ฝัง
- เผยแพร่เมื่อ 23 ก.ค. 2024
- This tutorial goes over how to set up a firewall on a Synology NAS. A firewall allows you to only accept traffic from specific IP addresses or subnets on specific ports. Most Synology users likely do not require a firewall due to the fact that their router will act as the firewall.
#synology #firewall #networking
Hire Me! www.spacerex.co/hire-me/?utm_...
Support the Channel & Get Early Access to ALL Videos: / spacerexwill
Post on the forums: forums.spacerex.co
More DSM 7.2 Videos:
DSM 7.2 release video: • DSM 7.2 Finally Releas...
SMB Multichannel: • DOUBLE YOUR Performanc...
Overview of DSM 7.2: • Synology DSM 7.2 Beta ...
Container Manager (previously docker): • DSM 7.2 Beta - Contain...
Best Synology Line up*:
DS923+ : amzn.to/3IFQb79
DS1621+: amzn.to/3SesIge
DS1821+: amzn.to/3IhBaXr
RS1221+: amzn.to/3SiOL5I
Desk accessories (desk pad, keyboard stand, wrist rest)*: bit.ly/3qRKix8 , discount code SPACEREX for 10% off
TOC
00:00 Introduction
01:09 What is a firewall?
02:17 Overview of firewalls on Synology
05:03 Setting up the firewall
06:54 Basic firewall rules (local network access only)
13:08 Configuring to allow remote access
17:18 A few closing notes
*These are affiliate links, which means that if you purchase a product through one of them, I will receive a small commission (at no additional cost to you). Thank you for supporting my channel! - วิทยาศาสตร์และเทคโนโลยี
SpaceRex is the hero of Synology. They really should pay this guy. He's bringing lots of value!
Your channel is one of my go-to places when I need help or info on my NAS.
Thanks man!
I greatly appreciate all of your Synology videos. You speak so clearly and calmly...you have helped me so much during my first Synology configuration. Thank you!!
Great tutorial, Will! Excellent information. Thanks again buddy! 😊
Fantastic Tutorial Will. I still don't fully understand the numbers, but I used the ones you provided and tested it with my phone. Works great. A lot less complicated than my old one.
It's really what I was looking for, thanks SpaceRex.🙏
Really great video! Your channel has always been very helpful and I want to thank you for all of your hard work. Keep it up!
This is exactly what I was looking for. Thanks, Will!
Thanks, Will. This is very useful information and you explained it well.
Bellissimo video! Finalmente ho risolto il mio problema di attaccchi al mio NAS da varie parti del mondo. Fino a qualche settimana fa avevo messaggi continui da parte del mio NAS di accessi non desiderati con i relativi indirizzi IP, dopo aver impostato il firewall, seguendo il tuo video, i messaggi sono completamente spariti!!! FINALMENTE!!! Seguo sempre i tuoi video molto semplici e professionali, continua così perché sei unico! Non voglio tradurre il testo con google perché voglio che si capisca che ti seguo dall'Italia... Grazie
Very useful, thank you for uploading! Now I have to reconfigure my NASes ;-)
Greetings from Germany!
Could not have come at a better time, Thankyou.
Great guide, helped me a lot. thanks!
Timely and simple. Thanks
great tutorial, very helpful, Thanks a lot
very very VERY usefull and well explained. Thanks and salute from italy
As you mention during the video, another video talking about network and subnet and would be great
"Hey", very good video. Tks.
Thanks!
Is your Time machine backup video from 3 years ago still valid since a lot has changed with new DSM versions? If so, maybe a new video on this topic?
Great video Will! Thanks for showing us how to setup firewall security in an understandable way. One question, when using a Tailscale VPN, it assigns different IP addresses to each device that are not part of the three private networks you discussed. Should we add the Tailscale IP to the firewall and allow it? I have yet to setup my Synology firewall yet with All Denied yet so want to be sure that if I did, my Tailscale network would still work. Thanks again! 👍🏻👍🏻
Ah, so with TailScale I think the traffic actually comes in via the local app (does not act like a normal VPN) so you may not have to do anything. But if it does get blocked you can open up the CGNAT subnet the same way you did the other 3. Just with the following info:
IP: 100.64.0.0
Subnet mask: 255.192.0.0
@@SpaceRexWill Great! Thank you! Since my Tailscale hands out IP’s with different second octets, would it be? …
IP: 100.0.0.0
Subnet Mask: 255.0.0.0
How would you organize the following: clients (win/linux) backup data onto a smb share on a synology NAS. Now the data is backuped but not save against viruses that encrypt data because the share is available (I found no was to set security setting, that the clients can write data but not change or delete it). So I would backup this NAS-backup share with e.g. HyperBackup to another NAS - now this backup is absolutely safe.
You see another, perhaps easier way?
Thank you! What about IPv6? Just had a look on my own NAS and it only seems to have options for IPv4.
I have not dealt with IPv6 too much, so I can’t be too much help!
Very timely Will; many thanks. I was just going through my Synology router and DS920+ last night and considering exactly this.
On the NAS, there is a section : Control Panel \ Security \ Protection \ Allow/Block List that presumably provides at least some additional protection without setting up the firewall ?
It allows you to block traffic from a specific ip address. I have a limit on the number of login attempts and then a block is set up. I have had occasions of someone with a Russian ip address trying to access my NAS and so added them to the block list on my other NAS. I once blocked myself as I was using the wrong password and had to go in from another device and remove myself from the list!
Yes! I will always add autoblock to any network and any NAS. This prevents people just brute force password guessing. Even if you set it to 100 every 10 min you will keep machines from brute forcing.
Autoblock can be used in tandem with Firewall
@@SpaceRexWill The Allow/Block list is just below Auto block. They are very different settings.
@@davewhite7182 The Allow/Block list is just below Auto block. They are very different settings.
Ah when a device is auto blocked it’s put in the block list. But if something is in the allow list it will never get blocked
If i want to allow access to Plex remotely, should i set allow "custom" port in the firewall to 32400?
I have a Synology router as well as a Synology NAS, would you say that the same firewall rules can be used for the router?
Hello, Do you have a video where you show how to configure (CAPTCHA) for entering Synology nas??
Will I discovered that with DSM 7.2 if you lock yourself out, it goes back to a previous firewall configuration to avoid it, and a pop-up window will even warn you about it!
Thats quite useful!
How does firewall work with reverse proxy? I want to allow access to certain docker apps like Jellyfin when accessing from reverse proxy. But adding port 8096 as a rule wont work, instead its port 443. However then it allow access to all my other docker apps. Is there a way to limit firewall access to only one docker app with reverse proxy?
Again, great video. While creating rules, you must select the interface(s) to apply them to. If I want to block DSM from ALL over the world except the US, I will use your example and applied to my BONDed interface. Now, I as travel, I want to be able to access DSM from ALL over the world as long as I connect to DSM's VPN Server. I guess I will have then one restrictive rule under BOND 1 and one permissive one (or at least no one blocking) for DSM over the VPN interface.
Is that correct?
the Synology has a console for watch the firewall logs?
Would it make sense to apply the same LAN IP configuration on your router?
Your router likely is already doing this
i get an error "failed to load profile data" and can't add any rules. any idea how to correct it?
Hi, I am trying to backup files to my Synology NAS from my computer using Acronis. If I leave fire wall off it works if I turn firewall on it doesn't. Any idea of the rules I need. Thank you.
Ah found it ty.
This helped me. I got someone (a bot) who kept trying to login onto the disabled admin account every 2 minutes. It was really annoying. After setting the firewall (and changing the standard dsm ports) it finally stopped. B.T.W. autoblock didn't work, the bot was using different ip's every time.
I have the same issue, how did you make that change?
@@alanstei5680 search for DSM Port in Settings. Mind you that you wil have to change portforwarding on your router too if you have that set up.
The synology Firewall does not work. I block ALL IPS but my LAN and My friend can still access my nas??? Please explain
Great tutorial but my Firewall is now greyed out and i cannot access at all. Please help with firewall problems.
What is a docker?
Synology is actually warning you if you're about to lock yourself out using the firewall so I don't even think it's possible. I have a request: Could you please make a guide on how to enable the firewall log in iptables and then how to send that log to a syslog server? I'm struggling with my poor Linux knowledge.
My conclusion, as there is a good firewall in my router, I will stick to your first advice and not set this up. Thanks again.
the last rule doesnt many anything unless you directly expose that NAS to a public ip address.
the reason is NAT, your NAS will always see any traffic from outside coming from your main router's ip address.
so the proper way to block connections from internet is basically add your router's IP address as your block rule if your aim is block any connection attempt on your NAS that is coming outside your local network,
This is not true.
The process you are talking about where the traffic looks like it is coming from the router is NAT Masquerading. This is a very rare and niche feature that 99.9% of routers do not support. Port forwarding will show the public IP of the computer connecting to the NAS.
You can try for yourself. Open up 5001 to the NAS and connect from your phone off WiFi. You will see your phones public in the connection logs