No Internet access for my Synology
-
You haven't done anything you haven't mentioned yet? Like put the Synology box on a separate VLAN or something? Is it using the same network address range as the machines which can get out? Can you ping the Synology box from your firewall?
-
I didn't do anything that's why it is strange and becoming "personal". no VLAN, all my devices like pc, raspberry pi, tv and av receiver are connected to an 8 port switch and all of them have internet access.
I can ping my Synology from the firewall
 -
You have jumbo frames enabled.. Why?? But that is most likely your problem. Did you set pfsense to be jumbo frames?
-
man you are right :). :o jumbo frames was enabled on the old configuration and now with the new configuration the NIC doesn't support jumbo frames. thank you for your help
-
Now I have another problem, I cannot connect to my QuickConnect account meaning that I cannot use the cloud station, download station (all the services that use quickconect external access). I noticed that on the download station I can download but I cannot make upload. see the photos attached, in the one with QuickConnect I tried with both settings checked and unchecked the box "Automatically create port forwarding rules".
any ideas on how to resolve this problem?
-
""Automatically create port forwarding rules"."
So you have UPnP enabled on pfsense if you want automatic port forwarding to happen?
Clicked the advanced button - what are the ports it wants?
-
the UPnP is enable on pfSense. I managed to connect all my apps to the synology via ddns but quickconnect and updates still don't work. for the moment I will use the ddns account
-
what are updates - the syg going out and finding them? not sure what quickconnect is.. is that something that suppose to work remotely or while your on the same l2?
-
DSM updates - automatically updates. With QuickConnect, you can easily connect to your Synology NAS over the Internet without the hassle of setting up port forwarding rules or other complicated network settings. QuickConnect allows you to connect to DSM or some Synology packages using a customizable ID or address like quickconnect.to.
https://www.synology.com/en-us/knowledgebase/DSM/tutorial/General/How_to_make_Synology_NAS_accessible_over_the_Internet
-
well sounds like it has a problem finding home or phoning home that would allow for it too update and check in to let you know where to go for your quickconnect.
So manually checking for update doesn't work either I assume - if so sniff on pfsense when you do that and see what its trying to do that is not doing..
Maybe its trying to look up something via dns that you have blocked, or if your using unbound and their dnssec is broken will not return anything, etc. Do you have any outbound rules blocking anything? Are you using captive portal or proxy or something like snort or suricata, pfblocker?
-
Don`t use QC myself and never felt the need.
It can slow down speed substantially when going over the relay.
It uses various ways to try to establish a connection:https://global.download.synology.com/download/Document/WhitePaper/Synology_QuickConnect_White_Paper.pdf
-
Great link Pippin that seems to go over exactly how the qc works.. I just did a quick breeze and looks like from start it tries to do a nat hole punch.. That should fail since the client IP would not be the IP the state was opened too. I think there might be a way to lower the restrictions on that. But AFAIK that sort of method of opening up connection from the outside should fail..
The nat should be strict, if I syn opens a connection through pfsense to IP-A so my source port in that conversation is pfsenepublicIP:12345 –- publicIPA:qcport someone trying to use that connect from publicB should fail.. even if using the qcport as their source
publicIP-B:qcport ----> pfsenepublicIP:12345 should not be allowed.
If it is that is not a strict nat.. I will have to read over it more detail to try and figure out if any of their options should work or what you would have to do to allow them to work. But real quick gut reaction to the first method and nat hole punching.. To be honest pfsense out of the box should block that. Atleast I hope it does. I have never actually tested it in a lab.
-
I'm not using anything for the moment (I'm new to pfSense :) ), no outbound or captive portal or proxy. for the moment I will connect via ddns and I will look into the pdf that Pippin give us to see other ways and maybe more secure then free ddns :)
-
If you want my 2 cents, not a fan of opening this sort of stuff open to the public. I just vpn into if need to access anything on my network be it files or plex server, etc.
