Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

sims11
Rookie
Posts: 30
Joined: Fri Jul 01, 2011 2:47 pm

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by sims11 » Thu Feb 16, 2017 2:10 am

UGOTSERVED wrote: You can do the same with home networks as long as you're willing and able to administer. The signatures were for the IPS where you should have them updated daily automatically.

To keep it simple yes, double NAT but don't set the Synology router on a DMZ port from the Verizon router.
You'll need to monitor what's getting blocked if you set to IPS because you'll probably have a lot of false positives

Sounds good.

So the takeaway:
- Double NAT is ok.
- First port of contact router (Verizon) should have firewall enabled, not have DMZ, and the Synology router can be second port.
- On Synology router enable IPS
- and I suppose on the "first port of contact" router, open ports that are needed


To be frank, I am a little confused about this - double NAT and not having Synology router on DMZ port. Because it sounds like for the Synology NAS to be accessible from outside, I will now have to enable two port forwards - once on the first router and then on the second router.

You don't have to coach on this any further - just saying that I guess I am a little uncertain about the most secure and reasonable to manage config for a home user.

Thank you!

UGOTSERVED
Beginner
Posts: 21
Joined: Wed Feb 01, 2017 5:04 am

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by UGOTSERVED » Sat Feb 18, 2017 2:12 am

sims11 wrote:
UGOTSERVED wrote: You can do the same with home networks as long as you're willing and able to administer. The signatures were for the IPS where you should have them updated daily automatically.

To keep it simple yes, double NAT but don't set the Synology router on a DMZ port from the Verizon router.
You'll need to monitor what's getting blocked if you set to IPS because you'll probably have a lot of false positives
Sounds good.

So the takeaway:
- Double NAT is ok.
- First port of contact router (Verizon) should have firewall enabled, not have DMZ, and the Synology router can be second port.
- On Synology router enable IPS
- and I suppose on the "first port of contact" router, open ports that are needed


To be frank, I am a little confused about this - double NAT and not having Synology router on DMZ port. Because it sounds like for the Synology NAS to be accessible from outside, I will now have to enable two port forwards - once on the first router and then on the second router.

You don't have to coach on this any further - just saying that I guess I am a little uncertain about the most secure and reasonable to manage config for a home user.

Thank you!

Verizon Router
WAN port to ONT

Synology Router
WAN port to Verizon Router LAN
LAN ports to internal wired network

You don't have to use NAT on Synology router but may be easier depending on your situation.
I would enable IDS on Synology router first and make sure you review your logs for a couple of weeks to see what "normal" traffic is before turning on IPS. I would definitely read up on this for further understanding of what you'd be getting yourself into.
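
One way to do the log review recommended above before switching from IDS to IPS, as an added example that is not part of the original posts. It assumes the alerts can be exported as Suricata-style `fast.log` lines (the thread does not state the router's log format); the sample lines, signature IDs and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# ASSUMPTION: alerts are in Suricata-style "fast.log" format. The thread does
# not say what the router's IDS log looks like; adapt the regex to your export.
ALERT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})-\S+\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

# Constructed sample alerts (hypothetical signature IDs, documentation addresses).
SAMPLE_LOG = """\
02/18/2017-08:01:10.000001  [**] [1:9000001:1] EXAMPLE POLICY NAS cloud sync [**] [Classification: Policy] [Priority: 1] {TCP} 192.168.1.20:50111 -> 198.51.100.7:443
02/19/2017-08:02:11.000002  [**] [1:9000001:1] EXAMPLE POLICY NAS cloud sync [**] [Classification: Policy] [Priority: 1] {TCP} 192.168.1.20:50112 -> 198.51.100.7:443
02/19/2017-21:15:00.000003  [**] [1:9000002:2] EXAMPLE SCAN inbound SSH probe [**] [Classification: Recon] [Priority: 2] {TCP} 203.0.113.9:40022 -> 192.168.1.1:22
02/20/2017-08:03:12.000004  [**] [1:9000001:1] EXAMPLE POLICY NAS cloud sync [**] [Classification: Policy] [Priority: 1] {TCP} 192.168.1.21:50113 -> 198.51.100.7:443
02/20/2017-10:00:00.000005  [**] [1:9000003:1] EXAMPLE INFO unusual DNS query [**] [Classification: Misc] [Priority: 3] {UDP} 192.168.1.30:5353 -> 192.0.2.53:53
"""


def baseline(log_text, min_days=2):
    """Summarise alerts per signature over the observation period.

    A signature seen on at least `min_days` distinct days is marked
    "recurring": in IPS mode that traffic would be dropped repeatedly, so it
    should be reviewed (true positive or false positive?) before enabling IPS.
    """
    hits = Counter()
    days = defaultdict(set)
    sources = defaultdict(set)
    names = {}
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip lines that are not alerts
        sid = int(m["sid"])
        hits[sid] += 1
        days[sid].add(m["date"])
        sources[sid].add(m["src"])
        names[sid] = m["msg"]
    return [
        {"sid": sid, "msg": names[sid], "count": count,
         "days": len(days[sid]), "sources": sorted(sources[sid]),
         "recurring": len(days[sid]) >= min_days}
        for sid, count in hits.most_common()
    ]
```

Run `baseline()` over each week's export during the IDS-only period; signatures that stay "recurring" and originate from your own devices are the likely false positives to tune before IPS is turned on.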

sims11
Rookie
Posts: 30
Joined: Fri Jul 01, 2011 2:47 pm

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by sims11 » Sun Feb 19, 2017 2:43 pm

UGOTSERVED wrote: Verizon Router
WAN port to ONT

Synology Router
WAN port to Verizon Router LAN
LAN ports to internal wired network

You don't have to use NAT on Synology router but may be easier depending on your situation.
I would enable IDS on Synology router first and make sure you review your logs for a couple of weeks to see what "normal" traffic is before turning on IPS. I would definitely read up on this for further understanding of what you'd be getting yourself into.

Thanks for the reply.

I will read about IDS and IPS.
Wondering though that if I do not have NAT on Synology router, would I also not be disabling the routing functions (including IDS etc)?

Will try and set this up and see how it works.

I do wish that somebody who understands this better would lay out a recommended network for non-business but security-conscious users (with some explanation of why the recommendations...). Maybe Synology itself, or maybe an expert here.

Thank you again!

robertk007
I'm New!
Posts: 1
Joined: Fri Aug 18, 2017 7:52 pm

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by robertk007 » Fri Aug 18, 2017 8:02 pm

IPS is cutting speed to half on any Internet connection with default rule set.

I tested IPS today on classic slow 40/5 VDSL line and router with IPS turned on, downstream was incredibly slow, just the half.
IDS: 40/5
IPS: 20/5

How did you get downloads like 70 Mbps with IPS on?

MSimon
I'm New!
Posts: 2
Joined: Mon Oct 02, 2017 4:17 pm

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by MSimon » Mon Oct 02, 2017 10:27 pm

robertk007 wrote:IPS is cutting speed to half on any Internet connection with default rule set.

I tested IPS today on classic slow 40/5 VDSL line and router with IPS turned on, downstream was incredibly slow, just the half.
IDS: 40/5
IPS: 20/5

How did you get downloads like 70 Mbps with IPS on?

Downgrade USB 3.0 to 2.0 (works with cable connection), then it is about 20% speed loss.

tiz_i_gman
I'm New!
Posts: 2
Joined: Tue Apr 03, 2018 8:52 pm

Re: Same bad Intrusion Prevention performance on new RT2600ac as on RT1900ac

Unread post by tiz_i_gman » Sun Apr 15, 2018 5:12 pm

I've placed an Untangle unit in bridged mode to handle the IDS/IPS, etc. If you purchase the Home license ($5 per month) you get all the features.
Or if you don't want to pay that you can use OpenDNS or Symantec DNS servers to do some filtering with the DNS plugin.
I do like the Synology SSL VPN and WAN failover features. Also if they support the router for the same length of time like they do their NAS devices it's worth getting.
