Good day all. I have just purchased a second Synology NAS and was curious about setup. I assume I need to give the second one a different port other than 5000/5001, but does it matter what number I give it so my second Synology
You can look at this issue from different angles.
If you log in to a NAS with IPaddress:port_number or server_name:port_number, each NAS differentiates with its IP or server name from the other, and identical port numbers are not an issue.
However, when you use the port for port forwarding to log in to DSM, you must differentiate by port number. Each NAS must have a unique port number for a service.
That said, it is always good to change the default 5000/5001 port numbers, even for your first NAS or every NAS.
Just don’t pick something that Synology already uses elsewhere. Pick two numbers in the thousands and you should be OK, like 7575 and 7676. For what not to use see: What network ports are used by DSM services?
If you use Let’s Encrypt, you’ll have to “spoon feed” the 90-day renewals. Let’s Encrypt will only use standard 80/443 ports (http/https) for their automatic verification at certificate renewal time. Obviously you can’t forward those ports to both NASes at the same time. It would be nice if you could give Let’s Encrypt a unique port for verification and forward that to the appropriate NAS but I haven’t found anything in their documentation to explain how to do that.
Personally, I’ve never gotten port 443 to work on its own; if port 80 isn’t forwarded to the NAS that’s trying to renew, it fails. Would be nice if it were an either/or situation on my network because I could forward those individually to different NASes.
So four times a year I do a manual renewal on the NAS that’s currently the forwarded IP for port 80, and then I change the port forwarding rule to point to the other NAS and renew the certificate there. If anyone has a better method for setting up Let’s Encrypt auto renewal, I’d love to hear it.
I don’t run a publicly facing website so it’s not an issue for me that I can’t leave 80/443 open for that type of usage.
It’s also a good idea to leave the default ports alone while you’re getting everything set up and making sure it works. After you’ve thoroughly tested everything and are certain it all works, then change the ports one-at-a-time and test each port for each service one-at-a-time. It’s a bit time consuming, but it makes troubleshooting a lot easier, especially for a newbie, and troubleshooting can be a very lengthy process indeed.
In addition to the DSM port services mentioned by @SpiceRex, here are a couple more resources that can aid you in selecting ports for your purposes. CAVEAT: there are services that will not work if they’re not using the expected registered ports.
As an FYI, one of the reasons some people like QuickConnect is b/c DSM does not play well with port triggering. Port Triggering only opens a port as-needed, then closes it again when finished; Synology’s QuickConnect does essentially the same thing.
Private ports 49152-65565 can be your friend if obfuscation is the goal, but 65536:66047 are invalid — or were the last time I looked into it anyway.
Nobody really mentions it but it’s also a very good idea to document your configurations. Once you’re set up and everything is the way you want it you should document the setup. I always create a word processing document explaining to myself what and why I did what I did. I also include screenshots of each tab/window relevant to the setup so I can see the actual settings. There is nothing worse than having to fix something 8 months later and trying to remember what the hell you did to get it to work the first time.
What was the fix you’re referring to? How does it obviate the need to play the shell game with which NAS on your network gets the port 80 forwarding?
Fixed issues #10 1. Updated the OpenSSL setting in response to new rules of Let’s Encrypt certificates.
Is that the fix you’re talking about? If so, the release note doesn’t shed much light on what’s better/fixed. I don’t know what the LE “new rules” are.
There are a few other LE fixes in other versions/updates that address QuickConnect certs, so I don’t think those are relevant here.
I was referring to DSM 7 and more specifically to DSM 7.2x. DSM 6.x is too far removed for me to comment on.
I don’t see any reason you’d have to play any shell games with any port regarding the certificate issue. Once you have the corrected version of DSM onboard and get your certificate set up, it should be good regardless of the port involved.
That said, if you use QuickConnect to connect to the NAS you will always get a warning the site certificate is foul. That’s because until the connection is settled out you’re viewing the site through a random relay server. Only once the connection is set does the relay server pass off the connection and let go, assuming it works better that way as in, the connection is local, e.g., 192.168.x.x. or it hooks via DDNS something like DSCloud, e.g., mysite.dscloud.biz. If you go straight to the DSCloud, etc., regardless of the port, it will work and show as a properly secure connection.
Also…
TAKE THIS ADVICE AS GOSPEL! Always document your changes and reasons for them.
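
The forwarding rules discussed in this thread (a unique external port per NAS, the 5000/5001 defaults avoided, port 80 pointing at whichever NAS is renewing its certificate) can be checked before they are entered into the router. This is an added example and not part of any post above; the NAS names, the rule tuple format and the function names are assumptions made for illustration.

```python
# Constructed sample data; NAS names and port numbers are illustrative only.
DSM_DEFAULT_PORTS = {5000, 5001}   # DSM defaults named in the thread
HTTP_VALIDATION_PORT = 80          # port the thread found must reach the renewing NAS


def check_forwarding_plan(rules):
    """Check router port-forward rules given as (external_port, nas, internal_port).

    Returns a sorted list of findings; an empty list means the plan is clean.
    """
    findings = set()
    owner = {}  # external port -> first NAS that claimed it
    for external, nas, _internal in rules:
        if not 1 <= external <= 65535:
            findings.add(f"{external}: not a valid TCP port")
            continue
        if external in DSM_DEFAULT_PORTS:
            findings.add(f"{external}: default DSM port exposed for {nas}")
        first = owner.setdefault(external, nas)
        if first != nas:
            findings.add(f"{external}: forwarded to both {first} and {nas}")
    return sorted(findings)


def renewal_targets(rules):
    """Return the NAS names that currently receive external port 80."""
    return sorted({nas for external, nas, _ in rules
                   if external == HTTP_VALIDATION_PORT})


# Plan in the spirit of the thread: distinct high ports, port 80 on one NAS.
SAMPLE_PLAN = [
    (7575, "nas1", 5001),
    (7676, "nas2", 5001),
    (80, "nas1", 80),
]

# Plan with the mistakes the thread warns about.
BROKEN_PLAN = [
    (5001, "nas1", 5001),
    (5001, "nas2", 5001),
    (70000, "nas2", 5001),
]

if __name__ == "__main__":
    print(check_forwarding_plan(SAMPLE_PLAN), renewal_targets(SAMPLE_PLAN))
    for finding in check_forwarding_plan(BROKEN_PLAN):
        print(finding)
```

Keeping the rule list in a file next to the configuration notes gives a record of which NAS each external port reaches.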