Guide How to Turn Your 2 Port Synology into a Router

http://forum.synology.com/enu/viewtopic.php?f=39&t=62014

Post by mortral » Fri Jan 04, 2013 3:46 pm

I ran into a few troubles with this, so maybe someone will find it helpful.

The problem: I have a Synology DS1512+ with two ethernet ports. One of them is connected to my home network, the other unused. I wanted to use the free port to extend the network to another computer.

The solution: The interfaces should be separated under Control Panel-Network, not bridged. Both interfaces have a static IP in my case; I guess it would also be OK to let the one that is connected to the internet be managed by DHCP.
I have installed the DHCP server (the one from Synology) and turned it on only for the interface not connected to my home network (LAN2).
The interfaces should be on different subnets – I have 10.0.0.x on the first and 192.168.1.x on the second. The DHCP server enabled on the DiskStation distributes IP addresses on the same subnet (192.168.1.x), with the DiskStation (192.168.1.1) as gateway.

The VPN server should be enabled too, because it loads the iptables modules. It is also possible to do this manually.

On the command line I turned on NAT with the command:

Code:
iptables -t nat -A POSTROUTING -j MASQUERADE

I do not recommend this without IP filters for Diskstations connected directly to the Internet, but mine is in my home network, so I didn’t add any.

The last problem was, how to make the iptables rule survive a reboot. That one took a while to solve – adding a startup script didn’t work – the rules were being flushed at some time after startup. Finally I added the command to

Code:
/volume1/@appstore/VPNCenter/scripts/openvpn.sh

after the command which it adds by itself

Code:
/sbin/iptables -t nat -A POSTROUTING -s ${LOCALIP}/24 -j MASQUERADE

That did the trick.
Also, ip-forwarding should be enabled, but I guess it is by default. Mine was.

Have fun.

mortral
I’m New!
Posts: 1
Joined: Fri Jan 04, 2013 2:58 pm

Re: Guide How to Turn Your 2 Port Synology into a Router

Post by qpkorr » Tue May 28, 2013 4:20 pm

Hey, thanks for your post. I spent quite a while getting the same functionality working the first time, and just had to redo it (with rather imperfect notes) after upgrading to DSM 4.2.

Your message would have helped me a lot, had we not both been doing it at very much the same time!

To add my own experiences and thoughts, in case they help others…

I have a DS 412+, with two LAN ports also, so same idea. In my case my two separate subnets are 192.168.1.1 and 192.168.2.1 – with DHCP running on the second, internal port. In particular, my goal was (without buying a gigabit switch) to get a gigabit link between my NAS and laptop, but also to have internet through that link, since I found that plugging in the LAN cable disabled my laptop’s internet over wifi. Since the NAS was net connected to my router – it seemed to make sense.

I didn’t much like the idea of having OpenVPN enabled when I wasn’t using a VPN – and I also found that IP Forwarding was DISABLED by default.

My current solution is to add a startup script called

Code:
/usr/syno/etc.defaults/rc.d/S01iptables_nat.sh

that contains

Code:
#!/bin/sh
# Script to enable IP forwarding and IP masquerading, to share
# the primary internet connection to the second port of DS412+

# Enable IP forwarding, in case not enabled by default
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load the required modules
/usr/syno/etc.defaults/rc.d/S01iptables.sh load_nat_mod forwarding_test

# Define the masquerading rule
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I’m not sure of the actual intended purpose of the 'forwarding_test' – but it seems to load the required modules with minimal extra stuff, though perhaps that’s little different to the openvpn approach.

The name of the script ensures it’s run after S01iptables.sh, which I think might be important.

qpkorr
I’m New!
Posts: 1
Joined: Tue May 28, 2013 4:05 pm
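
The MASQUERADE rules in the two posts above differ in scope: the first has no interface or source match, the VPN script's rule matches a source subnet, and the second post's rule matches the outgoing interface eth0. As an added example (not code from the thread), this shell script classifies the MASQUERADE rules in `iptables-save` style input by scope; the sample ruleset and the 10.8.0.0/24 subnet are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify MASQUERADE rules from iptables-save style input.

# Print the scope of one rule line: unscoped, out-if, source or scoped.
# Prints nothing for lines that are not "-A ... -j MASQUERADE" rules.
classify_rule() {
    out_if=""; src=""; target=""
    set -f; set -- $1; set +f      # split on whitespace without globbing
    [ "${1:-}" = "-A" ] || return 0
    while [ $# -gt 0 ]; do
        case "$1" in
            -o|--out-interface) out_if="${2:-}" ;;
            -s|--source)        src="${2:-}" ;;
            -j|--jump)          target="${2:-}" ;;
        esac
        shift
    done
    [ "$target" = "MASQUERADE" ] || return 0
    if [ -n "$src" ] && [ -n "$out_if" ]; then echo scoped
    elif [ -n "$out_if" ]; then echo out-if
    elif [ -n "$src" ]; then echo source
    else echo unscoped
    fi
}

# Read rules on stdin and print "LEVEL scope: rule" for each MASQUERADE rule.
audit_masquerade() {
    while IFS= read -r line; do
        scope=$(classify_rule "$line")
        case "$scope" in
            "")       continue ;;
            scoped)   level=OK ;;
            unscoped) level=WARN ;;
            *)        level=PARTIAL ;;
        esac
        printf '%s %s: %s\n' "$level" "$scope" "$line"
    done
}

# Constructed sample (not captured from a real DiskStation); 10.8.0.0/24
# stands in for the ${LOCALIP}/24 value the VPN script fills in.
sample_rules() {
    cat <<'EOF'
*nat
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

sample_rules | audit_masquerade
```

On a box where `iptables-save` is available, its `-t nat` output can be piped into `audit_masquerade` in place of the sample. Negated matches (`! -o eth1`) are not interpreted by this classifier.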

Re: Guide How to Turn Your 2 Port Synology into a Router

Post by tymusz » Tue Sep 17, 2013 1:29 pm

Works like a charm, when done right. Some minor details for noobs like me:

You need the Config File Editor. Open the 'Package Center', click 'Settings' and under 'Package sources' add 'http://packages.quadrat4.de'. Now, install the Config File Editor found under 'community'.

With DSM 4.2 and up, the Config File Editor may tell you (something in the regions of) 'Please log in as admin'. For this to work, log in as admin, then go to control panel, select 'DSM settings', tab security, and deselect 'improve protection against cross-site request forgery attacks'.

Now, open the Config File Editor. From the drop down 'Choose config file', select 'Config File Editor' (yes, we’ll config the config editor using the config editor). Now add the line:

Code:
/usr/syno/etc.defaults/rc.d/S01iptables_nat.sh,IP Forwarding

and click 'save'. Now, restart the config file editor, and from the 'choose config file' dropdown, select 'IP Forwarding'.

Next, add these lines (same as in the post above, but I stripped the comments):

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
/usr/syno/etc.defaults/rc.d/S01iptables.sh load_nat_mod forwarding_test
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Hit the save button (which may be grayed out when just pasting the text; in that case, just add an enter to the config file. This should enable the save button again).

Now reboot your DS, and forwarding works, using eth0 as the interface facing internet, and eth1 as your LAN network.

tymusz
I’m New!
Posts: 3
Joined: Tue Sep 17, 2013 1:07 pm

Re: Guide How to Turn Your 2 Port Synology into a Router

Post by m1thr4nd1r » Tue Dec 03, 2013 6:21 am

When I rebooted nothing happened. I may have missed something in the thread but Linux normally requires all startup scripts to be executable, so I ssh’d to the DS and executed:

chmod +x /usr/syno/etc.defaults/rc.d/S01iptables_nat.sh

and ran it, and now forwarding appears to be working.

m1thr4nd1r
I’m New!
Posts: 1
Joined: Tue Dec 03, 2013 6:16 am