SMB over WAN

furiah95 (Dabbler, joined Jun 5, 2022, 14 messages)
Yes, I know that sounds very crazy. I am trying to make an SMB connection over the WAN; the client is W10.

But it is impossible for me to make the connection. I called my ISP to find out if they were blocking the SMB/CIFS ports for security, but they say they do not, only port 25. Still, external SMB packets don't route to my TrueNAS. With the NFS service it does work over the WAN.

I set up the port forwarding correctly; I even put my TrueNAS in a DMZ, but without result.

I understand that the SMB config file is /etc/local/smb4.conf. It is as follows:


[global]
dns proxy = No
aio max threads = 2
max log size = 5120
load printers = No
printing = bsd
disable spoolss = Yes
dos filemode = Yes
kernel change notify = No
directory name cache size = 0
server multi channel support = No
nsupdate command = /usr/local/bin/samba-nsupdate -g
unix charset = UTF-8
log level = 1 auth_json_audit:3@/var/log/samba4/auth_audit.log
obey pam restrictions = False
enable web service discovery = True
logging = file
server min protocol = SMB2_02
unix extensions = No
restrict anonymous = 2
server string = TrueNAS Server
bind interfaces only = Yes
netbios name = truenas
netbios aliases =
server role = standalone
workgroup = WORKGROUP
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
registry shares = yes
include = registry

I added the following rule, but without result:

host allow = 0.0.0.0/0

Restarted the service:

service smbd restart

Still without any result. I have used tcpdump to see if any SMB packet arrives from outside, but negative again. Also, it seems that when I reboot my machine the smb4.conf file gets overwritten, which removes all the options I added.

So guys, I don't understand where the problem is. Does the default SMB client of W10 have any restrictions on making remote SMB connections?

Are there any extra settings in my smb4.conf that I'm overlooking?

Finally, maybe the firewall of my ISP's router is doing some blocking; according to them, no, but I can't see the firewall's logs, it's pure garbage. I understand, again, that what I am doing is crazy, but these are only tests. I will not implement a VPN or security policies when it does not even work in plain text.

Thanks.

Edit:

tcpdump -i bge0 > capture
cat capture | grep SMB

But without any results; the packets are not arriving.
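An added example (not from the post above) of what "does anything arrive at all?" looks like when done on the capture itself. Piping the default tcpdump output through grep SMB only matches packets that carry SMB payload; a blocked or unanswered connection attempt consists of bare SYNs with no payload, which that grep never shows. The script below assumes the capture was taken with `tcpdump -ni bge0 'tcp port 445 or tcp port 139' > capture` (the -n keeps 445 numeric instead of "microsoft-ds"), assumes 192.168.1.10 as the NAS address, and the sample lines embedded in it are constructed, not a real capture.

```python
"""Summarise a tcpdump capture for inbound SMB connection attempts.

Added example, not from the thread. Assumes the capture was written by
    tcpdump -ni bge0 'tcp port 445 or tcp port 139' > capture
The NAS address and the sample lines below are constructed for illustration.
"""
import re
from collections import Counter

NAS_IP = "192.168.1.10"          # assumed LAN address of the TrueNAS box
SMB_PORTS = {445, 139}

# Constructed sample capture: one client that completes the handshake and sends
# an SMB negotiate, one client whose SYNs are never answered, and one NFS SYN.
SAMPLE = """\
12:00:01.000001 IP 203.0.113.5.51234 > 192.168.1.10.445: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 192.168.1.10.445 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000400 IP 203.0.113.5.51234 > 192.168.1.10.445: Flags [P.], seq 1:72, ack 1, win 512, length 71 SMB PACKET: SMBnegprot (REQUEST)
12:00:05.000000 IP 198.51.100.7.40000 > 192.168.1.10.445: Flags [S], seq 9, win 64240, length 0
12:00:06.000000 IP 198.51.100.7.40000 > 192.168.1.10.445: Flags [S], seq 9, win 64240, length 0
12:00:07.000000 IP 192.168.1.20.50001 > 192.168.1.10.2049: Flags [S], seq 3, win 64240, length 0
"""

# tcpdump -n prints IPv4 endpoints as a.b.c.d.port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return src/dst/ports/flags for one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    d["smb_payload"] = "SMB" in line     # what a plain 'grep SMB' would catch
    return d


def summarize(capture, nas_ip=NAS_IP):
    """Classify inbound SMB connection attempts seen in a tcpdump capture."""
    syn_by_src = Counter()   # bare SYNs aimed at the NAS on 445/139
    answered = set()         # sources the NAS replied to with SYN-ACK
    smb_payload = 0          # lines carrying decoded SMB payload
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["smb_payload"]:
            smb_payload += 1
        if p["dst"] == nas_ip and p["dport"] in SMB_PORTS and p["flags"] == "S":
            syn_by_src[p["src"]] += 1
        elif p["src"] == nas_ip and p["sport"] in SMB_PORTS and p["flags"] == "S.":
            answered.add(p["dst"])
    return {
        "syn_by_src": dict(syn_by_src),
        "answered": answered,
        "unanswered": set(syn_by_src) - answered,
        "smb_payload_lines": smb_payload,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for src, n in s["syn_by_src"].items():
        state = "handshake completed" if src in s["answered"] else "no SYN-ACK from NAS"
        print(f"{src}: {n} SYN(s) to an SMB port, {state}")
    print(f"lines a plain 'grep SMB' would have shown: {s['smb_payload_lines']}")
```

On the sample, grep SMB would show one line while there are three inbound connection attempts, two of them never answered. An empty summary on a real capture taken during the test means the SYNs are dropped before reaching the NAS interface (router, DMZ forward, or ISP), not a Samba problem; to watch only connection attempts live, `tcpdump -ni bge0 'tcp dst port 445 and tcp[tcpflags] & tcp-syn != 0'` works as well.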

WN1X (Explorer, joined Dec 2, 2019, 77 messages)
Tunnel your SMB traffic via VPN. You do not want direct SMB access over the internet.
 

furiah95 (Dabbler, joined Jun 5, 2022, 14 messages)
As I said in my first post, according to my ISP they are not blocking the SMB protocol's ports. To rule out any problems with the W10 SMB client and the TrueNAS server, I put netcat on port 445, and they are in effect blocking the port.

The wait exceeds the timeout, and the connection never arrives.

Well, I'll call them again, but in the end I'll have to use a VPN, so that I don't have to use the default SMB ports and can bypass the block.

And yes, I know that using it without a VPN is a poor implementation; I said so in my first post. But I don't understand this type of blocking: why does my ISP have to do these things? It's my problem if I want to use SMB without security.

These are just tests; I do not want to put a VPN in the middle, but I will have to.

Also, is there any way to trace the SMB connection, to know where the connection is being lost, as with traceroute? Sorry if what I'm describing is something fictitious.

Regards.
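An added example (not from the post above) that does the netcat test in a form that tells the three outcomes apart, because "the connection never arrives" can mean two different things: a RST coming back (the path is open, nothing listens or a forward is missing) versus silence until the timeout (the classic signature of a firewall or ISP dropping tcp/445). The placeholder address 203.0.113.10 is an assumption; run it from outside your own LAN (a phone hotspot is enough), since hairpin NAT on consumer routers often fails and would mislead you.

```python
"""Probe a TCP port and report whether it is open, refused or filtered.

Added example, not from the thread. Outcomes:
  open      -> handshake completed: the path and the listener are fine
  refused   -> RST received: the path is open but nothing answers on that port
  filtered  -> no answer before the timeout: something drops the packets
  error:... -> an ICMP unreachable or similar came back (not a silent drop)
203.0.113.10 below is a placeholder from the documentation address range.
"""
import errno
import socket


def probe(host, port, timeout=5.0):
    """Return 'open', 'refused', 'filtered' or 'error:<errno name>' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def probe_all(host, ports=(445, 139, 2049)):
    """Probe SMB (445, 139) next to NFS (2049), which the thread says does get through."""
    return {p: probe(host, p) for p in ports}


def local_listener():
    """Open a listening socket on a free loopback port (used for the self-check)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def free_local_port():
    """Pick a loopback port that nothing listens on (used for the self-check)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Self-check on loopback: a listener must read as 'open', a closed port as 'refused'.
    lst = local_listener()
    print("loopback listener  ->", probe("127.0.0.1", lst.getsockname()[1], timeout=2))
    lst.close()
    print("loopback closed    ->", probe("127.0.0.1", free_local_port(), timeout=2))
    # Real use: replace with the public address of the router in front of the NAS.
    for port, state in probe_all("203.0.113.10").items():
        print(f"tcp/{port}: {state}")
```

To see where along the path the SYNs die, trace with TCP probes to the port in question rather than with UDP or ICMP: on Linux `traceroute -T -p 445 <host>` (needs root), or `nmap -Pn -p 445 --traceroute <host>`. If the hop list stops inside the ISP's network for 445 but reaches the router for 2049, the block is upstream of anything you can configure.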

xness (Dabbler, joined Jun 3, 2022, 30 messages)
The reason ISPs block SMB is that it was the cause of the single biggest worldwide ransomware attack, WannaCry.

SMB is a protocol from a different era that wasn't built to be on the internet and regularly has major security flaws that result in remote code execution (this is usually the worst a vulnerability can get).

With that in mind, you're better off using something like NextCloud and synchronizing the files using their client. Or using SFTP. Or simply using a VPN.
 
(user name not captured; joined Jun 2, 2019, 591 messages)
+1 VPN

@furiah95

Any firewall worth its salt has support for VPN. If yours doesn't, get one that does.

https://pfsense.com has support for OpenVPN, IPSec, WG

furiah95 (Dabbler, joined Jun 5, 2022, 14 messages)
> The reason ISPs block SMB is that it was the cause of the single biggest worldwide ransomware attack, WannaCry.
>
> SMB is a protocol from a different era that wasn't built to be on the internet and regularly has major security flaws that result in remote code execution (this is usually the worst a vulnerability can get).
>
> With that in mind, you're better off using something like NextCloud and synchronizing the files using their client. Or using SFTP. Or simply using a VPN.

I had no intention of using software like NextCloud or some kind of WebDAV. Hence the plan to use services such as NFS or SMB that are already in any system by default.

So there is no way to use SMB without a VPN, since ISPs block it? It's funny that my ISP told me no.

Is it crazy to use SMB or NFS through a VPN? How insecure would it be?

Of course I had thought of creating a VPN, but not on TrueNAS, rather on my router/firewall. I wanted to build one with OpenBSD, but I see that I will have to move that forward, otherwise SMB will not work over the WAN.

> +1 VPN
>
> @furiah95
>
> Any firewall worth its salt has support for VPN. If yours doesn't, get one that does.
>
> https://pfsense.com has support for OpenVPN, IPSec, WG

Yes, I was planning to use OpenBSD and its default tools like isakmpd, etc.
 

xness (Dabbler, joined Jun 3, 2022, 30 messages)
> So there is no way to use SMB without a VPN, since ISPs block it? It's funny that my ISP told me no.
>
> Is it crazy to use SMB or NFS through a VPN? How insecure would it be?

Even if your ISP does not block incoming SMB, you can easily be in a spot where outgoing SMB is blocked. That's aside from the security aspect; it's a pure practicality aspect of the whole thing.

Using SMB over VPN is generally safe; most businesses do it like this. As always, the security depends on how you configure your VPN server. Alternatively, you can try using an SSH tunnel with public-key authentication if setting up a VPN server is too complicated. It's relatively easy to configure and offers similar security benefits.
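An added example (not from the post above, nor TrueNAS code) of the SSH-tunnel alternative mentioned here: a local port is forwarded over ssh with key-only authentication to smbd on the NAS, and the share is mounted through that port. Everything named below is an assumption: the NAS public name nas.example.net, its LAN address 192.168.1.10, the ssh user, the key path, the share name and the mount point. The forward targets the LAN address rather than 127.0.0.1 because the smb4.conf posted above has `bind interfaces only = Yes`, and smbd may then not be listening on loopback. The client side assumes Linux mount.cifs, which accepts a non-standard port via `port=`; the Windows SMB client only ever talks to tcp/445 and Windows already binds that port locally, so for a W10 client this trick does not apply and a real VPN (WireGuard, IPsec, OpenVPN) is the way to go, as the thread already recommends.

```python
"""Bring up an SSH port forward to a NAS and mount an SMB share through it.

Added example, not from the thread. All names and addresses are assumptions;
the NAS must run sshd with public-key auth for USER, and the client needs
mount.cifs (Linux).
"""
import shlex
import socket
import subprocess
import time

NAS_PUBLIC = "nas.example.net"      # hypothetical public name/address of the NAS
NAS_LAN = "192.168.1.10"            # hypothetical LAN address smbd is bound to
USER = "backup"                     # hypothetical ssh user on the NAS
KEY_PATH = "~/.ssh/id_ed25519_nas"  # hypothetical key used only for this tunnel
LOCAL_PORT = 4445                   # >1024 so ssh -L needs no root
SHARE = "data"                      # hypothetical share name
MOUNT_POINT = "/mnt/nas"            # hypothetical mount point
SMB_USER = "smbuser"                # hypothetical SMB account on the NAS


def ssh_tunnel_cmd(local_port=LOCAL_PORT, nas_public=NAS_PUBLIC,
                   nas_lan=NAS_LAN, user=USER, key_path=KEY_PATH):
    """argv for ssh: forward 127.0.0.1:<local_port> to <nas_lan>:445 over ssh."""
    return [
        "ssh",
        "-i", key_path,
        "-o", "IdentitiesOnly=yes",         # offer only this key
        "-o", "BatchMode=yes",              # fail instead of prompting for a password
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown host keys (pin the NAS key first)
        "-o", "ExitOnForwardFailure=yes",   # exit if the local port is already taken
        "-N",                               # no remote shell, port forwarding only
        "-L", f"127.0.0.1:{local_port}:{nas_lan}:445",
        f"{user}@{nas_public}",
    ]


def mount_cmd(local_port=LOCAL_PORT, share=SHARE, mount_point=MOUNT_POINT,
              smb_user=SMB_USER):
    """argv for mount.cifs through the tunnel: vers=3.0 refuses SMB1, seal encrypts."""
    return [
        "sudo", "mount", "-t", "cifs", f"//127.0.0.1/{share}", mount_point,
        "-o", f"port={local_port},vers=3.0,seal,username={smb_user}",
    ]


def wait_for_port(host, port, timeout=10.0):
    """Poll until something accepts TCP connections on host:port, or give up."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.2)
    return False


def open_tunnel_and_mount():
    """Start ssh in the background, wait for the forward, then mount the share."""
    ssh = subprocess.Popen(ssh_tunnel_cmd())
    if not wait_for_port("127.0.0.1", LOCAL_PORT):
        ssh.terminate()
        raise RuntimeError("ssh tunnel did not come up (check key, host key, sshd on the NAS)")
    subprocess.run(mount_cmd(), check=True)
    return ssh   # keep this process alive; terminate() it after umount


if __name__ == "__main__":
    print("ssh:  ", shlex.join(ssh_tunnel_cmd()))
    print("mount:", shlex.join(mount_cmd()))
    # open_tunnel_and_mount()   # uncomment on a real client
```

Only tcp/22 has to be reachable from the internet; 445 stays closed at the router, which also sidesteps the ISP block. Keep the ssh account restricted on the NAS side (no interactive shell beyond what the forward needs, key-only auth, and ideally a `permitopen` restriction in authorized_keys limiting the forward to the NAS address and port 445).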