Port Forwarding to Synology NAS

brendanos

Hi,
I am a Virgin Media customer and just bought a Synology DS916+ NAS.
I cannot setup the NAS for remote access using the EZInternet app, the router is not on the list. So I need to manually forward all the ports. That's ok, I know how to do that. I have a few questions though if anyone can help m out at all it would be great. My router/modem is Technicolour TC7200.U

1. How do I set my Nas to static IP?

2. The following page shows all the posts I need to forward, https://www.synology.com/en-global/knowledgebase/DSM/tutorial/General/What_network_ports_are_used_by_Synology_services, but there are too many ports here. I can only forward roughly 10 ports, then when I click the add button it will not let me add another row. I see some people on other threads say they need a dynda address. I have no idea how to set this up...but will go that route if someone lets m know what it is I have to do..

3. Do I need all the ports in the above list? I just want to have remote access from any pc and transfer of files also with downloading

4. Any other tips or hints are very much appreciated. I want to maximise my NAS now that I have spent money on it

All help appreciated,
Brendan

Spear

You don't need all of those ports, for example you don't need the mail server, backup or setup stuff to begin with.

What aspects of you do you intend to access? Is it the web front end? Then that's just the HTTPS port at least.

jester77

I would just set up openVPN on the NAS and port forward to it from the router. You can then access it securely as if you were on your home network.

You will probably also need a dynamic DNS service running to help you find the NAS no matter what option you go for. I would imagine Synology have a client built in, you would just need to sign up to a service and enter the details in the Synology client.

seamus

To set your NAS to a static IP, you need to go into the network settings on the Web Interface and set a static IP there.

What you'll also need to do on your router is tell the router not to assign that address to anything else. The DHCP function on routers allows you to specify what range of addresses to assign to devices. The range it's probably giving out is something like 192.168.1.2 - 192.168.1.254

I'd usually change this so it assign IPs from 192.168.1.100-192.168.1.254. Then you can give any static device (such as a NAS or a games console) an IP in the range 192.168.1.2 - 192.168.1.99.

On your questions 2, 3 & 4 the answer really lies in what you want to be able to do with your NAS. A lot of the functionality in there is something you generally only do on the local network - iTunes server, Audiostation etc. Other ones like BT (BitTorrent client) don't need you open any ports for them; you can access the client GUI through the web interface and then access the downloaded files from within your own network.

Initially I would just make HTTPS available to access your web interface and then you can add other services if and when you need then.

brendanos

Thanks a million Spear, Jester and Seamus

Spear I have some files that I want to be able to share with my friends...documents, gopro videos and some pics. I want them to be able to log into my Nas as a guest user and download those files to their pcs (I rather thos option than facebook, and I eould rather set it up on the nas than use dropbox). I also want to run some torrents. And use the DS audio, video and photo apps

Jester, yes Inhave setup the Dynamic Dns, I can look at the files on the nas but can't open or download them. I guess I need to forward those ports

brendanos

Seamus I have just setup the static IP like you suggested, hopefully that will help
Just one question with regards the BitTorrent. I am a member of an invitation only torrent site. I tried downloading a highly seeded torrent from the site (just to confirm the downloader works) but it is not downloading anything. The only thing I can think of is that the .torrent file was downloaded with my laptop onto a watched folder in the nas. Is there anywhere in the DS system ai have to give my username and password for this torrent site? I can't find anywhere but I'm thinking maybe this is the issue....
Thanks again
Brendan

Spear

I can't claim to be personally familiar with the Synology setup, but it looks like the File Station one is the one you want for minimal file access, so that's port 5001 to keep it on HTTPS at least.

And then the Bittorrent ones appropriate for the firmware.

Bear in mind this will be visible to everyone on the planet, so absolutely minimal is the way to go.

brendanos

@Spear how is it visible to everyone on the planet? You mean all my files that are on the nas? I though by setting up a guest login they would only be visiblt to people with a password! Is there any way to make it invisible to everyone, and only visible to people I want?
Brendan

Spear

The open port will be visible not the files, and thus exposed to the usual array of port scanners, bruter forcers and the like. If an exploit arises for it, you risk losing the lot.

brendanos

Ok, I didn't know that. A little concerned now! Is there any way I can increase the security?

Spear

brendanos wrote: »

Ok, I didn't know that. A little concerned now! Is there any way I can increase the security?

Usual stuff such as regular patching, enforce decent passwords. Just apply good practices. You don't need to open the same public facing ports as the internal ones, using something random and a high number and you can forward that to 5001 internally. Things like that are enough to avoid anyone port scanning on the well known and low numbered ports.

brendanos

Ok thanks Spear, I will have a google at in to get more info. Not too sure about how to do the different oirt forwarding but will try to find a tutorial on it

Wompa1

Go with OpenVPN. I was lazy. I moved places and rather than reconfiguring my OpenVPN, I just setup port forwarding. Got hacked a couple of months later. Luckily I caught the guy in the act, forced him off and closed the door before anything was compromised.

brendanos

Wompa just a quick question for you. If I setup the OpenVpn on the NAS would I do that before or after all the ports are forwarded? Or do I need to forward any ports at all if I go openvpn?

Wompa1

brendanos wrote: »

Wompa just a quick question for you. If I setup the OpenVpn on the NAS would I do that before or after all the ports are forwarded? Or do I need to forward any ports at all if I go openvpn?

I did. I followed this: http://rorymon.com/blog/?p=2171

ED E

OpenVPN solves access for Wompa1. Its not really ideal to share files via access to your home LAN.


Really best practice would be to put files you want to share on Google Drive or Mega and not give any remote access to the box. After Mirai we have evidence as to why thats problematic.