SMB over port forwards

Check our new Geekzone Price Comparison web site for electronics prices in New Zealand.

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › SMB over port forwards

bigal_nz

524 posts

Ultimate Geek

Trusted

Topic # 113875 30-Jan-2013 18:32
Hi All, I have two different subnets linked with a router between them. I need to access a SMB share over a port forward across the WAN interface - not as bad a security threat as you might think because the WAN interface is not exposed to the internet in this case, just a different subnet. I opened 135/137/139 and 445 TCP and UDP and cant access the share by typing in \\SERVER\Share Am I missing something? Cheers -Al

bigal_nz

524 posts

Ultimate Geek

Trusted

Reply # 753416 30-Jan-2013 18:33
PS: I tried making the server a DMZ and that didnt work either!

bigal_nz

524 posts

Ultimate Geek

Trusted

Reply # 753418 30-Jan-2013 18:40
First problem : I can ping one particular device on the LAN subnet, but the SERVER with the SMB share(same subnet) wont reply to pings. Guess thats the first problem to over come. -AL

Zeon

2377 posts

Uber Geek

Trusted

Subscriber

Reply # 753447 30-Jan-2013 19:33
Hang on, why are you using NAT at all? If the 2 subnets are directly connected via a single router than you don't even need port forwarding as one subnet can route directly to a host in the other? What devices etc. are you using and what are you trying to achieve?

lyonrouge

1497 posts

Uber Geek

Trusted

Subscriber

Reply # 755113 3-Feb-2013 16:26
Replace SERVER with the IP address of your router. The server behind the NAT is not visible by its name from the outside.

bigal_nz

524 posts

Ultimate Geek

Trusted

Reply # 755173 3-Feb-2013 18:49
Yeah your right, it needs to be the IP of the router, but still doesnt work. I wonder if it has to do with the reply address? Here is my diagram of what I think might be happening? https://www.dropbox.com/s/dt7q9owe5y997ug/Drawing1%20%282%29.jpg?m HTH -Al

bigal_nz

524 posts

Ultimate Geek

Trusted

Reply # 755203 3-Feb-2013 20:28
bigal_nz: Yeah your right, it needs to be the IP of the router, but still doesnt work. I wonder if it has to do with the reply address? Here is my diagram of what I think might be happening? https://www.dropbox.com/s/dt7q9owe5y997ug/Drawing1%20%282%29.jpg?m HTH -Al Yip - the air router needs to change the source to 192.168.150.243 for SMB requests going across it. iptables -t nat -o eth0 -s 192.168.0.0/24 -J MASQUERADE Or something like that!

lyonrouge

1497 posts

Uber Geek

Trusted

Subscriber

Reply # 755338 4-Feb-2013 08:39
What are your client and server SMB hosts. Recent (6.1 and above) windows versions do not require return path.

Zeon

2377 posts

Uber Geek

Trusted

Subscriber

Reply # 755364 4-Feb-2013 09:22
Hi Bigal_nz, OKKKKK I think you need to look at a major redesign of your network. Firstly why have you got 2x routers connecting to the internet? Have you got connections with 2 different ISPs? Unless these are seperate networks due to one being say for you and one being say your neighbour you only need one router for everything. You have double NAT going on there which is REALLY bad with the stuff behind the air router. The answers will come from this I think!

lyonrouge

1497 posts

Uber Geek

Trusted

Subscriber

Reply # 755373 4-Feb-2013 09:43
I've only just looked at the diagram, honestly, left me a bit perplexed.

Dairyxox

185 posts

Master Geek

Reply # 755388 4-Feb-2013 09:53
I'm no expert in this particular field, but if it were me, I'd look at using a VPN over the WAN perhaps.

bigal_nz

524 posts

Ultimate Geek

Trusted

Reply # 755697 4-Feb-2013 17:48
Zeon: Hi Bigal_nz, OKKKKK I think you need to look at a major redesign of your network. Firstly why have you got 2x routers connecting to the internet? Have you got connections with 2 different ISPs? Unless these are seperate networks due to one being say for you and one being say your neighbour you only need one router for everything. You have double NAT going on there which is REALLY bad with the stuff behind the air router. The answers will come from this I think! There are reasons for doing it this way, and constrictions on what I can change and what I cant. I guess I am fudging a solution with my hands tied to some extent. Yes both the routers at the top of the diagram connect to the internet. There are two different organisations involved. I only control the 192.168.150.0 subnet. Proper routing would be best solution...but again I dont control the 192.168.0.0 network.

Zeon

2377 posts

Uber Geek

Trusted

Subscriber

Reply # 755712 4-Feb-2013 18:11
bigal_nz: Zeon: Hi Bigal_nz, OKKKKK I think you need to look at a major redesign of your network. Firstly why have you got 2x routers connecting to the internet? Have you got connections with 2 different ISPs? Unless these are seperate networks due to one being say for you and one being say your neighbour you only need one router for everything. You have double NAT going on there which is REALLY bad with the stuff behind the air router. The answers will come from this I think! There are reasons for doing it this way, and constrictions on what I can change and what I cant. I guess I am fudging a solution with my hands tied to some extent. Yes both the routers at the top of the diagram connect to the internet. There are two different organisations involved. I only control the 192.168.150.0 subnet. Proper routing would be best solution...but again I dont control the 192.168.0.0 network. Hmm I see. Would it be an option to perhaps connect router2 to router1? Can we get some mroe info on the situation and your limitations? Don't need to name names of course ;p

Spyware

959 posts

Ultimate Geek

Subscriber

Reply # 755729 4-Feb-2013 18:48
So you have a static route on Router 1 (192.168.150.1)?? 192.168.0.0 255.255.255.0 gw=192.168.150.243 Ross ADSL2+ sync (Kbps): 11577/945, attenuation (dB): 33.0/16.9, Noise margin (dB): 11.5/11.5

bigal_nz

524 posts

Ultimate Geek

Trusted

Reply # 756766 7-Feb-2013 04:11
Zeon: bigal_nz: Zeon: Hi Bigal_nz, OKKKKK I think you need to look at a major redesign of your network. Firstly why have you got 2x routers connecting to the internet? Have you got connections with 2 different ISPs? Unless these are seperate networks due to one being say for you and one being say your neighbour you only need one router for everything. You have double NAT going on there which is REALLY bad with the stuff behind the air router. The answers will come from this I think! There are reasons for doing it this way, and constrictions on what I can change and what I cant. I guess I am fudging a solution with my hands tied to some extent. Yes both the routers at the top of the diagram connect to the internet. There are two different organisations involved. I only control the 192.168.150.0 subnet. Proper routing would be best solution...but again I dont control the 192.168.0.0 network. Hmm I see. Would it be an option to perhaps connect router2 to router1? Can we get some mroe info on the situation and your limitations? Don't need to name names of course ;p Dont worry the iptables rule to do SNAT fixed it, so it had a return path: iptables -t NAT -A POSTROUING -o br0 -j SNAT --to-source 192.168.150.243 Giving the packs a return address of 192.168.150.243 when crossing the Air Router. Cheers -Al