Asus firewall delays connections from outside?

protoncek

Regular Contributor
I have a somewhat strange issue: my router is an RT-AX88U Pro. I also have a Synology NAS and run a reverse proxy there, so port 443 is forwarded to the Synology's internal IP. This way I access my "stuff": Home Assistant, Synology portal, cameras etc. I experience an occasional delayed first access (5+ seconds), but I narrowed it down to the fact that it only happens if the Asus firewall is turned on. If I turn it off, access is immediate. As said, this delay happens only at the first access after a while. When the first page opens after this delay, all runs smoothly afterwards.
What's even worse: this doesn't happen all the time, only every now and then. But when it does, it can happen that I must refresh the site even two or three times before I get access.

Does this make any sense at all? And how "unsafe" is it to have this firewall turned off? I have AdGuard Home running on my Asus, too, but that's not the problem (at least it doesn't seem to be).
Oh, I should also mention that I also have the firewall turned on in Synology, but honestly I didn't try to turn it off, because all works if I turn off the Asus one... Is having two firewalls turned on a problem?
 
Yeah well... that's why I'm wondering what to do instead of this...
Use a VPN to connect to the NAS instead of port forwarding. Your router has several VPN servers you can enable. You also do not need a firewall on the NAS inside your LAN.
 
I do have VPN (two actually, OpenVPN and WireGuard) and I use it for router access, admin HA management etc... but for "common users" it's not an option. Others (sister, niece, nephews...) are using HA, too, and it's difficult to use VPN there. I tried, but it happened that my internet went down and consequently my niece was suddenly without phone internet, since she didn't know how to turn it off...
On the other hand, I'd like to find the cause of the problem, not use a "workaround". I can't find any Asus firewall settings... where are any kind of default white and blacklists...?
 
On the other hand, I'd like to find the cause of the problem, not use a "workaround". I can't find any Asus firewall settings... where are any kind of default white and blacklists...?
There aren't really any firewall black/white lists that you could edit. By default (with the firewall on) all outgoing traffic is allowed and all unsolicited incoming traffic is blocked. But that block is only for traffic destined for the router itself, not for anything on your LAN (like your NAS).

When you forward port 443 from the router to your NAS (WAN - Virtual Server / Port Forwarding) the router's firewall doesn't do anything other than forward the traffic. You say that even when the firewall is enabled the problem is intermittent, so I suspect that's also the case with the firewall off, but you haven't run it like that for long enough to notice the same behaviour? So I suspect this is a NAS problem rather than a router problem.

Can you confirm my assumption that you have manually configured port forwarding on the router and disabled UPnP on the NAS?

Is it possible the random delay in first access is down to the NAS being in power save mode, or the HDDs having spun down or unmounted?

I've come across situations where an initial connection delay was caused by the server being unable to do a reverse DNS lookup on the IP address of the connecting client.
 
Many thanks for the explanation and your time!

- Yes, it could be that I didn't have the firewall off for long enough to see if the NAS is the problem or not. I didn't want to leave the firewall off for too long, like overnight, or for a week.
- Yes, I have manually port forwarded (in the Asus WAN section) to the local IP of the NAS. Apart from that I also have port forwarding for my alarm system and video NVR - it seems that these two don't work via Syno's reverse proxy, so I've had to enter those, too.
- UPnP: hm... I have UPnP turned on on my Asus. Now I turned it off (is that ok - recommended?) and on my Syno under "router configuration" only one entry was there - for QuickConnect, but I removed it, so UPnP is now off on the NAS, too.
- The NAS is always on, no power save mode, but since it's a model 920+ it has two SSDs as cache and 4 HDDs for storage, so even if the HDDs would stop the NAS is still working, because it's working with the SSDs.

You got me thinking... I'll explore in the Synology direction some more. One of the checks (a bit risky though) would be to temporarily forward port 443 directly to Home Assistant. That way I'd bypass Syno and access HA directly to see if delays are still happening.
 
Thanks for the update.

- UPnP: hm... I have UPnP turned on on my Asus. Now I turned it off (is that ok - recommended?) and on my Syno under "router configuration" only one entry was there - for QuickConnect, but I removed it, so UPnP is now off on the NAS, too.
It should normally be OK to leave UPnP enabled on the router. My concern was that the NAS might be trying to forward the ports to itself via UPnP and then conflicting with what you manually set on the router. But that doesn't seem to be the case.

If in doubt you can always log into the router and go to System Log - Port Forwarding. There you can see different lists for manual port forwards and UPnP.
 
Now it's happening... I turned on the log for "dropped only" in the firewall and this is the result:
Apr 2 17:59:27 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=51260 DF PROTO=TCP SPT=7626 DPT=37777 SEQ=378750847 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34650430000000001030302) MARK=0x8000000
Apr 2 17:59:28 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=8047 DF PROTO=TCP SPT=2065 DPT=37777 SEQ=1871047421 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34655C90000000001030302) MARK=0x8000000
Apr 2 17:59:28 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=9464 DF PROTO=TCP SPT=7437 DPT=37777 SEQ=3913887011 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34655C90000000001030302) MARK=0x8000000
Apr 2 17:59:28 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=51736 DF PROTO=TCP SPT=3017 DPT=37777 SEQ=2555336141 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34655E40000000001030302) MARK=0x8000000
Apr 2 17:59:29 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=9465 DF PROTO=TCP SPT=7437 DPT=37777 SEQ=3913887011 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34659BF0000000001030302) MARK=0x8000000
Apr 2 17:59:29 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=51737 DF PROTO=TCP SPT=3017 DPT=37777 SEQ=2555336141 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34659E10000000001030302) MARK=0x8000000
Apr 2 17:59:30 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=9466 DF PROTO=TCP SPT=7437 DPT=37777 SEQ=3913887011 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA3465DBF0000000001030302) MARK=0x8000000
Apr 2 17:59:31 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=51738 DF PROTO=TCP SPT=3017 DPT=37777 SEQ=2555336141 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA3465DE00000000001030302) MARK=0x8000000

SRC IP is the IP of my phone and DST is the IP of the Synology. So, the firewall DOES block these connections...?
 
I can't edit my post.... this was trying to access my cameras, not Home Assistant, thus port 37777 (NVR port).
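To make sense of a "dropped only" extract like the one above, it helps to group the DROP lines per flow and look at the TCP sequence numbers: a SYN that appears again with the same source port and the same SEQ is a client retransmission, meaning the first SYN was dropped and never answered, which matches a rate-limiting rule rather than an ordinary "unsolicited inbound" block. The following is an added example written for this thread, not code from the forum, Asus or Synology; the sample log text is the extract quoted above, the function names and the 192.168.0.0/22 LAN assumption (the poster's /22 mask) are mine.

```python
"""Parse Linux netfilter DROP log lines and flag dropped SYN retransmissions.

Added example for this thread (not vendor code). The log format is the one
quoted in the thread; the grouping/retransmission logic is an assumption of
how a defender would triage such an extract.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: the eight DROP lines quoted in the thread (one phone,
# one NVR port; several SYNs repeat with an identical SEQ number).
SAMPLE_LOG = """\
Apr 2 17:59:27 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=51260 DF PROTO=TCP SPT=7626 DPT=37777 SEQ=378750847 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34650430000000001030302) MARK=0x8000000
Apr 2 17:59:28 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=8047 DF PROTO=TCP SPT=2065 DPT=37777 SEQ=1871047421 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34655C90000000001030302) MARK=0x8000000
Apr 2 17:59:28 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=9464 DF PROTO=TCP SPT=7437 DPT=37777 SEQ=3913887011 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34655C90000000001030302) MARK=0x8000000
Apr 2 17:59:28 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=51736 DF PROTO=TCP SPT=3017 DPT=37777 SEQ=2555336141 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34655E40000000001030302) MARK=0x8000000
Apr 2 17:59:29 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=9465 DF PROTO=TCP SPT=7437 DPT=37777 SEQ=3913887011 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34659BF0000000001030302) MARK=0x8000000
Apr 2 17:59:29 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=51737 DF PROTO=TCP SPT=3017 DPT=37777 SEQ=2555336141 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA34659E10000000001030302) MARK=0x8000000
Apr 2 17:59:30 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=9466 DF PROTO=TCP SPT=7437 DPT=37777 SEQ=3913887011 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA3465DBF0000000001030302) MARK=0x8000000
Apr 2 17:59:31 kernel: DROP IN=ppp0 OUT=br0 MAC= SRC=178.58.160.124 DST=192.168.0.240 LEN=60 TOS=0x18 PREC=0x20 TTL=59 ID=51738 DF PROTO=TCP SPT=3017 DPT=37777 SEQ=2555336141 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405780402080AA3465DE00000000001030302) MARK=0x8000000
"""

KV_RE = re.compile(r"(\w+)=(\S*)")          # KEY=value tokens (MAC= may be empty)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens; "ACK=0" is the ack number


def parse_drop_line(line):
    """Return a dict for one netfilter DROP line, or None for any other line."""
    if " DROP " not in line:
        return None
    fields = dict(KV_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    try:
        return {
            "time": " ".join(line.split()[:3]),     # "Apr 2 17:59:27"
            "in": fields.get("IN", ""),
            "out": fields.get("OUT", ""),
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields.get("PROTO", ""),
            "spt": int(fields.get("SPT", 0)),
            "dpt": int(fields.get("DPT", 0)),
            "seq": int(fields.get("SEQ", 0)),
            "flags": flags,
        }
    except (KeyError, ValueError):
        return None


def in_network(addr, network):
    """True if addr lies inside network, e.g. the thread's 192.168.0.0/22."""
    return ip_address(addr) in ip_network(network, strict=False)


def summarize_drops(log_text, lan="192.168.0.0/22"):
    """Group DROP lines by (src, dst, dpt); count SYNs and SYN retransmissions.

    A retransmission is a pure SYN whose (spt, seq) pair was already dropped:
    the client resent it because the first one got no reply.
    """
    groups = defaultdict(lambda: {"drops": 0, "syns": 0, "syn_retransmits": 0,
                                  "first": None, "last": None, "dst_in_lan": False})
    seen = defaultdict(Counter)
    for raw in log_text.splitlines():
        rec = parse_drop_line(raw)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["dpt"])
        g = groups[key]
        g["drops"] += 1
        g["first"] = g["first"] or rec["time"]
        g["last"] = rec["time"]
        g["dst_in_lan"] = in_network(rec["dst"], lan)   # DST on LAN => a forwarded flow
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            g["syns"] += 1
            attempt = (rec["spt"], rec["seq"])
            if seen[key][attempt]:
                g["syn_retransmits"] += 1
            seen[key][attempt] += 1
    return dict(groups)


def explain(summary):
    """One defender-oriented verdict line per flow."""
    out = []
    for (src, dst, dpt), g in summary.items():
        note = "forwarded flow (DST on LAN)" if g["dst_in_lan"] else "traffic to the router itself"
        if g["syn_retransmits"]:
            note += f"; {g['syn_retransmits']} SYN retransmits dropped, consistent with rate limiting"
        out.append(f"{src} -> {dst}:{dpt} drops={g['drops']} {g['first']}..{g['last']} {note}")
    return out


if __name__ == "__main__":
    for line in explain(summarize_drops(SAMPLE_LOG)):
        print(line)
```

On the thread's extract this reports a single flow, phone to NVR port 37777, with eight drops of which four are retransmitted SYNs, and a destination inside the LAN, i.e. traffic the router was configured to forward. That combination (drops on a forwarded flow, bursts of identical SYNs) is the signature to look for before suspecting the NAS or the reverse proxy, and it lines up with the DoS-protection finding later in the thread.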
 
sure:
[attached image]
 
Ah... I just noticed a "temporary" entry in my port forwarding table: normally 8123 is not there, I just put it there to test the direct HA connection, and it works perfectly...
 
Your destination address looks wrong to me. But that might just be the way PPPoE works. On my router the destination address is my router's WAN IP address, not a LAN address (e.g. 192.168.0.240) and the OUT= interface is blank rather than br0.

It's very strange though. It's behaving like it's completely ignoring the port forwarding rule.

Ah... I just noticed a "temporary" entry in my port forwarding table: normally 8123 is not there, I just put it there to test the direct HA connection, and it works perfectly...
Are you saying that port 8123 works but port 37777 doesn't? Those two devices appear to be on different subnets. Perhaps that's the problem.
 
I hope I'll know how to explain my situation (it could be wrong, sure, I'm not a huge expert in networking...)
First, I have internal network mask 22, so my IP range is from 192.168.0.1 to 192.168.3.255.

Regarding port 37777: that's for cameras. The internal IP of the NVR is 0.240 and the Dahua Android app requires port 37777 (and 37778 for UDP) forwarded to be able to access the cameras. So for the Dahua app I only need to enter my main DNS address and I must have port 37777 forwarded to 0.240.

Home Assistant works differently (no port forwarding here): for this I have just my main port forwarding to Synology: ext 443 to int. 443 and the IP of the Synology (0.100). Synology then has a reverse proxy set up by pointing "https://home.mydomain.com" to the local HA IP (2.10) and port 8123 (the default HA port).

For testing purposes I entered this direct port forwarding, so that I can access my Home Assistant via "https://mydomain.com:8123".
Are you saying that port 8123 works but port 37777 doesn't? Those two devices appear to be on different subnets. Perhaps that's the problem.
As said, my mask is 22, so they should be in the same subnet. Also, when it happens it happens either on the cameras or on HA (randomly). But something weird is set up in my network, that's for sure. The direct link via port 8123 also doesn't work (connection not secure...)
 
Thanks for the clarification on the netmask.

If there's a lot of traffic hitting port 37777 it's possible that the router thinks it's a DoS attack and rate limiting the packets. Check whether "Enable DoS protection" is enabled on the Firewall - General page and if it is turn it off.
 
IF you will know.... I'm just wondering... my sequence is the following:
- in the router I have port 443 forwarded to the Synology local IP and port 443 - that part is, I assume, correct, but what I wonder is this:
- in Synology's reverse proxy manager I have entered reverse proxy external port 443 and my main domain to internal port 443 and Syno's local IP --> is that double forwarding, and is a loop caused? (honestly I don't know why that is... I guess old leftovers from testing...)

and, yes, I do have DoS protection enabled, I'll turn it off
 
IF you will know.... I'm just wondering... my sequence is the following:
- in the router I have port 443 forwarded to the Synology local IP and port 443 - that part is, I assume, correct, but what I wonder is this:
- in Synology's reverse proxy manager I have entered reverse proxy external port 443 and my main domain to internal port 443 and Syno's local IP --> is that double forwarding, and is a loop caused?
Sorry, I'm not familiar with Synology kit and only know the basics of setting up reverse proxies. Perhaps if you posted a screenshot of your proxy settings someone more knowledgeable will chime in.

and, yes, I do have DoS protection enabled, I'll turn it off
Let us know how you get on.
 
Let us know how you get on.
First tests are promising: with DoS protection off the first loading appears way faster, cameras now load almost instantly, HA also. The moment I re-enable DoS protection they are slow again. Let's wait a day and hope for the best. But if DoS protection is the culprit... I guess it's THE ONLY THING I didn't change... stupid me...
Regarding the reverse proxy, it must be that I played with it these days trying everything and more to find the problem... but it's not the culprit.

I can't thank you enough for your help! As said, I'm not a pro in networking; generally I know how to set things up or find what's necessary on Google, but these things do stop me...
 