DDNS and Synology Photos

Hello all,

I have consolidated all my network related services under Cloudflare. One of these services is dynamic DNS. At home I have an IP from my provider that is not static. I setup NO IP, so I could ensure that when my IP changed it would be updated, so I could always get to services on my local network. One of these services is Synology Photos, which allows me to upload photos I take on my Android phone straight to my Synology NAS. It was operating fine under NO IP but I am now trying to move this to Cloudflare.

I have setup Cloudflare, so that a specific hostname is proxied by Cloudflare, but in turn knows the IP of my Internet connection. I have ddclient running on my OPNsense firewall, so that when it sees an IP change on my Internet connection it will then go and update the IP for the specific hostname I setup on Cloudflare. I have tested this functionality successfully.

My problem is that I cannot upload the photos to my Synology NAS. The Photos app comes back saying there is something wrong with the IP. As mentioned I have this hostname proxied by Cloudflare. Does this proxy cause any issues for gaining access via the app? If I enter my IP address in the Photos app I am able to make a connection, so I know this is working. It seems the Cloudflare piece is mucking things up.

Thoughts?

Thanks,
Steve

On your OPNsense firewall, do you have DNS rebinding protection active? Does disabling it while using the CF proxy fix the issue?

Which port is your Syno Photo app running on and what port are you trying to reach it publicly? Please notice that Cloudflare does not allow all ports. But you could change ports on your config or at least implement Port-Forwarding at your router etc.

Just to add on top: as Syno Photo can also upload Video (if I am not mistaken?) the videos can quickly exceed Cloudflares uploadlimit, so you probably would be off just unproxying the DNS you are using. But again, that will expose your home IP to the public.

Aaaand if I have to recommend against using synos own SSL certs as their CA is not accepted everywhere, so you could run into some problems down the road. Please use Let’s Encrypt, or if behind Cloudflare, Cloudflares origin SSL Cert and select them for PhotoStation aswell.

1 Like

@M4rt1n thank you for your responses!

So I have port forwarded 443 out as 6443. That has been in place since I was using NO IP. I did some more testing and when I turn Cloudflare proxy off I can connect! Its when proxy is on that I cannot connect.

I would prefer not to turn proxy off but not sure if there is a way to get it on and get this app to work with it on. Since I am behind Cloudflare I will look into the origin certs. That would be helpful also.

Ports could be the issue. I found this listing the allowed ports (unless on the Enterprise plan, which allows all).

https://developers.cloudflare.com/fundamentals/get-started/reference/network-ports/

2 Likes

What is the:

  1. External Port
  2. Internal Port

?

Also with no error code it’s hard to understand what exactly is going wrong. You also might have cosen the wrong SSL settings in the dashboard. What SSL Mode are you in?

About the error code:

If there is one: provide it to us
If there is none: please open a ticket at Synology and ask them to trigger proper error codes on failure.

Just so I am reding this right. If any of the following ports are in use caching is disabled:

2052
2053
2082
2083
2086
2087
2095
2096
8880
8443

For instance my Synology Photos is NAT’ed, with 6443 on the outside back to 443 at the NAS. Based on that information proxy should work for 6443 correct?

External port is 6443 and the internal port is 443.

Well this is interesting. I have deployed a Cloudflare origin cert and have configured Cloudflare to go Full-Strict. I had kept proxy off and was able to connect, with the Photos app on my Android phone showing the Cloudflare certificate.

I just turned proxy on and the app can still connect but its not showing the Cloudflare origin cert. Does having the proxy on get in the way of the cert?

My understanding is you need to use the same home WAN port that’s on the CF’s list of approved http/https edge ports, else you’ll need CF’s Enterprise plan:

If traffic for your domain is destined for a different port than the ones listed above, for example you have an SSH server that listens for incoming connections on port 22, either:

  • Change your subdomain to be gray-clouded , via your Cloudflare DNS app, to bypass the Cloudflare network and connect directly to your origin.
  • Configure a Spectrum application for the hostname running the server. Spectrum supports all ports. Spectrum for all TCP and UDP ports is only available on the Enterprise plan. If you would like to know more about Cloudflare plans, please reach out to your Cloudflare account team.

The problem is those are well known (i.e., often scanned) ports that you’d have to expose. You may be better off bypassing the CF proxy and using a high numbered port like 65020 on your home WAN, along with strong security measures to lock it down.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.