Unable to open port

I am trying to get my Synology NAS (Drive app) working. It uses port 10003 by default, but no matter what I do, I can't get any ports to open beyond the one I already have working.

I have the admin panel port open (it uses 5001), and I've confirmed the port forwarding works: when I disable the forward the port shows as closed, and when I re-enable it the port shows as open.

But when I try to open another port, it's just not working. I've tried opening different port numbers but nothing works.

Why is one set of ports open and working fine, while any other port I try to open doesn't work? I even tried port 5002 by extending the first rule (the one that works) to cover 5000-5002: 5001 still works, but 5002 doesn't!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

ubus call system board:

{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}

cat /etc/config/network

# /etc/config/network as posted: loopback, one LAN bridge, and a DHCP/DHCPv6 WAN.
# Loopback interface with the usual 127.0.0.1/8 address.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 unique-local (ULA) prefix; not a public address, so it was left unredacted.
config globals 'globals'
        option ula_prefix 'fdd3:26e1:7cee::/48'

# Bridge device joining the four LAN switch ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# LAN interface on the bridge. The /22 mask makes the LAN 192.168.8.0-192.168.11.255,
# which contains the NAS address 192.168.8.110 used by the firewall redirects.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.8.1/22'
        option ipv6 'on'

# IPv4 uplink: address obtained by DHCP on the 'wan' device.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option ipv6 'on'

# IPv6 uplink on the same physical device, configured by DHCPv6.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

cat /etc/config/firewall

# Global policy: reject inbound and forwarded traffic unless a zone, rule or
# redirect allows it; traffic originating on the router itself is accepted.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        # Software flow offloading is enabled.
        option flow_offloading '1'

# LAN zone: fully trusted (input, output and intra-zone forwarding accepted).
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# WAN zone covers both the IPv4 and IPv6 uplinks. Input and forward are
# REJECT, so traffic from the internet reaches the router or a LAN host only
# through an explicit 'rule' or 'redirect' section.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # masq = source NAT for traffic leaving via this zone; mtu_fix = MSS clamping.
        option masq '1'
        option mtu_fix '1'

# Allow LAN hosts to initiate connections towards the WAN.
config forwarding
        option src 'lan'
        option dest 'wan'

# Rules below each accept one narrow class of traffic arriving from the wan zone.
# Rules without 'option dest' apply to traffic addressed to the router itself;
# rules with 'option dest' apply to traffic forwarded through it.

# DHCP client replies (UDP 68, IPv4) so the WAN lease can be renewed.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 echo requests (ping) from the WAN.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# IGMP (IPv4 multicast group management) from the WAN.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 client replies (UDP 546, IPv6).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery: ICMPv6 types 130, 131, 132 and 143, accepted
# only from link-local sources (fe80::/10).
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 control messages addressed to the router, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 error/echo messages forwarded from the WAN to any zone (dest '*'),
# with the same 1000/sec rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec ESP forwarded from the WAN into the lan zone.
# NOTE(review): there is no dest_ip, so this matches every lan host; if no
# IPsec endpoint sits behind the router this rule can be removed - confirm.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# IKE/ISAKMP (UDP 500) forwarded from the WAN into the lan zone.
# NOTE(review): same scope as the ESP rule above it - no dest_ip, whole lan zone.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Port forward (DNAT): TCP ports 5000-5001 arriving on the WAN are sent to the
# same ports on 192.168.8.110. The thread identifies 5001 as the NAS admin
# panel and confirms it is reachable from the internet.
# NOTE(review): there is no 'option src_ip', so any internet source address
# matches. For an admin interface, consider restricting the source addresses
# or reaching it over a VPN instead of a public forward.
# NOTE(review): port 5000 is forwarded as well; the thread only mentions 5001 -
# confirm 5000 is actually needed from outside.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Synology5000-5001'
        list proto 'tcp'
        option src 'wan'
        option src_dport '5000-5001'
        option dest_ip '192.168.8.110'
        option dest_port '5000-5001'

# Port forward (DNAT): WAN port 10003 to 192.168.8.110:10003.
# No 'proto' is set here, so the firewall's default for redirects (TCP and UDP)
# applies; the poster later states the service is TCP only, so adding
# "list proto 'tcp'" as in the first redirect would narrow the exposure.
# Per the thread's conclusion, this forward was not the fault: the external
# port test reported "closed" because nothing answered on 192.168.8.110:10003.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SynologyDrive'
        option src 'wan'
        option src_dport '10003'
        option dest_ip '192.168.8.110'
        option dest_port '10003'

Is this rule supposed to apply to TCP or UDP (or both)?

Have you verified that the NAS is listening for connections on port 10003 when testing from inside your network (i.e. on the lan)?

How have you tested from the outside?

I checked, it's just TCP, I disabled UDP, didn't make a difference.

And yes it is listening, here's a SS:

I have tested it from outside, and using this: https://www.yougetsignal.com/tools/open-ports/

Port 5001 works fine, but 10003 doesn't. The alias ####.synology.me/drive works, but it's using 5001.

Showing your settings is not the same as verifying that the device is actually listening on those ports. What is the service that should be listening on that port? How would you connect to it normally? It looks like it is a web interface via https, right?

If you connect to

https://192.168.8.110:10003

Does it work?


The service is running, because the alias mode works, i.e. https://####.synology.me/drive

The other one using a custom port is just another method to access it. The direct port and alias just tell the NAS what service you're trying to access.

But now that you mention it, I didn't try using the internal IP and port, of course it doesn't work. There's not much really to configure, if you set the port, it's just supposed to work.

I pretty much have my answer, but just to confirm: I can open/forward the port, but if the thing on the other end isn't listening, the port will still show up as closed, right?

Correct. There is nothing to answer the port probe.

I haven't dealt with a lot of port-based networking; I'm new to it. I didn't think to try the internal IP. Thanks for the help!

You’re welcome. Glad I was able to help.
