Can't get a VPN to route, Security rules Failing.


Postby yerbabie » Thu Oct 12, 2017 5:10 am

Hi All

Recently replaced my RT1900AC with a RT2600AC, and I was re-instating my security rules to allow VPN access out from my DSM 1817+.

So I have 2 rules. The first rule blocks all TCP/UDP from my 1817+, and then the second (third) to open ports for VPN access.

If the block rule is disabled, then the VPN connects etc, no issues (also used to work on 1900ac).
When enabled I can see the block rule getting hits and stopping packets, but the secondary rules are not allowing traffic through at all. I've tried 443 with OpenVPN, as well as PPTP ports 1723 etc, but nothing connects, and these rules don't appear to be getting "hits"...

I've checked the .ovpn file and it's port 443 for openvpn... so getting very frustrated.
I have also confirmed from the 1817+ from the VPN log... it's getting a connection time out.

I have also confirmed it's doing it for port 80 traffic etc, as it also won't check for auto-updates or check package center, even when I add port 80,443 etc.

Am I missing something... very very frustrating, and I'm sure it's the same as the 1900AC.

cheers,
B
STORAGE DS1817+ (5 x 4TB WD Red RAID 6)
BACKUP DS1010+ (5 x 3TB WD Red RAID 5)
RT2600AC Routing

Re: Can't get a VPN to route, Security rules Failing.

Postby Yaky » Thu Oct 12, 2017 3:53 pm

The Firewall will check the rules from top to bottom; when a match is found, it will not check the remaining rules. Consider moving the block all to the bottom of the rule order.

Re: Can't get a VPN to route, Security rules Failing.

Postby yerbabie » Thu Oct 12, 2017 11:07 pm

Yep, I've tried that. It's also not working for port 80/443 for DSM updates and packages etc, starting to wonder if the 2600 has issues...

Re: Can't get a VPN to route, Security rules Failing.

Postby Babylonia » Sat Oct 14, 2017 1:58 am

yerbabie wrote:The first rule blocks all TCP/UDP from my 1817+

As you have already set the first rule to block TCP as well as UDP, a follow-up rule to "open" VPN, as it is using UDP, shall not be opened, because you have already blocked all UDP traffic in front of it.

For a better understanding of Firewall rules, with examples of how to set Firewall rules, see:
https://forum.synology.com/enu/viewtopi ... 29#p452529

Very typical usage: https://forum.synology.com/enu/viewtopi ... 78#p479578
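
The top-to-bottom, first-match evaluation described in the replies above, modelled as an added example that is not part of the original thread and not Synology's code. The `Rule` structure, the NAS address, the sample packets and the allow-by-default policy are assumptions made for illustration; the per-rule counter mirrors the "hits" the first post mentions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # source IP, or "*" for any
    proto: str                   # "tcp", "udp", or "*" for both
    dport: Optional[int] = None  # destination port, None = any port
    hits: int = 0                # per-rule match counter, like a "hits" column

    def matches(self, src, proto, dport):
        return (self.src in ("*", src)
                and self.proto in ("*", proto)
                and self.dport in (None, dport))

def evaluate(rules, src, proto, dport, default="allow"):
    """Walk rules top to bottom; the first match decides and ends the walk."""
    for rule in rules:
        if rule.matches(src, proto, dport):
            rule.hits += 1
            return rule.action
    return default  # assumed policy when no rule matches

NAS = "192.168.1.10"  # constructed address standing in for the DS1817+

def build(order):
    rules = {
        "block-all": Rule("block-all", "deny", NAS, "*"),
        "openvpn-443": Rule("openvpn-443", "allow", NAS, "*", 443),
        "pptp-1723": Rule("pptp-1723", "allow", NAS, "tcp", 1723),
    }
    return [rules[name] for name in order]

# Constructed outbound packets from the NAS: (src, proto, dport)
PACKETS = [(NAS, "tcp", 443), (NAS, "udp", 443), (NAS, "tcp", 1723), (NAS, "tcp", 25)]

def run(order):
    """Return the verdict per packet and the hit count per rule."""
    rules = build(order)
    verdicts = [evaluate(rules, *pkt) for pkt in PACKETS]
    return verdicts, {r.name: r.hits for r in rules}

if __name__ == "__main__":
    for order in (["block-all", "openvpn-443", "pptp-1723"],
                  ["openvpn-443", "pptp-1723", "block-all"]):
        print(order, *run(order))
```

With the block rule first, every packet is denied and the allow rules record zero hits; with the block rule last, only traffic that matches no allow rule reaches it.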
