this post was submitted on 27 May 2024
25 points (93.1% liked)

Selfhosted

40201 readers
966 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hi everyone

I'm fighting with a network issue, where my synology nas doesn't accept any connection from outside it's subnet.

So, here's my setup:

  • Unifi Infrastructure with three separated subnets:

    • default: xxx.xxx.2.0/24 - no vlan - pool with all "safe" devices (notebooks, mobiles, servers etc.)
    • IoT: xxx.xxx.83.0/24 - vlan 83 - here are all the IoT devices, including nvidia shield, multiple chromecast music devices etc.)
    • guest: xxx.xxx.20.0/20 - vlan 20 - quarantined guest wlan
    • dns server are locally hosted at xxx.xxx.2.42 and 43
  • my I got a new NAS and i designated my old DS214play (running DSM 7.1.1-42962 Update 6) as a Mediaserver that gets to live in the IoT net:

    • changed the ip from xxx.xxx.2.50 to xxx.xxx.83.50
    • updated the gateway and subnet
    • added the vlan tag 83 on the network port
    • updated the firewall to allow all necessary ports from and to the default network (so I can stream plex to my notebooks etc.)
  • The Firewall on the NAS is not activated

Issue:

  • My NAS doesn't accept any outside connections after moving it to the IoT subnet, neither from my default network nor the internet.

What I tried:

  • allowed full access between LAN and IoT subnet for the NAS.
  • tried it with another port -> same issue
  • connected another device to this port (and setup the same firewall rules) -> this one works fine.
  • checked the unifi firewall logs --> requests get sent from the nas and answers from the other device
  • checked logs of other devices (DNS, NetCat etc.) --> they receive the requests outside of the subnet, and return their anser but the NAS seems to block/ignore any incoming packages.

What I didn't try:

  • setting the VLAN id under "Network Interface" > "LAN" > "Enable VLAN(802.1Q)" since, as far as I understand, the Unifi VLAN implementation terminates the VLAN tag at the port of the switch (and all other devices work without specifying it locally)
  • fully reset the NAS

I'm completely stuck how to solve the issue, so I have moved the NAS back to the default net, but some use cases are not working properly that way, so I'd really like to move it to the IoT subnet. Does anybody have (has?) any hints or knows of some obscure settings which need to be updated? I'd be really grateful for any pointers.

you are viewing a single comment's thread
view the rest of the comments
[–] tuhriel@discuss.tchncs.de 1 points 5 months ago

It’s normal for a switch to strip a vlan tag when it sends a packet out, so that the endpoint doesn’t have to support vlans. Don’t worry about that. As far as the endpoint is concerned, it’s just normal subnetting.

okay that's what I thought

When it’s on the other vlan, can you even ping it? When you check the packet capture, can you see the ping and response? Where does it get dropped?

if I try to ping it it doesn't answer, the unifi logs do show that the packages have been forwarded to the subnet. If I use netcat to open a port on the other device it receives the connection request, but the NAS doesn't recognize it. Maybe I have to do some Wiresharking on a mirror port to see what exactly comes back, hoped I could get around it