Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Security/login issue

Posted on 2013-12-26
24
485 Views
Last Modified: 2013-12-28
Here's one I've never run into before.

I have a Synology NAS drive that has worked flawlessly for 2 years. I use it primarily to share movies with my family using Synology app DS Video.
Yesterday I went to watch a movie on my iPad and received a message I didn't have permission to access. I rebooted both my cable modem and router and tried again - same result. Then I powered down my Synology - same result. My iPad is set using an external, fixed Ip.

If I set my DS Video login to the internal Ip, it works fine. I had my daughter try it from her house with the same app and it worked fine. I then took my iPad to a friends house and logged into the DS Video on my Synology successfully as I've always done.

So the bottom line suggests a problem with my wifi. I draw that conclusion because I only get the login failure when using the external Ip in my own network. As I said previously, the external Ip works fine when not connected to my own wifi. The problem with this theory is, however, except for attempting to login to my Synology box, my wifi works fine for everything else i.e. surf the web, receive mail, etc.

I'm at a point now of no ideas left so I'm turning to the experts. I hope someone has a clue what's going on.
0
Comment
Question by:SpaceCoastLife
  • 9
  • 6
  • 3
  • +3
24 Comments
 
LVL 20

Expert Comment

by:Patrick Bogers
ID: 39739932
Hi

From what i read there could be some possible solutions.

Check if system time/date differ between Ipad en Synology box.
Second check if “Auto Block” in the network services of the Synology server is enabled and your ipad is listed there.
0
 
LVL 11

Expert Comment

by:Miftaul
ID: 39739940
I believe the issue could be with the routers port forwarding. May be the loopback configuration to access the synology from within the internal network using WAN ip is not correct.

What router are you using?
0
 

Author Comment

by:SpaceCoastLife
ID: 39740164
The router I'm using is a Linksys EA4500. Keep in mind this all happened overnight. It's not the case of a parameter being set incorrectly because however it's set, it's worked that way for a long time.
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 11

Expert Comment

by:Miftaul
ID: 39740243
Could you please see if necessary ports are forwarded on this page -http://screenshots.portforward.com/routers/Linksys/EA4500/Port_Range_Forwarding.htm
It would be easier if you post your findings here on his page.
Also make sure the wan ip is not changed on your router by the isp.
You can follow this page just to make sure all configs are correct - http://forum.synology.com/wiki/index.php/Manual_Port_Forwarding_with_a_Linksys_Router
0
 
LVL 26

Expert Comment

by:akahan
ID: 39740294
If I understand your problem correctly, you are not able to access DSVideo on the Synology using the WAN IP address from within your LAN, but otherwise things work.

In other words, if you're at home, and you use the LOCAL address for the Synology, it's fine.
If you're somewhere else, and you use the WAN address for the Synology, it's fine.
But if you're at home and you use the WAN address for the Synology, it's not fine.

If that's the case, then "Filter Internet NAT Redirection" may have somehow gotten turned on in the router.    Per the EA4500 manual, "This filter prevents a local computer from using a URL or Internet IP address to access the local server."  

Check and make sure this is DISABLED in the router:  

Router Settings/Security/Internet Filters/Filter Internet NAT Redirection - make sure this is DISABLED; if it is enabled, Disable it, and click "Save".

If that doesn't solve it, try accessing DSVideo using your NUMERIC WAN IP address rather than the domain name you might have set up using DDNS or a similar service to see if this is a DDNS issue.
0
 

Author Comment

by:SpaceCoastLife
ID: 39740412
akahan: Your summary exactly summarizes my problem. I tried your suggestions with no positive result. The NAT redirection control in my router is off and entering the numeric Ip in the DSVideo app yielded the same log-in failure.
0
 

Author Comment

by:SpaceCoastLife
ID: 39740427
A bit more info.: In addition to the DSVideo app I also use DSPhoto and DSAudio, all of which use the same log-in and all fail in the same manner. In addition, I have tried multiple iPads just to make sure I'm not missing something obvious. They all behave the same way.
0
 
LVL 10

Expert Comment

by:tmoore1962
ID: 39740446
The only way the WAN ip on the ipad will probably work is if the dsvideo is in a DMZ on your network.  The proper way to connect to a device inside a firewall from a device inside the same firewall is to use the internal IP address, especially on a typical home soho such as the ea4500.
0
 
LVL 26

Expert Comment

by:akahan
ID: 39740465
tmoore is correct about what's "proper" - I'm just trying to figure out why it apparently used to work but no longer does.  It shouldn't really ever have worked.  

SpaceCoast, what would be the problem with using the LAN address for the Synology on the iPad when you're at home?
0
 

Author Comment

by:SpaceCoastLife
ID: 39740527
It is, of course, doable. The problem I have with it is (1) it has always worked just fine using the WAN address and (2) every time I leave the house with the intent of connecting back to my server I have to change the parameters to log-in. Conversely, every time my kids and grand kids - all of which have iPads, come to my house, they would have to change the parameters on their tablet.

Doable? Yes. Desirable? No. If it had never worked I probably wouldn't spend a lot of energy trying to figure it out but since I know it does work that way (convention be damned as they say), I will continue to get it resolved.

As an aside - I don't understand the statement "dsvideo is in a DMZ on your network". Please explain?
0
 
LVL 26

Expert Comment

by:akahan
ID: 39740595
The DMZ suggestion is to put the Synology box in the DMZ in your network, meaning that the router doesn't "protect" it from any incoming traffic.

To do this, in the router, to go Security, then the DMZ tab, then turn on the DMZ, and set the source IP address to "any" and the destination IP address to the LAN address of the Synology box.

The router's firewall then wouldn't block anything coming to the Synology box...it's a security risk, but it might solve your problem.

Apart from that, it would be helpful to know, when you aim your iPad at the Synology box over the internet, whether you're doing it using a numeric IP address, or whether you have a domain name, and, if so, whether that domain name is through DDNS or something else, and whether you're able to reach any other servers or other resources inside your network using the WAN address.

And have you made ANY changes to your router, your DNS provider, or the Synology AT ALL between the time things were working and now?  Upgraded any firmware?  Upgraded the Synology's DSM operating system?  Anything?
0
 

Author Comment

by:SpaceCoastLife
ID: 39740765
Ok, I placed the Synology box in the DMZ in my network as you suggested but it doesn't help. Insofar as my iPad, I've tried it both ways: Ip 50.88.0.118 and 7duffs.com through GoDaddy.com. If I try either from my iPad or laptop, the result is the same. As far as reaching other servers, if I understand your question, then yes, I can go pretty much anywhere I want i.e. msn.com, etc. I've not made any changes to any devices in quite some time except for a DSM Operating System upgrade a few days ago but that was before I started having problems.
0
 
LVL 26

Expert Comment

by:akahan
ID: 39740804
No that's not what I meant. I meant can you reach other servers IN your LAN from within your LAN.
0
 

Author Comment

by:SpaceCoastLife
ID: 39740819
That too. I have a VPN setup on my laptop that connects to our office servers and I can connect to those fine.

I also posted a problem log with Synology Tech Support just on the outside chance there's an issue with their latest DSM release
0
 
LVL 10

Expert Comment

by:tmoore1962
ID: 39742347
You could down load nice trace from the apple store to do a trace route to the synology box to see where the traffic bound to it is going.  I am not familiar with the firewall in question so I don't know if there is any traffic monitoring capability on it.  You may also want to verify its configuration, an upgrade done by your ISP could definitely impact the ability to 'bounce' the traffic back at its self their equip could see it as a DOS and drop the traffic since the source IP would be the same as the destination IP.  It would be great if  the fw had traffic monitoring so you could 'see' the traffic and see if it is actually being returned to fw from ISP.  If you REALLY want to find out, a small HP managed switch, laptop with wireshark and then use port mirroring on the synology , firewall, AP (if not integrated in fw) to trace the traffic and find out what's going on.  You should be able to see the routing table for the fw.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39742526
akahan: Your summary exactly summarizes my problem. I tried your suggestions with no positive result. The NAT redirection control in my router is off and entering the numeric Ip in the DSVideo app yielded the same log-in failure.
That tells me the IP block list is telling the NAS to deny your login.  The fact that you're getting a response at least tells me that routing or NAT isn't the problem.
0
 
LVL 26

Expert Comment

by:akahan
ID: 39742587
You might want to check the Synology box at Control Panel/Autoblock, and see if your IP address is being blocked by the Synology (under Block List).  This will happen if you've mistyped your password a few times in succession.
0
 

Author Comment

by:SpaceCoastLife
ID: 39743413
No, Auto Block was the first thing I checked to make sure it wasn't listed. I just received the following response from Synology:

"Could you access your Diskstation through external ip while you were connected to your home network? It seems that your router doesn't have NAT Loopback capability. So you will need either use your internal ip when you are conected to your home network, or you can use quickconnect, which will automatically decide what ip to use."

I'm not familiar with the terms NAT Loopback or QuickConnect
0
 
LVL 11

Expert Comment

by:Miftaul
ID: 39743430
Back to my first reply to this thread, its definitely got something to do with the NAT loopback configuration.
Could you please disable "Filter Internet NAT Redirection" from the "security tab" on the LinkSys EA4500 administration page.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39743434
I don't see how it can be a NAT loopback issue if the author has tried to connect to the NAS via its internal IP via wireless and it still didn't work...

akahan: Your summary exactly summarizes my problem. I tried your suggestions with no positive result. The NAT redirection control in my router is off and entering the numeric Ip in the DSVideo app yielded the same log-in failure.
...unless the IP the author entered was the external IP?

But, that doesn't explain why it did work for so long, then just stopped working.
0
 

Author Comment

by:SpaceCoastLife
ID: 39743459
Filter NAT Redirection is - and has been along disabled.
0
 
LVL 26

Assisted Solution

by:akahan
akahan earned 250 total points
ID: 39743621
Enable Quickconnect on the Synology box (Control Panel/Quickconnect), and set the Synology apps (DSVideo,  etc.) on the ipads to connect using Quickconnect, and that should solve the problem, though it doesn't explain why loopback was formerly working and now isn't.
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 250 total points
ID: 39743739
I agree.  Quickconnect should solve this.
0
 

Author Closing Comment

by:SpaceCoastLife
ID: 39743859
You both educated me on this subject and for that I thank you. I did not implement Quickconnect as I was bothered by the fact it was never necessary previously. Instead, I purchased and Installed a new router (NetGear R7000 Nighthawk).

Problem solved!

I have no idea why or what happened to my existing router but something very subtle obviously changed or failed that threw all of us down a big hole.

Thanks for the help.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

iPad in the Business – Quick Start Part 1 Getting Started with Active Sync Mail Many people seem to have issues connecting their iOS device to their company Exchange Server and this article covers the steps for Active Sync configuration as wel…
Learn about the eCommerce marketing trends for the year ahead.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question