » Fri Mar 02, 2012 1:04 am

I am trying to do something very similar but I cannot seem to connect to my DS at all. Instead, when using DDNS static IP I only get as far as the router dashboard. It appears no port forwarding is happening although it is all set up to forward. Can you offer any advice? BTW, I have not put my DS in the DMZ yet! This would be a last resort.

VPN server is running both OpenVPN and PPTP, although I cannot access them.

Used the wizard so assume all port forwarding is correct.

PnP is activated so should automatically open necessary port.

Firewall on router is active but as I say port forwarding should control access.

Can you offer any advice? I ask as you seem to have some success in getting a VPN from outside your LAN, which is all I want to achieve for safe browsing while out and about with my tablet/laptop.

Cheers
Dave
daveharrison
I'm New!
Posts: 1
Joined: Fri Mar 02, 2012 12:58 am

Re: Firewall rules

Post by iket » Fri Mar 02, 2012 4:55 am

My suggestion is not to assume anything. Check the router port forwarding rules and make sure. Report back with the info and maybe we can help. You haven't given much to go on.

For VPN PPTP make sure port 1723 is forwarded and/or VPN pass through is enabled on the router.

Personally I think UPnP is very dangerous and a bad idea. I don't want any software having full control of opening ports on my routers. Remember the bad guys will have the same ability. I always turn it off on any router. All real firewalls don't even know about UPnP.

WPS is proving to be the same joke :lol: (read about "this great idea" and reaver on google)

Learn how to create port forwarding rules yourself on your router.

And don't forget to have fun.


