Dreakon13, posted May 28, 2023 (edited May 28, 2023 by Dreakon13)

Hi, this is probably more of a general Synology question, but whenever I try to ask questions on most tech/security-oriented subreddits or forums, I get absolutely ripped to shreds by people that have more interest in showing me how great they are, than actually humoring me and answering a question... so I'm hoping I can maybe get some kinder responses here since it is vaguely Emby related.

I have Emby running through the reverse proxy functionality on my Synology DS220+, along with a domain and cert provided by Synology/Let's Encrypt. I have Emby disabled for remote access in the software itself, accessing it through the https://emby.synology.domain.name that was set up through the reverse proxy pointing to Emby's local port. I know this isn't really a supported way of doing secure remote access and there's quite a bit I probably don't really know about reverse proxies... but it's quick, clean, easy and it seems to work.

I'd like to restrict access to my NAS entirely (including Emby) to only US IP addresses. In a perfect world I'd only allow access to a handful of specific IPs but given how public IPs can change, this seems like the next best thing... I have no reason to open the NAS up to connections outside of the US.

If I try to do this through Synology's firewall, I lose access to Emby since presumably everything through the reverse proxy is seen as the local IP. And if everything looks like the local IP, I can't block specific ones. That's my guess though. If I block all non-US IPs it doesn't work, if I allow the local IP it does.

Long story short... anyone with some deeper understanding of Synology NASes, is there a way to block all access to the NAS, Emby, etc. from all non-US IPs? In particular also applying to Synology's reverse proxy and domain/cert?

Luke, posted May 28, 2023

Hi, does this help?

https://mariushosting.com/how-to-set-up-synology-firewall-geoip-blocking/

Dreakon13 (author), posted May 28, 2023 (edited May 28, 2023 by Dreakon13)

Thanks, I'll go through that more tomorrow morning when the server is less actively used, but it's my (probably incorrect) understanding that the reverse proxy interprets the external connections as the local IP (using the local ports)... so allowing my local IP, since that'd encompass everything coming through, and blocking external IPs wouldn't really accomplish anything. At least that's kinda the impression I was getting tinkering with it prior to posting the OP.

A32, posted May 29, 2023 (marked as Solution)

Hi,

You’ll need to enable the firewall with three simple rules:

1. Allow the local subnet (e.g. 192.168.1.0/24). This will allow unfiltered access on your LAN for all hosts and all protocols.
2. Allow the reverse proxy for U.S. only. Select it from the built-in applications (reverse proxy, https) and set the location to U.S.
3. Deny all. This rule should always be at the bottom of the list.

The firewall rules are parsed top to bottom. Execution of the rules stops when a match is found.

I can provide more details if needed.
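
An added example, not part of the original posts and not Synology's code: a small Python model of the top-to-bottom, first-match evaluation described in the answer above, applied to its three rules. The GeoIP table, the sample connections, port 443 for the reverse proxy's HTTPS listener, and the default action when no rule matches are all assumptions made for illustration.

```python
import ipaddress

# Constructed GeoIP table built from documentation ranges; not real geolocation data.
GEO = {"198.51.100.0/24": "US", "203.0.113.0/24": "DE"}

def country(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None  # private or unlisted addresses have no country

# The three rules from the answer, top to bottom. None means "any".
# Port 443 for the reverse proxy HTTPS listener is an assumption.
RULES = [
    {"name": "allow-lan", "src": "192.168.1.0/24", "port": None, "country": None, "action": "allow"},
    {"name": "allow-https-us", "src": None, "port": 443, "country": "US", "action": "allow"},
    {"name": "deny-all", "src": None, "port": None, "country": None, "action": "deny"},
]

def matches(rule, ip, port):
    if rule["src"] and ipaddress.ip_address(ip) not in ipaddress.ip_network(rule["src"]):
        return False
    if rule["port"] is not None and rule["port"] != port:
        return False
    if rule["country"] and country(ip) != rule["country"]:
        return False
    return True

def evaluate(rules, ip, port):
    """Return (action, rule name) for the first rule that matches; later rules are ignored."""
    for rule in rules:
        if matches(rule, ip, port):
            return rule["action"], rule["name"]
    return "allow", "no-match"  # assumed default when nothing matches

if __name__ == "__main__":
    # Constructed sample connections: LAN client, US and non-US HTTPS, US on another port.
    cases = [("192.168.1.50", 445), ("198.51.100.7", 443), ("203.0.113.9", 443), ("198.51.100.7", 22)]
    for ip, port in cases:
        print(f"{ip}:{port} ->", evaluate(RULES, ip, port))
    # Same rules with deny-all moved to the top: even the LAN is locked out.
    misordered = [RULES[2], RULES[0], RULES[1]]
    print("misordered, LAN client ->", evaluate(misordered, "192.168.1.50", 443))
```
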

Dreakon13 (author), posted May 29, 2023

10 hours ago, A32 said:

> Hi,
>
> You’ll need to enable the firewall with three simple rules:
>
> 1. Allow the local subnet (e.g. 192.168.1.0/24). This will allow unfiltered access on your LAN for all hosts and all protocols.
> 2. Allow the reverse proxy for U.S. only. Select it from the built-in applications (reverse proxy, https) and set the location to U.S.
> 3. Deny all. This rule should always be at the bottom of the list.
>
> The firewall rules are parsed top to bottom. Execution of the rules stops when a match is found.
>
> I can provide more details if needed.

Worked perfectly, thank you! I jumped around via VPN to a few different places and back to the US, and it worked/didn't work as expected after those changes.

I didn't realize there was a reverse proxy selection in the built-in applications... but I should've figured allowing US only for HTTPS would've done the trick too. Live and learn.

Thanks again

A32, posted May 29, 2023

Glad it worked