Netgate Discussion Forum

    Setup issues with Synology NAS

    Firewalling
    18 Posts 2 Posters 1.1k Views
      Airone 0 @johnpoz

      @johnpoz
      Thank you for the suggestion regarding the first question, but the main problem remains the second question:
      If I connect to a VPN from the NAS, although the local IP of the NAS remains unchanged, the PC (and the entire LAN2) is no longer able to access the NAS in any way even if it remains visible in the ARP Table. To restore the connection I have to connect the NAS directly to the PC and cancel the VPN connection set. Ideas about it?

        johnpoz LAYER 8 Global Moderator @Airone 0

        @Airone-0 Why would you be connecting to a vpn on the nas - if you want to use a vpn for whatever - then setup the vpn on pfsense and route whatever traffic you want via that vpn connection on pfsense.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Airone 0 @johnpoz

          @johnpoz
          Easy said, but not done. I don't know pfSense so well to be able to install a VPN on the Netgate and then route only NAS traffic. Can you help me or is there a step by step documentation to follow? And are you sure that this doesn't create problems for Split DNS?
          Thanks again.

            johnpoz LAYER 8 Global Moderator @Airone 0

            @Airone-0 yeah I am sure..

            What vpn service are you using? Or do you just want to remote in to your network.. Most of the services have instructions for connecting to them. It's really as simple as putting in your connection details and adding any certs etc.. to the config.

            Here is a vpn connection I run on pfsense to openvpn server I run on a vps of mine out on the internet.

            certs.jpg

            Notice the certs.. Those you would install into the cert manager on pfsense, and then you can just select them.

              Airone 0 @johnpoz

              @johnpoz
              Thank you very much for these instructions, as soon as I have some time I will analyze them. However, I don't seem to see how to allow only the NAS to use this outgoing VPN. However, I hope it doesn't conflict with the OpenVPN of the Netgate which allows clients to access the NAS.
              As outgoing VPN I use Surfshark.

              I tried setting Host Override to use the DNS of the NAS from within LAN2, but something must be wrong because pinging from the PC fails to resolve the DNS address. This is the setting:
              Untitled-10.jpg

              Thank you.

                johnpoz LAYER 8 Global Moderator @Airone 0

                @Airone-0 is your client using pfsense for dns?

                Here as example..

                host.jpg

                  Airone 0 @johnpoz

                  @johnpoz
                  No, I use NAS for DNS.
                  Untitled-8.jpg

                    johnpoz LAYER 8 Global Moderator @Airone 0

                    @Airone-0 Well then why would you think some entry you created on unbound would have anything to do with anything?

                    That is not "dns" - that is it registering your public IP with them.. So you installed the dns client server package, and are running that? And your clients point to your nas IP for dns?

                    if you create a host override in unbound, for that to work - it has to be asked.. Either directly by your client, or by some other dns you run on your network that forwards to unbound for dns, etc.

                      Airone 0 @johnpoz

                      @johnpoz
                      Thank you for the help you are giving me, but in all this you are asking me to transfer both the SurfShark VPN and the DNS management from NAS to Netgate. The management of the SurfShark VPN I have verified that it is much more complex to do with pfSense rather than the NAS, so I would prefer to find a solution to the initial problem rather than complicate my life with something I don't know well. Even with DNS, isn't there a way for pfSense to handle an external address that hasn't been generated by itself? If I knew pfSense well, I would have no problems executing your very good suggestions, but having to enter parameters in screens not knowing what I'm doing honestly doesn't suit me. That's why I'd prefer to find a workaround to the two initial problems for now and leave the suggested changes in the future, when I have more experience with Netgate. If you could find a solution to the initial problems anyway I would be grateful. Thank you

                        johnpoz LAYER 8 Global Moderator @Airone 0

                        @Airone-0 said in Setup issues with Synology NAS:

                        isn't there a way for pfSense to handle an external address that hasn't been generated by itself?

                        Yeah - but it has to be asked..

                        That is what an override is - you could make www.google.com resolve to some local IP. But it's not going to do anything if it's not asked for www.google.com

                        If you have some vpn setup on your nas - it's prob blocking all access from any local anything even if you pointed some fqdn to its IP.

                        That vpn service has instructions for pfsense

                        https://support.surfshark.com/hc/en-us/articles/360010789259-How-to-set-up-pfSense-2-4-4-with-Surfshark

                        There are not really any changes in how you connect to a vpn from that version of pfsense to 2.7 version.

                        edit:
                        Not sure why anyone would trust these vpn services with anything - they can't even write coherent instructions. And tell the user to use the web config cert..

                        "Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);"

                        Which sure and the F would never work.. But clearly they provide enough details to get you connected..

                        edit: why don't you disable the vpn on your nas.. And validate your override is working from a client pointing to pfsense for its dns. Again you showed just that your nas was updating its synology.me record via dynamic dns. Not that you were actually using your nas for your clients dns.

                        For clients to use your nas for dns - you would have had to install the dns server

                        server.jpg

                        here - I have dns running on my nas 192.168.9.10, it forwards to pfsense... See it resolves my host override just fine

                        dns.jpg

                          Airone 0 @johnpoz

                          @johnpoz

                          I just transferred the DDNS configuration from the NAS to the Netgate, but it doesn't seem to have solved the problem. I registered on duckdns and set the new address on pfSense:
                          Untitled-2.jpg

                          After that I set the new address to Host Overrides hoping then that the ping from PC would have answered me, but it didn't: where did I go wrong?
                          Untitled-3.jpg

                            johnpoz LAYER 8 Global Moderator @Airone 0

                            @Airone-0 and again let us ask this very basic question. What are your clients using for dns? If they are not using pfsense then know they would never get that answer.. Browsers love to do doh, and would never ask pfsense.

                            Let's see your simple test of creating the record, and then using your fav dns client, nslookup, dig, host - where does it ask.. What does it get back.

                            dns.jpg

                            Notice - in all my examples, these dns clients actually are asking unbound running on pfsense (192.168.9.253) if they ask for example google they are not going to get that answer.

                            google.jpg

                              Airone 0 @johnpoz

                              @johnpoz

                              And so what? I explained to you that I'm new to pfSense and I don't know it well. If you don't come up with a practical solution (step by step) beyond the excellent explanation you gave me, I will never solve this problem.

                                johnpoz LAYER 8 Global Moderator @Airone 0

                                @Airone-0 What part are you not getting about what your client is using for dns?

                                If you are not using pfsense as your dns - then no host overrides will ever work. Could you please post the output of say a nslookup on your client asking for your host override. as per my example.

                                1 Reply Last reply Reply Quote 0
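
The check requested in the post above, as an added example that is not part of any post in the thread: it reads `nslookup` output and reports which resolver the client asked and whether the host override came back. The host name `nas.example.test`, the address 203.0.113.7 and the sample outputs are constructed; 192.168.9.253 (unbound on pfSense) and 192.168.9.10 (the NAS) are the addresses quoted in johnpoz's posts.

```python
import re

PFSENSE_DNS = "192.168.9.253"  # unbound on pfSense, as quoted in the thread
NAS_IP = "192.168.9.10"        # assumed value of the host override

def parse_nslookup(text):
    """Return (resolver_ip, answer_ips) from Unix- or Windows-style nslookup output."""
    resolver, answers, in_answer = None, [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Name:"):
            in_answer = True           # addresses after "Name:" are the answer
            continue
        m = re.match(r"Address(?:es)?:\s*(\S+)", line)
        if not m:
            continue
        ip = m.group(1).split("#")[0]  # Unix prints the resolver as ip#port
        if in_answer:
            answers.append(ip)
        elif resolver is None:
            resolver = ip              # first Address line is the server asked
    return resolver, answers

def diagnose(text, expected=NAS_IP, pfsense=PFSENSE_DNS):
    """Classify one lookup: did the override arrive, and if not, why not."""
    resolver, answers = parse_nslookup(text)
    if expected in answers:
        return "override-ok"           # directly or via a forwarder to unbound
    if resolver != pfsense:
        return "wrong-resolver"        # unbound was never asked
    return "override-missing" if answers else "no-answer"

# Constructed sample outputs (not taken from the thread's screenshots).
VIA_PFSENSE = """Server:  192.168.9.253
Address: 192.168.9.253#53

Name:    nas.example.test
Address: 192.168.9.10"""
VIA_PUBLIC = """Server:  1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name:    nas.example.test
Address: 203.0.113.7"""
NXDOMAIN = """Server:  192.168.9.253
Address: 192.168.9.253#53

** server can't find nas.example.test: NXDOMAIN"""

if __name__ == "__main__":
    for name, out in [("pfSense", VIA_PFSENSE), ("public", VIA_PUBLIC), ("nxdomain", NXDOMAIN)]:
        print(name, parse_nslookup(out), diagnose(out))
```

A `wrong-resolver` result means the override itself has not been tested yet; point the client at pfSense (or at a DNS server that forwards to it) and repeat the lookup.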
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.