Hi everyone
I’m fighting with a network issue, where my synology nas doesn’t accept any connection from outside it’s subnet.
So, here’s my setup:
- Unifi Infrastructure with three separated subnets:
  - default: xxx.xxx.2.0/24 - no vlan - pool with all “safe” devices (notebooks, mobiles, servers etc.)
  - IoT: xxx.xxx.83.0/24 - vlan 83 - here are all the IoT devices, including nvidia shield, multiple chromecast music devices etc.
  - guest: xxx.xxx.20.0/20 - vlan 20 - quarantined guest wlan
- dns servers are locally hosted at xxx.xxx.2.42 and 43
I got a new NAS and I designated my old DS214play (running DSM 7.1.1-42962 Update 6) as a Mediaserver that gets to live in the IoT net:
- changed the ip from xxx.xxx.2.50 to xxx.xxx.83.50
- updated the gateway and subnet
- added the vlan tag 83 on the network port
- updated the firewall to allow all necessary ports from and to the default network (so I can stream plex to my notebooks etc.)
The Firewall on the NAS is not activated
Issue:
- My NAS doesn’t accept any outside connections after moving it to the IoT subnet, neither from my default network nor the internet.
What I tried:
- allowed full access between LAN and IoT subnet for the NAS.
- tried it with another port -> same issue
- connected another device to this port (and setup the same firewall rules) -> this one works fine.
- checked the unifi firewall logs --> requests get sent from the nas and answers from the other device
- checked logs of other devices (DNS, NetCat etc.) --> they receive the requests outside of the subnet, and return their answer but the NAS seems to block/ignore any incoming packages.
What I didn’t try:
- setting the VLAN id under "Network Interface" > "LAN" > "Enable VLAN(802.1Q)", since, as far as I understand, the Unifi VLAN implementation terminates the VLAN tag at the port of the switch (and all other devices work without specifying it locally)
- fully reset the NAS
I’m completely stuck on how to solve the issue, so I have moved the NAS back to the default net, but some use cases are not working properly that way, so I’d really like to move it to the IoT subnet. Does anybody have (has?) any hints or know of some obscure settings which need to be updated? I’d be really grateful for any pointers.
So if I understand this right you will need to change the network on the port attached to the synology in your UniFi configuration or set the vlan tag in the synology OS, I would do the former. It sounds like you just added a second network/vlan to the existing interface which means you actually created a trunk and are getting the old network untagged and the new network with vlan tags which the synology is dropping. Synology OS also doesn’t really support trunked ports through the UI (even though it does support a port that only uses a vlan tag) so it’s much easier to just leave them untagged.
doesn’t the switch terminate any VLAN tagging at the port? so if I add the VLAN to the DSM configuration it doesn’t receive any tagged packages and refuses them?
With all the other devices in the IoT subnet it works by setting the VLAN on the port of the switch. When I check back on the unifi site, I find this:
'Applying a VLAN to a Switch Port Native VLAN The Native VLAN is the VLAN assigned to "untagged" traffic passing through a switch port. Devices physically connected to a switch port will be placed on this Native VLAN. Tagged Networks and Trunk Ports Ports can be configured to allow traffic from other networks. Allowing specific networks/VLANs is referred to as “tagging” them on the switch port. You can see all ports’ VLAN tags in the VLAN Viewer, found in the Ports tab. Ports that have been tagged to allow traffic from multiple VLANs are referred to as “trunk” ports. By default, all ports on UniFi Switches are trunked to allow all VLANs. '
If I understand that in combination with your comment correctly: I set the native VLAN to 83, so everything tagged with 83 is correctly forwarded to the NAS and accepted there, but stuff tagged with 1 is non-native, the tag stays on and the NAS doesn’t accept it? But that would make the Synology NAS quite hard to use in any corporate setting with multiple VLANs which need to interconnect, and why does it work the other way around? While being in the default net 1 it does accept stuff from VLAN 83, which would mean I can’t put it in the IoT net?
Did you change the native VLAN to IoT or just added the tag and left the native VLAN on the switch port set to default? You should be able to change the native VLAN and leave tagged VLANs as “allow all”.
My only other thought is how did you isolate the IoT network and are you able to access other devices from default to IoT?
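To make the native-vs-tagged behaviour discussed in the two replies above concrete, here is an added simulation (example code written for this thread, not from any poster and not Synology or UniFi code). It builds real 802.1Q frame bytes, models a switch port with a native VLAN plus "allow all" tagged VLANs, and a NAS that either has or lacks a VLAN interface; the MAC addresses and scenario dictionaries are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100        # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
# Constructed MAC addresses for the demo (not from the thread)
SRC_MAC = bytes.fromhex("02aabbccdd01")
DST_MAC = bytes.fromhex("02aabbccdd02")

def build_frame(vid, payload, dst=DST_MAC, src=SRC_MAC):
    """Build an Ethernet frame. vid=None -> untagged; otherwise insert an 802.1Q tag."""
    hdr = dst + src
    if vid is not None:
        tci = vid & 0x0FFF                     # PCP=0, DEI=0, 12-bit VLAN id
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_vid(frame):
    """Return the VLAN id from the 802.1Q tag, or None for an untagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF

def switch_egress(port, vlan, payload):
    """Switch port model: the native VLAN leaves untagged, other allowed VLANs leave tagged."""
    if vlan == port["native"]:
        return build_frame(None, payload)
    if port["tagged"] == "all" or vlan in port["tagged"]:
        return build_frame(vlan, payload)
    return None                                # VLAN not allowed on this port: switch drops it

def host_accepts(host, frame):
    """A host with no 802.1Q interface only understands untagged frames."""
    vid = parse_vid(frame)
    return vid is None or vid in host["vlan_ids"]

def delivered(port, host, vlan, payload=b"reply"):
    """True if traffic on `vlan` reaches the host's IP stack through this port."""
    frame = switch_egress(port, vlan, payload)
    return frame is not None and host_accepts(host, frame)

# Scenario constants (assumed, built from the thread's description)
NAS_NO_VLAN = {"vlan_ids": set()}                # DSM "Enable VLAN (802.1Q)" left off
NAS_VLAN_83 = {"vlan_ids": {83}}                 # DSM VLAN id 83 enabled on the LAN port
PORT_AS_POSTED = {"native": 1, "tagged": "all"}  # default net still native, 83 only tagged
PORT_NATIVE_83 = {"native": 83, "tagged": "all"} # native VLAN changed to IoT

if __name__ == "__main__":
    print("as posted:", delivered(PORT_AS_POSTED, NAS_NO_VLAN, 83),
          "| native 83:", delivered(PORT_NATIVE_83, NAS_NO_VLAN, 83))
```

Either changing the port's native VLAN to 83 or enabling VLAN id 83 in DSM makes the VLAN 83 replies land; with the native VLAN left at default, the NAS only ever sees its own subnet's traffic tagged and drops it.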