Port forwarding problems with Merlin firmware

[Frankecito]

I have been struggling the last couple of days to get port forwarding to work with the Merlin firmware on the Asus RT-AC68U. I am trying to access the Synology NAS from the outside network and I can only get the router to forward ports for a very short period of time.
I have narrowed the problem down that it looks like it has something to do with the UPNP setting.

Router: Asus RT-AC68U
Current firmware: 380.58
NAT hardware acceleration: off
DMZ: off

Now I have set up the DDNS service from asus so I can easily access my (dynamic) IP from the outside. I have made the forwarding rules in the router (port 5000 for DSM and 873 & 22 for Backup).

And now for the strange part. Whenever I toggle upnp (so on->off or off->on) port forwarding works for around maximum 10 seconds and then it stops working again. The behavior is exactly the same turning upnp on and turning it off.

I already tried putting the NAS temporarily in the DMZ, but also to no avail (same behavior as with port forwarding).

I am a little bit at a loss of where else I can look, but any suggestion is welcome. Please let me know if you need more information.

 

[octopus]

What config do you have on: WAN - Virtual Server / Port Forwarding?
What do you have on: System Log => System Log - Port Forwarding?
Did you get your NAS static ipnumber?
@Frankecito

 

[Frankecito]

Octopus,

See settings & log below:
NAS IP is static

 

[octopus]

Try to remove "Local port" and only use "Port rangne" on 192.168.0.33
@Frankecito

 

[mattiL]

I think I remember the Synology having a feature of setting up the port forwarding for you in your router, mine did at least.

 

[Frankecito]

@octopus Removing the "local port" doesnt fix the issue. It still only works after toggling the upnp functionality.

@mattiL Going through the Synology it did not want to connect/find the router, so I ended up changing the settings manually

 

[octopus]

@octopus Removing the "local port" doesnt fix the issue. It still only works after toggling the upnp functionality.
@mattiL Going through the Synology it did not want to connect/find the router, so I ended up changing the settings manually

Okey, port forwarding only works if listener port is active other way it's closed.
Under Tools => Tools - System Information => Network => Link State, can you see your NAS is active?
@Frankecito

 

[Frankecito]

We might be on to something,

As you can see in my earlier post the MAC for the NAS is 00:11:32:xxxxxxx

Now because of the wiring here in my building the router is in a central location and than the wall socket (LAN 1) has a unmanaged switch connected to it that has the NAS and a long cable to another unmanaged switch. The final switch has the computer (which you can see under "Regouin-PC"), the media player and the receiver.
LAN 2 only connects to the music in the living room and LAN 3 connects to the VOIP phone.

Should my NAS be the "last device seen" or not necessarily?

 

[octopus]

I should try to put NAS directly to a LAN-port and see if that change anything.
@Frankecito

 

[uwish]

I have over 25 ports forwarded on a unique DNS on my router. Never had an issue.

 

[Frankecito]

@octopus Nah, that doesnt change anything. Still only works after toggling upnp

Any change that updating the firmware might help?

 

[RMerlin]

Make sure it's not some security feature on the Synology disabling services due to numerous failed access coming from the Internet.

Disable the Synology's UPnP support if you are manually forwarding ports, to prevent conflicts.

Make sure you do your test from outside the network. Tests done from inside have to go through the NAT loopback, which can introduce its own issues.

 

[Frankecito]

@RMerlin The Synology blocks an IP after 3 false attempts, however if I toggle the upnp feature in the asus I can login normally in the short time period after that, so that does not seem to be the problem. By disabling the upnp support I assume you are referring to the automatic router settings from the Synology correct? I tried that as well, but then disabled it since it was not working.
All tests I am doing on my phone over 4G so coming for outside the network. Funny enough, trying the external URL from within my own network does resolve to the NAS.

Any suggestions?

 

[RMerlin]

@RMerlin The Synology blocks an IP after 3 false attempts, however if I toggle the upnp feature in the asus I can login normally in the short time period after that, so that does not seem to be the problem. By disabling the upnp support I assume you are referring to the automatic router settings from the Synology correct? I tried that as well, but then disabled it since it was not working.
All tests I am doing on my phone over 4G so coming for outside the network. Funny enough, trying the external URL from within my own network does resolve to the NAS.

Any suggestions?

I can't think of any logical explanation that would explain why a forwarded port would quit working after 10 seconds, sorry.

 

[bayern1975]

Any suggestions?

i think you need firewall-start script and iptables rule for that.....i have same situation with my iptv over udpxy.....i can access from outside my network with firewall-start script and port forward (firmware 380.60 beta)....just port forward is not enough to access from outside....you can access only in your local, home network.....

 

[Frankecito]

Ok, after another couple of hours of breaking my head over this I finally found the culprit. The NAS was still set to use the VPN when using the internet, removing this rule from the VPN routing rules solved it. As always the answer was hiding in plain sight.
Thank you all for your support!