[Firewall] No SMB access via VPN

Recently I've lost the ability to reach my NAS files when my phone is connected by VPN Server. I've discovered that dropping the firewall allows me to see the NAS files.

I'm puzzled by what firewall rule I need to add to obtain SMB file access. I've allowed the VPN IP range (101.10.10.1-10.10.10.255), all ports/protocols... but that has no effect.

Obviously I'm missing something simple, and I'd appreciate any feedback.
 
10.10.10.255
I don’t think this is it, but the 255 is for broadcast. Don’t know if it works or not (depends on the device) but it’s not a host’s IP address. Use 10.10.10.254.

The way I do it with VPN:
On the ports I select VPN server (Open VPN). If you scroll through the list you’ll find it.
Source IP: I restrict by location (allow one country only for example).
Action: Allow.
 
Looking in the list of applications I see two that have port ranges suffixed with '(Source port)'. One is for SMB (TCP 445).
1617967699029.png


It may be that the FW rule has to be explicitly stated for Windows File Sharing? But it doesn't make much sense if there's a rule of "<VPN subnet> / <NAS> / <all destination ports>".
 
If you're talking about mounting shared folders from the NAS (not from a server on the LAN) via SMB, then no need for explicit rules. I'm using a Mac and if I connect to my NAS using OpenVPN, I can mount the shares (using SMB) on my laptop.

These are my rules on this particular DS (nothing special):

E63D4FE1-DF69-45B2-85D6-261F60DC1D79.jpeg
The VPN rule is as I explained in the post above.
 
Thank you both. The screenshot cleared it up. I was using LAN1 versus All Interfaces. So I selected VPN and added "all" and access was fine.

I suppose I need to move a bunch of rules from LAN1 where they are in effect for LAN2 or VPN.

A picture is worth a thousand words!
 
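A simplified model of why the allow rule described in this thread had no effect, added here as an illustration and not taken from any poster or from Synology: rules are stored per interface section, so a rule under LAN1 is never consulted for traffic that arrives on the VPN interface. The evaluation order (All interfaces first, then the arrival interface, deny when nothing matches), the /24 mask and the 192.168.1.0/24 LAN range are assumptions; `host_range` also shows the point made above that .255 is the broadcast address, not a host.

```python
import ipaddress
from collections import namedtuple

# section: interface list the rule is stored under ("ALL", "LAN1", "VPN")
# ports: None means all ports, otherwise a set of destination ports
Rule = namedtuple("Rule", "section source ports action")

def decide(rules, in_iface, src_ip, dport, default="deny"):
    """Return the action of the first matching rule.

    Assumed order: the "ALL" section first, then the section of the
    interface the packet arrived on. Other sections are never consulted.
    """
    src = ipaddress.ip_address(src_ip)
    for section in ("ALL", in_iface):
        for rule in rules:
            if rule.section != section:
                continue
            if src not in ipaddress.ip_network(rule.source):
                continue
            if rule.ports is not None and dport not in rule.ports:
                continue
            return rule.action
    return default

def host_range(cidr):
    """First and last assignable host; network and broadcast are excluded."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1])

VPN_NET = "10.10.10.0/24"    # assumed /24 mask for the VPN range
LAN_NET = "192.168.1.0/24"   # constructed LAN range

# Before: the VPN allow rule was created under LAN1.
BEFORE = [Rule("LAN1", LAN_NET, None, "allow"),
          Rule("LAN1", VPN_NET, None, "allow")]
# After: the same allow rule also exists under the VPN interface.
AFTER = BEFORE + [Rule("VPN", VPN_NET, None, "allow")]

if __name__ == "__main__":
    # Constructed packet: phone at 10.10.10.2 on the tunnel, SMB on TCP 445
    print("before:", decide(BEFORE, "VPN", "10.10.10.2", 445))
    print("after: ", decide(AFTER, "VPN", "10.10.10.2", 445))
    print("usable hosts:", host_range(VPN_NET))
```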
