Firewall – General Setup and Exceptions

If you have enabled and configured the Synology Firewall, you will need to create exceptions for any containers that have a Web UI or have any incoming or outgoing connections.

Make a note of the ports used in the compose section of the guide you are following; these are the ones you need to create exceptions for.

Please note this is a generic section and will not show the specific ports used in the guide you came from, however it applies in the same way.

Also, I would like to refer people to the great guide on getting the Firewall correctly configured over on WunderTech's site.

Head into Control Panel > Security > Firewall. From here, click Edit Rules for the profile you set up when you enabled the Firewall.

Next click on Create and you will see the screen below. Source IP and Action will be automatically set to All and Allow. I will leave it up to you as to your own preference on whether you want to lock down access to specific Source IPs. In this example we will leave it as All.

Now choose ‘Custom’ and then click the Custom button.

Now select Destination from the drop-down menu. Most web-based containers require TCP access, but check the guide as it will show the port and protocol. Then add the ports, separated by commas, and press OK.

Click OK a couple of times to get back to the main screen. You will see that by default the new rule is added to the bottom of the list. Rules are applied top down, so your Block All rule must always be last in the list; move your container rule up above it.
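
The ordering rule above, as an added example (not code from this guide or from Synology): a simplified first-match model of a rule list that shows which rule decides a connection and flags rules that can never fire because an earlier rule already covers them. The rule names, addresses and ports are constructed placeholders, and the model assumes only the top-down behaviour described above.

```python
"""First-match rule evaluation: why the Block All rule has to stay last."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    source: str = "0.0.0.0/0"        # source network; the default stands for "All"
    protocol: str = "any"            # "tcp", "udp" or "any"
    ports: frozenset = frozenset()   # empty set stands for all ports

    def matches(self, src, protocol, port):
        return (ip_address(src) in ip_network(self.source)
                and self.protocol in ("any", protocol)
                and (not self.ports or port in self.ports))

    def covers(self, other):
        """True when every packet matched by `other` is also matched by self."""
        ports_ok = not self.ports or (bool(other.ports) and other.ports <= self.ports)
        return (ip_network(other.source).subnet_of(ip_network(self.source))
                and self.protocol in ("any", other.protocol) and ports_ok)

def decide(rules, src, protocol, port):
    """Walk the list top down; the first matching rule decides."""
    for rule in rules:
        if rule.matches(src, protocol, port):
            return rule.action, rule.name
    return "no-match", None

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]

# Constructed rule set; names, addresses and ports are placeholders.
MGMT = Rule("DSM from LAN", "allow", "192.168.1.0/24", "tcp", frozenset({5001}))
BLOCK_ALL = Rule("Block All", "deny")
CONTAINER = Rule("Container Web UI", "allow", protocol="tcp",
                 ports=frozenset({8080, 8443}))

as_created = [MGMT, BLOCK_ALL, CONTAINER]   # new rule appended at the bottom
reordered = [MGMT, CONTAINER, BLOCK_ALL]    # container rule moved above Block All

if __name__ == "__main__":
    for label, rules in (("as created", as_created), ("reordered", reordered)):
        print(label, decide(rules, "192.168.1.50", "tcp", 8080),
              "shadowed:", shadowed(rules))
```

With the rule left where it was created, the container port is denied by Block All and the new rule is reported as shadowed; after the reorder it is allowed and everything not listed still falls through to Block All.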

The changes are complete, so you can move on with the rest of the instructions from the guide you were following.

2 Comments

  1. Thanks for the great guide. I had to reconfigure the YAML to have the container run on the Host Network. Otherwise I could connect to the VPN, but I couldn’t reach anything on the local network.
    How would it work with a Bridge network – as I haven’t been able to get it to work. It basically can’t connect the local network then.

    • Dr_Frankenstein

      Essentially with the Firewall enabled you need to add exceptions for every single service and subnetwork you set up, so in the case of the VPN (GlueTUN) you would add exceptions for the ‘synobridge’ subnet 172.20.0.1, if you set up WGEasy then it would require the inbound port as an exception. With containers with no set bridge network this can be challenging as the IPs change on each start up, so you could set up a user defined bridge like the original synobridge guide e.g. vpnbridge (note this does not route VPN traffic!) and add its subnet as an exception… essentially the Firewall is doing its job but adds the layer of complexity to everything you add.

drfrankenstein.co.uk – writing Synology Docker Guides since 2016 – Join My Discord!