dns server are locally hosted at xxx.xxx.2.42 and 43
my I got a new NAS and i designated my old DS214play (running DSM 7.1.1-42962 Update 6) as a Mediaserver that gets to live in the IoT net:
changed the ip from xxx.xxx.2.50 to xxx.xxx.83.50
updated the gateway and subnet
added the vlan tag 83 on the network port
updated the firewall to allow all necessary ports from and to the default network (so I can stream plex to my notebooks etc.)
The Firewall on the NAS is not activated
Issue:
My NAS doesn’t accept any outside connections after moving it to the IoT subnet, neither from my default network nor the internet.
What I tried:
allowed full access between LAN and IoT subnet for the NAS.
tried it with another port -> same issue
connected another device to this port (and setup the same firewall rules) -> this one works fine.
checked the unifi firewall logs --> requests get sent from the nas and answers from the other device
checked logs of other devices (DNS, NetCat etc.) --> they receive the requests outside of the subnet, and return their anser but the NAS seems to block/ignore any incoming packages.
What I didn’t try:
setting the VLAN id under "Network Interface" > "LAN" > "Enable VLAN(802.1Q)" since, as far as I understand, the Unifi VLAN implementation terminates the VLAN tag at the port of the switch (and all other devices work without specifying it locally)
fully reset the NAS
I’m completely stuck how to solve the issue, so I have moved the NAS back to the default net, but some use cases are not working properly that way, so I’d really like to move it to the IoT subnet. Does anybody have (has?) any hints or knows of some obscure settings which need to be updated? I’d be really grateful for any pointers.
It’s normal for a switch to strip a vlan tag when it sends a packet out, so that the endpoint doesn’t have to support vlans. Don’t worry about that. As far as the endpoint is concerned, it’s just normal subnetting.
When it’s on the other vlan, can you even ping it? When you check the packet capture, can you see the ping and response? Where does it get dropped?
It’s normal for a switch to strip a vlan tag when it sends a packet out, so that the endpoint doesn’t have to support vlans. Don’t worry about that. As far as the endpoint is concerned, it’s just normal subnetting.
okay that’s what I thought
When it’s on the other vlan, can you even ping it? When you check the packet capture, can you see the ping and response? Where does it get dropped?
if I try to ping it it doesn’t answer, the unifi logs do show that the packages have been forwarded to the subnet. If I use netcat to open a port on the other device it receives the connection request, but the NAS doesn’t recognize it. Maybe I have to do some Wiresharking on a mirror port to see what exactly comes back, hoped I could get around it
Surely you want to enable 802.1q? Like, that is vlan aware switching and routing. Or is that on the nas?
Edit:
Some troubleshooting:
Connect a laptop into the same subnet as your Nas (so same vlan and IP range/subnet) and connect to the nas. This either eliminates the NAS or the router from the equation
I’m a bit hesitant to activate the tag in the DSM, as it states that it then needs a tagged counterpart to be reachable, and since all the other devices in this subnet aren’t tagged anymore (as the switch untags the vlan at the port)
Connect a laptop into the same subnet as your Nas (so same vlan and IP range/subnet) and connect to the nas. This either eliminates the NAS or the router from the equation
did that, the NAS is easily reachable from within the subnet it’s only a problem from another subnet
So if I understand this right you will need to change the network on the port attached to the synology in your UniFi configuration or set the vlan tag in the synology OS, I would do the former. It sounds like you just added a second network/vlan to the existing interface which means you actually created a trunk and are getting the old network untagged and the new network with vlan tags which the synology is dropping. Synology OS also doesn’t really support trunked ports through the UI (even though it does support a port that only uses a vlan tag) so it’s much easier to just leave them untagged.
So if I understand this right you will need to change the network on the port attached to the synology in your UniFi configuration or set the vlan tag in the synology OS, I would do the former.
doesn’t the switch terminate any VLAN tagging at the port? so if I add the VLAN to the DSM configuration it doesn’t receive any tagged packages and refuses them?
It sounds like you just added a second network/vlan to the existing interface which means you actually created a trunk and are getting the old network untagged and the new network with vlan tags which the synology is dropping.
with all the other devices in the IoT subnet it works with setting the VLAN on the port of the switch. If I check back on the unifi site, I found this:
'Applying a VLAN to a Switch Port
Native VLAN
The Native VLAN is the VLAN assigned to "untagged" traffic passing through a switch port. Devices physically connected to a switch port will be placed on this Native VLAN.
Tagged Networks and Trunk Ports
Ports can be configured to allow traffic from other networks. Allowing specific networks/VLANs is referred to as “tagging” them on the switch port. You can see all ports’ VLAN tags in the VLAN Viewer, found in the Ports tab.
Ports that have been tagged to allow traffic from multiple VLANs are referred to as “trunk” ports. By default, all ports on UniFi Switches are trunked to allow all VLANs. '
if I understand that in combination with your comment correctly: I set the native VLAN to 83 so everything tagged with 83 is correctly forwarded to the NAS and accepted there, stuff tagged with 1 are non native, the tag stays on and the NAS doesn’t accept it?
But that would make the Synology NAS quite hard to use in any corporate setting with multiple VLANs which need to interconnect
and why does it work the other way around? while being in the default net 1 it does accept stuff from VLAN 83
Synology OS also doesn’t really support trunked ports through the UI (even though it does support a port that only uses a vlan tag) so it’s much easier to just leave them untagged.
Did you change the native VLAN to IoT or just added the tag and left the native VLAN on the switch port set to default? You should be able to change the native VLAN and leave tagged VLANs as “allow all”.
My only other thought is how did you isolate the IoT network and are you able to access other devices from default to IoT?
Others have given you a good idea, but since you appear to be using Unifi for switch and firewall, o can give you a clear answer:
Don’t set vlan on the Synology. Set it as the “Native” VLAN on the switch port going to the Synology.
Synology can be vlan aware, but you don’t need it. Let the switch do the talking.
On the Synology I recommend putting it on DHCP while you test. Once it starts getting an IP in the right subnet, you can then switch it to static. Just make sure your gateway is right, putting it wrong will cause the device to not be able to reach outside its own subnet.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
selfh.st Newsletter and index of selfhosted software and apps
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
5 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.
[Thread #768 for this sub, first seen 28th May 2024, 08:15] [FAQ] [Full list] [Contact] [Source code]
It’s normal for a switch to strip a vlan tag when it sends a packet out, so that the endpoint doesn’t have to support vlans. Don’t worry about that. As far as the endpoint is concerned, it’s just normal subnetting.
When it’s on the other vlan, can you even ping it? When you check the packet capture, can you see the ping and response? Where does it get dropped?
okay that’s what I thought
if I try to ping it it doesn’t answer, the unifi logs do show that the packages have been forwarded to the subnet. If I use netcat to open a port on the other device it receives the connection request, but the NAS doesn’t recognize it. Maybe I have to do some Wiresharking on a mirror port to see what exactly comes back, hoped I could get around it
Surely you want to enable 802.1q? Like, that is vlan aware switching and routing. Or is that on the nas?
Edit:
Some troubleshooting:
Connect a laptop into the same subnet as your Nas (so same vlan and IP range/subnet) and connect to the nas. This either eliminates the NAS or the router from the equation
I’m a bit hesitant to activate the tag in the DSM, as it states that it then needs a tagged counterpart to be reachable, and since all the other devices in this subnet aren’t tagged anymore (as the switch untags the vlan at the port)
did that, the NAS is easily reachable from within the subnet it’s only a problem from another subnet
So if I understand this right you will need to change the network on the port attached to the synology in your UniFi configuration or set the vlan tag in the synology OS, I would do the former. It sounds like you just added a second network/vlan to the existing interface which means you actually created a trunk and are getting the old network untagged and the new network with vlan tags which the synology is dropping. Synology OS also doesn’t really support trunked ports through the UI (even though it does support a port that only uses a vlan tag) so it’s much easier to just leave them untagged.
doesn’t the switch terminate any VLAN tagging at the port? so if I add the VLAN to the DSM configuration it doesn’t receive any tagged packages and refuses them?
with all the other devices in the IoT subnet it works with setting the VLAN on the port of the switch. If I check back on the unifi site, I found this:
if I understand that in combination with your comment correctly: I set the native VLAN to
83so everything tagged with83is correctly forwarded to the NAS and accepted there, stuff tagged with1are non native, the tag stays on and the NAS doesn’t accept it?But that would make the Synology NAS quite hard to use in any corporate setting with multiple VLANs which need to interconnect and why does it work the other way around? while being in the default net
1it does accept stuff from VLAN83which would mean, I can’t put it in the IoT net?
Did you change the native VLAN to IoT or just added the tag and left the native VLAN on the switch port set to default? You should be able to change the native VLAN and leave tagged VLANs as “allow all”.
My only other thought is how did you isolate the IoT network and are you able to access other devices from default to IoT?
I changed the native vlan to ‘83’ and allowed all others
The isoöation is done with firewall rules blocking access from the IoT net to default, with some exceptions (dns, media nas (currently), etc.)
Others have given you a good idea, but since you appear to be using Unifi for switch and firewall, o can give you a clear answer: Don’t set vlan on the Synology. Set it as the “Native” VLAN on the switch port going to the Synology.
Synology can be vlan aware, but you don’t need it. Let the switch do the talking.
On the Synology I recommend putting it on DHCP while you test. Once it starts getting an IP in the right subnet, you can then switch it to static. Just make sure your gateway is right, putting it wrong will cause the device to not be able to reach outside its own subnet.
I’ll try that one thanks
Something like this happened to me. Change the static IP (configure your NAS to get its IP from DHCP) and fix the IP on the UniFi UI.
Worth a try, will try it when Im back home