I have a Synology DS920+ NAS with 2 LAN ports. I have a Ubiquiti Dream Machine (UDM) running the UniFi Network along with a UniFi managed switch. This is my home network setup.
Using the great tutorials offered by Lawrence Tech Services, I have set up a main LAN and 3 additional VLANs. One VLAN is for IoT devices (cell phones, tablets, game systems, Chromecasts, etc.), one is for guests, and the other is for security cameras. I use Synology’s Surveillance Station and all my cameras run on Ethernet back to a UniFi managed switch for now. Wireless cameras may be added in the future.
Here’s my problem and where I’m asking for help. I have 2 LAN ports on my NAS with 3 LANs that need access to it: Main, IoT, and cameras. I have set up Synology firewalls to only allow access to the Synology DSM via the main LAN, while the other port on the NAS is set up on the VLAN with IoT devices so other Synology services can be accessed (Plex, for instance). Is there a way for me to maintain my cameras on the 3rd VLAN and give them access to the NAS for use with Surveillance Station?
You can do this with your router/firewall rules. Allow the camera network to have access to the specific IP address on either the LAN or IoT network used by the Synology. What router are you using?
However, if it’s on a different network to your NAS, it has to go via your router; that may or may not make a difference in performance depending on what you are doing. Though it’s better to keep it on the same network.
Don’t think you need a firewall on your NAS, but it doesn’t do any harm as long as you understand your rules.
Personally I wouldn’t bother with the LAN. I would keep everything on VLANs, then use the LAN as an emergency option to get to your router. Then your network is much more flexible if you start adding more switches around the house.
By the way, if your IoT can see your NAS, then it can see your NAS! If your IoT is untrusted then you probably don’t want to allow it access to your NAS. If you want to access your movies, then I would probably switch the end devices between VLANs (not great) or have devices that access your NAS only via Main.
Thank you neogrid. I use the firewall rules on the NAS to disallow any clients on the IoT VLAN from accessing other areas of the NAS. The IoT VLAN can only access Plex currently. Synology firewall blocks any traffic on the IoT VLAN from accessing DSM or other critical services. Only the Main LAN can access the DSM and other important data.
Thanks Tom. I’ve followed the firewall rules setup tutorial for the NAS; I’m just one LAN short, I guess. Sounds like I’ll need to follow jeff3820’s recommendation of allowing the camera VLAN onto the IoT VLAN in order to access the NAS. Then I’ll allow LAN 2 on the NAS to access Surveillance Station using the firewall rules on the NAS.
I was trying to keep the cameras themselves off the internet completely. It might just be easier to move the cameras to the IoT VLAN and block each camera from accessing the WAN and get rid of the camera VLAN. Just thinking out loud here.
Or just use firewall rules to block any device on the camera network from accessing the internet. A rule on the camera network blocking the gateway address will do that, and if you have a rule ABOVE the gateway block rule with a hole to the Synology on the IoT network, then mission accomplished.
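The rule ordering described in the reply above, sketched as an added example that is not part of the thread and is not UniFi's own rule engine: a first-match evaluator showing why the allow rule for the NAS has to sit above the block rule. The addresses and rule names are constructed, the block rule is modelled as a drop from the camera network to any destination (an assumption), and so is the default-accept policy.

```python
import ipaddress

# Constructed addressing for illustration; none of these values come from the thread.
CAMERA_NET = "10.0.30.0/24"   # camera VLAN
NAS_IOT_IP = "10.0.20.10/32"  # NAS port that sits on the IoT VLAN
ANY = "0.0.0.0/0"

# Rule tuple: (name, action, source network, destination network)
ALLOW_NAS = ("allow-cam-to-nas", "accept", CAMERA_NET, NAS_IOT_IP)
BLOCK_OUT = ("block-cam-out", "drop", CAMERA_NET, ANY)  # assumed form of the block rule

GOOD_ORDER = [ALLOW_NAS, BLOCK_OUT]  # hole to the NAS above the block
BAD_ORDER = [BLOCK_OUT, ALLOW_NAS]   # block first: the hole is never reached


def evaluate(rules, src, dst, default="accept"):
    """First-match evaluation: return (action, name) of the first rule that matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action, name
    return default, "default"


def shadowed(rules):
    """Names of rules that can never match because an earlier rule fully covers them."""
    dead = []
    for i, (name, _, src, dst) in enumerate(rules):
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        for _, _, psrc, pdst in rules[:i]:
            if s.subnet_of(ipaddress.ip_network(psrc)) and d.subnet_of(ipaddress.ip_network(pdst)):
                dead.append(name)
                break
    return dead


if __name__ == "__main__":
    camera = "10.0.30.21"      # constructed camera address
    outside = "203.0.113.5"    # documentation-range address standing in for the internet
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label)
        print("  camera -> NAS     :", evaluate(rules, camera, "10.0.20.10"))
        print("  camera -> internet:", evaluate(rules, camera, outside))
        print("  shadowed rules    :", shadowed(rules))
```

Running `shadowed()` over an exported rule list is a quick way to catch an allow rule that was added below a broader block and therefore never takes effect.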
Ok, so if I understand this correctly the issue seems to be that your NAS only has 2 NICs, but you want to connect it to 3 networks. I don’t have a Synology NAS, but from what Google tells me they support VLAN. So regardless of the number of NICs, you can have your NAS connected to as many networks as you like. If both NICs are at GbE speed, you can team them (if Synology supports that) and then you have a virtual link between your NAS and your switch with a capacity of 2 Gbit/s which is shared among however many networks (VLANs) you like.
Thanks paolo. Synology does seem to have VLAN capability, but in my search of the interwebs I can’t find clear instructions on how to set it up. I’m a noob to networking and learn by doing. I included a picture of the LAN Edit screen in Synology DSM for reference. I’ll try playing around with enabling VLAN and see if I can sync everything up.
I spun up a demo DSM (props to Synology for that option), but it seems the software is more restricted than I imagined it to be. Usually I would expect an option to add a network interface, where you can then assign the parent and VLAN ID. But I didn’t find such an option. Shame. So apparently you can only configure one VLAN per NIC.