Port Forwarding

At Network Center > Port forwarding, you can configure port forwarding, port triggering, and NAT pass-through. These functions enable you to access your Synology Router's services from outside your local networks. You can also create a DMZ network at the DMZ tab to add an extra layer of security between your internal network and untrusted traffic.

Set up port forwarding rules

Port forwarding specifies which of your Synology Router's ports transmit packets from the Internet to ports of local devices. It allows you to share local services (e.g., a web server) with Internet users while keeping your local networks safe. For more information about port forwarding, please refer to this article.

Follow the steps below to set up a port forwarding rule:

  1. Go to Network Center > Port Forwarding > Port Forwarding.
  2. Click Create to open the setup window.
  3. Specify the Name, Private IP address, Public port, Private port, and Protocol (TCP or UDP). You can use the following syntax to specify port numbers and range:
    • Use "-" to describe the port range, e.g., "6881-6890".
    • Use "," to separate ports, e.g., "21,22", "21,55536-55663".
  4. Click Create to complete the settings.
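
The port syntax above can be checked before a rule is created. The following is an added example, not Synology code: it expands the "-" and "," syntax and audits a constructed rule list for wide ranges, commonly attacked services, and duplicated public ports. The names `parse_ports`, `audit_rules`, `SENSITIVE` and the `max_span` threshold are assumptions made for this illustration.

```python
import re

# Constructed watch-list for this example; adjust it to your own policy.
SENSITIVE = {21: "FTP", 22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP"}

def parse_ports(spec):
    """Expand a port spec such as "21,55536-55663" into a sorted list of ports."""
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"\s*(\d{1,5})\s*(?:-\s*(\d{1,5})\s*)?", item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"port out of range or reversed: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def audit_rules(rules, max_span=16):
    """Return (rule name, finding) pairs for a list of forwarding rules."""
    findings, seen = [], {}
    for r in rules:
        ports, proto = parse_ports(r["public"]), r["protocol"]
        if len(ports) > max_span:  # assumed threshold for "too wide"
            findings.append((r["name"], f"wide exposure: {len(ports)} public ports"))
        for p in ports:
            if p in SENSITIVE:
                findings.append((r["name"], f"{SENSITIVE[p]} ({p}/{proto}) reachable from the Internet"))
            owner = seen.setdefault((p, proto), r["name"])
            if owner != r["name"]:
                findings.append((r["name"], f"public port {p}/{proto} also claimed by {owner}"))
    return findings

# Constructed sample rules using the fields from step 3.
RULES = [
    {"name": "web", "private_ip": "192.168.1.10", "public": "80,443", "protocol": "TCP"},
    {"name": "ftp-passive", "private_ip": "192.168.1.20", "public": "21,55536-55663", "protocol": "TCP"},
    {"name": "admin", "private_ip": "192.168.1.30", "public": "22,443", "protocol": "TCP"},
]

if __name__ == "__main__":
    for name, msg in audit_rules(RULES):
        print(f"{name}: {msg}")
```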

Set up port triggering rules

Port triggering is a dynamic version of port forwarding. It's safer than port forwarding because it opens ports only for a short period.

When a local device delivers outbound traffic requests over a "trigger port," your Synology Router records the device's IP address and temporarily opens "incoming ports." If data from the Internet returns to the incoming ports, the Synology Router routes it back to the local device.

Follow the steps below to set up a port triggering rule:

  1. Go to Network Center > Port Forwarding > Port Triggering.
  2. Click Create to open the setup window and fill in the following fields:
    • Specify the Name, Protocol (All, TCP or UDP), Trigger port, Incoming port, Source IP, and MAC (see Note 1). You can use the following syntax to specify port numbers and range:
      • Use "-" to describe the port range, e.g., "6881-6890".
      • Use "," to separate ports, e.g., "21,22", "21,55536-55663".
    • Click OK to complete the settings.

Note:

  1. The Source IP and MAC fields are optional. To make your rule only triggered by a specific local device, enter the device's IP address and MAC address in these two fields, respectively.
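
The trigger-and-open behavior described in this section can be modeled in a few lines. This is an added example, not SRM's implementation: the `PortTrigger` class, the 60-second `ttl`, and the sample ports and addresses are assumptions, and only the Source IP restriction is modeled (not MAC).

```python
class PortTrigger:
    """Toy model of one port triggering rule; ttl is an assumed value, not SRM's."""

    def __init__(self, trigger_ports, incoming_ports, source_ip=None, ttl=60):
        self.trigger = set(trigger_ports)
        self.incoming = set(incoming_ports)
        self.source_ip = source_ip      # optional: only this device may trigger
        self.ttl = ttl                  # seconds the incoming ports stay open
        self.owner, self.expires = None, 0.0

    def outbound(self, src_ip, dst_port, now):
        """A local device sends traffic; returns True if the rule was triggered."""
        if dst_port not in self.trigger:
            return False
        if self.source_ip and src_ip != self.source_ip:
            return False                # rule is restricted to another device
        self.owner, self.expires = src_ip, now + self.ttl
        return True

    def inbound(self, dst_port, now):
        """Return the local IP that receives an Internet packet, or None if dropped."""
        if self.owner is None or now >= self.expires:
            self.owner = None           # window closed: ports are no longer open
            return None
        return self.owner if dst_port in self.incoming else None

def timeline():
    """Constructed scenario: trigger port 6667, incoming port 113, one allowed device."""
    rule = PortTrigger({6667}, {113}, source_ip="192.168.1.50", ttl=60)
    return [
        rule.inbound(113, now=0),                    # nothing triggered yet
        rule.outbound("192.168.1.77", 6667, now=1),  # wrong device, ignored
        rule.outbound("192.168.1.50", 6667, now=2),  # trigger fires
        rule.inbound(113, now=10),                   # routed to the triggering device
        rule.inbound(8080, now=10),                  # not an incoming port
        rule.inbound(113, now=62),                   # window has expired
    ]

if __name__ == "__main__":
    print(timeline())
```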

Allow port forwarding setup from connected devices

SRM also allows the setup of port forwarding rules simply from connected devices. For example, if you have a Synology NAS within the Synology Router's network, you can set up its port forwarding rules on the NAS operating system: DSM.

To enable port forwarding setup from connected devices, follow the steps below:

  1. Go to Network Center > Local Network > Network.
  2. Select the local network where your device is located. Click Edit.
  3. At the Advanced tab, tick Enable UPnP and click OK.
  4. Return to the connected devices and set up their port forwarding rules.

Note:

  • To modify the port forwarding rules set up through the method above (i.e., UPnP), return to the connected devices to make relevant changes.
  • When in conflict, different types of rules on SRM are prioritized for enforcement in the following order: firewall rules > port forwarding rules > UPnP client list rules.

Create a DMZ

A DMZ (demilitarized zone) is a subnet containing external-facing services, e.g., web servers or mail servers. It functions as the node exposed to untrusted networks, commonly the Internet.

Setting up a DMZ adds an extra layer of security to local networks. You can set up your server as a DMZ host, which is accessible from the Internet, while the rest of your local networks remain unreachable.

Follow the steps below to create a DMZ:

  1. Go to Network Center > Port Forwarding > DMZ.
  2. Configure the following and click Apply:
    • Enable DMZ: Select Enabled.
    • DMZ Host IP address: Select a device from the drop-down menu. It'll become the DMZ host.
    • Generate firewall rules automatically: We recommend ticking this option, so that a firewall rule allowing external access to your DMZ host will be created.

Note:

  • To connect to your DMZ host from the Internet, you will need an external IP address retrieved by your Synology Router.

Enable NAT pass-through

NAT pass-through allows client traffic to pass through your Synology Router. You can enable the following options according to protocols used by your client devices.

  • PPPoE pass-through (PPPoE Relay): Tick this option to allow client devices' PPPoE connections.
  • SIP Pass-through: Tick this option to allow client devices' SIP connections.
  • VPN pass-through: Tick this option and the following to allow the VPN use of client devices:
    • PPTP pass-through (for PPTP VPN)
    • IPSec pass-through (for IPSec VPN)
    • L2TP pass-through (for L2TP VPN)

Note:

  • If a VPN client uses mixed VPN protocols, make sure to tick the relevant options to prevent connection failure.