Firewall rules

Topics including remote access and management can go here, including port forwarding, telnet, ssh, and advanced network settings.
Forum rules
We've moved! Head over to Synology Community ( to meet up with our team and other Synology enthusiasts!
I'm New!
I'm New!
Posts: 6
Joined: Fri Jun 03, 2016 2:36 pm

Firewall rules

Unread post by chrisrpriceuk » Mon Aug 08, 2016 11:22 am

Hi all,

I just want to check that my understanding is correct?

I have my firewall rules setup to only allow access to SRM HTTPS.

If IPV4 / IPV6 WAN-to-SRM, WAN-to-LAN traffic matches no rules - all set to deny access.

I then have port forwarding set for a port that I want to forward incoming traffic to.

Would that be the correct approach?

The reason I ask is that I was suddenly having some issues with the port that was being forwarded and whilst reviewing settings noticed that "IPV4 WAN-to-LAN traffic matches no rules" was set to Allow Access and I thought this seemed wrong. I've set it to deny access and things all seemed to start working again which was odd..

This morning the port forwarding seemed to stop again and on re-enabling and disabling IPV4 WAN-to-LAN, it's come back to life again..

All very strange.


I'm New!
I'm New!
Posts: 5
Joined: Tue Mar 21, 2017 11:30 am

Re: Firewall rules

Unread post by markab » Tue Mar 21, 2017 11:36 am

I noticed that the default firewall configuration of my firewall on the 2600 out of the box was...

IPv4 WAN to LAN traffic matches no rules was set to ALLOW!! surely this is bad configuration for new installation?! all the others were set to DENY.

Is there any reason why it would be set this way? I assume all the "matches no rules" options should be DENY and then I just allow IP's and ports as exceptions to that? is this the best way to configure the synology firewall?

I'm New!
I'm New!
Posts: 3
Joined: Mon Apr 17, 2017 10:26 pm

Re: Firewall rules

Unread post by Tompous » Mon Apr 17, 2017 10:42 pm

Those firewalls rules are functionnal?

Beacause I set no custom rules and I select the "Deny Access" if the trafic don't match rules for the 4 entries.
So normally there is no trafic allowed for all my network.

But.. With this configuration I have no problems to access Internet or watch videos or use Skype etc...

So i'm a little bit disappointed, have anyone and idea for this?

PS : Yes it's the good way to configure a Firewall normally, default rules set to Deny and exceptions are set to allow authaurized trafic.

I'm New!
I'm New!
Posts: 3
Joined: Mon Apr 17, 2017 10:26 pm

Re: Firewall rules

Unread post by Tompous » Tue Apr 18, 2017 11:15 am

Update :

I set a custom rule that deny all trafic on all ports to Deny.

With this rules I see the "hit" count increase and my network didn't have access to Internet anymore. So this custom rule is working.

I tried to setup another rule to accept HTTP to make an exception but it didn't work (i placed this rule on top of and then on bottom of but nothing's working...).

I think that the solution is maybe there (need to make more test).. Create a custom deny rule and then create others customs allowing rules on top of this rule that are enabled before the last one (deny all)... I will continue the tests and update the topic if I find the way to go.

Anyway, if someone have an idea why the 4 "default" rules are not working i'm interested.

I'm New!
I'm New!
Posts: 3
Joined: Mon Apr 17, 2017 10:26 pm

Re: Firewall rules

Unread post by Tompous » Tue Apr 18, 2017 9:49 pm


Is there anyone present on this Forum?

I made some tests and I'm starting to tink that the Firewall on the Synology router is a Joke...

When I set the allow all custom rule on top of the deny all rule, all the trafic pass (Normal)
When I do the reverse all the trafic is blocked (normal).
That prove that there's a priority concept working on the rules.

But when I set :
1) Name "Wan_To_Lan" / Protocol "TCP/UDP" / Source IP "All" / Source Port "All" / Destination IP "" / Destination port "All" / Action "Allow
2) Name "Wan_To_SRM" / Protocol "TCP/UDP" / Source IP "All" / Source Port "All" / Destination IP "SRM" / Destion port "All" / Action "Allow

Nothing on the first rule (0 HIT) and all on the second rule.. But the local IP of the synology router ils ... So normally the first rule include the second rule...
Except if the "SRM" value is not equal to the local IP address of synology router?

User avatar
Posts: 85
Joined: Wed Apr 16, 2008 1:12 pm
Location: Denmark

Re: Firewall rules

Unread post by Mock » Fri Apr 20, 2018 2:19 pm

I see the firewall is working fine, and also as expected.

I run the default settings
Lan>wan no rule matching
created two rules at the buttom


This one blocks all RDP, and only allow a single ip RDP access

Thinks you need to keep in mind is to not use the source address for restriction, and if you already have an open connection the rule will only take affect when reconnecting to the RDP as in this example
DS1515+ (16GB) | DSM 6.1-15047 Update 2 | SHR Raid 5 | DX510
Synology RT2600ac SRM 1.1.3-6447 Update 4 |(Windows 10 Enterprise 64bit 10.0.14393)


Return to “Remote Access and Network Management”