MikroTik

Community discussions
https://forum.mikrotik.com/

Wireguard: how to access to SMB active on RouterOS?

https://forum.mikrotik.com/viewtopic.php?t=193846

Page 1 of 1

Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 5:50 pm
by massinia
Hi, I would like to access remotely and with wireguard to SMB sharing active on hAP ax3.

Once connected with Wireguard I can access to the entire hAP ax3 network, but not to the active sharing in the router.
Have I forgotten something in firewall?

Thanks for your help.
Code: Select all
# feb/22/2023 16:19:38 by RouterOS 7.8rc3
# software id = BH9H-NUQS
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HDG08XXXXXX
/container mounts
add dst=/minidlna name=DLNA src=/usb1/containers/minidlna-data
add dst=/Film name="DLNA Media" src=/usb1/Dati/Film
/interface bridge
add admin-mac=48:A9:8A:0E:18:EB auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180-5500 \
    .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=\
    Italy .mode=ap .ssid=MikroTik disabled=no security.authentication-types=\
    wpa2-psk .management-protection=disabled .wps=disable
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=Italy .mode=ap .ssid=\
    MikroTik disabled=no security.authentication-types=wpa2-psk \
    .management-protection=disabled .wps=disable
/interface veth
add address=192.168.10.3/24 gateway=192.168.10.1 name=veth1
/interface wireguard
add listen-port=31077 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan835 vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan835 name=pppoe-out1 \
    use-peer-dns=yes user=user
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/queue type
add kind=fq-codel name="fq codel"
/queue tree
add max-limit=295M name="FTTH Upload" packet-mark=no-mark parent=pppoe-out1 \
    queue="fq codel"
/container
add envlist=DLNA interface=veth1 mounts="DLNA,DLNA Media" root-dir=\
    usb1/containers/minidlna start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=/usb1/containers/tmp
/container envs
add key=MINIDLNA_MEDIA_DIR name=DLNA value=/Film
add key=MINIDLNA_FRIENDLY_NAME name=DLNA value="Router MikroTik"
add key=MINIDLNA_ROOT_CONTAINER name=DLNA value=B
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge comment="minidlna container" interface=veth1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="FTTH" interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=172.20.1.2/32 interface=wireguard1 public-key=\
    "cut"
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=172.20.1.1/24 comment=WireGuard interface=wireguard1 network=\
    172.20.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.10.10 client-id=1:70:85:c2:62:34:b2 comment="PC" \
    mac-address=70:85:C2:62:34:B2 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
    192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=31077 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    172.20.1.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no domain=WORKGROUP enabled=yes interfaces=bridge,wireguard1
/ip smb shares
set [ find default=yes ] disabled=yes
add directory=usb1/Dati name=Router
/ip smb users
add name=smb read-only=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system package update
set channel=testing
/tool e-mail
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 6:09 pm
by anav
Good question, I have no idea what SMB is??
I dont see any thing in the firewall rules either way..........

I prefer a drop all rule in the forward chain and removal of this rule
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

and replace it with better security focussed and clear rules................
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Then for wireguard for example.....
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface=bridge { or perhaps to a specific server dst-address=IPofServer }
add action=accept chain=forward comment=P-forwarding connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

In this case is SMB an interface, an IP address a subnet, something indentifiable in a rule. ???????

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If its a layer2 construct you may be SOL, but then better off use zerotier for a Layer2, or multicast use case..........

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 6:20 pm
by massinia
In this case is SMB an interface, an IP address a subnet, something indentifiable in a rule. ???????

SMB is Samba WinBox IP -> SMB
Sorry I didn't explain well :roll:

Image
but then better off use zerotier for a Layer2
I confirm that with Zerotier the same configuration works perfectly, unfortunately clients must necessarily use wireguard.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 6:46 pm
by holvoetn
Odd because SMB is supposed to work over TCP... if your TCP connection works, SMB should as well.
How did you try to access the share ? Using netname or IP address ? If the former, try the latter.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 6:51 pm
by anav
Odd for sure, especially since I clearly laid out a case that a firewall rule with, interface name, or IP ADDRESS, would be needed.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 7:16 pm
by massinia
Using netname or IP address ?
IP address.
Yes it's odd because when I connect with wireguard I can connect to one NAS (IP 192.168.10.254) always with smb...
I can reach also all the router services (192.168.10.1) so I guess the problem is in the SMB configuration:
Code: Select all
/ip smb
set allow-guests=no domain=WORKGROUP enabled=yes interfaces=bridge,wireguard1
Or maybe it's a 7.8rc bug...

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 7:28 pm
by massinia
OK with
Code: Select all
/ip smb
set allow-guests=no domain=WORKGROUP enabled=yes interfaces=all
It works perfectly, but not it seems to me very safe :roll:

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 7:32 pm
by holvoetn
Why not ? You're behind a firewall and using vpn.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 7:36 pm
by anav
Concur with Hoelve, from the practical viewpoint, I am just sorry I dont have the technical acumen to explain why the ALL works and the other setting didnt... :-(

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 7:53 pm
by massinia
Why not ? You're behind a firewall and using vpn.
You're right, I thought it was dangerous to expose smb on all interfaces, PPPoE included.
I am just sorry I dont have the technical acumen to explain why the ALL works and the other setting didnt...
Thanks anyway, you've been very helpful.

I think I figured out why... wireguard1 interface IP is 172.20.1.1/24 and on log, when I set interfaces=all, there is
Image

May be that SMB is expecting a connection from 172.20.1.1 and not 172.20.1.2?

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 8:03 pm
by holvoetn
Unless i missed something your wireguard interface is not part of LAN nor WAN ?
Can you set it to LAN ?

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 8:11 pm
by sindy
May be that SMB is expecting a connection from 172.20.1.1 and not 172.20.1.2?
Nope. This shows the IP address of the connecting client, not of the SMB server (the router) itself.

If you can afford it temporarily, remove bridge from the list of interfaces in the SMB settings and try with wireguard1 alone. If that also works, it means that the version has a problem with handling a list of interfaces.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 8:19 pm
by massinia
Can you set it to LAN ?
Sure!
Image
Unfortunately smb is always not available...
Nope. This shows the IP address of the connecting client, not of the SMB server (the router) itself.
OK, thank you!
If you can afford it temporarily, remove bridge from the list of interfaces in the SMB settings and try with wireguard1 alone.
Doesn't work also with wireguard1 only, it works with "any" only...

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Feb 22, 2023 11:30 pm
by optio
I can also confirm that I'm unable to connect to ROS SMB share over Wireguard and wireguard interface is in SMB interface list.
For eg. OVPN client binding interfaces are also in SMB interface list and over OpenVPN connection works.
I have ip filter rule that accepts input for all VPN interfaces and connection to other ROS services (http, ssh, UPnP...) are working, but SMB on Wireguard not.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Thu Feb 23, 2023 5:54 pm
by massinia
Thanks for the confirmation, I contacted support.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Fri Mar 17, 2023 1:29 am
by sysf
Thanks for the confirmation, I contacted support.
Hey, have you received any update from support? I'm experiencing the same problem.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Fri Mar 17, 2023 9:44 am
by massinia
Yes, they replied that:
Thank you for your report. We will try to find a root cause of this problem as soon as possible.
SUP-108546

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Tue Oct 03, 2023 10:53 pm
by gbtest85
Hello! Any news about this exact problem I also have?

hAP ax^3 with ROS 7.11.2

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Wed Oct 04, 2023 10:23 am
by massinia
Hi, no nothing new... the ticket closed automatically and I don't think they are thinking about resolving it.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Thu Feb 08, 2024 6:43 pm
by ianiovski
I have the same problem, is there any development on the matter as of today?

Re: Wireguard: how to access to SMB active on RouterOS?  [SOLVED]

Posted: Thu Feb 08, 2024 9:50 pm
by massinia
I have the same problem, is there any development on the matter as of today?
I just received the notification for the SUP today:
smb.png
Will probably be fixed with 7.14 and the new build-in SMB

Thanks MikroTik

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Thu Feb 08, 2024 10:25 pm
by ianiovski
Wow, great, so we'll wait for 7.14. Thanks for the clarification.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Thu Feb 08, 2024 11:28 pm
by Mesquite
Good to know, SMB issue not wireguard.

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Sat Feb 24, 2024 9:26 am
by massinia
Fixed with 7.14rc2 :)

Re: Wireguard: how to access to SMB active on RouterOS?

Posted: Mon Mar 04, 2024 9:16 pm
by ianiovski
And what turns out that new SMB does not work with all architectures and more specifically mmips.......
ROSE - package adds additional enterprise data center functionality to RouterOS - for supporting disk monitoring, improved formatting, RAIDs, rsync, iSCSI ,NVMe over TCP, NFS and improved SMB. This functionality currently is supported on arm, arm64, x86 and tile platforms."
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/