Question Synology NAS & Fire TV not communicating (through VPN router)

Matt Newman

Hi all,

I'm looking for some help in relation to an Amazon Fire TV (running Kodi 17.3) and Synology DS212j NAS talking to each other, via NFS, while connected to a VPN router.

Just to give some background: My original setup was that I had all devices in my home connected to my home network (ISP is Virgin Media). The 2 devices in question were both connected via ethernet cable, to LAN ports on my Virgin Media Superhub 3. I had NFS permissions set up for all my shared folders on the NAS, to allow connections from any other device within a specified local IP range (i.e. the Amazon Fire TV). This setup allowed me to use Kodi on the Fire TV, to access my media library stored on the NAS. This worked without a hitch.

I have since bought a new router, on which I have flashed DD-WRT firmware and have set it up as a VPN router (using OpenVPN protocol with IPVanish VPN service). I have an ethernet cable running from a Superhub 3 LAN port, to the WAN / Internet port of the VPN router (this is because I want to run both normal and VPN networks in tandem - one from each router).

The router setup is now as follows:

* Superhub 3 LAN IP is 192.168.0.1
* VPN router LAN IP is 192.168.2.1
* VPN router WAN IP is 192.168.0.25 (as given by the DHCP on the Superhub 3)

The Fire TV and the NAS are both connected to the VPN router's LAN ports:

* NAS LAN IP is 192.168.2.49 (as given by the DHCP on the VPN router)
* Fire TV LAN IP is 192.168.2.12 (as given by the DHCP on the VPN router)

I have changed the NFS permissions on the NAS to accept connections from any device with 192.168.2.X range (as I assume that these devices are connecting internally via local IPs and not using external IP, which would be that of the IPVanish VPN service).

Now the issue I'm having, is that Kodi on the Fire TV can see the NFS shares on the NAS, but it won't connect to them or access them. The symptoms are the same as would happen if the NFS permissions had not been set in the NAS. The strange thing is, if I connect the NAS back to the Superhub 3, but leave the Fire TV connected to the VPN router, it works!! But I need both devices connected to the VPN router.

I realise this is a complex question, but any help would be much appreciated.

Thanks in advance

Matt
 
May I suggest you put in a wildcard, *.*, under the IP address settings, just to try it.

As an aside, I don't have a router which enables me to set up a VPN. But I do use IPVanish, which allows connections to 5 devices, so I have OpenVPN on the Synology & Kodi.

Kodi has an addon for managing vpn's

How to Install Zomboided VPN Manager on Kodi 17 - The VPN Guru
 
So somehow, using the wildcard has worked. Which means that it must be another address that is connecting to it... Not the internal address!!
 
I actually have 192.168.1.1/255.255.255.0 under the nfs ip address.

Not sure where I got that from

So, yours would be 192.168.2.1/255.255.255.0?

I assume you have set the Fire TV up with a fixed IP address of 192.168.2.12?
 
The Fire TV has a fixed IP of 192.168.2.49 and the Nas 192.168.2.12 (I got them the wrong way around in my post above). But I'd already set permissions for 192.168.2.*, which didn't work. Only wildcarding the whole thing seemed to work, so I still don't get it. Though at least I have it working now.

Would be good for some networking guru to be able to explain it...I like to be able to logically understand how these things work.
 
Why the change to a VPN service?
What make and model did you put DD-WRT on to?
Your network has 2 routers on it which appear fully operational. Also by your opening post you appear to have 2 DHCP services running so you have ended up with 2 subnets.
 
VPN/NFS issues are out of my league, you'd probably need to be looking at the log files of NAS/Kodi and someone who understands them to point out the exact issue.

That said, have you tried SMB instead? It should work over VPN too.

Alternatively it is also possible to setup WebDAV shares on Synology and use them with Kodi to access remote file shares.
 
Instead of x.x.x.x, did you try 192.168.0.x to see if it is some weird routing issue?

Do you have a PC/laptop you can put on the VPN network to test the routing? Ping the NAS by name and IP to see if it comes back as expected. Also do a tracert to the IP and name to see if it goes direct or via some strange route.
 
It might be helpful if you cite the exact make/model of your VPN router.

That said, it doesn't sound like a networking issue to me. Separating a network into multiple subnets is rare in a SOHO regime (though we do it all the time in businesses). If you had a networking issue, I'd expect the symptoms to be more akin to not seeing anything at all (particularly between the two subnets) rather than being able to "see" the NAS but not access its content within the same subnet. That sounds more like a permissions and/or firewall/ACL issue in the NAS.

It might also be useful if you plugged a laptop (or similar) into your 192.168.2.X subnet and try pinging both devices (and their router) and check that they all answer. If so, you can infer that the network and the IP addressing is fundamentally working OK.
 
Caveat: I am not a network guru, VPN or Synology user.

"Would be good for some networking guru to be able to explain it...I like to be able to logically understand how these things work."

"Only wildcarding the whole thing seemed to work, so I still don't get it."

All 192.168.2.x is being routed through the VPN.

"The strange thing is, if I connect the NAS back to the Superhub 3, but leave the Fire TV connected to the VPN router, it works!!"

That would imply 192.168.0.x is being routed locally.

"I want to run both normal and VPN networks in tandem"

'route' command would seem to be the answer not two physical routers.

Can you access the CLI of the NAS?
If so, does it have a netstat or ss command?
 
In data networking, the terms "route" or "routing" have a specific meaning - it means we're talking about activities in "layer 3" of the protocol stack if you know the ISO 7 layer networking model.

Hosts (physically) connected to the same subnet would not be "routing" their traffic at layer 3, it would be "bridged/switched" at layer 2 (most likely ethernet in this case) so it wouldn't pass through the routing engine in the VPN router, it would be switched through said router's in-built ethernet switch.

Very basically, when an IP host wants to send a packet, it examines the source/destination IP addresses combined with the subnet mask and based on that assessment the sending host can determine whether the destination host is on "the same" subnet as itself or a "different" subnet.

If "the same" the packet is sent directly to the target using the local LAN transport mechanism (ethernet.) If "different" the packet is sent to the "default gateway" IP address - ie the routing engine in the local router and the local router has to figure out where to send (route) the packet next.

Thus, one of the beauties of IP is that hosts only need to have knowledge of their local subnet (which is what "IP address," "subnet mask" and "default gateway" settings are all about,) and not the rest of the world - the local router is lumbered with the latter, though in a typical SOHO LAN "the rest of the world" just means "send it up the line to the ISP."

So in the case of the OP, two hosts on the 192.168.2.0/24 subnet that can "see" each other using one IP protocol, should be able to "see" each other using all protocols as the traffic doesn't pass through the routing engine in the VPN router (where the VPN is probably homed,) hence I suspect it's not an issue with routing, VPN etc and more likely to be an issue in the source or sink device.

However, it would be worth checking the "VPN router" really is a "router" to be sure.

OP has a network split into two subnets separated by the VPN Router. "Joining subnets together" is what "routers" do. So traffic on the 192.168.2.0/24 subnet never crosses onto the 192.168.0.0/24 subnet (and vice versa) unless it's explicitly addressed to the other subnet.
 
My point is that we know that traffic can get from Kodi\Fire TV to the NAS so it's technically not a routing being blocked issue as such.

The question is the NFS security permissions on that NAS. Restricting them to the same local LAN appears not to work, so there is either a configuration issue or some weird routing problem, where it may be not connected or routing as the OP intended.
 
Indeed - that's why I think there's some value checking out that the "VPN Router" really is a router.
 
Thanks for all of the replies.

So the VPN router is a Netgear R7000 Nighthawk, on which I have flashed DD WRT v3 firmware. I have set up Openvpn protocol using an ipvanish account.

The VPN router is connected to a LAN port of my Virgin SH3. Both routers are on different subnets, as you mention above.

I think you are right about it being more of a permissions issue with NFS on the NAS, but just couldn't work out why, even when I set permissions to accept anything on the subnet 192.168.2.x, it didn't work. So the only thing that made it work was to set permissions to accept anything (i.e. *.*).
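
An added example, not from any poster in this thread: a small audit of NFS export client specifications, assuming the NAS follows Linux exports(5) matching, where `*` and `?` are hostname patterns and IP ranges are written as CIDR or address/netmask (how DSM stores its rules is not stated in the thread). The export lines, the path `/volume1/video` and the function names are constructed for illustration; the model does not resolve netgroups or DNS.

```python
import fnmatch
import ipaddress

# Constructed sample export lines (not taken from the NAS in the thread).
SAMPLE_EXPORTS = [
    "/volume1/video 192.168.2.*(rw,no_root_squash)",
    "/volume1/video 192.168.2.0/24(rw,root_squash)",
    "/volume1/video 192.168.2.1/255.255.255.0(rw)",
    "/volume1/video *(rw,no_root_squash)",
]

def classify(client):
    """Name the exports(5) client category a spec falls into."""
    if client == "*":
        return "world"
    if client.startswith("@"):
        return "netgroup"
    if "*" in client or "?" in client:
        return "hostname-wildcard"   # wildcards are defined for host names
    try:
        ipaddress.ip_network(client, strict=False)
        return "network"             # single IP, CIDR or address/netmask
    except ValueError:
        return "hostname"

def admits(client, src_ip, reverse_name=None):
    """True if src_ip matches; reverse_name is the client's PTR name, if any."""
    kind = classify(client)
    if kind == "world":
        return True
    if kind == "network":
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(client, strict=False)
    if kind == "hostname-wildcard":  # simplification: needs a resolvable name
        return bool(reverse_name) and fnmatch.fnmatch(reverse_name, client)
    return kind == "hostname" and reverse_name == client

def audit(lines, src_ip, reverse_name=None):
    """Return (client, kind, admitted, risky) for every client on every line."""
    report = []
    for line in lines:
        _path, *entries = line.split()
        for entry in entries:
            client, _, opts = entry.partition("(")
            risky = classify(client) == "world" or "no_root_squash" in opts
            report.append((client, classify(client), admits(client, src_ip, reverse_name), risky))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_EXPORTS, "192.168.2.49"):
        print(row)
```

The `risky` column flags rules that admit every source address or disable root squashing, which is the exposure to review before any port forwarding towards the NAS is added.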
 
One slightly left-field thought - have you got "jumbo frames" enabled on anything - especially the source and sink device. If so, turn it off.

If you don't know what "jumbo frames" means, then don't worry, you are probably not using it.

Is there any particular reason you've split your network into two subnets...? It might make life simpler if you only had a single subnet.

DD-WRT is reputed to be a decent OS. You might get better results using the R7000 as the sole router, either talking direct to VM (I believe VM have relaxed their posture on requiring you to use their router) or switch the VM router into modem mode (if it supports it,) though that means you'll lose the VM's Wi-Fi and all but one of its ethernet ports.
 
I don't know about Jumbo frames.

In terms of the 2 subnets, I'm by no means an expert on networking, and I actually did this as part of following a guide to setting up the VPN router (was a techradar guide). I assumed it needed to be set up that way.

I wanted to keep both routers, as I still have some devices that I don't want to send traffic through the VPN, so just have them hooked up to the Virgin Media hub (devices I want the option of remotely accessing).
 
On the back of the previous comment... Does anyone know if it's possible to remotely access the NAS, which is behind the VPN router?

I realise I can't connect via the VPN IP address, but didn't know if there's a way to do it by somehow connecting through my Superhub 3, which is still accessible through my ISP's external IP address.
 
Is it just a case of forwarding a port on the SH3, to point to the Internal IP of the NAS (which is attached to the VPN router and on a separate subnet)?

SH3 will only let me forward ports for IPs in the same subnet?
 
There are a few ways to do it:

Best would be to set up a "static route" on the SH3 to tell it how to reach the .2 subnet - if it will let you, a lot of SOHO routers lack the facility to create additional routes.

Otherwise would have to connect to 192.168.0.25 and let the VPN router port forward to the NAS by setting up PF's on the VPN Router.

Either way you then need PF's on the VPN router to the NAS.

However, unless you restrict the scope of the VPN Router PF rules to certain IP addresses, you open up the NAS to all hosts on the 192.168.0.0 subnet. Whether you can control/restrict the PF to only certain hosts depends on the VPN router's capabilities.

Because you've ascribed the VPN router's WAN interface address using DHCP, if it ever changes, it'll all break. Probably simplest to ensure you "fix" the DHCP lease in the SH3 so it always presents 192.168.0.25 to the VPN Router's WAN interface.

Alternatively, if the VPN router will let you turn off its NAT and firewall, you won't need the PF's on the VPN router as essentially everything will be open inbound, but you'll still need the static route on the SH3. Again, many SOHO routers won't let you disable the NAT/Firewall on their WAN interface.

If you want to access from the Internet - you can PF from the SH3 to the WAN port on the VPN router (to its 192.168.0.25 address.)

Thence to access from the Internet (if you need to) you probably want to register a domain name with a DDNS provider as your ISP provided SH3 external address can change.

Bear in mind, that whatever ports you so open up on the SH3, are open to the whole world, so it would be a good idea to institute some kind of authentication mechanism (userid & password) on the NAS to police access and open up the barest minimum of ports. Personally, I'd never open up SMB/CIFS/NFS to the outside world, but it's your dime.
 
Thanks for the reply. The SH3 doesn't have the option for static routes, so the second option is probably best.

So just to get my head around the port forwarding:

Say if I want to open port 5001 for my NAS, do I have to port forward 5001 to the 192.168.0.25 address of the VPN router? How do I then have that reach the NAS on IP 192.168.2.12?
 
