Sign in to follow this  
naets

external acces

Recommended Posts

I am totally NOT a computer wizard but like to get most out off things.

 

I run the dsm 6.0.2-8451 v1.01

 

My DiskStation is placed behind 2 routers (witch I configured with port forwarding). I assume I can access the internet as I can download packages.

 

When I try to create an external way to reach the DS it always say that this is not possible.

I tried quickconnect - activate - but when I want to make an account it always gives a screen saying that the action I tried to perform is not possible due to an error somewhere.

I also tried it when I placed my DS behind only 1 router but this gives the same errors.

 

I did some reading and found that it would have to do something with the serial number off the device? trying to create the sinology account It would check the serial number of the DS to see if you have a real synology DS, is this so??

 

 

 

How can I create a (safe) external access to my DS?

Share this post


Link to post
Share on other sites

Your reading about needing 'real' synology mac and serial numbers is correct for a quickconnect account. There are ways to create 'real' numbers and edit the boot configuration files (search the forum for both, its not hard to find)

however there is no reason why your 'double natted' access through two routers should not work provided you set the correct ports and protocols on your routers depending on what you want to access, eg dsm web pages, ftp etc. I would do some tests, assuming the 'inside' router is a) and the 'outside' ie the internet connection is b)

 

1) set dhcp address reservation for the nas on router a)

2) set port forwarding to the nas on router a) for the required services

3) connect to the 'wan' side of router a) and check you can access the web pages etc from that side (eg http://wanip:5000)

4) set dhcp reservation for router a) on router b)

5) set port forwarding to router a) from router b) for the required services for the nas

6) you should then be able to connect with http://internetip:5000

7) setup ddns on router b)

Share this post


Link to post
Share on other sites

Connecting with the http://wanip:5000 is possible from inside the network.

 

From outside the network : the internetip I assume that is the unique address I get and not some 192.168.X.X or 10.0.X.X , I assume I can find this by ipconfig/ all on my desktop? or in router b)

 

I'am going to check this when I am home.

 

What is setup ddns, how do I do this? Is this just enabeling ddns, I wil search for this?

Share this post


Link to post
Share on other sites

Don't ever hang your Diskstation directly to the internet.

If an exploit appears for DSM then you're screwed.

It's better to use VPN for this. That way you can access your data without exposing ports.

Share this post


Link to post
Share on other sites

What do you mean by hanging your DS directly on the internet?

 

off course your DS is placed in your local network.

To reach it from outside the local network you can use different methods. do you mean I can not try to reach it by internetip:5000 ??

 

I think I will try the ddns like sbv3000 posted. Does the he ddns only have to be set up on the router b) ?

Share this post


Link to post
Share on other sites

login to router b) and have a look at the 'wan' status, you should see a 'public' ip address provided by your isp. that will be your internetip.

as for ddns, have a look at your router specs and see if it supports ddns - most do and it will be in the 'services' or similar features/configuration. find out which ddns services are supported then you can generally setup a 'free' account for that supplier. Lets say you create a free ddns account called 'naetsnas@freeip.biz' you would get to your nas with http://naetsnas@freeip.biz:5000' for dsm web.

 

Brantje has an excellent point about 'exposing' your nas in this way - there are 'bad dudes' who scan internet connections and look for ports and services and will try and login to devices, or could run scripts against badly written web pages in dsm. vpn is a good idea, but you would need more work on your setup for that. the other things you could do is to translate ports rather than forward - eg 65000 forward to 5000, use https, if your router allows it setup time based access rules, or use the vpn to activate rules when you need them

Share this post


Link to post
Share on other sites

the connection with the DS by http://internetip:5000 works but when I try https://internetip:5001 is does not ( it tells that the owner of the website didn't configure it wright.

 

When I want to setup ddns in the DS it always gives me that the verification failes. The registration of the internetip for my chosen hostname failed

Share this post


Link to post
Share on other sites

you would need to forward port 5001 through both routers and it should work, but you will get https/ssl errors in the browser, but you can create a personal certificate.

you register your ddns account on the router not on ds

Share this post


Link to post
Share on other sites

My router b) does not support ddns, router a) does. Can I configure the ddns on this router en do a port forward on router b) ?

Share this post


Link to post
Share on other sites
What do you mean by hanging your DS directly on the internet?

 

off course your DS is placed in your local network.

To reach it from outside the local network you can use different methods. do you mean I can not try to reach it by internetip:5000 ??

 

I think I will try the ddns like sbv3000 posted. Does the he ddns only have to be set up on the router b) ?

No way in hell I would EVER expose my NAS onto the Internet in that way..

 

I would check whether your router supports use of a VPN and use it to access your network.....

 

#H

Share this post


Link to post
Share on other sites

Why not setup a free DNS service, something like NO-IP https://www.noip.com/

Create a NO-IP account then on your server go to Control Panel/External Access & setup the NO-IP DNS you created.

Share this post


Link to post
Share on other sites
My router b) does not support ddns, router a) does. Can I configure the ddns on this router en do a port forward on router b) ?

 

Which router are you using atm?

Share this post


Link to post
Share on other sites
What do you mean by hanging your DS directly on the internet?

 

off course your DS is placed in your local network.

To reach it from outside the local network you can use different methods. do you mean I can not try to reach it by internetip:5000 ??

 

I think I will try the ddns like sbv3000 posted. Does the he ddns only have to be set up on the router b) ?

No way in hell I would EVER expose my NAS onto the Internet in that way..

 

I would check whether your router supports use of a VPN and use it to access your network.....

 

#H

 

I agree using a vpn is the way to go, but I get the feeling the member asking the question isn't familiar with this type of access or the security risk associated with exposing ports/services.

 

Maybe some links to synology vpn/security resources would help them out, or a post with a basic guide might help prevent a bad situation occurring for people that are new to this type of usage? I'm not sure if there's anything like that on this forum already?

 

This may do as a starting point for a vpn setup http://bpmsg.com/how-to-make-your-synology-disk-station-nas-more-secure/comment-page-1/ but it doesn't really go beyond the vpn aspect.

 

This article gives some useful info https://www.wijngaard.org/hardening-access-to-your-synology-diskstation-and-prepare/

 

Ideally you need to find information that's more generic, that doesn't explain everything directed towards a real synology and their quick connect service etc.

Share this post


Link to post
Share on other sites
But to use VPN I fisrt have to create a ddns, wright?

 

If you have a few pennies available to you, get a new router, one that supports VPN. I uses an ASUS myself, most of the options in there are easy to understand so you can make your network fairly hardy.

 

As for Syno security, have a look at:

https://www.synology.com/en-uk/knowledg ... nology_NAS

 

Even with all that in mind I still wouldn't set your Syno up to face the internet (as in open ports on your firewall and be able to log in from the outside world). A few years back there was a nasty program called SynoLocker that smashed through DSM ransomware style. ( https://forum.synology.com/enu/viewtopic.php?t=88770 ) It's better not to take the risk and instead connect to your machine via a VPN.

 

There's this to look at too. It won't do a thorough scan of your network but it'll graze over the top in the same way a none targeted hacker would looking for an easy catch :

https://pentest-tools.com/

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this