Krisken
Member Candidate
Topic Author
Posts: 132
Joined: Thu Oct 25, 2012 11:35 am

Port forward problem

Fri Jul 03, 2015 1:20 am

Hello,

I have two Synology NAS systems. One in the datacenter (directly with fixed IP) and one at home (using NAT with DHCP, WAN has fixed IP using xDSL). Synology uses port 5000 (or 5001) to access the NAS.

This is the situation:
- I can use the NAS at home correctly using the internal IP 10.0.0.110
- I can use the NAS at home from other networks
- From outside I can connect to the NAS in the datacenter and the NAS at home
- But since I've created the port forward at home (to make my NAS reachable from outside) I can't connect to the NAS in the datacenter anymore.
- When I disable the NAT rule, I can access the NAS in the datacenter

So ... The NAT rule I've created will be bad :-)

In IP > Firewall > NAT, I've created this input:
Tab "General"
Chain : dstnat
Protocol : 6 (tcp) (unchecked)
Dst. Port : 5000 (unchecked)

Tab "Action"
Action : dst-nat
To Addresses : 10.0.0.110
To Ports : 5000

Does somebody see a mistake?
I want to :
- Connect to the NAS in the datacenter using external.ip.address:5000
- Connect to the NAS at home, using my.xDSL.ip:5000 (doing NAT to 10.0.0.110:5000)
- Connect to the NAS at home when I am at home, using 10.0.0.110:5000
- Connect to the NAS in the datacenter when I am at home, using fixed.ip.address:5000
 
JanJoh
newbie
Posts: 49
Joined: Tue Nov 26, 2013 10:14 pm

Re: Port forward problem

Fri Jul 03, 2015 10:27 am

"Does somebody see a mistake?"

Yeah... You are asking your unit to send ALL traffic to port 5000 to the internal NAS.

Think about that a moment... ALL traffic to port 5000. REGARDLESS of destination address and REGARDLESS of source address will be processed by your rule.

So, the rule does exactly what you have told it to do.

You want to use either SRC-address, or In-interface as a part of your rule. Personally I would probably be lazy and slap a !10.0.0.0/24 as a source qualifier. Or less lazy and define an address list for your internal networks, and use a !addresslist as qualifier.
 
pukkita
Trainer
Posts: 2981
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Port forward problem

Fri Jul 03, 2015 11:36 am

Or specify in-interface for that dst-nat.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
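
The rule from the first post next to the three narrower forms suggested in the replies, written as RouterOS CLI. This is an added example, not part of any post in the thread; the interface name `ether1-wan` and the address-list name `lan` are assumptions, and 10.0.0.0/24 as the home LAN is taken from the second post.

```routeros
# Added example, constructed from the settings listed in the thread.
# Assumed names (not from the thread): interface "ether1-wan", list "lan".

/ip firewall nat

# BEFORE: the rule as described in the first post.
# With no source, destination or interface qualifier it matches every
# TCP connection to port 5000 that crosses the router, so LAN clients
# heading for the datacenter NAS are rewritten to 10.0.0.110 as well.
add chain=dstnat protocol=tcp dst-port=5000 \
    action=dst-nat to-addresses=10.0.0.110 to-ports=5000 \
    comment="too broad: remove once a scoped rule is in place"

# AFTER, option 1: translate only connections arriving on the WAN side.
add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=5000 \
    action=dst-nat to-addresses=10.0.0.110 to-ports=5000 \
    comment="NAS forward, WAN ingress only"

# AFTER, option 2: skip anything that originates from the home LAN.
add chain=dstnat src-address=!10.0.0.0/24 protocol=tcp dst-port=5000 \
    action=dst-nat to-addresses=10.0.0.110 to-ports=5000 \
    comment="NAS forward, non-LAN sources only"

# AFTER, option 3: same idea with an address list, which is easier to
# maintain when there is more than one internal network.
/ip firewall address-list
add list=lan address=10.0.0.0/24
/ip firewall nat
add chain=dstnat src-address-list=!lan protocol=tcp dst-port=5000 \
    action=dst-nat to-addresses=10.0.0.110 to-ports=5000 \
    comment="NAS forward, sources outside the lan list"

# Check which rule is taking the hits while testing from the LAN:
/ip firewall nat print stats
```

Options 1 to 3 are alternatives; keep exactly one of them and delete the unqualified rule, otherwise it will still match first.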
