Synology RT6600ax Router and Synology NAS (DS920+) in same network - managing two firewalls?

Hi Will (and Forum members). I have been watching many of your YouTube videos over the last couple of years and have found them to be very helpful - thank you. I have a suggestion for a video.

Having been using a Synology NAS of one sort or another for the last ten years and having been impressed with the performance and user interface, I recently went ahead and added the RT6600ax Router to my network in place of the ISP provided one to improve my network security. Having set it up and got it working with VLANs for IoT, Guest etc, all seems good, I like it.

However, I have realised there’s an overlap in functionality i.e. the RT6600 has a firewall and so does the NAS. There’s room here through poor configuration to create firewall rule contention. Maybe this is something that others are pondering too? Maybe enough interest for a video on a strategy for managing two firewalls (or maybe just switch off the NAS firewall … or whatever)?

Also, in the same network as above (i.e. having an RT6600ax and a DS920+) and having VLANs set up for IoT and so on, how would the Media Server content on the NAS be made available to the specific IoT devices requiring it (such as TVs, streamers), whilst otherwise maintaining separation of the IoT network from the Primary Network (i.e. the one having the NAS on it)? I’m struggling with this bit of my setup. I suspect it centres around firewall rules involving specific ports, but I can’t get it to work. Again, maybe others are having similar issues?

Thanks for reading this. Any advice would be appreciated.


I am having the exact same problem with sending media from one VLAN subnet to another using my DiskStation. I have been working with Synology developers on this and another problem I have with my router. They said that DLNA cannot work across VLANs, so there is no way for your media devices to get movies, music or pics. They suggested that I move the NAS to the IoT. My first response was if I do that then I compromise all of my private info on the NAS.

I saw a YouTube video from Lawrence Systems about assigning a 2-interface NAS (like your DS920+) to bridge the subnets. Essentially, he connected LAN interface 1 (on the back of the NAS) to the primary (secure) network and LAN 2 to the IoT. Here is where your firewall question is answered. You can create separate firewall rules for each LAN port interface or you can create rules that apply to both at the same time. On the NAS he created a firewall rule for LAN 1 only that allows complete access to the NAS. Then he created a separate firewall rule for LAN 2 only that gives the same access except there is no access to the Management UI (basically that’s DSM access) and no access to the SSH port. So now he had a NAS on both subnets (IoT & primary) at the same time. I could even see it in my router table. He never demonstrated the results but it’s worth watching the video. I tried it but it didn’t work for me. I’m having separate problems with my RT2600ac router (UPnP port forwarding issues) so it still might work. Since your router is new it’s definitely worth a try. Here is the link to the video. Take a look at the video. It makes perfect sense that it should work.

If, ultimately, it doesn’t work for me, I am thinking of moving one of my 4 Synology NAS to IoT and removing all private information out of it and basically using it as a media server. I just hope if I do that, I can still back up my media to a NAS on my secure subnet. So far, nobody else in this blog seems interested. I’m wondering if it’s because they solved the problem so there’s a lack of interest. I wish Will would weigh in on this. I’m sure he’s faced this issue before.
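The per-interface rule set described in the post above (full access on LAN 1; the same on LAN 2 minus DSM and SSH), modelled as an added example that is not part of the thread or the video. It assumes DSM's default ports (5000/5001 for DSM, 22 for SSH, 50001/50002 for Media Server), top-down first-match rule evaluation, and constructed subnets; it also shows how putting the allow rule above the deny rule exposes the management ports to the IoT side.

```python
# Added example: a model of per-interface firewall rules, not Synology code.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed DSM default ports; adjust if they were changed on the NAS.
MGMT_PORTS = frozenset({22, 5000, 5001})      # SSH, DSM HTTP, DSM HTTPS
MEDIA_PORTS = frozenset({50001, 50002})       # Media Server (TCP)
PRIMARY, IOT = "192.168.1.0/24", "192.168.20.0/24"  # constructed subnets

@dataclass(frozen=True)
class Rule:
    ports: Optional[frozenset]  # None means every port
    source: str                 # source network in CIDR form
    action: str                 # "allow" or "deny"

@dataclass(frozen=True)
class Interface:
    name: str
    rules: tuple
    default: str = "deny"       # applied when no rule matches

def decide(iface, src_ip, port):
    """Top-down, first matching rule wins (assumed evaluation order)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in iface.rules:
        in_net = addr in ipaddress.ip_network(rule.source)
        if in_net and (rule.ports is None or port in rule.ports):
            return rule.action
    return iface.default

def exposed_mgmt(iface, src_ip):
    """Management ports a host at src_ip can reach through this interface."""
    return sorted(p for p in MGMT_PORTS if decide(iface, src_ip, p) == "allow")

ANY = "0.0.0.0/0"
LAN1 = Interface("LAN 1", (Rule(None, PRIMARY, "allow"),))
# LAN 2 as described: same access, minus DSM and SSH. The deny must come first.
LAN2_OK = Interface("LAN 2", (Rule(MGMT_PORTS, ANY, "deny"),
                              Rule(None, IOT, "allow")))
# Same two rules in the wrong order: the allow-all shadows the deny.
LAN2_MISORDERED = Interface("LAN 2", tuple(reversed(LAN2_OK.rules)))

if __name__ == "__main__":
    for iface in (LAN1, LAN2_OK, LAN2_MISORDERED):
        src = "192.168.1.10" if iface is LAN1 else "192.168.20.50"
        print(iface.name, "from", src, "-> mgmt ports open:", exposed_mgmt(iface, src))
```

Running `exposed_mgmt` against an exported rule list for the IoT-facing interface gives a quick check that no rule reordering has reopened DSM or SSH.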

Hi, thanks for your reply.
Yes, I had considered using the second network port on my NAS to provide MediaServer content to my IoT VLAN and I’m sure it would work, but I have already used the second network port exactly in the way Lawrence Systems describes i.e. as part of my Camera VLAN.
I guess I could do with a NAS that has 3 network ports but I’m not going to buy another NAS just for that purpose.
I don’t like the idea of putting my NAS on my IoT network. Like you, I don’t want to compromise the security of my NAS and its contents. It’s kind of the whole reason I segregated my network in the first place.
From what you said about DLNA not working over subnets, I suspect it’s down to DLNA protocols (e.g. Discovery) only working on the subnet in which the DLNA device sits, therefore DLNA devices on separate networks (VLANs) won’t work. That’s my theory right now.
I’ll ponder it a bit more. It’s a good winter project, and as we’re just heading into winter here maybe I’ll get some time on it.
I’ll post here if I discover anything that works.

Hi Steve,
My case is still a work in progress. We’ve been going at this for 6 weeks now with Synology. I did some Wireshark captures on my router for the Synology tech team and in my case my media devices aren’t connecting to the IoT gateway so it makes sense that I might not have any DLNA connection. I have an RT2600ac that’s about 5 years old. I might do what you did and get the RT6600ax. Just some thoughts. How many cameras did you set up? Is it feasible to combine your surveillance and IoT devices onto one subnet? Presumably, you’re watching movies at night when you’re home and you need surveillance during the day when you’re not. So, it’s unlikely you will need to have both cranking at the same time; especially if the cameras have motion sensors. That being the case, you shouldn’t have a bandwidth problem, especially if you’re just playing audio.

Got another wild idea. Winter project. The back of your DS920+ has a USB 3.0 port. It might be possible (then again it might not), with some fancy hacking, to use a USB 3.0 to ethernet adapter and then with Command Line, make it an access port for IoT. The DS920+ manual says the USB 3.0 port can be used to, "Connect external drives or other USB devices to the Synology NAS here." It might be far-fetched. I couldn’t tell you for sure but it’s a matter of asking Synology tech team (or Will) if they thought it could be done. There might even be an online video on it. Anyway, I’d be interested in learning what you did as a workaround. I will let you know if/when Synology and I get things working on my network.

Steve,
It looks like there is a lot of chatter online about using Synology USB 3 port to adapt an ethernet port. The question is if there is a driver available for it already in DiskStation. Also wondering if you can use a cheap single board computer like a Raspberry Pi (but with USB 3) running Proxmox with a fileserver + a media server to access Synology folders and then using its ethernet port to connect your IoT. Just a crazy thought.