Topic: How to block almost all outgoing traffic (ports) from a specific IP

Dannermax (Level 1 Member, Posts: 20)
« Reply #15 on: May 15, 2015, 01:23:53 PM »

All right, now I have contacted my VPN provider and asked which one of their servers has the closest IP range. But would it work if 3 addresses were generally close, and 1 was totally off?

The VPN hostnames from my provider all have 4 IP addresses associated with them, AFAIK.

I will return when I have heard from them!

PacketTracer (Level 4 Member, Posts: 441)
« Reply #16 on: May 17, 2015, 10:03:27 AM »

Hi,

first of all, does the following ruleset from my last post work?

[Enable] [Name] [Dest IP Start]  [Dest IP End]     [Protocol] [Dest Port Start] [Dest Port End]
Checked  syno1  0.0.0.0          255.255.255.255   TCP        0                 65535
Checked  syno2  0.0.0.0          255.255.255.255   UDP        0                 1193
Checked  syno3  0.0.0.0          255.255.255.255   UDP        1195              65535

If not, we don't have to think about how to further narrow it down.

You could also consider this set to be sufficient for your needs, because allowing your NAS to talk only to UDP port 1194 at any external IP address can already be regarded as restrictive enough.

Of course the better choice would be to further narrow down "any external address" (Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255) to one or more smaller ranges. With one rule needed to block TCP and hence 7 rules left to block UDP, you are limited to a maximum of two "allow" ranges (each one consisting of two blocking rules for UDP ports 0-1193 and 1195-65535) for which you would allow communication to port 1194/UDP, while for addresses lying outside the two ranges you would completely block UDP communication. This results in 3 additional "block" ranges, each one consisting of a single blocking rule for UDP ports 0-65535: one lying before the first allow range, one lying between the two allow ranges and one lying after the last allow range.

Hence, to answer your question "But would it work if 3 addresses were generally close, and had 1 which was totally off?": Yes, this could be expressed via a ruleset as described above by declaring the one "totally off" address to be the first or second "allow" range (depending on whether it is smaller or greater than the other 3 addresses) and the other 3 addresses to be the second or first "allow" range respectively. The range encompassing these 3 addresses would start with the smallest address and end with the largest address.

But maybe your VPN provider uses changing VPN server addresses (which the VPN client on your NAS device determines by resolving well-known DNS names, written down in some client configuration file or hard-coded within the client software). In this case your only chance to further narrow down the ruleset is to know the network ranges reserved for use by your VPN provider (which could be determined via the 'whois' service), which encompass any possible VPN server addresses. If it is no more than 2 ranges, you could use the smallest and largest IP address of each range to form the two "allow" ranges mentioned above. Otherwise you would have to summarize more than two ranges into no more than two ranges by aggregating several neighboring ranges into one condensed range.

PT

Dannermax (Level 1 Member, Posts: 20)
« Reply #17 on: May 29, 2015, 12:25:02 PM »

No, it does not work, unfortunately. The access is blocked when I try your last suggested rules. And forgive me for the late response time; got a lot of work lately! :(

I have read your last post a couple of times, and I don't really understand all of it. But I have 4 IP addresses from my VPN provider. Would you be able to make a set of rules with those? It just seems like there is something we are blocking that we don't know about. I have manually removed the DNS from my NAS, so I guess the DNS used now is my VPN provider's... or at least I guess so. I have sent you a PM with the IP addresses.

Again, sorry for the late reply...

PacketTracer (Level 4 Member, Posts: 441)
« Reply #18 on: May 29, 2015, 01:51:54 PM »

Hi,

Quote
No, it does not work, unfortunately. The access is blocked when I try your last suggested rules.

So then you first have to figure out what protocols and ports besides 1194/udp your VPN client uses, or if it uses port 1194/udp at all. Without knowing this exactly, it is useless to think about filtering rulesets inside your router.

I recommend you ask your VPN provider (looks like he is this one?) which ports and protocols he uses for his VPN service.

Quote
But I have 4 IP addresses from my VPN provider. Would you be able to make a set of rules with those?

Using the RIPE Database Query I could figure out that 3 of the 4 addresses lie in some /26 range, x.y.6.0 - x.y.6.63, and the fourth address lies in a different /26 range, x.y.23.64 - x.y.23.127. Both these /26 ranges lie in the /16 range x.y.0.0 - x.y.255.255. All these ranges belong to your VPN provider.

Hence, given you know the ports and protocols your VPN client uses to connect to the VPN service, it would be easy to make a ruleset.

PT

EDIT:

Please try the following ruleset (where x.y is the first two numbers of the four IP addresses):

[Enable] [Name] [Dest IP Start]  [Dest IP End]     [Protocol] [Dest Port Start] [Dest Port End]
Checked  syno1  0.0.0.0          x.y.5.255         Any        0                 65535
Checked  syno2  x.y.6.64         x.y.23.63         Any        0                 65535
Checked  syno3  x.y.23.128       255.255.255.255   Any        0                 65535

This ruleset restricts your NAS to talking only to the two /26 ranges (2 x 64 addresses) the four addresses lie in, without further restrictions concerning protocols (udp, tcp) or ports of these protocols (because we don't know which ones to use).

Dannermax (Level 1 Member, Posts: 20)
« Reply #19 on: May 29, 2015, 11:50:27 PM »

Hello again. I will try these rules as soon as I get the chance, and try to follow up on your question regarding whether or not my client uses other ports than 1194.

Speak to you soon

PacketTracer (Level 4 Member, Posts: 441)
« Reply #20 on: May 30, 2015, 06:30:11 AM »

Hi,

Quote
I have manually removed the DNS from my NAS, so I guess the DNS used now is my VPN provider's... or at least I guess so.

Just to exclude VPN failure due to your NAS's inability to resolve names via DNS: we discussed this earlier, but maybe I have to be more precise.

If your NAS uses any external DNS servers to do name resolution (no matter if the DNS server addresses are assigned manually or via DHCP by your router), you have to take care that these DNS server addresses are reachable on port 53/udp. My ruleset didn't allow for it, because I assumed that you use your router's DNS relay function!

Hence to be explicit at this point, check if the following conditions are met:

  • In your router look at the ROUTER SETTINGS inside SETUP | NETWORK SETTINGS and check if Enable DNS Relay is activated!
  • With DNS Relay active inside your router it should deploy its own address (192.168.1.1) as DNS server address to DHCP clients. You have to reboot your DHCP clients to make this change effective.
  • If your NAS is configured to be a DHCP client, reboot it so it gets your router's address 192.168.1.1 as its new DNS server address. Or configure your NAS manually to use your router's address 192.168.1.1 as its new DNS server.

After having done all the steps above, and with any ACCESS CONTROL policy disabled, check if your VPN connection still works. If so, and if you haven't used the DNS Relay function of your router before, this could have been the reason for VPN failure.

Given this was the only reason for failure and port 1194/udp is your VPN provider's port for the SSLVPN service, the following ultimate ruleset should work, where x.y is the first two numbers of the four IP addresses used by the SSLVPN service:

[Enable] [Name] [Dest IP Start]  [Dest IP End]     [Protocol] [Dest Port Start] [Dest Port End]
Checked  syno1  0.0.0.0          255.255.255.255   TCP        0                 65535
Checked  syno2  0.0.0.0          x.y.5.255         UDP        0                 65535
Checked  syno3  x.y.6.0          x.y.6.63          UDP        0                 1193
Checked  syno4  x.y.6.0          x.y.6.63          UDP        1195              65535
Checked  syno5  x.y.6.64         x.y.23.63         UDP        0                 65535
Checked  syno6  x.y.23.64        x.y.23.127        UDP        0                 1193
Checked  syno7  x.y.23.64        x.y.23.127        UDP        1195              65535
Checked  syno8  x.y.23.128       255.255.255.255   UDP        0                 65535

This ruleset restricts your NAS to talking only to port 1194/udp at 128 possible destination addresses in the ranges x.y.6.0 - x.y.6.63 and x.y.23.64 - x.y.23.127, including the four present SSLVPN service addresses. This also covers the case that one or more of these addresses change, as long as the new addresses still reside within these two ranges. Otherwise, a new ruleset for the bigger range x.y.0.0 - x.y.255.255 should be used, as follows:

[Enable] [Name] [Dest IP Start]  [Dest IP End]     [Protocol] [Dest Port Start] [Dest Port End]
Checked  syno1  0.0.0.0          255.255.255.255   TCP        0                 65535
Checked  syno2  0.0.0.0          x.y-1.255.255     UDP        0                 65535
Checked  syno3  x.y.0.0          x.y.255.255       UDP        0                 1193
Checked  syno4  x.y.0.0          x.y.255.255       UDP        1195              65535
Checked  syno5  x.y+1.0.0        255.255.255.255   UDP        0                 65535

PT

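PacketTracer's tables above are worked out by hand, following the counting from reply #16: one rule blocks all of TCP, and for every UDP address range that may reach port 1194 there are two port rules (below and above 1194) plus one all-ports block range before, between and after the allowed ranges. As an added example that is not part of the thread, the following Python script does that complement mechanically and checks the result against the 8-filter limit. It assumes 192.0 as a stand-in for the provider's x.y (the real prefix is not given on the page) and, with first_port=1, reproduces the tables PacketTracer later writes for a GUI that refuses port 0.

```python
"""Build a D-Link ACCESS CONTROL block-rule table that complements an allow list.

The DIR-655 policy in this thread only knows "block" rules, so everything that
should be permitted has to appear as the gaps between block rules.
"""
from ipaddress import IPv4Address
from typing import List, Tuple

# (dest_ip_start, dest_ip_end, protocol, dest_port_start, dest_port_end)
Rule = Tuple[str, str, str, int, int]
# (ip_start, ip_end, protocol, port_start, port_end) that must stay reachable
Allow = Tuple[str, str, str, int, int]

MAX_RULES = 8            # filters per ACCESS CONTROL policy, as stated in the thread
LAST_IP = 0xFFFFFFFF     # 255.255.255.255


def _rule(lo: int, hi: int, proto: str, plo: int, phi: int) -> Rule:
    return (str(IPv4Address(lo)), str(IPv4Address(hi)), proto, plo, phi)


def complement_rules(allows: List[Allow], first_port: int = 0) -> List[Rule]:
    """Return block rules that permit exactly the entries in `allows` and nothing else.

    first_port=1 mirrors a GUI that does not accept 0 as a port number.
    Raises ValueError on overlapping allow ranges for the same protocol.
    """
    rules: List[Rule] = []
    for proto in ("TCP", "UDP"):
        ranges = sorted(
            (int(IPv4Address(lo)), int(IPv4Address(hi)), plo, phi)
            for lo, hi, p, plo, phi in allows if p == proto
        )
        cursor = 0                                   # first address not yet covered by a rule
        for lo, hi, plo, phi in ranges:
            if lo < cursor:
                raise ValueError(f"overlapping {proto} allow ranges")
            if lo > cursor:                          # gap before this allow range: block all ports
                rules.append(_rule(cursor, lo - 1, proto, first_port, 65535))
            if plo > first_port:                     # ports below the allowed window
                rules.append(_rule(lo, hi, proto, first_port, plo - 1))
            if phi < 65535:                          # ports above the allowed window
                rules.append(_rule(lo, hi, proto, phi + 1, 65535))
            cursor = hi + 1
        if cursor <= LAST_IP:                        # gap after the last allow range (or no allows at all)
            rules.append(_rule(cursor, LAST_IP, proto, first_port, 65535))
    return rules


def fits(rules: List[Rule]) -> bool:
    """True if the table fits into one ACCESS CONTROL policy."""
    return len(rules) <= MAX_RULES


def render(rules: List[Rule], name: str = "syno") -> str:
    """Print the table in the column layout used in the thread."""
    lines = ["[Enable] [Name] [Dest IP Start] [Dest IP End] [Protocol] [Dest Port Start] [Dest Port End]"]
    for i, (lo, hi, proto, plo, phi) in enumerate(rules, 1):
        lines.append(f"Checked {name}{i} {lo} {hi} {proto} {plo} {phi}")
    return "\n".join(lines)


# Stand-in for the provider's x.y.0.0/16 (assumption: the real prefix is not on the page).
XY = "192.0"

# OpenVPN 1194/udp to the two /26 ranges only (the 8-rule table above).
TWO_SLASH26: List[Allow] = [
    (f"{XY}.6.0", f"{XY}.6.63", "UDP", 1194, 1194),
    (f"{XY}.23.64", f"{XY}.23.127", "UDP", 1194, 1194),
]

# 1194/udp to the whole /16, plus anything TCP/UDP to the LAN so DNS to the router still works.
WITH_LAN: List[Allow] = [
    (f"{XY}.0.0", f"{XY}.255.255", "UDP", 1194, 1194),
    ("192.168.0.0", "192.168.255.255", "UDP", 0, 65535),
    ("192.168.0.0", "192.168.255.255", "TCP", 0, 65535),
]

if __name__ == "__main__":
    for allows, first_port in ((TWO_SLASH26, 0), (WITH_LAN, 1)):
        table = complement_rules(allows, first_port)
        print(render(table))
        print(f"-> {len(table)} rules, fits in {MAX_RULES}: {fits(table)}\n")
```

Run as a script it prints the same 8 rows as the first table above (with 192.0 in place of x.y) and, for the second allow list, the 7-row table with the LAN exempted that PacketTracer arrives at later in the thread. Overlapping allow ranges raise instead of producing a table that quietly permits more than intended; the check worth keeping in mind is that the LAN exemption costs two rules (one per protocol) out of the eight.
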
Dannermax (Level 1 Member, Posts: 20)
« Reply #21 on: May 30, 2015, 12:08:19 PM »

I have now added the rules in my router. DNS relay was already enabled in my router. I will enter my router's IP address as DNS server in the network settings of my NAS. I will test this as soon as possible and get back to you with the results. Fingers crossed! :)

Edit: Can't remember if I told you this, but I can't enter 0 as a port in ACCESS CONTROL, so I enter 1 instead. Don't think it makes any difference, though.

PacketTracer (Level 4 Member, Posts: 441)
« Reply #22 on: May 31, 2015, 05:37:31 AM »

Hi again,

Here is a kind of measure of last resort:

From the names "syno" you used to name the filter rules, am I correct in assuming that you are using a Synology NAS?

If so, there is a possibility to connect via SSH to the NAS's DSM operating system, which looks like some Linux derivative. And in the best case the tool 'tcpdump' is available, which you could use to do a packet trace while your NAS tries to connect to the VPN server. By configuring tcpdump to write its packet trace to an output file and analyzing this file via Wireshark, you could figure out which ports, protocols and addresses are used for VPN connection setup (and in the end it turns out you are using PPTP VPN instead of SSL VPN ...   :D)

If tcpdump isn't available, here is a description of how to install the package manager 'ipkg' and use ipkg to install 'tcpdump'...

Okay, I'm aware that this is really advanced, but maybe you like that kind of challenge  ;D

PT


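PacketTracer's suggestion is to capture with tcpdump and read the file in Wireshark. As an added example that is not from the thread, this Python script does the "which addresses, protocols and ports" part of that analysis offline over a classic libpcap file such as `tcpdump -i eth0 -w vpn.pcap` writes, and prints the destination tuples the router rules would have to leave open. The embedded capture is constructed for the example, not a real trace; 192.0.23.79 and 192.0.6.7 stand in for the provider's x.y addresses, and the PPTP frames are included to show the case PacketTracer jokes about: PPTP's data channel is GRE (IP protocol 47), which has no port and so cannot be narrowed by a port-based rule.

```python
"""Pull destination (address, protocol, port) tuples out of a tcpdump capture.

Reads the classic libpcap format that `tcpdump -w file.pcap` writes (Ethernet
link type) and counts where the NAS is talking to; those tuples are what the
router's ACCESS CONTROL rules have to leave open.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address
from typing import Iterable, List, Optional, Tuple

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}
Dest = Tuple[str, str, Optional[int]]   # (dst ip, protocol name, dst port or None)


def summarize_pcap(data: bytes) -> Counter:
    """Count (dst_ip, proto, dst_port) over all IPv4 frames in a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"                          # capture written on a little-endian host (the usual case)
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) captures are handled")

    counts: Counter = Counter()
    offset = 24                               # skip the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, offset)[2]
        frame = data[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not an IPv4 frame (ARP, IPv6, ...)
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[23]
        dst = str(IPv4Address(frame[30:34]))
        l4 = frame[14 + ihl:]
        dport = struct.unpack_from("!H", l4, 2)[0] if proto in (6, 17) and len(l4) >= 4 else None
        counts[(dst, PROTO_NAMES.get(proto, str(proto)), dport)] += 1
    return counts


def destinations(data: bytes) -> List[Tuple[Dest, int]]:
    """Destination tuples, most frequent first."""
    return summarize_pcap(data).most_common()


# --- constructed sample capture (not a real trace) ---------------------------

def _frame(dst: str, proto: int, dport: Optional[int]) -> bytes:
    """Ethernet + IPv4 + minimal L4 header from 192.168.1.50; checksums stay zero, the parser ignores them."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # TCP SYN
    elif proto == 17:
        l4 = struct.pack("!HHHH", 40000, dport, 8, 0)                                    # UDP, empty payload
    else:
        l4 = struct.pack("!HH", 0x0000, 0x880B)                                          # bare GRE header, PPP inside
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address("192.168.1.50").packed, IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4


def build_pcap(frames: Iterable[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, tz, sigfigs, snaplen, Ethernet
    records = b"".join(struct.pack("<IIII", 1432900000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


# 192.0.23.79 / 192.0.6.7 stand in for the provider's x.y addresses (assumption).
SAMPLE_PCAP = build_pcap([
    _frame("192.168.1.1", 17, 53),     # DNS to the router's relay
    _frame("192.168.1.1", 17, 53),
    _frame("192.0.23.79", 17, 1194),   # OpenVPN
    _frame("192.0.23.79", 17, 1194),
    _frame("192.0.23.79", 17, 1194),
    _frame("192.0.6.7", 6, 1723),      # what a PPTP client shows instead: TCP control channel ...
    _frame("192.0.6.7", 47, None),     # ... plus GRE, which has no port to filter on
])

if __name__ == "__main__":
    for (dst, proto, dport), n in destinations(SAMPLE_PCAP):
        print(f"{n:4d}  {dst:16} {proto}/{dport if dport is not None else '-'}")
```

On the real trace, replace SAMPLE_PCAP with the bytes read from the file tcpdump wrote; anything listed that is not 192.168.x.x or the expected VPN endpoint is traffic the final ruleset will cut off, which is exactly the information the thread was missing when the first rulesets failed.
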
Dannermax (Level 1 Member, Posts: 20)
« Reply #23 on: May 31, 2015, 12:39:16 PM »

Hey!

Great news..

I added the last rules you made, and unlike the other times when I added a VPN profile to my (yes, you guessed it) Synology DiskStation with a hostname, this time I added a specific IP address. Now my NAS is connected to this specific IP address, with the rules applied. And this IP address is one of the addresses I wrote to you.

Yes, I am very familiar with Linux. I could track the activity with tcpdump, but now it seems unnecessary... right?

So wouldn't it make sense if I used rules that only allowed traffic through that specific IP address? The address is the 2nd one I wrote to you.
And I am positive that I'm connecting through OpenVPN, and not PPPoE   :-)

PacketTracer (Level 4 Member, Posts: 441)
« Reply #24 on: June 01, 2015, 01:55:41 PM »

Hi again,

Quote
So wouldn't it make sense if I used rules that only allowed traffic through that specific IP address? The address is the 2nd one I wrote to you.

The ruleset using the 2nd address x.y.23.79 would be as follows:

[Enable] [Name] [Dest IP Start]  [Dest IP End]     [Protocol] [Dest Port Start] [Dest Port End]
Checked  syno1  0.0.0.0          255.255.255.255   TCP        0                 65535
Checked  syno2  0.0.0.0          x.y.23.78         UDP        0                 65535
Checked  syno3  x.y.23.79        x.y.23.79         UDP        0                 1193
Checked  syno4  x.y.23.79        x.y.23.79         UDP        1195              65535
Checked  syno5  x.y.23.80        255.255.255.255   UDP        0                 65535

But I don't think it's a good choice to work with this single address because VPN connection setup will fail if your VPN provider changes this address. In this case you would have to figure out which new set of addresses is valid, pick one of them and then adapt your ruleset to this new address. I think this is not what you want, but of course it's your choice.

Quote
I could track the activity with tcpdump, but now it seems unnecessary... right?

Not really, because it would be interesting to figure out why VPN connection setup fails if you use a hostname instead of an IP address in your NAS's VPN profile.

But I think I know the reason, and if I'm right a packet trace isn't needed.

Here is my theory:

If you use a hostname in your VPN profile, the VPN client first has to resolve this name via DNS into IP addresses. Of course this name resolves into the four well-known IP addresses (you could check this via the Windows nslookup command or the Linux dig command). And no matter whether these addresses change, what remains constant is the VPN profile's hostname, which always resolves into the four IP addresses currently valid. The advantage of using four addresses (from the point of view of your VPN provider) is that the order in which these addresses are presented in the DNS reply changes in a round-robin manner, so you use a different address for each new VPN connection setup. The result is a kind of load balancing of the workload of many VPN connections from different customers among those four VPN servers.

My assumption is that this DNS resolution fails even if your DIR-655 is working as a DNS relay, because the 8th filter rule in my last post (Checked syno8 x.y.23.128 255.255.255.255 UDP 0 65535) will drop DNS requests to port 53/udp at 192.168.1.1 (your router's LAN address). If so, this would really be a poor filter implementation, because I would expect that only traffic forwarded to the Internet via the WAN interface is subject to filtering, but not traffic sent to the router's LAN-side address.

Hence, following this theory, we would have to complement the ruleset in order to allow 53/udp traffic sent from your NAS to your router's LAN address 192.168.1.1.

Unfortunately we can't do that, because the maximum of 8 filters is already reached, so we can't add any additional ones. Hence we have to summarize the two /26 ranges x.y.6.0 - x.y.6.63 and x.y.23.64 - x.y.23.127 into a single range x.y.6.0 - x.y.23.127 (which amounts to 4480 addresses instead of 2 x 64 = 128 addresses). But since your VPN provider might also change to addresses even outside this bigger range, I would recommend working with the maximum range x.y.0.0 - x.y.255.255 of 65536 addresses that belong to your VPN provider.

So I would ask you to return to the original VPN profile using the hostname and try the following ruleset:

[Enable] [Name] [Dest IP Start]  [Dest IP End]     [Protocol] [Dest Port Start] [Dest Port End]
Checked  syno1  0.0.0.0          192.167.255.255   TCP        1                 65535
Checked  syno2  192.169.0.0      255.255.255.255   TCP        1                 65535
Checked  syno3  0.0.0.0          x.y-1.255.255     UDP        1                 65535
Checked  syno4  x.y.0.0          x.y.255.255       UDP        1                 1193
Checked  syno5  x.y.0.0          x.y.255.255       UDP        1195              65535
Checked  syno6  x.y+1.0.0        192.167.255.255   UDP        1                 65535
Checked  syno7  192.169.0.0      255.255.255.255   UDP        1                 65535

This ruleset restricts your NAS to talking to 1194/udp at any possible VPN provider address lying in the range x.y.0.0 - x.y.255.255. In addition, your NAS may talk TCP and UDP to any local (!) IP address lying in the range 192.168.0.0 - 192.168.255.255, including DNS requests using 53/udp or 53/tcp. Choosing the complete range 192.168.0.0/16 gives you the freedom to renumber your network to any new range 192.168.x.0/24 without adapting the ruleset.

PT


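The 7-rule table above as data, with a checker that applies the router's block-list semantics (a packet is dropped if any rule matches its destination address, protocol and destination port, otherwise it passes). This is an added example, not part of PacketTracer's post: x.y is written as 192.0, a stand-in for the provider's real /16, and the destinations tried are constructed. It answers the two questions a practitioner wants settled before typing eight rules into a GUI with a short session timeout: does DNS to the router's relay get through, and what exactly is still reachable for a given protocol and port.

```python
"""Check what the 7-rule ACCESS CONTROL table from the post above lets the NAS reach."""
from ipaddress import IPv4Address
from typing import List, Tuple

Rule = Tuple[str, str, str, int, int]  # dest_ip_start, dest_ip_end, protocol, dest_port_start, dest_port_end

# The thread's final ruleset with x.y written as 192.0 (a stand-in: the provider's real /16 is not on the page),
# so x.y-1.255.255 becomes 191.255.255.255 and x.y+1.0.0 becomes 192.1.0.0.
FINAL_RULES: List[Rule] = [
    ("0.0.0.0",     "192.167.255.255", "TCP", 1,    65535),  # syno1
    ("192.169.0.0", "255.255.255.255", "TCP", 1,    65535),  # syno2
    ("0.0.0.0",     "191.255.255.255", "UDP", 1,    65535),  # syno3
    ("192.0.0.0",   "192.0.255.255",   "UDP", 1,    1193),   # syno4
    ("192.0.0.0",   "192.0.255.255",   "UDP", 1195, 65535),  # syno5
    ("192.1.0.0",   "192.167.255.255", "UDP", 1,    65535),  # syno6
    ("192.169.0.0", "255.255.255.255", "UDP", 1,    65535),  # syno7
]


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def matches(rule: Rule, dst: str, proto: str, dport: int) -> bool:
    """One rule matches if protocol (or 'Any'), destination address and destination port all fall inside it."""
    lo, hi, rproto, plo, phi = rule
    return rproto in ("Any", proto) and _ip(lo) <= _ip(dst) <= _ip(hi) and plo <= dport <= phi


def is_blocked(rules: List[Rule], dst: str, proto: str, dport: int) -> bool:
    """Block-list semantics: any matching rule drops the packet."""
    return any(matches(r, dst, proto, dport) for r in rules)


def explain(rules: List[Rule], dst: str, proto: str, dport: int, name: str = "syno") -> str:
    hits = [f"{name}{i}" for i, r in enumerate(rules, 1) if matches(r, dst, proto, dport)]
    return f"{dst} {proto}/{dport}: " + (f"blocked by {', '.join(hits)}" if hits else "allowed")


def allowed_ranges(rules: List[Rule], proto: str, dport: int) -> List[Tuple[str, str]]:
    """Destination address ranges still reachable for one protocol/port:
    the complement of the union of all rules that match that protocol and port."""
    blocked = sorted((_ip(lo), _ip(hi)) for lo, hi, p, plo, phi in rules
                     if p in ("Any", proto) and plo <= dport <= phi)
    out: List[Tuple[str, str]] = []
    cursor = 0
    for lo, hi in blocked:
        if lo > cursor:
            out.append((str(IPv4Address(cursor)), str(IPv4Address(lo - 1))))
        cursor = max(cursor, hi + 1)
    if cursor <= 0xFFFFFFFF:
        out.append((str(IPv4Address(cursor)), "255.255.255.255"))
    return out


# Constructed destinations, not taken from a real trace.
CASES = [
    ("192.168.1.1", "UDP", 53),    # DNS to the router's DNS relay
    ("192.0.23.79", "UDP", 1194),  # OpenVPN to a provider address
    ("192.0.23.79", "TCP", 443),   # anything TCP to the provider
    ("8.8.8.8", "UDP", 53),        # an external resolver
    ("203.0.113.10", "TCP", 80),   # a web server on the Internet, e.g. what curl would hit
]

if __name__ == "__main__":
    for dst, proto, dport in CASES:
        print(explain(FINAL_RULES, dst, proto, dport))
    for proto, dport in (("UDP", 1194), ("UDP", 53), ("TCP", 80), ("UDP", 0)):
        print(f"{proto}/{dport} reachable at:", allowed_ranges(FINAL_RULES, proto, dport))
```

For UDP/1194 the reachable ranges are 192.0.0.0-192.0.255.255 and 192.168.0.0-192.168.255.255; for UDP/53 and TCP/80 only 192.168.0.0/16 remains, so with this table the NAS can neither query a public resolver such as 8.8.8.8 nor reach a web server on the Internet directly (the VPN tunnel, once up, is a different matter). One side effect of the GUI forcing a start port of 1: destination port 0 matches no rule at all, so allowed_ranges(FINAL_RULES, "UDP", 0) returns the whole address space. Neither OpenVPN nor DNS uses port 0, so this is a cosmetic gap, but it is the kind of thing a checker like this makes visible before the table goes live.
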
Dannermax (Level 1 Member, Posts: 20)
« Reply #25 on: June 04, 2015, 10:44:08 AM »

Wow, once again thanks for all your hard work. I will try to apply the rules as soon as I can and see what happens. I think it makes sense to use the last set of rules you posted, so I will surely try to do that.

FurryNutz (Poweruser, D-Link Global Forum Moderator, Posts: 49923)
« Reply #26 on: June 16, 2015, 07:21:36 AM »

Any status on this?  ???

Dannermax (Level 1 Member, Posts: 20)
« Reply #27 on: June 16, 2015, 11:47:08 AM »

Ahh, sorry for not getting back sooner... I'm still using the old ruleset. And when I'm getting back from vacation in 10 days or so, I will try to implement the rules you gave me. It just takes a long time to enter the rules, because the router throws me off when there is inactivity for a short while. It took me a long time to write the old ones you gave me. I can tell you that the rules I have so far are working great, but I have to restart the NAS from time to time...

Again, I cant tell you how glad I am for your help! Wish there were more people like you!!:)

Dannermax (Level 1 Member, Posts: 20)
« Reply #28 on: June 18, 2015, 02:25:46 AM »

Right, now I just added the rules to my router. I'm in a summerhouse atm, and I cannot access the web interface of my Synology DiskStation from outside my LAN. But when I get home I will enter the hostname instead of an IP address into the VPN profile... 😃 and hope for the best!!!

Dannermax (Level 1 Member, Posts: 20)
« Reply #29 on: July 02, 2015, 04:20:46 AM »

Hey Furry!

I'm back from holiday, and I have applied the last ruleset you suggested, and I entered the hostname in my VPN profile (instead of a single IP address). And guess what? IT WORKS!!! Yaa... So far it's been connected for 2 hours, so the only thing that could ruin this setup is if an IP address got changed. But I'll cross that bridge when I get to it!

One thing though, any idea why I can't do:

curl ifconfig.me

I want to get my external IP address for my DiskStation, but I'm returned with:

DiskStation> curl ifconfig.me
curl: (7) Failed to connect to ifconfig.me port 80: Connection timed out

In my Synology DiskStation, I have entered 8.8.8.8 as DNS server... hey, perhaps I just answered my own question... the rules in my router are not allowing this? So if I removed the DNS and used my router's, I guess I'll be fine? But on the other hand, I'm able to download files from the Internet with my NAS... so I guess it's working as it should now!! :)