Putting the NO in Synology.
December 4, 2020 7:35 PM

I'm having issues opening my firewall for my Synology server. Difficulty level: My ISP is the problem. And they're totally stumped.

Background in bullet points:

- I have AT&T Fiber gigabit internet at home. I'm using their Arris BGW210-700 combined modem/router because, as I'm widely led to believe, I don't have a choice.

- I routinely log in to my Synology DS212j when working remotely, or in my car for music streaming. Since switching to AT&T two months ago, I can't open the required port on my router to gain access, which means no Synology access outside the home.

- I've already taken the following steps, none of which have been fruitful:

* Contacted regular AT&T support online
* Paid $49.95 to AT&T ConnecTech to log in to my system remotely and troubleshoot
* Contacted Synology support
* Posted to AT&T Community Forums

Here's the longer explanation:

I have a Synology DS212j that I've been successfully and happily connecting to for remote work for years under TWC/Spectrum. Even during non-pandemic times, I work at home and away, so this access is essential to what I do.

Once I switched over to AT&T gigabit fiber, this functionality stopped working. I tried the usual recommended steps, i.e., logging into the Arris control panel and creating an Application Hosting Entry with the relevant device and ports on the Firewall > NAT/Gaming page. This didn't work, so I paid AT&T ConnecTech their $49.99 to have someone log in to my system remotely and basically do the same thing. Again, didn't work. They told me that was all they could do and kicked me over to Synology.

Synology asked for a schematic of my network and did their own test using this port checker. This showed that none of the ports on my network are open, despite AT&T's insistence otherwise. In Synology's words:

"We wouldn't have anything we could do from the NAS's end to open the ports. The only thing that the NAS can do is block the ports from the NAS itself, via the firewall, that is disabled by default. You will need to contact Arris or AT&T if that still doesn't work, as they have features enabled that are blocking ports."

So I'm back at square one, having paid AT&T for nothing. Is there another option here? Would it work to use the Arris as a passthrough to a different router? Is there another method to force access the Synology that I'm not considering?

(Also, I'm not able to open ports on the Arris for torrent activity either, despite going through the same process, which leads me to believe it's definitely not just the Synology.)

(Also also, I know people generally frown upon opening ports to the wider Internet, to which I'm certainly sympathetic, but I really don't know how else to do this.)
posted by mykescipark to Computers & Internet (5 answers total)
 
The Plex forum has a thread full of people with a similar issue accessing their Plex server behind that modem. The consensus seems to be to use a non-standard port externally, and then use port forwarding in the modem's config from the non-standard external port to the normal internal port. Is this a viable solution for your use?

From that Plex thread, there's also a link to an AT&T forum thread from a few years ago about a bad firmware version in which port forwarding was broken. It seems unlikely that your new modem came with a 2-year-old firmware version, but it's worth checking if there are firmware updates. A newer thread has users there indicate that they got modems that were from 2017 as recently as this year, so perhaps the bad firmware is still around. It also has some additional instructions to remove packet filters which the user says is needed beyond the steps that AT&T has documented for port forwarding. Other users have reported success changing their DNS servers to Google's DNS, which is starting to feel more cargo cult than actual network configuration.

In short, I have no idea, and I don't have that modem, but it looks like you're by far not the only person who has had this issue. I wish you luck.
posted by yuwtze at 8:46 PM on December 4, 2020


You probably do have a choice on the router, if you're technical and willing to spend some money. I have AT&T fiber as well. I use a Ubiquiti USG, with eap_proxy, and I bypass the AT&T router other than for authentication.
posted by primethyme at 9:11 PM on December 4, 2020


Does sound like a router problem. If upgrading/downgrading/resetting the router firmware doesn't work, switching the router to "modem mode" and using a different router for routing duties is the route I'd go. If you have an old router kicking around you can test this before spending any $$.

In terms of the end goal though, I have a Synology DS212j and wouldn't be comfortable exposing it to the internet. So many reports of ransomware and other security holes. I'd set up a separate VPN server — ideally Wireguard on a cheap Raspberry Pi running Raspberry Pi OS (Debian) with automatic updates enabled. Obviously this does require a (single, UDP) port to be opened on the router. Even just installing the VPN Server package on the DS212j and using it as an OpenVPN server is better than exposing Synology services via port forwards.
posted by Klipspringer at 3:31 AM on December 5, 2020 [1 favorite]


Although I'm not _specifically_ doing that (sharing Synology directly), I can confirm that I have an Arris BGW210-700 on AT&T Fiber that is doing exactly one thing: forwarding everything to my eero mesh for port forwarding and NAT translation, and my Plex is 100% stable and fine to the outside world. So making the router into a dumb modem via the Firewall->IP Passthrough menu and handing the actual networking off to something of your choosing is probably a viable option.
posted by Kyol at 10:10 AM on December 5, 2020 [1 favorite]


Response by poster: Hi friends. Thanks for your excellent thoughts. I tried a bunch of these solutions (the non-gear-purchasing ones, anyway), and still turned up empty-handed. Fortunately, a dear friend (and fellow MeFite) offered to poke around in the settings via screenshare. Turns out my Synology's ability to open ports is, in fact, borked! We got it open right away on my brand-new DS920+. I guess the 212j is just getting a little long in the tooth. Appreciate the ideas nonetheless!
posted by mykescipark at 7:07 PM on December 5, 2020 [1 favorite]
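
An added example, not part of the thread and not Synology or AT&T tooling: the thread went back and forth over whether the router or the NAS was at fault, and a TCP probe that separates "refused" from "no answer", run once against the NAS from the LAN and once against the public address from outside, narrows that down. The function names, result labels and the sample address in the comment are assumptions made for illustration.

```python
import socket

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed', 'filtered' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"            # reset came back: host answers, nothing listening
    except socket.timeout:
        return "filtered"          # no reply at all: packets dropped on the way
    except OSError:
        return "unreachable"       # no route, bad address, or name did not resolve

def locate_fault(lan, wan):
    """Interpret a LAN-side and an outside probe of the same forwarded service.

    lan: probe of the NAS's private IP from inside the network.
    wan: probe of the public IP from outside (e.g. a phone on cellular data);
         probing the public IP from inside can mislead, because not every
         router supports NAT loopback.
    """
    if lan == "closed":
        return "nas-service"               # service not listening on the NAS
    if lan in ("filtered", "unreachable"):
        return "nas-firewall-or-address"   # NAS firewall drop, or wrong LAN IP
    if wan == "open":
        return "ok"
    if wan == "closed":
        return "router-forward"            # rule likely missing or mis-targeted
    return "router-or-upstream-filter"     # dropped before reaching the NAS

def demo():
    """Constructed check against a throwaway listener on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_up = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_up, after_close

if __name__ == "__main__":
    print(demo())
    # Placeholder values: substitute your NAS's LAN address and service port.
    # print(locate_fault(probe_tcp("192.168.1.50", 5001), "filtered"))
```
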

