How do I set up port forwarding rules on my Synology Router?

Purpose

In an IPv4 environment, your Synology NAS and other devices are usually assigned virtual IP addresses within a local area network. Such virtual IP addresses cannot be accessed directly over the Internet. Any packets sent to terminal devices, such as your Synology Router, must be forwarded from the Internet by the router/gateway in your home or office. This article will give you a brief introduction on port forwarding and guide you through the setup of port forwarding rules on Synology Router Manager (SRM).

Contents

The mechanisms of port forwarding
Set up port forwarding rules on SRM
Set up port forwarding rules on SRM for external access to multiple Synology NAS
What can I do if port-forwarding doesn't work properly?

Resolution

The mechanisms of port forwarding

Port forwarding is a technique employed to allow external devices to access computer services on a local area network. If you want the devices behind NAT devices (e.g., routers or gateways) to be accessed over the Internet, you should set up port forwarding rules to forward packets.
If you want your Synology NAS within your local network to be accessible over the Internet, multiple port forwarding rules may be required. Since Synology NAS can become a multifunctional server providing more than one service (e.g. Synology MailPlus, Surveillance Station, DSM desktop, etc.), you may need to set up different port forwarding rules depending on the IP ranges defined for certain services.¹
For example, suppose you have set up a Synology NAS behind your router and it is assigned the virtual IP "10.0.0.6".² You may set up a port forwarding rule to forward the packets from the port 5001 of the public IP "210.61.203.200" to port 5001 of the virtual IP "10.0.0.6". You can then access the DSM desktop over the Internet by visiting "https://210.61.203.200:5001". For details on the network ports used by particular Synology services, please check out the following articles:³
- What network ports are used by DSM services?
- What network ports are used by SRM services?

Set up port forwarding rules on SRM

Go to SRM > Network Center > Port Forwarding.
Under the Port Forwarding tab, click Create.
In the pop-up window, fill in the fields accordingly, and then click Create to finish.
Click Save to apply settings.⁴⁵

Set up port forwarding rules on SRM for external access to multiple Synology NAS

To access multiple Synology NAS within a local network over the Internet, you have to set port forwarding rules for each NAS. For example, if you want to make the web servers hosted respectively by two Synology NAS accessible over the Internet, you need to set up a port forwarding rule on your router for each Synology NAS, as shown below (refer to this article for more details):
The private ports can be the same (e.g., port 443 for Web Station). However, do not assign the same public port for both Synology NAS.⁶
After setting up the port forwarding rules, you can access website services hosted by the two Synology NAS via the same public IP address and attached using different port numbers:⁷
- Web server of Synology NAS 1: https://Public IP address of NAS: 443
- Web server of Synology NAS 2: https://Public IP address of NAS: 7001

What can I do if port forwarding doesn't work properly?

There are a few ways to troubleshoot port-forwarding issues:

Check the DMZ functioning:⁸ As a specialized form of port forwarding, DMZ helps you find out if the networking problem is with port forwarding. Follow the steps below.
- Activate DMZ on your SRM: Please refer to this article for detailed instructions.
- Check the functioning of your DMZ:
  - If the DMZ works properly, it means that some error has occurred with your port-forwarding settings. Make sure the private IP address of your host device matches the port-forwarding target, and confirm that the firewall allows external ports.
  - If the DMZ doesn't work properly, it means that some error has occurred with the network service of your host device, so check your device's network status. For example, examine if the host device is accessible over the Internet. It may be firewall settings that caused the failure of the network connection.
Check the firewall settings: If the firewall is enabled on the router, try suspending the firewall function for a while.
Check the service port functioning: Contact your Internet Service Provider to find out if the service port is blocked.

Notes:

Synology Photo Station uses the ports 80 (HTTP) and 443 (HTTPS) by default. For more information on customized ports for Photo Station, please check out this article.
Common ranges of virtual IP addresses are listed below:

10.0.0.0 ~ 10.255.255.255
172.16.0.0 ~ 172.31.255.255
192.168.0.0 ~ 192.168.255.255

You can also register for a DDNS for your physical IP address. You may check out the related articles below:

If you set up your network with a non-Synology networking product, the settings may vary. You can check out the guide provided by your device's vendor.
If your router or switch is on a shared Internet connection, consult your service provider for port forwarding setup assistance.
Each assigned public port must be unique within the same network.
If the firewall is enabled on your Synology Router, go to Network Center > Security > Firewall, and create firewall rules to allow the forwarded public ports (ports 443 and 7001 in this example) to be accessed over the Internet. For detailed instructions on firewall configurations, refer to this article.
DMZ is less secure than the local area network (it exposes all external-facing services to an untrusted network), so we recommend disabling the DMZ after troubleshooting.

Was this article helpful?

Yes ／ No