Asus firewall delays connections from outside?

[protoncek]

I have somewhat strange issue: my router is RT-AX88U pro. I also have Synology NAS and running reverse proxy there, so port 443 is forwarded to synology internal IP. This way i access my "stuff": Home Assistant, synology portal, cameras etc. I experience occasional delayed first access ( 5+ seconds) , but i narrowed it down to the fact that it only happens if asus firewall is turned on. If i turn it off access is immediate. As said, this delay happens only at first access after a while. When first page opens after this delay all runs smoothly afterwards.
What's even worse: this doesn't happen all the time, only every now and then. But when it does it can happen that i must refresh site even two or three times before i get access.

Does this makes any sense at all? And, how "unsafe" it is to have this firewall turned off? I have AdGuard Home running on my Asus, too, but that's not the problem (at least it doesn't seem to).
Oh, i should also mention that i also have firewall turned on in Synology, but honestly i didn't try to turn it off, because all works if i turn off asus one... is having two firewalls turned on be a problem?

 

[ColinTaylor]

Do NOT turn off the Asus' firewall. You would be exposing the router to everyone on the internet.

 

[protoncek]

Yeah well... that's why i'm wondering what to do instead of this...

 

[bbunge]

Yeah well... that's why i'm wondering what to do instead of this...

Use a VPN to connect to the NAS instead of port forwarding. Your router has several VPN servers you can enable. You also do not need a firewall on the NAS inside your LAN.

 

[protoncek]

I do have vpn (two actually, openvpn and wireguard) and i use it for router access, admin Ha management etc... but for "common users" it's not an option. Others ( sister, niece, nephews... ) are using ha, too, and it's difficult to use vpn there. I tried, but it happened that my internet went down and consequently my niece was suddenly without phone internet, since she didn't know how to turn it off...
On the other hand, i'd like to find the cause of the problem, not use a "workaround". I can't find any asus's firewall settings... where are any kind of default white and blacklists...?

 

[ColinTaylor]

On the other hand, i'd like to find the cause of the problem, not use a "workaround". I can't find any asus's firewall settings... where are any kind of default white and blacklists...?

There aren't really any firewall black/white lists that you could edit. By default (with the firewall on) all outgoing traffic is allowed and all unsolicited incoming traffic is blocked. But that block is only for traffic destined for the router itself, not for anything on your LAN (like your NAS).

When you forward port 443 from the router to your NAS (WAN - Virtual Server / Port Forwarding) the router's firewall doesn't do anything other than forward the traffic. You say that even when the firewall is enabled the problem is intermittent, so I suspect that's also the case with the firewall off but you haven't run it like that for long enough to notice the same behaviour? So I suspect this is a NAS problem rather than a router problem.

Can you confirm my assumption that you have manually configured port forwarding on the router and disabled UPnP on the NAS?

Is it possible the random delay in first access is down to the NAS being in power save mode, or the HDDs having spun down or unmounted?

I've come across situations where an initial connection delay was caused by the server being unable to do a reverse DNS lookup on the IP address of the connecting client.

 

[protoncek]

Many thanks for explanation and your time!

- Yes, it could be that i didn't have firewall off for long enough to see if NAS is the problem or not. I didn't want to leave firewall off for too long, like overnight, or for a week.
- Yes, i have manually port forwarded ( in asus wan section) to local IP of NAS. Apart that i also have port forwarding for my alarm system and video NVR - it seems that these two doesn't work via syno's everse proxy, so i've had to enter those, too.
- uPnP: hm... i have upnp turned on on my Asus. Now i turned it off (is that ok - recommended?) and on my syno under "router configuration" only one entry was there - for quickconnect, but i removed it, so uPnP is now off on NAS, too.
- NAS is always on, no power save mode, but since it's model 920+ it has two SSD's as cache and 4 HDD's for storage, so even if HDD's would stop nas is still working, because it's working with SSD's.

You got me thinking... i'll explore in synology direction some more. One of checks (a bit risky though) would be to temporarily forward 443 port directly to home assistant. That way i'd bypass syno and access HA directly to see if delays are still happening.

 

[ColinTaylor]

Thanks for the update.

- uPnP: hm... i have upnp turned on on my Asus. Now i turned it off (is that ok - recommended?) and on my syno under "router configuration" only one entry was there - for quickconnect, but i removed it, so uPnP is now off on NAS, too.

It should normally be OK to leave UPnP enabled on the router. My concern was that the NAS might being trying to forward the ports to itself via UPnP and then conflicting with what you manually set on the router. But that doesn't seem to be the case.

If in doubt you can always log into the router and go to System Log - Port Forwarding. There you can see different lists for manual port forwards and UPnP.

 

[protoncek]

System Log - Port Forwarding.

Even after re-enabling asus uPnP this log has only forwards i entered manually, so that part is ok. I'll monitor synology more closely for next days.
Thanks!