Unable to externally access Synology DS1512+ via NAT and Static IP on SonicWall NSA 3500

I have an external IP NATing to an internal IP. I have verified the NAT is working by pointing it to an internal PC and testing various ports (mainly 6690, Synology's Cloudstation port). Currently for testing, I have all ports open for this IP so I do not think it is a port issue.

Internally the synology DSM and Cloudstation are accessible. The SonicWall and Synology syslog logs are surprisingly not of much help. I also called Synology and worked through some of their pre-tech support steps and ultimately they were not of much help other than to suggest buying a low-end home-based router.

Any help would be greatly appreciated,
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Henk van AchterbergSr. Technical ConsultantCommented:
when you open 5000 from the outside to the synology, can you access the webinterface from the outside?
Sean_MurphyAuthor Commented:
I cannot. Externally, port 5000 is open just like 6690 but I can't access the DSM or the cloudstation.
Henk van AchterbergSr. Technical ConsultantCommented:
In the sonic wall did you open the port in the NAT section AND in the firewall (access rules) section?
SD-WAN: Making It Work for You

As bandwidth requirements and Internet costs grow, businesses naturally want to manage budgets by reducing reliance on their most expensive connection types. Learn more about how to make SD-WAN work for your business in our on-demand webinar!

Sean_MurphyAuthor Commented:
I want to say of course, but since it isn't working...
For this issue, I'll use these dummy IPs in this thread: = internal IP of Synology = external static IP assigned to the Synology

Here are the NAT Policy rules:
NAT Rule #1
Original Source:
Translated Source:
Destination Original: Any
Destination Translated: Original
Service Original: Any
Service Translated: Original
Interface Inbound: Any
Interface Outbound: Any

NAT Rule #2
Original Source: Any
Translated Source: Original
Destination Original:
Destination Translated:
Service Original: Any
Service Translated: Original
Interface Inbound: Any
Interface Outbound: Any

Here is the Firewall Access Rule:
From: WAN
Priority: 31 (FYI, the deny priority is 33)
Source: Any
Service: Any (Ultimately, this will just be Synology ports like 5000, 6690, etc)
Action: Allow
Users Incl: All
Users Excl: None

Thanks for your attention to this thread, henkva.
I'm not positive, but in the Firewall Access Rule, shouldn't the destination be rather than
Sean_MurphyAuthor Commented:
akahan, I do not believe so as the destination in this case is the destination the user is accessing, which is the external IP. The NAT rules then handle the translation of that data. That said, I tried it with with no luck. I also tried having a Firewall rule for both and No success there either.
FYI, I have this sequence of NAT/Firewall rules for over a dozen other Windows and Linux servers and it works well translating all ports from the external IP to the internal IP. Just not for the Synology. I was hoping I was just missing something when it comes to "Port Forwarding" vs. NAT.
A second FYI, if I change the internal IP address in the NAT rules to point to an internal Windows pc, e.g., running a service on port 5000 or 6690 and then go to http://www.yougetsignal.com/tools/open-ports/ to check the status I see the ports as open. However, when the NAT rules connect to the Synology that test shows the ports closed even though I know they are open because I can connect via the internal network.

Thanks for the assistance,
By any chance is the IP address from which you're doing the testing listed as among those which have been "auto-blocked" by the Synology in Control Panel/Network Services/Autoblock?
Sean_MurphyAuthor Commented:
No, and after I checked per your request I have disabled Auto-block altogether.
I am unable to think of any setting on the Synology that would cause it to treat packets from the WAN differently from packets from the LAN, other than auto-block.

Are you able to temporarily put the Synology in the DMZ on the SonicWall (or temporarily connect the Synology upstream from the SonicWall) to determine whether the SonicWall or the Synology is the problem?
Blue Street TechLast KnightCommented:
Hi Sean_Murphy,

Use the Public Server Wizard located at the top right named Wizards. Once the Wizards' pops up, select Public Server Wizard, Next then for Server Type select Other and specify the custom Service Objects under Create New Service or Group. This will auto create all the necessary NAT Policies and Access Rules needed for communications to flow. Here is a step-by-step: https://www.sonicwall.com/us/en/support/2213.html?fuzeurl=https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.asp?kbid=7027

It is a recommended best practice for setting up public servers.

Verify both the Synology DSM and Cloudstation are located in the LAN Zone.

Let me know how it goes!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Sean_MurphyAuthor Commented:
My apologies. I have been unable to attend to this until today. I will try the suggestions above and report back.

Thanks for your attention to this!
Sean_MurphyAuthor Commented:
diverseit, I deleted all the rules I had in place for the Synology and then setup the Synology using the wizard as you suggested. It still does not create a connection. I even tried to create a connection for the second NIC2 hoping it was related to the first NIC I was using for the private/public NAT but no avail. I can't help but think this is Synology related since changing the private IP to an internal pc (instead of the synology) verifies that the ports are indeed being properly translated.

In the Synology's firewall (Control Panel/Firewall and QOS), under Allow/Deny, do you happen to have any rules there, or, alternatively, if there are no rules, is "Deny access" selected at the bottom of the page?
Sean_MurphyAuthor Commented:
No, All rules are disabled and each NIC has the option of Allow all if no rules match.
Blue Street TechLast KnightCommented:
Can you enable ping on the SonicWALL Interfaces or Access Rules in question and ping the devices' IPs?
Sean_MurphyAuthor Commented:
Under Interfaces the only option regarding Ping I see is under Management (States Allow Remote Management through Ping). Is this what you're referring to? In the Access Rules, all services are allowed for this IP. FYI, I am running SoincOS 5.9
Blue Street TechLast KnightCommented:
Yes, you may need to create an Access Rule in order to test ping...like WAN>LAN, service Ping. This is obviously only for testing so you limit your access by IP or simply remove thereafter your testing is complete.

BTW: Also, it's a security best practice to place public facing servers/resources in the DMZ rather than LAN that way if compromised the threats are isolated.
Sean_MurphyAuthor Commented:
Can Ping be disabled elsewhere in the SonicWall? Creating an Access Rule like the one you suggest doesn't work for any IPs even if I set the rule to allow from all WAN to all LAN.
From>To            Priority          Source     Destination      Service      Action      Users Incl Users Excl.
WAN>LAN      4            Any            Any                  Ping            Allow      All              None
Is there a way you could temporarily bypass the SonicWall for the Synology and expose the Synology box directly to the internet, so you can determine whether the problem is with the SonicWall or the Synology?
Blue Street TechLast KnightCommented:
OK. Delete that rule you created and follow the steps below:
1. Go to Network > Interfaces.
2. Click on the Notepad icon in the Configure column for the WAN or other Interface you want to configure.
The Edit Interface window is displayed.
3. To enable Ping on this interface, scroll down to Management and select the Ping checkbox.
4. Click OK.

Enabling Ping in this manner will automatically create the appropriate NAT policies and Access Rules.

This the default standard for enabling Ping. Let me know if you are still having issues, which could be an indication of other issues related to the firewall.
Sean_MurphyAuthor Commented:
I was able to expand the logs pushed to the syslog server. As a result info that used to look like
src= dst=
now looked like
src= srcZone=Untrusted dst= dstZone=Encrypted
All successfull traffic had a dstZone=Trusted
Following this rabbit hole lead to me to discover that a group of 10 LAN IPs,, were assigned to a L2TP IP Pool which is in the VPN zone instead of the LAN.
I reassigned the private LAN IP of the Synology to one outside this pool, recreated my original NAT/Access rules and all is now working as originally expected. Geesh :) Regardless, it's an early Halloween treat!
Thanks to all who assisted on this. I'll mark answers appropriately.
Sean_MurphyAuthor Commented:
Although the solution to this particular problem was not directly solved by those who participated in this resolution, the comments marked as assisted solutions are typically the way this problem would have been resolved.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.