Connection refused/reset when trying to reach NAS via FQDN

Hi, I'm currently struggling with connection refused/reset errors when trying to reach my NAS via its FQDN nas.synology.me

Route [ Device -- (Interface) -- … ] : Internet -- (DSL) -- Fritzbox 7412 -- (LAN) -- (WAN) -- OpenWrt router -- (DMZ VLAN) -- (LAN 1) -- NAS

Port forwarding does not seem to work, although it is configured both on the router and on the Fritzbox.
Neither QuickConnect nor DDNS show any issue.
Router has a Wireguard tunnel set up.

Thanks in advance for your attention.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
# cat /etc/config/network

# Loopback interface (stock OpenWrt stanza).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Site-local IPv6 ULA prefix; 'lan' below takes a /60 from it via ip6assign.
config globals 'globals'
        option ula_prefix 'fd5c:dc7e:d327::/48'

# Main LAN: bridge over eth1, 192.168.99.0/24. The DNS option points at
# 192.168.254.253, which is also the 'wan' gateway below (the Fritzbox in the
# route the poster describes).
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth1'
        option ipaddr '192.168.99.1'
        option dns '192.168.254.253'

# Upstream link: static /30 transfer net (192.168.254.252/30) towards the
# Fritzbox on eth0.2. Anything the Fritzbox port-forwards must target
# 192.168.254.254 for the firewall redirects to ever see it.
config interface 'wan'
        option proto 'static'
        option ipaddr '192.168.254.254'
        option netmask '255.255.255.252'
        option gateway '192.168.254.253'
        option ifname 'eth0.2'

# IPv6 on the uplink is defined but not brought up (auto '0').
config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'

# VLAN-aware switch. VIDs 1, 67, 10 and 254 are all tagged on ports 0 and 2;
# VID 2 is untagged on port 1 and tagged on port 6 (presumably the CPU port
# behind eth0.2 — confirm against the board's port map).
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '67'
        option ports '0t 2t'

# Home VLAN 67 (bridged), 192.168.67.0/24.
config interface 'Home'
        option proto 'static'
        option ifname 'eth1.67'
        option ipaddr '192.168.67.1'
        option netmask '255.255.255.0'
        option type 'bridge'

# DMZ VLAN 10, 192.168.10.0/24. The NAS that the firewall redirects target
# (192.168.10.10) sits in this network.
config interface 'DMZ'
        option proto 'static'
        option ifname 'eth1.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

# Guest VLAN 254, 192.168.254.0/25 (hosts .1-.126). It shares the
# 192.168.254.0/24 block with the wan transfer net (.252/30); the two ranges
# do not overlap, but the split is easy to misread when debugging.
config interface 'Guest'
        option proto 'static'
        option ifname 'eth1.254'
        option ipaddr '192.168.254.1'
        option netmask '255.255.255.128'
        option broadcast '192.168.254.127'
        option type 'bridge'

# Management VLAN 1, 192.168.255.0/28.
config interface 'Mgmt'
        option proto 'static'
        option ipaddr '192.168.255.1'
        option netmask '255.255.255.240'
        option ifname 'eth1.1'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '10'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '6'
        option vid '254'
        option ports '0t 2t'

# WireGuard peer. allowed_ips 0.0.0.0/0 combined with route_allowed_ips '1'
# installs a default route through the tunnel, so every IPv4 flow without a
# more specific route — including replies to connections DNATed in on 'wan' —
# leaves via WGINTERFACE instead of the interface it arrived on. That
# asymmetric return path is what the replies in the thread identify as the
# cause of the resets; the fix the poster settled on was policy routing for
# the NAS' forwarded ports. Key and endpoint are redacted in the post.
config wireguard_WGINTERFACE
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option public_key '[…]'
        option endpoint_host '[…]'

# VID 255 is untagged on ports 3 and 4, but no interface in this file uses
# eth1.255 — either an unused VLAN or one configured elsewhere.
config switch_vlan
        option device 'switch0'
        option vlan '7'
        option vid '255'
        option ports '0t 3 4'

# The tunnel interface itself; address and private key are redacted.
# listen_port matches the peer's endpoint_port (51820).
config interface 'WGINTERFACE'
        option proto 'wireguard'
        option force_link '1'
        list addresses '[…]'
        option private_key '[…]'
        option listen_port '51820'

# cat /etc/config/firewall

# Stock-style input rules for the 'wan' zone. Rules without a 'dest' apply
# to traffic addressed to the router itself, not to forwarded traffic.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# dest '*' makes this the forwarded-ICMPv6 counterpart of the rule above.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ESP and IKE (UDP/500) are accepted from wan into the lan zone. Neither
# file posted here configures IPsec; if it is not in use these two rules
# are surplus exposure and can be removed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Global defaults. forward REJECT means inter-zone traffic is only allowed
# by the explicit 'forwarding' sections (or by a redirect) further down.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# Upstream zone: nothing reaches the router from wan except the rules above,
# and no 'forwarding' section in this file has dest 'wan', so no internal
# zone may forward to the ISP link — a reply in the thread points this out.
# Masquerading hides the internal subnets behind 192.168.254.254.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# Extra rules may live in /etc/firewall.user; that file was not posted, so
# anything it adds is invisible in this review.
config include
        option path '/etc/firewall.user'

# DMZ zone: input ACCEPT lets hosts in the DMZ (the NAS) reach the router's
# own services; forward ACCEPT allows traffic between networks of this zone.
config zone
        option name 'dmz'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'DMZ'
        option forward 'ACCEPT'

config zone
        option name 'home'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'Home'
        option forward 'ACCEPT'

# Guest zone also has input ACCEPT, i.e. guests can reach router services.
config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'Guest'
        option forward 'ACCEPT'

config zone
        option name 'mgmt'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'Mgmt'
        option forward 'ACCEPT'

# DNAT from wan to the NAS. src_dport '0-65535' matches EVERY TCP
# destination port arriving on wan and rewrites it to 192.168.10.10:5001, so
# a single rule exposes the whole port range to one service (the first reply
# in the thread flags exactly this). The redirect itself admits the rewritten
# flow into 'dmz'; a wan->dmz forwarding is not needed for that, as a later
# reply confirms. The poster's final setup narrows this to one non-standard
# HTTPS port from wan.
config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option dest_ip '192.168.10.10'
        option name 'WAN to NAS Web S'
        option src_dport '0-65535'
        option dest 'dmz'
        option dest_port '5001'

# Same full-range match again, this time to port 5000. Redirects are
# evaluated in order, so presumably the rule above always matches first and
# this one never sees traffic — confirm on the live ruleset.
config redirect
        option src 'wan'
        option src_dport '0-65535'
        option name 'WAN to NAS Web'
        option target 'DNAT'
        option dest 'dmz'
        option proto 'tcp'
        option dest_ip '192.168.10.10'
        option dest_port '5000'

# Tunnel zone: treated like a second uplink (masq, input/forward REJECT).
config zone
        option name 'WGZONE'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'WGINTERFACE'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Inter-zone forwardings. mgmt/lan/home may reach the DMZ; dmz, home, lan and
# guest may reach the tunnel. Together with the tunnel default route in
# /etc/config/network, dmz->WGZONE is the path the NAS' replies to DNATed
# connections take, which is why they never return via wan.
config forwarding
        option dest 'lan'
        option src 'mgmt'

config forwarding
        option dest 'dmz'
        option src 'lan'

config forwarding
        option dest 'dmz'
        option src 'home'

config forwarding
        option dest 'WGZONE'
        option src 'dmz'

config forwarding
        option dest 'WGZONE'
        option src 'home'

config forwarding
        option dest 'WGZONE'
        option src 'lan'

config forwarding
        option dest 'WGZONE'
        option src 'guest'

pretty sure you don't want to DNAT everything to one port here...

also, something seems off with your forwarding... can't find anything with 'wan'... not sure whether the DMZ-DNAT rule circumvents this requirement... ( wan <> dmz forwarding rule )... either way... can't find a lan <> wan either... maybe I'm short caffeine tho' :frowning:


Move this to wan interface

You are redirecting everything to the wg tunnel. Do you have some rule to exclude the traffic that is port redirected?


No, I don't have such a traffic rule. NAS-specific traffic rules seem not to work either.

My suggestion is to remove route_allowed_ips from the wg peer. Then install the pbr package to configure which devices will use the tunnel. You need the router's local services to be served from wan.


I'd like to avoid policy-based routing that excludes the NAS from the VPN tunnel, since Download Station is in use.
The only reason for NAS to get external access is use of calendar as a more reliable (and more privacy-friendly) alternative to Google.

If you port forward traffic from the ISP, then you need to have some rule to return that traffic from the same interface. If you don't want to install pbr, you can try to accomplish that yourself with iptables, ip rules, and ip routes.


WAN isn't allowed to forward, as per the VPN configuration.

Could extra arguments be an option for WAN zone?

Port redirect is not connected to zone forwarding.


I have (almost) the same config. You can't put your NAS over the VPN and use port forwarding. If you want to use port forwarding to your NAS, you have to exclude it from the VPN tunnel.
As suggested, use policy-based routing for this.

You can use pbr for specific ports, the ones that you redirect, towards the ISP link, while the rest will be using the VPN. You can match ports/protocols, not just IPs.


@trendy, so what you are saying is that I can put my NAS in the VPN tunnel, and exclude the ports that I need for port forwarding? Never too old to learn :wink: going to give it a try.
Sorry for hijacking the thread..


two other options are multihoming(virtual@alias if need be) the nas/router ( i.e. dmz2-altsubnet ) and tcpproxy...

probably already been mentioned but accessing vpn@wan and keeping your webdav phone settings consistent is a much better option for this kind of thing...


@M4x_P0w3r, welcome to the community!

Currently, an HTTP and HTTPS server respond on port 443, running nginx. The cert is issued to https://syno-backup.gouin.me/.

If that's not your desire, I think you need to fix your firewall ASAP.

OK guys, now my NAS is reachable from Internet.
Following steps were necessary:

  • Installation of VPN Policy Routing

  • FritzBox configured with non-standard HTTPS Port Forwarding to Router WAN Interface

  • VPR Policy configured.

  • NAS to WAN Firewall Rule, any protocol, any destination

  • Port Forwarding Rule from any source host, any port in WAN to NAS, non-standard HTTPS destination port

For now the VPR policy uses all ports (both source and destination) with all networks as destination. Does anybody know which port(s) are used for communication between the NAS and DDNS?
I'd like to know in case I route BT traffic over the VPN.

Should be HTTPS or, worst case, HTTP.


I've provided destination port 443 to this VPR rule and set another one for routing DNS traffic from NAS over WAN.
For BT traffic over VPN I've created two rules with the respective port numbers set in Download Station.
Feel free to suggest any adjustment that would avoid a potential security risk.

Can't Open Port 80 - #11 by vgaetera
