Video I mentioned in regards to Configuring pfsense Firewall Rules For Home
th-cam.com/video/bjr0rm93uVA/w-d-xo.html
More Lawrence Systems Synology Tutorials
lawrence.technology/synology/
Getting Started with pfsense firewall rules
th-cam.com/video/eb1pTs7XamA/w-d-xo.html
How To Setup VLANS With pfsense & UniFI. Also how to build for firewall rules for VLANS in pfsense
th-cam.com/video/b2w1Ywt081o/w-d-xo.html
Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using UniFi & pfsense
th-cam.com/video/ouARr-4chJ8/w-d-xo.html
Wait...You use firewalls?
Awesome that you made this video. Earlier this year I set my firewall rules on my Synology interfaces similar to what you specify for extra security on my network segments. Your guidance has been life-changing to many sir.
I enjoy these firewall rules and VLAN videos, I find out how little I really know
10.13.37.0 is certainly the leet network lol. Great vid as usual, thanks for making this!
Perfect timing Tom, I was just days ago pondering the best way to setup my cameras and Synology and you provided a great solution. Thanks and Happy holidays, Ron
Thanks for this, Tom. Happy New Year!
Great additional security settings I've never thought about. Thanks for this eye opener 😁.
Happy to help!
So if traffic happens, and the top rule allows it, any rule below it that may deny it, doesn’t count. It goes by the first rule from the top that it ever matches with?
Nice. Clear and well presented. Thanks, Tom.
Thanks Tom, Great video - when the trusted network also has access to the Synology on the less trusted network, does that potentially cause asymmetric routing?
You can set the gateway for routing
I love this video, Tom. Thank you so much for doing this. I admit I had never considered using multiple interfaces on my Synology for anything other than aggregation (what a dope!) This is a brilliant use, and I hope to implement this soon! I also loved your pfsense video on this, even though I don't use a pfsense router. It gave me a ton of ideas for how to better secure my home network, which I'm always looking for! Thank you once again!
Excellent - just what I've been waiting for. Many thanks Tom.
Nice summary video. You mentioned the camera network use case, I would love to see an overview of Synology Surveillance Station and a video comparing to UniFi Protect. I'm contemplating the two but thinking since I already have a mid range Synology that Surveillance Station will probably be the better option due to camera costs from Ubiquiti but haven't decided yet and don't yet understand what is needed to get started with S.S. such as licensing. Thanks for the great content!
th-cam.com/video/cNbal0f2qTA/w-d-xo.html
If you need to open ports to the internet, you can limit access from a specific country (your country) through the firewall.
Thanks for doing the video as requested. Very useful.
Thank you for this.
Nice tutorial, thanks Lawrence.
Great video Lawrence Sys. I use Qnap. I imagine it's similar, given the 2 interfaces. Digging in. Thanks for this!
I’m curious if there is a specific reason to use the Synology’s firewall compared to your pfsense box? What are the pros and cons? Are there any limitations in any of the methods?
I use an EdgeRouter with VLANs, and use the router’s firewall to block/allow access to, for instance, the Synology unit’s management interface. By the way, I have no cameras (which someone in another comment mentioned could burden the router’s firewall; if choosing that option).
Thanks for the video, Tom!
I answered that in the video.
@@LAWRENCESYSTEMS Thanks. I guess you refer to the note at 10:52. You decide the scope of the video (who else?), so you could take my questions as ideas for future contents. I’m grateful for the content you produce, and wish you a fantastic 2022!
right in the beginning of the video at 1:22 mark.
@@LAWRENCESYSTEMS Thanks again for taking the time to respond. It was a brief mention that was well placed in the “setting the scene“ introduction, but easily forgotten after having watched the full video.
Great video. Rather than use the 2 Synology ports separately as described, would it be possible or advantageous to set up Link Aggregation with the 2 ports and then create a VLAN for the Less Trusted Network?
That should work as well.
This video came right on time. Just setting up some VLANs and was wondering how to set up my Synology. Do you know of a way to get Plex to use the second nic?
It does automatically
@@LAWRENCESYSTEMS Now it's working. Had to visit the web interface on the new IP:port. From there disable and re-enable remote access for it to recognize the new IP. Also needed to restart chromecast.
you're a good teacher.
Great video, but these LAN 4 firewall rules only work if you have all cameras on a separate PoE switch connected to the LAN 4 interface of the Synology, right?
Thank you, Tom. Great and useful video content, as usual.
I was interested which software you used to draw the network design and if there was a free version of it?
Cheers!
Yes th-cam.com/video/mpF1i9sfEJ0/w-d-xo.html
Your video makes my day.....thank you
So I ask myself, where the difference is in between having a firewall on the system or the firewall on another point in the network, except from network congestion.
Maybe you can explain that to me a bit further?
Hi, thanks for this very informative video. Can you do something like that for truenas? Happy new year!
Great video Tom Tnx.
Very informative.
If I'm not opening up the NAS to the internet then wouldn't it be easier to manage firewall rules on the router?
The only downside I can find is that it sends camera traffic through the firewall which means it will waste a bit of bandwidth, especially if you're using high-res cameras with h264. In my case it uses about 30 mbit constantly, but I have quite a few cameras.
If I understand it, and your comment, correctly, the firewall is on the Synology, not the pfSense box, so there would be no change in bandwidth use because the camera traffic was going directly to the Synology both before and after the firewall is activated. That's ignoring any VLAN management on the network, but that isn't changed by this procedure anyway.
@@jadamsnz that's true if they are on the same subnet, then we won't have to route through the firewall. And yes that won't waste any bandwidth. I myself don't use the firewall in the nas, instead it passes through my pfsense. Putting them on the same lan might be smarter. 😅👍
Hi Tom, thank you for the great video!
If you want to add another layer of security, you can modify the "Admin Group" and allow the "DSM" application only from certain subnets.
Be careful not to lock yourself out ;-)
So I have LAN1 as my secure network for accessing Synology. LAN2 (which is my IOT network) I have blocked as per your video. The issue I'm having though, is now when I'm on my IOT Wifi, I cannot use Photos Mobile backup. I need to switch over to my secure WiFi in order to backup my photos. Any idea on how I can stay on my IOT Wifi and get Photos Mobile through the Synology Firewall?
Thank you.
I struggle with wanting to be able to look at my cameras remotely, so they need access to the internet, but I don't want China ;-) getting into my LAN which obviously begs for the cameras to have their own interface, but also complicating this scenario is that I have my cameras FTP'ing motion triggered video clips to my NAS. Currently, I have those going to an older NAS which I'm not that concerned about, but I may need to eventually move that backup to my Synology NAS.
Use a VPN to remotely access your network
Would I be secure if I don't forward any ports on my router to the Synology NAS? In other words, I would only have local access, right?
Not opening ports does up your security.
On Synology's part it would be useful to just shortlist the ports/interfaces that are in use when you're making the firewall rules.
I just cannot separate the downloadstation, filestation, etc from the management UI. I just cannot block only the management-ui. Kind of useless for me with that all or nothing approach. But thanks
You can leave first interface for management and then bond 3 other interfaces as LACP, then create any number of VLANs on top of aggregation. Unfortunately Synology GUI only allows you to create one VLAN, extra can be added using SSH ... GUI will show all VLAN interfaces, but all will have same name ...
NOT secure is that the 2nd NAS can be accessed freely by devices from the 192 subnet ... an attacker can place malicious files on the 10 subnet NAS that are then synced back into the 192 subnet (or restored after the 192 NAS fails)
Sorry, but you need to explain more basically and slowly. I assume this tutorial is for beginners?