I have setup my Synology drive to be behind PIA VPN, but now, port 5000 forwarding no longer work. I am a newbie so I am sure the fix should be simple and just that I don't understand all the NAT/Firewall/Route configurations that is needed.
Here is my Config.boot file.
firewall {
all-ping enable
broadcast-ping disable
group {
network-group BOGONS {
description "Invalid WAN networks"
network 10.0.0.0/8
network 100.64.0.0/10
network 127.0.0.0/8
network 169.254.0.0/16
network 172.16.0.0/12
network 192.0.0.0/24
network 192.0.2.0/24
network 192.168.0.0/16
network 198.18.0.0/15
network 198.51.100.0/24
network 203.0.113.0/24
network 224.0.0.0/3
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
modify OPENVPN_ROUTE {
rule 10 {
action modify
description "traffic from Synology to vtun0"
modify {
table 1
}
source {
address 192.168.2.21/32
}
}
}
name LAN_IN {
default-action accept
description "Wired network to other networks."
}
name LAN_LOCAL {
default-action accept
description "Wired network to router."
}
name WAN_IN {
default-action drop
description "Internet to internal networks"
enable-default-log
rule 20 {
action accept
description "allow established/related"
log disable
state {
established enable
related enable
}
}
rule 30 {
action drop
description "drop invalid"
log enable
state {
invalid enable
}
}
rule 40 {
action drop
description "drop BOGON source"
log enable
protocol all
source {
group {
network-group BOGONS
}
}
}
}
name WAN_LOCAL {
default-action drop
description "Internet to router"
enable-default-log
rule 1 {
action accept
description "allow established/related"
log disable
state {
established enable
related enable
}
}
rule 2 {
action drop
description "drop invalid"
log enable
state {
invalid enable
}
}
rule 3 {
action drop
description "drop BOGON source"
log enable
protocol all
source {
group {
network-group BOGONS
}
}
}
rule 4 {
action accept
description "rate limit ICMP 50/m"
limit {
burst 1
rate 50/minute
}
log enable
protocol icmp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 192.168.1.1/24
description LAN
duplex auto
firewall {
in {
name LAN_IN
}
local {
name LAN_LOCAL
}
}
poe {
output off
}
speed auto
}
ethernet eth1 {
address dhcp
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
ip {
}
poe {
output off
}
speed auto
}
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth4 {
duplex auto
poe {
output 48v
}
speed auto
}
loopback lo {
}
openvpn vtun0 {
config-file /config/auth/ChicagoPIA.ovpn
description "Private Internet Access VPN"
}
switch switch0 {
address 192.168.2.1/24
firewall {
in {
modify OPENVPN_ROUTE
name LAN_IN
}
local {
name LAN_LOCAL
}
}
mtu 1500
switch-port {
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface switch0
rule 1 {
description Plex
forward-to {
address 192.168.2.20
port 32400
}
original-port 32400
protocol tcp_udp
}
rule 2 {
description Synology
forward-to {
address 192.168.2.21
port 5000
}
original-port 5000
protocol tcp_udp
}
wan-interface eth1
}
protocols {
static {
table 1 {
interface-route 0.0.0.0/0 {
next-hop-interface vtun0 {
}
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name switch {
authoritative enable
description switch
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 8.8.8.8
dns-server 192.168.2.1
lease 86400
ntp-server 192.168.2.1
start 192.168.2.60 {
stop 192.168.2.254
}
static-mapping macmini {
ip-address 192.168.2.20
mac-address 28:37:37:15:97:91
}
static-mapping pidora {
ip-address 192.168.2.53
mac-address 74:da:38:6d:27:f9
}
time-server 192.168.2.1
}
}
shared-network-name wired-eth0 {
authoritative enable
description "Wired Network - Eth0"
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
ntp-server 192.168.1.1
start 192.168.1.10 {
stop 192.168.1.254
}
time-server 192.168.1.1
}
}
}
dns {
forwarding {
cache-size 150
listen-on eth0
listen-on eth1
listen-on switch0
system
}
}
gui {
http-port 80
https-port 443
listen-address 192.168.1.1
listen-address 192.168.2.1
older-ciphers enable
}
nat {
rule 5000 {
description PIA
log disable
outbound-interface vtun0
protocol all
source {
address 192.168.2.21/32
}
type masquerade
}
rule 5001 {
description "WAN MASQ"
log disable
outbound-interface eth1
protocol all
type masquerade
}
}
ssh {
listen-address 192.168.1.1
listen-address 192.168.2.1
port 22
protocol-version v2
}
upnp {
listen-on eth0 {
outbound-interface eth1
}
listen-on switch0 {
outbound-interface eth1
}
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name ubnt
ipv6 {
disable
}
login {
banner {
post-login "Welcome to EdgeMAX"
pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
}
user ubnt {
authentication {
encrypted-password $6$R0tERhM5JPDg$w808vSeWV1JJICgvhFGt81Vfxx6HiM3ErQ7V1nkpx1V16sPBNM01taOj60AjyXdPx493hbWugpjS8I1V/XBPW.
plaintext-password ""
public-keys etse@Edwards-MacBook-Pro.local {
key <I erased this>
type ssh-rsa
}
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
}
ipv6 {
forwarding disable
}
}
package {
repository squeeze {
components "main contrib non-free"
distribution squeeze
password ""
url http://ftp.us.debian.org/debian/
username ""
}
repository squeeze-updates {
components "main contrib"
distribution squeeze/updates
password ""
url http://security.debian.org/
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.8.5.4884695.160608.1057 */