Firewall rules for Synology apps fail to match traffic



  • Hi,

I'm running pfSense 2.4.4p1 with several network segments at home. These include a LAN segment (mainly for Windows PCs and my Synology NAS), a LAN2 (mainly for mobile devices) and an IPSEC VPN.

    Both on the LAN2 interface and on the IPSEC tab there are rules allowing my mobile phone to access ports 6690 and 7001 on the NAS via TCP for access via DS cloud and DS file. Logging into the NAS and downloading data works without any problems, however if I try to upload a file this only works on the IPSEC VPN.

    For an upload on LAN2 I get the following kinds of log entries:
    [screenshots: blocked entries in the LAN2 firewall log]

    The block is caused by a rule that dismisses all traffic to private networks not explicitly allowed by other rules.

    On IPSEC everything looks as expected:
    [screenshot: passed entries in the IPSEC firewall log]

    The same happens when DS cloud tries to upload changed files.

    At first I suspected that the synology apps try to use the default port 5001 for transfers but the logs clearly indicate that the manually configured port 7001 is used.

    I'd be very grateful for any hints why pfSense fails to match the allow rule on the LAN2 interface.

    Regards
    Alexander


  • Netgate Administrator

    The most common cause of blocked flagged TCP traffic like that is an asymmetric route.
    https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

    Does the NAS have interfaces in more than one subnet?

    Was the client connected via IPSec at the same time?

    Steve



  • Hi Steve,

    Thank you for your reply. I actually forgot that the NAS still had an active interface in the same network my mobile phone is connected to. Since the phone uses the NAS IP in the .10 network but both phone and NAS were in the .15 network, the TCP connection got messed up.

    If only Synology would allow binding services to one or more specific interfaces...

    Anyway, now it's working. ☺

    Alex
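The diagnosis above (blocked TCP packets carrying ACK/PSH flags rather than a SYN, caused by an asymmetric route between the .10 and .15 networks) can be spotted directly in the pfSense filter log. The following script is an added example, not code from the thread or from Netgate: it parses filterlog CSV lines and separates blocked new connections (lone SYN, a genuine rule mismatch) from blocked mid-stream packets (no state entry, the asymmetric-routing signature). The log lines and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed pfSense filterlog lines (not copied from the thread); the CSV
# field order follows the filterlog layout for IPv4 TCP. The blocked A/PA
# packets from 192.168.15.20 mimic the asymmetric-routing case discussed above.
SAMPLE_LOG = """\
Jan 27 20:18:45 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,41201,0,DF,6,tcp,52,192.168.15.20,192.168.10.5,53424,7001,0,PA,1111,2222,2048,,nop;nop;TS
Jan 27 20:18:46 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,41202,0,DF,6,tcp,40,192.168.15.20,192.168.10.5,53424,7001,0,A,1112,2223,2048,,
Jan 27 20:18:50 pfSense filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,41300,0,DF,6,tcp,60,192.168.15.21,192.168.10.5,40000,5001,0,S,3333,0,65535,,mss
Jan 27 20:18:52 pfSense filterlog: 7,,,1000000110,igb1,match,pass,in,4,0x0,,64,41400,0,DF,6,tcp,60,192.168.15.20,192.168.10.5,53500,6690,0,S,4444,0,65535,,mss
"""

FILTERLOG = re.compile(r"filterlog: (?P<csv>.*)$")


def classify(line):
    """Describe a blocked IPv4 TCP filterlog entry, or return None otherwise."""
    m = FILTERLOG.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # fields: 4 iface, 6 action, 8 ip-version, 16 proto, 18 src, 19 dst,
    #         20 sport, 21 dport, 23 tcp-flags
    if len(f) < 24 or f[6] != "block" or f[8] != "4" or f[16] != "tcp":
        return None
    flags = f[23]
    # A lone SYN is a new connection the ruleset did not permit. Anything else
    # (A, PA, FA, R ...) is a mid-stream packet with no state table entry, the
    # signature of an asymmetric route: the reply took a path pfSense never saw.
    category = "no-matching-rule" if flags == "S" else "out-of-state"
    return {"iface": f[4], "src": f[18], "dst": f[19], "sport": int(f[20]),
            "dport": int(f[21]), "flags": flags, "category": category}


def summarize(log_text):
    """Count blocked TCP entries per (category, src, dst, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = classify(line)
        if entry:
            counts[(entry["category"], entry["src"], entry["dst"], entry["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

A host pair that shows up only in the out-of-state bucket on an allowed port is worth checking for a second interface in the client's subnet, as happened with the NAS here.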

