Synology SRM 1.3 Software Review Part 2 – Safety & Security


 

Synology Router Manager 1.3 Review Chapters

SRM 1.3 Synology Router Software Review, ALL Parts - HERE
SRM 1.3 Synology Router Software Review, Part 1, Design & Control - HERE
SRM 1.3 Synology Router Software Review, Part 3, Network Management - HERE
SRM 1.3 Synology Router Software Review, Part 4, Safe Access - HERE
SRM 1.3 Synology Router Software Review, Part 5, USB Storage Services & Conclusion - HERE 

Synology SRM 1.3 Review – General Security & Safety


Regardless of whether you are a home or business user, the security of your network is going to be one of your priorities very early on. That covers everything from internal network security between the devices exchanging packets of data via the router, right the way to how the router governs and manages the stream of data coming from your internet connection. If a router isn’t particularly secure, you will all too quickly find out! Worse still, if you are an inexperienced network technology user or a business lacking in-house IT support, then configuring a router to be as secure as possible within your specific network environment is going to be even more of an uphill battle. SRM 1.3 tackles this in several very clear ways. First off, despite its incredibly user-friendly browser GUI, the majority of its more potentially insecure architecture elements (i.e. those that could be disastrous in the wrong hands if you mishandle them or leave them open) are either disabled by default or locked behind more advanced configuration windows/portals. Some are more obvious than others, such as port forwarding settings (common to all routers and not something anyone should touch without reason) and IP/MAC address blocking, which are all quite useful, but common. However, there are little things of note that are impressively specific to SRM 1.3, such as the power-user admin account being disabled by default. Even now in 2022, that is still not the case for many routers (including ISP ones), and those routers have those same power-user credentials printed on the base of the router.



Additionally, all devices (both current and, for a period, historical) are tracked in SRM. This allows you to monitor their behaviour, block them, or label them for later use in ‘Safe Access’.



If you have additional SRM 1.3 software user accounts, there are several options for restricting an account’s access (IP locking, restricting individual app/storage access, removing SRM 1.3 dashboard access, etc.). That also extends to auto-block methods that will change the parameters for a scenario where someone is trying to log into an account erroneously.



When it comes to what services, features and applications the router with SRM 1.3 is running, there is a single-portal control list that allows you to quickly disable them in the event you need to shut everything down tight or just want to troubleshoot each service one by one. This list of services and the level of control will differ depending on whether you are using the router as a primary or secondary system, but having a single page from which to shut down any active internet/network service is really handy.



Then there are the inbuilt firewall settings that allow you to use preset configurations for securing your internet access point, as well as the means to create a much more customized set of firewall rules. It has to be said that the bulk of things covered in security in SRM 1.3 so far are available on the bulk of prosumer routers, just not presented in a way as user-friendly as here and not to the same extent in most cases.



Then there is the inclusion of the Synology VPN software within SRM 1.3. VPN Plus allows your Synology Router to host a powerful VPN server that is easy to set up and manage. It supports SSTP, OpenVPN, L2TP over IPSec, as well as Synology’s own SSL VPN protocol and lightweight desktop client. Web-based portal VPN gives users direct access to company intranet sites and there is even an option to provide employees with browser-based remote desktop access. The Synology VPN is a service that supports SSL fast authentication and encryption access to webpages, files, and applications on the Internet (as well as local networks). Here, you can customize things like the Client IP range, Self-owned domain name, ports, security level, authentication, and others. You can also enable split tunnelling, which allows users to connect to destination webpages, applications, and servers in certain local subnets or local IP ranges.



Each Client VPN Access License allows one concurrent user account to use Synology WebVPN, SSL VPN and SSTP, with permanent validity upon activation. Every Synology product that supports VPN Plus comes with a free license. To add more concurrent user accounts at no additional cost, simply sign in to Synology Router Manager (SRM) as an administrator to activate additional free licenses. You can assign permissions to more user accounts than installed licenses. All the accounts are given access on a first-come, first-served basis. When the license quota is reached, no more accounts will be given access until other accounts are disconnected from all Synology SSL VPN, WebVPN, and SSTP services. Once a user account is connected to VPN Plus and starts using any of the three features, it will be allowed to use any of the other features on the same or different devices at once without requiring extra licenses. Each additional connection beyond the first requires registration of a free license.

Features | Pre-installed free license | Additional free client VPN access licenses
Service: Synology SSL VPN, WebVPN, SSTP | 1 concurrent account | Up to product specifications
Service: OpenVPN, L2TP over IPsec, PPTP | Unlimited connections (up to product specifications)
Management: Real-time traffic monitor | V
Management: Connection history | V
Management: Service-based permissions | V
Management: Bandwidth control | V
Management: Block list | V

For those that want to get even more beefed up in the security stakes when accessing the controls and complete GUI of SRM 1.3, you also have the option to secure the connection with a free and easy installation of Let’s Encrypt certificates from within the control panel. This is a small extra that you can of course manage for the most part with many other paid certificates if you prefer, but it is still good to have this option available from within the software and that it guides you through the process too.



Speaking of guiding the user through the process, SRM 1.3 also includes the Security Advisor tool (much like the one found in NAS and DSM) that analyzes your system and then provides you with details on how you can strengthen the safeguards, settings and setup of your router. The extent to which it will check and report can be configured in its settings menu, but even in the default configuration, it is quite thorough.



Upon completion of a scan, SRM 1.3 will then provide suggestions on what you need to correct/improve upon. Again, a lot of this is going to be a bit common-internet-sense-101 (e.g. don’t use ‘password’ as your password), but it does include several more business-focused recommendations if you choose that level of scanning. The scanning with the Security Advisor can be triggered manually or set to a regular schedule from within the software and can also be linked to notifications if a potential vulnerability or router weakness is highlighted. This then allows you to connect with the router, assess the severity of it and then proceed accordingly.



When it comes to accessing the router and SRM 1.3, local access (e.g. from on the same network) will be relatively straightforward, and unless you have blocked SRM access on a specific account or your IP/subnet/etc. are different to the system, you should have fairly direct and secure access up to this point. But what about remote/internet access? Sometimes you will want to access the router and SRM 1.3 to quickly reach a setting/service (perhaps for IT troubleshooting or simply a family member having difficulty with the network). In that case, you can use the popular Synology QuickConnect service (much like their NAS) to tunnel into the router and SRM 1.3 securely from anywhere in the world, via Synology’s encrypted servers. This is a completely free service that is included with ALL Synology products and can also be customized to only allow access via very specific means and by very specific people too.



Then you have ‘Safe Access’, one of the jewels in the crown of SRM 1.3. I will go into more detail on the Safe Access service later on, but in terms of security, alongside a whole bunch of ways to craft a safe and trusted internet access point for your router users, Safe Access also allows you to enable forced Google Safe Browsing and enable the Threat Intelligence database tool. So, let’s go through these two forms of network protection, what they do and how they help.



The safe search functionality allows you to automatically shift the results of popular internet search tools and some social platforms into ‘safe’ mode, disabling any NSFW content. This will also overwrite any custom policies that users logged into those sites will have (i.e. a logged-in Google account set to show all results will be overridden by the router enforcing safe search rules). This is a feature that is widely available on ISP routers and other paid premium routers, HOWEVER, on those you lack the scaled options of off/low/moderate/high, as well as the option to scale these to individual users/devices on the system and to apply different policies to different sites. E.g. you want your employees to have full and unrestricted access to YouTube and social sites for marketing purposes, but want adult content restricted on typical Google search results in the workplace.



Now, Synology’s Threat Prevention dynamically guards the security of your Synology Router and the devices on your network by inspecting Internet traffic as it is handled, detecting and dropping malicious packets. It also records network events for statistical analysis of malicious sources and their severity. Threat Prevention is arguably less advanced in its architecture compared with Safe Access, but is still a great tool in a much broader way.



Understanding the difference between these two approaches to protect your network and your network client base is quite straightforward. They represent two different approaches to your network security. Safe Access is DNS- and IP-based. It integrates several external databases (including Google Safe Browsing) that identify domains and IPs related to malware, phishing, botnets, command and control servers, social engineering, etc. When a device in the network attempts to access the blacklisted destinations, Synology Router prevents the connection from even being established. Threat Prevention, on the other hand, is signature-based. It monitors incoming and outgoing traffic using Deep Packet Inspection (DPI), not just checking the domain or IP, and is able to drop any malicious packet detected in real-time. In addition to Internet attacks, Threat Prevention can alert you to inappropriate user behaviour, such as sending passwords through unencrypted HTTP traffic. Both packages work automatically. You can review the event logs and adjust the actions, but even if you don’t, they still silently protect you in the background.
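The contrast between a destination blocklist and payload signatures can be sketched in a few lines. This is an added example, not Synology's code or part of the original review: the blocklist entries, the regular-expression signature and the sample flows are all constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample data using documentation-reserved names and addresses.
BLOCKED_DOMAINS = {"malware.example", "phish.example"}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical signature: a password-like field inside a plaintext HTTP request.
CLEARTEXT_PASSWORD = re.compile(
    rb"^(?:POST|GET) \S+ HTTP/1\.[01]\r\n.*?\b(?:password|passwd|pwd)=[^&\s]+",
    re.IGNORECASE | re.DOTALL,
)


def destination_check(domain, ip):
    """DNS/IP-style check: decided before any payload is exchanged."""
    labels = domain.lower().rstrip(".").split(".")
    # Match the name itself and every parent, so cdn.malware.example is covered.
    parents = {".".join(labels[i:]) for i in range(len(labels))}
    if parents & BLOCKED_DOMAINS:
        return "block: domain on blocklist"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCKED_NETS):
        return "block: IP on blocklist"
    return "allow"


def payload_check(payload):
    """Signature-style check: looks inside the packet contents."""
    if CLEARTEXT_PASSWORD.search(payload):
        return "alert: password sent over unencrypted HTTP"
    return "pass"


def inspect(flow):
    """Run both layers in order; a blocked destination never reaches DPI."""
    verdict = destination_check(flow["domain"], flow["ip"])
    if verdict != "allow":
        return verdict
    return payload_check(flow["payload"])


# Constructed flows: two bad destinations, then a clean destination that
# carries a cleartext login, then the same destination with a harmless request.
FLOWS = [
    {"domain": "cdn.malware.example", "ip": "198.51.100.7", "payload": b""},
    {"domain": "unknown-host.example", "ip": "203.0.113.9", "payload": b""},
    {"domain": "forum.example", "ip": "198.51.100.20",
     "payload": b"POST /login HTTP/1.1\r\nHost: forum.example\r\n\r\n"
                b"user=bob&password=hunter2"},
    {"domain": "forum.example", "ip": "198.51.100.20",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: forum.example\r\n\r\n"},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["domain"], "->", inspect(f))
```

The third flow is the case the destination check cannot see: the host is on no blocklist, so only the payload signature raises the alert.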



The known target lists and algorithms that each of these tools use (and the other connected databases that feed into the intelligent actions and alerts) are updated regularly in the system database and, by default, are automatically downloaded to their latest versions. It is recommended that you never change these settings.



Overall, the background and passive security settings that are configurable in SRM 1.3 are not an enormous leap, at least in terms of the broad result, over those of more premium routers in the market. What sets SRM 1.3 apart from them though is that it is presented in a much more user-friendly fashion, is considerably more scalable and provides a considerable amount of flexibility that most other routers would limit to an ON/OFF switch. The Threat Prevention tool can be a little underwhelming (perhaps needing more attention than it has, especially compared with Safe Search) but overall the security and safety of internet connectivity via a Synology router and SRM 1.3 is still very good.


 


63 thoughts on “Synology SRM 1.3 Software Review Part 2 – Safety & Security”

  1. I’ll agree to a great review, and you have mentioned a lot of things which are really helpful (not for me) but for others sure.
    What I want to comment on is your surprise that the RT6600ax comes with the SRM 1.3 and the older devices are still SRM 1.2. Well, this is what Synology was presenting from “Day One” when the RT6600 was presented by the end of 2021, so no surprise for me here. The SRM 1.3 for the RT2600 and MR2200 will be, or according to Synology should be, in June, so we need to wait for this one as well.
    What I’m glad, and really glad, about is that the support for the MR2200 and the mesh is there, and also with another RT6600, which you cannot do with a RT2600, so a huge step forward I like. AAAANND well, if you do a MESH then you will have TWO USB ports; the question is if they can be used, but I think this is an alternative for those who will be having a MESH network.

  2. Amazing review. Thanks a lot for your effort. It’s almost like we’re dealing with a Nas Station here. In terms of user experience anyway. I think if they added Plex, a lot of basic users wouldn’t have bought a Nas Station anymore, so I think this is a selling strategy here. Anyway, great review, I am considering buying a unit after watching your video. Well done mate! Keep up the good work!

  3. Looks fantastic. As mentioned previously, I am using a net gear R9000 which to be fair has been working brilliantly. I flashed it with DDWRT recently using my iPad Pro, it took an absolute age to login but finally it worked. I am registered as a blind person but enjoy fiddling around with technology. I am waiting for your video next week for the router shootout vid but am quite taken with the RT6600.
    Thank you for all of your videos, they are very helpful.

  4. Synology does produce nice devices but it’s all fine when you have warranty. When it’s over and your device stops working, Synology won’t repair it even if you could just pay for the repair. They just don’t give a f**k. Think twice before you buy a Synology router.

  5. This looks like an unboxing, not an actual review. You’re holding a device that is capable of sophisticated beam-forming, but we don’t have any speed tests / comparisons / ping results for a typical wood-frame house for example. I like the new features, but I was really into that I’d just set up a pfSense box, or a UDM pro. Why would I buy this thing instead of a cheaper WiFi6 AP/router? Why would I buy it instead of a UDM pro + AP? I had an ac2200 before and I returned it, because SRM is a far cry from DSM, and here they are cramming features into a device with just 1GB of RAM. If you’re saying that it strikes the perfect balance, I’d like to see some figures proving that. Otherwise the video should be titled either “unboxing” or “first impressions”.

  6. When the videos get this long (which I do very much appreciate), I head straight to the conclusion. If your conclusion is positive, I generally go back to the beginning. That’s what I’m doing here. Your opinion at the end is exactly what some of us need. I currently have an RT2600ac but now I will buy a new 6600 model and use the 2600 as an access point in the upstairs of my home. Many thanks for all of the time that you put into these reviews.

  7. Thanks for a great review. Worth watching it all. Look forward to future videos on this router.

    Three questions: Do you think Synology will release a WiFi 6 upgrade to the MR2200ac? Maybe an MR6600ax?

    Also, can devices be assigned a frequency? Orbi takes control of that and many times connects 5GHz devices (like FireTV) to 2.4GHz when only in the next room.

    Lastly, I’m sure the answer is yes, but I didn’t see it covered, can you assign static IPs or reserve IPs for devices?

    Thanks again! I really love the ability to create a VLAN that merges with an SSID to isolate my IoT.

  8. The usual LAN limitation of all routers: you have only one 2.5gbe port. Now a router should have at least one 2.5gbe (better 5gbe, as in Italy a phone company started to sell a FTTH 5gbe fiber connection at a good price in selected cities) WAN AND one 2.5 LAN port (better 5gbe) and let a multi-g switch manage the signal. Also it should manage analog phones, otherwise we must pay for the router that the provider offers.

  9. Very interesting review so thank you. You say you will be reviewing the Asus RT AX series….will you be doing this one?
    ASUS RT-AX89X 12-Stream AX6000 Dual Band Wi-Fi 6 802.11ax Router
    Cheers


  11. Hey
    Thanks so much for this very informative video! 2 questions though:
    1. Can you connect the router to a VPN, so your whole home internet traffic is secure? If so, what VPNs can be used?
    2. As some might know, wireguard is a very simple, fast and secure VPN solution. Is it possible to run wireguard as a server or as a client on this router? If there’s an option to install packages, really one should be able to potentially develop or manually install the option for wireguard as a client and perhaps even as a wireguard VPN server…..

    Many thanks!

  12. Great review – thank you. Is there any way to limit the internet bandwidth available to a specific user / device or IP range? I usually allocate only 80% of the available internet bandwidth to make sure that no single user or device hogs all the bandwidth and that my downloads always have bandwidth available without impacting anyone else.

  13. I have a Net Gear r9000 x10, do you think this rt6600 would be a good upgrade? R9000 has started dropping Wi-Fi and kicking me out of plex, on paper they seem to have similar specs, although net gear have tried to kill the router with firmware numerous times.

  14. Just wondering. The new software disabled support for 4G dongle. But I noticed in your video around minute 31.45 that there is a mobile network section in the settings.

    I hope I can use my SIM with dongle. Been wanting to switch to Synology router for the longest time but couldn’t due to the poor support for SIM card.

  15. Thanks for the thorough review but this is too little too late from Synology as an existing customer… I welcome SRM 1.3 VLAN and multiple SSID but these were promised and should have been out several years ago, however they stalled SRM development to focus on DSM7. It has left a really sour taste in my mouth as I invested heavily with RT2600ac and 2x MR2200ac (along with multiple NAS) but have had to relegate the RT2600ac to just doing WiFi as an access point because of all the bugs and the lack of development. I’m now using a PFsense router which is far more stable and has had better features, scalability and resilience for years. I’ll look at SRM 1.3 when it lands for my existing devices but when it is time to upgrade my mesh WiFi hardware I have no loyalty to Synology or confidence in their support for their network devices so I’ll be looking at other offerings.