Menu
Cart

Synology NAS Port Forwarding & NAT Configuration Guide

Synology NAS Port Forwarding and NAT Made Easy

One of the best things about modern infrastructure is being able to access your NAS from anywhere. Teams need to be able to access files, backups need to be able to run from remote devices, and many applications hosted on the NAS need to be able to connect to the internet.

For this to work, your router needs to know how to send incoming internet traffic to the right device on your network. Port forwarding is the name of that process, and it works with NAT.

A lot of connection problems happen because people don’t understand how these two work together. When you know how the flow works, configuration becomes less of a guessing game.

What NAT Means in Simple Terms

A private IP address is used by every device on your office network. Your ISP gives you a public IP address that the internet can see.

NAT changes requests between your internal devices and the outside world.

The router doesn’t automatically know which device should get the request when someone connects to the internet. Port forwarding is like a map that tells the router where to send traffic.

Request from the Internet → Public IP → Router → Port forwarded → NAS

The router blocks the request for security reasons if it doesn’t forward it.

Before You Begin: What You Need to Know

  • First, give your NAS an internal IP address that won’t change.
    Forwarding rules stop working right away if the address changes.
  • Second, make sure you have the right application ports.
    Don’t open ports that aren’t needed because every open service makes you more vulnerable.
  • Third, find out if your ISP uses CGNAT.
    Port forwarding won’t work if your public IP is shared. Instead, you need to use a relay service or VPN.

Example 1: Accessing DSM from a distance

Goal: Get to the NAS dashboard from outside the network.

The default DSM port is 5001 (HTTPS is recommended).

Rule for the router: External Port: 5001
192.168.1.50 is the internal IP.
Port inside: 5001
TCP is the protocol.

To connect from your browser, go to https://your-public-ip:5001.

The best thing to do is change the external port to something other than 55001 and leave the internal port the same.

Example 2: Using SFTP to Access Files Securely

SFTP lets you send files over the internet without showing the web interface.

First, turn on SFTP in the NAS settings.

Port by default: 22

Rule for the router: Port 2222 on the outside
192.168.1.50 is the internal IP address.
Port 22 on the inside
TCP is the protocol.

To connect, type sftp user@your-public-ip -p 2222.

Changing the external port makes it much less likely that automated attacks will happen.

Example 3: Using NAS to host a website

You need to forward HTTP or HTTPS if your NAS has a web server.

HTTP: Port 80 on the outside goes to Port 80 on the inside.

HTTPS: Port 443 on the outside and 443 on the inside

If your ISP blocks port 80, try using port 8080 instead and connecting with:
http://your-public-ip:8080

Always use HTTPS in production environments.

Example 4: Accessing a VPN server from a remote office

Forwarding just one VPN port is safer than exposing multiple services.

Example of OpenVPN:
Port on the outside: 1194
IP address inside: NAS
Port 1194 on the inside
Protocol: UDP

Users first connect to the VPN, and then they can access the NAS as if they were on the office network. This keeps management interfaces from being directly accessible from the internet.

Things to think about for security

Port forwarding is powerful, but you need to be careful with it.
Don’t ever show services that aren’t needed.

Suggested protections:
Only use HTTPS
Turn on firewall rules on NAS
Set up policies for locking accounts
Turn off default admin accounts
Allow two-factor authentication

If you need more than one service, it’s usually safer to use a VPN than to open a lot of ports.

When Port Forwarding Doesn’t Work

Common causes are double routers, ISP modem routers, or CGNAT connections.

Put the ISP modem in bridge mode to fix common problems.
Forward ports on both routers in networks that are connected in a chain
Use dynamic DNS to change your public IP address.

About Epis Technology

Epis Technology helps companies make virtualization storage environments that can handle real business workloads without crashing. The team looks at the performance needs, picks the right storage architecture, and sets up networking to avoid slowdowns. They combine NAS virtualization with backup systems, Microsoft 365 security, and planning for hybrid cloud continuity. Instead of waiting until later to fix slow systems, deployments are set up to work well from the start. Long-term reliability and predictable performance for growing infrastructure come from regular monitoring and maintenance.

Related Posts