Wireguard & LAN-LAN SMB

Started by JMini, November 17, 2025, 09:52:32 PM

New to OPNSense and this is my first post. Coming from Astaro/Sophos UTM.
I have a 6-port firewall appliance (Topton).
I also have a QNap NAS with 2 ports (one on the LAN2 network and the other on the DMZ4 network)
These are just named based on their subnet. 10.10.20.0/24 for LAN2 and 10.10.40.0/24 for DMZ4
For this, let's call its network connections QNap-LAN2 and QNap-DMZ4.
The QNap gets assigned DHCP addresses from hosts definitions so they're always the same.
So far most things work great. DNS, internet connectivity, etc.
I have WireGuard set up and clients can connect.
I can connect to QNap-LAN2 from computers on the LAN2 network. No sweat.
I have FW rules to allow LAN2 & WireGuard addresses to the DMZ4 network.
I can ping QNap-DMZ4 from my PC on LAN2. (All of this using IP addresses, not host names)
However I have some questions regarding 2 things.
1. Allowing SMB access with user & password authentication to QNap-DMZ4 from the LAN2 network
2. Allowing SMB access with user & password authentication to QNap-DMZ4 from the WireGuard network

Issue 1: An issue I have is that, if I create a Masq rule (outbound NAT) such that traffic from LAN2 to DMZ4 is masqueraded to the DMZ4 interface address and it's placed before the LAN2-to-WAN masq, I get a Windows Explorer message that denies access to QNap-DMZ4 from my LAN2 Windows PC due to authentication. If I disable that Masq rule, it instantly accepts authentication and I can browse folders on the share. If I then re-enable the masq rule, it continues to work. Is there any need for inbound SMB traffic to look like it's on the same subnet?

Issue 2: I guess this would apply to the WireGuard connections as well.

Thanks in advance.

I connected a laptop to the internet through my cell phone and connected the WireGuard VPN so the PC is completely separated from my home network.

FW Rules:
WireGuard Net any,any,any,any Pass

Outbound NAT
Interface DMZ4, Source WireGuard net, Dest DMZ4 net

I can ping QNap-DMZ4 when connected.

I get authentication errors when trying to connect to QNap-DMZ4 using Windows Explorer.
Outbound NAT rule ON or OFF: same authentication error.

Update:
I can Telnet to QNap-DMZ4 from the WireGuard connected PC.
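As an added illustration (not code from the thread or from OPNsense), the following Python model replays first-match outbound NAT over the rules described in Issue 1 and in the WireGuard post, to show which source address QNap-DMZ4 actually sees in each case. The WireGuard tunnel subnet, the interface addresses and the client addresses are assumed values; only the LAN2 and DMZ4 subnets come from the post.

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the thread; the WireGuard tunnel subnet and the interface
# addresses are constructed assumptions, not values from the post.
NETS = {
    "LAN2": ipaddress.ip_network("10.10.20.0/24"),
    "DMZ4": ipaddress.ip_network("10.10.40.0/24"),
    "WireGuard": ipaddress.ip_network("10.10.100.0/24"),  # assumed
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
IFACE_ADDR = {"DMZ4": "10.10.40.1", "WAN": "203.0.113.10"}  # assumed


@dataclass
class NatRule:
    name: str
    interface: str                 # egress interface the rule is bound to
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network
    translate_to: str              # address the source is rewritten to
    enabled: bool = True


def egress_interface(dst: ipaddress.IPv4Address) -> str:
    """Pick the interface a packet leaves on; anything not local goes to WAN."""
    for name in ("LAN2", "DMZ4", "WireGuard"):
        if dst in NETS[name]:
            return name
    return "WAN"


def observed_source(rules, src_ip: str, dst_ip: str):
    """Source address the destination sees after first-match outbound NAT.
    Returns (address, rule_name); rule_name is None when no rule matched."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = egress_interface(dst)   # outbound NAT rules only apply on their own interface
    for r in rules:
        if r.enabled and r.interface == iface and src in r.source and dst in r.dest:
            return r.translate_to, r.name
    return str(src), None


def build_rules(lan2_masq_enabled: bool = True):
    """Outbound NAT rules as described in the thread, in evaluation order."""
    return [
        NatRule("LAN2 to DMZ4 masq", "DMZ4", NETS["LAN2"], NETS["DMZ4"],
                IFACE_ADDR["DMZ4"], lan2_masq_enabled),
        NatRule("WireGuard to DMZ4 masq", "DMZ4", NETS["WireGuard"], NETS["DMZ4"],
                IFACE_ADDR["DMZ4"]),
        NatRule("LAN2 to WAN masq", "WAN", NETS["LAN2"], NETS["any"], IFACE_ADDR["WAN"]),
    ]
```

With the masq rule enabled the NAS sees the firewall's DMZ4 address instead of the real client, which is exactly the case where a NAS-side host or subnet restriction on the share would behave differently from the disabled case.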

Just an idea: NAS only allowing access from LAN IPs?
Kind regards,
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I'm looking into that now.
I can access SMB on QNap-LAN2 from LAN2 and can access SMB on QNap-DMZ4 from LAN2. No problem.

Since I can ping and Telnet from WireGuard to QNap-DMZ4 I think the firewall is working correctly.
In the QNap logs, I can see the connection authorization from the WireGuard IP. It says "xxxx Logged in". So communication is working and authentication is happening.

I'm focusing on the QNap share permissions as a likely culprit.

I appreciate you poking your head in with some feedback.