Messages

I'm ready for the big gun ! However, I'm not sure what settings to use to get a relevant result.

For the moment, I've tested the blocked IP 192.168.20.45 on port 443.
I've also tested a local IP that works, 192.168.20.65 on port 443.

The only difference I can interpret in the results is that on the blocked IP the response comes from my public IP, whereas on the working IP it comes from the firewall (192.168.0.1).

I'm going to sound like a total beginner, but I don't know how best to share the tcpdump results with you and what potentially sensitive information needs to be masked...

The problem occurred again last night and I had to change my IP to regain access.

I'm interested in any tips you can think of 🙏

Cursory search:
https://www.reddit.com/r/synology/comments/j3thgs/please_explain_what_enable_multiple_gateways_does/

Thank you! I'll keep this information somewhere, even if I don't fully understand everything explained.

I ended up implementing viragomann proposal with an outbound NAT rule and it works perfectly.

1 problem out of 2 solved, great, thanks!
Now I just need to solve an access problem with Caddy for private IP and the network will be fully functional :-)

So the problem was indeed with the NAS.
On Synology, in Network > General > Advanced settings, the "enable multiple gateways" was unchecked.

I had disabled this function because it was causing me problems with my Docker networks, which could no longer communicate with each other.

I ended up leaving this function disabled but added a static route to 192.168.20.0
I don't know if this is the right way to do it, but it works.

Anyway, thanks a lot for the help! I've learned more how to use tcpdump and other tools, and I'm very grateful :-)

Ok, make sense

I'll run a tcpdump on the NAS side this evening and get back to you with the results

Yes, of course. This is why I tried to disable firewall on the NAS side, but it didn't change anything.
And, it was working flawless until ~1 month.

So, to give a little more context on the network configuration, Opnsense has been configured following this tutorial: https://homenetworkguy.com/how-to/set-up-a-fully-functioning-home-network-using-opnsense/

This means that all vlan pass through the lagg. This is presumably configured correctly on the switch (cisco sg300-10). No recent changes have been made to the switch and it was working well until recently.
The NAS is also configured with a lagg on the switch, in vlan10 access mode.

Among the things I've tried :
- reboot the NAS, switch and router
- connect the NAS with a single port and remove the lagg
- change the NAS ip
- check the firewall settings on the NAS
- Try SSH from other laptops in vlan.USER to NAS without success.

I'd like to point out that in this vlan.DMZ I have 2 other devices to which I connect via ssh from vlan.USER without any problems.

On the NAS in question :
Fixed IP: 192.168.10.10
Gateway: 192.168.10.1
Network mask: 255.255.255.0

On my Laptop, no particular configuration other than a fixed ip in my network

On the firewall, I have a rule in USER that authorizes 192.168.20.45 to talk on any port in DMZ net

One of the things I've been testing over the past month is enabling Layer4 Proxy in Caddy for SSH access on my NAS. This works fine. However, I'm not at home right now to test disabling this.

Thanks for your feedback :-)

Here is what I got with Packet Capture:

On the vlan01.DMZ

No.   Time   Source   Destination   Protocol   Length   Info
1   0.000000   192.168.20.45   192.168.10.10   TCP   78   60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164839612 TSecr=0 SACK_PERM
2   1.002296   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164840612 TSecr=0 SACK_PERM
3   2.000752   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164841612 TSecr=0 SACK_PERM
4   3.002084   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164842613 TSecr=0 SACK_PERM
5   4.000046   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164843613 TSecr=0 SACK_PERM
6   5.000820   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164844614 TSecr=0 SACK_PERM
7   7.003733   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164846614 TSecr=0 SACK_PERM


And on the vlan02.USER

No.   Time   Source   Destination   Protocol   Length   Info
1   0.000000   192.168.20.45   192.168.10.10   TCP   78   60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164839612 TSecr=0 SACK_PERM
2   1.002349   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164840612 TSecr=0 SACK_PERM
3   2.000814   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164841612 TSecr=0 SACK_PERM
4   3.002150   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164842613 TSecr=0 SACK_PERM
5   4.000108   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164843613 TSecr=0 SACK_PERM
6   5.000877   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164844614 TSecr=0 SACK_PERM
7   7.003805   192.168.20.45   192.168.10.10   TCP   78   [TCP Retransmission] 60299 → 441 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=2164846614 TSecr=0 SACK_PERM


I don't know how to interpret the results, but it seems to talk both ways...

And the live view :

You cannot view this attachment.

FWIW, the DMZ term is typically used for the subnet containing the external-facing services of an org (web, ftp, ...), separate from the more protected LAN.

It seems to me that this is precisely the idea in this situation because all the services exposed to the Internet run on my NAS, which is in the DMZ? Or am I mistaken in my understanding?

My laptop IP is 192.168.20.45

Regarding IPv6, I have to admit that I'm really not comfortable with it. I haven't really looked into how it works.

I do have an IPv6 address, here's the info I get :

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
   ether 52:50:98:ef:ab:ad
   inet 192.168.20.45 netmask 0xffffff00 broadcast 192.168.20.255
   inet6 fe80::8ce:8fce:921c:14b0%en0 prefixlen 64 secured scopeid 0xe
   nd6 options=201<PERFORMNUD,DAD>
   media: autoselect
   status: active

Hello

I need your help :-)
First, I'd like to point out that I'm a beginner and that I was able to set up my setup thanks to the various tutorials on the internet. Please forgive me for using terms that may be incorrect or imprecise when defining certain things. I'm a fast learner, but I still have a lot of gaps ...

I have installed and configured Caddy as described in the documentation, and it works perfectly well in general.

However, for some time now, I've been having problems with certain domains that I've configured to be accessible only by local ip's (Access list). At first, everything worked fine, then, after a while, ~1 month, I couldn't access them, as my ip address was no longer considered local. My laptop is configured with a fixed ip and when I change it, I can access the protected url again. This problem also arises with vpn ip addresses.

I have Crowdsec, Suricat and Zenarmor installed and configured on the router. My first thought was that somehow my ip was banned somewhere, but I couldn't find any trace in the aliases. I've also deactivated all 3 without success.

When I come back to an old fixed ip after some times, it works again and for a while, before being blocked again. I confess I don't know where to look.

Here's my access list setting:

192.168.10.0/24
10.10.10.0/24
192.168.0.0/24
192.168.30.0/24
192.168.20.0/24

Any help would be very much appreciated
Thanks

Hello,

I need your help :-)
First, I'd like to point out that I'm a beginner and that I was able to set up my setup thanks to the various tutorials on the internet. Please forgive me for using terms that may be incorrect or imprecise when defining certain things. I'm a fast learner, but I still have a lot of gaps ...

For about 10 days now, I've been unable to access the various internal services on my NAS (SMB, ssh, etc.). I can't pinpoint the exact change that led to this problem, but I'm guessing it's been happening since the latest Opnsense 25.1.5 upgrade.
All services exposed via reverse proxy are accessible without problems, but I can no longer mount shared volumes locally or connect via ssh on my NAS when I'm on the current VLAN.

I have 4 VLAN in my network. The main NAS (Synology DS920+), another NAS and a raspberry are on the DMZ VLAN. All other laptop-type devices are on a USER VLAN, and the various firewall rules for accessing devices in the DMZ VLAN have always worked well so far. I can still access the other NAS and the Raspberry via ssh without any problems.

I've turned the problems upside down, suspected lag, the switch, the settings on the Synology, I can't get anywhere. I can access without problems when I'm connected to the LAN for testing, but not from the VLAN. Surprisingly, I can also connect to the NAS using ssh or SMB when I'm on the wireguard vpn (I have a firewall rule that allows this).

Anyway, if anyone could help me find the problem with methodology, I'd be infinitely grateful :-)