dip
October 9, 2020, 4:03pm
1
Hello everybody
I’m stuck with a problem.
I have a network where a file server has been running for a long time.
Now I have built another network in another location, connected to the first one over a VLAN with Mikrotik routers. The first network is in the 192.168.0.0/24 range and the second network in 192.168.15.0/24.
The QNAP file server has IP 192.168.0.55 on NIC1 with gateway 192.168.0.1; NIC2 is not used.
From a computer in network 2 (e.g. 192.168.15.123), ping to 192.168.0.55 (the QNAP file server) works and I can access the server’s web interface. If I try to access the SMB share, it doesn’t work.
Also in network 2 I have a Windows Server 2019 file server with IP 192.168.15.155 and gateway 192.168.15.1. It can be accessed in the 192.168.15.0/24 network but it cannot be accessed by any device from 192.168.0.0/24 (on SMB, ping and web it works well).
Where is the problem?
I tried many options but could not find a solution. Traffic between the networks works, because I have database servers that can be accessed, but the file servers cannot.
The problem is not with the operating systems (Windows, Linux …). The access problem is the same on Windows, macOS, Linux and printers that save scans to the file servers, so I think the problem is somewhere on the routers. Traffic between the networks is OK, except for the SMB protocol.
Please help me with a tip or a solution.
Is SMB port (TCP 445) enabled on the file server firewall?
dip
October 9, 2020, 4:57pm
3
Yes, the file servers work OK, both the Windows server and the QNAP, each within its own IP range. The problem occurs when I try to access one IP range from the other.
E.g. server IP 192.168.0.55: SMB works from 192.168.0.123 but does not work from 192.168.15.123. Ping and web access work well.
I don’t think it’s a desktop firewall problem, possibly the Mikrotik. I turned off the firewall on both the desktop and the server but the result was the same.
mkx
October 9, 2020, 5:35pm
4
How do you access the share on the Qnap, using its name (e.g. \\qnap\share)? If so, does it work if you access the share using its IP address (i.e. \\192.168.0.55\share)? SMB uses the NMB protocol for resolving names. Unlike DNS it is not centralized [1]; it uses broadcasts, and those don’t pass routers.
[1] In the case where there’s a domain controller (or AD controller), resolving actually is centralized, but that’s not usual in a SOHO environment.
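The name-resolution step the reply above refers to is the NetBIOS Name Service (NBNS, UDP 137). The following is an added example, not part of mkx’s post or of any QNAP or MikroTik code: it builds the NAME QUERY REQUEST a client without WINS broadcasts on its own subnet, builds the matching response a NAS would send back, and parses such a response. The host name QNAP, the address 192.168.0.55 and the transaction IDs are assumed values chosen to match the thread; `resolve_by_broadcast` actually sends the query and will only ever get an answer from the local broadcast domain, which is why `\\qnap\share` cannot work across the router while `\\192.168.0.55\share` skips this step entirely.

```python
"""Build, send and parse NetBIOS Name Service (NBNS, UDP 137) name queries.

Added example for this thread, not code from the post or from QNAP/MikroTik.
Names and addresses below are assumed values matching the thread.
"""
import random
import socket
import struct
import sys

NBNS_PORT = 137


def encode_netbios_name(name, suffix=0x20):
    """First-level encoding (RFC 1001 14.1): the 16-byte NetBIOS name is split
    into nibbles and each nibble becomes a letter A..P. Regular names are
    space-padded to 15 bytes plus a suffix byte (0x20 = server service);
    the wildcard '*' used by NBSTAT is '*' followed by 15 NUL bytes."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def build_name_query(name, suffix=0x20, txid=None, broadcast=True):
    """NAME QUERY REQUEST (RFC 1002 4.2.12). Flags 0x0110 = RD + B (broadcast),
    which is what a client with no WINS server sends."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0020, 0x0001)  # QTYPE NB, QCLASS IN


def build_name_response(name, ip, txid, suffix=0x20, ttl=300000):
    """POSITIVE NAME QUERY RESPONSE (RFC 1002 4.2.13) as a NAS would answer it.
    NB_FLAGS 0x0000 = unique name, B-node."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)  # response, AA, RD
    rr_name = b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)
    return header + rr_name + struct.pack(">HHIH", 0x0020, 0x0001, ttl, len(rdata)) + rdata


def parse_name_response(data):
    """Return the IPv4 addresses in a name query response; [] on a short packet,
    a non-response, an RCODE error (e.g. NXDOMAIN) or no answer records."""
    if len(data) < 12:
        return []
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or flags & 0x000F or an == 0:
        return []
    pos = 12
    for _ in range(qd):  # skip any echoed question section
        pos = data.index(b"\x00", pos) + 1 + 4
    addrs = []
    for _ in range(an):
        end = data.index(b"\x00", pos) + 1
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[end:end + 10])
        rdata = data[end + 10:end + 10 + rdlen]
        if rtype == 0x0020:  # NB record: repeated (NB_FLAGS, IPv4) pairs
            for i in range(0, len(rdata) - 5, 6):
                addrs.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
        pos = end + 10 + rdlen
    return addrs


def resolve_by_broadcast(name, timeout=2.0, dst="255.255.255.255"):
    """Broadcast one query on the local subnet and return answering addresses.
    Routers do not forward this, so a name in another subnet never answers."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_name_query(name, txid=txid), (dst, NBNS_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return []
    if data[:2] != struct.pack(">H", txid):
        return []
    return parse_name_response(data)


if __name__ == "__main__":
    print("wildcard name:", encode_netbios_name("*"))
    print("query for QNAP:", build_name_query("QNAP", txid=0x1234).hex())
    if len(sys.argv) > 1:  # e.g. python nbns.py QNAP
        print(sys.argv[1], "->", resolve_by_broadcast(sys.argv[1]))
```

Run with a name as the only argument from a host in 192.168.15.0/24 and the broadcast times out; run it from 192.168.0.0/24 and the NAS answers, which is the whole difference between the two access methods in the post.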
gnro
October 9, 2020, 5:44pm
5
Check the firewall on the Mikrotik router. Maybe it blocks some Samba ports. See https://www.samba.org/~tpot/articles/firewall.html
dip
October 9, 2020, 5:56pm
6
I access the folder with \\192.168.0.55\folder
gnro
October 9, 2020, 6:04pm
7
Can you post your configuration?
Run in terminal:
/export hide-sensitive
dip
October 9, 2020, 6:53pm
8
Configuration of the router where the qnap fileserver is, ip class 192.168.0.0/24:
# oct/09/2020 21:07:41 by RouterOS 6.47.1
# software id = 8QR9-9N95
#
# model = CRS125-24G-1S-2HnD
# serial number = 786F07A73D1D
/interface bridge
add admin-mac=xxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
add name=bridge-guest
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=no_country_set disabled=no \
distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=Mirdatod station-roaming=enabled \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] speed=1000Mbps
set [ find default-name=ether2 ] name=ether2-master speed=1000Mbps
set [ find default-name=ether3 ] comment="QNAP server-NIC1" speed=1000Mbps
set [ find default-name=ether4 ] speed=1000Mbps
set [ find default-name=ether5 ] speed=1000Mbps
set [ find default-name=ether6 ] speed=1000Mbps
set [ find default-name=ether7 ] speed=1000Mbps
set [ find default-name=ether8 ] speed=1000Mbps
set [ find default-name=ether9 ] speed=1000Mbps
set [ find default-name=ether10 ] speed=1000Mbps
set [ find default-name=ether11 ] speed=1000Mbps
set [ find default-name=ether12 ] speed=1000Mbps
set [ find default-name=ether13 ] speed=1000Mbps
set [ find default-name=ether14 ] speed=1000Mbps
set [ find default-name=ether15 ] speed=1000Mbps
set [ find default-name=ether16 ] speed=1000Mbps
set [ find default-name=ether17 ] speed=1000Mbps
set [ find default-name=ether18 ] speed=1000Mbps
set [ find default-name=ether19 ] speed=1000Mbps
set [ find default-name=ether20 ] comment=Qnap2-NIC2 disabled=yes speed=1000Mbps
set [ find default-name=ether21 ] speed=1000Mbps
set [ find default-name=ether22 ] speed=1000Mbps
set [ find default-name=ether23 ] speed=1000Mbps
set [ find default-name=ether24 ] speed=1000Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes user=xxxxxxxxxxxxxxx
/interface vlan
add interface=ether1 name=vlan205 vlan-id=205
add interface=ether1 name=vlan318 vlan-id=318
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan318 name=pppoe-out2 use-peer-dns=yes user=xxxxxxxxxxxxxxx
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile-guest \
supplicant-identity=""
/interface wireless
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=66:D1:54:B3:92:A9 master-interface=wlan1 \
multicast-buffering=disabled name=guest-wifi security-profile=profile-guest ssid=X2 wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.0.12-192.168.0.254
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d10m name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridge-guest lease-time=1d10m name=dhcp1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
add bridge=bridge interface=sfp1
add bridge=bridge-guest interface=guest-wifi
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=ether11 list=discover
add interface=ether12 list=discover
add interface=ether13 list=discover
add interface=ether14 list=discover
add interface=ether15 list=discover
add interface=ether16 list=discover
add interface=ether17 list=discover
add interface=ether18 list=discover
add interface=ether19 list=discover
add interface=ether20 list=discover
add interface=ether21 list=discover
add interface=ether22 list=discover
add interface=ether23 list=discover
add interface=ether24 list=discover
add interface=sfp1 list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/interface wireless access-list
...
...
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2-master network=192.168.0.0
add address=10.10.10.2/29 interface=vlan205 network=10.10.10.0
add address=192.168.2.1/24 interface=bridge-guest network=192.168.2.0
/ip arp
add address=192.168.0.10 interface=bridge mac-address=28:57:BE:84:39:62
add address=192.168.0.11 interface=bridge mac-address=C4:2F:90:92:E1:61
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.80 client-id=1:30:cd:a7:fe:43:3a mac-address=30:CD:A7:FE:43:3A server=defconf
add address=192.168.0.104 always-broadcast=yes client-id=1:f4:a9:97:de:49:dc comment="Canon printer" mac-address=\
F4:A9:97:DE:49:DC server=defconf
...
...
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=185.206.144.149 name=asia1.ethermine.org type=A
...
/ip firewall address-list
add address=192.168.2.2-192.168.2.254 list="guest users"
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=input comment="port winbox" dst-port=8291 protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
new disabled=yes in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input disabled=yes in-interface=pppoe-out1
add action=drop chain=input comment="Drop DNS" disabled=yes dst-port=53 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface=pppoe-out2 protocol=tcp
add action=drop chain=input comment="Drop DNS" disabled=yes dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface=pppoe-out2 protocol=udp
add action=drop chain=input comment="Block guest - port local" dst-address=192.168.2.1 dst-port=80,21,22,23,8291 protocol=tcp \
src-address-list="guest users"
add action=drop chain=input comment="Block guest local LAN" dst-address=192.168.0.0/24 src-address-list="guest users"
add action=drop chain=input comment="Block guest local location2 LAN" dst-address=192.168.15.0/24 src-address-list="guest users"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out2
add action=dst-nat chain=dstnat comment="DVR1" dst-port=554 protocol=tcp to-addresses=192.168.0.9 to-ports=554
add action=dst-nat chain=dstnat comment="DVR1" disabled=yes dst-port=8000 protocol=tcp to-addresses=192.168.0.9 to-ports=\
8000
add action=dst-nat chain=dstnat disabled=yes dst-port=93 protocol=tcp to-addresses=192.168.0.56 to-ports=80
add action=dst-nat chain=dstnat comment="DVR2" disabled=yes dst-port=8001 in-interface=pppoe-out1 protocol=tcp to-addresses=\
192.168.0.11 to-ports=8001
add action=dst-nat chain=dstnat comment="QNAP VPN" dst-port=1194 in-interface=pppoe-out2 protocol=udp to-addresses=192.168.0.55 \
to-ports=1194
add action=dst-nat chain=dstnat comment="DVR1" dst-address=x.x.x.x dst-port=88 in-interface=pppoe-out2 protocol=tcp \
to-addresses=192.168.0.9 to-ports=88
add action=dst-nat chain=dstnat comment="DVR1" dst-address=x.x.x.x dst-port=8000 in-interface=pppoe-out2 protocol=tcp \
to-addresses=192.168.0.9 to-ports=8000
/ip route
add distance=1 dst-address=192.168.15.0/24 gateway=10.10.10.1
/ip service
set telnet disabled=yes
set ftp disabled=yes port=61000
set www disabled=yes
set ssh disabled=yes port=62000
set api disabled=yes port=64000
set winbox address=192.168.0.0/24
set api-ssl disabled=yes port=63000
/ip socks
set port=4153
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/system logging
add prefix=Pppoe-out topics=poe-out
add prefix=Pppoe topics=pppoe,!debug
add prefix=Ppp topics=ppp,!debug
add prefix=Acount topics=account
add action=email topics=system
/tool e-mail
set address=x.x.x.x from="Mikrotik location1" port=xxx start-tls=yes user=xxx@xxx.com
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
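An `/export` like the one above is easiest to review mechanically. The following is an added example, not code from the thread, from MikroTik or from the poster: a small linter that parses RouterOS export syntax (a line beginning with `/` opens a section, `add`/`set` lines carry key=value pairs, a trailing backslash continues a line) and flags four things a reviewer would raise on the posted config: `allow-none-crypto=yes` under `/ip ssh`, the disabled `drop invalid` rule, UPnP interfaces of type external, and `allow-remote-requests=yes` on `/ip dns` without an enabled input drop for port 53 on each WAN interface that masquerades. `SAMPLE_EXPORT` is a constructed excerpt that mirrors the lines visible in the post; the WAN interfaces are taken from the enabled masquerade rules, which is an assumption that fits this config but not every one.

```python
"""Lint a MikroTik RouterOS `/export` dump for a few settings worth review.

Added example for this thread, not MikroTik's or the poster's code.
SAMPLE_EXPORT is a constructed excerpt that mirrors the posted config.
"""
import re
import shlex

SAMPLE_EXPORT = r"""
# constructed excerpt in RouterOS export syntax
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes user=xxx
add add-default-route=yes disabled=no interface=vlan318 name=pppoe-out2 use-peer-dns=yes user=xxx
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
    new disabled=yes in-interface=ether1
add action=drop chain=input comment="Drop DNS" disabled=yes dst-port=53 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface=pppoe-out2 protocol=tcp
add action=drop chain=input comment="Drop DNS" disabled=yes dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input comment="Drop DNS" dst-port=53 in-interface=pppoe-out2 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out2
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
"""


def parse_export(text):
    """Return a list of (section, verb, {key: value}) for every add/set line."""
    entries, section = [], None
    joined = re.sub(r"\\\n\s*", "", text)  # glue backslash-continued lines
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # handles comment="with spaces"
        params = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        entries.append((section, tokens[0], params))
    return entries


def lint(entries):
    """Return human-readable findings for a parsed export."""
    findings = []

    def rows(section, verb=None):
        return [p for s, v, p in entries if s == section and (verb is None or v == verb)]

    def enabled(p):
        return p.get("disabled", "no") != "yes"

    # 1. Unencrypted SSH ciphers allowed (matters the moment ssh is re-enabled).
    if any(p.get("allow-none-crypto") == "yes" for p in rows("/ip ssh", "set")):
        findings.append("ssh: allow-none-crypto=yes allows unencrypted SSH sessions")

    filters = rows("/ip firewall filter", "add")
    # 2. The default 'drop invalid' rule is present but switched off.
    for p in filters:
        if p.get("connection-state") == "invalid" and p.get("action") == "drop" and not enabled(p):
            findings.append(f"firewall: {p.get('chain')} chain 'drop invalid' rule is disabled")

    # 3. Recursive DNS reachable from the internet: allow-remote-requests=yes needs
    #    an enabled input drop for tcp/53 and udp/53 on every WAN interface.
    #    WAN interfaces are assumed to be the enabled masquerade out-interfaces.
    if any(p.get("allow-remote-requests") == "yes" for p in rows("/ip dns", "set")):
        wan = {p["out-interface"] for p in rows("/ip firewall nat", "add")
               if p.get("action") == "masquerade" and enabled(p) and "out-interface" in p}
        for iface in sorted(wan):
            for proto in ("tcp", "udp"):
                if not any(p.get("chain") == "input" and p.get("action") == "drop"
                           and p.get("dst-port") == "53" and p.get("protocol") == proto
                           and p.get("in-interface") == iface and enabled(p)
                           for p in filters):
                    findings.append(f"dns: open resolver, no enabled drop for {proto}/53 on {iface}")

    # 4. UPnP on an external interface lets any LAN host open inbound ports.
    for p in rows("/ip upnp interfaces", "add"):
        if p.get("type") == "external":
            findings.append(f"upnp: {p.get('interface')} is an external UPnP interface; confirm /ip upnp is disabled")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Feed it the full `/export hide-sensitive` output instead of the sample to get the same list for the real router; each finding is a pointer to a line to re-check, not proof of exposure on its own.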
gnro
October 9, 2020, 7:29pm
9
I’m not sure, but you may be reaching the 192.168.15.x subnet masqueraded, and Samba does not always work when masqueraded.
I suggest using a more specific masquerade rule:
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out2 dst-address=!192.168.15.0/24
to exclude masquerading towards the 192.168.15.0/24 subnet.
You can also use a tool like tcpdump on one of the 192.168.15.xx hosts while pinging to see what the source IP is.
Also check the router with IP 10.10.10.1 to see whether it is blocking Samba ports.
dip
October 9, 2020, 7:47pm
10
The VLAN with 10.10.10.0 is provided by the ISP. I have the same ISP in both locations with a Mikrotik router, and the ISP gave me the 10.10.10.0 addresses for the VLAN. I asked whether they had a filter on Samba ports and they told me no.
Would it help if I posted the configuration of the router in location 2, where the 192.168.15.0 range is?
gnro
October 10, 2020, 6:05am
11
It may help to post the other router’s config, but first, please modify the masquerade rule and check whether you reach the destination LAN (192.168.15.x) with the internal LAN (192.168.0.x) address.
If it’s hard to use tcpdump, try a torch from the other router on an interface connected to the 192.168.0.0/24 network.
dip
October 14, 2020, 7:54pm
12
I changed the masquerade rule as you told me and the situation remained the same. I can reach any destination 192.168.15.x from the 192.168.0.x network with ping and HTTP, but not with SMB.
I also tried telnet, but it doesn’t work on the SMB ports.
I tried torch: I see ICMP traffic if I ping, but if I try telnet on the SMB ports, I don’t see anything.
I found something on the internet but I don’t know how to apply it to myself.
Maybe give me a suggestion on how to apply to me on routers.
https://www.reddit.com/r/networking/comments/6vcncc/accessing_a_smb_share_over_vlans_can_ping_but/dm0ky5g/?utm_source=share&utm_medium=web2x&context=3
I found the solution!
I had to add an ACL
permit ip VLAN1 -> VLAN50 on ports 135-139 for both UDP and TCP
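The symptom in the thread, ping and HTTP fine but telnet to the SMB ports showing nothing even in torch, is what a silent drop on the path looks like, and the ACL fix above is the kind of change that clears it. The following is an added example, not code from the thread or from any router vendor: a client-side probe that classifies each SMB-related TCP port as open (SYN/ACK), closed (RST, so the host was reached and refused) or filtered (no answer, so something in between dropped it), turns the per-port picture into a one-line verdict, and then sends one SMB2 NEGOTIATE on 445 to confirm the open port actually speaks SMB. The ports 135 and 139 come from the ACL in the post; 445 is added because Windows and Samba clients connect to it directly and use 139 only as the NetBIOS session fallback. The host 192.168.0.55 in the usage line is the thread’s QNAP and is an assumed target; `listen_tmp` exists only so the probe can be exercised against a local listener.

```python
"""Classify SMB-related TCP ports from the client side and confirm SMB2 on 445.

Added example for this thread, not code from the post or any vendor.
Ports: 135 (RPC endpoint mapper), 139 (NetBIOS session), 445 (SMB over TCP).
"""
import errno
import os
import socket
import struct
import sys

SMB_TCP_PORTS = {135: "msrpc", 139: "netbios-ssn", 445: "microsoft-ds"}


def tcp_state(host, port, timeout=2.0):
    """'open' (SYN/ACK), 'closed' (RST: the host answered), 'filtered'
    (no answer: dropped on the path) or 'error(...)' for anything else."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except socket.timeout:
            return "filtered"
        except OSError as e:
            rc = e.errno
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK):
        return "filtered"
    return f"error({errno.errorcode.get(rc, rc)})"


def probe(host, ports=SMB_TCP_PORTS, timeout=2.0):
    return {port: tcp_state(host, port, timeout) for port in ports}


def diagnose(states):
    """Collapse per-port states into the verdict the thread was looking for."""
    values = list(states.values())
    if any(s == "open" for s in values):
        return "reachable"
    if all(s == "filtered" for s in values):
        return "dropped in transit (router ACL/firewall)"
    if all(s == "closed" for s in values):
        return "host reached, nothing listening"
    return "mixed"


def build_smb2_negotiate(dialects=(0x0202, 0x0210)):
    """SMB2 NEGOTIATE request (MS-SMB2 2.2.3) inside a NetBIOS session header."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 1, 0, 0, os.urandom(16), 0, 0, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    payload = header + body
    return struct.pack(">I", len(payload)) + payload  # 0x00 + 3-byte length


def parse_negotiate_response(data):
    """Dialect the server picked as '0x....', 'smb1-only' for an 0xFF 'SMB'
    legacy answer, 'status 0x...' on an error status, or None if not SMB."""
    if len(data) < 8:
        return None
    if data[4:8] == b"\xffSMB":
        return "smb1-only"
    if data[4:8] != b"\xfeSMB" or len(data) < 4 + 64 + 6:
        return None
    status = struct.unpack_from("<I", data, 4 + 8)[0]
    dialect = struct.unpack_from("<H", data, 4 + 64 + 4)[0]
    return f"0x{dialect:04x}" if status == 0 else f"status 0x{status:08x}"


def smb_negotiate(host, port=445, timeout=3.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb2_negotiate())
        return parse_negotiate_response(s.recv(4096))


def listen_tmp():
    """Loopback listener on a free port, for exercising tcp_state locally."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.55"  # assumed target
    states = probe(host)
    for port, state in states.items():
        print(f"{host}:{port} ({SMB_TCP_PORTS[port]}): {state}")
    print("verdict:", diagnose(states))
    if states.get(445) == "open":
        print("SMB2 negotiate:", smb_negotiate(host))
```

Run it from 192.168.15.123 against 192.168.0.55 before and after the ACL change: "dropped in transit" with every port filtered points at the path, a clean "closed" on 135 with 445 open is a normal NAS, and the negotiate line confirms the share server, not just a TCP listener, is what answered.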