Connect with me!

Have a question? Want to hire me? Reach out and Connect!
I'm available for remote and onsite consulting!
To live chat with me, Click Here!
Synology C2

Synology C2 Firewall Exceptions for C2 Backup, and C2 Storage

Synology C2 Cloud

So if you’re like me, you’ve just deployed your Synology DiskStation DSM NAS to backup to the Synology C2 Cloud (C2 Backup) or access Synology Hybrid Shares (C2 Storage).

But wait, you’re having issues with disconnections or slow speeds? It could be your firewall!

If you have an advanced firewall or an enterprise grade firewall, you’ll need to make some exceptions to avoid HTTPS scanning and interception, IPS, and other mechanisms that could be blocking traffic destined for the Synology’s C2 Cloud.

The Problem

While I wouldn’t necessarily call it a problem, your Synology NAS uses HTTPS (Port 443) to connect to Synology’s C2 Cloud. This actually makes things very easy and in most cases works off the bat with most firewalls.

When it comes to more complicated firewalls or enterprise firewalls, you may have the following technologies deployed which could be causing connection issues to the Synology C2 Cloud:

  • HTTPS Scanning
  • IPS (Intrusion Prevention System)
  • Traffic tagging and identification
  • QoS

The above technologies may either be slowing down or causing issues with communication.

The Fix

Here’s how we’ll configure the Synology C2 Firewall Exceptions!

To fix this, we need to make a few exceptions on the firewall. In my case I’m using a Sophos UTM, however using the information below you should be able to create rules for your own firewall even if the vendor is different.

First, let’s start with Synology’s C2 Cloud DNS hostnames, domains, and IP ranges. I identified these through my own troubleshooting and packet analysis:

Synology C2 Cloud DNS

  • synology.com
  • c2.synology.com
  • us.c2.synology.com

Synology C2 IP Range (CIDR Block)

  • 66.150.175.0/24

Please Note that the above are for the Synology C2 Cloud datacenter in the US region.

We’ll need to create exception rules for the above hosts, and IP range to avoid any type of traffic interception or scanning.

HTTPS Scanning Exclusion

On the Sophos UTM, I created an exception on the HTTPS Scanner to exclude any type of scanning for web (HTTP and HTTPS) traffic destined for these hosts. The entries in the exception are below:

^https?://([A-Za-z0-9.-]*\.)?synology\.com/
^https?://([A-Za-z0-9.-]*\.)?c2\.synology\.com/
^https?://([A-Za-z0-9.-]*\.)?us\.c2\.synology\.com/

I also created a Network Definition Group (called it Synology C2 Group) for the IP CIDR range, along with the DNS hostnames, and added it to the transport mode skiplist under “Skip Transparent Destination Hosts/Nets”.

IPS (Intrusion Prevention)

IPS systems can slow down traffic significantly as they scan inbound and outbound data. This shouldn’t disrupt the connection to the Synology C2 Cloud, but will slow it down.

Using the network definition created above (Synology C2 Group), we’ll go to the IPS settings and create an exception. We’ll disable all IPS features on traffic “Going to these destinations” and apply it to the “Synology C2 Group” network group definition.

QoS and other Systems

You’ll also want to make sure that if your using QoS that you configure the applicable rules to put the priority you want on the Synology C2 Cloud traffic.

After that, you should be good to go and now enjoying the Synology C2 Cloud!

Stephen Wagner

Stephen Wagner is President of Digitally Accurate Inc., an IT Consulting, IT Services and IT Solutions company. Stephen Wagner is also a VMware vExpert, NVIDIA NGCA Advisor, and HPE Influencer, and also specializes in a number of technologies including Virtualization and VDI.

View Comments

  • I spoke with Synology Support and they gave me the IP address ranges for all their C2 datacenters:

    Europe - Frankfurt
    • 159.100.4.10 ~ 159.100.4.19
    • 84.200.39.10 ~ 84.200.39.19
    US - Seattle
    • 66.150.175.15 ~ 66.150.175.22
    • 66.150.175.128 ~ 66.150.175.133
    • 64.124.13.11 ~ 64.124.13.13
    Taiwan
    • 112.121.122.129
    • 112.121.122.11 ~ 112.121.122.13

Leave a Comment
Share
Published by
Stephen Wagner
3 years ago

Recent Posts

How to properly decommission a VMware ESXi Host

While most of us frequently deploy new ESXi hosts, a question and task not oftenly discussed is how to properly decommission a VMware ESXi host. Some might be surprised to… Read More

4 months ago

Disable the VMware Horizon Session Bar

This guide will outline the instructions to Disable the VMware Horizon Session Bar. These instructions can be used to disable the Horizon Session Bar (also known as the Horizon Client… Read More

4 months ago

vGPU Enabled VM DRS Evacuation during Maintenance Mode

Normally, any VMs that are NVIDIA vGPU enabled have to be manually migrated with manual vMotion if a host is placed in to maintenance mode, to evacuate the host. While… Read More

4 months ago

GPU issues with the VMware Horizon Indirect Display Driver

You may experience GPU issues with the VMware Horizon Indirect Display Driver in your environment when using 3rd party applications which incorrectly utilize the incorrect display adapter. This results with… Read More

4 months ago

Synology DS923+ VMware vSphere Use case and Configuration

Today we're going to cover a powerful little NAS being used with VMware; the Synology DS923+ VMware vSphere Use case and Configuration. This little (but powerful) NAS is perfect for… Read More

4 months ago

How to Install the vSphere vCenter Root Certificate

Today we'll go over how to install the vSphere vCenter Root Certificate on your client system. Certificates are designed to verify the identity of the systems, software, and/or resources we… Read More

5 months ago
Powered and Hosted by Digitally Accurate Inc. - Calgary IT Services, Solutions, and Managed Services