Synology Backup to Vlan

I’m pretty sure I have a routing issue, but I’m not very strong in that category. I currently have two Synology NAS’ on separate vlans. One is on the graphic design vlan (vlan 10) and the other on the production vlan (vlan 20). When configuring Hyper Backup they see each other if they are on the same vlan (obviously) and via a ddns with port 6281 port forwarded to the individual Synology. They do not see each other if I use the address in their respective vlan (192.168.10.50 -> 192.168.20.50). What routing or NAT rule do I need to set up to get this to work internally from their own vlan? Or does pfSense not pass any traffic to the internet knowing the ddns is pointing to the WAN address?

Thanks in advance for your help!

Do you have firewall rules on each VLAN to allow traffic? Do you have the correct gateway IP and subnet mask assigned to each NAS? Can you ping each NAS from the firewall?

“They do not see each other if I use the address in their respective vlan (192.168.10.50 -> 192.168.20.50).”

By design inter VLAN traffic / comm is prohibited.

From a disaster recovery POV I would have 1 of those NAS units offsite (assuming you don’t already have this in place).

I don’t think you’ll need any NAT rules, but rather some firewall rules to allow inter VLAN comm for those 2 devices. One concern here is if someone manages to spoof one of those IP’s / MAC addies…

I do not have any firewall rules prohibiting traffic to eliminate this as a potential problem. The firewall can ping both NAS and the gateway is set to the IP for the vlan.

I agree that offsite is best, but think I would be in the same boat with a site to site VPN, right?

  1. Disable firewall / whitelist the VLANs.

  2. IF 1) fails, then watch the firewall logs, with the firewall on & then off, and see what the log says when you try XYZ. Compare the results.

  3. IF you move both NAS’s to the same VLAN can they comm / can you complete your task successfully? Sometimes the utmost basics fail. Once had a Vista PC that could not ping 127.0.0.1 & other (weird) issues that I’m sure were related to this. I had to uninstall from IE(11?) down to IE 6 / 7 / whatever base IE install shipped with that Vista version. Then I had to manually install IE(11?), reboot & all was good with the world.

  4. “The firewall can ping both NAS and the gateway is set to the IP for the vlan.” - Which VLAN? What if you set the gateway to the actual gateway IP?

  1. Does not work with firewall disabled. Not sure how to whitelist a VLAN.

  2. Can you school me on how to monitor the firewall logs?

  3. If both NAS’s are on the same VLAN they can comm and complete my task.

  4. Synology will not allow the gateway IP to be in a different subnet.
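
On the firewall-log question above, an added example (not written by anyone in this thread): a small parser that pulls out only the entries between the two NAS addresses and shows which interface and rule handled them. It assumes the comma-separated IPv4 layout of pfSense's raw `filterlog` entries; the sample lines, the hostname `fw`, the interface names `igb1.10` / `igb1.20` and the rule and tracker numbers are all constructed.

```python
import csv
import re

NAS_A, NAS_B = "192.168.10.50", "192.168.20.50"  # addresses from the thread

# Constructed sample lines, not real logs. Interface names are assumptions.
SAMPLE_LOG = """\
Mar  4 10:15:01 fw filterlog: 4,,,1000000103,igb1.10,match,block,in,4,0x0,,64,4321,0,DF,6,tcp,60,192.168.10.50,192.168.20.50,51514,6281,0,S,100200300,,64240,,mss
Mar  4 10:15:02 fw filterlog: 4,,,1000000103,igb1.10,match,block,in,4,0x0,,64,4322,0,DF,17,udp,76,192.168.10.23,192.168.20.1,5353,53,56
Mar  4 10:15:07 fw filterlog[412]: 71,,,1700000001,igb1.20,match,pass,in,4,0x0,,64,977,0,DF,6,tcp,60,192.168.20.50,192.168.10.50,40112,6281,0,S,55667788,,64240,,mss
Mar  4 10:15:09 fw filterlog: 9,,,1000000105,igb0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1,ff02::1,
"""

PAYLOAD = re.compile(r"filterlog(?:\[\d+\])?: (.*)$")

def parse_filterlog(line):
    """Return a dict for an IPv4 filterlog entry, or None for anything else."""
    m = PAYLOAD.search(line)
    if not m:
        return None
    f = next(csv.reader([m.group(1)]))
    # Field 8 is the IP version; the IPv4 layout puts src/dst at 18/19.
    if len(f) < 20 or f[8] != "4":
        return None
    entry = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
             "dir": f[7], "proto": f[16], "src": f[18], "dst": f[19],
             "sport": None, "dport": None}
    if f[16] in ("tcp", "udp") and len(f) > 21:
        entry["sport"], entry["dport"] = int(f[20]), int(f[21])
    return entry

def nas_traffic(log_text, hosts=(NAS_A, NAS_B)):
    """Keep only entries where both endpoints are one of the two NAS units."""
    hits = []
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e and e["src"] in hosts and e["dst"] in hosts:
            hits.append(e)
    return hits

if __name__ == "__main__":
    for e in nas_traffic(SAMPLE_LOG):
        print(f'{e["action"]:5} {e["iface"]:8} {e["src"]}:{e["sport"]} -> '
              f'{e["dst"]}:{e["dport"]} rule={e["rule"]} tracker={e["tracker"]}')
```

In the pfSense GUI the same entries are listed under Status > System Logs > Firewall, and passed traffic only shows up when logging is enabled on the matching pass rule. If nothing at all appears for 192.168.10.50 -> 192.168.20.50 while a backup is attempted, the packets are not reaching the firewall's VLAN interface.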