Wireguard & LAN-LAN SMB

Started by JMini, November 17, 2025, 09:52:32 PM

New to OPNSense and this is my first post. Coming from Astaro/Sophos UTM.
I have a 6 port firewall appliance (Topton)
I also have a QNap NAS with 2 ports (one on the LAN2 network and the other on the DMZ4 network)
These are just named based on their subnet. 10.10.20.0/24 for LAN2 and 10.10.40.0/24 for DMZ4
For this, let's call its network connections QNap-LAN2 and QNap-DMZ4.
The QNap gets assigned DHCP addresses from hosts definitions so they're always the same.
So far most things work great. DNS, internet connectivity, etc.
I have WireGuard set up and clients can connect.
I can connect to QNap-LAN2 from computers on the LAN2 network. No sweat.
I have FW rules to allow LAN2 & WireGuard addresses to the DMZ4 network.
I can ping QNap-DMZ4 from my PC on LAN2. (All of this using IP addresses, not host names)
However I have some questions regarding 2 things.
1. Allowing SMB access w/user&PW authentication to the QNap-DMZ4 from the LAN2 network
2. Allowing SMB access w/user&PW authentication to the QNap-DMZ4 from the WireGuard network

Issue 1: An issue I have is that, if I create a Masq rule (outbound NAT) such that traffic from LAN2 to DMZ4 is masqueraded to the DMZ4 interface address and it's placed before the LAN2-to-WAN masq, I get a Windows Explorer message that denies access to QNap-DMZ4 from my LAN2 Windows PC due to authentication. If I disable that Masq rule, it instantly accepts authentication and I can browse folders on the share. If I then re-enable the masq rule, it continues to work. Is there any need for inbound SMB traffic to look like it's on the same subnet?

Issue 2: I guess this would apply to the WireGuard connections as well.

Thanks in advance.

I connected a laptop to the internet through my cell phone and connected the WireGuard VPN, so the PC is completely separated from my home network.

FW Rules:
WireGuard Net any,any,any,any Pass

Outbound NAT
Interface DMZ4, Source WireGuard net, Dest DMZ4 net

I can ping QNap-DMZ4 when connected.

I get authentication errors when trying to connect to QNap-DMZ4 using Windows Explorer.
Outbound NAT rule ON or OFF: same authentication error.

Update:
I can Telnet to QNap-DMZ4 from the WireGuard connected PC.

Just an idea: NAS only allowing access from LAN IPs?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I'm looking into that now.
I can access SMB on QNap-LAN2 from LAN2 and can access SMB on QNap-DMZ4 from LAN2. No problem.

Since I can ping and Telnet from WireGuard to QNap-DMZ4 I think the firewall is working correctly.
In the QNap logs, I can see the connection authorization from the WireGuard IP. It says "xxxx Logged in". So communication is working and authentication is happening.

I'm focusing on the QNap share permissions as a likely culprit.

I appreciate you poking your head in with some feedback.

It's a QNap problem.


If I connect my laptop directly to the DMZ4 network and try to connect to (\\10.10.40.205) I get a list of shared folders.
If I select the Multimedia folder, I get prompted for user/PW. That fails and I'm prompted again.
If (still from DMZ4 network) I try to connect to the SMB host (\\10.10.20.205) I get a listing of all shared folders.
If I select the Multimedia folder, I get prompted for user/PW. That fails and I'm prompted again.

However, I have another PC on the LAN2 network that has access to the share via \\10.10.20.205 AND \\10.10.40.205. No idea why.

Quote from: chemlud on November 18, 2025, 09:59:07 AM
Just an idea: NAS only allowing access from LAN IPs?
It's allowing PCs on the LAN network to connect to the LAN facing interface.
It's NOT allowing PCs on the DMZ network to connect to the DMZ facing interface.

Someone pointed out that a real DMZ would be bad for this QNap machine. I just call this network "DMZ" as a name, since it hosts SMB that is accessible via an external connection (VPN). It is NOT a true DMZ. It has a private IP range and sits safely behind the OPNSense.

It was a shared folder network permission setting in QNap.
Under Shared Folder Permissions, it defaults to user & group permissions, but there's also Microsoft Networking host access in a drop-down list.
Once there, only my 10.10.20.* network was entered. So I added the 10.10.40.* network and my WireGuard 10.10.70.* network.

It works like a charm now.
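The fix described in this thread is a share-level host allow-list: the firewall passed the traffic, but the NAS rejected clients outside 10.10.20.*. As an added example (not code from the thread or from QNAP), the Python below applies Samba-style `hosts allow` matching, which it assumes mirrors QNAP's "Microsoft Networking host access" list, to constructed client addresses from the three networks discussed, before and after the fix.

```python
import ipaddress

# Samba-style "hosts allow" matching, assumed here to mirror the QNAP share-level
# host access list. Entry forms: dotted prefix "10.10.20." (trailing dot), CIDR
# "10.10.40.0/24", address/netmask "10.10.70.0/255.255.255.0", a single host, EXCEPT.

def _entry_matches(entry: str, ip: ipaddress.IPv4Address) -> bool:
    """Return True if a single allow-list entry covers ip."""
    if entry.endswith("."):                      # prefix form, e.g. "10.10.20."
        return str(ip).startswith(entry)
    if "/" in entry:                             # CIDR or address/netmask form
        return ip in ipaddress.ip_network(entry, strict=False)
    return ip == ipaddress.ip_address(entry)     # exact host address

def host_allowed(allow_list: str, client_ip: str) -> bool:
    """Evaluate a hosts-allow string ("a b EXCEPT c") for one client address.

    An empty list admits everyone; entries after EXCEPT subtract hosts from the
    entries before it, as in smb.conf's 'hosts allow'.
    """
    ip = ipaddress.ip_address(client_ip)
    tokens = allow_list.split()
    if not tokens:
        return True
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        allowed, denied = tokens[:idx], tokens[idx + 1:]
    else:
        allowed, denied = tokens, []
    if any(_entry_matches(e, ip) for e in denied):
        return False
    return any(_entry_matches(e, ip) for e in allowed)

# Constructed sample clients, one per network mentioned in the thread.
CLIENTS = {
    "pc-on-lan2": "10.10.20.50",
    "laptop-on-dmz4": "10.10.40.50",
    "laptop-over-wireguard": "10.10.70.2",
}
BEFORE_FIX = "10.10.20."
AFTER_FIX = "10.10.20. 10.10.40.0/24 10.10.70.0/255.255.255.0"

def report(allow_list: str) -> dict:
    """Map each sample client name to whether the share would admit it."""
    return {name: host_allowed(allow_list, ip) for name, ip in CLIENTS.items()}

if __name__ == "__main__":
    for label, acl in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, report(acl))
```

Note that a client can still ping and reach TCP 445 on the NAS while this list denies it, which is why the symptom looked like an authentication failure rather than a firewall block.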