Tom here from Lawrence Systems, and we're going to talk about how to configure and lock down your Synology NAS. Specifically, what this is about is that many Synology NASs have multiple interfaces. They can be used for things like LACP and link bonding and maybe even some redundancy, but the other really important use case of having more than one network interface on a NAS is so you can have each segment of the NAS belong to each network where the devices that are going to be talking to the NAS directly are set up. For example, if you had a series of cameras and you're running a Synology with Synology Surveillance Station set up, you would ideally put at least one of those interfaces in the same network and subnet as the cameras. But you're thinking, well, I like the camera subnet locked down without internet, and I want to be able to get to my Synology. Of course you could just punch a firewall rule to get through over there, but of course you also don't want the cameras, if something were to happen and somehow the cameras were taken over or someone was able to get on your camera network, to be able to get to the interface for DSM or the Synology Surveillance Station interface. This can all be controlled with a series of firewall rules. This way you can even have a segment where maybe it's on the same network as your devices that do things like casting media, so you want Plex to be able to talk to it, but not routing through the firewall. Routing things through the firewall creates some inefficiencies and sometimes just some barriers to getting them working properly. So this is all about configuring the network interfaces in different segments and then creating firewall rules so you can limit the level of access that those networks will have to it, and then creating a network where you want the access, or even an implicit rule where only you or only a specific IP has access to the Synology interface.
This is just a matter of tightening up security and practicing principles of least privilege. You just have to define that privilege implicitly inside a Synology. Before we get started in this video, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to support this channel in other ways, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel. Now let's start with our network topology and layout. Here's my computer at 192.168.3.9. Here's LAN 1 at 192.168.3.215, assigned to the LAN 1 interface of the Synology. This is 192.168.3.0/24. So this entire subnet I'm going to refer to as our trusted device network. These are the devices that I think are okay to be on the same network as the Synology, and I'm not worried about anything on this network trying to attack it or trying to get to the web interface. No problem. The network down here is our less trusted network. Now, I only did one just to keep it simple, but it could be a series of different networks. But for simplicity, whether this is a network where you have your streaming media devices like Chromecast, Sonos, or insert the name of your favorite streaming media device, your phones that you may want to also stream media on that is located on your Synology, and maybe some file sharing gaming systems, or it's your camera network that you want completely locked down, that is the less trusted network. And the firewall itself, in my case, I'm using pfSense, and I have a separate video on how to define pfSense firewall rules, but this is not about those rules. But I want to make clear nothing from here has access to this. This less trusted network does not have access to the trusted network because of the firewall rules at the firewall level.
Like I said, in my case, pfSense, but these devices are allowed, if needed, to get over to here. Now on to the configuration, because it's actually really easy to set this up. Right now we have LAN 1 and LAN 2, and they're set up, one on a static IP, one on DHCP. But as long as you understand what subnets they're in, and it matches just like the diagram. Now let's actually talk about the system I have over here, which is a Windows computer on the same 10.13.37 network. Right now everything's at default in the Synology. I have access to the web interface here. I can go and ping it at this address right here. So we'll go ahead and pull this up and hit ping. I'm able to talk to it. So I have full access, because that's the default of how Synology does this. There are no firewall rules on a Synology out of the box. Everything has to be configured implicitly. So once we have the IP addresses and the LANs set up, we go over here to Security, Firewall, Enable Firewall, and we can go ahead and apply. Now, the default rules are pretty simple. It allows all. So here's your All Interfaces, LAN 1, LAN 2, and the default rule in Synology for everything is allow. So that's not exactly what you want. So we're going to go ahead and manage firewall rules. You could add to the default, but for purposes of just doing things here, so I don't have to do anything like fix the default rules later, this is a YouTube demo. And now we can start creating rules. All Interfaces, I'm going to leave empty. LAN 1, I'm going to leave like this, allow access, because it's my trusted network, so it just has access to everything. I'm not going to create any lockdown rules on there. LAN 2. All right, let's start with this scenario of maybe I'm doing some file sharing, maybe I'm doing some media streaming, maybe I have Emby or Plex, and I want those interfaces accessible. But on the less trusted network, what I don't want accessible is the admin interface.
That way, you know, none of the kids' computers or whatever devices are over there, the people that you don't want even attempting to admin the machine, only have access to the other services that are running on our Synology. So we're going to go ahead and create. And we're going to create a block rule. So go here and select Applications. And we'll go Management UI. So that's actually 5000 and 5001, that's your DSM. You can block other things too if there are maybe other things you don't want them to have access to. Yeah, if you've got SSH enabled, maybe that as well. And any other services that you go, you know, I do have these other things enabled. But generally speaking, unless you've enabled SSH, which is not enabled by default, or you just have the management interface, which is enabled by default, you just check these boxes here and OK. So now we've decided those are the things we want to deny access to. Then we're going to leave it at that. So it's a deny. So Management UI, and done, those things are blocked. Now down here, if no rules are matched, allow. So the first rule is going to match things trying to hit that management interface. We're going to OK, close, the changes to the YouTube demo ones, apply. So now it's turned on to these rules. Go back over here. We're going to go ahead and ping it. I'm still able to talk to it. I'm still able to ping it. But let's go ahead and reload this management interface. It doesn't load. It's just going to sit here for a second, and it's going to fail, because we've now implicitly blocked the management interface on this network. And obviously, we know we haven't blocked it over here on my computer, because I'm still in here, I'm still able to get to it. Pretty simple how the rule system works: just go to each interface and then implicitly list or deny the different things that you want access to. Now, as I said, we can always make an exception. We'll even add another rule. So if we create another rule, specific IP.
So 10.13.37.10, hit OK. And we want to say all. And we put it above this. Right now it's below it. So we have to actually drag the rule up, put it above it, and all any other devices except this one IP address can't get to this. So hit OK again, reload the page again. And now it's able to get to it. But if any other system tries, it wouldn't work. Now the problem with doing this, of course, is if any other device knows what IPs have access, if you were to switch an IP address on this network, they'd be able to get to the interface. So we wouldn't really be that secure. So I really recommend having a separate management network where you do the management for the DSM, and set the rules up. Now, what about if this was for cameras? I wanted to cover that, because they're a little bit different when you do it for cameras, because it's actually simpler. Let me go over here to LAN 2, and we're going to delete these. So we'll go ahead and delete this and delete this. And the question would be, what rules do I need for cameras? Nothing at all. You can build a camera network. And if LAN 2 is a camera network, we can say deny access, hit OK. And it would actually work. And let me explain by showing you how my system at home is set up. As I referenced in my previous video, where I talked about my home firewall rules and literally showed you my home firewall rules, my camera LAN is 192.168.60.10. So if we go over here to Security, and we go to Firewall rules, and we're going to go ahead and edit the rules. And I left them just called Basic. If we go and switch over to that LAN 4, which is the camera, you'll see there are no rules. It's completely denied. And the reason this works is because the way Synology handles rules is these are all inbound rules coming into the Synology system. When you're doing something, and specifically we mentioned cameras, you're reaching out from the system and going to the cameras to log into them.
By doing that, you are creating the connection, sourced at the Synology, to the cameras, logging in, grabbing the camera data at the request of the Synology, streaming it back to the Synology. So if you're worried about your camera network, it is nice to keep it very narrowly locked down. But then my other networks, for example, my, if you want to call it, less trusted network, where all the devices and Chromecasts are, I've only denied the management interface, because no one on that network needs to try to manage my Synology. That is restricted to the LTS Tom, as I call it, or the trusted network that I have, which only has just my laptop in it. So if you're looking at a better way to lock it down, just take the time to learn the Synology firewall rules. They're rather simple to implement, and they can boost your security. And if you need to have remote access to your Synology, do that off of the trusted network as well. For example, if you were to do any port forwarding, because, just so you know, if, for example, I wanted to port forward, I wouldn't want to use the network where I've also denied anything coming in from that network. It's a little side note that may be really important when you're setting these things up. Secondly, if you're setting up a static IP in each of these networks, you don't need a gateway in each of these for it to broadcast on that network. The gateway's only needed if you need to go out to the internet via that interface. You can actually leave, for example, on the camera network or the untrusted network, you can omit the gateway, just put a static IP address to assign the Synology an IP address in that interface. And obviously, each interface is plugged in directly to wherever you have those ports on your network, whether it's a separate switch or a series of VLANs. It's out of scope to describe the physical layer of the network or where you're plugging these in.
But essentially, you're plugging them into however you've segmented up your network, whether you've segmented with a series of unmanaged switches that are completely separate, or you've created a more advanced network with a series of VLANs. It's all about what subnet it's in and restricting it to that. That's, like I said, a little out of scope for this video, but hopefully this is helpful and gives you a better understanding of how to better secure your Synology through the firewall rules built into the Synology. All right, thanks. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums. forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
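As an added illustration (my own example, not Synology's code or anything from the video), here is a small Python model of how the DSM firewall walks each interface's rule list top to bottom, first match wins, falling back to the interface's "if no rules are matched" action. It uses the addresses and the Management UI ports (5000/5001) from the walkthrough; the rule and interface names, and the camera host address used in the test, are constructed.

```python
"""Model of Synology DSM firewall evaluation: rules are per interface, checked
top to bottom, first match wins, otherwise the interface default applies.
This is an added example for illustration, not DSM's own implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

DSM_PORTS = {5000, 5001}   # the "Management UI" application entry in DSM
ALL_PORTS = None           # wildcard: rule matches any destination port


@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    ports: Optional[set] = ALL_PORTS   # None means all ports
    source: str = "0.0.0.0/0"          # source IP or subnet; default is any

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_source = ip_address(src_ip) in ip_network(self.source, strict=False)
        in_ports = self.ports is None or dst_port in self.ports
        return in_source and in_ports


@dataclass
class Interface:
    rules: list = field(default_factory=list)
    default: str = "allow"             # DSM's "if no rules are matched" setting

    def decide(self, src_ip: str, dst_port: int) -> str:
        for rule in self.rules:        # first matching rule wins, like the DSM list
            if rule.matches(src_ip, dst_port):
                return rule.action
        return self.default


# LAN 1: trusted network, no rules, default allow.
lan1 = Interface()

# LAN 2: less trusted network. The video first adds a deny for the management
# UI, then an allow for 10.13.37.10 that only works once it is dragged ABOVE
# the deny; both orderings are kept here so the difference can be checked.
deny_dsm = Rule("deny", DSM_PORTS)
allow_admin_host = Rule("allow", ALL_PORTS, "10.13.37.10")
lan2_wrong_order = Interface([deny_dsm, allow_admin_host])
lan2_right_order = Interface([allow_admin_host, deny_dsm])

# Camera LAN: no rules, default deny. Nothing inbound is needed because
# Surveillance Station opens the connections to the cameras itself.
camera_lan = Interface(default="deny")
```

The model only covers the inbound rule list; the stateful return traffic for connections the Synology itself opens (the camera case) is why a default-deny interface still works in practice.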