[Solved] Windows Share not working but SMB-share on Linux Server working



  • Hi Forum!

    I have an IPsec tunnel between my office and my home. Most traffic between the networks is working. My SIP phones at home can connect to the PBX at my office and work perfectly. The SMB shares on the Qnap NAS at home can be accessed in the office and the SMB share on the Qnap NAS in the office can be accessed from home. All clients can be pinged through the tunnel. But Windows shares cannot be accessed through the tunnel. Both Windows machines run Windows 10 without an active firewall.

    My topology:

    HOME-LAN <-> Linksys WRT600 <-> Internet <-> DD-WRT <-> OFFICE-LAN

    On each LAN there is a pfsense client running as a virtual machine on each Qnap NAS, with only one adapter, called "WAN", active.

    What works:
    Ping clients through tunnel
    Register SIP Clients on PBX through tunnel
    RTP and SIP packets go through tunnel, because Calls work (Ports 5060 and 49152-49408)
    SMB-Shares on Qnap can be accessed through tunnel

    What does not work:
    Windows Share on Windows 10 machines
    Lanbench on Port 8998

    Wireshark says that there are packets marked RST, ACK that seem to be a problem (but I do not know what that means).

    Do you have any idea where I could start to solve the problem? Do you need more information?

    I would be very glad if you could help me!



  • Hi,

    • What rules do you have for IPsec and LAN?
      Make sure you open ports 137, 138 UDP and 137, 139, 445 TCP. The NAS might use older SMB versions.

    • Can the Windows shares be accessed by other Win10 machines on the same network? Or do you have older Windows machines with Win7 to test with?

    • Are the Windows users the same or are they different?
      If they are different: open the Internet Options and in the Security tab open the settings for local intranet. There is a point with user authentication. Change it from "automatic logon only in intranet" to "ask for user/pw". Then try again.
      If you are asked for user/pw, then the sharing should work and it was an authentication error.



  • Hi Birke,

    Thanks for answering and helping me.

    • On IPsec I have "allow any to any" like on WAN (only one adapter is assigned, since pfsense is only a client for the tunnel behind the router).
    • The shares on the Win10 machines can be accessed by other Win10 machines within the same subnet on each site. I do not have any Win7 machines.
    • Windows users are always the same with the same passwords. BTW there is no AD involved.
    • I tried your tip (ask for u/pw) but it did not help.

    What else I tried:
    I activated "any Flag" in the rules for all four rules (WAN rule and IPsec rule on each site).

    I also configured an OpenVPN server on the pfsense, but there are the same problems. The OpenVPN server package on the Qnap does route the SMB packets through but is extremely slow.

    Would screenshots of the settings be of any use?


  • Galactic Empire

    What version of SMB?

    W10 dropped support for SMB1 a month or so ago.

    https://www.windowscentral.com/how-access-files-network-devices-using-smbv1-windows-10


  • Rebel Alliance Global Moderator

    @syserr_01 said in Windows Share not working but SMB-share on Linux Server working:

    RST, ACK

    If you're seeing RST, that is CLOSURE of the connection.. Running a VPN into a box on your LAN, i.e. your Qnap, is going to more than likely cause you to have asymmetrical issues.

    If you are sniffing when you try to access the file share - posting such a sniff as a pcap so we can open it in Wireshark will more than likely shed some light on your problem. But RST is something telling you to F off!!

    Host or host firewall could for sure be doing that - normally firewalls do not send RST unless configured specifically to do that, and then they should only do that when the traffic is local. You would never want to answer an outside connection..



  • Thank you NogBadTheBad, but since the shares work when I am in the same subnet (physically), do you think it really can be the abandonment of SMB1?

    Thank you very much johnpoz, I am uploading the pcapng file. My local machine in my home subnet (site-home: 192.168.1.0/24) is 192.168.1.247, the pfsense-home is on 192.168.1.250, the router on 192.168.1.1. The machine I want to reach in the office subnet (site-office: 192.168.10.0/24) is 192.168.10.110, the pfsense-office is on 192.168.10.250 and the router is 192.168.10.1.

    So do you think the RST is sent by one of the routers (or should I better call them gateways?)?

    I hope you can help me further!

    0_1539014568847_smb not working.pcapng


  • Galactic Empire

    @syserr_01 said in Windows Share not working but SMB-share on Linux Server working:

    Thank you NogBadTheBad, but since the shares work when I am in the same subnet (physically), do you think it really can be the abandonment of SMB1?

    Nope.

    I just came across the W10 SMB1 issue at the weekend round at a friend's, thought maybe it was that. I missed your comment about the RST & ACKs.


  • Rebel Alliance Global Moderator

    Looks like you auth fine - but there is some sort of problem for sure. See all the retrans..

    0_1539015758080_smbproblems.png



  • But you cannot see where the problem could be found? Maybe I should really change my DD-WRT router to a pfsense appliance. I do not know why, but I guess that the problem is somewhere in the "virtual switch" of the Qnap, where the pfsense is residing, or the DD-WRT router.



  • I changed the Phase 2 on both ends:
    Local network: "Network" and not "XYZ subnet"
    And I disabled hardware checksum offload.

    Now I am able to reach the shares of at least one of the Windows 10 machines. The other machine still has a Bitdefender firewall running, which I will try to turn off, to see if that also works.

    EDIT:
    I was able to turn off the Bitdefender firewall again. Voila: shares are accessible through the tunnel.

    So for all virtual-machine-driven pfsense installations on Qnap: turn off hardware checksum offload and in IPsec tell it exactly what networks you are running. Do not trust the "XYZ subnet" option.
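
One way hardware checksum offload can produce the retransmissions seen in this thread: the sending stack leaves the TCP checksum for the NIC to finish, and if a virtual NIC never does, the receiver discards the segment. The Python sketch below is an added example, not part of the thread; it verifies TCP checksums over constructed segments between the two hosts named above and flags the ones a receiver would drop. The source port 49700, the payload and all function names are assumptions, and the unfinished checksum is modelled as a zeroed field.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that TCP includes in its checksum (protocol 6)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A valid segment sums to zero when its own checksum field is included."""
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def build_segment(src, dst, sport, dport, payload, fill_checksum=True) -> bytes:
    """Constructed 20-byte TCP header (PSH+ACK, seq=ack=1) plus payload."""
    header = struct.pack("!HHLLBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    seg = header + payload
    if fill_checksum:
        csum = internet_checksum(pseudo_header(src, dst, len(seg)) + seg)
        seg = seg[:16] + struct.pack("!H", csum) + seg[18:]  # checksum is bytes 16-17
    return seg

def find_bad_segments(packets):
    """Return indexes of (src, dst, segment) tuples a receiver would discard."""
    return [i for i, (s, d, seg) in enumerate(packets) if not tcp_checksum_ok(s, d, seg)]

def sample_packets():
    """Constructed sample: one good segment, one unfinished, one corrupted."""
    src, dst = "192.168.1.247", "192.168.10.110"  # hosts named in the thread
    good = build_segment(src, dst, 49700, 445, b"SMB test")
    unfinished = build_segment(src, dst, 49700, 445, b"SMB test", fill_checksum=False)
    corrupted = good[:-1] + bytes([good[-1] ^ 0x01])  # one payload bit flipped
    return [(src, dst, good), (src, dst, unfinished), (src, dst, corrupted)]

if __name__ == "__main__":
    print("segments with bad TCP checksum:", find_bad_segments(sample_packets()))
```

Run the check on segments captured at the receiving side: a capture taken on the sending host with offload enabled normally shows incorrect checksums on outgoing packets, because the capture happens before the NIC fills them in.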