So - I have switched to an FTTH connection and now I can't access my Synology NAS using its DDNS address from either inside or outside my home network. Inside my home network I can access it via its internal IP address, but it irritates me as it gives security errors due to the cert being issued to the DDNS domain.
I rang the ISP and they tell me I need a static IP address to be able to have external access to my own network as they do not have IPV6 configured. The static IP address is an additional £5 per month.
Now, I can configure port forwarders on my router app (eero) but they don't make any difference so I am thinking that there needs to be some NAT type stuff configured by the ISP and that will require me to have a static IP which is why they say that.
My problem is that I don't think I should have to pay for this as if they had IPV6 configured then it would work.
It worked fine (and still does as I have both connections available at the moment) on my BT account with no need for me to pay for a static IP.
Any thoughts?
Am I missing something?
PlusNet is / was £5 one off, not £5 a month so double check the offer as it’s easy to assume a monthly cost.
Which link in the DDNS registration chain is failing? Something somewhere isn’t propagating the registration.
Are you using DSM 7?
Externally I use my quick connect ID.
But for extra security I would enable two factor authentication and on log on tell it to trust your devices.
https://kb.synology.com/en-in/DSM/help/DSM/SecureSignIn/2factor_authentication?version=7
The DDNS registration is not the issue as it works fine on my BT network.
My guess is that because I have a WAN IP which is different to my external IP, the ISP needs to make a NAT rule/route between the external IP and my WAN IP.
My external IP is 154.xxx.xxx.xxx and my WAN IP is 100.xxx.xxx.xxx and my internal network is on a 192.168.4.0/22. My DDNS registration points at the 154 address and I can ping it from my internal network (if I ping the domain it resolves to the correct IP address). What I can't do is access it via the DDNS URL either internally or externally.
On my BT hub I opened up ports 5000 and 5001, which allowed it to work, but my BT hub was using the same address as the DDNS registration. Now I have a different WAN IP, which is the 100 address, but I'm guessing that there needs to be a rule that sends the inbound traffic from the 154 address to my 100 address, which obviously will break if the address changes, hence the requirement for a static one. Does that sound right/make sense?
PlusNet is / was £5 one off,
Yep, just paid for that last week......
My guess is that your ISP is using CGNAT. The shortage of IPv4 numbers means they put up to 254 subscribers on one subnet; you effectively have two IP addresses between your router and the internet. Your DDNS is trying to connect to your router's IP, but that's actually a private IP behind the CGNAT.
IPv6 makes CGNAT unnecessary. If you pay for a static IP it will be allocated direct to your router.
Is the issue a cert/SSL/TLS problem or a connectivity/plumbing problem? If you click through the cert warnings do you get connected to the NAS?
What @greybeard said sounds most plausible. My fibre modem has a WAN IP address that is different to my external address (as per above post) so I need to either get the external address assigned to my fibre router in place of the WAN address or get the traffic forwarded. I don't want to have to pay extra for it though as I should be able to access my home network externally if I want to (although a one off £5 would be OK but the chap on the phone definitely said £5 per month).
It's not an SSL issue @scuttler. The SSL is set up correctly for the DDNS address and it works fine. The irritating bit is that I can only access the NAS by using its internal IP address, and that gives certificate errors because the cert isn't registered to the IP address. I can click through (proceed to unsafe website etc etc) and get logged on, but that's not what I want. Like I said, it all works perfectly when plugged into my BT router.
Utilise one of the free dynamic dns services? It is how I got around not having a static IP address. Although to be clear it is a bit of a faff and I only needed it for a specific shortish time period.
Go with Zen, they give you a static IP by default 😏
Does your Synology quickconnectID not work? It's not much faff and you can then use the same ID from inside or outside your network and it works out the best IP address to use.
Go with Zen, they give you a static IP by default 😏
And you pay for that with the higher prices. I honestly don't understand why some people have a hard-on for zen.
The ISP that is, not the ancient philosophy.
They are just another ISP.
I can’t get zen anyway.
Yes, the quick connect ID does work; the DDNS lets me publish a photo sharing site for my family to access, with different folders for different users, which is why I like it. Not sure if the quick connect will do that. They would have to log on to the NAS and then launch the Photo app, wouldn’t they (?), which is not as neat.
If what @greybeard says is correct then a dynamic DNS service wouldn’t help. The traffic isn’t getting to my internal network; the DNS name resolves to the correct external IP, it’s just that it’s not the address of my router!
I’m not on FTTH but I also paid a £5 one off fee to Plusnet (maybe around 2 years ago).
Yes, I had a free dynamic DNS, it worked with my Broadband ISP, but the Openreach drop wire to the house runs through a tree (long story, nobody will fix it and no cable available) so I bought a 4g cell modem as backup, which was fine until I tried accessing from outside.
Before I knew about CGNAT, I discovered that checkip.amazonaws.com returned my router's IP in the CGNAT subnet, while myexternalip.com/raw returned the public IP of the subnet, and I rewrote the DDNS app to use the public IP - which didn't work, because there was no way to identify the private IP.
I mention that because if you try those two URLs and get different IPs it will (I think) confirm that the issue is CGNAT.
Also, I've just moved onto Gfast, which has a separate modem in front of my router, and I'm not having that problem.
And you pay for that with the higher prices. I honestly don’t understand why some people have a hard-on for zen.
The ISP that is, not the ancient philosophy.
They are just another ISP.
Because some people value quality of service over price?
Because some folk would rather support a business who keeps call centres in the UK?
Because some folk value the way they resolve issues rather than read scripts?
Anyway OP, who is your ISP?
@greybeard So both of those IP checkers return the same IP which is my external IP address. I have a separate fibre modem in front of my router and the fibre modem has the WAN IP.
tracert from my PC to the external IP shows hop to my router gateway IP (192.168.4.1), next to my modem WAN IP (100.xxx.xxx.xxx) and then a few hops on a 172 network before ending up at my external IP.
I reckon it's more than likely an issue that the traffic doesn't reach my modem. So either a static IP on my modem and some NAT config on their routers will work or, as you say, they give my modem the external IP (not sure if they can do this though, as my modem is clearly on their WAN so the external IP might be shared).
I'm going to ring them again today and ask some more questions based on what you suggest regarding CGNAT...
EDIT - My ISP is YouFibre btw.
Do you only care about the cert errors from inside your network? If so, I don't suppose you can issue yourself one and include the internal IP as a SAN entry? I'm guessing the current one is self-signed and you can't re-issue + amend that from within the Synology box, so you'd have to use something like OpenSSL to create a replacement.
@oceanskipper - their support shows they use CGNAT, but has these instructions for port forwarding: https://www.youfibre.com/support/articles/how-do-i-set-up-port-forwarding
Alternatively, you might be able to configure manual DNS entries on your router (or setup your own internal DNS server like pihole) and then manually set your DDNS entry to point at the internal IP of your NAS. This will solve the certificate issue, but not the external access for your photo site.
@fuzzywuzzy - it’s a cert generated by the NAS using Let's Encrypt or similar and it’s registered to the *.synology.me domain name I registered when I set it up. Issuing another one won’t help as the external traffic isn’t even getting there (I could probably sort out the internal errors with a new cert though).
@tomnavman I have tried the port forwarding but it has no effect on the DDNS (although it does work for Plex, oddly enough). Interesting that CGNAT is definitely in use though, thanks for that. 👍
@oceanskipper what IP do you get when you put your DDNS entry into https://www.whatsmydns.net/ ?
There are 2 separate parts here - the DDNS and then the port forwarding. If it's working for Plex, then it must be possible!
So I get the external IP returned using that tool. Which is the same IP that shows up in the DDNS config on the NAS. It’s odd that the Plex works but that’s an App rather than browser. I wonder if the Synology ports 5000 and 5001 are blocked at their end…🤷♂️
I don't think you can fix this if CGNAT is in use ... which based on the link above it is. I'd never heard of this, but I do know how NAT works in general.
The 100. address is in a private range (no different to 192. really, anyone could be using them), and actually created for CGNAT, so it confirms its use: https://en.wikipedia.org/wiki/Reserved_IP_addresses. It will only be routable to you once it's in your ISP's network, not from the internet.
The other address that you've found is the address which is routable from the internet, but it's shared with other people and translated back to your 100. address using a (different) port mapping. As you state somewhere, *if* you could reserve one of the incoming ports to route uniquely to your 100. address, and then added your own port forward at home to route to your 192. address, then it would work. It seems unlikely to me that your ISP would or could allow you to do this. If nothing else, you would have to be the first to do it, as no one else in your 100. subnet would then be able to forward that port.
(btw, it's possible to get a random port which routes directly into your network by taking advantage of the way NAT works, which is how some apps can be made to work, but the port mapping is transient: https://en.wikipedia.org/wiki/UDP_hole_punching).
That link to configure port forwarding is really odd, it can never work surely? It seems to be specific Eero kit, which is presumably what they give you for your house, so you're still stuck as you can't get external traffic to your 100. address. It is remotely possible I suppose that the app also does the port mapping higher up, but seems really unlikely to me.
TLDR, I think you need a static IP or an ISP that doesn't use CGNAT.
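A small checker that encodes the diagnosis in the post above and the checkip.amazonaws.com vs myexternalip.com comparison suggested earlier in the thread, added here as an example rather than anything posted by the participants. It assumes the three addresses have already been collected; the values below are constructed stand-ins for the masked 100.xxx and 154.xxx addresses in the thread.

```python
import ipaddress

# Constructed sample values standing in for the thread's masked addresses:
# the modem/router WAN address (100.xxx.xxx.xxx) and the address that both
# "what is my IP" sites and the DDNS record report (154.xxx.xxx.xxx).
SAMPLE_WAN_IP = "100.64.12.34"    # constructed, RFC 6598 shared space
SAMPLE_PUBLIC_IP = "203.0.113.7"  # constructed, TEST-NET-3 stand-in
SAMPLE_DDNS_IP = "203.0.113.7"    # constructed, what the DDNS name resolves to

CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, used by CGNAT
RFC1918_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr: str) -> str:
    """Label an IPv4 address by the NAT role it implies."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_RANGE:
        return "cgnat-shared"
    if any(ip in net for net in RFC1918_RANGES):
        return "rfc1918-private"
    if ip.is_loopback or ip.is_link_local:
        return "local-only"
    return "public"

def diagnose(wan_ip: str, public_ip: str, ddns_ip: str) -> dict:
    """Decide whether a port forward on the home router alone can make an
    inbound connection to the DDNS name reach the LAN."""
    wan_kind = classify(wan_ip)
    behind_cgnat = wan_kind == "cgnat-shared"
    # An RFC 1918 WAN address (not ISP shared space) means a NAT device of
    # your own sits upstream, e.g. a modem left in router mode.
    double_nat = wan_kind == "rfc1918-private"
    ddns_ok = ipaddress.ip_address(ddns_ip) == ipaddress.ip_address(public_ip)
    # Inbound traffic reaches the router only if it owns the public address.
    reachable = (wan_kind == "public" and
                 ipaddress.ip_address(wan_ip) == ipaddress.ip_address(public_ip))
    if behind_cgnat:
        advice = ("ISP CGNAT: router port forwards cannot help; options are a "
                  "static public IP, IPv6, a relay such as QuickConnect, or an "
                  "outbound VPN/overlay")
    elif double_nat:
        advice = "double NAT: forward the port on the upstream device as well"
    elif reachable:
        advice = "router holds the public IP: a normal port forward suffices"
    else:
        advice = "WAN and public IP differ: check the upstream device"
    return {"wan_kind": wan_kind, "behind_cgnat": behind_cgnat,
            "double_nat": double_nat, "ddns_matches_public": ddns_ok,
            "port_forward_sufficient": reachable, "advice": advice}

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_WAN_IP, SAMPLE_PUBLIC_IP, SAMPLE_DDNS_IP).items():
        print(f"{key}: {value}")
```

Feed it the real addresses (router WAN page, a "what is my IP" site, and a DNS lookup of the DDNS name) to get the same verdict the thread reached by hand; after the static IP in the final post, WAN and public address coincide and the result flips to "port forward suffices".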
I'm at the limit of my technical knowledge here, so apologies if my terminology is a bit off. You have two layers of NAT, your own subnet and the CGNAT. When your html browser calls for a download, the outgoing packets record the route and the returned packets follow it using the ports opened for them. The routers know they are sending traffic your system has requested so there's no security issue. I don't use Plex but maybe it's a similar process. Packets initiated from outside won't have that routing information, and if they did, there's no knowing where they've come from and it would be a security breach.
Port forwarding on your router gets round that for your subnet. You'd need to set up port forwarding for the ISP's CGNAT for your DDNS to work, and that's not feasible. On your own router, you forward one type of traffic to a specific device; if they forwarded all the traffic on whatever port your NAS uses to you, you'd end up with all that traffic for everybody on the CGNAT subnet.
The ISP will have a limited number of public IPs available. They will either be allocated to an individual user, or to a CGNAT subnet. If you pay for a static IP, they'll allocate one of those IPs to you, separately from the CGNAT IPs.
The Plex thing is most odd. If I open 32400 using the eero app the Plex App can see my library stored on the NAS and if I disable that port forward rule on the eero app, it stops immediately and vice-versa. Applying the same principle with 5000 and 5001 doesn’t make any difference. The CGNAT use would explain why (as per above) but that doesn’t explain why Plex DOES work….
EDIT I’ve also tried using my external IP xxx.xxx.xxx.xxx:5001 typed into the browser but still no cigar!
The other odd thing is if I ping the DDNS registered subdomain I get a reply.
Dynamic DNS is a kludge around not having a static IP, and as you say tends to break with carrier-grade NAT. If you've had CGNAT enforced upon you, then either switch provider to one that doesn't use CGNAT, or pay for a static IP and avoid the Dynamic DNS thing entirely.
FWIW my rule of thumb is that if an ISP can't do IPv6 in 2022, avoid them.
I had to look at ways round this CGNAT challenge some time back for a friend and came across folk using free AWS/Google servers as VPN devices to create site-to-site VPNs and allow access to their home network.
I decided this was far too clunky / fraught with ongoing FOC support issues for a mate's solution, but these posts might give you some insight:
https://superuser.com/questions/1579924/site-to-site-vpn-with-cgnat
https://hardforum.com/threads/how-to-bypass-cgnat-using-a-vpn-to-access-my-web-server.2014654/
Not sure if the quick connect will do that
I think it does. I use it for our comms team and they have to log in, but the login is direct to the photostation, not to the NAS. I've got a standard domain name (photostation.leffboy.com) that redirects to the more complicated quickconnect one but that's it.
Another possibility is to open an account with an external host (I use Krystal) and put anything you want to be accessible on there. Hosting on a consumer broadband IP is getting increasingly difficult, as most spam comes from such IPs (usually hijacked) and some ISPs block ports.
I can't help but think that this seems like an awful lot of faff to punch a hole into your internal network so your family can look at your photos, when cloud services are readily available. Where are you backing up to?
Possibly, but punching a hole in a firewall SHOULD be simple!
Cloud services are available, but I also have the NAS folders mapped to my PC so when I want to add photos I simply drag and drop, takes seconds as the photo upload is configured to drop them straight in the correct folder when I plug the camera in and click import.
Also it’s not just photos, it’s videos too and Synology has Apps that mean you don’t have to use the browser.
It wasn’t a faff at all until it stopped working! I wanted to understand why though, and if it turns out it is too much of a faff to re-enable it then I’ll look at alternatives.
If you are a business customer it looks like you get a static IP, not sure if there is a price difference but might be worth a look?
punching a hole in a firewall SHOULD be simple
But the firewall is not the problem. The problem is that (inadvertently, and I sympathise) you've contracted with an ISP that doesn't support IPv6 and has had to use CGNAT as a workaround, which isn't suitable for hosting. There might be a VPN solution, but it's likely to get complicated.
I've just checked and I have photostore.leffeboy.com do a webredirect to our quickconnect address which is leffeboy.quickconnect.to/https_first/photo
That takes people straight to the photo station on our NAS. Given you already have your QuickconnectID working it might be worth checking if that is all you need to do.
Yes I realise that @greybeard thanks to all the useful info above - never knew anything about CGNAT before yesterday. If nothing else I know a bit more about ISP configurations and IPv6!
So YouFibre say they are working on an IPv6 solution and I am yet to discover if a static IP will make it work but I'm not about to configure a VPN or other such complicated workaround just for some photo/video hosting. It was a neat solution when I had it setup previously and it would have been great if it was a simple fix but it doesn't look that way (unless them giving me a static IP does in fact help - I'm tempted to try it just to find out actually).
I'm grateful for all the info provided though folks.
@leffeboy - that sounds like it would definitely work assuming I can get straight to the PhotoStation URL. I'll check it out. Thanks - EDIT Yup I can direct access to the photo site by using quickconnect.to/nas/photo
I can't help with the certs issue, but if you want remote access I use https://tailscale.com/. It's a simple VPN and there is also a client for Synology. It's really easy to get set up and use.
I’ve got far too many clients for a VPN like that unfortunately, cameras, games consoles, smart devices etc.
I’ve got a solution by way of the Synology quick connect option now thanks to the helpful info above but I’m still interested to know if a static IP will resolve the original issue as I don’t think it will unless the ISP gives me my own external IP rather than a CGNAT private one…. For a fiver I might test it. Still waiting to hear back from them atm….
Update - so a static IP has resolved it. My WAN IP address is now the same as my external IP too.
