REQUEST: Enable WAN access for Samba

[Chris Smith2]

Thanks to all for the wonderful firmware.

My RT-AC68U works very well in Wireless router mode inside our Network. The 8TB Toshiba HDD attached to it works also flawlessly.

The WAN Connection is actually connecting to another internal Network. From this network the FTP access to the HDD works with the switch Enable WAN access for FTP activated in the GUI.

Can you please also add a similar switch "Enable WAN access for Samba"?

Thanks a lot!

Chris

Possible solution:
My current way to activate it is to edit /etc/smb.conf and for the simplicity I just delete all the lines with IP addresses in this file. Afterwards I kill and start the smb daemon again.

 

[Nullity]

Is SMB secure enough for public access? (I think not.)

The probably better approach is to enable SMB locally then access it externally through a VPN.

 

[RMerlin]

No, as this would be a recipe for disaster, as plenty of users without the necessary technical knowledge would start enabling this on their WAN connection, and then complain as to how they are getting hacked, or why it doesn't work (as many ISPs will block those ports by default).

If you need such a specialized setup, I recommend you configure it manually through firewall-start and smb.postconf.

 

[Chris Smith2]

Is SMB secure enough for public access? (I think not.).

Again: The WAN Connection is actually connecting to another internal Network.

So this has nothing to do with public access.

 

[Chris Smith2]

No, as this would be a recipe for disaster, as plenty of users without the necessary technical knowledge would start enabling this on their WAN connection, and then complain as to how they are getting hacked...

Your argument is okay. But why do you then apply it only to smb and not to ftp?

 

[RMerlin]

Your argument is okay. But why do you then apply it only to smb and not to ftp?

The FTP server is more "self-contained" than SMB, which can effectively open access to the rest of your LAN, as Samba talks to the rest of it.

Also, FTP is still somewhat widely used on the Internet. The protocol is less at risk to exploiting than the SMB protocol. Distributing files over a read-only anonymous account is fine, for instance.

Note that WAN access to FTP is part of the original firmware, it's not something I added. In fact, it's a unique feature of my firmware to have the option to disable it - stock firmware will automatically open it to the WAN when enabled.

 

[Chris Smith2]

file /jffs/scripts/smb.postconf

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "interfaces = " "interfaces = eth0 " $CONFIG

How can I manually invoke this postconf script for testing?

 

[Fitz Mutch]

How can I manually invoke this postconf script for testing?

service restart_samba

 

[Jack Yaz]

Don't most ISPs block ports for SMB these days?

 

[Chris Smith2]

service restart_samba

/jffs/scripts/smb.postconf /etc/smb.conf

works but

service restart_samba

ignores the file.

EDIT:

Solution (LOL)

Enabling support for custom configs
Starting with 378.50, this functionality is disabled by default. To enable it, go to Administration -> System, then enable it under the JFFS section.

 

[RMerlin]

/jffs/scripts/smb.postconf /etc/smb.conf

works but

service restart_samba

ignores the file.

Sorry!

Enabling support for custom configs
Starting with 378.50, this functionality is disabled by default. To enable it, go to Administration -> System, then enable it under the JFFS section.

service restart_nasapps

 

[Fitz Mutch]

ignores the file. Sorry!

It worked when I tried it. Did you spell it correctly?

 

[john9527]

Also check to make sure it's in linux format....

dos2unix /jffs/scripts/smb.postconf

 

[Chris Smith2]

The samba installation is somehow broken (RT-AC68U, Firmware: 380.66_4).

log level = 2 shows

interpret_interface: Can't find address for lo
interpret_interface: Can't find address for br0
...

workaround in smb.conf:

interfaces = 127.0.0.1/255.0.0.0 ...

 

[Chris Smith2]

He is my (not optimal but working) configuration so far:

admin@RT-AC68U:/jffs/scripts# cat firewall-start
#!/bin/sh

iptables -A INPUT -p udp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -D INPUT -j DROP
iptables -A INPUT -j DROP

admin@RT-AC68U:/jffs/scripts# cat smb.postconf
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "interfaces = lo br0 192.168.1.50/255.255.255.0" "interfaces = 127.0.0.1/255.0.0.0 192.168.0.181/255.255.255.0 192.168.1.50/255.255.255.0" $CONFIG

Ofc, change the IP-Addresses accordingly and please read post #3 before doing this!