D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-655 => Topic started by: Dannermax on May 05, 2015, 12:37:20 PM

Title: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 05, 2015, 12:37:20 PM
Hi all.

I would like to know how I block all outgoing internet traffic in my router (except VPN traffic) from my NAS. My NAS is connected to a VPN service with OpenVPN. As far as I know, the VPN traffic is on port 1194.

Can this be achieved from "access control"? And if so, how do I enter this?
I want to achieve this because sometimes the VPN tunnel fails and my real IP is exposed.

Thanks for your time! Hope to hear from you :)
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: FurryNutz on May 05, 2015, 12:46:26 PM
Welcome! (http://forums.dlink.com/index.php?topic=48135.0)

Internet Service Provider and Modem Configurations

Additional Info:
How to Block a specific port using Access Control: http://forums.dlink.com/index.php?topic=58731.0
How to set up Web Filters: http://www.dlink.cc/d-link-wireless/how-to-setup-website-filter-on-d-link-dir-series-router-dir-655.htm
How to Block FB: http://forums.dlink.com/index.php?topic=50490.0
Web Filter How To: http://forums.dlink.com/index.php?topic=5509.0

Specific Port Blocking: Use Block Some Access/Apply Advanced Port Filters
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 06, 2015, 04:16:09 AM
Hello Furry, and thanks for your reply.

Here is some information on my system:

DIR-655 - Hardware version A4 - Firmware version 1.37NA

Here is a screenshot of the Access Control of my router, where I have added a policy for my NAS:

(http://oi59.tinypic.com/1zxp85e.jpg)

As you can see, I have blocked all ports except port 1194 (which is OpenVPN). But I have run into an issue. I am also using a program called Flexget, which runs a script many times a day. And I can see in its log file that it can't do URL lookups. So I am guessing that I am blocking DNS requests? So how do I, let's say, allow VPN traffic and Google's DNS (8.8.8.8)? (And perhaps something else for it to function properly?)

Again, I am interested in only letting VPN traffic through to the internet, all the time. My IP pool is from 192.168.1.2 to 192.168.1.199

Thanks A LOT for your help!!

Regards
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: FurryNutz on May 06, 2015, 07:12:35 AM
Eeeks, I think your Dest Start and End IPs need to be more specific to just the IP address of the NAS. You're using a wide range which would include any other devices connected to the router. I believe Start and End IPs should be just the IP address of the NAS. I would start with using all ports then narrow down to specific ports while testing to see if the rule configuration works or not.
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 07, 2015, 04:38:54 AM
I don't really understand.

This policy I have added is specific for ONLY 192.168.1.52, which is my NAS. Further along the wizard I get to the attached picture above, where I have specified which IPs and ports are blocked for that particular IP, so that it cannot access them on the internet. I have selected IPs that are outside of the port range of my router, so I do not understand your reply.

You said:
Quote
I believe Start and End IPs should be just the IP address of the NAS.

But dest start and end IP are the IPs that are blocked from the outside of my LAN... not my local IP... right?

Once again, thanks. I know this is not your NORMAL kind of support question.
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: FurryNutz on May 07, 2015, 07:50:29 AM
Ok, Let me see if we can get some additional help on this...
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 07, 2015, 11:13:52 AM
Ok. Can't wait!!
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: PacketTracer on May 07, 2015, 02:42:31 PM
Hi,

Google's DNS 8.8.8.8 on port 53/udp is blocked by your syno3 rule because 8.8.8.8 lies within the destination range 0.0.0.0 - 192.168.0.255 for which you blocked any outgoing traffic from your NAS device.

As far as I understood your scenario, you want to allow your NAS device (192.168.1.52) to talk to


Hence you have to block anything else except the above. And this only works if w.x.y.z is a fixed known address, because you have to build your rules around this address.

From your current rules syno1 and syno2 which seem to allow the OpenVPN connection, I draw the conclusion that "w.x" in w.x.y.z is greater than 192.168. Hence the following set of filter rules should work, given you selected 192.168.1.52 in the wizard's step 3 and "Block Some Access" + "Apply Advanced Port Filters -> checked"  in the wizard's step 4:

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 192.168.0.255 TCP 0 65535
Checked syno2 192.168.2.0 255.255.255.255 TCP 0 65635
Checked syno3 0.0.0.0 8.8.8.7 UDP 0 65535
Checked syno4 8.8.8.9 192.168.0.255 UDP 0 65535
Checked syno5 192.168.2.0 w.x.y.(z-1) UDP 0 65535
Checked syno6 w.x.y.z w.x.y.z UDP 0 1193
Checked syno7 w.x.y.z w.x.y.z UDP 1195 65535
Checked syno8 w.x.y.(z+1) 255.255.255.255 UDP 0 65535

This ruleset is not exactly what you really want because it still allows ICMP to any address and UDP to all ports at 8.8.8.8 (instead of 53 only), but unfortunately this would need additional rules and you cannot specify more than eight.

PT

Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: FurryNutz on May 07, 2015, 03:54:29 PM
Thank you PT.  ::)
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: PacketTracer on May 09, 2015, 01:08:31 AM
Hi again,

my assumption above includes an error in reasoning: Of course LAN internal traffic bypasses the routing/filter process in your router, hence 192.168.1.0/24 doesn't have to be excluded in the filter rules. As a consequence you can use the following filter set:

 [Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 255.255.255.255 TCP 0 65535
Checked syno2 0.0.0.0 8.8.8.7 UDP 0 65535
Checked syno3 8.8.8.8 8.8.8.8 UDP 0 52
Checked syno4 8.8.8.8 8.8.8.8 UDP 54 65535
Checked syno5 8.8.8.9 w.x.y.(z-1) UDP 0 65535
Checked syno6 w.x.y.z w.x.y.z UDP 0 1193
Checked syno7 w.x.y.z w.x.y.z UDP 1195 65535
Checked syno8 w.x.y.(z+1) 255.255.255.255 UDP 0 65535

syno1 disallows your NAS to send TCP to any external IP address.
syno2-8 restrict your NAS to talk UDP to port 53 at 8.8.8.8 and port 1194 at w.x.y.z only.

ICMP isn't blocked, but in general it is a good idea to allow ICMP error messages to be sent from your NAS to external addresses (e.g. to w.x.y.z).

PT
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 09, 2015, 04:59:37 AM
Wow!! This is just what I was looking for. But when I enter the rules, my VPN client disconnects after 10 seconds, telling me that it cannot establish a connection. And I can see that the VPN server that I use has 4 different IP addresses. But when connected to the VPN server, I could see the IP address I had, and I entered it in the rules... but this just made it disconnect... pretty strange. I don't REALLY need Google's DNS. Couldn't I just write 192.168.1.1 in the DNS field of my network setup instead of the Google DNS? And then delete the Google DNS rules in my router?

Again... WOW, this is an awesome piece of work you've done here. I really appreciate it!!
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: PacketTracer on May 09, 2015, 06:10:41 AM
Hi,

yes, if you configure your NAS to use 192.168.1.1 for DNS resolution (given you activated DNS relay function in your router), you wouldn't have to write filters for Google's DNS server 8.8.8.8 - this frees up limited rule space for other purposes.

Can the 4 vpn server addresses be aggregated to some minimum sized IP range encompassing those four addresses, say w.x.0.0/16 ? If so, try the following rule set:

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 255.255.255.255 TCP 0 65535
Checked syno2 0.0.0.0 w.(x-1).255.255 UDP 0 65535
Checked syno3 w.x.0.0 w.x.255.255 UDP 0 1193
Checked syno4 w.x.0.0 w.x.255.255 UDP 1195 65535
Checked syno5 w.(x+1).0.0 255.255.255.255 UDP 0 65535

Here syno1 disallows your NAS to send TCP to any external IP address.
syno2-5 restrict your NAS to talk UDP to port 1194 at any destination address in the range w.x.0.0/16, including the 4 possible OpenVPN servers.

Of course, if another port (instead of 1194) or protocol (TCP instead of UDP) is used to constitute the OpenVPN connection, or if additional communication is in place between OpenVPN client and servers (which you might find out doing a packet trace?) above rules must be adjusted accordingly.

For OpenVPN basics see

Quote
But when connected to the vpn server, i could see the IP address i had, and i entered it in the rules..but this just made it disconnect..pretty strange..

When saying "the IP address i had", you obviously mean the IP address your NAS is using inside the OpenVPN tunnel. But this address is irrelevant to the configuration of your router's filter list, because it belongs to IP packets encrypted via SSL inside the VPN tunnel. Hence it is invisible to your router. Your router only sees the "outer" IP packets transmitted from/to your NAS's address 192.168.1.52 to/from the VPN server's IP address which may be one of 4, if I understood you properly.

Your NAS's OpenVPN client might have some configuration file as specified here (https://openvpn.net/index.php/open-source/documentation/howto.html#client). If so, look at "remote" entries that list the possible VPN server addresses (or DNS names that you have to resolve to find the addresses).

PT
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 10, 2015, 10:20:03 AM
Ok, it will take me some days to wrap my head around this... So you're telling me to find out whether or not my VPN provider has a server which has 4 IP addresses within the same range... x.y.0.0 (where 0 is the range they are within...)?

Ok, my VPN provider has several servers throughout the world, so I will go search for the ones I can use... but you were telling me that:

Quote
When saying "the IP address i had", you obviously mean the IP address your NAS is using inside the OpenVPN tunnel.

What I meant was the external IP addresses of the VPN server I am connected to... which can be 1 or more... which is what you are telling me to look up and write into the rules, right?

Thanks again for your patience!!
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: PacketTracer on May 10, 2015, 12:35:03 PM
Hi,

Quote
What i ment, was the external IP addresses of the VPN server i am connected to.. which can be 1 or more.. which is what you are telling me to look up, and write into the rules right?

Exactly! Because this is the only relevant information you need to specify the filter rule set.

But to make things easy, if you don't know what the VPN server addresses exactly are, or if they might change in an unpredictable manner or if they lie widespread in IP address space, so they can't be aggregated to some ip range significantly smaller than the whole IPv4 space, I'd suggest you try the following simple ruleset:

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 255.255.255.255 TCP 0 65535
Checked syno2 0.0.0.0 255.255.255.255 UDP 0 1193
Checked syno3 0.0.0.0 255.255.255.255 UDP 1195 65535

Here syno1 disallows your NAS to send TCP to any external IP address.
syno2-3 restrict your NAS to talk UDP to port 1194 at any external address, including any possible OpenVPN server address.

If this ruleset works, in a next step find out and report what IP addresses the OpenVPN servers use, so I can try to further narrow down the rules.

PT
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 10, 2015, 01:28:41 PM
Excellent... Ok. I will try it out and report back when I have the relevant IP addresses!!
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 15, 2015, 01:23:53 PM
Alright, now I have contacted my VPN provider and asked which one of their servers has the closest IP range. But would it work if 3 addresses were generally close and 1 was totally off?

The VPN hostnames from my provider all have 4 IP addresses associated with them... afaik.

I will return when I have heard from them!
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: PacketTracer on May 17, 2015, 10:03:27 AM
Hi,

first of all, does the following ruleset from my last post work?

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 255.255.255.255 TCP 0 65535
Checked syno2 0.0.0.0 255.255.255.255 UDP 0 1193
Checked syno3 0.0.0.0 255.255.255.255 UDP 1195 65535

If not, we don't have to think about how to further narrow it down.

You could also consider this set to be sufficient for your needs, because allowing your NAS to talk to UDP port 1194 at any external IP address only can be regarded as restrictive enough.

Of course the better choice would be to further narrow down "any external address" (Dest IP Start=0.0.0.0 Dest IP End=255.255.255.255) to one or more smaller ranges. With one rule needed to block TCP and hence 7 rules left to block UDP you are limited to a maximum of two "allow"-ranges (each one consisting of two blocking rules for UDP ports 0-1193 and 1195-65535) for which you would allow communication to port 1194/UDP, while for addresses lying outside the two ranges you would completely block UDP communication (this results in 3 additional "block"-ranges, each one consisting of a single blocking rule for UDP ports 0-65535, one lying before the first allow-range, one lying between the two allow-ranges and one lying after the last allow-range).

Hence to answer your question "But would it work if 3 addresses were generally close, and had 1 which was totally off?": Yes this could be expressed via a ruleset as described above by declaring the one "totally off" address to be the first or second "allow"-range (depending if it is smaller or greater than the other 3 addresses) and the other 3 addresses to be the second or first "allow"-range respectively. The range encompassing these 3 addresses would start with the smallest address and end with the largest address.

But maybe your VPN provider uses changing VPN server addresses (which the VPN client on your NAS device determines by resolving well known DNS names, written down in some client configuration file or hard coded within the client software). In this case your only chance to further narrow down the ruleset is to know the network ranges reserved for use by your VPN provider (which could be determined via the 'whois' service), which encompass any possible VPN server addresses. If it is no more than 2 ranges you could use the smallest and largest IP address of any range to form the two "allow"-ranges mentioned above. Otherwise you would have to summarize more than two ranges to no more than two ranges by aggregating several neighboring ranges to one condensed range.

PT
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 29, 2015, 12:25:02 PM
No, it does not work, unfortunately. The access is blocked when I try your last suggested rules. And forgive me for the late response time... got a lot of work lately!! :(

I have read your last post a couple of times, and I don't really understand all of it. But I have 4 IP addresses from my VPN provider. Would you be able to make a set of rules with those? It just seems like there is something we are blocking that we don't know about. I have manually removed DNS from my NAS, so I guess the DNS used now is my VPN provider's... or at least I guess so. I have sent you a PM with the IP addresses.

Again, sorry for the late reply...
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: PacketTracer on May 29, 2015, 01:51:54 PM
Hi,

Quote
No it does not work, unfortunately. The access is blocked when i try your last suggested rules.

So then you first have to figure out what protocols and ports besides 1194/udp your VPN client uses or if it uses port 1194/udp at all. Without exactly knowing this it is useless to think about filtering rulesets inside your router.

I recommend you ask your VPN provider (looks like he is this (http://knowledgelayer.softlayer.com/topic/vpn) one?) about which ports and protocols he uses for his VPN service.

Quote
But i have 4 ip addresses from my vpn provider. Would you be able to make a set of rules with those?

Using the RIPE Database Query (https://apps.db.ripe.net/search/query.html) I could figure out that 3 of the 4 addresses lie in some /26 range x.y.6.0 - x.y.6.63 and the fourth address lies in a different /26 range x.y.23.64 - x.y.23.127. And both these /26 ranges lie in the /16 range x.y.0.0 - x.y.255.255. All these ranges belong to your VPN provider.

Hence, given you know the ports and protocols your VPN client uses to connect to the VPN service it would be easy to make a ruleset.

PT

EDIT:

Please try the following ruleset (where x.y is the first two numbers of the four IP addresses):

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 x.y.5.255 Any 0 65535
Checked syno2 x.y.6.64 x.y.23.63 Any 0 65535
Checked syno3 x.y.23.128 255.255.255.255 Any 0 65535

This ruleset restricts your NAS to talk only to the two /26 ranges (2x 64 addresses) the four addresses lie in without further restrictions concerning protocols (udp, tcp) or ports of these protocols (because we don't know which ones to use).

Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 29, 2015, 11:50:27 PM
Hello again. I will try these rules as soon as I get the chance, and try to follow up on your question regarding whether or not my client uses other ports than 1194.

Speak to you soon
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: PacketTracer on May 30, 2015, 06:30:11 AM
Hi,

Quote
I have removed manually dns from my NAS, so i guess the dns used now, is my vpn providers... or at least i guess so.

Just to exclude VPN failure due to inability of your NAS to resolve names via DNS. We discussed this earlier, but maybe I have to be more precise:

If your NAS uses any external DNS servers to do name resolution (no matter if the DNS server addresses are assigned manually or via DHCP by your router), you have to take care, that these DNS server addresses are reachable for port 53/udp. My ruleset didn't allow for it, because I assumed, that you use your router's DNS relay function!

Hence to be explicit at this point, check if the following conditions are met:


After having done all the steps above and with any ACCESS CONTROL Policy disabled check if your VPN connection still works. If so and if you haven't used the DNS Relay function of your router before, this could have been the reason for VPN failure.

Given this was the only reason for failure and port 1194/udp is your VPN provider's port for SSLVPN service, the following ultimate ruleset should work, where x.y is the first two numbers of the four IP addresses used by the SSLVPN service:

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 255.255.255.255 TCP 0 65535
Checked syno2 0.0.0.0 x.y.5.255 UDP 0 65535
Checked syno3 x.y.6.0 x.y.6.63 UDP 0 1193
Checked syno4 x.y.6.0 x.y.6.63 UDP 1195 65535
Checked syno5 x.y.6.64 x.y.23.63 UDP 0 65535
Checked syno6 x.y.23.64 x.y.23.127 UDP 0 1193
Checked syno7 x.y.23.64 x.y.23.127 UDP 1195 65535
Checked syno8 x.y.23.128 255.255.255.255 UDP 0 65535


This ruleset restricts your NAS to talk only to port 1194/udp at 128 possible destination addresses in the ranges x.y.6.0 - x.y.6.63 and x.y.23.64 - x.y.23.127 including the four present SSLVPN service addresses. This also covers the case, that one or more of these addresses may change as long as the new addresses still reside within these two ranges. Otherwise a new ruleset for the bigger range x.y.0.0 - x.y.255.255 should be used as follows:

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 255.255.255.255 TCP 0 65535
Checked syno2 0.0.0.0 x.y-1.255.255 UDP 0 65535
Checked syno3 x.y.0.0 x.y.255.255 UDP 0 1193
Checked syno4 x.y.0.0 x.y.255.255 UDP 1195 65535
Checked syno5 x.y+1.0.0 255.255.255.255 UDP 0 65535


PT
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 30, 2015, 12:08:19 PM
I have now added the rules in my router. DNS relay was already enabled in my router. I will enter my router's IP number as DNS server in the network settings of my NAS. I will test this as soon as possible and get back to you with the results... cross fingers! :)

edit: Can't remember if I told you this, but I can't enter 0 as a port in ACCESS CONTROL, so I enter 1 instead... don't think it makes any difference though.
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: PacketTracer on May 31, 2015, 05:37:31 AM
Hi again,

here is a kind of measure of last resort:

From the names "syno" you used to name the filter rules, am I correct with my assumption that you are using a Synology NAS?

If so, there is a possibility to connect via SSH to the NAS's DSM operating system which looks like some Linux derivative. And in the best case the tool 'tcpdump' is available which you could use to do a packet trace while your NAS tries to connect to the VPN server. By configuring tcpdump to write its packet trace to an output file and analyzing this file via Wireshark you could figure out which ports, protocols and addresses are used for VPN connection setup (at the end it turns out you are using PPTP VPN instead of SSL VPN ...   :D)

If tcpdump isn't available, here (http://www.chainsawonatireswing.com/2012/01/09/installing-3rd-party-software-on-your-synology-diskstation-ds411j/) is a description how to install the package manager 'ipkg' and using ipkg to install 'tcpdump'...

Okay, I'm aware that this is really advanced, but maybe you like that kind of challenges  ;D

PT

Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on May 31, 2015, 12:39:16 PM
Hey!

Great news..

I added the last rules you made, and unlike the other times I added a VPN profile to my (yes, you guessed it) Synology DISKSTATION, where I added a hostname, this time I added a specific IP address. Now my NAS is connected to this specific IP address with the rules applied. And this IP address is one of the addresses I wrote to you.

Yes, I am very familiar with Linux. I could track the activity with tcpdump, but now it seems unnecessary... right?

So wouldn't it make sense if I used rules that only allowed traffic through that specific IP address? The address is the 2nd one I wrote to you.
And I am positive that I'm connecting through OpenVPN, and not PPPoE :-)

Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: PacketTracer on June 01, 2015, 01:55:41 PM
Hi again,

Quote
So wouldent it make sense if i used rules, that only allowed traffic through that specific IP address? The address is the 2.nd one, i wrote to you.

The ruleset using the 2nd address x.y.23.79 would be as follows:

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 255.255.255.255 TCP 0 65535
Checked syno2 0.0.0.0 x.y.23.78 UDP 0 65535
Checked syno3 x.y.23.79 x.y.23.79 UDP 0 1193
Checked syno4 x.y.23.79 x.y.23.79 UDP 1195 65535
Checked syno5 x.y.23.80 255.255.255.255 UDP 0 65535


But I don't think it's a good choice to work with this single address because VPN connection setup will fail if your VPN provider changes this address. In this case you would have to figure out which new set of addresses is valid, pick one of them and then adapt your ruleset to this new address. I think this is not what you want, but of course it's your choice.

Quote
I Could track the activity with tcpdump but now it seems unnecessary.. right?

Not really, because it would be interesting to figure out why VPN connection setup fails if you use a hostname instead of an IP address in your NAS's VPN profile.

But I think I know the reason, and if I'm right a packet trace isn't needed.

Here is my theory:

If you use a hostname in your VPN profile, the VPN client first has to resolve this name via DNS into IP addresses. Of course this name resolves into the four well known IP addresses (you could check this via the Windows nslookup command or the Linux dig command). And no matter if these addresses will change, what remains constant is the VPN profile's hostname which always resolves into the four IP addresses actually valid. The advantage of using four addresses (from the point of view of your VPN provider) is that the sequence these addresses are presented in the DNS reply will change in a round robin manner so you always use another address for any new VPN connection setup. The result is a kind of load balancing the work load of many VPN connections from different customers among those four VPN servers.

My assumption is, that this DNS resolution fails even if your DIR-655 is working as a DNS relay, because the 8th filter rule in my last post (Checked syno8 x.y.23.128 255.255.255.255 UDP 0 65535) will drop DNS requests to port 53/udp at 192.168.1.1 (your router's LAN address). If so this would really be a poor filter implementation because I would expect that only traffic forwarded to the Internet via the WAN interface is subject to filtering but not any traffic sent to the router's LAN side address only.

Hence following this theory we would have to complement the ruleset in order to allow 53/udp traffic sent from your NAS to your router's LAN address 192.168.1.1.

Unfortunately we can't do that, because the maximum of 8 filters is already reached, so we can't add any additional ones. Hence we have to summarize the two /26 ranges x.y.6.0 - x.y.6.63 and x.y.23.64 - x.y.23.127 to a single range x.y.6.0 - x.y.23.127 (which amounts to 4480 addresses instead of 2x64=128 addresses). But since your VPN provider might also change to addresses even outside this bigger range, I would recommend to work with the maximum range x.y.0.0 - x.y.255.255 of 65536 addresses that belong to your VPN provider.

So I would ask you to return to the original VPN profile using the hostname and try the following ruleset:

[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]
Checked syno1 0.0.0.0 192.167.255.255 TCP 1 65535
Checked syno2 192.169.0.0 255.255.255.255 TCP 1 65535
Checked syno3 0.0.0.0 x.y-1.255.255 UDP 1 65535
Checked syno4 x.y.0.0 x.y.255.255 UDP 1 1193
Checked syno5 x.y.0.0 x.y.255.255 UDP 1195 65535
Checked syno6 x.y+1.0.0 192.167.255.255 UDP 1 65535
Checked syno7 192.169.0.0 255.255.255.255 UDP 1 65535


This ruleset restricts your NAS to talk to 1194/udp at any possible VPN provider address lying in the range x.y.0.0 - x.y.255.255. In addition your NAS may talk TCP and UDP to any local (!) IP address lying in the range 192.168.0.0 - 192.168.255.255 including DNS requests using 53/udp or 53/tcp. Choosing the complete range 192.168.0.0/16 gives you the freedom to renumber your network to any new range 192.168.x.0/24 without adapting the ruleset.

PT
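The construction PacketTracer spells out in the May 17 post (one block rule per address gap, two port rules per "allow"-range) and applies in the final list above can be checked mechanically. The following is an added example, not code from this thread, from D-Link or from Synology: it complements a short allow list into the block-only rows the DIR-655 form accepts, counts them against the 8-rule limit, and simulates the router's decision for individual outgoing packets, including the DNS-relay case at 192.168.1.1 under the theory that LAN-side traffic is filtered too. The provider range 203.0.113.0/24 is a constructed stand-in for the real x.y.0.0/16 (the thread never names it), the minimum port is 1 because the form rejects 0, and 198.51.100.10 is a constructed external host.

```python
"""Block-list model of the DIR-655 "Block Some Access / Apply Advanced Port Filters"
lists discussed in this thread (added example, not D-Link's or PacketTracer's code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address

IP_MIN, IP_MAX = IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")
PORT_MIN, PORT_MAX = 1, 65535          # the Access Control form rejects port 0, so 1 is used
DIR655_MAX_RULES = 8                   # stated in the thread: no more than eight filters


@dataclass(frozen=True)
class Allow:
    """An outgoing (destination range, protocol, port range) the NAS may use."""
    ip_start: str
    ip_end: str
    proto: str                         # "TCP" or "UDP"
    port_start: int = PORT_MIN
    port_end: int = PORT_MAX


@dataclass(frozen=True)
class BlockRule:
    """One row of the router's filter list; every field is a match condition."""
    name: str
    ip_start: IPv4Address
    ip_end: IPv4Address
    proto: str                         # "TCP", "UDP" or "Any"
    port_start: int
    port_end: int

    def matches(self, dst_ip: IPv4Address, proto: str, dst_port: int) -> bool:
        return (self.ip_start <= dst_ip <= self.ip_end
                and self.proto in ("Any", proto)
                and self.port_start <= dst_port <= self.port_end)


def build_block_rules(allows, prefix="syno"):
    """Complement an allow list into block rules, per protocol, the way the thread does:
    block every address gap between allowed windows for all ports, and inside each
    window block the ports below and above the allowed port range."""
    rules = []

    def add(ip_lo, ip_hi, proto, p_lo, p_hi):
        rules.append(BlockRule(f"{prefix}{len(rules) + 1}", ip_lo, ip_hi, proto, p_lo, p_hi))

    for proto in ("TCP", "UDP"):
        windows = sorted((a for a in allows if a.proto == proto),
                         key=lambda a: IPv4Address(a.ip_start))
        cursor = IP_MIN                # first address not yet covered by a rule
        for w in windows:
            lo, hi = IPv4Address(w.ip_start), IPv4Address(w.ip_end)
            if cursor is None or lo < cursor:
                raise ValueError(f"overlapping {proto} allow windows")
            if lo > cursor:            # gap before this window: block all ports
                add(cursor, lo - 1, proto, PORT_MIN, PORT_MAX)
            if w.port_start > PORT_MIN:
                add(lo, hi, proto, PORT_MIN, w.port_start - 1)
            if w.port_end < PORT_MAX:
                add(lo, hi, proto, w.port_end + 1, PORT_MAX)
            cursor = None if hi == IP_MAX else hi + 1
        if cursor is not None:         # tail after the last window
            add(cursor, IP_MAX, proto, PORT_MIN, PORT_MAX)
    return rules


def fits_dir655(rules) -> bool:
    return len(rules) <= DIR655_MAX_RULES


def is_blocked(rules, dst_ip: str, proto: str, dst_port: int) -> bool:
    """Simulate the router's decision for one outgoing packet from the NAS."""
    ip = IPv4Address(dst_ip)
    return any(r.matches(ip, proto, dst_port) for r in rules)


def print_rules(rules):
    print("[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]")
    for r in rules:
        print(f"Checked {r.name} {r.ip_start} {r.ip_end} {r.proto} {r.port_start} {r.port_end}")


# Constructed stand-in for the provider's x.y.0.0/16 (TEST-NET-3, not a real VPN provider).
PROVIDER_START, PROVIDER_END = "203.0.113.0", "203.0.113.255"

# The final ruleset of the thread: the whole 192.168.0.0/16 LAN reachable for TCP and
# UDP (so the DNS relay at 192.168.1.1 works), the provider range for UDP 1194 only.
FINAL_ALLOWS = [
    Allow("192.168.0.0", "192.168.255.255", "TCP"),
    Allow("192.168.0.0", "192.168.255.255", "UDP"),
    Allow(PROVIDER_START, PROVIDER_END, "UDP", 1194, 1194),
]

# The earlier two-window ruleset: only two /26-sized windows (constructed stand-ins with
# a gap between them) reachable for UDP 1194, nothing allowed towards the LAN.
TWO_WINDOW_ALLOWS = [
    Allow("203.0.113.0", "203.0.113.63", "UDP", 1194, 1194),
    Allow("203.0.113.128", "203.0.113.191", "UDP", 1194, 1194),
]

if __name__ == "__main__":
    rules = build_block_rules(FINAL_ALLOWS)
    print_rules(rules)
    for ip, proto, port in [("192.168.1.1", "UDP", 53), ("203.0.113.79", "UDP", 1194),
                            ("8.8.8.8", "UDP", 53), ("198.51.100.10", "TCP", 80)]:
        print(ip, proto, port, "blocked" if is_blocked(rules, ip, proto, port) else "allowed")
```

Running it prints the seven rows for the final list and shows that DNS to the router's LAN address and UDP 1194 to the provider range pass while 8.8.8.8:53/udp and any TCP to the internet (the later `curl ifconfig.me` timeout) are dropped; the two-window list needs all eight rows and drops 192.168.1.1:53/udp, which is exactly the DNS-relay failure theorised above, and a third allow window pushes the count to eleven, past the router's limit.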

Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on June 04, 2015, 10:44:08 AM
Wow, once again thanks for all your hard work. I will try to apply the rules as soon as I can and see what happens. I think it makes sense to use the last set of rules you posted, so I will surely try to do that.
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: FurryNutz on June 16, 2015, 07:21:36 AM
Any status on this?  ???
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on June 16, 2015, 11:47:08 AM
Ahh, sorry for not getting back sooner... I'm still using the old ruleset. And when I'm getting back from vacation in 10 days or so, I will try and implement the rules you gave me. It just takes a long time to enter the rules because the router throws me off when there is inactivity for a short while. It took me a long time to write the old ones you gave me. I can tell you that the rules I have so far are working great, but I have to restart the NAS from time to time...

Again, I can't tell you how glad I am for your help! Wish there were more people like you!! :)
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on June 18, 2015, 02:25:46 AM
Right, now I just added the rules to my router. I'm in a summerhouse atm, and I cannot access the web interface of my Synology DiskStation from outside my LAN. But when I get home I will enter the hostname instead of an IP address into the VPN profile... 😃 and hope for the best!!!
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on July 02, 2015, 04:20:46 AM
Hey Furry!

I'm back from holiday, and I have applied the last rule-set you suggested, and I entered the hostname in my VPN profile (instead of a single IP address). And guess what? IT WORKS!!! Yaa... So far it's been connected for 2 hours... so the only thing that could ruin this setup is if an IP address got changed. But I'll cross that bridge when I get to it!

One thing though, any idea why I can't do:

curl ifconfig.me

I want to get my external IP address for my DiskStation, but I'm returned with:

DiskStation> curl ifconfig.me
curl: (7) Failed to connect to ifconfig.me port 80: Connection timed out

In my Synology DiskStation, I have entered 8.8.8.8 as DNS server... hey, perhaps I just answered my own question... the rules in my router are not allowing this? So if I removed the DNS and used my router's, I guess I'll be fine? But on the other hand, I'm able to download files from the internet with my NAS... so I guess it's working as it should now!! :)
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: PacketTracer on July 02, 2015, 05:34:41 AM
Enjoy! PT (proxying Furry ;))
Title: Re: How to block almost all outgoing traffic (ports) from a specific IP
Post by: Dannermax on July 02, 2015, 08:13:03 AM
How embarrassing! Of course I mean PacketTracer... Forgive me for my foolishness!! :)