How to setup Reverse Proxy Server with Synology NAS and 2 routers inbetween

Johanvh · December 20, 2021, 6:44am

I use HA on a VM (HA has internal IP 192.168.100.146) with DuckDNS enabled.
In my providers router port 443 is forwarded to WAN port of my router (192.168.0.120).
In my router external port 443 is forwarded to internal IP of HA (192.146.100.146 on port 8123).
This works since 1 year without any problem but from time to time I get unauthorized logins from external IP’s, so I’d like to make it more secure.
So far I could access from external side on https:myname.duckdns.org.

I’d like to install a proxy server on my Synology NAS (192.168.100.250) and also use the DDNS service of Synology. I’ve setup https//:myname.synology.me with state ‘normal’, this works
In my providers router I forwarded external port 8173 to internal port 8175 to the WAN of my router. On my own router I added additional port forwarding from external 8175 to internal 192.168.100.250:8177 (Synology).
In my Synology I enabled ‘Proxy Server’ from
Source: https
IP: myname.synology.me
port: 8177
to internal 192.168.100.146:8123 (HA).

I try to access on https://myname.synology.me:8173 but can’t get access.
What’s wrong?

mirekmal · December 20, 2021, 8:16am

I have very similar setup, with ISP router that can’t be configured in bridged mode, so I have router after router setup (double NAT). Configuration I have is though slighlty different:

on my ISP router I configured my router as DMZ. This way all traffic is by default redicter to my device and I do not need to take care about ports.
on my router I configured redirection of ports 80 and 443 to SYnology NAS.
on Synology NAS I configured reverse proxy, but here is major difference: I use subdomain names to redirect different services to appropriate appliances on my network. E.g https://hassio.mydomain.com is redirected to internal IP of my HA on port 8213.

I’m not sure if redirection you try to do on Synology will work. I think myname.synology.me is always pointing to DSM itself and accepts connections on port 5000/5001 (unless changed). The whole purpose of reverse proxy is to use subdomain names rather, to identify required redirection, than specific ports. Some details of my config are here.

Johanvh · December 20, 2021, 1:42pm

Thanks for your detailed answer.
I don’t have a sophisticated router, only a TP-Link mesh network (TP Link Deco M9) with 3 access points. 1 WAN port is connected to my ISP router. 1 Lan port goes to my Synology Nas.

Would it be safe to enable DMZ and request all ‘firewall’ and safety stuff from the M9 and my Synology Nas?