There are a lot of examples and terms in this video that you may or may not be familiar with, so here is some additional context if you're interested:
1. IoT devices (like the thermostat example) are generally "risky" because they may or may not receive security patches. Segregating your network will ensure the untrusted devices which may not receive patches cannot communicate with the trusted devices.
2. Passkeys function by pairing a private and public key. The private key stays on your device (YubiKey, password manager, browser, etc.), and the public key is provided to the service. For this reason, nothing other than the device that is storing the passkey can access the service, which is why it can't be phished.
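To make the public/private split in point 2 concrete, here is an added example (not from the video or the channel) that models the WebAuthn flow behind passkeys with Go's standard library: the authenticator keeps a P-256 private key per relying-party ID, the browser refuses to hand a look-alike domain the real site's credential, and the service verifies a signature that covers both its own domain and the origin the browser saw. The domains nas.example and nas-example.evil, the challenge strings and the simplified client-data layout are assumptions for illustration; real WebAuthn authenticator data and client data carry more fields than this.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrNoCredential = errors.New("no passkey stored for this relying party")
	ErrRPIDMismatch = errors.New("requested rpID does not belong to the page origin")
	ErrBadAssertion = errors.New("assertion rejected")
)

// Credential is everything the service keeps after registration: the public key
// and the relying-party ID (domain) it was registered for. No secret lives here.
type Credential struct {
	RPID   string
	Public *ecdsa.PublicKey
}

// Assertion is what comes back from the authenticator at login time.
type Assertion struct {
	Origin    string   // origin the browser observed; part of the signed client data
	Challenge string   // server-issued nonce; makes the signature single-use
	RPIDHash  [32]byte // sha256(rpID), as carried in WebAuthn authenticator data
	Signature []byte   // ECDSA P-256 signature, ASN.1 encoded
}

// Authenticator models the device holding the private keys (security key, password
// manager, browser). Keys are indexed by rpID, never by "whatever site is asking".
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register generates a fresh key pair for rpID; only the public half leaves the device.
func (a *Authenticator) Register(rpID string) (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	a.keys[rpID] = priv
	return Credential{RPID: rpID, Public: &priv.PublicKey}, nil
}

// rpIDAllowed is the browser-side rule: a page may only ask for credentials whose rpID
// equals its own host or a parent domain of it. This stops a look-alike domain from
// requesting the real site's passkey.
func rpIDAllowed(origin, rpID string) bool {
	host := strings.TrimPrefix(origin, "https://")
	return host == rpID || strings.HasSuffix(host, "."+rpID)
}

// signedMessage mirrors WebAuthn: the signature covers authenticator data (which embeds
// sha256(rpID)) concatenated with sha256(clientData), and clientData carries origin + challenge.
func signedMessage(rpIDHash [32]byte, origin, challenge string) []byte {
	clientDataHash := sha256.Sum256([]byte(origin + "|" + challenge))
	msg := sha256.Sum256(append(rpIDHash[:], clientDataHash[:]...))
	return msg[:]
}

// GetAssertion is the browser + authenticator side of a login from a page at origin.
func (a *Authenticator) GetAssertion(origin, rpID, challenge string) (Assertion, error) {
	if !rpIDAllowed(origin, rpID) {
		return Assertion{}, ErrRPIDMismatch
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, ErrNoCredential
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpIDHash, origin, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Challenge: challenge, RPIDHash: rpIDHash, Signature: sig}, nil
}

// Verify is the relying-party side: origin and challenge must be the ones it expects,
// the rpID hash must be its own, and the signature must check out against the stored public key.
func Verify(cred Credential, expectedOrigin, expectedChallenge string, as Assertion) error {
	if as.Origin != expectedOrigin || as.Challenge != expectedChallenge {
		return ErrBadAssertion
	}
	if as.RPIDHash != sha256.Sum256([]byte(cred.RPID)) {
		return ErrBadAssertion
	}
	if !ecdsa.VerifyASN1(cred.Public, signedMessage(as.RPIDHash, as.Origin, as.Challenge), as.Signature) {
		return ErrBadAssertion
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	cred, _ := auth.Register("nas.example")
	// Real site: the page origin matches the rpID the passkey was registered for.
	a, err := auth.GetAssertion("https://nas.example", "nas.example", "challenge-1")
	fmt.Println("real site:", err, "| verify:", Verify(cred, "https://nas.example", "challenge-1", a))
	// Phishing site: no key exists for its domain, and it may not ask for nas.example's.
	_, err = auth.GetAssertion("https://nas-example.evil", "nas-example.evil", "challenge-2")
	fmt.Println("phish, own domain:", err)
	_, err = auth.GetAssertion("https://nas-example.evil", "nas.example", "challenge-2")
	fmt.Println("phish, spoofed rpID:", err)
}
```

The phishing page never gets a signature at all: the authenticator only looks up keys by rpID, and the browser derives the permitted rpID from the origin it is actually on, so a spoofed rpID is refused before any key is touched. A signature captured from a real session is no use either, since the server's challenge is single-use and the origin is baked into the signed bytes.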
I think this is hands down your best video yet! Thank you for putting this together!
Thank you very much!
Ironic you just released this. I just passkey'd everything related to my Synologys and other accounts. And it's beautiful.
They're awesome! Hard to go back once you start using them.
Outstanding video Frank. Well explained as usual. Love my Yubikeys. Can’t imagine not using them.
Thank you, Tony. I was always somewhat paranoid about switching to YubiKeys because I was afraid of losing them, but after implementing them, I agree - I can't imagine going back to using an authenticator app! Especially with PassKeys!
This is great!! Would be fantastic to have a video from you on pfSense, OPNsense or OpenWrt - love the way you explain things, and networking is not the most straightforward thing. Maybe, to bring the concepts and techniques to life, use the setup you put together with the N100 mini PC with Proxmox and Docker, feeding from the Synology NAS.
Super excellent video and it is so important these days! I loved the explanations as always; you were able to take a fairly complex topic and bring it down to earth!
Thanks, Avi! Appreciate you watching!
Synology routers are great!
If you block the IoT network from access to the LAN, how would you allow security cameras to store jpg and mp4 files on the LAN? (Currently my cameras use FTP.) And allow the smart TV to access movies on the LAN? Firewall rules?
Generally, a least permissive approach is best. If they're using FTP, you can limit access down with the firewall to that specific LAN device on the FTP port(s). Smart TVs are harder if you're looking to have things like casting working, but if it's just to play movies on the LAN with something like Plex, the same would be true.
I tried to keep the video "simple", but if I had a preference, all cameras would go on a camera VLAN which would make handling the first option easier.
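The "least permissive" rule set described in the reply above, written out as an added example (not the channel's configuration, and not pfSense or Synology rule syntax): a small first-match policy evaluator in Go that lets the cameras reach only the NAS FTP ports, lets the smart TV reach only Plex on the NAS, lets the LAN manage the IoT and camera VLANs, and drops everything else from those VLANs toward private address space while still letting them reach the internet. The addressing (LAN 192.168.10.0/24 with the NAS at .5, IoT VLAN 192.168.20.0/24 with the TV at .50, camera VLAN 192.168.30.0/24) and the FTP passive port range are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is the first packet of a new connection, as a stateful firewall sees it
// (return traffic for allowed connections is assumed to be permitted by state tracking).
type Packet struct {
	Src, Dst string
	Proto    string // "tcp" or "udp"
	DstPort  int
}

// Rule matches on source/destination networks, protocol and an inclusive port range.
// An empty Proto or a zero port range means "any".
type Rule struct {
	Name  string
	Src   []*net.IPNet
	Dst   []*net.IPNet
	Proto string
	Ports [2]int
	Allow bool
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func nets(n ...*net.IPNet) []*net.IPNet { return n }

// Assumed addressing: LAN 192.168.10.0/24 with the NAS at .5, IoT VLAN 192.168.20.0/24
// with the smart TV at .50, camera VLAN 192.168.30.0/24.
var (
	lan, iot, cameras = cidr("192.168.10.0/24"), cidr("192.168.20.0/24"), cidr("192.168.30.0/24")
	nas, tv           = cidr("192.168.10.5/32"), cidr("192.168.20.50/32")
	anywhere          = cidr("0.0.0.0/0")
	// Block all RFC 1918 space, not just the LAN /24; otherwise a VLAN added later
	// is reachable from IoT by default.
	private = nets(cidr("10.0.0.0/8"), cidr("172.16.0.0/12"), cidr("192.168.0.0/16"))
)

// Policy is evaluated top down, first match wins, and unmatched traffic is dropped.
// The narrow allows sit above the broad deny; that ordering is the least-permissive part.
var Policy = []Rule{
	{"cameras -> NAS FTP control", nets(cameras), nets(nas), "tcp", [2]int{21, 21}, true},
	// Passive FTP opens a second, server-chosen data connection; this range is assumed to
	// match what the NAS FTP service is configured to use. SFTP would collapse both rules into port 22.
	{"cameras -> NAS FTP passive data", nets(cameras), nets(nas), "tcp", [2]int{55536, 55663}, true},
	{"smart TV -> NAS Plex", nets(tv), nets(nas), "tcp", [2]int{32400, 32400}, true},
	{"LAN -> IoT and cameras (manage devices)", nets(lan), nets(iot, cameras), "", [2]int{}, true},
	{"IoT and cameras -> any private address: deny", nets(iot, cameras), private, "", [2]int{}, false},
	{"IoT and cameras -> internet", nets(iot, cameras), nets(anywhere), "", [2]int{}, true},
}

func inAny(set []*net.IPNet, ip net.IP) bool {
	for _, n := range set {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func (r Rule) matches(p Packet) bool {
	src, dst := net.ParseIP(p.Src), net.ParseIP(p.Dst)
	if src == nil || dst == nil || !inAny(r.Src, src) || !inAny(r.Dst, dst) {
		return false
	}
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.Ports != [2]int{} && (p.DstPort < r.Ports[0] || p.DstPort > r.Ports[1]) {
		return false
	}
	return true
}

// Evaluate returns the verdict and the rule that produced it ("default deny" if none matched).
func Evaluate(p Packet) (bool, string) {
	for _, r := range Policy {
		if r.matches(p) {
			return r.Allow, r.Name
		}
	}
	return false, "default deny"
}

func main() {
	// Constructed sample connections, not captured traffic.
	for _, p := range []Packet{
		{"192.168.30.7", "192.168.10.5", "tcp", 21},     // camera uploads to the NAS
		{"192.168.30.7", "192.168.10.20", "tcp", 21},    // camera probes another LAN host
		{"192.168.20.50", "192.168.10.5", "tcp", 32400}, // TV streams from Plex
		{"192.168.20.50", "192.168.10.5", "tcp", 5000},  // TV pokes the DSM port
		{"192.168.20.9", "10.0.0.5", "tcp", 80},         // IoT bulb reaches another private range
		{"192.168.20.9", "203.0.113.10", "tcp", 443},    // IoT bulb phones home
	} {
		ok, why := Evaluate(p)
		fmt.Printf("%-14s -> %-14s %s/%-5d allow=%-5v (%s)\n", p.Src, p.Dst, p.Proto, p.DstPort, ok, why)
	}
}
```

Two things the model makes visible that are easy to get wrong in a real firewall: the deny rule has to cover every private range, not just the LAN subnet, and FTP needs the passive data range as well as port 21 or uploads stall after login. Plain FTP also sends the camera's credentials in the clear across the VLAN boundary, which is one more reason to keep that rule pinned to a single destination host.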
@WunderTechTutorials Thanks as always Frank.
As added security, which cloud storage would you use for backup (syncing)? There are so many, Google, Onedrive, iDrive, Box, Dropbox, C2 ... etc etc etc. Have you done a video comparing cloud storage for Synology?
I compared Backblaze and C2 (here is the link: ua-cam.com/video/HrNEMfkgWWk/v-deo.html), but I'd go with the cheapest option and use encryption. This is assuming you don't want to access the data on that cloud location and just want the data being synced, but for a true backup, I'd use Hyper Backup + Backblaze B2 for shared folders, and Hyper Backup + C2 for the "entire NAS" option (for block-level deduplication as explained in the video above).
If you're security conscious, you have the option of encrypting your off site backups.
Have you done anything with segregation using the NAS LAN ports? i.e. a 4-port NAS: management on port 1, media on ports 2/3, cameras on port 4?
No, I haven't. I tend to do everything with VLANs on my network.
Great Video..... Thanks
Good stuff thanks
I was wondering what your video would look like if you bumped up the front lighting just a tad, each of the two soft boxes to either side of you. Seems a little underexposed, but perhaps not, I dunno. Just curious.
You're probably right! I know very little about A/V, but I keep them fairly low because I kept blinking from being blinded when they were higher 😂. I'll try and increase them a little - thanks for the suggestion!
@WunderTechTutorials I love your props, LED lighting and audio. The quality of the light from the front looks good too.
@jenniferw8963 Thank you very much!
Question. I've been wanting to VLAN my network so I can separate IoT and LAN. I understand this will create a separate SSID and that's fine. But say I need to connect to my Nest thermostat on my phone: do I need to connect to the IoT SSID to control it, or can I just stay connected to my normal SSID and be able to control it? Thanks
Normally, devices like that connect to a cloud service and then you connect to the cloud service, not directly to the device. I don't own a Nest, but I assume it's the same way, so the IoT network would allow internet access, and no matter what network you're on, you'd still be able to access it.
Before I stopped port forwarding my NAS with externally accessible ports, it was scanned like crazy by bots on the internet. At first I put it behind a pfSense firewall and would only allow traffic coming from a Dynamic DNS domain's IP address to access the open ports of the NAS, by using Dynamic DNS on the NAS and then specifying in the firewall rules that only incoming traffic from the IP address associated with this domain was allowed. But later I ended up setting up Tailscale, and now I don't need to worry because all the ports are only open on the VPN tunnel. This way the NAS isn't exposed to the public internet, only to the VPN tunnel, which is only my trusted devices. I still keep the firewall turned on on my NAS just in case there is some other undiscovered vulnerability, and I also keep other things turned on, like 2FA for the logins and the feature that locks out an IP address after so many failed login attempts. Just for increased security.
Instead of buying a router for VLAN I could buy a switch and configure the VLAN that way. What are the advantages and disadvantages? In terms of security and price?
You would have to buy a layer-3 switch to do that, and access is generally (in my experience) controlled through access control lists (ACLs) as opposed to firewall rules. IMO, firewall rules are easier to work with and firewall devices are designed to be security appliances so I generally default to that, but technically, you can use a layer-3 switch.
I've had my NAS for over two years and have been trying to secure it using OpenVPN for my phone. It works with only one exception: I have to forward my NAS DSM ports in the router. Otherwise, I can't access anything. It's obvious I'm missing something but can't figure out what! I'm using a DDNS address in my apps.
That's your problem - you shouldn't be using the DDNS address in the apps. You need to use the local IP of the NAS, then connect to the VPN to access the services through the local IP. I'd get rid of the NAS port forwarding ASAP.
@WunderTechTutorials Beyond my skill level, thank you though. Maybe in a future tutorial.
In the application where you typed in the DDNS hostname, you'd type in the local IP of the NAS instead.
If I do, it doesn't connect. Screwed up somewhere.
OK, so I have the RT2600ac... if I'm gonna upgrade, what would be better? The Synology RT6600ax or the UniFi Dream Machine Pro?
A UDM Pro will be a lot more powerful than the RT6600ax from a software perspective. There's simply more that you can do on them, there are more online resources to follow, and it's more of a "fully featured" firewall than Synology offers. Just keep in mind that a UDM Pro requires an access point for WiFi, so if you want an "all-in-one" solution, look at a UniFi Cloud Gateway Max, Express, or Dream Router, but out of those three options, the Gateway Max is probably the "best".
The RT2600AC is fine. Ubiquiti is much harder to understand and the only support is on the forum, where you will get 🔥 for asking a "beginner" question 🫣
@WunderTechTutorials I've taken the plunge... got a Gateway Max 😅
So dark. How about another light in your room?
I'll see what I can do.
Nah, darkness is your friend. Don't change anything :)
Simple solutions: don't expose your NAS to the internet. Set the firewall on your NAS to only talk to certain internal IP addresses.
I have Synology due to its remote access capabilities, so "don't expose it to the Internet" is not advice that most people are looking for.
@JackupTraining What? All NAS devices can be exposed to the internet. Synology is not unique.
@BenState No, it's not. Might be Synology or whatever. But in most cases a NAS is used to access your files remotely. For example, I use Synology Drive, so it must be accessible remotely. I also use another NAS for off-site backup, which also must be remotely accessible. Many other use cases require it to be connected to the Internet...
@JackupTraining Many other use cases. Sure. But there is also that little use case of LAN storage of files. The primary use case. Not everyone is you and you're making assumptions based on what you do. So for those that aren't you and don't need an internet-facing NAS, not exposing it to the internet is the most secure way of dealing with this. Facts.
Also, Synology Drive is a known security risk that is not used by anyone serious.
@BenState Dude, unplugging the router is even more secure - fact! 😂 😂 😂
But that's not the point of this video.
Also, your use case is not everyone's use case, so your advice is useless for people watching this video, since the point is to protect a NAS which is remotely accessible.
Synology works as a VPN server, remote backup, office suite, notes, photos, media player, etc. - all services that people use remotely. If you don't, you might as well run a network share on another PC connected to your LAN. Why buy a Synology NAS then?
Anyways, watch the video and try to understand its purpose.