New to OPNSense and this is my first post. Coming from Astaro/Sophos UTM.
I have a 6 port firewall appliance (Topton)
I also have a QNap NAS with 2 ports (one on the LAN2 network and the other on the DMZ4 network)
These are just named based on their subnet. 10.10.20.0/24 for LAN2 and 10.10.40.0/24 for DMZ4
For this let's call its network connections Qnap-LAN2 and QNap-DMZ4
The QNap gets assigned DHCP addresses from hosts definitions so they're always the same.
So far most things work great. DNS, internet connectivity, etc.
I have WireGuard set up and clients can connect.
I can connect to QNap-LAN2 from computers on the LAN2 network. No sweat.
I have FW rules to allow LAN2 & WireGuard addresses to the DMZ4 network.
I can ping QNap-DMZ4 from my PC on LAN2. (All of this using IP addresses, not host names)
However I have some questions regarding 2 things.
1. Allowing SMB access w/ user & PW authentication to the QNap-DMZ4 from the LAN2 network
2. Allowing SMB access w/ user & PW authentication to the QNap-DMZ4 from the WireGuard network
Issue 1: If I create a masq rule (outbound NAT) such that traffic from LAN2 to DMZ4 is masqueraded to the DMZ4 interface address, and it's placed before the LAN2-to-WAN masq rule, I get a Windows Explorer message that denies access to QNap-DMZ4 from my LAN2 Windows PC due to authentication. If I disable that masq rule, it instantly accepts authentication and I can browse folders on the share. If I then re-enable the masq rule, it continues to work. Is there any need for inbound SMB traffic to look like it's on the same subnet?
Issue 2: I guess this would apply to the WireGuard connections as well.
Thanks in advance.
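To make the effect of the outbound NAT rule ordering concrete, here is an added example (not from the original post and not OPNsense's own code) that models first-match outbound NAT over the two subnets named above. It shows which source address the NAS on DMZ4 actually sees with the LAN2-to-DMZ4 masq rule enabled versus disabled; the interface address, client address and WAN address are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Subnets are from the post; the concrete addresses below are constructed placeholders.
LAN2 = ip_network("10.10.20.0/24")
DMZ4 = ip_network("10.10.40.0/24")
ANY = ip_network("0.0.0.0/0")
DMZ4_IF_ADDR = ip_address("10.10.40.1")   # assumed DMZ4 interface address of the firewall
WAN_ADDR = ip_address("203.0.113.10")     # documentation-range stand-in for the WAN address


@dataclass
class NatRule:
    name: str
    out_iface: str
    source: IPv4Network
    dest: IPv4Network
    translate_to: IPv4Address
    enabled: bool = True


def egress_interface(dst: IPv4Address) -> str:
    """Pick the interface a packet leaves on from its destination (simplified routing)."""
    if dst in DMZ4:
        return "DMZ4"
    if dst in LAN2:
        return "LAN2"
    return "WAN"


def apply_outbound_nat(rules, src: IPv4Address, dst: IPv4Address):
    """Outbound NAT is evaluated top to bottom; the first enabled match rewrites the source."""
    iface = egress_interface(dst)
    for rule in rules:
        if rule.enabled and rule.out_iface == iface and src in rule.source and dst in rule.dest:
            return rule.translate_to, rule.name
    return src, None  # no match: the NAS sees the real client address


def rules_from_post(masq_lan2_to_dmz4: bool):
    """The two rules described in the post, in the order the post places them."""
    return [
        NatRule("LAN2-to-DMZ4 masq", "DMZ4", LAN2, DMZ4, DMZ4_IF_ADDR, masq_lan2_to_dmz4),
        NatRule("LAN2-to-WAN masq", "WAN", LAN2, ANY, WAN_ADDR),
    ]


def source_seen_by_nas(masq_lan2_to_dmz4: bool, client="10.10.20.50", nas="10.10.40.20"):
    """Address the QNap on DMZ4 sees for an SMB session from a LAN2 client."""
    seen, _ = apply_outbound_nat(rules_from_post(masq_lan2_to_dmz4), ip_address(client), ip_address(nas))
    return str(seen)
```

With the masq rule enabled every LAN2 client reaches the NAS from the firewall's DMZ4 interface address, so any host-based allow list or session tracking on the NAS keyed by client IP sees one shared address instead of the real client.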
I connected a laptop to the internet through my cell phone and connected the WireGuard VPN so the PC is completely separated from my home network.
FW Rules:
WireGuard Net any,any,any,any Pass
Outbound NAT
Interface DMZ4, Source WireGuard net, Dest DMZ4 net
I can ping QNap-DMZ4 when connected.
I get authentication errors when trying to connect to QNap-DMZ4 using Windows Explorer.
Outbound NAT rule ON or OFF: same authentication error.
Update:
I can Telnet to QNap-DMZ4 from the WireGuard connected PC.
Just an idea: NAS only allowing access from LAN IPs?