Eth1: LAN-only, Eth2: External, select processes

Topics including remote access and management can go here, including port forwarding, telnet, ssh, and advanced network settings.
AngryAnt
I'm New!
Posts: 8
Joined: Fri Aug 24, 2018 9:50 am

Eth1: LAN-only, Eth2: External, select processes

Unread post by AngryAnt » Thu Sep 13, 2018 8:30 am

Apologies if this has been covered earlier. Browsing the forum has not uncovered anything relevant and the search function is... interesting.

Anyway, I would like to investigate the possibility of doing a little bit of hosting via Docker without exposing all of my NAS to the interwebs and all the joyously fun people on it. Since the NAS comes with two ethernet ports, I was hoping that it might be possible to achieve the following setup:

1) By default all network activity happens via Eth1 only.
2) Select processes connect in- and outbound via Eth2 only (in this case Docker).
3) A few processes get a custom NAT setup with some outbound connections happening on Eth2 and some ports mapped.

#3 is gravy - my priority is the clean separation between Eth1 and 2. My intent is to configure my router to completely forward all inbound traffic to Eth2, which is why I'd like to explicitly control what may listen there. That same router is then configured to only grant Eth1 LAN access.

Would a setup like this be supported at all by the DSM and if so, where might I find good resources on the topic?

tb123
Knowledgeable
Posts: 362
Joined: Sun Sep 03, 2017 10:55 am

Re: Eth1: LAN-only, Eth2: External, select processes

Unread post by tb123 » Thu Sep 13, 2018 10:57 am

I’m not exactly sure what you are wanting to do, however can you set up a couple of VLANs on a router and managed switch, separate the two ethernet ports of the NAS into each of the VLANs and control what can access the NAS either by VLAN (firewall and port forward rules in the router) or firewall rules in the NAS per interface?
DS916+, 3 x 4TB WD Red, 1 x 4TB WD Purple
UniFi USG, 16 port PoE switch and 4 x AP’s, some Windows, Mac, Android and iDevices

Squozen
Guru
Posts: 1561
Joined: Wed Jan 09, 2013 1:35 am

Re: Eth1: LAN-only, Eth2: External, select processes

Unread post by Squozen » Thu Sep 13, 2018 11:39 am

Why would you want full internet access to the NAS? You're vulnerable to any zero-day exploit that comes along.

AngryAnt
I'm New!
Posts: 8
Joined: Fri Aug 24, 2018 9:50 am

Re: Eth1: LAN-only, Eth2: External, select processes

Unread post by AngryAnt » Thu Sep 13, 2018 8:00 pm

tb123 wrote:
Thu Sep 13, 2018 10:57 am
I’m not exactly sure what you are wanting to do, however can you set up a couple of VLANs on a router and managed switch, separate the two ethernet ports of the NAS into each of the VLANs and control what can access the NAS either by VLAN (firewall and port forward rules in the router) or firewall rules in the NAS per interface?
Indeed. I am fine with the router part of the setup - hence asking specifically about the DSM network configuration :)

AngryAnt
I'm New!
Posts: 8
Joined: Fri Aug 24, 2018 9:50 am

Re: Eth1: LAN-only, Eth2: External, select processes

Unread post by AngryAnt » Thu Sep 13, 2018 8:04 pm

Squozen wrote:
Thu Sep 13, 2018 11:39 am
Why would you want full internet access to the NAS? You're vulnerable to any zero-day exploit that comes along.
Agreed - that would be quite silly.

Hence the intent of granting the main interface zero internet access, while directing internet access at the other interface utilised only by select processes.

tb123
Knowledgeable
Posts: 362
Joined: Sun Sep 03, 2017 10:55 am

Re: Eth1: LAN-only, Eth2: External, select processes

Unread post by tb123 » Fri Sep 14, 2018 12:54 am

Presumably each process requires a certain port to work with?
If you only allow those ports through the LAN2 Firewall, is that enough?
DS916+, 3 x 4TB WD Red, 1 x 4TB WD Purple
UniFi USG, 16 port PoE switch and 4 x AP’s, some Windows, Mac, Android and iDevices

AngryAnt
I'm New!
Posts: 8
Joined: Fri Aug 24, 2018 9:50 am

Re: Eth1: LAN-only, Eth2: External, select processes

Unread post by AngryAnt » Fri Sep 14, 2018 8:59 am

tb123 wrote:
Fri Sep 14, 2018 12:54 am
Presumably each process requires a certain port to work with?
If you only allow those ports through the LAN2 Firewall, is that enough?
Sure. Though I would prefer to do such configuration on my router. Hence my just saying "all traffic" for the sake of simplicity. Though we're still discussing routing rather than NAS-side ethernet interface restrictions for some reason, so I guess that intent backfired ;)

Squozen
Guru
Posts: 1561
Joined: Wed Jan 09, 2013 1:35 am

Re: Eth1: LAN-only, Eth2: External, select processes

Unread post by Squozen » Fri Sep 14, 2018 9:35 am

AngryAnt wrote:
Thu Sep 13, 2018 8:04 pm
Squozen wrote:
Thu Sep 13, 2018 11:39 am
Why would you want full internet access to the NAS? You're vulnerable to any zero-day exploit that comes along.
Agreed - that would be quite silly.

Hence the intent of granting the main interface zero internet access, while directing internet access at the other interface utilised only by select processes.
Right, but the way I'm reading it, you're allowing all ports through to the NAS and relying on its firewall to do the filtering. So if there's a bug in the firewall or you accidentally have a service listen on both interfaces you're vulnerable. Maybe it's too early in the morning and I'm still misunderstanding, but the way I configure a network is to block traffic I don't intend to reach a device as far back in the chain as I can and that's at the router in this instance. If nothing else, it reduces bandwidth on the link between the router and the NAS.
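One way to check for the failure mode Squozen raises (a service accidentally listening on both interfaces), as an added example that is not part of the thread: a small Python audit over `ss -lntu` output from the NAS. The sample output and the Eth1/Eth2 addresses are constructed, and the allowlist is an assumed set of ports you intend to expose on Eth2.

```python
# Added example: flag listeners reachable on the external interface (Eth2)
# that were not explicitly meant to be. Not from the thread or from DSM itself.

# Constructed sample of `ss -lntu` output on a two-NIC Linux NAS.
# Assumed addresses: 192.168.1.10 is Eth1 (LAN only), 203.0.113.10 is Eth2.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    192.168.1.10:5000  0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096   203.0.113.10:8080  0.0.0.0:*
tcp   LISTEN 0      128    [::]:5001          [::]:*
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*
"""

# Local addresses that mean "every interface", i.e. Eth1 and Eth2 at once.
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}


def parse_listeners(ss_output):
    """Return (proto, local_address, port) tuples from `ss -lntu` text."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        # Column 5 is "Local Address:Port"; split on the last ':' so
        # bracketed IPv6 addresses such as [::]:5001 stay intact.
        addr, _, port = fields[4].rpartition(":")
        listeners.append((fields[0], addr, int(port)))
    return listeners


def audit(ss_output, ext_ip, allowed_external_ports):
    """List sockets that would answer on the external interface without being
    on the allowlist: wildcard binds, and explicit Eth2 binds not allowed."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        if port in allowed_external_ports:
            continue  # intentionally exposed on Eth2
        if addr in WILDCARDS:
            findings.append((proto, addr, port, "bound to all interfaces"))
        elif addr == ext_ip:
            findings.append((proto, addr, port, "external bind not in allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS, "203.0.113.10", {8080}):
        print("%s %s:%d  %s" % finding)
```

Binds to the Eth1 address or to loopback are left alone, since the LAN side is the one the thread intends to keep reachable.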

tb123
Knowledgeable
Posts: 362
Joined: Sun Sep 03, 2017 10:55 am

Re: Eth1: LAN-only, Eth2: External, select processes

Unread post by tb123 » Fri Sep 14, 2018 11:26 am

AngryAnt wrote:
Fri Sep 14, 2018 8:59 am
tb123 wrote:
Fri Sep 14, 2018 12:54 am
Presumably each process requires a certain port to work with?
If you only allow those ports through the LAN2 Firewall, is that enough?
Sure. Though I would prefer to do such configuration on my router. Hence my just saying "all traffic" for the sake of simplicity. Though we're still discussing routing rather than NAS-side ethernet interface restrictions for some reason, so I guess that intent backfired ;)
No, I was talking LAN2 ethernet interface on the NAS and using its firewall to only allow certain ports through for the required services.
Port forward router to NAS LAN2, firewall only open for certain ports etc.
DS916+, 3 x 4TB WD Red, 1 x 4TB WD Purple
UniFi USG, 16 port PoE switch and 4 x AP’s, some Windows, Mac, Android and iDevices

AngryAnt
I'm New!
Posts: 8
Joined: Fri Aug 24, 2018 9:50 am

Re: Eth1: LAN-only, Eth2: External, select processes

Unread post by AngryAnt » Sat Sep 15, 2018 7:58 am

Thank you for your time and effort, but if we could shelve the routing advice for a second and focus on the core of my original question, I would be most grateful :)
AngryAnt wrote:
Thu Sep 13, 2018 8:30 am
Since the NAS comes with two ethernet ports, I was hoping that it might be possible to achieve the following setup:

1) By default all network activity happens via Eth1 only.
2) Select processes connect in- and outbound via Eth2 only (in this case Docker).

Would a setup like this be supported at all by the DSM and if so, where might I find good resources on the topic?

tb123
Knowledgeable
Posts: 362
Joined: Sun Sep 03, 2017 10:55 am

Re: Eth1: LAN-only, Eth2: External, select processes

Unread post by tb123 » Sat Sep 15, 2018 8:28 am

Then you probably shouldn’t have asked about routing in your original question...
DS916+, 3 x 4TB WD Red, 1 x 4TB WD Purple
UniFi USG, 16 port PoE switch and 4 x AP’s, some Windows, Mac, Android and iDevices
