SpaceCoastLife

Security/login issue

Here's one I've never run into before.

I have a Synology NAS drive that has worked flawlessly for 2 years. I use it primarily to share movies with my family using the Synology app DS Video.
Yesterday I went to watch a movie on my iPad and received a message I didn't have permission to access. I rebooted both my cable modem and router and tried again - same result. Then I powered down my Synology - same result. My iPad is set using an external, fixed IP.

If I set my DS Video login to the internal IP, it works fine. I had my daughter try it from her house with the same app and it worked fine. I then took my iPad to a friend's house and logged into the DS Video on my Synology successfully as I've always done.

So the bottom line suggests a problem with my wifi. I draw that conclusion because I only get the login failure when using the external IP in my own network. As I said previously, the external IP works fine when not connected to my own wifi. The problem with this theory is, however, except for attempting to log in to my Synology box, my wifi works fine for everything else, i.e. surf the web, receive mail, etc.

I'm at a point now of no ideas left so I'm turning to the experts. I hope someone has a clue what's going on.
Patrick Bogers

Hi

From what I read there could be some possible solutions.

Check if system time/date differ between iPad and Synology box.
Second, check if “Auto Block” in the network services of the Synology server is enabled and your iPad is listed there.
Miftaul H

I believe the issue could be with the router's port forwarding. Maybe the loopback configuration to access the Synology from within the internal network using the WAN IP is not correct.

What router are you using?
ASKER

The router I'm using is a Linksys EA4500. Keep in mind this all happened overnight. It's not the case of a parameter being set incorrectly because however it's set, it's worked that way for a long time.

Could you please see if the necessary ports are forwarded on this page - http://screenshots.portforward.com/routers/Linksys/EA4500/Port_Range_Forwarding.htm
It would be easier if you post your findings here on this page.
Also make sure the WAN IP is not changed on your router by the ISP.
You can follow this page just to make sure all configs are correct - http://forum.synology.com/wiki/index.php/Manual_Port_Forwarding_with_a_Linksys_Router

If I understand your problem correctly, you are not able to access DSVideo on the Synology using the WAN IP address from within your LAN, but otherwise things work.

In other words, if you're at home, and you use the LOCAL address for the Synology, it's fine.
If you're somewhere else, and you use the WAN address for the Synology, it's fine.
But if you're at home and you use the WAN address for the Synology, it's not fine.

If that's the case, then "Filter Internet NAT Redirection" may have somehow gotten turned on in the router.    Per the EA4500 manual, "This filter prevents a local computer from using a URL or Internet IP address to access the local server."  

Check and make sure this is DISABLED in the router:  

Router Settings/Security/Internet Filters/Filter Internet NAT Redirection - make sure this is DISABLED; if it is enabled, Disable it, and click "Save".

If that doesn't solve it, try accessing DSVideo using your NUMERIC WAN IP address rather than the domain name you might have set up using DDNS or a similar service to see if this is a DDNS issue.

akahan: Your summary exactly summarizes my problem. I tried your suggestions with no positive result. The NAT redirection control in my router is off and entering the numeric IP in the DSVideo app yielded the same log-in failure.
A bit more info: In addition to the DSVideo app I also use DSPhoto and DSAudio, all of which use the same log-in and all fail in the same manner. In addition, I have tried multiple iPads just to make sure I'm not missing something obvious. They all behave the same way.

The only way the WAN IP on the iPad will probably work is if the DSVideo is in a DMZ on your network. The proper way to connect to a device inside a firewall from a device inside the same firewall is to use the internal IP address, especially on a typical home SOHO router such as the EA4500.

tmoore is correct about what's "proper" - I'm just trying to figure out why it apparently used to work but no longer does. It shouldn't really ever have worked.

SpaceCoast, what would be the problem with using the LAN address for the Synology on the iPad when you're at home?

It is, of course, doable. The problem I have with it is (1) it has always worked just fine using the WAN address and (2) every time I leave the house with the intent of connecting back to my server I have to change the parameters to log in. Conversely, every time my kids and grandkids, all of whom have iPads, come to my house, they would have to change the parameters on their tablets.

Doable? Yes. Desirable? No. If it had never worked I probably wouldn't spend a lot of energy trying to figure it out but since I know it does work that way (convention be damned as they say), I will continue to get it resolved.

As an aside - I don't understand the statement "dsvideo is in a DMZ on your network". Please explain?

The DMZ suggestion is to put the Synology box in the DMZ in your network, meaning that the router doesn't "protect" it from any incoming traffic.

To do this, in the router, to go Security, then the DMZ tab, then turn on the DMZ, and set the source IP address to "any" and the destination IP address to the LAN address of the Synology box.

The router's firewall then wouldn't block anything coming to the Synology box...it's a security risk, but it might solve your problem.

Apart from that, it would be helpful to know, when you aim your iPad at the Synology box over the internet, whether you're doing it using a numeric IP address, or whether you have a domain name, and, if so, whether that domain name is through DDNS or something else, and whether you're able to reach any other servers or other resources inside your network using the WAN address.

And have you made ANY changes to your router, your DNS provider, or the Synology AT ALL between the time things were working and now? Upgraded any firmware? Upgraded the Synology's DSM operating system? Anything?

Ok, I placed the Synology box in the DMZ in my network as you suggested but it doesn't help. Insofar as my iPad, I've tried it both ways: IP 50.88.0.118 and 7duffs.com through GoDaddy.com. If I try either from my iPad or laptop, the result is the same. As far as reaching other servers, if I understand your question, then yes, I can go pretty much anywhere I want, i.e. msn.com, etc. I've not made any changes to any devices in quite some time except for a DSM Operating System upgrade a few days ago but that was before I started having problems.

No, that's not what I meant. I meant can you reach other servers IN your LAN from within your LAN.

That too. I have a VPN setup on my laptop that connects to our office servers and I can connect to those fine.

I also posted a problem log with Synology Tech Support just on the outside chance there's an issue with their latest DSM release.

You could download Nice Trace from the Apple store to do a traceroute to the Synology box to see where the traffic bound to it is going. I am not familiar with the firewall in question so I don't know if there is any traffic monitoring capability on it. You may also want to verify its configuration; an upgrade done by your ISP could definitely impact the ability to 'bounce' the traffic back at itself. Their equipment could see it as a DoS and drop the traffic, since the source IP would be the same as the destination IP. It would be great if the fw had traffic monitoring so you could 'see' the traffic and see if it is actually being returned to the fw from the ISP. If you REALLY want to find out, a small HP managed switch, laptop with Wireshark and then use port mirroring on the Synology, firewall, AP (if not integrated in fw) to trace the traffic and find out what's going on. You should be able to see the routing table for the fw.

"akahan: Your summary exactly summarizes my problem. I tried your suggestions with no positive result. The NAT redirection control in my router is off and entering the numeric IP in the DSVideo app yielded the same log-in failure."
That tells me the IP block list is telling the NAS to deny your login. The fact that you're getting a response at least tells me that routing or NAT isn't the problem.

You might want to check the Synology box at Control Panel/Autoblock, and see if your IP address is being blocked by the Synology (under Block List). This will happen if you've mistyped your password a few times in succession.
No, Auto Block was the first thing I checked to make sure it wasn't listed. I just received the following response from Synology:

"Could you access your Diskstation through external ip while you were connected to your home network? It seems that your router doesn't have NAT Loopback capability. So you will need to either use your internal ip when you are connected to your home network, or you can use quickconnect, which will automatically decide what ip to use."

I'm not familiar with the terms NAT Loopback or QuickConnect.

Back to my first reply to this thread, it's definitely got something to do with the NAT loopback configuration.
Could you please disable "Filter Internet NAT Redirection" from the "security tab" on the Linksys EA4500 administration page.

I don't see how it can be a NAT loopback issue if the author has tried to connect to the NAS via its internal IP via wireless and it still didn't work...

"akahan: Your summary exactly summarizes my problem. I tried your suggestions with no positive result. The NAT redirection control in my router is off and entering the numeric IP in the DSVideo app yielded the same log-in failure."
...unless the IP the author entered was the external IP?

But, that doesn't explain why it did work for so long, then just stopped working.

Filter NAT Redirection is, and has been all along, disabled.
You both educated me on this subject and for that I thank you. I did not implement QuickConnect as I was bothered by the fact it was never necessary previously. Instead, I purchased and installed a new router (NetGear R7000 Nighthawk).

Problem solved!

I have no idea why or what happened to my existing router but something very subtle obviously changed or failed that threw all of us down a big hole.

Thanks for the help.
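
Added illustration, not part of the original thread or of any participant's post: a small Python model of the NAT loopback (hairpin NAT) behaviour that Synology support names in its reply, reproducing the "works on the LAN address, works from outside, fails on the WAN address at home" pattern summarized earlier. The addresses, the port and the three router modes are constructed assumptions, not values or settings taken from the thread.

```python
# Added illustration; all addresses and the port are constructed sample values.
WAN_IP = "203.0.113.10"            # router's public address
ROUTER_LAN = "192.168.1.1"         # router's LAN-side address
NAS = ("192.168.1.20", 5001)       # NAS service behind the router
FORWARDS = {(WAN_IP, 5001): NAS}   # port-forward (DNAT) rule on the router


def is_lan(ip):
    return ip.startswith("192.168.1.")


def connect(client, target, mode):
    """Trace one connection attempt and return its outcome.

    mode models how the router treats LAN-originated traffic to its WAN IP:
      "none"      - forward rule matches WAN-side packets only
      "dnat_only" - destination rewritten, source left as the LAN client
      "hairpin"   - destination and source both rewritten (NAT loopback)
    """
    if is_lan(target[0]):                 # direct LAN connection, no NAT
        reply_src = target
    elif target not in FORWARDS:
        return "no forward rule"
    elif not is_lan(client[0]):           # ordinary inbound port forward
        reply_src = target                # reply leaves via router, which restores WAN_IP
    elif mode == "none":
        return "dropped: forward rule ignores LAN-side packets"
    else:
        server = FORWARDS[target]
        seen_src = ROUTER_LAN if mode == "hairpin" else client[0]
        # If the NAS sees the router as the source, the reply goes back through
        # the router and is un-NATed; otherwise it goes straight to the client.
        reply_src = target if seen_src == ROUTER_LAN else server
    # A TCP client only accepts replies from the address it connected to.
    if reply_src == target:
        return "connected"
    return f"rejected: reply came from {reply_src[0]}, expected {target[0]}"


def symptom_table(mode):
    lan_client, remote_client = ("192.168.1.50", 40000), ("198.51.100.7", 40000)
    return {
        "home, LAN address": connect(lan_client, NAS, mode),
        "away, WAN address": connect(remote_client, (WAN_IP, 5001), mode),
        "home, WAN address": connect(lan_client, (WAN_IP, 5001), mode),
    }


if __name__ == "__main__":
    for mode in ("none", "dnat_only", "hairpin"):
        print(mode, symptom_table(mode))
```

Only the "hairpin" mode connects in all three situations; in the other two modes the first two rows still succeed, which is why ordinary port-forward checks look healthy.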