NET

Posted on | In
Networks basics

Proxy

Reverse Proxy

  • to expose different services need open ports.
  • Is always using: 80 for HTTP & 443 for HTTPS - should be open » and use domain to for subdomains.
  • NAS > loigin portal > advanced
  • HSTS - enable header,
  • destination can be http

Reverse proxy with docker https://mindsers.blog/post/https-using-nginx-certbot-docker/

Network

  • Modem - establish dedicated connection. Comuter digital sygnal - from internet analog - modulate sygnal for Ethernet and Wifi,
  • Router - after modem

IP

> ip config

Link-local IPv6 Address . . . . . : fe80::5c06:b938:7e5a:8fa9%9
IPv4 Address. . . . . . . . . . . : 192.168.0.x   // lokalne ip urządzenia
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1   // powinien pokazywac na router
Subnet mask 255.255.255.0

Protocols

  Reliability Package transfer method Error detection Congestion control Acknowledgement Usage
TCP (Transmission Control Protocol) for P4 High / Slow in a sequence Y Y Y  
UDP (User Datagram Protocol) Lower / Faster in a stream N N checksum  

UPnP

Easy internet - Universal Plug and Play

DHCP

Assign compputer static ip adress automaticly from dhcp server on local network.

  • Set up in Network/Netowrk Interface/ RMB > Ipv4 or in the router
  • https://youtu.be/jtCoTuGuGL0

DDNS

Dynamic Domain Name Service. track external id by domain name if static ip not availabe. (services like: no-ip / dynu / Dyn)

  1. Alias provider
    • Set up for domain - Add A / AAAA - record to let google know
    • using DNSSEC
    • get user / pass credentials - Name Servers - - Google example
  2. Synology
    • LetsEncrypt - SSL (https) certificates (not self signed) allow to encription but can be spoofet if public and private key is known. - Router Configuration
    • port forrowarding settings
  3. Router Settings
    • Settings
    • IPv4 / v6 (tuneling) - (Ip / brama domyslna)
    • DHCP - router adress pool (pisze przy wtycznach do lanu) jak przydziela adresy IPv4.
    • UPnP - protocol (Universal Plug and Play ) Configure UPnP port forwarding - MUST BE ENABLE FOR SYNOLOGY - Port Forrowarding
    • Ustaw na routerze numery portów do przepuszczania.
    • Synology gateway ip adress of the router if not Network > general > Manualy configure network ports - Filtering
    • filtrowanie / block by MAC
    • filtrowanie portów i IP
    • zapora sieciowa
    • wyzwalanie portów - Gateway
    • Urządzenia musi wskazywać na ip routera

DNS

  • dynamic name server. Convert name to ip adress (DNS using port 53)
  • names instead of IP adresses: YT
  1. Resolution < if dont know where to go
    • enable
    • enable ffd
    • add ips for external dns servers
  2. Zones
    • ffd - maps name to ip
    • reverse - maps ip to name

DNS Encryption

Can encrypt dns:

  • DoH DNS OVER HTTPS - 443 port
    • fire fox have but better on router.
  • DoT > DNS over TLS > similar > but using 853 port

External access DDNS ???

Network Secure

Direct attack (by port or vonurability), indirect attack (smb share or other share). Levels of saftey: 0: No Acces / local access only. 2: VPN 3: Port Forrowarding. 4: Proxy…. (firewall?)

  • Recent version of the software updates.
  • 2fa - something they know and something they have. - good to use 2 account with 2 authy.
  • Separate admin account and disable default admin.
  • Keep encription on folders - easiest store in synology and have own copy OR: keys on flash drives.
  • Disable SSH - close if possible, easier to bruteforce pass rather throu dsm login portal. Shh have no 2fa.
  • Auto Block - login atempts in minutes, help with ssh & notification if someone is blocked.

.

  • quick connect relay - all data throu synology - risk for data
  • quickconnect - not throu relay but risk same
  • direct connection (DNAT) - destination network adress tanslation / port ffd - more cotroll but risk high by ip
  • synology reverse proxy - no more security
  • synology VPN - expose one service but risk lower - u need to be authenticated but still expose services
  • 3rd party ReverseProxy & WebAplicationFirewall - hard to configure - still expose to internet but way to block comment injection or sss atack
  • 3rd party on premise VPN - high security - on vpn and nas - 2 logins
  • 3rd party bastion - for administation stuff only

Certs

SSL

  • Secure Socket Layers with public key encription. Part of TlS ?
    1. get domain
    2. turn on ddns External Acces > DDNS > Add
    • domain name
    • user and pass to configurate:
      1. Open port 80:80 on router or by synology External Acces > Router Configuration setup.
      2. Security > Certificate
        • full domain name tahnt can be resolved into ip
        • adress
      3. Instal DNS Server
        • https://youtu.be/daIelVuKlYQ?t=558 - dns
        • https://www.youtube.com/watch?v=5RYYI6ax8iI - ddns
  • DNSSEC - is therefore a security measure which is additional to a site’s SSL certificate.

TLS

  • latest better than ssl
  • SSL is a cryptographic protocol that uses explicit connections to establish secure communication between web server and client. TLS is also a cryptographic protocol that provides secure communication between web server and client via implicit connections.

Ports

Port Block

Port Forwarding

  • Make ports enable
    • https port forroward on router! - technilay open acces for world
    • must firewall use !!!! ————- can do safely !!!!! but be careful
    • change port > login portal > https from 5001 to sth def. !!!!!

VPN

Synology

  • Synology VPN Server app: PPTP - point to point tunnel- old from 95 not recommended . easy platform friendly. L2TP/IPSec - for ios L to tunel. IKE v2 - wind/ BB integrated. But best is OpenVPN
    1. Split tunnel - no need dns
    2. Whole tunneling - always on
    • can open one port and creat tunel

OpenVPN

  • OpenVPN is protocol with different server client apps. Open VPN GUI is free one. all devices must have cert!! YT
  • check if port ffd i& firewall 1194 enable on: NAS & Router
  • downnload ziped file VPNConfig.ovpn
    • change IP (ip spacebar and prot) //
    • redirect-geteway def1 - for full tunneling
    • setenv CLIENT_CERT 0 - for no client cert
    • dhcp-option DNS 192.168.0.xxx - full tunneling acces for services /
  • in options log to synology account

Wireguard

SoftEther

Zerotier

  • Network architecture
  • app for synoilogy
  • app for android

Synology Plus VPN

Firewall

ssh with firewal https://youtu.be/BCCIMRbAUp8

what is https://youtu.be/G3BJo4B1GgU

  • filter trafic
  • port ffd opens a port to one internal device.
  • synology cal filter internal and ext trafic

Domains

Domain Records

  • A / AAAA - DNS (for pi 4 / 6)
  • MX - Mail server https://support.google.com/domains/answer/9428703?hl=en
  • CAA - SSL cert
  • CNAME - Alias (only for subdomains) for main »> radirect

Local network

  • PPPoE - over cable
  • LAN -
  • What is Carrier-grade NAT (CGN/CGNAT)?
  • IPv6 Tunneling

Website

Need:

  • dns adress, (like on google domain )
  • port forroward in router
    • cgnet / Carrier-grade NAT (CGN or CGNAT) - CANNT SETUP
  1. external acces ddns -

web station
video station
vebfav server