Can NAS device access the Internet without my permission?

I’m new to NAS and have joined these forums in hopes of understanding what—to me—is a very disturbing aspect of my NAS device’s operation. Here’s my situation:

I set up my new Synology DS218 as a shared storage device on my home LAN … and disabled every setting I could see that would allow it to communicate with the outside (of my LAN) world. I thought it was “secured … locked down … private” … however you want to describe that.

But lo and behold, the first time I logged onto the DS218 from my browser (using the static IP I had entered) and viewed the help pages, the device apparently went to the Internet and downloaded content from some website. Just to be clear, it did not redirect my browser to a Synology webpage or anything like that. The browser URL pointed to the static IP address the entire time. I immediately changed the help source to local.

Upon going to the Synology site to investigate, I happened upon this line from their release note for DSM v7.0:
“Added the ability to automatically install important DSM and package updates.”

Is this possible? IOW, do I now have a rogue Linux PC communicating through my LAN and broadband to the Internet? I certainly don’t want that. Is there a way to prevent—in a wholesale manner—ANY such communications?

Can someone help me understand what I’m seeing and concluding? … or point me to some relevant documentation?

Thanks in advance for any help.

If the network it’s on has an internet connection it can get out. Also Synology has a feature called QuickConnect that can also provide outside access to the NAS.
If you want it locked down and still locally available do it via your firewall by blocking all traffic to non internal IPs.

Thanks for your response.

Yes, I know about QuickConnect … and have disabled every aspect of it that I can find.

Regarding ways to block outbound IP traffic, each PC on my LAN runs the standard Windows firewall. But the DS218 has a firewall as well (It is not enabled. Should it be?) And, of course, my broadband connection is supposed to have a firewall function in the router.

So, how do I go about blocking the NAS from communicating? (I’ll mention that I’ve run a scan from a highly-regarded security site, and that scan shows “no ports exposed”.)

I don’t believe it will let you fully do that from its internal firewall. You’ll likely need to look at your router’s firewall to stop it from leaving your network.

It’s not ideal but you could manually set the NAS network’s dns address to an internal IP that doesn’t exist. If the services depend on a DNS lookup this would break that communication path.

If you are concerned that your NAS is dialling out, you can put it on its own LAN, then block WAN access, but allow other LANs to access the NAS LAN. Obviously you’ll need to manually download firmware updates. To do this you only need a second router.

Normally you would do this via your network firewall by creating rules that block outbound access. Another simple option would be to statically assign the IP address of the Synology and not give it a gateway, which will stop all routing.

Yes, that sounds like what I should do. And, indeed, I found the same suggestion at the end of a thread (over on reddit?). Oddly—to me—this subject isn’t talked about very much. I thought isolating the NAS would be a top-level setup option.

This is one that I can’t quite understand. The DSM version I downloaded is V6.2 … which I understand has been around for 3 years and is probably as stable as NAS software gets. My NAS uses don’t involve any synchronization, automated backups, 3rd-party software or access from the internet. I don’t see why I want anything to “improve”.

Thanks for the responses.

I keep my Synology online and connected because I want to keep the system up to date with all the apps I use on it. This is why most people don’t block it from going online.

I can understand that. Indeed, it’s exactly why MSFT takes the position they do for the operating system: “updates are mandatory”.

But my situation is the opposite. And my need is simple: prevent all communications by the NAS to the outside world.

(Granted, I can foresee the eventuality that a new storage device comes out that V6.2 doesn’t support. But, really, that’s a different issue … and one that I would expect to have to be involved in.)

In looking back over this thread, I want to clarify things into a single request:

Has anyone actually succeeded in blocking NAS communications in DSM version 6.2 … and, if so, what settings were used?

If no one has, I will attempt to remove the gateway setting, this week … and will report my results, of course.

Thanks, again, for the responses, thus far.

I’d consider it extremely unlikely Synology built a feature into their NAS to disable updates, so I’d say no.

Your options are:

  • If you don’t have VLANs, remove the gateway from the static IP configuration
  • Block the IP from WAN access on your firewall / router

Well, it worked. (At least, so far, so good.)

After declaring “Use Manual Configuration” (no IP assignment via DHCP) and setting a static IP address for the NAS on my LAN, I left the Default Gateway and DNS Server fields blank.

The NAS responds and communicates fine on my LAN. But the only ways I have found to confirm that it is not talking to the Internet are 1) the help source cannot be set to “Online” and 2) an attempt to use the Google Time Service fails. The only troubling aspect is that DSM reports that “your current version is up to date”. How does it know that?

Until some further development—if any—I will consider this a solved problem. (It does help that I found the “remove gateway” recommendation on 3 different forums.)

Thanks for the help in getting here.

If you do not have a default gateway the device cannot route outside of its layer 2 network, hence the VLAN statement in my comment. Without the gateway it’ll be stuck with layer 2, without layer 3+ it can never reach the internet.

Everything should work fine on your LAN, but if you were to add a VLAN or something like that you’d need to move to alternative means of denying it to the internet.

For what it’s worth, the firewall should be fairly robust and unless you enable the cloud connect features your NAS isn’t accessible from the internet. Short of holding state secrets or corporate intellectual property, these steps are extremely drastic.

You can also just SSH into the NAS and ping 1.1.1.1 or any other public IP address to verify no internet connectivity. It may be worth a brush up on some of the protocols and basic TCP/IP functionality if you have this much concern with the NAS.

Sounds good to me. Indeed, I hope it’s as simple as “no default gateway”. But I do worry that—in the A.I. sense—NAS devices might (someday, anyway) be able to learn their network environment. (Smartphones appear to be leading the way.)

Regarding access to/from the Internet, it’s clear that quite a few people are concerned about privacy. As a result, the features and steps to block remote access are well documented. What isn’t well documented is how to prevent the NAS from initiating transmissions. It’s a two-way street that I want to know is blocked.

Thanks for your comments and suggestions.

This is definitely the way to go. Another way to ensure that the device doesn’t get net access is to set a false gateway on the Synology device, essentially “blackholing” any traffic to an unused IP. So that clients can still find the device on the local network, set a static DNS entry for the device name and IP address.

Example

Internet connected router is 192.168.1.1

Synology has a static IP of 192.168.1.20 with the gateway set to 192.168.1.1 and has internet connectivity.

Change the gateway on the Synology to a fake, non-existent gateway: 192.168.1.77

Then on your DNS server set a static entry pointing to the Synology.
Forward DNS lookup would be (hostname of the Synology) = 192.168.1.20
Reverse DNS lookup or pointer (PTR) would be 192.168.1.20 = (hostname of the Synology)

All traffic originating from the Synology (i.e. attempted web access) has a short trip into oblivion, but clients on the local network can still find it and function normally.

I know enough about networking to almost follow your logic. But, overall, I don’t see a clear advantage over not assigning a gateway for the Synology to use. Are you suggesting that the Synology might resort to some other action if it detects a missing gateway? … and that a false gateway can keep that from happening?

Am I overthinking what you describe? Is it simply an equivalent (maybe speedier?) method? (I’ll mention that my browser doesn’t have any trouble finding the NAS at its static IP.)

Another way to look at your problem: if you are unsure what your NAS device is doing, and who knows what it will do once updates are applied, then it’s easier to place it on a VLAN where WAN access is denied. It’s basically what I’ve done with my IP cams; no chance of them dialing out.

Many things in IT have more than one way of getting the results you want; you are correct in not overthinking stuff. It’s just another way to block access, nothing more.

To simplify the explanations presented here:

  • Use firewall rules to block the Synology from accessing the internet
  • If you don’t have access to the firewall or understand how to configure firewall rules, you can set a false gateway to prevent the Synology from getting out to the internet

We are close … very close. Everything makes sense if I can just get that final point clarified:

Functionally, is there any difference between a false gateway and a null/blank gateway?

I can only think of two possibilities:
  1. A NAS would not accept a blank, and therefore a false IP would be the answer.
  2. For aesthetics, you might want a common false gateway to use across multiple devices.

Am I missing something?

I think you’ve got it; the result is the same, and yes, I have seen some devices restrict leaving configuration fields blank, so entering a false gateway gets around this issue. Also, for paranoid setups in enterprise environments I have seen legacy devices set to a false gateway IP address so there is never a question about something getting out on the net.
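To make the “blank gateway versus false gateway” comparison concrete, here is an added Python model (not code from this thread or from Synology) that does a longest-prefix route lookup over constructed `ip route` style tables using the addresses from the example earlier in the thread. The set of hosts that answer ARP on the LAN and the interface name `eth0` are assumptions.

```python
# Added example (not the thread's own code): a small route-lookup model showing why
# "no gateway" and "false gateway" both keep a LAN host off the Internet. Tables are
# constructed in the shape `ip route` prints on a Linux host such as DSM.
import ipaddress

def parse_routes(text):
    """Parse `ip route` style lines into (network, gateway or None, device)."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        target = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gateway = None
        if "via" in fields:
            gateway = ipaddress.ip_address(fields[fields.index("via") + 1])
        device = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(target, strict=False), gateway, device))
    return routes

def next_hop(routes, destination, lan_hosts):
    """Longest-prefix match. Returns "direct" (same subnet, delivered by ARP),
    "via <gw>" (a real router forwards it), "blackhole" (the gateway never answers
    ARP, so the packet dies on the LAN) or "unroutable" (no matching route).
    lan_hosts is the constructed set of addresses that actually answer ARP."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gateway, device in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, device)
    if best is None:
        return "unroutable"
    gateway = best[1]
    if gateway is None:
        return "direct"
    if gateway not in lan_hosts:
        return "blackhole"
    return f"via {gateway}"

# Constructed LAN from the thread: router .1, NAS .20, plus an assumed PC at .50.
LAN_HOSTS = {ipaddress.ip_address(f"192.168.1.{h}") for h in (1, 20, 50)}
LAN_ROUTE = "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20"
NORMAL = "default via 192.168.1.1 dev eth0\n" + LAN_ROUTE
NO_GATEWAY = LAN_ROUTE                                              # gateway left blank
FALSE_GATEWAY = "default via 192.168.1.77 dev eth0\n" + LAN_ROUTE  # .77 does not exist

def reachability(table):
    """Where the NAS's packets go for a LAN peer and for a public address."""
    routes = parse_routes(table)
    return {"lan_peer": next_hop(routes, "192.168.1.50", LAN_HOSTS),
            "public": next_hop(routes, "1.1.1.1", LAN_HOSTS)}

if __name__ == "__main__":
    for name, table in (("normal", NORMAL), ("no gateway", NO_GATEWAY), ("false gateway", FALSE_GATEWAY)):
        print(name, reachability(table))
```

Both the blank and the false gateway leave the LAN peer reachable while public addresses go nowhere; the only difference is whether the kernel reports “unroutable” or silently drops the packet waiting for an ARP reply that never comes. Note this models routing only: a firewall or VLAN rule on the router is what stops a device whose configuration could later be changed.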