Firewall smb setting

Currently reading
Firewall smb setting

334
67
NAS
Synology DS920+
Operating system
  1. Windows
Mobile operating system
  1. Android
Hey guy. Am sorry for bugging you with this. Am rebuilding my firewall and can never remember this one setting. It allows windows explorer through the firewall to view files. TIA
 
It allows windows explorer through the firewall to view files

Perhaps you are thinking of...

Screenshot 2023-02-14 104335.jpg


more info here...
and here...

Windows 10/11 plays nice with SMB.

Control panel > File services > [SMB]. Just activate SMB 2/3.

Reminder: Best practice to use a USER profile (not ADMIN) to connect through SMB.
 
Thank you! I had discovery but missed transfer. Call it spring cleaning as I had a mess of firewall settings that I'm pretty sure weren't needed. Yes, I'm set as a user, not admin.
 
What would cause it to stop working as I haven't change anything since yesterday's success?

I presume your NAS is running HDDs. And a PC running Windows 10/11.

In this case, your NAS can go to sleep and requires a few seconds to wake up. Also, are you setting your NAS SMB to version 2 and 3?

Lastly, try including these typical firewall rule...

Screenshot 2023-02-15 122348.jpg


Your last FW rule should be a Deny all as Synology FW rules read from top to bottom. But be careful. Make sure all your rules are running well and you can connect to DSM before applying the last Deny rule.
 
@PunchCardBoss I see some rules there that say source ip all and I don’t think they should be; this can be tighten down. As an example windows file server ports should only be allowed for the local lan, unless you have a bit more of an advanced thing going on.

@Cyberwasp Honestly the best way to solve your problems is to create one entry of allow all ports/services to source ip your local subnet (example 192.168.1.0); so long as all the devices on your local lan are trusted.
 
Last edited:
Honestly the best way to solve your problems is to create one entry of allow all ports/services to source ip your local subnet (example 192.168.1.0); so long as all the devices on your local lan are trusted.
I like that. Good idea.

windows file server ports should only be allowed for the local lan, unless you have a bit more of an advanced thing going on.
Tks for the recommendation. My list is made up of what I saw several others doing on videos. So some of my rules are undoubtedly superfluous.

I see your point on the Source IP issue. It looks like all but the
  • Management UI (I have a reverse proxy set up for remote access)
  • Web Station & Web mail / 80
  • HTTPS & Reverse proxy / 443
... could/should be changed to my LAN Source IP.

But what about shared Drive or Calendar links? Wouldn't the recipient of a shared link outside of my LAN need access? In this case, Some services should have the Source IP set to "All" or "USA".
 
@PunchCardBoss you could essentially eliminate/delete the windows file services, the WD discovery, and adjust the all ports lan devices to allow all to lan subnet.

I have management ui, vpn, hyper backup all under one rule for my country. You could add drive and snapshot rep in one rule too. You can add additional countries if needed to that one rule.
 
Yikes, you guys are way beyond me. Anyway after an hour, I tried it again and it worked without changing a thing. I'll post what I have below, pretty basic I think.

firewall.JPG
 
Last edited:
Yikes, you guys are way beyond me. Anyway after an hour, I tried it again and it worked without changing a thing. I'll post what I have below, pretty basic I think.

View attachment 12196

My first rule in the firewall is all all 192.168.1.0. This allows local devices to have access to the nas without restrictions, again so long as their trusted devices.

My 2nd rule is for management ui, vpn, hyper backup or any other similar services that are external looking to come in. source ip is country.

If you set it up that way you can eliminate rules 1,2,3,4,7. For rules 5&6 is this for your local lan; if so then it’s covered by my first rule, if it’s for your external access and need it only for your country as a source ip then add it to the my 2nd rule I listed.
-- post merged: --

I also have a 10.8.0.0 subnet allow all/all to the nas, that is for the vpn subnet so devices coming in on vpn have unrestricted access.

1676495674843.png

-- post merged: --

Think of each of the 2 main rules as internal local connections, and the 2nd rule is for external outside the network connections.
 
@Cyberwasp Make sure you have "Enabled Windows network discovery ..." in Control panel > File Services > [SMB] > WS-Discovery.

View attachment 12200
I think his issue is mostly firewall. Aside from the 2 ws discovery there’s no opening for local connections such as smb; unless that’s ticked off in rules 1 and or 2 where source ip is all (meaning internal ips and external ips)
 
If you set it up that way you can eliminate rules 1,2,3,4,7. For rules 5&6 is this for your local lan; if so then it’s covered by my first rule, if it’s for your external access and need it only for your country as a source ip then add it to the my 2nd rule I listed.

Nicely done. EXCELENT suggestion.​

Bravo!
 
Last edited:
Also it’s ok to separate a synology service rather than grouping into one rule. This is just preference , keep the rules tidy so it’s easy for you to see what’s going on and when you do a random check of what I got a year later you’re not confused.

Another example I have a site where when I do maintenance I want to prevent anyone from vpn’in. I have a separate rule just for the vpn package under the management rule, with source ip country. Now it’s a one click button to disable vpn from the firewall while I do updates.

I’ve tried disabling the actual vpn service in the von package and later realized my users were still locked out when I was done and re-enabled. I found out when you disable the vpn from the package it removes the rule from the fw.
-- post merged: --

But what about shared Drive or Calendar links? Wouldn't the recipient of a shared link outside of my LAN need access? In this case, Some services should have the Source IP set to "All" or "USA"

Sorry missed this. That is correct if you know all of your recipients are in the USA then you’re good. However if you have some in different countries you will need to allow those as well. I’d rather add as needed before reverting to the ALL for external access things. But obviously this depends on the scenario.

Someone running a forum or website on their nas will need ALL source ip because you won’t know everywhere people are coming from. In this case leave that specific service as the source ALL. Something like Drive or management ui should be your country or countries you’re in often. If I’m traveling outside my country I will just go to the vpn rule and tick on the additional country; another benefit to having the vpn rule as a separate line item so that it doesn’t alter the other services too and open them up.
 
@PunchCardBoss "Enabled Windows network discovery ..." in Control panel > File Services > [SMB] > WS-Discovery. I do.

Am sorry to say guys but when I read your suggestion my eyes glaze over. If I attempt anymore changes my heads going to explode. As someone said combining two instances to one, I tried with WS-Discovery and WS - Transfer and SMB failed!
 
I found out when you disable the vpn from the package it removes the rule from the fw.
Hmmmm... Good to know.

@Cyberwasp If I am following @Gerard correctly, you should add a #1 rule that looks something like this...

Screenshot 2023-02-15 133217.jpg


Instead of using 192.168.1.1, you should use yours LAN Gateway IP. This rule will allow your LAN devices to access your NAS including your LAN PC for an SMB connection.
 
Hmmmm... Good to know.

@Cyberwasp If I am following @Gerard correctly, you should add a #1 rule that looks something like this...

View attachment 12202

Instead of using 192.168.1.1, you should use yours LAN Gateway IP. This rule will allow your LAN devices to access your NAS including your LAN PC for an SMB connection.

Use a .0 at the end of the ip rather than .1. The .1 is most likely the router, whereas the .0 captures the whole subnet. Either way actually works, probably synology doing it on the backend, but to the eye .0 is the subnet which means all devices on that network.
-- post merged: --

Create a fw test profile to experiment with if needed so that you can switch back while still learning it. It takes a bit to understand but it’s really easy, don’t give up this is for your benefit of good fw rules.
 
Last edited:
@Cyberwasp There are 5 things you must do to make SMB work for a PC
  1. Enable SMB in Control panel > File Services > [SMB] DONE
  2. Enable WS-Discovery in Control panel > File Services > [SMB] > WS-Discovery DONE
  3. Enable FW rule for WS-Discovery (both Transfer and Discovery) DONE
  4. Users must have SMB permissions in Control panel > User & Group > User > Applications [SMB] ???
  5. If your FW has a DENY ALL rule at the end, Add a FW rule that allows your LAN device IPs to pass through the NAS FW NOT DONE
If you want to test this, turn off your DENY FW rule temporarily and test your SMB connection to your PC. If it works, you know you must add #5 in my list above.

Edited per @Gerard next post. Add User permissions for SMB access as item #4
 
Ok, I removed the several firewalls and started over. It "seems" everything is working including SMB via windows, but am going to post what I have. I also run Plex but that shouldn't be phased by this:
 

Attachments

  • firewall.JPG
    firewall.JPG
    57.1 KB · Views: 57

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

  • Question
I had the exact same problem. In my case, I found 2 rules for dsassistant in the firewall inbound rules...
Replies
2
Views
7,992
You know, Mt T., that if this didn’t happen, this whole post wouldn’t exist! 3 NAS’s set identically, with...
Replies
6
Views
449
Are you absolutely certain your cables are good for GB. I went so far as only use CAT6.
Replies
9
Views
929
  • Question
Excellent tip! I had the same issue, I stumbled into this forum as I was looking for a solution and it...
Replies
11
Views
6,436
Many vulnerabilities are due to malformed packets that don't conform fully to the specification: the...
Replies
13
Views
7,136

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top