Windows share - problem

Hi,

I replaced my old router with Mikrotik HAP AC2 and I am happy with it.
However some network service stopped working after the replacement and I have not been able to solve this issue after 2 days playing with RouterOS. I need some help.

I have SMB server running on some other device (Android) for file sharing. It’s been working when the device was connected to the LAN port of old router. The configuration of the Android device did not change.

With the Android device connected to a Mikrotik LAN port, I am trying to reach it from another device on a different LAN port.
I am able to connect to following ports, using nmap connect scan or telnet:

PS C:\WINDOWS\system32> nmap -sT 192.168.88.248
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-03 19:53 Central Europe Standard Time
Nmap scan report for 192.168.88.248
Host is up (1.0s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
25/tcp open smtp
110/tcp open pop3
119/tcp open nntp
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
465/tcp open smtps
563/tcp open snews
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s

However if I try nmap scan without full connect (for example SYN scan), I get all the ports FILTERED.
I did not find any place in RouterOS where such TCP connections could be blocked, and I suspect this could also be causing the trouble with SMB (not sure).

So when I try to map network share, I always get same error, no matter what I try:
PS C:\WINDOWS\system32> net use z: \\192.168.88.248\storage
System error 53 has occurred.

The network path was not found.


Can anybody help me to troubleshoot this problem?

Thank you
BR, Jiri

Post configuration of routerboard (output of /export hide-sensitive) …

See below:
Thanks, Jiri

[admin@MikroTikJiri] > /export hide-sensitive
# feb/04/2019 18:43:42 by RouterOS 6.43.8
# software id = Q0Z4-XN49
#
# model = RBD52G-5HacD2HnD
# serial number = ***
#
# Reviewer annotations: this is the RouterOS configuration export posted in the thread.
# Lines marked "NOTE(review)" are observations added during review, not router output.
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireless
# NOTE(review): hide-ssid=yes only stops the SSID from being announced; it is not an access
# control. No security-profile is set on wlan1/wlan2 here, so presumably the default profile
# (wpa2-psk, below) is what protects both radios - confirm. WPS is disabled on both.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto \
    hide-ssid=yes mode=ap-bridge ssid=jiri wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors \
    frequency=auto hide-ssid=yes mode=ap-bridge ssid=jiri wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/dude
# NOTE(review): The Dude server is enabled on the router. If it is not actively used,
# disabling it removes one more service listening on the device.
set enabled=yes
/interface bridge port
# ether2-ether5 and both radios are members of "bridge"; ether1 is not a member.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface list member
# The LAN list contains the bridge and the WAN list contains ether1; the firewall rules
# below match on these lists rather than on individual interfaces.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# NOTE(review): 192.168.88.1/24 is bound to ether2, which is also a bridge port (see
# /interface bridge port), while the DHCP server and the LAN list reference "bridge".
# MikroTik's guidance is to put the address on the bridge itself, not on a member port;
# the "drop all not coming from LAN" input rule matches on the LAN list, so verify that
# router-bound traffic is still seen as arriving on the bridge.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.200.133/24 comment="staticka adresa" interface=ether1 network=192.168.200.0
/ip dhcp-client
# NOTE(review): ether1 carries both the static address above and this DHCP client -
# confirm which of the two is intended for the WAN side.
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other hosts. The
# input-chain rule "drop all not coming from LAN" below is what keeps this resolver from
# being reachable on the WAN side; keep that rule if this setting stays enabled.
set allow-remote-requests=yes servers=8.8.8.8,9.9.9.9
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
# Rule order matters: the rules are evaluated top to bottom within each chain.
# The input chain covers traffic addressed to the router itself; the forward chain covers
# traffic routed through it.
# NOTE(review): these are layer-3 rules. Traffic between two hosts on the same bridge is
# bridged rather than routed, and no bridge "use-ip-firewall" setting appears in this
# export, so LAN-to-LAN SMB is presumably not filtered by any rule here - confirm.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Source-NAT (masquerade) for traffic leaving through the WAN list; there are no dstnat
# rules in this export, so no inbound port forwards are defined.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip proxy access
# NOTE(review): an access rule for the web proxy exists, but the export does not show
# whether the proxy itself is enabled - confirm, and make sure it is not open to the WAN.
add action=deny dst-host=www.seznam.cz
/ip route
add distance=1 gateway=192.168.200.1
/ip smb
# NOTE(review): this enables the router's own SMB server, separate from the Android SMB
# server at 192.168.88.248 discussed in the thread. It adds an SMB listener on the router
# (LAN-only, given the input-chain drop rule above). Disable it if the router share is
# not needed.
set enabled=yes
/ip smb shares
# NOTE(review): the shared directory is /disk1/EFI and the user below has read-only=no,
# i.e. write access - confirm this directory is meant to be writable over the network.
add directory=/disk1/EFI name=disk1
/ip smb users
add name=jiri read-only=no
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=MikroTikJiri
/system ntp client
set enabled=yes primary-ntp=81.2.248.189 secondary-ntp=37.187.104.44
/tool mac-server
# MAC-telnet and MAC-Winbox (layer-2 management access) are limited to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Nothing in the config pops up as suspicious.

A question: when you replaced the old router, did Windows pop up a message about a new network being detected? I’ve heard a rumour that Windows associates a network with the gateway’s MAC address. So it might be that the Windows firewall thinks it’s not on the home network and blocks some services/protocols?

The same goes to the android device …

You probably need to change your Windows network configuration from Public back to Private.

Thanks to both of you for pointing me in the right direction. The network was “private” in Windows.
But I completely forgot I am using ZoneAlarm. After turning it off, SMB works well again.
ZoneAlarm must remember something about the old router or network.
I will investigate more tomorrow and post info here if anybody is interested.

The new network 192.168.88.0/24 was automatically set up in ZoneAlarm as Public, which explains why the SMB connections were being blocked.
I changed it to Trusted.