Forwarding port 443 to my NAS?


I have a Synology NAS which I use as a photo station. I have made port forwardings (using the LUCI interface) of port 80 and port 443 to the NAS. I can access the photostation on my NAS remotely through HTTP, but not HTTPS.

A friend suggested the cause could be httpd on the router using port 443? How do I change that? I don’t need to access my Turris router from the WAN side.

Do you have troubles with forwarding from WAN or from within LAN?

It’s from WAN to LAN. I have port forwarded other ports. Port 5001 is used to access the webinterface of my NAS through HTTPS (https://url:5001). That works fine. The photo station is https://url/photo. It works on my local network, but not from an external IP.

I used an ASUS router before and I tried to re-create the same port forwards I had on the ASUS router. As mentioned above, the other port forwards I’ve created seem to work.

So you need to make portforward rule from some of yours randomly picked port 123456 (wan) to 5001(lan) and open correspond port on firewall. That should work for http, if you want https you have to take care for 443 port as well.

Generally, having NAS accessible this way is a bit dangerous for me. Opening it to world means you have real trust in that device.

update: and yes 443port on wan might be used by honey/minipot processes (check Foris/DataCollection what you have enabled and what ports are occupied by that) … so as example 22 is open on wan, but it is honeypot in fact, meanwhile same port from lan is your router sshd ; as 443 is generic for tls-https it might be the case you are feeding your own honeypot trying to access it.

I do have data collection enabled, but from what I understand it shouldn’t make a difference:
“One of uCollect’s features is emulation of some commonly abused services. If this function is enabled, uCollect is listening for incoming connection attempts to these services. Enabling of the emulated services has no effect if another service is already listening on its default port (port numbers are listed below).”

However, it only mention HTTP (port 80), not HTTPS (port 443). I have just disabled it just to make sure it didn’t make a difference and it didn’t.

Can you pls post the configuration of the port forwarding / redirection?

The lighttpd server for Foris/Luci shouldn’t conflict as it shouldn’t expose the ports on wan interface. To be on the safe side you may try to rename file /etc/lighttpd/conf.d/sss-enalble.conf to e.g. ss-enable.old (it shouldn’t end with .conf) and then restart lighttpd.

It depends what actually ‘provide access’ means (read,write,edit …sync?) and what ‘app’ is used and what protocol is behind. I have minidlna, vsftpd, ircd,transmission, samba services accesible via openvpn on my TO and all services read data from several devices or containers. There is no central NAS. On a side i have as another server with remote access enabled (paid per device) just to test it (like own netflix :D).

Update: Maybe you can make running on your NAS : NAS Compatibility List | Plex Support

Here’s the configuration:

The photostation service is a website/webservice running on the NAS.

So basically webserver serving each user its own library of pictures and some public/shared ones. And i assume you are using (and want to use) user management on that NAS to handle users-vs-rights. Making that same on TO is too much effort, so now i understand your approach.

That seems correct. Can you try to run something like curl --head -k where instead of the ip address put your https://url/photo curl should show you http header and you might get at least indication of which server is responding. E.g. outcome of the command on my TO is:

HTTP/1.1 200 OK
X-Frame-Options: DENY
Content-Length: 2142
Content-Type: text/html; charset=UTF-8
Set-cookie:; httponly; Path=/
Date: Wed, 25 Jan 2017 23:14:16 GMT
Server: lighttpd/1.4.42

And you can see that the response came from lighttpd/1.4.42 server. At least some indication.

Test done from a remote IP:
curl: (7) Failed to connect to my.url/photo/ port 443: Connection refused

However, if I test the webadministration interface that I’ve got on port 5001 I get:
HTTP/1.1 301 Moved Permanently
Date: Thu, 26 Jan 2017 07:57:51 GMT
Server: Apache
Cache-control: no-store
Location: https://my.url:5001/webman/index.cgi
Content-Type: text/plain

Test done from a internal IP:
HTTP/1.1 301 Moved Permanently
Date: Thu, 26 Jan 2017 08:00:58 GMT
Server: Apache
Location: https://my.url/photo/
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

The port is blocked, but why?

It might be a stupid question but as it is not obvious from the screenshot I ask - do you have the rule for 443 enabled? Also I assume that it worked for you with old router and therefore your ISP is not blocking it, right?

Yes, it’s marked as enabled in the LUCI interface. I expect I can check it through the command line somehow as well?

Yes, it worked with my previous router.

try to run iptables -t nat -L | grep HTTPS and post the result

SNAT tcp – tcp dpt:https /* HTTPS (reflection) / to:
SNAT udp – udp dpt:https /
HTTPS (reflection) / to:
DNAT tcp – /
HTTPS (reflection) / to:
DNAT udp – /
HTTPS (reflection) / to:
DNAT tcp – anywhere anywhere tcp spt:https /
HTTPS / to:
DNAT udp – anywhere anywhere udp spt:https /
HTTPS */ to:

I see one difference against my entries for the middle ones:

DNAT tcp -- /* HTTPS (reflection) */ to:
DNAT udp -- /* HTTPS (reflection) */ to:

I’m missing tcp (or udp) dpt:https when comparing with my setup.

could you check the entry in /etc/config/firewall file? My looks like:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'dmz'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip ''
        option dest_port '443'
        option name 'HTTPS to DMZ'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option dest_ip ''
option name 'HTTPS'
option src_port '443'
option dest_port '443'

I’m running out of ideas - last one would be to delete the rule, restart the firewall, create the rule again and restart the firewall once again. It looks to be configured properly to me.

The port 443 is indeed not opened to WAN. I tried to scan your IP and this is the result:

Starting Nmap 7.12 ( ) at 2017-01-26 11:52 CET
Nmap scan report for (
Host is up (0.042s latency).
Not shown: 992 closed ports
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
445/tcp  filtered microsoft-ds
873/tcp  open     rsync
4242/tcp open     vrml-multi-use
5000/tcp open     upnp
5001/tcp open     commplex-link

Interesting are the ports 25 & 445 as they are not listed on your screenshot above. Did you allow them somewhere else?