Message 1 of 10

Technical question re: monitoring all network traffic

Hi,

I have SH2 and 2 Complete wifi disks (black), have a fairly complex network with 5 network switches, with around 60 devices including doorbells, smartplugs/lights, Synology NAS, TVs, PCs and laptops etc, and recently I noticed some hacking attempts on my NAS. I have a laptop running wireshark to try and identify the source, eg from the internet, or if one of my devices like smartplugs are allowing entry via upnp. I am considering purchasing a managed switch to route all LAN traffic into a single port of the SH2, and hence configure one of the managed switch ports to act as a monitor. However, could someone confirm if I connect the "wireshark" laptop via wifi, it can see all wifi traffic from any device, ie do the wifi disks simply broadcast all wifi traffic irrespective of which wifi device they are connected to, eg SH2 or any wifi disk, so I can determine which device, or if it is coming from the internet via port forwarding (and which port it is using), is doing the hacking.

Thanks

Gary

Message 2 of 10

Re: Technical question re: monitoring all network traffic

It's kinda hard to say without knowing how you have set up Wireshark. The basic setup of Wireshark is to monitor a particular interface such as an ethernet port or wifi, but local to the device where it is installed, ie you don't want to just see what's coming in to the laptop as that would defeat the purpose. How have you set it up?

Also more importantly what is the nature of the hacking attempts on the NAS, what are they?

-----------------------------------------------------------------------------------------------
BT900 | Nokia ONT | Ubiquiti ER-X | EETV Box Pro (IP Mode) | Unifi CK2 | 6x Unifi U6+ | 2x Unifi SAK Ultra
Message 3 of 10

Re: Technical question re: monitoring all network traffic

I'm not too concerned with hackers scanning for open ports and attempting login to the admin account, which has been disabled, and I've also implemented indefinite ip blocking after a single failed attempt to any account. Synology does not provide details of which port, ie the application, to which an attempt was made. I have disabled remote port forwarding for direct DSM access, as I don't need this, but I do have access via port forwarding on SH2 for the videos, files, photos, and surveillance camera applications. I guess hackers are continually scanning for ports on all ip addresses to identify open ones and what they think is at the end of it to attempt admin logins. I intend to set up wireshark to monitor all LAN traffic to the Synology NAS, and wifi (after I install a managed switch to allow monitoring of LAN traffic). I have a main switch connected directly to SH2 to avoid overloading SH2 with local heavy traffic (file transfers/video streaming etc) and this is where I should be able to monitor all LAN traffic to the NAS. However I was unsure how the Wifi complete network operates, ie if my laptop logs into the SH2 wifi, will it be able to see all traffic on the wifi network? Do the wifi complete disks act as basically dumb ethernet hubs (not switches), and should all wifi traffic be visible to my laptop (once I have configured the wifi port for monitoring)? Or will my laptop only be able to see wifi traffic on the SH2 or disk it is connected to? I also just wanted to verify that none of my smart devices, eg smartplugs/lights made in china, are being used as a backdoor. I don't really want to spend a lot of time reconfiguring my network with VLANs to isolate them (and I don't think SH2 and wifi complete support multiple vlans).

Note, the hacking attempts are sporadic, tend to come in groups (roughly anywhere from 10 to 100) from mainly china/us (although who knows in reality). Once the attempt and IP is blocked, it is usually followed immediately by another attempt from a different IP address since the previous one is blocked, always using the admin username (this account is blocked, and I have long passwords for accounts with admin access). Looking up these ip addresses shows they are commonly observed as frequent hacking ips, no doubt someone's PC is infected with a trojan. Reported a whole block previously to BT security but too many to deal with.

cheers for the response

Message 4 of 10

Re: Technical question re: monitoring all network traffic

Ethernet switches filter by MAC address so packets are only sent on the port that is connected to the destination MAC address, unlike multiport repeaters that send all packets to all ports. It is therefore very difficult to use Wireshark on a PC that only has 1 interface to see packets directed to a MAC address on another port of a switch, even in promiscuous mode.

A switch that supports MAC address monitoring is one way to see what is sending packets to a given MAC, or one that allows port mirroring; alternatively, configure a PC with 2 interfaces so that it acts as a router, allowing Wireshark to monitor packets to a given MAC address as everything passes through the PC. Does your NAS allow you to install any ethernet monitoring on its ethernet interface?

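The switch-versus-hub point above, and the question in the thread about whether a promiscuous-mode laptop sees other devices' traffic, can be made concrete with a toy model. This is an added example, not code from the forum or from any vendor; the port numbers, MAC labels and frame sequence are constructed, and the model covers only the forwarding decision (no VLANs, no table aging).

```python
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "in_port src_mac dst_mac")

class Hub:
    """Multiport repeater: every frame is sent out every other port."""
    def __init__(self, ports):
        self.ports = set(ports)
    def forward(self, frame):
        return self.ports - {frame.in_port}

class LearningSwitch:
    """Learning switch with an optional mirror (SPAN) port for an analyser."""
    def __init__(self, ports, mirror_port=None):
        self.ports = set(ports)
        self.mirror_port = mirror_port   # receives a copy of every frame
        self.mac_table = {}              # MAC address -> port it was last seen on

    def forward(self, frame):
        """Learn the source MAC, then return the set of egress ports."""
        self.mac_table[frame.src_mac] = frame.in_port
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            out = self.ports - {frame.in_port}           # flood unknown/broadcast
        else:
            out = {self.mac_table[frame.dst_mac]} - {frame.in_port}
        if self.mirror_port is not None and self.mirror_port != frame.in_port:
            out = out | {self.mirror_port}               # SPAN copy for the analyser
        return out

def frames_seen_by(device, listen_port, frames):
    """Frames a promiscuous-mode Wireshark host on listen_port would capture."""
    return [f for f in frames if listen_port in device.forward(f)]

# Constructed topology: NAS on port 1, a PC on port 2, the Wireshark laptop on port 3.
SAMPLE_FRAMES = [
    Frame(2, "pc", "nas"),   # "nas" not yet learned -> flooded, laptop sees it
    Frame(1, "nas", "pc"),   # "pc" is known -> port 2 only
    Frame(2, "pc", "nas"),   # "nas" now known -> port 1 only
]

def captured_on_hub():
    return frames_seen_by(Hub([1, 2, 3]), 3, SAMPLE_FRAMES)

def captured_without_mirror():
    return frames_seen_by(LearningSwitch([1, 2, 3]), 3, SAMPLE_FRAMES)

def captured_with_mirror():
    return frames_seen_by(LearningSwitch([1, 2, 3], mirror_port=3), 3, SAMPLE_FRAMES)
```

On the plain switch the laptop captures only the first, flooded frame; a hub or a mirror port delivers all three, which is why the thread's advice is a mirror port or an inline two-interface box.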
Message 5 of 10

Re: Technical question re: monitoring all network traffic

Yeah, you could in fact build a Raspberry Pi and install an eth1 onto it via a USB adapter and run it there monitoring the in and out, placing it between your SH2 and a core switch.

But if I understand it right your NAS is externally facing so you can access your content remotely? If that’s what you’re saying just use a VPN server. The OpenVPN Pi Server project is so easy to setup and free for your first two users, in fact unless multiple users will need to be connected at one time you can indefinitely share the same two users.

So you’ll have a VPN server at home and then client installations on the devices who need access to the NAS. Instead of accessing via an external IP you’ll just be safely going through your VPN, and your client device will just use local IPs like they are actually sitting on your home network. Then you can turn off ALL external access to the NAS.

In my opinion you’re gonna be chasing your tail looking for ‘China’ etc

You could use a Pi-Hole project if you wanted a little more monitoring of what your devices are doing and have a little more faith that you are protected; you’ll have to turn off the SH2 DHCP server and enable it on the Pi-Hole as you cannot configure the SH2 to use alternative DNS.

Lastly, if you’re that into this sort of stuff you might want to move away from the SH2 altogether and give yourself far more data to work with off the bat.

Good luck with it though if you decide to proceed.

-----------------------------------------------------------------------------------------------
BT900 | Nokia ONT | Ubiquiti ER-X | EETV Box Pro (IP Mode) | Unifi CK2 | 6x Unifi U6+ | 2x Unifi SAK Ultra
Message 6 of 10

Re: Technical question re: monitoring all network traffic

Thanks - my primary switch connected to SH2 allows port mirroring (to send all LAN packets from one or more ports to a designated port), and I understand wireshark can simultaneously monitor ethernet and wifi network ports. However, I was not sure whether the "mesh" wifi part (SH2 wifi + complete disks) acts like a hub or a switch, ie whether all the wifi traffic is visible to the laptop irrespective of which node you are connected to. Guess I'll just try to access the NAS via devices connected to either SH2 or disks. Many thanks
Message 7 of 10

Re: Technical question re: monitoring all network traffic

Thanks for the suggestions, Synology NAS comes with an OpenVPN server so I'll explore that. You are correct that my NAS setup provides remote access (https only) from the internet to music/photos/videos and files using 4 port forwarding rules. I have disabled remote access to the O/S itself, and any single failed attempt to login results in the ip address being blocked indefinitely. I'm not bothering chasing down IPs as this is whack-a-mole on steroids, but I was curious as to which ports/apps they are trying to access, and whether there is any chance of backdoors in the various smartplugs/lights I have. I briefly considered getting a better router, but now I have the complete wifi and the 4g backup, it seems like a simple integrated solution albeit less configurable.
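The two things the poster wants out of a mirror-port capture, which forwarded ports are being hit from the internet versus probed from a LAN device, and the "block one IP, another arrives minutes later" pattern described earlier in the thread, can be pulled out of exported connection records like this. Added example, not from the forum or from Synology; the records, the port numbers and the 15-minute gap are constructed, and the public-looking sources use documentation address ranges.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# The LAN is RFC 1918 space; anything else is treated as arriving through a
# port-forward. (ipaddress.is_private would also flag the documentation
# ranges used below, so membership is checked explicitly.)
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of connection attempts towards the NAS, as you might export
# from a capture: (timestamp, source IP, destination port). Not real observations.
SAMPLE = [
    ("2024-01-01 10:00:00", "198.51.100.7", 5001),
    ("2024-01-01 10:00:05", "198.51.100.7", 5001),
    ("2024-01-01 10:05:10", "203.0.113.9", 5001),
    ("2024-01-01 10:10:20", "203.0.113.44", 5001),
    ("2024-01-01 10:11:00", "192.168.1.50", 445),
    ("2024-01-01 10:12:00", "192.168.1.77", 5000),
    ("2024-01-01 12:30:00", "198.51.100.90", 5001),
]

def origin(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return "lan" if any(addr in net for net in LAN_NETS) else "internet"

def attempts_by_origin_and_port(records):
    """Count attempts per (origin, destination port): shows which forwarded
    port is being hammered and whether any LAN device is probing the NAS."""
    return Counter((origin(src), port) for _, src, port in records)

def rotating_source_clusters(records, port, gap=timedelta(minutes=15), min_sources=3):
    """Runs of internet-side attempts on `port` where consecutive attempts are at
    most `gap` apart; return the runs with at least `min_sources` distinct IPs.
    This is the rotating-IP pattern that follows a per-IP block."""
    events = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src)
                    for ts, src, p in records if p == port and origin(src) == "internet")
    runs, current = [], []
    for when, src in events:
        if current and when - current[-1][0] > gap:
            runs.append(current)
            current = []
        current.append((when, src))
    if current:
        runs.append(current)
    return [sorted({s for _, s in run}) for run in runs
            if len({s for _, s in run}) >= min_sources]

if __name__ == "__main__":
    print(attempts_by_origin_and_port(SAMPLE), rotating_source_clusters(SAMPLE, 5001))
```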
Message 8 of 10

Re: Technical question re: monitoring all network traffic

'Hackers', and I use the term loosely in this example as I don't consider it real hacking, just scan for stuff they can hit over the internet then try to log in with generic usernames. Your 'hacking attempts', I would put money on, have nothing to do with your IOT devices such as smart plugs and switches. These groups just know Synology uses certain ports so chances are a lot of them are going to be open; Synology being a major brand with a variety of methods for external access, many users will have one of the methods open.

At work we have an external facing SFTP server where I sometimes see hundreds of daily attempts on generic accounts such as 'vmware', 'root', 'admin', 'linuxadmin', and so on....no such generic accounts exist and any attempt to log in with a username that doesn't exist immediately blacklists the IP....then the same stuff comes in from another IP, quite the waste of IPv4 addresses if you ask me. It also sits behind an enterprise firewall and web application filtering, belt and braces.

Generally I'd never recommend a single device being open to the internet, especially one that contains all of your stuff; for me it's not a concern of privacy, it's just a concern of how long it took me to collect it all, 1000s of photos over the years etc. OpenVPN will use certs plus you can set a mental password on top, and it has further benefits as well because once you are connected to the VPN you have access to your entire network, so your media client on your phone/tablet/laptop or whatever it is you take away with you.....can just remain configured with the local IP of your NAS.

You can buy your own domain name for next to nothing, setup dynamic DNS and have your VPN clients configured to connect to it.

There are far better Complete WIFI solutions out there and routers, but your integrated 4G backup is a good thing to have. I wouldn't have that over having my own gear that I can play with; I can dump out all sorts from my router and create completely custom firewall rules, multi VLANs to segregate my IOT from my NAS.....if you are concerned about hacking attempts then take the power back 🙂

Anyway, I guess you didn't ask for my advice like this so I'll leave you to consider the options now.

-----------------------------------------------------------------------------------------------
BT900 | Nokia ONT | Ubiquiti ER-X | EETV Box Pro (IP Mode) | Unifi CK2 | 6x Unifi U6+ | 2x Unifi SAK Ultra
Message 9 of 10

Re: Technical question re: monitoring all network traffic

Many thanks for all the information. Guess it's always a balance between how much effort it takes to create and maintain a much more secure network vs increased risk and less time. I certainly find that these attempts happen every few months, use alternate admin and system usernames, and as soon as one ip is blocked, wait 5 mins then try again using another IP, which can last a couple of hours. Given I find it useful to have access to my files from outside of home, I think I'll stick with the following security: non-standard high range port numbers for the 4 applications I need, blacklist IP address indefinitely on a single login failure and immediate alerts, disabled admin account, long passwords (applicable to all LAN devices), nightly backup of NAS. I think the VPN is probably overkill for my setup; the Synology phone apps are simple to use and reliable for remote photo/file access. I've also enabled the Synology own firewall with DDOS protection for more persistent attacks. I'll just monitor it for now, but I'm curious to see what traffic goes to and from my smart devices. Many thanks
Message 10 of 10

Re: Technical question re: monitoring all network traffic

If it makes you feel better, I have 20 ish smart bulbs/switches/plugs, all 3rd party brands, by that I mean not Hive, Hue etc....the ones you connect to the Smart Life app.....none have exhibited even a packet of suspicious behaviour the entire time I've had them (years).

Your web browsing/purchasing and Alexas (if you have them) will be tracking more of what you do; these dumb smart devices probably don't even have the capability to log or track anything.

-----------------------------------------------------------------------------------------------
BT900 | Nokia ONT | Ubiquiti ER-X | EETV Box Pro (IP Mode) | Unifi CK2 | 6x Unifi U6+ | 2x Unifi SAK Ultra