Topic: Cannot Access File Shares after upgrading to 22.1.8

somnuk_s

Cannot Access File Shares after upgrading to 22.1.8
« on: May 26, 2022, 10:06:10 am »
Last night we upgraded from 21.7.8 to 22.1.8, and Windows file sharing across the IPsec VPN is not working. The Microsoft diagnostic said the server is listening but not responding. For now, our workaround is to create a rule on LAN to allow LAN net (172.16.33.x) to access the file server on the remote site (10.3.32.x) on the firewall server (172.16.33.x network).

Prior to the upgrade, everything was working fine. No changes were made to the firewall on either site. Both sites are using OPNsense 22.1.8. Any idea what might have caused this?

Regards,
Somnuk

_Alchemist_

Re: Cannot Access File Shares after upgrading to 22.1.8
« Reply #1 on: May 26, 2022, 11:56:04 am »
In the 22.1.8 changelog, the only things about the firewall I could find are these:
  • firewall: various usability and visibility improvements for aliases
  • firewall: performance improvement for large numbers of port type aliases
  • firewall: simplify sort and add natural sorting in alias diagnostics
I suppose your Network looks something like this?

[SMB Clients] <-- 172.16.33.x --> [OPNsense 1] <-- IPSec (WAN) --> [OPNsense 2] <-- 10.3.32.x --> [SMB Server]
Can you show what your firewall rules look like? And do you have multiple gateways?
I haven't used IPSec with OPNsense yet, only with OpenVPN and WireGuard, but from the other recent Posts, it seems like there might be issues with both IPSec and Aliases in 22.1.8.
« Last Edit: May 26, 2022, 11:58:00 am by _Alchemist_ »
OPNsense VM1: 2 vCore (i3-10100), 2GB RAM, 40GB SSD (NVMe), 10 Gbit/s NIC (X520-DA2)
OPNsense VM2: 2 vCore (i3-10100), 2GB RAM, 40GB SSD (NVMe), 10 Gbit/s NIC (X520-DA2)

somnuk_s

Re: Cannot Access File Shares after upgrading to 22.1.8
« Reply #2 on: May 27, 2022, 03:23:20 am »
We created an alias SMB_Ports 137:139;445. This SMB_Ports alias is used in the WAN rules that block incoming traffic from WAN and also in the LAN rules to WAN net. The IPsec rules allow any to any, with no blocking. I have tried disabling all these rules, but the problem persists. Clients cannot access SMB shares on remote sites.

Regards,
Somnuk

somnuk_s

Re: Cannot Access File Shares after upgrading to 22.1.8
« Reply #3 on: May 28, 2022, 06:03:53 am »
On the source firewall, I disabled anything related to SMB ports, but the error still shows, as below.
LAN      2022-05-28T10:50:05   172.16.33.84:55654   10.3.32.12:139   tcp   Default deny / state violation rule   
LAN      2022-05-28T10:50:04   172.16.33.84:55654   10.3.32.12:139   tcp   Default deny / state violation rule   
LAN      2022-05-28T10:50:04   172.16.33.84:55653   10.3.32.12:445   tcp   Default deny / state violation rule   
LAN      2022-05-28T10:50:03   172.16.33.84:55653   10.3.32.12:445   tcp   Default deny / state violation rule

So I created a rule to allow LAN net to access the remote network; now traffic goes through and the log looks like below. Since I use IPsec tunneling, it should look at the IPsec rules first, but instead it looks at the LAN rules first. Is my understanding correct? The old version of OPNsense had no problem; the problem occurs in 22.1.8.

IPsec      2022-05-28T10:58:32   172.16.33.84:55718   10.3.32.12:445   tcp   IPsec internal host to host   
IPsec      2022-05-28T10:58:32   172.16.33.84:55716   10.3.32.12:445   tcp   IPsec internal host to host   
IPsec      2022-05-28T10:58:30   172.16.33.84:55694   10.3.32.30:445   tcp   IPsec internal host to host   

Regards,
Somnuk
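
The two log excerpts in Reply #3 can be triaged with a short parser that groups rows by interface and rule label, showing on which interface flows to the remote network were dropped. This is an added example, not part of the thread or of OPNsense's tooling; the /24 mask for the remote site and all function names are assumptions, and the sample rows are taken from the post.

```python
import ipaddress
import re
from collections import Counter

# Sample rows taken from the live-view excerpts quoted in Reply #3.
SAMPLE_LOG = """\
LAN      2022-05-28T10:50:05   172.16.33.84:55654   10.3.32.12:139   tcp   Default deny / state violation rule
LAN      2022-05-28T10:50:04   172.16.33.84:55653   10.3.32.12:445   tcp   Default deny / state violation rule
LAN      2022-05-28T10:50:03   172.16.33.84:55653   10.3.32.12:445   tcp   Default deny / state violation rule
IPsec      2022-05-28T10:58:32   172.16.33.84:55718   10.3.32.12:445   tcp   IPsec internal host to host
IPsec      2022-05-28T10:58:30   172.16.33.84:55694   10.3.32.30:445   tcp   IPsec internal host to host
"""

# Assumption: the remote site is a /24; the thread only gives 10.3.32.x.
REMOTE_NET = ipaddress.ip_network("10.3.32.0/24")
DENY_LABEL = "Default deny / state violation rule"


def parse_line(line):
    """Split one row into a dict; columns are separated by a tab or 2+ spaces."""
    fields = re.split(r"\s{2,}|\t", line.strip())
    if len(fields) != 6:
        return None  # not a log row in the expected six-column layout
    iface, ts, src, dst, proto, label = fields
    dst_ip, _, dst_port = dst.rpartition(":")
    return {"iface": iface, "time": ts, "src": src, "proto": proto,
            "dst_ip": dst_ip, "dst_port": int(dst_port), "label": label}


def summarize(log_text):
    """Count (interface, label, dst_port) for rows destined to the remote network."""
    counts = Counter()
    for line in log_text.splitlines():
        row = parse_line(line)
        if row and ipaddress.ip_address(row["dst_ip"]) in REMOTE_NET:
            counts[(row["iface"], row["label"], row["dst_port"])] += 1
    return counts


def denied_before_tunnel(log_text):
    """Destination ports hit by the default-deny rule on a non-IPsec interface."""
    return sorted({port for (iface, label, port) in summarize(log_text)
                   if iface != "IPsec" and label == DENY_LABEL})


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key, sep="\t")
    print("denied on ingress interface:", denied_before_tunnel(SAMPLE_LOG))
```

The interface column records where the filter made its decision, so default-deny rows on LAN for destinations behind the tunnel point at the LAN ruleset (including any alias it references) rather than at the IPsec rules.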

meyergru

Re: Cannot Access File Shares after upgrading to 22.1.8
« Reply #4 on: May 28, 2022, 10:05:06 am »
Are you really talking about 22.1.8 or 22.1.8_1? 22.1.8 has a known problem with network aliases which might account for all your described problems.
DEC760 - the model that Deciso never built

Electr0nik

Re: Cannot Access File Shares after upgrading to 22.1.8
« Reply #5 on: June 08, 2022, 03:52:40 pm »
I have a similar problem with 22.1.8_1, but it is not permanent. My SMB shares are working most of the time, but sometimes they stop working over the IPsec tunnel while still pinging OK. After some time it will work again.