Sanity Check & Assistance Requested Enabling SMB Across Networks

Started by Apathy, April 22, 2024, 12:00:24 PM

Hey all, first time setting up my own Router/Firewall and it's been a bit of a learning curve!

Firstly my setup: (apologies for the verbosity)
OPNsense router is connected via WAN port to ISP Modem for internet connectivity.

The default LAN interface is connected to a switch for my trusted devices (Desktop, NAS, Pi) and has a static IP of 10.27.36.1/24. On this network the Pi has a static IP 10.27.36.13 and is hosting Pi-hole and Immich services. The Pi-hole is configured to upstream DNS to 10.27.36.1 for Unbound DNS running on OPNsense, which is configured for DNS over TLS to Quad9.

I also have configured another LAN interface called LAN2, which has the IP 10.0.0.1/24. This LAN2 interface is directly connected to my ASUS AX88U router, via that router's WAN port.

Both interfaces, in the DHCPv4 services tab, are providing 10.27.36.13 (Pi IP) as the DNS server.

The ASUS router is managing a network on the subnet 192.168.50.0/24. To this I have connected all the typical smart home devices via Wi-Fi, TV, work laptop, games consoles. This is the network I am trying to migrate from. In addition, attached to this router via USB is an external HDD. Through the ASUS router interface I am able to host this as an SMB share at 192.168.50.1 (the IP of the router on that network). This contains the library for the Immich server, as until I had set up the OPNsense router, the ASUS router was my entire home network, so the Pi was also part of it.

In order to allow communication between the 10.27.36.1/24 and 192.168.50.1/24 networks, I created a gateway on the LAN2 interface with the IP of 10.0.0.2 (the IP of the ASUS router's WAN). I then created a route for the network address 192.168.50.0/24 over this new gateway. I also disabled the firewall on the ASUS router.

With the following firewall rules (the disabled rule on LAN2 is normally enabled to stop communication from LAN2 to LAN, but is disabled for testing):

DNS is working as expected on all devices connected to either network: [Pi-hole -> Unbound -> Quad9]. I can also reach all devices on the 192.168.50.0/24 network from the 10.27.36.0/24 network, but not the other way round, as intended (when that disabled rule is enabled).

The ONLY thing I haven't been able to get working is access to the SMB share hosted from the ASUS router. I can access it fine from the 192.168.50.0/24 network, so the share hosting is definitely working on that side, but I am not able to access it at all from the 10.27.36.0/24 subnet.


Now for the questions:

1. What have I missed to be able to facilitate access to the SMB share from the 10.27.36.0/24 network?

2. Is everything I've configured reasonable, or have I been a big dumb?

3. What steps should I take to harden my network from the WAN side?


Extra:
I know this is a really long post, but I wanted to make sure I included as much information as possible to help diagnose whatever the issue might be. I'm very new to networking, but I'm eager to learn. My entire weekend was spent learning as much as I can about the basics and then attempting to apply them in OPNsense. I completed the amazing networking fundamentals series (the first module is all that's available right now), plus the subnetting and NAT courses from Practical Networking, which gave me a basic level of understanding, but I still have a lot to learn.

Thanks in advance for any help/assistance, if you need more information I'm more than happy to provide it :)

Hi,

do you access the SMB share with the Asus router's LAN or WAN (aka LAN2) IP?

I can imagine the latter is not possible for security reasons. However, on LAN there might be an IP filter configured to allow local area IPs only. Furthermore, you don't allow access to LAN2 directly from LAN. You should run a packet capture and/or firewall live log inspection to check for possible blocks and/or no traffic at all.

Routes seem good, firewall rules for LAN2 do not permit access to LAN when the respective rule is enabled. Is that intended? I didn't get that.

Hey, thanks for responding!

I am attempting to access the SMB share over the Asus router's LAN from the 10.27.36.0/24 network; more specifically, I'm attempting to mount it on the Pi at 10.27.36.13 using the IP 192.168.50.1 (the LAN IP of the Asus router). I will have a look at performing an inspection and see if I can spot any traffic being blocked.

Quote: on LAN there might be an IP filter
This is a great suggestion, I will have a look into that

As I have many devices connected to the LAN2 network via the Asus router that I didn't necessarily 'trust' (specifically IoT devices), I wanted to disallow access to LAN from LAN2, which is the reason for that rule. For now I've disabled it, just in case it was interfering with the SMB traffic in some way.

Quote from: Saarbremer on April 22, 2024, 01:16:49 PM
Hi,

do you access the SMB share with the Asus router's LAN or WAN (aka LAN2) IP?

I can imagine the latter is not possible for security reasons. However, on LAN there might be an IP filter configured to allow local area IPs only. Furthermore, you don't allow access to LAN2 directly from LAN. You should run a packet capture and/or firewall live log inspection to check for possible blocks and/or no traffic at all.

Routes seem good, firewall rules for LAN2 do not permit access to LAN when the respective rule is enabled. Is that intended? I didn't get that.

Hey, just wanted to get back to you to let you know I was able to figure out the problem thanks to you! I was able to determine that I had to modify the `smb.conf` file on the router to expand the `hosts allow =` line to include my other subnet. Once I did that, everything worked! The only issue I have is that with the default ASUS firmware it doesn't seem to run the script I added to `/jffs/scripts/smb.postconf` automatically. I rarely restart that router, so hopefully it remains a non-issue to run it manually every now and again. If it does, I'll look to install the custom Merlin firmware, which I think will run the scripts in that directory automatically.

Anyway, thanks again! :)

I was wondering if you had any insights on my third question regarding hardening my WAN side? I'm reasonably confident in the security between the two local LAN networks, but I've not figured out how to have some level of confidence in my network security from the Internet. A link to some resources, or quick tips, would be really helpful if you have any to hand. Is the default configuration of OPNsense out of the box OK?
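The fix above (widening `hosts allow`) is easy to get subtly wrong, and the forum post does not show the resulting line. As an added example that is not part of the thread or of the ASUS firmware, here is a small Python model of how Samba evaluates `hosts allow` / `hosts deny` against a connecting client, run over a constructed `smb.conf` in the "before" state, the widened state, and a least-privilege state that admits only the Pi. The pattern forms (dotted prefix, CIDR, network/netmask, bare address, `ALL`, `EXCEPT`) and the allow-before-deny precedence follow the smb.conf(5) documentation and Samba's `allow_access()` logic as I understand them; the config texts, share name and client addresses are constructed for illustration and the real generated file on the router is assumed, not known.

```python
"""Added example (not from the forum thread): model Samba's hosts allow / hosts deny
evaluation to show why 10.27.36.13 was refused and how the widened list admits it.
Matching semantics are modelled on smb.conf(5); configs below are constructed."""
import ipaddress
import re


def parse_hosts_list(value: str) -> tuple[list[str], list[str]]:
    """Split a hosts allow/deny value into (patterns, except_patterns)."""
    tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def pattern_matches(pattern: str, addr: ipaddress.IPv4Address) -> bool:
    """One smb.conf host pattern against one client address."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):                 # dotted-prefix form, e.g. "192.168.50."
        return str(addr).startswith(pattern)
    if "/" in pattern:                        # "10.27.36.0/24" or "10.0.0.0/255.255.255.0"
        return addr in ipaddress.ip_network(pattern, strict=False)
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False                          # hostnames/netgroups: not resolved offline


def list_matches(value, addr: ipaddress.IPv4Address) -> bool:
    if value is None:
        return False
    patterns, excepts = parse_hosts_list(value)
    if any(pattern_matches(p, addr) for p in excepts):
        return False
    return any(pattern_matches(p, addr) for p in patterns)


def allow_access(client_ip: str, hosts_allow=None, hosts_deny=None) -> bool:
    """Precedence as in Samba's allow_access(): allow match wins, then deny, else allow."""
    addr = ipaddress.ip_address(client_ip)
    if addr.is_loopback:                      # loopback is allowed unless explicitly denied
        return not list_matches(hosts_deny, addr)
    if hosts_allow is None and hosts_deny is None:
        return True
    if hosts_deny is None:
        return list_matches(hosts_allow, addr)
    if hosts_allow is None:
        return not list_matches(hosts_deny, addr)
    if list_matches(hosts_allow, addr):
        return True
    if list_matches(hosts_deny, addr):
        return False
    return True


def global_hosts(smb_conf: str) -> dict:
    """Read 'hosts allow' / 'hosts deny' from the [global] section of an smb.conf text."""
    found = {"hosts allow": None, "hosts deny": None}
    section = None
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.lower() in found:
                found[key.lower()] = val
    return found


def share_reachable(smb_conf: str, client_ip: str) -> bool:
    hosts = global_hosts(smb_conf)
    return allow_access(client_ip, hosts["hosts allow"], hosts["hosts deny"])


# Constructed configs (assumed shape; the router's real generated file was not posted).
SMB_CONF_BEFORE = """
[global]
    workgroup = WORKGROUP
    hosts allow = 127.0.0.1 192.168.50.
[immich]
    path = /tmp/mnt/sda1/immich
"""
# What the poster did: add the whole trusted subnet.
SMB_CONF_WIDENED = SMB_CONF_BEFORE.replace(
    "hosts allow = 127.0.0.1 192.168.50.",
    "hosts allow = 127.0.0.1 192.168.50. 10.27.36.0/24")
# Tighter alternative: only the Pi that actually mounts the share.
SMB_CONF_LEAST = SMB_CONF_BEFORE.replace(
    "hosts allow = 127.0.0.1 192.168.50.",
    "hosts allow = 127.0.0.1 192.168.50. 10.27.36.13")

if __name__ == "__main__":
    for name, conf in [("before", SMB_CONF_BEFORE), ("widened", SMB_CONF_WIDENED),
                       ("least-privilege", SMB_CONF_LEAST)]:
        for ip in ("192.168.50.20", "10.27.36.13", "10.27.36.50"):
            print(f"{name:16} {ip:14} -> {'allow' if share_reachable(conf, ip) else 'deny'}")
```

Run the check against the file smbd actually loaded (for example the output of `testparm -v` where that Samba tool is available) rather than against a hand-edited copy, since on the poster's setup the firmware regenerates the file and the postconf script may not have run. The least-privilege variant is the one that matches the "restrict it to those who require it" advice given later in the thread: the Pi needs the share, the rest of 10.27.36.0/24 does not.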

Hi,

good to hear that it now works for you.

Regarding network security: this is a (very) wide field of work. It depends on your intended security level and your intended use of the network (services, etc.).

However, in general, incoming traffic on WAN shall be blocked. Exceptions for ICMPv6 apply. Furthermore, consider blocking the Spamhaus DROP and DROPv6 lists. When using Unbound: check for available DNS blacklists that may block a lot of stuff you don't need.

Restrict the traffic also within your LAN(s). You should not consider your own network secure. So, allow between the segments what is needed. And nothing else.

Make sure your software is up to date, and not only on infrastructure. Regarding your SMB service: restrict it to those who require it. Enforce strict authentication with strong passwords. No, "password" is not enough in a local area network. Make sure your users keep an eye on unusual activity.

But again, it depends on what you want and what you do. A honeypot operator will have different requirements to a home user or an enterprise with DMZ and connected cloud services across multiple sites.