[GH-ISSUE #977] Unable to add Synology NAS as resource (Gateway Timeout) #1710

Closed
opened 2026-04-16 08:28:22 -05:00 by GiteaMirror · 8 comments
Owner

Originally created by @youenl-dev on GitHub (Jun 27, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/977

Hi,

I have a working instance of Pangolin on a VPS where I've been able to add various services (Pihole, Proxmox, Plex, etc) as resources without any issue.

Pangolin has been fantastic and very stable over the last few months, but I can't manage to add my Synology NAS as a resource at all. Using http and port 5000, or https and port 5001, I always end up with a Gateway Timeout error.

Local and remote access with Quickconnect or Netbird works fine, so I'm not sure if the issue comes from DSM or Pangolin.

Any help or idea would be much appreciated. Many thanks!

Originally created by @youenl-dev on GitHub (Jun 27, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/977 Hi, I have a working instance of Pangolin on a VPS where I've been able to add various services (Pihole, Proxmox, Plex, etc) as resources without any issue. Pangolin has been fantastic and very stable over the last few months, but I can't manage to add my Synology NAS as a resource at all. Using http and port 5000, or https and port 5001, I always end up with a Gateway Timeout error. Local and remote access with Quickconnect or Netbird works fine, so I'm not sure if the issue comes from DSM or Pangolin. Any help or idea would be much appreciated. Many thanks!
Author
Owner

@adrianeastles commented on GitHub (Jun 27, 2025):

Hi,

With exposing your Synology NAS and Proxmox directly to the public internet; it's not recommended for security reasons.

Regarding your issue with adding the Synology NAS as a resource in Pangolin and encountering a "Gateway Timeout" error, here's what I recommend checking:

  1. Newt Container Mode on NAS:

    • On your Synology NAS, ensure that the Newt container is running in Host mode. This is crucial for network communication.
  2. Pangolin Resource Configuration:

    • In Pangolin, when adding your Synology NAS as a resource, ensure the configuration is set as follows:
      • Method: HTTPS
      • IP/Hostname: {Your Synology NAS's Local IP Address} (e.g., 192.168.1.X or 10.0.0.X).
      • PORT: 5001 (This is the default HTTPS port for DSM. If you've changed it on your Synology NAS, use your custom port.)

If you're still experiencing issues after verifying these settings, it might be worth checking:

  • Firewall Rules: Double-check your Synology NAS's firewall rules to ensure that the port (5001 or your custom port) is open and allows connections from your VPS's IP address (or from the network that Pangolin is operating on, especially if it's within a VPN tunnel).
  • Network Connectivity: try a simple ping or telnet {NAS IP} 5001 from your VPS to your Synology NAS's IP address to confirm basic network reachability on that specific port.

Let me know how it goes!

<!-- gh-comment-id:3012678857 --> @adrianeastles commented on GitHub (Jun 27, 2025): Hi, With exposing your Synology NAS and Proxmox directly to the public internet; it's not recommended for security reasons. Regarding your issue with adding the Synology NAS as a resource in Pangolin and encountering a "Gateway Timeout" error, here's what I recommend checking: 1. **Newt Container Mode on NAS:** * On your Synology NAS, ensure that the **Newt container is running in Host mode**. This is crucial for network communication. 2. **Pangolin Resource Configuration:** * In Pangolin, when adding your Synology NAS as a resource, ensure the configuration is set as follows: * **Method:** `HTTPS` * **IP/Hostname:** `{Your Synology NAS's Local IP Address}` (e.g., `192.168.1.X or 10.0.0.X`). * **PORT:** `5001` (This is the default HTTPS port for DSM. If you've changed it on your Synology NAS, use your custom port.) If you're still experiencing issues after verifying these settings, it might be worth checking: * **Firewall Rules:** Double-check your Synology NAS's firewall rules to ensure that the port (5001 or your custom port) is open and allows connections from your VPS's IP address (or from the network that Pangolin is operating on, especially if it's within a VPN tunnel). * **Network Connectivity:** try a simple `ping` or `telnet {NAS IP} 5001` from your VPS to your Synology NAS's IP address to confirm basic network reachability on that specific port. Let me know how it goes!
Author
Owner

@robtec commented on GitHub (Jun 28, 2025):

With exposing your Synology NAS and Proxmox directly to the public internet; it's not recommended for security reasons.

Curious on this point. As Pangolin manages access and security to resources, is it still dangerous to expose certain services to the www via Protected Pangolin? Is there a chance pangolin won't protect services under different circumstances?

<!-- gh-comment-id:3016122561 --> @robtec commented on GitHub (Jun 28, 2025): > With exposing your Synology NAS and Proxmox directly to the public internet; it's not recommended for security reasons. Curious on this point. As Pangolin manages access and security to resources, is it still dangerous to expose certain services to the www via Protected Pangolin? Is there a chance pangolin won't protect services under different circumstances?
Author
Owner

@youenl-dev commented on GitHub (Jun 29, 2025):

Thank you for your reply, you definitely pointed me in the right direction.

My Newt container is running on a lxc container on 192.168.10.16 and cannot ping my NAS on 192.168.20.11, while being perfectly able to ping other services running on 192.168.20.x, including VMs running on the NAS itself.

This would point to a network config issue in DSM directly, and I believe has nothing to do with Pangolin.

I think I'll also take your advice of not exposing my NAS to the internet, but would be interested to know as well if Pangolin is as secure as Tailscale or NetBird when used for remote access.

Many thanks,
Y.

<!-- gh-comment-id:3016577067 --> @youenl-dev commented on GitHub (Jun 29, 2025): Thank you for your reply, you definitely pointed me in the right direction. My Newt container is running on a lxc container on `192.168.10.16` and cannot ping my NAS on `192.168.20.11`, while being perfectly able to ping other services running on `192.168.20.x`, including VMs running on the NAS itself. This would point to a network config issue in DSM directly, and I believe has nothing to do with Pangolin. I think I'll also take your advice of not exposing my NAS to the internet, but would be interested to know as well if Pangolin is as secure as Tailscale or NetBird when used for remote access. Many thanks, Y.
Author
Owner

@adrianeastles commented on GitHub (Jun 29, 2025):

Sorry about not responding before, never got the notification sent to me.

You're correct that Pangolin is designed to manage access and add a layer of security to your resources. It acts as a reverse proxy and authentication/authorization layer, which is a significant improvement over directly exposing services. However, the primary concern with exposing services like your Synology NAS or Proxmox, even through Pangolin, is that these services themselves are complex applications that can have their own security vulnerabilities (software bugs, misconfigurations, unpatched exploits, etc.). If a vulnerability exists in DSM (Synology's operating system) or Proxmox, an attacker might still be able to exploit it, even if they first have to bypass Pangolin's access controls.

Pangolin is secure for what it is designed to do: act as a robust, authenticated reverse proxy for exposing services to the public internet in a controlled manner. It's a fantastic self-hosted Cloudflare Tunnel alternative. However, the biggest difference with using Tailscale/NetBird's is your Synology NAS or Proxmox never directly listens for incoming connections from the public internet. Instead, your devices (laptop, phone, NAS, server) connect outbound to a control server (Tailscale's cloud, or your self-hosted Headscale/NetBird server) to discover each other and exchange WireGuard keys. Thus, because your services aren't listening for public connections, they are effectively "invisible" to general internet scans. This drastically reduces the attack surface compared to a public-facing proxy.

Disclaimer: Please note that these are my own insights and observations based on my experience as a software engineer. I'm not speaking on behalf of the Pangolin team or any other product mentioned in this post.

<!-- gh-comment-id:3016762343 --> @adrianeastles commented on GitHub (Jun 29, 2025): Sorry about not responding before, never got the notification sent to me. You're correct that Pangolin is designed to manage access and add a layer of security to your resources. It acts as a reverse proxy and authentication/authorization layer, which is a significant improvement over directly exposing services. However, the primary concern with exposing services like your Synology NAS or Proxmox, even through Pangolin, is that these services themselves are complex applications that can have their own security vulnerabilities (software bugs, misconfigurations, unpatched exploits, etc.). If a vulnerability exists in DSM (Synology's operating system) or Proxmox, an attacker might still be able to exploit it, even if they first have to bypass Pangolin's access controls. Pangolin is secure for what it is designed to do: act as a robust, authenticated reverse proxy for exposing services to the public internet in a controlled manner. It's a fantastic self-hosted Cloudflare Tunnel alternative. However, the biggest difference with using Tailscale/NetBird's is your Synology NAS or Proxmox **never** directly listens for incoming connections from the public internet. Instead, your devices (laptop, phone, NAS, server) connect outbound to a control server (Tailscale's cloud, or your self-hosted Headscale/NetBird server) to discover each other and exchange WireGuard keys. Thus, because your services aren't listening for public connections, they are effectively "invisible" to general internet scans. This drastically reduces the attack surface compared to a public-facing proxy. **Disclaimer**: Please note that these are my own insights and observations based on my experience as a software engineer. I'm not speaking on behalf of the Pangolin team or any other product mentioned in this post.
Author
Owner

@youenl-dev commented on GitHub (Jun 29, 2025):

This makes perfect sense, thank you very much for the detailed explanation. Much appreciated!

<!-- gh-comment-id:3016877145 --> @youenl-dev commented on GitHub (Jun 29, 2025): This makes perfect sense, thank you very much for the detailed explanation. Much appreciated!
Author
Owner

@oschwartz10612 commented on GitHub (Jun 30, 2025):

Sounds resolved but feel free to reopen if needed. Thanks for the great write up @adrianeastles !

<!-- gh-comment-id:3019917882 --> @oschwartz10612 commented on GitHub (Jun 30, 2025): Sounds resolved but feel free to reopen if needed. Thanks for the great write up @adrianeastles !
Author
Owner

@ghost commented on GitHub (Dec 9, 2025):

IP/Hostname: {Your Synology NAS's Local IP Address}

Curious, why all containers I do have working with Newt by the name, but only this one needs to be pointed directly on to the IP of Synology?

Stumbled across this post while searching what I'm missing and still do not understand.

(https is clear to me, as otherwise nginx of Synology log-in portal complain "The plain HTTP request was sent to HTTPS port")

ensure that the Newt container is running in Host mode.

Didn't anyhow set this by myself.
It working, basically inserted the Docker config from Site configuration from Pangolin, just the ports added.

Is this anyhow unsafe?

<!-- gh-comment-id:3634764634 --> @ghost commented on GitHub (Dec 9, 2025): > IP/Hostname: {Your Synology NAS's Local IP Address} Curious, why all containers I do have working with Newt by the name, but only this one needs to be pointed directly on to the IP of Synology? Stumbled across this post while searching what I'm missing and still do not understand. (https is clear to me, as otherwise nginx of Synology log-in portal complain "The plain HTTP request was sent to HTTPS port") > ensure that the Newt container is running in Host mode. Didn't anyhow set this by myself. It working, basically inserted the Docker config from Site configuration from Pangolin, just the ports added. Is this anyhow unsafe?
Author
Owner

@eppjo commented on GitHub (Mar 2, 2026):

I had the same problem. Paperless and Portainer worked fine via Pangolin on a VPS and Newt on the Synology, but Synology itself was not accessible. After a long search on the web, I found the solution: Leave the field for the custom domain blank in the login portal settings.
In Pangolin I added the resource via http, hostname and port 5000.

<!-- gh-comment-id:3987055091 --> @eppjo commented on GitHub (Mar 2, 2026): I had the same problem. Paperless and Portainer worked fine via Pangolin on a VPS and Newt on the Synology, but Synology itself was not accessible. After a long search on the web, I found the solution: Leave the field for the custom domain blank in the login portal settings. In Pangolin I added the resource via http, hostname and port 5000.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#1710