Synology Tech Support told me the DS1819 (4-ports) can't serve the Internet from the other ports, but they will forward my request for this functionality to the product team. I figured out how to turn the Synology NAS into a NAT router using info from https://galaxysd.github.io/linux/ 20170804/2017-08-04-iptables-on-Synology-DSM-6. I also corrected a typo in that script.
My difference from that post is that I want to bond LAN1 and LAN2 for adaptive load balancing, so I plugged both into my home router, which gave 192.168.2.20 and 192.168.2.21 on each port respectively. Then using Control Panel->Network->Network Interface, I created a bonded connection on LAN1 and LAN2, which is called Bond1 in DSM, but note that the ifconfig label is " bond0"
1) Install the package called VPN Server, and new as of Apr.29/2019 DSM update, you need to enable OpenVPN Server in order to enable the various iptables and NAT modules. Prior to this, none of the 3 VPN servers needed to be turned on to enable the required modules. 2) Enable Telnet, log in using your admin credentials 3) sudo -i, type in your admin password again, now you have root access 4) cd /usr/syno/etc/rc.sysv/ 5) Create a new file by typing "vi Galaxy_NAT.sh" 6) Press the letter i to go to insert mode, then paste in the following script:
#!/bin/bash # # Change this variable to match your private network. PRIVATE_NETWORK="10.0.0.0/24" # # Change this variable to match your public interface. eth0 = LAN1, eth1 = LAN2, eth2=LAN3, eth3=LAN4, and in my case, bond0 = LAN1+LAN2 PUBLIC_INTERFACE="bond0"
# Set PATH to find iptables PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin"
# Module list where KERNEL_MODULES_NAT are defined. IPTABLES_MODULE_LIST="/usr/syno/etc/iptables_modules_list" source "${IPTABLES_MODULE_LIST}"
# Tool to load kernel modules (modprobe does not work for me) BIN_SYNOMODULETOOL="/usr/syno/bin/synomoduletool"
# My service name - let's make sure we don't conflict with synology SERVICE="Galaxy_NAT"
# iptable binary IPTABLES="iptables"
start() { # Log execution time date
# Make sure packet forwarding is enabled. # 'sysctl -w net.ipv4.ip_forward=1' does not work for me echo 1 > /proc/sys/net/ipv4/ip_forward
# Count the number of modules so that we can verify if the module # insertion was successful. We replace whitespaces with newlines # and count lines. MODULE_COUNT=$( echo "${KERNEL_MODULES_NAT}" | gawk '{ print gensub(/\s+/, "\n", "g") }' | wc -l )
# Load the kernel modules necessary for NAT "${BIN_SYNOMODULETOOL}" --insmod "${SERVICE}" ${KERNEL_MODULES_NAT} RV=$?
# $BIN_SYNOMODULETOOL returns the number of loaded modules as return value [[ "${RV}" == "${MODULE_COUNT}" ]] || { echo >&2 "Error: Modules were not loaded. The following command failed:" echo >&2 "${BIN_SYNOMODULETOOL}" --insmod "${SERVICE}" ${KERNEL_MODULES_NAT}exit 1 }
# Turn on NAT. "${IPTABLES}" -t nat -A POSTROUTING -s "${PRIVATE_NETWORK}" -j MASQUERADE -o "${PUBLIC_INTERFACE}" RV=$? [[ "${RV}" == "0" ]] || { echo >&2 "Error: MASQUERADE rules could not be added. The following command failed:" echo >&2 "${IPTABLES}" -t nat -A POSTROUTING -s "${PRIVATE_NETWORK}" -j MASQUERADE -o "${PUBLIC_INTERFACE}" exit 1 }
# Log current nat table iptables -L -v -t nat }
case "$1" in start) start exit ;; *) # Help message. echo "Usage: $0 start" exit 1 ;; esac
7) Hit ESC to exit vi's Insert Mode 8a) Save and exit vi by typing ":wq!" excluding the quotes 8b) Run the script by typing "./Galaxy_NAT.sh start" 8c) If the script is not executable, trying typing "chmod +777 Galaxy_NAT.sh" and then try to run it again
9) At Control Panel->Network->Network Interfaces 9a) For LAN3, disable DHCP, set IP to 10.0.2.2, netmask 255.255.255.0, gateway 10.0.2.1, DNS 10.0.2.1, alternate DNS 8.8.4.4 9b) For LAN4, disable DHCP, set IP to 10.0.0.2, netmask 255.255.255.0, gateway 10.0.0.1, dns 10.0.0.1
Note the different subnets. As far as I can tell, DHCP Server needs LAN3 and LAN4 on different subnets.
10) Control Panel->DHCP Server 10a) Enable DHCP on LAN3: IP range 10.0.2.3 - 10.0.2.9, netmask 255.255.255.0, gateway 10.0.2.2, DNS 10.0.2.2, alternate DNS 8.8.4.4
10b) Enable DHCP on LAN4: IP range 10.0.0.3 - 10.0.0.9, netmask 255.255.255.0, gateway 10.0.0.2, DNS 10.0.0.2, alternate DNS 8.8.4.4
11) The NAS will now function as a router using NAT. Enjoy the Internet from LAN3 and LAN4, served through the bonded load-balanced interface "bond0"
LAN3 will then pick up an IP in 10.0.2.3 to 10.0.2.9, and LAN4 will pick up an IP in 10.0.0.3 to 10.0.0.9. Note the different subnets. This means devices on your home router, 192.168.2.x will not be able to see these 2 devices since they are NATted. However, these 2 devices will be able to see the DS1819 and outside Internet, so anything on your 192.168.2.x LAN that you can use the DS1819 to mount/link/etc, then LAN3 and LAN4 will be able to access by connecting to the DS1819.
I found threads on the old forums describing how to turn the Synology NAS into a switch (as opposed to a router), and I successfully got that working by bridging the interfaces, but the problem with using the NAS as a switch is that while the LAN3 and LAN4 devices can pick up IPs on the 192.168.2.x subnet and reach the Internet, the NAS itself (192.168.2.20) will be invisble and non-reachable by the LAN3 and LAN4 devices. I believe the home router needs to have advanced routing functions in order to make the NAS visible to devices that are switched using the NAS, and my home router doesn't have these functions.
12) To enable NAT automatically after NAS reboot, place the following configuration file to /etc/init/Galaxy_NAT.conf
description "NAT with iptables" author "Galaxy" start on syno.network.ready console log script /usr/syno/etc/rc.sysv/Galaxy_NAT.sh start end script # vim:ft=upstart
13) To enable the computers behind the router to be seen on the main network, forward ports one at a time using this pair of iptables commands:
The first line says where the incoming interface is bond0 and destination port 5151, send it to the routed IP 10.0.0.7:5151. The second line says where the routed IP 10.0.0.7 with source port 5151, send it to the IP of the bond0 interface, which in my case is 192.168.2.20.
Enjoy and free free to post any enhancements. I would be very interested in using the NAS as a switch instead of a router, someone just needs to post detailed instructions on how to make the NAS visible to the LAN3 and LAN4 ports when using bond0 (LAN1+LAN2) as a bridge.
楼主家里用的 NAS 是 QNAP 的。接触 Synology 是几个月前入手了它家的 router (
RT2600AC)。主要是冲着 Parental Control 和 Dual WAN 去的。另外一个考虑因素是
看到 firmware 一直有更新。
RT2600AC 是 2016 年发布的“老”产品。难得5年来,firmware 一直有更新。最近两
次更新是今年的 5/25 和 5/11。
入手这个 router 之后,跟售后技术支持开了5个 case,其中4个是理解的问题,只有
一个是真正的 bug。我自己的亲身经历,售后和其他家用大厂比(Linksys, Netgear,
Asus),好得太多。
一、本土客服。
不要说歧视偏见,(美国)本土客服不仅技术上比阿叉靠谱,soft skill 更是天壤之
别。Soft skill 是指理解用户的应用场景。譬如,小屁孩的 time quota exhausted
了,家长要做什么。阿叉就是不能理解。
二、台湾开发团队
客服是美国本土,但开发团队却是在台湾。互相之间配合得很好。如果是软件的 bug,客服要 escalate 到开发团队,通常24小时内有回复。而且回复得言之有物,不是那种一看就是 copy/paste 的官样回复。
三、很棒的排错工具
Router 软件中内置了很齐全的排错工具。譬如生成 debug file 的工具。让技术支持
远程登录 router 的工具(可以设置时限)。这些工具,可以让支援队伍“亲临现场”排错,加快了解决的速度。
当然,这些都拜它家 NAS 产品线所赐。NAS 是 Synology 的主要收入来源,在家用和
中小企市场占有率很大。因此建立了一套完善的技术支持体系。Router 的软件架构和
技术支持,基本上是照搬 NAS 的现成,不需要 reinvent the wheels。
记得两年前跟 Asus 开了个 case,关于 Dual WAN 的问题。爱理不理,顶多就是叫你
拔网线。偶的天,如果要拔网线才能 failover,我要你 Dual WAN 何用?估计Asus 就是专攻家用市场,基本不涉及企业。所以技术支持就得过且过了。
不知道为什么 Synology 还没推出 WIFI6 产品。希望不要砍掉现有的 router 产品线
,firmware 持续更新就好了。
其实它可以出个不带WiFi的router
【 在 helloguys (Skywalker) 的大作中提到: 】
: 楼主家里用的 NAS 是 QNAP 的。接触 Synology 是几个月前入手了它家的 router (: RT2600AC)。主要是冲着 Parental Control 和 Dual WAN 去的。另外一个考虑因素是
: 看到 firmware 一直有更新。
:
: RT2600AC 是 2016 年发布的“老”产品。难得5年来,firmware 一直有更新。最近两
: 次更新是今年的 5/25 和 5/11。
:
: 入手这个 router 之后,跟售后技术支持开了5个 case,其中4个是理解的问题,只有
: 一个是真正的 bug。我自己的亲身经历,售后和其他家用大厂比(Linksys, Netgear,
: Asus),好得太多。
:
: 一、本土客服。
: 不要说歧视偏见,(美国)本土客服不仅技术上比阿叉靠谱,soft skill 更是天壤之
: 别。Soft skill 是指理解用户的应用场景。譬如,小屁孩的 time quota exhausted
: 了,家长要做什么。阿叉就是不能理解。
:
: 二、台湾开发团队
: 客服是美国本土,但开发团队却是在台湾。互相之间配合得很好。如果是软件的 bug,
: 客服要 escalate 到开发团队,通常24小时内有回复。而且回复得言之有物,不是那种
: 一看就是 copy/paste 的官样回复。
:
: 三、很棒的排错工具
: Router 软件中内置了很齐全的排错工具。譬如生成 debug file 的工具。让技术支持
: 远程登录 router 的工具(可以设置时限)。这些工具,可以让支援队伍“亲临现场”
: 排错,加快了解决的速度。
:
: 当然,这些都拜它家 NAS 产品线所赐。NAS 是 Synology 的主要收入来源,在家用和
: 中小企市场占有率很大。因此建立了一套完善的技术支持体系。Router 的软件架构和
: 技术支持,基本上是照搬 NAS 的现成,不需要 reinvent the wheels。
:
: 记得两年前跟 Asus 开了个 case,关于 Dual WAN 的问题。爱理不理,顶多就是叫你
: 拔网线。偶的天,如果要拔网线才能 failover,我要你 Dual WAN 何用?估计Asus 就
: 是专攻家用市场,基本不涉及企业。所以技术支持就得过且过了。
:
: 不知道为什么 Synology 还没推出 WIFI6 产品。希望不要砍掉现有的 router 产品线
: ,firmware 持续更新就好了。
他家的router对比ubiquiti EdgeRouter 4 怎么样?
EdgeRouter4 也有dual wan的支持。
Ubiquiti router更倾向于企业,譬如它的 EdgeOS 支持OSPF路由协议。但家庭用户用
不着 OSPF。
Synology router更倾向于家庭,譬如它的 parental control 功能,文件共享 (share by link) 功能等等都是自带的,不需要另外安装第三方软件。
如果家里没小孩,又喜欢折腾,可以选 Ubiquiti。如果有小孩,喜欢折腾,选
Synology。不喜欢折腾,随便选。
【 在 foolboylei (如歌的行板) 的大作中提到: 】
: 他家的router对比ubiquiti EdgeRouter 4 怎么样?
: EdgeRouter4 也有dual wan的支持。
Guide: Turn Synology DS1819 NAS into router
Synology Tech Support told me the DS1819 (4-ports) can't serve the Internet from the other ports, but they will forward my request for this
functionality to the product team. I figured out how to turn the Synology
NAS into a NAT router using info from https://galaxysd.github.io/linux/
20170804/2017-08-04-iptables-on-Synology-DSM-6. I also corrected a typo in
that script.
My difference from that post is that I want to bond LAN1 and LAN2 for
adaptive load balancing, so I plugged both into my home router, which gave
192.168.2.20 and 192.168.2.21 on each port respectively. Then using Control Panel->Network->Network Interface, I created a bonded connection on LAN1 and LAN2, which is called Bond1 in DSM, but note that the ifconfig label is "
bond0"
1) Install the package called VPN Server, and new as of Apr.29/2019 DSM
update, you need to enable OpenVPN Server in order to enable the various
iptables and NAT modules. Prior to this, none of the 3 VPN servers needed to be turned on to enable the required modules.
2) Enable Telnet, log in using your admin credentials
3) sudo -i, type in your admin password again, now you have root access
4) cd /usr/syno/etc/rc.sysv/
5) Create a new file by typing "vi Galaxy_NAT.sh"
6) Press the letter i to go to insert mode, then paste in the following
script:
#!/bin/bash
#
# Change this variable to match your private network.
PRIVATE_NETWORK="10.0.0.0/24"
#
# Change this variable to match your public interface. eth0 = LAN1, eth1 =
LAN2, eth2=LAN3, eth3=LAN4, and in my case, bond0 = LAN1+LAN2
PUBLIC_INTERFACE="bond0"
# Set PATH to find iptables
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin"
# Module list where KERNEL_MODULES_NAT are defined.
IPTABLES_MODULE_LIST="/usr/syno/etc/iptables_modules_list"
source "${IPTABLES_MODULE_LIST}"
# Tool to load kernel modules (modprobe does not work for me)
BIN_SYNOMODULETOOL="/usr/syno/bin/synomoduletool"
# My service name - let's make sure we don't conflict with synology
SERVICE="Galaxy_NAT"
# iptable binary
IPTABLES="iptables"
start() {
# Log execution time
date
# Make sure packet forwarding is enabled.
# 'sysctl -w net.ipv4.ip_forward=1' does not work for me
echo 1 > /proc/sys/net/ipv4/ip_forward
# Count the number of modules so that we can verify if the module
# insertion was successful. We replace whitespaces with newlines
# and count lines.
MODULE_COUNT=$(
echo "${KERNEL_MODULES_NAT}" |
gawk '{ print gensub(/\s+/, "\n", "g") }' |
wc -l
)
# Load the kernel modules necessary for NAT
"${BIN_SYNOMODULETOOL}" --insmod "${SERVICE}" ${KERNEL_MODULES_NAT}
RV=$?
# $BIN_SYNOMODULETOOL returns the number of loaded modules as return value
[[ "${RV}" == "${MODULE_COUNT}" ]] || {
echo >&2 "Error: Modules were not loaded. The following command failed:"
echo >&2 "${BIN_SYNOMODULETOOL}" --insmod "${SERVICE}" ${KERNEL_MODULES_NAT}exit 1
}
# Turn on NAT.
"${IPTABLES}" -t nat -A POSTROUTING -s "${PRIVATE_NETWORK}" -j MASQUERADE -o "${PUBLIC_INTERFACE}"
RV=$?
[[ "${RV}" == "0" ]] || {
echo >&2 "Error: MASQUERADE rules could not be added. The following command failed:"
echo >&2 "${IPTABLES}" -t nat -A POSTROUTING -s "${PRIVATE_NETWORK}" -j
MASQUERADE -o "${PUBLIC_INTERFACE}"
exit 1
}
# Log current nat table
iptables -L -v -t nat
}
case "$1" in
start)
start
exit
;;
*)
# Help message.
echo "Usage: $0 start"
exit 1
;;
esac
7) Hit ESC to exit vi's Insert Mode
8a) Save and exit vi by typing ":wq!" excluding the quotes
8b) Run the script by typing "./Galaxy_NAT.sh start"
8c) If the script is not executable, trying typing "chmod +777 Galaxy_NAT.sh" and then try to run it again
9) At Control Panel->Network->Network Interfaces
9a) For LAN3, disable DHCP, set IP to 10.0.2.2, netmask 255.255.255.0,
gateway 10.0.2.1, DNS 10.0.2.1, alternate DNS 8.8.4.4
9b) For LAN4, disable DHCP, set IP to 10.0.0.2, netmask 255.255.255.0,
gateway 10.0.0.1, dns 10.0.0.1
Note the different subnets. As far as I can tell, DHCP Server needs LAN3 and LAN4 on different subnets.
10) Control Panel->DHCP Server
10a) Enable DHCP on LAN3: IP range 10.0.2.3 - 10.0.2.9, netmask 255.255.255.0, gateway 10.0.2.2, DNS 10.0.2.2, alternate DNS 8.8.4.4
10b) Enable DHCP on LAN4: IP range 10.0.0.3 - 10.0.0.9, netmask 255.255.255.0, gateway 10.0.0.2, DNS 10.0.0.2, alternate DNS 8.8.4.4
11) The NAS will now function as a router using NAT. Enjoy the Internet from LAN3 and LAN4, served through the bonded load-balanced interface "bond0"
LAN3 will then pick up an IP in 10.0.2.3 to 10.0.2.9, and LAN4 will pick up an IP in 10.0.0.3 to 10.0.0.9. Note the different subnets. This means
devices on your home router, 192.168.2.x will not be able to see these 2
devices since they are NATted. However, these 2 devices will be able to see the DS1819 and outside Internet, so anything on your 192.168.2.x LAN that
you can use the DS1819 to mount/link/etc, then LAN3 and LAN4 will be able to access by connecting to the DS1819.
I found threads on the old forums describing how to turn the Synology NAS
into a switch (as opposed to a router), and I successfully got that working by bridging the interfaces, but the problem with using the NAS as a switch
is that while the LAN3 and LAN4 devices can pick up IPs on the 192.168.2.x
subnet and reach the Internet, the NAS itself (192.168.2.20) will be
invisble and non-reachable by the LAN3 and LAN4 devices. I believe the home router needs to have advanced routing functions in order to make the NAS
visible to devices that are switched using the NAS, and my home router doesn't have these functions.
12) To enable NAT automatically after NAS reboot, place the following
configuration file to /etc/init/Galaxy_NAT.conf
description "NAT with iptables"
author "Galaxy"
start on syno.network.ready
console log
script
/usr/syno/etc/rc.sysv/Galaxy_NAT.sh start
end script
# vim:ft=upstart
13) To enable the computers behind the router to be seen on the main network, forward ports one at a time using this pair of iptables commands:
iptables -t nat -A PREROUTING -p tcp -i bond0 --dport 5151 -j DNAT --to-
destination 10.0.0.7:5151
iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.7 --sport 5151 -j SNAT --to-source 192.168.2.20
The first line says where the incoming interface is bond0 and destination
port 5151, send it to the routed IP 10.0.0.7:5151. The second line says
where the routed IP 10.0.0.7 with source port 5151, send it to the IP of the bond0 interface, which in my case is 192.168.2.20.
Enjoy and free free to post any enhancements. I would be very interested in using the NAS as a switch instead of a router, someone just needs to post
detailed instructions on how to make the NAS visible to the LAN3 and LAN4
ports when using bond0 (LAN1+LAN2) as a bridge.