SMB to remote devices

Hello,
I have working samba share in my local network with user security for each directory.
but i need to share some directory to wan.

So i add interface wan to template of samba.

[global]
netbios name = |NAME|
display charset = |CHARSET|
interfaces = 127.0.0.1/8 lo 192.168.1.1/24 br-lan x.x.x.x eth1
server string = |DESCRIPTION|
unix charset = |CHARSET|
domain master = yes
encrypt passwords = true
workgroup = |WORKGROUP|
browseable = yes
deadtime = 30
enable core files = no
guest account = nobody
guest ok = no
invalid users = root
local master = yes
load printers = no
map to guest = Bad User
max protocol = SMB2
min receivefile size = 16384
null passwords = yes
obey pam restrictions = yes
os level = 20
passdb backend = smbpasswd
preferred master = yes
printable = no
security = user
smb encrypt = disabled
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY IPTOS_LOWDELAY
syslog = 2
use sendfile = yes
writeable = yes

Next step i create samba rules in firewall:

config rule
option target 'ACCEPT’
option src 'wan’
option proto 'tcp’
option name 'SMB-TCP’
option dest_port ‘445 139’

config rule
option target 'ACCEPT’
option src 'wan’
option proto 'udp’
option name 'SMB-UDP’
option extra '137 138’
option dest_port ‘137 138’

When i try remote access there from linux / kodi connection is established and i successfully can remote play my films.

In netstat i see established connection on 445 from local network and linux user from wan

netstat -tapn | grep smbd

tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2479/smbd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 2479/smbd
tcp 0 0 192.168.1.1:445 192.168.1.106:53347 ESTABLISHED 2974/smbd
tcp 0 0 192.168.1.1:445 192.168.1.171:52689 ESTABLISHED 4486/smbd
tcp 0 0 x.x.x.x.x 91.221.212.191:40285 ESTABLISHED 7089/smbd
tcp 0 0 :::445 :::* LISTEN 2479/smbd
tcp 0 0 :::139 :::* LISTEN 2479/smbd

But when i try to add network drive in windows.
Windows can´t access to remote drive.
But everythink is same as when i had it first time… when it work some time before.
I did wireshark on remote windows, and there is not any smb packets to my turris.

Please any idea where should be issue ? :confused:

I am not a samba expert…
but there are two things, which come into my mind:
first, what about the ports 137 and 138, where typically nmbd is listening?
second, not too long ago samba did fix some security issues, which can break access. what is the version of samba running (smbd -V). And, er, M$ did fix the security holes, too. But I presume, the share is working from inside, isn’t it? Then samba itself should be OK. Maybe that isn’t applicable (I always used samba4 with the domain feature, and I presume, You don’t have a domain running). So it might be worth checking the excellent samba wiki. I’d start here: https://wiki.samba.org/index.php/Setting_up_a_Samba_Standalone_Server.
HTH
-peter

PS: exposing SMB to the outside is regarded as a security nightmare. But most probably You’re aware of that… You have been warned. One would typically create a VPN connection, and then access the shares via VPN.

PS2: the enormous computing power (for a router) of the TO should speed up OpenVPN, which is exactly the reason I need it so badly…

Using samba over internet is worst thing you can do, as its not encrypted and everyone can listen you traffic. If you need to share films/series/images I would recommend you to use PLEX media server. Other things you can do is setup SFTP server or use samba trough OpenVPN (or similar VPN service).

I think the situation is much worse. The video material itself should not be too confidential (and he should not use a password, which helps to attack his router). But pretty soon his box will be hacked. SMB is notoriously insecure.