Sep 132021
 
Synology C2 Cloud Logo

So if you’re like me, you’ve just deployed your Synology DiskStation DSM NAS to backup to the Synology C2 Cloud (C2 Backup) or access Synology Hybrid Shares (C2 Storage).

But wait, you’re having issues with disconnections or slow speeds? It could be your firewall!

If you have an advanced firewall or an enterprise grade firewall, you’ll need to make some exceptions to avoid HTTPS scanning and interception, IPS, and other mechanisms that could be blocking traffic destined for the Synology’s C2 Cloud.

The Problem

While I wouldn’t necessarily call it a problem, your Synology NAS uses HTTPS (Port 443) to connect to Synology’s C2 Cloud. This actually makes things very easy and in most cases works off the bat with most firewalls.

When it comes to more complicated firewalls or enterprise firewalls, you may have the following technologies deployed which could be causing connection issues to the Synology C2 Cloud:

  • HTTPS Scanning
  • IPS (Intrusion Prevention System)
  • Traffic tagging and identification
  • QoS

The above technologies may either be slowing down or causing issues with communication.

The Fix

Here’s how we’ll configure the Synology C2 Firewall Exceptions!

To fix this, we need to make a few exceptions on the firewall. In my case I’m using a Sophos UTM, however using the information below you should be able to create rules for your own firewall even if the vendor is different.

First, let’s start with Synology’s C2 Cloud DNS hostnames, domains, and IP ranges. I identified these through my own troubleshooting and packet analysis:

Synology C2 Cloud DNS

  • synology.com
  • c2.synology.com
  • us.c2.synology.com

Synology C2 IP Range (CIDR Block)

  • 66.150.175.0/24

Please Note that the above are for the Synology C2 Cloud datacenter in the US region.

We’ll need to create exception rules for the above hosts, and IP range to avoid any type of traffic interception or scanning.

HTTPS Scanning Exclusion

On the Sophos UTM, I created an exception on the HTTPS Scanner to exclude any type of scanning for web (HTTP and HTTPS) traffic destined for these hosts. The entries in the exception are below:

^https?://([A-Za-z0-9.-]*\.)?synology\.com/
^https?://([A-Za-z0-9.-]*\.)?c2\.synology\.com/
^https?://([A-Za-z0-9.-]*\.)?us\.c2\.synology\.com/

I also created a Network Definition Group (called it Synology C2 Group) for the IP CIDR range, along with the DNS hostnames, and added it to the transport mode skiplist under “Skip Transparent Destination Hosts/Nets”.

IPS (Intrusion Prevention)

IPS systems can slow down traffic significantly as they scan inbound and outbound data. This shouldn’t disrupt the connection to the Synology C2 Cloud, but will slow it down.

Using the network definition created above (Synology C2 Group), we’ll go to the IPS settings and create an exception. We’ll disable all IPS features on traffic “Going to these destinations” and apply it to the “Synology C2 Group” network group definition.

QoS and other Systems

You’ll also want to make sure that if your using QoS that you configure the applicable rules to put the priority you want on the Synology C2 Cloud traffic.

After that, you should be good to go and now enjoying the Synology C2 Cloud!

  2 Responses to “Synology C2 Firewall Exceptions for C2 Backup, and C2 Storage”

  1. I spoke with Synology Support and they gave me the IP address ranges for all their C2 datacenters:

    Europe – Frankfurt
    • 159.100.4.10 ~ 159.100.4.19
    • 84.200.39.10 ~ 84.200.39.19
    US – Seattle
    • 66.150.175.15 ~ 66.150.175.22
    • 66.150.175.128 ~ 66.150.175.133
    • 64.124.13.11 ~ 64.124.13.13
    Taiwan
    • 112.121.122.129
    • 112.121.122.11 ~ 112.121.122.13

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)