Can't get a VPN to route, Security rules Failing.

yerbabie
Experienced
Posts: 134
Joined: Thu Oct 28, 2010 12:16 am

Can't get a VPN to route, Security rules Failing.

Unread post by yerbabie » Thu Oct 12, 2017 5:10 am

Hi All

Recently replaced my RT1900AC with an RT2600AC, and I was re-instating my security rules to allow VPN access out from my DSM 1817+.

So I have 2 rules. The first rule blocks all TCP/UDP from my 1817+, and then the second (third) to open ports for VPN access.

If the block rule is disabled, then the VPN connects etc., no issues (also used to work on the 1900ac).
When enabled I can see the block rule getting hits and stopping packets, but the secondary rules are not allowing traffic through at all. I've tried 443 with OpenVPN, as well as PPTP ports 1723 etc., but nothing connects, and these rules don't appear to be getting "hits"...

I've checked the .ovpn file and it's port 443 for OpenVPN... so getting very frustrated.
I have also confirmed from the 1817+ from the VPN log... it's getting a connection timeout.

I have also confirmed it's doing it for port 80 traffic etc., as it also won't check for auto-updates or check Package Center, even when I add port 80, 443 etc.

Am I missing something... very, very frustrating, and I'm sure it's the same as the 1900AC.

cheers,
B
STORAGE DS1817+ (5 x 4TB WD Red RAID 6)
BACKUP DS1010+ (5 x 3TB WD Red RAID 5)
RT2600AC Routing

Yaky
Trainee
Posts: 11
Joined: Sat Sep 30, 2017 1:34 am

Re: Can't get a VPN to route, Security rules Failing.

Unread post by Yaky » Thu Oct 12, 2017 3:53 pm

The firewall will check the rules from top to bottom; when a match is found it will not check the remaining rules. Consider moving the block-all rule to the bottom of the rule order.

yerbabie
Experienced
Posts: 134
Joined: Thu Oct 28, 2010 12:16 am

Re: Can't get a VPN to route, Security rules Failing.

Unread post by yerbabie » Thu Oct 12, 2017 11:07 pm

Yep, I've tried that. It's also not working for port 80/443 for DSM updates and packages etc., starting to wonder if the 2600 has issues...
STORAGE DS1817+ (5 x 4TB WD Red RAID 6)
BACKUP DS1010+ (5 x 3TB WD Red RAID 5)
RT2600AC Routing

Babylonia
Virtuoso
Posts: 1305
Joined: Tue Jul 26, 2016 10:47 am

Re: Can't get a VPN to route, Security rules Failing.

Unread post by Babylonia » Sat Oct 14, 2017 1:58 am

yerbabie wrote: The first rule blocks all TCP/UDP from my 1817+

As you have already set the first rule to block TCP as well as UDP, a follow-up rule to "open" VPN, as it is using UDP, will not be opened, because you have already blocked all UDP traffic in front of it.

For a better understanding of firewall rules, with examples of how to set them, see:
https://forum.synology.com/enu/viewtopi ... 29#p452529

Very typical usage: https://forum.synology.com/enu/viewtopi ... 78#p479578
RT1900ac / DS213j / DS415+ / DS218+ (at different locations).
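
The top-to-bottom, first-match evaluation described in the replies above, modelled as an added example that is not part of the original thread and is not Synology's code. The NAS address, the rule names and the default-allow policy are assumptions made for illustration; `shadowed()` reports later rules that an earlier rule fully covers, which is why they never register a hit.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: Optional[str]     # source IP; None = any
    proto: Optional[str]   # "tcp" / "udp"; None = both
    dport: Optional[int]   # destination port; None = any

    def key(self):
        return (self.src, self.proto, self.dport)

    def matches(self, src, proto, dport):
        return all(w is None or w == g for w, g in zip(self.key(), (src, proto, dport)))

    def covers(self, other):
        # True if every packet that matches `other` also matches this rule.
        return all(m is None or m == o for m, o in zip(self.key(), other.key()))

def decide(rules, src, proto, dport, default="allow"):
    # First match wins; later rules are never consulted (default is an assumption).
    for r in rules:
        if r.matches(src, proto, dport):
            return r.action, r.name
    return default, "default"

def shadowed(rules):
    # (later_rule, earlier_rule) pairs where the later rule can never get a hit.
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                pairs.append((later.name, earlier.name))
                break
    return pairs

NAS = "192.168.1.10"  # constructed address standing in for the DS1817+
BLOCK = Rule("block-nas-all", "deny", NAS, None, None)
ALLOW_443 = Rule("allow-443", "allow", NAS, None, 443)
ALLOW_PPTP = Rule("allow-pptp-1723", "allow", NAS, "tcp", 1723)

BLOCK_FIRST = [BLOCK, ALLOW_443, ALLOW_PPTP]   # order described in the first post
BLOCK_LAST = [ALLOW_443, ALLOW_PPTP, BLOCK]    # order suggested in the reply

if __name__ == "__main__":
    for label, rules in (("block first", BLOCK_FIRST), ("block last", BLOCK_LAST)):
        print(label, decide(rules, NAS, "tcp", 443), "shadowed:", shadowed(rules))
```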
