
    Firewall rules for Synology apps fail to match traffic

    Firewalling
    3 Posts 2 Posters 602 Views
      A Former User

      Hi,

      I'm running pfSense 2.4.4p1 with several network segments at home. These include a LAN segment (mainly for Windows PCs and my Synology NAS), a LAN2 (mainly for mobile devices) and an IPSEC VPN.

      Both on the LAN2 interface and on the IPSEC tab there are rules allowing my mobile phone to access ports 6690 and 7001 on the NAS via TCP for access via DS cloud and DS file. Logging into the NAS and downloading data works without any problems, however if I try to upload a file this only works on the IPSEC VPN.

      For an upload on LAN2 I get the following kinds of log entries:
      [screenshot: firewall log, blocked entries on LAN2]
      [screenshot: firewall log, blocked entries on LAN2]

      The block is caused by a rule that dismisses all traffic to private network not explicitly allowed by other rules.

      On IPSEC everything looks as expected:
      [screenshot: firewall log, passed entries on IPSEC]

      The same happens when DS cloud tries to upload changed files.

      At first I suspected that the synology apps try to use the default port 5001 for transfers but the logs clearly indicate that the manually configured port 7001 is used.

      I'd be very grateful for any hints why pfSense fails to match the allow rule on the LAN2 interface.

      Regards
      Alexander

        stephenw10 Netgate Administrator

        The most common cause of blocked flagged TCP traffic like that is an asymmetric route.
        https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

        Does the NAS have interfaces in more than one subnet?

        Was the client connected via IPSec at the same time?

        Steve

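The signature Steve is pointing at is a log entry that blocks a TCP packet carrying ACK or PSH but no SYN: the connection's handshake went one way through pfSense, the reply took another path, and the later mid-stream packet matched no state. The following script is an added example, not pfSense or Netgate code, that scans pfSense filterlog lines for that pattern. It assumes the pfSense 2.4 filterlog CSV layout for IPv4 TCP lines; the log lines, the interface names em2 (LAN2) and enc0 (IPsec), and the addresses and ports are constructed for the illustration and are not from the thread's screenshots.

```python
"""Spot pfSense filterlog blocks that look like asymmetric routing.

Added example, not pfSense or Netgate code. A blocked packet carrying ACK/PSH
but no SYN is a mid-stream segment that matched no firewall state; when a SYN
for the same flow was passed earlier, the reply most likely bypassed the
firewall. Field positions follow the pfSense 2.4 filterlog CSV layout for
IPv4 TCP lines (an assumption about the format, not verified against this
thread's screenshots).
"""
import csv
from collections import Counter

# Constructed sample lines (not from the thread). em2 = LAN2, enc0 = IPsec;
# addresses, ports and tracker ids are assumptions for the illustration.
SAMPLE_LOG = """\
Jan 27 19:58:41 pfSense filterlog: 72,,,1548600001,em2,match,pass,in,4,0x0,,64,21001,0,DF,6,tcp,60,192.168.15.20,192.168.10.5,50212,7001,0,S,1810212345,,65535,,mss;sackOK;TS;nop;wscale
Jan 27 19:58:45 pfSense filterlog: 5,,,1548600009,em2,match,block,in,4,0x0,,64,21005,0,DF,6,tcp,1500,192.168.15.20,192.168.10.5,50212,7001,1448,PA,1810212346:1810213794,2204011,65535,,nop;nop;TS
Jan 27 19:58:46 pfSense filterlog: 5,,,1548600009,em2,match,block,in,4,0x0,,64,21006,0,DF,6,tcp,52,192.168.15.20,192.168.10.5,50212,7001,0,A,1810213794,2204011,65535,,nop;nop;TS
Jan 27 20:01:02 pfSense filterlog: 5,,,1548600009,em2,match,block,in,4,0x0,,64,31000,0,DF,6,tcp,60,192.168.15.20,192.168.10.5,50300,5001,0,S,99000001,,65535,,mss;sackOK
Jan 27 20:02:10 pfSense filterlog: 81,,,1548600020,enc0,match,pass,in,4,0x0,,63,40001,0,DF,6,tcp,60,10.0.8.2,192.168.10.5,41000,7001,0,S,5550001,,65535,,mss;sackOK
"""


def parse_filterlog(line):
    """Return a dict for an IPv4/TCP filterlog line, or None for anything else."""
    if "filterlog:" in line:
        line = line.split("filterlog:", 1)[1].strip()
    fields = next(csv.reader([line]))
    # rule,sub-rule,anchor,tracker,iface,reason,action,dir,ipver,
    # tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,
    # sport,dport,datalen,tcp-flags,seq,ack,win,urg,options
    if len(fields) < 24 or fields[8] != "4" or fields[16] != "tcp":
        return None
    return {
        "tracker": fields[3], "iface": fields[4], "action": fields[6],
        "dir": fields[7], "src": fields[18], "dst": fields[19],
        "sport": int(fields[20]), "dport": int(fields[21]),
        "datalen": int(fields[22]), "flags": fields[23],
    }


def flow_key(entry):
    """Client->server 4-tuple; pf keys its state table on this plus protocol."""
    return (entry["src"], entry["sport"], entry["dst"], entry["dport"])


def is_syn_only(flags):
    """True for the first packet of a handshake (SYN without ACK)."""
    return "S" in flags and "A" not in flags


def classify(lines):
    """Label each blocked TCP entry.

    policy-block:             a fresh SYN was denied; the rule set really forbids it.
    asymmetric-route-suspect: a SYN for the same flow was passed earlier, yet a later
                              ACK/PSH packet found no state; the reply likely bypassed pfSense.
    midstream-no-syn-seen:    mid-stream block with no logged SYN; an expired state or a
                              pass rule that does not log.
    """
    entries = [e for e in map(parse_filterlog, lines) if e]
    syn_passed = {flow_key(e): e["iface"] for e in entries
                  if e["action"] == "pass" and is_syn_only(e["flags"])}
    findings = []
    for e in entries:
        if e["action"] != "block":
            continue
        fk = flow_key(e)
        if is_syn_only(e["flags"]):
            verdict = "policy-block"
        elif fk in syn_passed:
            verdict = "asymmetric-route-suspect"
        else:
            verdict = "midstream-no-syn-seen"
        findings.append({"iface": e["iface"], "flow": fk, "flags": e["flags"],
                         "tracker": e["tracker"], "verdict": verdict})
    return findings


def summarize(findings):
    """Count verdicts so a noisy log can be triaged at a glance."""
    return Counter(f["verdict"] for f in findings)


if __name__ == "__main__":
    result = classify(SAMPLE_LOG.splitlines())
    for f in result:
        src, sport, dst, dport = f["flow"]
        print(f'{f["iface"]:5} {src}:{sport} -> {dst}:{dport} '
              f'flags={f["flags"]:3} {f["verdict"]}')
    print(dict(summarize(result)))
```

On the constructed sample the two LAN2 blocks for port 7001 come out as asymmetric-route suspects, while the SYN to port 5001 is a genuine policy block. The verdict only says where to look: the confirmation is the check Steve asks for, whether the server has a second interface in the client's subnet or the client was on the VPN at the same time, and the Netgate document linked above describes the usual remedies.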
          A Former User

          Hi Steve,

          thank you for your reply. I actually forgot that the NAS still had an active interface in the same network my mobile phone is connected to. Since the phone uses the NAS IP in the .10 network but both phone and NAS were in the .15 network, the TCP connection got messed up.

          If only Synology would allow binding services to one or more specific interfaces...

          Anyway, now it's working. ☺

          Alex

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.