Very good video. You not only explain how to do something but why.
Thank you! Appreciate you taking the time to leave a comment. Have a great day!
What an excellent video Tony! Wow, that was such a delight to watch, explained beautifully! Loved it!
Wow, Avi what a kind comment. I really do appreciate it very much. Have a great day!
Amazing video, Tony - one of the best firewall videos I've ever watched! Extremely easy to understand and learned a lot - thanks!
Thanks so much Frank. I really appreciate your kind words. I’m really liking this RT6600AX, especially since the Eth1 is configurable as either 2.5G LAN or WAN.
Excellent Tutorial
I greatly appreciate this as I am going to purchase the Synology RT6600AX to get rid of my TP-Link router, just to be safe, and it has a lot more options.
Thanks Again
Great choice! Thanks for watching. Happy Holidays!
Great job Tony. Very clear and thorough.
Thanks for watching Michael
Great video! Lol … You must be my brother from another mother. Both Italian Tonys, both love our Synology NAS’ and Routers, both love our tech, both are drummers, and both have tats!
I have a DS1821+ and DS1621+ at home and a DS920+ at my daughter’s house for two way Hyper Backups over Tailscale. I have 2 Synology RT6600ax’s and an RT2600ac I’m about to create a mesh with to replace my old Netgear Orbi 5. One of the main reasons, other than loving Synology’s software, is I want to do what you have shared, isolate my IoT from my Compute, wired and wireless. Plus my Orbi is not handling over 100 devices very well. Again thanks for the tutorial. I’m hitting the sub button now! 😁👍🏻
Hello Italian Tony! Yes, it appears we have lots of parallels. Glad you found the video helpful. Thanks for subbing the channel.
Easy to understand. I get asked all the time about segregating networks. I didn't even know synology had this.
Thanks for watching
Thanks very much for this awesome video Tony. I just got a Synology router and knew this was possible, but was struggling with how to do it. Your video lays it out so well with great examples and easy to follow steps.
Hey Phil! Glad you found the information in the video helpful! Great choice of router, btw! Have a great day!
Great video (as usual Tony) you have another 'Like' 🙂
Thank you David! Much appreciated!
@QuikTechSolutions You are very welcome Tony 🙂
Pretty sweet, I do this on all my firewalls too. Guest network gets 80 443 & 53, & CFS.
Thanks for watching
That looks pretty easy, although some of the utilities I've recently demoed would get around the ICMP rules. For most home networks this would be a great step!
I agree! Thanks for watching.
Great video. Greatly explained. Is there a way to use a proxy with Synology NAS and Synology router?
Hello Michel, thanks for watching and commenting. Here’s a help article direct from Synology you might find useful. Have a great day! kb.synology.com/en-us/DSM/help/ProxyServer/proxy_server_transparent?version=7
@QuikTechSolutions Great, thanks for the link. Is it better to have DHCP on the NAS or leave it on the Synology router?
@HoekNoot my personal preference would be to leave it on the router.
Thanks Tony, your videos are top notch. Can I assume that I can use firewall rules to achieve the following? Block specific ports from being used by devices on my network, and, block specific external IP addresses being reached by devices on my network? Amazingly, I couldn't find official Synology documentation describing the usage of the firewall rules.
Excellent video, thank you. Just wondering, in your example, the Mac needs to have a static IP for this to work. Would it be more sensible if you would create an admin VLAN that only the Mac and/or your management laptop sits on and then allow all traffic from this VLAN to IoT?
Hello! Thanks for watching and leaving a comment. Great question - the short answer to your question is yes, you can definitely achieve similar results in that fashion as well.
There are many ways to skin a cat so to speak (figure of speech folks, no animals have been harmed), depending on the given situation. Each situation is unique to itself and should be treated as such. In my environment, it's just two of us. My wife uses her mobile phone for everything. Since being retired, she doesn't even own a computer anymore. So, the network is being utilized primarily by me and the IoT devices. In this scenario, I think of the Primary Network as my management network as well. Basically, they are one and the same. I really don't see the need in my environment to have a separate management VLAN. However, in an environment with lots of users, for example a business network, I would most definitely separate out the management network from the Primary network (some folks use the term "Trusted" network) using VLANs. Regarding the use of static IP addresses, I actually use DHCP reservations (in the router) for my devices, whereby each host always receives the same IP address from the router based on the MAC address. In essence, the result is a host always gets the same IP address. It's just how I do things; it's a personal preference. Again, just another way to skin a cat, lol. IMO, devices always having the same IP address simplifies the creation of firewall rules. Hope this addresses your inquiry. Have a wonderful day! :)
@QuikTechSolutions thank you for the prompt and detailed answer; I am a novice to the VLANs as I am considering adding IP cams in the property thus the need for IoT segregation, so I am trying to educate myself from experienced creators. Btw, I am in a similar family and age situation but I like to explore.
Great explanation, thanks. I’m not sure if Synology have changed anything, but I can’t cross networks with no firewall rules & network isolation disabled?
Thanks for watching. That’s interesting. Have you checked to make sure isolation is off on all networks?
@QuikTechSolutions Yes. Both networks could get to the internet but not each other. I do suspect some changes as I also can’t add multiple Wi-Fi SSIDs to one network; from the spec of the router & even the wording on the GUI, I thought this should be possible.
@paulthomas-vo5vf I’m not aware of any changes, however, not saying Synology hasn’t made any. Going on the premise that something has changed, have you tried creating firewall rules allowing traffic to flow between the two networks?
@QuikTechSolutions Yes, I tried that too. I followed the Synology doc, just leaving off the deny rules. It still didn’t work. I assume Wi-Fi connected devices work the same as wired, I was testing from an iPad?
Just curious, can you plug-in wired devices one on each network and try doing a ping from wired device to wired device?
Great video but I have a head scratcher. Setup network isolation, main and IoT networks but I can still ping the IoT network but not the other way around.
Thanks for watching! That’s not a bad thing. But, if you want to isolate in both directions, make sure you enable isolation on the main network. Or, you can create a firewall rule manually. Have a great day.
@QuikTechSolutions thanks for the quick reply, hats off sir. Both are isolated, strange one. I can’t ping a device on the IoT network but the main IP I can. Cheers
@QuikTechSolutions last question. That first rule, you don’t mention. I’m sure you did elsewhere but can’t find. Could you tell me what the windows part is?
@Ilikeridin it’s a system rule created by default. I didn’t create that rule. If you click on it, you should be able to see exactly what it does.
@QuikTechSolutions okay, thank you. Mine didn’t have that by default. Wonder if the new update removed it. I believe it is so you don’t lock yourself out of SRM when changing rules
For my home security cameras, I didn't want to get into the complexity of setting up a VLAN and related firewall rules. Instead, I created a filter in the safe access app so that the only external access the cameras were allowed was to update their time clocks. My rationale was that, even if the cameras could access my entire LAN, they couldn't do anything with info that they gathered such as communicating it back to their mother ship in China. They won't get firmware updates, but since they work exactly as I want, I'm ok with that.
Hello David! Thanks for sharing. Very creative workaround and if it’s working for you that’s awesome.