Protecting my surveillance station

Hi, Everyone.

May I seek your advice on how I can further protect my Surveillance Station? Currently I have forwarded ports to allow users (me and my family when we are out of the house) to access my Surveillance Station from the Internet. Here is what I have and what configuration I have applied.

On my pfSense, I created a VLAN where the Surveillance Station is hosted. I have installed Suricata and assigned it to the VLAN interface where the Surveillance Station is hosted. I installed pfBlocker and am using GeoIP inbound blocking for countries that are different from mine.

On Synology, I disabled the administrator account and created another administrator account. I am using the HTTPS protocol to access my site. I enabled 2FA on all users, assigned different ports per application, and made sure I am using the most current DSM version (not using Beta).

Do you have any suggestions aside from configuring a VPN and accessing it behind the VPN? The reason is I am waiting for WireGuard to come back on pfSense, but that’s a different topic.

Thanks in advance for any suggestions.


Those steps are fine, not really anything more to do unless you add that VPN.

Good morning Tom. Thank you so much for the quick response. I appreciate your response :slight_smile:

While I have a QNAP, these NAS units do seem under constant attack. Opening it up to the internet seems like a pretty bad idea. Why wait for WireGuard? That’s a false economy. OpenVPN works well on pretty much any device. You have pfSense, so you have all you need.

If you have your NAS on an isolated VLAN it might be OK, it just depends on whether you want to deal with the aftermath of an attack :wink:

Synology has a better history of security than QNAP, but any time you open up something to the internet there is a risk. As long as you are aware of that risk then it’s yours to take.

Hi, Neogrid.

I was waiting for WireGuard because if it comes up within this year then it will save me time migrating my VPN configuration. That is the only reason I have. As long as I follow the best practices to mitigate the possibility of me getting breached, I think I will be safe for now.

Pays your money takes your pick :slight_smile:

I’m a fan of OpenVPN; it’s a great product and the implementation on pfSense is excellent.

Though I would add you might want to think about 2FA, but your users might be annoyed by that.

Are you pertaining to 2FA on Synology or on OpenVPN? If you are pertaining to my Synology, I have that enabled; I just forgot to indicate that in my initial post.

Actually, I meant for Synology access. (However, you can also use it for OpenVPN, though I do not, as having the cert and a 31 char password ought to be fairly secure, plus it’s fiddly on my crappy old Android phone, which is a risk in itself.) :slight_smile: