Unable to get SMB/CIFS to work with Firewall Rules

  • First off, this is my first forum post and I just wanted to say I LOVE OMV. Thank you to everyone who has made this spectacular, wonderful thing possible. I hope great things happen to you.



    THE BACKGROUND

    ===================

    I am trying to set up Firewall Rules to allow the least connectivity to my NAS. Part of it is paranoia, and the other part is I am studying to become a Network Engineer and learning Firewalls is a huge part of that. So don't judge me too hard, please. :)



    THE ISSUE

    ===================

    When I set up a rule with source 0.0.0.0/0 that drops All Input Traffic I can no longer connect with SMB/CIFS from my Windows 11 Devices.
    I make sure the rule is at the bottom of my Firewall Rules, and I make sure to allow TCP on 445 for the required IP Addresses.



    TROUBLESHOOTING

    ===================

    -Verified 445-TCP is allowed on my Windows 11 Device

    -Verified the SMB/CIFS Service is enabled on OMV

    -Verified SMB is set to use SMB3 on OMV

    -Opened the following ports on OMV:

    *137-UDP (NetBIOS)

    *138-UDP (NetBIOS)

    *139-TCP (NetBIOS)

    *445-TCP (SMB3/CIFS)

    *487-TCP (SAFT)

    -Added a rule to allow the IP address in question to allow all protocols and SMB works (too open for my liking)

    -Verified no Outbound rules are set up



    I noticed adding the 0.0.0.0/0 Drop Input All also breaks my Notifications, which is a bit weird.


    Attaching screenshot just for proof of my work.




    Any help would be greatly appreciated!


    It's almost as if OMV is using an ephemeral port for SMB connections, or the SMB/CIFS is using another protocol to enforce SMB3 (such as RDMA or the like).

  • KM0201

    Approved the thread.
  • Update

    ===================


    I removed all but the 487-TCP and 445-TCP rules, and now I can connect to the NAS based on IP address, but not based on Hostname.

    \\192.168.0.x\SharedFolder -> Works
    \\Hostname\SharedFolder -> Does not work


    I believe this is also causing my Notification errors, as the logs state:
    Host or domain name not found. Name service error for name=smtp.gmail.com type=A: Host not found, try again.



    So I believe I need another Firewall Rule to allow DNS resolution.



    Any Advice would be welcome!

  • Update


    ===================

    Boy, howdy. I do declare this one was a doozy, but I did fix it with a workaround. If anyone knows a more official way to fix it, please post it still!


    The Workarounds:

    A) Add an "A Record" on your Router or DNS Server to force resolve the Hostname to an IP address. (works for all devices).

    or

    B) Modify your "Hosts" File to have a DNS resolution. Some antivirus programs may try to overwrite your changes, so you have to put the document to "Read-only" for Services after.
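Added example, not from the thread or from OMV itself: a toy first-match packet filter modelled on an iptables INPUT chain (which is what OMV's Firewall Rules generate). It replays the situation described above: a rule allowing TCP 445 from one PC followed by a drop-all from 0.0.0.0/0, and then checks three packets against it: the PC's SMB connection, the DNS answer coming back to the NAS after it looks up smtp.gmail.com for notifications, and a NetBIOS name query from the PC looking for the NAS by hostname. The second ruleset adds the usual stateful rule (the equivalent of `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` placed above the drop), which is what lets replies to the NAS's own outbound DNS and SMTP traffic through without opening any extra inbound ports; the third additionally admits UDP 137 from the LAN subnet, the inbound side of a NetBIOS hostname lookup. All addresses, ports and the `Rule`/`Firewall` classes are constructed for the illustration.

```python
"""Toy first-match INPUT-chain evaluator with a minimal connection tracker.

Illustrates why a trailing 'drop everything' rule breaks DNS and SMTP replies
unless a stateful ESTABLISHED,RELATED rule comes before it, and why a hostname
lookup still needs an explicit inbound allow (or a hosts/DNS entry instead).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addresses for the illustration.
NAS = "192.168.0.10"
PC = "192.168.0.20"
ROUTER_DNS = "192.168.0.1"
LAN = "192.168.0.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                      # "ACCEPT" or "DROP"
    source: str = "0.0.0.0/0"        # source CIDR, like the OMV "Source" field
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    established: bool = False        # analogue of --ctstate ESTABLISHED,RELATED


class Firewall:
    """First matching rule wins; 'default' plays the role of the chain policy."""

    def __init__(self, rules, default="ACCEPT"):
        self.rules = list(rules)
        self.default = default
        self.conntrack = set()       # (local_ip, proto, local_port, remote_ip, remote_port)

    def send(self, pkt):
        """Record an outbound packet so its reply is treated as ESTABLISHED."""
        self.conntrack.add((pkt.src, pkt.proto, pkt.sport, pkt.dst, pkt.dport))

    def _is_reply(self, pkt):
        return (pkt.dst, pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.conntrack

    def input(self, pkt):
        """Evaluate an inbound packet against the chain and return the verdict."""
        for rule in self.rules:
            if rule.established and not self._is_reply(pkt):
                continue
            if ip_address(pkt.src) not in ip_network(rule.source):
                continue
            if rule.proto is not None and rule.proto != pkt.proto:
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            return rule.action
        return self.default


def thread_ruleset():
    """The rules from the post: allow 445/tcp from the PC, drop everything else."""
    return [Rule("ACCEPT", f"{PC}/32", "tcp", 445),
            Rule("DROP", "0.0.0.0/0")]


def stateful_ruleset():
    """Same, with an ESTABLISHED,RELATED allow placed above the drop."""
    return [Rule("ACCEPT", established=True)] + thread_ruleset()


def lan_name_service_ruleset():
    """Stateful rules plus NetBIOS name service (UDP 137) from the LAN only."""
    return [Rule("ACCEPT", established=True),
            Rule("ACCEPT", LAN, "udp", 137)] + thread_ruleset()


def scenario(rules):
    """Run the three packets from the thread through a ruleset; return the verdicts."""
    fw = Firewall(rules)
    verdicts = {}
    # 1. The Windows PC opens an SMB session to the NAS on TCP 445.
    verdicts["smb_from_pc"] = fw.input(Packet(PC, NAS, "tcp", 51000, 445))
    # 2. The NAS asks the router's resolver for smtp.gmail.com; the answer
    #    comes back from UDP 53 to the NAS's ephemeral source port.
    fw.send(Packet(NAS, ROUTER_DNS, "udp", 40123, 53))
    verdicts["dns_reply"] = fw.input(Packet(ROUTER_DNS, NAS, "udp", 53, 40123))
    # 3. The PC looks the NAS up by hostname with a NetBIOS name query (UDP 137).
    verdicts["netbios_name_query"] = fw.input(Packet(PC, NAS, "udp", 137, 137))
    return verdicts


if __name__ == "__main__":
    for name, rules in (("thread", thread_ruleset()),
                        ("stateful", stateful_ruleset()),
                        ("stateful+netbios", lan_name_service_ruleset())):
        print(f"{name:18} {scenario(rules)}")
```

With the thread's ruleset the SMB session is accepted but the DNS answer is dropped, which matches the "Host not found, try again" error from the notification mail: the NAS's own lookups never get their replies back. The stateful rule fixes that without widening anything inbound, while the hostname query still needs either an explicit LAN-only allow for the name service or, as in the workarounds above, a hosts-file entry or an A record so that no broadcast lookup is needed at all.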
