Home
This page describes the background behind ARPproxy, which is a service you can run on a Raspberry PI (or probably any Linux machine) to allow a Synology NAS to be remotely started on the Internet via Wake-on-LAN (WoL).
To get to the details on how to set things up look here. The rest of this page mostly describes the problem/challenge and how this particular solution works.
There are a few challenges in getting this to work with certain routers, such as TP-Link's Deco line (e.g., the TP-Link Deco XE75 Pro).
- The TP-Link doesn't keep a static ARP entry for devices that have been set up as the target for port forwarding (even if you set up the device's MAC address with a static IP address in the router's DHCP server configuration).
- This means that if you set up port forwarding and send a remote WoL packet, the Deco will try to ARP for the target device to learn its MAC address. The device isn't on, so it won't respond to the ARP request, and thus the WoL packet won't get sent on the local network.
- The Synology NAS only listens for WoL packets sent to the broadcast MAC (rather than the device's own MAC address), so even if a router supported static ARP entries then I doubt things would work.
- The TP-Link Deco app won't allow port forwarding to be configured to use the broadcast IP address (or local subnet broadcast IP address). Presumably somebody at TP-Link figured there wasn't a legitimate reason for this, but there is.
- The TP-Link Deco app won't allow multicast or broadcast MAC addresses to be used in other places in the app, which would be another way to address this.
Given these issues, I opted to write a service that I can run on my Raspberry Pi to address these limitations. Another approach would be to have the Raspberry Pi itself send the WoL packet, but I don't want to expose the Raspberry Pi directly to the Internet nor worry about securing and safeguarding whatever web interface I cooked up.
The overall flow works like this:
- Configure port forwarding for UDP on the Deco to forward an external port on the router (e.g., 45678) to the IP address of the Synology. The safest thing is to forward to a port that's not actually in use on the Synology (it's a common misconception that you need to use a particular port like 7 or 9). If you're already using port forwarding for another service (e.g., a Plex server on the Synology), then you only need to change the forwarding rule from 'tcp' to 'tcp & udp'.
- Configure dynamic DNS on the Deco. This step is optional if you already have the Synology configured for DDNS, but I prefer to have the Deco manage it.
- Install and run the arpproxy service on the Raspberry Pi. You basically need a Raspberry Pi with a working C compiler: copy the source code into a directory, modify the "IpTarget targets[]" array to include the IP address(es) of the Synology device(s) you want to be able to wake, then run "make install".
- After this it's mostly a matter of, e.g., installing a WoL app on your phone. The app needs to support a custom wake port. You'll specify the wake target as the DNS name you set up in step #2, specify the port that was set up in step #1, and you'll also need to specify the MAC address of your Synology NAS (I'll leave this step as an exercise for the reader).
So what's the flow of network traffic?
- Your Wake-on-LAN app sends a Wake-on-LAN packet to the Deco router.
- The Deco router tries to ARP for the Synology NAS but initially doesn't get a reply because the NAS is off. However, the service running on the Raspberry Pi sees that there are multiple ARP requests (presumably unanswered) and, after seeing 3 queries in 10 seconds, sends an ARP response on the Synology's behalf. The response specifies the broadcast MAC address.
- The Deco router gets the ARP response and forwards the wake-on-LAN packet to the Synology's IP address and broadcast MAC address.
- The NIC on the Synology sees the magic packet and wakes the system. The NIC doesn't care whether IP or TCP or UDP (or what port) is used.
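The last step relies on how a NIC recognizes a magic packet: it scans the frame payload for six 0xFF bytes followed by sixteen copies of the target MAC, and ignores the IP addresses, transport protocol and port that carried it. The following is an added example (not code from the arpproxy project) that builds that payload and then scans an arbitrary buffer for it the way a NIC does; the MAC and the surrounding junk bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WOL_MAGIC_LEN 102   /* 6 sync bytes + 16 copies of a 6-byte MAC */

/* Build the Wake-on-LAN magic payload for `mac` into out[102].
 * This is what the phone app puts in its UDP datagram; the UDP port is
 * irrelevant to the sleeping NIC, which only pattern-matches these bytes. */
size_t wol_build_magic(const uint8_t mac[6], uint8_t out[WOL_MAGIC_LEN]) {
    memset(out, 0xFF, 6);
    for (int i = 0; i < 16; i++)
        memcpy(out + 6 + 6 * i, mac, 6);
    return WOL_MAGIC_LEN;
}

/* Scan `buf` like a NIC does: look for 6 x 0xFF followed by 16 identical
 * 6-byte groups at any offset. On a match copy the MAC to mac_out and
 * return 1; return 0 if no well-formed magic sequence is present. */
int wol_find_magic(const uint8_t *buf, size_t len, uint8_t mac_out[6]) {
    if (len < WOL_MAGIC_LEN) return 0;
    for (size_t off = 0; off + WOL_MAGIC_LEN <= len; off++) {
        size_t k = 0;
        while (k < 6 && buf[off + k] == 0xFF) k++;
        if (k < 6) continue;                 /* no sync stream here */
        const uint8_t *first = buf + off + 6;
        int ok = 1;
        for (int i = 1; i < 16 && ok; i++)   /* all 16 copies must agree */
            if (memcmp(first, first + 6 * i, 6) != 0) ok = 0;
        if (ok) { memcpy(mac_out, first, 6); return 1; }
    }
    return 0;
}

int main(void) {
    /* Constructed, locally administered MAC used only for this demo. */
    const uint8_t mac[6] = {0x02, 0x00, 0x00, 0xAB, 0xCD, 0xEF};
    uint8_t pkt[WOL_MAGIC_LEN], payload[140], found[6];
    wol_build_magic(mac, pkt);
    /* Bury the magic sequence inside a larger datagram payload of junk bytes. */
    memset(payload, 0x11, sizeof payload);
    memcpy(payload + 20, pkt, WOL_MAGIC_LEN);
    if (wol_find_magic(payload, sizeof payload, found))
        printf("magic packet for %02x:%02x:%02x:%02x:%02x:%02x found at offset 20\n",
               found[0], found[1], found[2], found[3], found[4], found[5]);
    return 0;
}
```

Because the match is purely on payload bytes, the same datagram wakes the NAS whether the router forwards it to port 9 or to port 45678, which is why the setup above can use an otherwise unused port.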
When I first wrote arpproxy I had it respond with the MAC address of the Synology NAS (this needed to be specified in the source code along with the IP address), but this didn't cause an actual wake. Apparently Synology configures the NIC to only listen for WoL packets that are broadcast. So, I have arpproxy respond with the broadcast MAC.
So what are the security concerns? No traffic from the Internet is being sent to the Raspberry Pi. The Raspberry Pi only receives ARP queries that come from the Deco router. Anyone on the Internet can now send frames towards the Synology NAS (and actually each frame gets broadcast to all devices on your local network). The other devices should ignore the frame since it's for a different IP address. In most cases the Synology NAS is off (presumably), but if you forward the traffic to an unused port on the Synology then the risk is minimal.
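To make the "3 queries in 10 seconds, then answer with the broadcast MAC" logic concrete, here is an added example in C (not the arpproxy source, and its `WakeTarget` struct is hypothetical rather than the project's `IpTarget`). It parses an Ethernet/ARP request from a byte buffer, keeps a sliding window of request times per configured NAS IP, and builds the proxy reply whose ARP sender hardware address is ff:ff:ff:ff:ff:ff. Frames are only constructed and inspected in memory, nothing is sent; the router, NAS and proxy addresses are constructed sample values, and using the proxy's own MAC as the Ethernet source of the reply is this example's assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HLEN       14
#define ARP_FRAME_LEN  42      /* 14-byte Ethernet header + 28-byte ARP body */
#define ETHERTYPE_ARP  0x0806
#define ARP_OP_REQUEST 1
#define ARP_OP_REPLY   2
#define TRIGGER_COUNT  3       /* page: reply after 3 queries ... */
#define TRIGGER_WINDOW 10      /* ... seen within 10 seconds */

static const uint8_t BROADCAST_MAC[6] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};

/* One NAS we answer for plus timestamps (seconds) of recent requests for it.
 * Hypothetical struct for this example, not the project's IpTarget. */
typedef struct {
    uint8_t  ip[4];
    uint32_t seen[TRIGGER_COUNT];
    int      n;
} WakeTarget;

/* Accept only a well-formed Ethernet/IPv4 ARP request; extract the fields we need. */
static int arp_parse_request(const uint8_t *f, size_t len, uint8_t sender_mac[6],
                             uint8_t sender_ip[4], uint8_t target_ip[4]) {
    if (len < ARP_FRAME_LEN || ((f[12] << 8) | f[13]) != ETHERTYPE_ARP) return 0;
    const uint8_t *a = f + ETH_HLEN;
    /* htype=1 Ethernet, ptype=0x0800 IPv4, hlen=6, plen=4, oper=request */
    if (a[0] != 0 || a[1] != 1 || a[2] != 0x08 || a[3] != 0x00 || a[4] != 6 ||
        a[5] != 4 || ((a[6] << 8) | a[7]) != ARP_OP_REQUEST) return 0;
    memcpy(sender_mac, a + 8, 6); memcpy(sender_ip, a + 14, 4); memcpy(target_ip, a + 24, 4);
    return 1;
}

/* Sliding window: forget requests older than TRIGGER_WINDOW, record this one,
 * and fire (then reset) once TRIGGER_COUNT requests fall inside the window. */
static int wake_target_hit(WakeTarget *t, uint32_t now) {
    int kept = 0;
    for (int i = 0; i < t->n; i++)
        if (now - t->seen[i] <= TRIGGER_WINDOW) t->seen[kept++] = t->seen[i];
    t->n = kept;
    t->seen[t->n++] = now;               /* n never exceeds TRIGGER_COUNT: we reset below */
    if (t->n < TRIGGER_COUNT) return 0;
    t->n = 0;
    return 1;
}

/* Build the reply the proxy sends on the NAS's behalf. The ARP sender hardware
 * address is the broadcast MAC, so the router will address the forwarded WoL
 * datagram to ff:ff:ff:ff:ff:ff; the Ethernet source MAC choice is an assumption. */
static void arp_build_reply(uint8_t out[ARP_FRAME_LEN], const uint8_t proxy_mac[6],
                            const uint8_t nas_ip[4], const uint8_t req_mac[6],
                            const uint8_t req_ip[4]) {
    static const uint8_t hdr[8] = {0x00,0x01, 0x08,0x00, 6, 4, 0x00, ARP_OP_REPLY};
    memcpy(out, req_mac, 6); memcpy(out + 6, proxy_mac, 6);
    out[12] = ETHERTYPE_ARP >> 8; out[13] = ETHERTYPE_ARP & 0xFF;
    uint8_t *a = out + ETH_HLEN;
    memcpy(a, hdr, 8);
    memcpy(a + 8, BROADCAST_MAC, 6);     /* sender hardware address = broadcast */
    memcpy(a + 14, nas_ip, 4);           /* sender protocol address = the NAS IP */
    memcpy(a + 18, req_mac, 6); memcpy(a + 24, req_ip, 4);
}

/* Feed one captured frame at time `now`; returns 1 and fills `reply` when due. */
int arp_proxy_handle(WakeTarget *targets, int ntargets, const uint8_t proxy_mac[6],
                     const uint8_t *frame, size_t len, uint32_t now,
                     uint8_t reply[ARP_FRAME_LEN]) {
    uint8_t smac[6], sip[4], tip[4];
    if (!arp_parse_request(frame, len, smac, sip, tip)) return 0;
    for (int i = 0; i < ntargets; i++) {
        if (memcmp(targets[i].ip, tip, 4) != 0) continue;   /* not a NAS we proxy for */
        if (!wake_target_hit(&targets[i], now)) return 0;
        arp_build_reply(reply, proxy_mac, tip, smac, sip);
        return 1;
    }
    return 0;
}

/* Constructed sample: router 192.168.68.1 broadcasting "who has 192.168.68.50?". */
size_t make_sample_request(uint8_t out[ARP_FRAME_LEN]) {
    static const uint8_t router_mac[6] = {0x02,0x00,0x00,0x00,0x00,0x01};
    static const uint8_t router_ip[4]  = {192,168,68,1}, nas_ip[4] = {192,168,68,50};
    static const uint8_t hdr[8] = {0x00,0x01, 0x08,0x00, 6, 4, 0x00, ARP_OP_REQUEST};
    memset(out, 0, ARP_FRAME_LEN);                         /* target MAC stays zero */
    memcpy(out, BROADCAST_MAC, 6); memcpy(out + 6, router_mac, 6);
    out[12] = 0x08; out[13] = 0x06;
    memcpy(out + 14, hdr, 8); memcpy(out + 22, router_mac, 6);
    memcpy(out + 28, router_ip, 4); memcpy(out + 38, nas_ip, 4);
    return ARP_FRAME_LEN;
}
```

Two requests spaced 20 seconds apart never trigger a reply, so a NAS that is already up and answering its own ARP normally is left alone; only the burst of retries a router emits for an unresponsive host crosses the threshold.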
In theory anyone can wake your Synology NAS, but to do so they need to know the 48-bit MAC address of your Synology NAS, your IP address (or DDNS name, so I suggest keeping it more unique and harder to guess), and the port you've set up for forwarding.
The main risk is that if you send a WoL packet from an unsecured Wi-Fi network (e.g., a hotel or cafe), someone could listen for the Wake-on-LAN frame you're sending, learn the MAC address of the Synology NAS, and send their own wake packets. If you don't do wakes from a Wi-Fi network (e.g., just send from the cellular network), then the risk should be minimal (depends on your paranoia that the NSA is monitoring all traffic in core Internet routers and captures your traffic there).
To get to the details on how to set things up look here.