Solved

Security/login issue

Posted on 2013-12-26
Last Modified: 2013-12-28
Here's one I've never run into before.

I have a Synology NAS drive that has worked flawlessly for 2 years. I use it primarily to share movies with my family using Synology app DS Video.
Yesterday I went to watch a movie on my iPad and received a message I didn't have permission to access. I rebooted both my cable modem and router and tried again - same result. Then I powered down my Synology - same result. My iPad is set using an external, fixed IP.

If I set my DS Video login to the internal IP, it works fine. I had my daughter try it from her house with the same app and it worked fine. I then took my iPad to a friend's house and logged into the DS Video on my Synology successfully as I've always done.

So the bottom line suggests a problem with my wifi. I draw that conclusion because I only get the login failure when using the external IP in my own network. As I said previously, the external IP works fine when not connected to my own wifi. The problem with this theory is, however, except for attempting to login to my Synology box, my wifi works fine for everything else i.e. surf the web, receive mail, etc.

I'm at a point now of no ideas left so I'm turning to the experts. I hope someone has a clue what's going on.
0
Question by:SpaceCoastLife
24 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
Hi

From what I read there could be some possible solutions.

Check if system time/date differ between the iPad and the Synology box.
Second, check if “Auto Block” in the network services of the Synology server is enabled and your iPad is listed there.
0
 
LVL 11

Expert Comment

by:Miftaul
I believe the issue could be with the router's port forwarding. Maybe the loopback configuration to access the Synology from within the internal network using the WAN IP is not correct.

What router are you using?
0
 

Author Comment

by:SpaceCoastLife
The router I'm using is a Linksys EA4500. Keep in mind this all happened overnight. It's not the case of a parameter being set incorrectly because however it's set, it's worked that way for a long time.
0
 
LVL 11

Expert Comment

by:Miftaul
Could you please see if the necessary ports are forwarded on this page - http://screenshots.portforward.com/routers/Linksys/EA4500/Port_Range_Forwarding.htm
It would be easier if you post your findings here on this page.
Also make sure the WAN IP is not changed on your router by the ISP.
You can follow this page just to make sure all configs are correct - http://forum.synology.com/wiki/index.php/Manual_Port_Forwarding_with_a_Linksys_Router
0
 
LVL 26

Expert Comment

by:akahan
If I understand your problem correctly, you are not able to access DSVideo on the Synology using the WAN IP address from within your LAN, but otherwise things work.

In other words, if you're at home, and you use the LOCAL address for the Synology, it's fine.
If you're somewhere else, and you use the WAN address for the Synology, it's fine.
But if you're at home and you use the WAN address for the Synology, it's not fine.

If that's the case, then "Filter Internet NAT Redirection" may have somehow gotten turned on in the router.    Per the EA4500 manual, "This filter prevents a local computer from using a URL or Internet IP address to access the local server."  

Check and make sure this is DISABLED in the router:  

Router Settings/Security/Internet Filters/Filter Internet NAT Redirection - make sure this is DISABLED; if it is enabled, Disable it, and click "Save".

If that doesn't solve it, try accessing DSVideo using your NUMERIC WAN IP address rather than the domain name you might have set up using DDNS or a similar service to see if this is a DDNS issue.
0
 

Author Comment

by:SpaceCoastLife
akahan: Your summary exactly summarizes my problem. I tried your suggestions with no positive result. The NAT redirection control in my router is off and entering the numeric IP in the DSVideo app yielded the same log-in failure.
0
 

Author Comment

by:SpaceCoastLife
A bit more info.: In addition to the DSVideo app I also use DSPhoto and DSAudio, all of which use the same log-in and all fail in the same manner. In addition, I have tried multiple iPads just to make sure I'm not missing something obvious. They all behave the same way.
0
 
LVL 10

Expert Comment

by:tmoore1962
The only way the WAN IP on the iPad will probably work is if the dsvideo is in a DMZ on your network. The proper way to connect to a device inside a firewall from a device inside the same firewall is to use the internal IP address, especially on a typical home SOHO such as the EA4500.
0
 
LVL 26

Expert Comment

by:akahan
tmoore is correct about what's "proper" - I'm just trying to figure out why it apparently used to work but no longer does.  It shouldn't really ever have worked.  

SpaceCoast, what would be the problem with using the LAN address for the Synology on the iPad when you're at home?
0
 

Author Comment

by:SpaceCoastLife
It is, of course, doable. The problem I have with it is (1) it has always worked just fine using the WAN address and (2) every time I leave the house with the intent of connecting back to my server I have to change the parameters to log in. Conversely, every time my kids and grandkids - all of whom have iPads - come to my house, they would have to change the parameters on their tablets.

Doable? Yes. Desirable? No. If it had never worked I probably wouldn't spend a lot of energy trying to figure it out but since I know it does work that way (convention be damned as they say), I will continue to get it resolved.

As an aside - I don't understand the statement "dsvideo is in a DMZ on your network". Please explain?
0
 
LVL 26

Expert Comment

by:akahan
The DMZ suggestion is to put the Synology box in the DMZ in your network, meaning that the router doesn't "protect" it from any incoming traffic.

To do this, in the router, go to Security, then the DMZ tab, then turn on the DMZ, and set the source IP address to "any" and the destination IP address to the LAN address of the Synology box.

The router's firewall then wouldn't block anything coming to the Synology box...it's a security risk, but it might solve your problem.

Apart from that, it would be helpful to know, when you aim your iPad at the Synology box over the internet, whether you're doing it using a numeric IP address, or whether you have a domain name, and, if so, whether that domain name is through DDNS or something else, and whether you're able to reach any other servers or other resources inside your network using the WAN address.

And have you made ANY changes to your router, your DNS provider, or the Synology AT ALL between the time things were working and now?  Upgraded any firmware?  Upgraded the Synology's DSM operating system?  Anything?
0
 

Author Comment

by:SpaceCoastLife
Ok, I placed the Synology box in the DMZ in my network as you suggested but it doesn't help. Insofar as my iPad, I've tried it both ways: IP 50.88.0.118 and 7duffs.com through GoDaddy.com. If I try either from my iPad or laptop, the result is the same. As far as reaching other servers, if I understand your question, then yes, I can go pretty much anywhere I want i.e. msn.com, etc. I've not made any changes to any devices in quite some time except for a DSM Operating System upgrade a few days ago but that was before I started having problems.
0
 
LVL 26

Expert Comment

by:akahan
No, that's not what I meant. I meant can you reach other servers IN your LAN from within your LAN.
0
 

Author Comment

by:SpaceCoastLife
That too. I have a VPN setup on my laptop that connects to our office servers and I can connect to those fine.

I also posted a problem log with Synology Tech Support just on the outside chance there's an issue with their latest DSM release.
0
 
LVL 10

Expert Comment

by:tmoore1962
You could download nice trace from the Apple store to do a traceroute to the Synology box to see where the traffic bound to it is going. I am not familiar with the firewall in question so I don't know if there is any traffic monitoring capability on it. You may also want to verify its configuration; an upgrade done by your ISP could definitely impact the ability to 'bounce' the traffic back at itself. Their equipment could see it as a DoS and drop the traffic since the source IP would be the same as the destination IP. It would be great if the fw had traffic monitoring so you could 'see' the traffic and see if it is actually being returned to the fw from the ISP. If you REALLY want to find out, a small HP managed switch, a laptop with Wireshark and then use port mirroring on the Synology, firewall, AP (if not integrated in the fw) to trace the traffic and find out what's going on. You should be able to see the routing table for the fw.
0
 
LVL 45

Expert Comment

by:Craig Beck
"akahan: Your summary exactly summarizes my problem. I tried your suggestions with no positive result. The NAT redirection control in my router is off and entering the numeric IP in the DSVideo app yielded the same log-in failure."
That tells me the IP block list is telling the NAS to deny your login.  The fact that you're getting a response at least tells me that routing or NAT isn't the problem.
0
 
LVL 26

Expert Comment

by:akahan
You might want to check the Synology box at Control Panel/Autoblock, and see if your IP address is being blocked by the Synology (under Block List).  This will happen if you've mistyped your password a few times in succession.
0
 

Author Comment

by:SpaceCoastLife
No, Auto Block was the first thing I checked to make sure it wasn't listed. I just received the following response from Synology:

"Could you access your Diskstation through external IP while you were connected to your home network? It seems that your router doesn't have NAT Loopback capability. So you will need to either use your internal IP when you are connected to your home network, or you can use QuickConnect, which will automatically decide what IP to use."

I'm not familiar with the terms NAT Loopback or QuickConnect.
0
 
LVL 11

Expert Comment

by:Miftaul
Back to my first reply to this thread, it's definitely got something to do with the NAT loopback configuration.
Could you please disable "Filter Internet NAT Redirection" from the "security tab" on the Linksys EA4500 administration page.
0
 
LVL 45

Expert Comment

by:Craig Beck
I don't see how it can be a NAT loopback issue if the author has tried to connect to the NAS via its internal IP via wireless and it still didn't work...

"akahan: Your summary exactly summarizes my problem. I tried your suggestions with no positive result. The NAT redirection control in my router is off and entering the numeric IP in the DSVideo app yielded the same log-in failure."
...unless the IP the author entered was the external IP?

But, that doesn't explain why it did work for so long, then just stopped working.
0
 

Author Comment

by:SpaceCoastLife
Filter NAT Redirection is - and has been all along - disabled.
0
 
LVL 26

Assisted Solution

by:akahan
akahan earned 250 total points
Enable Quickconnect on the Synology box (Control Panel/Quickconnect), and set the Synology apps (DSVideo, etc.) on the iPads to connect using Quickconnect, and that should solve the problem, though it doesn't explain why loopback was formerly working and now isn't.
0
 
LVL 45

Accepted Solution

by:Craig Beck
Craig Beck earned 250 total points
I agree.  Quickconnect should solve this.
0
 

Author Closing Comment

by:SpaceCoastLife
You both educated me on this subject and for that I thank you. I did not implement Quickconnect as I was bothered by the fact it was never necessary previously. Instead, I purchased and installed a new router (NetGear R7000 Nighthawk).

Problem solved!

I have no idea why or what happened to my existing router but something very subtle obviously changed or failed that threw all of us down a big hole.

Thanks for the help.
0
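
The thread goes back and forth between two explanations, a missing NAT loopback on the router and an application-level block on the NAS. The following check, run from a device inside the home network, separates them; it is an added example, not part of the original thread or any Synology or Linksys tool. The addresses are constructed placeholders and port 5000 (the DSM default HTTP port) is an assumption; substitute the port your router actually forwards.

```python
import socket
import sys

def probe(host, port, timeout=3.0):
    """Try one TCP connect; return 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "error"

VERDICTS = {
    "service-down": "Port is not reachable even on the LAN address: "
                    "check the NAS service and port before the router.",
    "no-nat-loopback": "LAN address answers, WAN address does not: the router is "
                       "not looping the traffic back; use the LAN address or "
                       "QuickConnect while at home.",
    "application-layer": "Both addresses accept TCP: routing and NAT are working; "
                         "look at Auto Block, credentials and the NAS logs.",
}

def classify(lan_state, wan_state):
    """Map the two probe results (taken from INSIDE the LAN) to a verdict key."""
    if lan_state != "open":
        return "service-down"
    if wan_state != "open":
        return "no-nat-loopback"
    # Caveat: an 'open' WAN result can also be the router's own service
    # answering on that port, so confirm that it is really the NAS replying.
    return "application-layer"

if __name__ == "__main__":
    args = sys.argv[1:]
    # Constructed defaults: a typical LAN address and a documentation-range
    # address (192.0.2.0/24) standing in for the real WAN IP.
    lan_ip = args[0] if len(args) > 0 else "192.168.1.50"
    wan_ip = args[1] if len(args) > 1 else "192.0.2.10"
    port = int(args[2]) if len(args) > 2 else 5000  # assumed DSM HTTP port
    lan_state, wan_state = probe(lan_ip, port), probe(wan_ip, port)
    print(f"LAN {lan_ip}:{port} -> {lan_state}")
    print(f"WAN {wan_ip}:{port} -> {wan_state}")
    print(VERDICTS[classify(lan_state, wan_state)])
```

Running the same probe against the WAN address from outside the network confirms that the port forward itself is intact, which is what the successful logins from other houses showed here.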
