Basic configuration for Synology NAS - r7800 switch

Hello OpenWrt Community,

I just bought a used Netgear R7800 and installed OpenWrt without any problems. My WiFi is also working fine on 2.4GHz and 5GHz. I read through the basic documentation and the forums, but when it comes to accessing my Synology NAS, I seem to overlook something (basic).

This is the current situation:

  • The Router is connected to my ISP Modem (which is in Bridge Mode).
  • The Synology NAS is connected via Ethernet to the first port on the R7800.
  • I added a static lease for the NAS, it has the address 192.168.1.2.
  • I forwarded the ports 5000-5001. Here I am not quite sure whether the configuration is correct. I have already tried several settings:
  • When I want to access the NAS web interface via 192.168.1.2:5000, nothing happens. Not over Ethernet and not over WiFi.

I look forward to your support, thanks in advance :)!

It should not be necessary to configure any port forwards when you are accessing the NAS on your local network. You might try rebooting your NAS to make sure that it has picked up the IP address (especially if you just changed your router, the subnet and DHCP range, and possibly the actual IP address of the unit itself may have been different -- a reboot or unplugging the ethernet cable and plugging it back in should get them talking again).

The port forwarding rule is certainly wrong, though. It is only necessary if you want the NAS to be able to receive and respond to requests coming from the internet (vs your local LAN) -- useful if you need remote access to your NAS (but also a potential vector for security threats, although usually not much of an issue).

Otherwise, for troubleshooting further, we need to see your config files.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

Thank you for your answer, @psherman!

The IP address seems to be the correct one, I did already reboot the NAS and reattached the cable:

Hostname    MAC-Address    IPv4-Address    Lease time    DUID    IPv6-Suffix (hex)
----------------------------------------------------------------------------------
bimanas	   [MAC ADDRESS]   192.168.1.2     none	        [DUID]   none

I definitely want to make the NAS accessible from outside again later, but more important for now is access from the same network. I have removed the port forwarding for now.

Here's the output of your provided commands. If I have obfuscated too much, please let me know and I will edit the line(s).

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'IPADDRESS/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option hostname 'uplink'
	option type 'bridge'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'AT'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option key 'PASSWORD'
	option ssid 'SSID'
	option encryption 'psk2'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option htmode 'HT20'
	option country 'AT'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'PASSWORD'
	option ssid 'SSID'
	option encryption 'psk2'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac 'MAC ADDRESS'
	option duid 'DUID'
	option dns '1'
	option name 'bimanas'
	option ip '192.168.1.2'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'

config forwarding
	option src 'wan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Thu May 14 17:05:21 2020
*nat
:PREROUTING ACCEPT [345:66264]
:INPUT ACCEPT [64:4497]
:OUTPUT ACCEPT [40:2873]
:POSTROUTING ACCEPT [1:71]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[345:66264] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[324:64976] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[21:1288] -A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[177:22039] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[176:21968] -A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[324:64976] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[176:21968] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[176:21968] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[21:1288] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu May 14 17:05:21 2020
# Generated by iptables-save v1.8.3 on Thu May 14 17:05:21 2020
*mangle
:PREROUTING ACCEPT [9999:7787375]
:INPUT ACCEPT [346:30872]
:FORWARD ACCEPT [9509:7713910]
:OUTPUT ACCEPT [324:52881]
:POSTROUTING ACCEPT [9829:7766595]
[352:22528] -A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu May 14 17:05:21 2020
# Generated by iptables-save v1.8.3 on Thu May 14 17:05:21 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[38:3535] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[309:27389] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[218:21580] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[13:576] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[61:4161] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[30:1648] -A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[9509:7713910] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[9107:7674661] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[402:39249] -A FORWARD -m comment --comment "!fw3: Zone * to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[38:3535] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[288:51210] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[249:48408] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[39:2802] -A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[20:808] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[13:576] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[61:4161] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[61:4161] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[61:4161] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[4:196] -A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[437:41855] -A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to * forwarding policy" -j ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[30:1648] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[10:840] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[20:808] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[39:2802] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[39:2802] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[20:808] -A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu May 14 17:05:21 2020
# Generated by ip6tables-save v1.8.3 on Thu May 14 17:05:21 2020
*mangle
:PREROUTING ACCEPT [20:2648]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:460]
:POSTROUTING ACCEPT [3:460]
[0:0] -A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu May 14 17:05:21 2020
# Generated by ip6tables-save v1.8.3 on Thu May 14 17:05:21 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -m comment --comment "!fw3: Zone * to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3:460] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:160] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
[2:300] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:160] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:160] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:160] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2:300] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to * forwarding policy" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[2:300] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[2:300] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu May 14 17:05:21 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
16: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet IPADDRESS/24 brd IPADDRESS scope global br-wan
       valid_lft forever preferred_lft forever
default via IPADDRESS dev br-wan  src IPADDRESS
IPADDRESS/24 dev br-wan scope link  src IPADDRESS
IPADDRESS/24 dev br-lan scope link  src 192.168.1.1
broadcast IPADDRESS dev br-wan table local scope link  src IPADDRESS
local IPADDRESS dev br-wan table local scope host  src IPADDRESS
broadcast IPADDRESS dev br-wan table local scope link  src IPADDRESS
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 IPADDRESS/64 scope link
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 IPADDRESS/60 scope global
       valid_lft forever preferred_lft forever
    inet6 IPADDRESS/64 scope link
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::8e3b:adff:feba:1560/64 scope link
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 IPADDRESS/64 scope link
       valid_lft forever preferred_lft forever
16: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 IPADDRESS/64 scope link
       valid_lft forever preferred_lft forever
17: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 IPADDRESS/64 scope link
       valid_lft forever preferred_lft forever
IPADDRESS/64 dev br-lan  metric 1024
unreachable IPADDRESS/48 dev lo  metric 2147483647  error -113
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth0  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev wlan1  metric 256
fe80::/64 dev br-wan  metric 256
fe80::/64 dev wlan0  metric 256
local ::1 dev lo table local  metric 0
anycast IPADDRESS dev br-lan table local  metric 0
local IPADDRESS dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev eth0.2 table local  metric 0
anycast fe80:: dev wlan1 table local  metric 0
anycast fe80:: dev br-wan table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
local IPADDRESS dev br-lan table local  metric 0
local IPADDRESS dev eth0 table local  metric 0
local IPADDRESS dev eth0.2 table local  metric 0
local IPADDRESS dev br-wan table local  metric 0
local IPADDRESS dev wlan0 table local  metric 0
local IPADDRESS dev wlan1 table local  metric 0
ff00::/8 dev br-lan table local  metric 256
ff00::/8 dev eth0 table local  metric 256
ff00::/8 dev eth0.2 table local  metric 256
ff00::/8 dev wlan1 table local  metric 256
ff00::/8 dev br-wan table local  metric 256
ff00::/8 dev wlan0 table local  metric 256
0:	from all lookup local
32766:	from all lookup main
4200000001:	from all iif lo lookup unspec 12
4200000007:	from all iif br-lan lookup unspec 12
4200000016:	from all iif br-wan lookup unspec 12
lrwxrwxrwx    1 root     root            16 Feb 27 21:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 May 14 16:14 /tmp/resolv.conf
-rw-r--r--    1 root     root            82 May 14 15:14 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver NS1
nameserver NS2
search ISP

I don't see any specific issues. Are you having issues with connecting to the NAS over wired, wireless, or both? Can you ping it from the router (within the ssh session)? How about from another system on the wired network? And wirelessly?

You may need to check the local firewall on the NAS -- some systems (Windows is known for this) may default back to a strict firewall (assuming an untrusted network) when they detect a new router.

The lines below are not part of your problem, but should be removed... they seem to be defining a firewall zone, but are missing the actual zone info. Since you are only using a LAN and a WAN, these clearly are not needed.

config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'

config forwarding
	option src 'wan'

Thank you again, I removed the lines in the firewall config.

I had issues connecting over wired AND wireless. The ping from the router didn't work either. I tried it from another machine as well, same thing.

I just managed to find the NAS over the wired connection with the Synology Assistant app. The strange thing is that both my MacBook and the NAS have an IP address that looks like this: 169.254.X.X. Where does that come from? The NAS and my MacBook are connected to Ethernet ports 1 and 2 of my R7800.

auto(client)-assigned = dhcp issues ( or lower level connectivity )

@anon50098793 You mean DHCP issues in my OpenWrt settings or on the Synology NAS and my MacBook?

openwrt... see if it gets one without the 'host' entry... then again.. macbook also is more likely firewall or fail.... what's in:

logread | grep dnsmasq | tail -n25
Fri May 15 06:04:29 2020 daemon.info dnsmasq[15288]: using local addresses only for domain localhost
Fri May 15 06:04:29 2020 daemon.info dnsmasq[15288]: using local addresses only for domain local
Fri May 15 06:04:29 2020 daemon.info dnsmasq[15288]: using local addresses only for domain invalid
Fri May 15 06:04:29 2020 daemon.info dnsmasq[15288]: using local addresses only for domain bind
Fri May 15 06:04:29 2020 daemon.info dnsmasq[15288]: using local addresses only for domain lan
Fri May 15 06:04:29 2020 daemon.info dnsmasq[15288]: using nameserver NAMESERVER1#53
Fri May 15 06:04:29 2020 daemon.info dnsmasq[15288]: using nameserver NAMESERVER2#53
Fri May 15 06:04:29 2020 daemon.info dnsmasq[15288]: read /etc/hosts - 4 addresses
Fri May 15 06:04:29 2020 daemon.info dnsmasq[15288]: read /tmp/hosts/odhcpd - 0 addresses
Fri May 15 06:04:29 2020 daemon.info dnsmasq[15288]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Fri May 15 06:04:29 2020 daemon.info dnsmasq-dhcp[15288]: read /etc/ethers - 0 addresses
Fri May 15 06:04:31 2020 daemon.info dnsmasq[15288]: read /etc/hosts - 4 addresses
Fri May 15 06:04:31 2020 daemon.info dnsmasq[15288]: read /tmp/hosts/odhcpd - 0 addresses
Fri May 15 06:04:31 2020 daemon.info dnsmasq[15288]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Fri May 15 06:04:31 2020 daemon.info dnsmasq-dhcp[15288]: read /etc/ethers - 0 addresses
Fri May 15 06:09:38 2020 daemon.info dnsmasq-dhcp[15288]: DHCPREQUEST(br-lan) 192.168.1.125 MACADDRESS
Fri May 15 06:09:38 2020 daemon.info dnsmasq-dhcp[15288]: DHCPACK(br-lan) 192.168.1.125 MACADDRESS Zwiephone-S8
Fri May 15 06:10:29 2020 daemon.info dnsmasq-dhcp[15288]: DHCPREQUEST(br-lan) 192.168.1.227 MACADDRESS
Fri May 15 06:10:29 2020 daemon.info dnsmasq-dhcp[15288]: DHCPACK(br-lan) 192.168.1.227MACADDRESS manuBook
Fri May 15 06:11:32 2020 daemon.info dnsmasq-dhcp[15288]: DHCPREQUEST(br-lan) 192.168.1.116 MACADDRESS
Fri May 15 06:11:32 2020 daemon.info dnsmasq-dhcp[15288]: DHCPACK(br-lan) 192.168.1.116 MACADDRESS HPD79C30
Fri May 15 06:17:21 2020 daemon.info dnsmasq-dhcp[15288]: DHCPDISCOVER(br-lan) MACADDRESS
Fri May 15 06:17:21 2020 daemon.info dnsmasq-dhcp[15288]: DHCPOFFER(br-lan) 192.168.1.240 MACADDRESS
Fri May 15 06:17:21 2020 daemon.info dnsmasq-dhcp[15288]: DHCPREQUEST(br-lan) 192.168.1.240 MACADDRESS
Fri May 15 06:17:21 2020 daemon.info dnsmasq-dhcp[15288]: DHCPACK(br-lan) 192.168.1.240 MACADDRESS Samsung-Galaxy-S7

ok, dhcp looks good... so seems like the assistant was using an auto-ip on purpose...

as there is no nas there... i'd just give it a real static ip and test with that...

I did that and now I can't see it in my list of connected devices and I also can't find it with the Synology Assistant App over a wired connection. It is completely "gone" now. Only thing I could do is reset the NAS network settings with the reset button I guess.

Do you have data on it?
Does it have two nics and you're testing both?

Either way... synology support / forums might be worth a shot... because this does not appear to be an openwrt issue (edit: i was wrong). Those guys will know more so you can proceed with confidence.


Yes, I have data on it. There's only one NIC that I can work with.

Anyway, thanks a lot, I'll check the Synology forum for a solution. Good to know that it is not because of my OpenWrt config :).

Okay, now I have to write again, because there's one more (major?) thing I just noticed:
When I connect my MacBook to the R7800 by cable, I get an IP address 169.254.x.x as well, and I don't have a connection to the internet. This means that the device(s) on the Ethernet ports are not assigned an IP via DHCP, but rather get a self-assigned IP address. Am I seeing this correctly?


what method did you use to install? has wired ever worked? ( eliminate hardware )

also post;

cat /etc/config/firewall

again

I used the GUI to upload the .img file. I think it worked before, because I saw the NAS in the connected devices list before. Maybe I screwed up the OpenWrt config somehow.

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'lan'

don't see any issues in that file... so my call is hardware fault...(edit: i was wrong again ) ( when you said the laptop found it with 169. was that through the switch or direct wired? )

you can give your laptop 192.168.1.5 (temporarily) and use a cable direct to the nas to get back into it ( seeing as i told you to give it a static address )...

don't reset it... especially if the drives are in ( at least until a known good source says it's safe )


First I followed my gut feeling and looked at the interfaces. At the LAN I now have the following settings under "Physical Settings". I'm sure this is not correct, but now my NAS gets the correct IP (192.168.1.2) and I can access it!

Can you tell me which interfaces I can safely disable again? Do I need eth0.2 for example?


i think this might have been the original issue... eth0 is not right here.


Ok, so I now have left

  • eth1
  • eth1.1
  • wlan0
  • wlan1

Is that how it is supposed to be :)?
