On my router (RouterOS7.11) I have SMB activated and it works. I defined various some shares and users. The native access control of SMB in RouterOS seems to be limited to read-write and read only. There is no access level ‘None’. Reading the various manuals and instructions I have not found out how I can limit the access of certain users to see just certain directories.
Would it be possible to use the firewall to further limit the access of users, e.g. if user x tries to access anything (TCP on port 445) on directory /disk/private it is blocked whereas any read on /disk/public would be allowed.
No, firewall in ROS is L4 … which works with connections on protocol level (TCP, UDP, …), but (generally) doesn’t look into application protocols (e.g. SMB/CIFS). There are some hooks into L7 (layer7-protocol, content, …) which allow some (very limited) application-level awareness, but it’s very costly (with regard to CPU burden they impose on firewall device) and it’s only good for breaking the connection (in your use case that would be fine). You can read more in Layer7 help.
In short: I wouldn’t do it. But then I’m not a fan of all-in-one devices, at home I’m running a general-purpose linux server which is more fit to offer such services and I let router to route.
OK clear. I fully agree that using a router as fileserver is not ideal but in some cases it can be useful. My router is at my holiday house where I want my guests to be able to download some information about the environment, just a few MB of data with extremely low trafic. As there is only (costly) LTE connection to the internet its more convenient to store the data locally. But it would be an overkill to arrange for a separate file server although a RPi with an USB stick might do as well.
Anyway, pity that it is not possible within RouterOS to define a per-user SMB share access level.