External Access to Synology (Port Forwarding/Dynamic DNS)

New to Synology with a DS220+. Where to begin…

Everything was pretty straightforward and I appear to have the apps working as needed, and external access is working when using QuickConnect. QuickConnect is convenient and fantastic, and QuickConnect also has a few limitations when it comes to how apps interact remotely.

Looking to set up an external subdomain to point to the server. While I have been poring through loads of tutorials on the topic, something keeps getting tripped up, which I am guessing is somewhere in the port-forwarding space.

Made a ton of progress and now just spinning…so many rabbit holes and each empty.
Also a little overwhelming now and think getting the dynamic url forwarder working to synology admin page would be the next hiccup to resolve.

OBJECTIVE: CUSTOMER URL FOR EXTERNAL ACCESS FOR…

  • AFP access to mount server from remote network (& smb if required for other apps)
  • HTTPS access to admin page
  • WebDav
  • Primarily for iOS Files and various applications to access seamlessly
  • Everything secured w/certificates and working through VPN.
    Certificates reserved for next step and after that VPN…both of these are disabled for now.

ENVIRONMENT

  • Apple Time Capsule
  • Port forwards from pre Synology hardware that appear to work…
  • Hardware mapped to MAC IDs (except synology)
  • Mac desktop running BigSur 11.1
  • Synology DS220+ running DSM 7.0-41890 (same issues on previous version)
  • Dynamic DNS relay
  • Custom domains available (have a few)
  • Firewall / VPN disabled on Synology
  • VPN disabled on Mac

WORKING

  • Synology services internally (all)
  • Outside access to Synology DS via QuickConnect (browser/iOS “DS file” and Drive)
  • Dynamic DNS relay (think it works as it asks for credentials, however see below)
    Evidenced by request for credentials when using Connect to Server + DynamicDNS url

NOT WORKING

  • Outside access to Synology DS via dns forwarder as credentials not accepted…see below…
  • Expecting more to add here…first things first to get forwarder to the synology admin page.
  • Assigning synology Mac ID in Time Capsule seems to screw things up…
  • Assigning a fixed IP via Time Capsule and/or Synology seems to screw things up…

UNKNOWNS

  • To be added

SMB/AFP ERROR VIA CONNECT TO SERVER
This appears to connect insofar as a screen appears requesting credentials. From there, however, the following error…an error which it appears could be from anything…
“The version of the server you are trying to connect to is not supported. Please contact your system administrator to resolve the problem.”


This might seem like a lot for anyone reading…that or people understand and either something easy to those w/more experience, or still a lot either way. Any support is appreciated…

From a security point of view, I would really recommend you get the VPN up and running first of all. There are a lot of services you plan to expose here, so it will potentially be a big task to secure all of them. Better perhaps to tunnel all traffic through the VPN first. That way you can hide from the bots scanning for additional open ports.

3 Likes

Absolutely! 🙂

I went with QuickConnect, I disabled every service and protocol I do not need and I did not bother with anything else. QuickConnect provides security and ease of use. Accessing the Synology via VPN might be a good option if you do not stick with QuickConnect.

If you really plan connecting the Synology directly to the internet, you will have to deal with security on an ongoing basis. You will have to monitor the network and logs. You potentially will be dealing with ongoing attacks. And if one succeeds, your data will be compromised. And if the Synology gets hijacked, every other device on your local network is being exposed to it, too. What I am trying to say is that connecting a server to the internet is not an easy task. When it is working, it is something that has to be secured.

I did not feel comfortable or capable doing that. If I need a server on the internet, it definitely is not being located within my local network at home… I do not trust my abilities enough to get this done in a safe way.

2 Likes

Yes yes… understand.

Thinking is there is nothing much of value at the moment, and the VPN issues are a world unto their own, so looking to get everything stood up and working, then add in the certificates and then lastly the VPN…and after that is up to start using the Synology w/data.

How do you get quick connect working, then, with apps and such that are looking for domains?
Any way to get quickconnect working w/a customer url?

That would be much easier…stick w/QuickConnect from a custom domain name so long it is available to all apps/services?

That’s not how Quick Connect works. It is “simply” remote
access into your NAS, with support for the Synology apps.

Here is the white paper which might help with understanding

Synology Quick Connect White Paper

1 Like

First question: it’s not clear if you have a static IP or not.

1 Like

Certificates are a huge PITA. I never did get mine working. Certs don’t work well with moving targets (ie. IP addresses).

2 Likes

That’s the intent of the Dynamic DNS Relay.

While they can work, the challenge is in the “timing”.
A query is made to @pixr’s idontwanttovpn.com, an
address of 1.2.3.4 is returned. Connection is made.
Then ISP reissues address to 4.3.2.1, no connection
can be made to the FQDN until the Dynamic DNS
service “catches up” to the changed address.

So you have 2 factors at work, 1) how often does your
ISP reissue addresses? and 2) how often does your DDNS
service poll?

Agree, certs can be problematic. I would think though of
how much volume am I planning for? Is it going to be me
and one other person? Nothing is mission/time critical?
Then sure skip the cert, and try the DDNS. If we can’t tell
that we are on the site we requested (which is the purpose
of the cert) and are willing to experience “some” network
miscues, this approach will work
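An added example, not part of the original posts: the timing gap described above, measured from a log of periodic checks. The timestamps, the poll interval and the TTL are constructed assumptions; only the two addresses come from the post. While a window is open the hostname points at an address the ISP may have handed to someone else, which is the case the certificate check exists to catch.

```python
from datetime import datetime, timedelta

# Constructed sample log: (check time, WAN address currently assigned by the
# ISP, address DNS returned for the hostname). Addresses are the post's own.
OBSERVATIONS = [
    ("2021-07-01T10:00", "1.2.3.4", "1.2.3.4"),
    ("2021-07-01T10:05", "1.2.3.4", "1.2.3.4"),
    ("2021-07-01T10:10", "4.3.2.1", "1.2.3.4"),  # ISP reissued the address
    ("2021-07-01T10:15", "4.3.2.1", "1.2.3.4"),  # DDNS has not caught up yet
    ("2021-07-01T10:20", "4.3.2.1", "4.3.2.1"),  # record updated
    ("2021-07-01T10:25", "4.3.2.1", "4.3.2.1"),
]


def stale_windows(observations):
    """Return (start, end, stale_ip) spans where DNS disagrees with the WAN IP.

    end is None when the record is still stale at the last observation.
    """
    windows = []
    start = stale_ip = None
    for ts, wan_ip, dns_ip in observations:
        t = datetime.fromisoformat(ts)
        if wan_ip != dns_ip:
            if start is None:            # first mismatching check opens a window
                start, stale_ip = t, dns_ip
        elif start is not None:          # first matching check closes it
            windows.append((start, t, stale_ip))
            start = stale_ip = None
    if start is not None:
        windows.append((start, None, stale_ip))
    return windows


def worst_case_stale(poll_interval, ttl):
    """Upper bound on the gap, assuming the provider applies updates at once:
    the updater notices the change up to one poll late, and a resolver that
    cached the old record just before the update keeps it for one more TTL."""
    return poll_interval + ttl


if __name__ == "__main__":
    for start, end, ip in stale_windows(OBSERVATIONS):
        print(f"hostname pointed at old address {ip} from {start} until {end}")
    print("worst case:", worst_case_stale(timedelta(minutes=5), timedelta(minutes=10)))
```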

Here is an excellent (paid) series of tutorials on Synology that will answer most of your questions. Only problem is that it’s in German. Luckily it’s my 2nd language so I was able to follow them all.

Right, and since that is not how it works…it looks like I need to go the harder route as outlined by the original post.

Clarification for static ip:
When assigning a static ip on the internal network, synology connections break. I have other devices mapped to static IPs with their MAC IDs, however when I do the same for Synology things break…

Short answer: Internal static ip is not active.

  1. Thankfully the IP itself does not change all that often.
  2. When the IP does change, the Dynamic DNS IP updater informs the service of the new IP,
    and the service then informs the domain prefix (in theory) of the change so it is often updated.

Mainly just me; wife would only need a dropbox webdav solution to save photos and such.
Mission critical, well, the intention would be for the Synology server to be the heartbeat of everything.

Had a little German in college and didn’t go anywhere w/it…LOL

Found all kinds of excellent online tutorials for setting up components of Synology and I was actually surprised how quick it was up and running from opening the box to having the needed services running smoothly. Equally surprised how everything (including drive trays) are 100% plastic.

Do you mean a static ip for the Synology unit?

(How do you map the MAC addresses? Through your router? Which one?)

Yes, that is the way it is supposed to work.
Obviously some services are better than others

OK - maybe I am overthinking this and there is a much easier simpler and safer way…

Here is the goal:

Easy access to a centralized personal file server, regardless if at home or while traveling, from Mac and iOS devices where applications on either platform can easily interact (retrieve, save, copy, move etc)

So when using the Camera Roll on iPhone, I can easily save images to a number of different locations on the remote server. When on the laptop, mount the file server in the left side as if it were a USB drive plugged in, from the same network (which works fine) or when traveling (connects but that message posted above.) When using Apple Numbers or Pages (regardless if iOS or Mac, home or traveling) they are reading the same golden file from the same location.

A simple self-hosted WebDAV cloud would suffice and I have spent years on-and-off taking passes at accomplishing this goal…a use case one would expect isn’t that unique…a use case that would have been solved by now (w/o the dependency of 3rd party cloud services).

As has been suggested in this thread and the one prior,
a VPN is a better fit for your use case.

As you know, your Synology comes with a VPN “package”
While not enterprise level, it is certainly a viable solution.

However, in all cases, a static IP solves a lot of problems.
I would shop the various DDNS providers