Solved SMB access to a NAS on a different subnet?

heddy

Short version:
What is the best way to get SMB access to a NAS on a different subnet? I have discovered a way to do this using hosts file edits and Windows Firewall rule modifications, but this creates ongoing labor, so I want to know if there is a better way.

Long version:
I have 2 networks on my Asus RT-BE88U router: the main network, and the ad-blocking network created in Guest Network Pro.
I have installed ASUSWRT-Merlin 3006.102.3 to maximize the number of features available to me.
I want all networks to be able to access the NAS that is wired to the router.
Currently, devices on the ad-blocking network do not have SMB access to the NAS. They can access the NAS using its IP address on a web browser.

With many hours of googling and trying to accomplish this, I have discovered the following:
  • I have to edit the hosts file to add the NAS IP address AND adjust the Windows Firewall SMB rules on all devices outside the main subnet that want SMB access to the NAS. This method is SUCCESSFUL, but I am UNSATISFIED with the lack of auto-magic or simplicity, as well as the fact that it creates ongoing labor for any future devices, or existing devices that get their OS reset.
  • Just using the same subnet would be the easiest way to solve my problem, but I can't do that, because independent DNS settings per network (for ad-blocking) require different subnets.
  • There's something called "DNS multicast" that might be able to prevent the need to edit hosts files, but I'm not sure how to enable it or troubleshoot it.
  • It might be possible to prevent the need to edit hosts files by adding the NAS IP/hostname to "/jffs/configs/dnsmasq.conf.add" on the router, but I tried that to no effect, so I might have done something wrong or misunderstood the purpose of "dnsmasq.conf.add". The documentation also mentions "dnsmasq-INDEX.conf.add" so I'm not sure if I need to use that file instead (also not sure where I would get the necessary index number).
  • The ASUSWRT-Merlin website mentions some SMB-related features, but I'm not sure if they apply to my situation. I would love to know if there's a checkbox somewhere to "make SMB work auto-magically across subnets".
This is just a home network. If possible, I want a simple solution that avoids the need to configure each device connected to the network. I'm not a network expert.
 
What Guest Network Pro preset are you using and how is it configured? If the Guest Network Pro preset has the option "Use same subnet as main LAN", how is that set?

Depending on the setting of the Guest Network Pro network it may block access to main LAN clients. The issue comes down to what exactly do you want to achieve with the Guest Network Pro network. For example:
Do you want the Guest Network Pro clients to ONLY access the NAS and not access anything else on the main LAN?
Do you want main LAN clients to be prevented from accessing the Guest Network Pro clients?

If you want limited access to a single main LAN client from the Guest Network Pro network then you may have to look into using scripting to add IPTables rules to allow the traffic to flow between the two networks. There are a number of other discussions on using IPTables scripting in the Asus-Merlin 3006 firmware to try and emulate features of YazFi like one-way-to guest. See here, and here, and here, and here for more.

Otherwise if one wants full communication between the main LAN and the Guest Network Pro network one can enable "Use same subnet as main LAN" option (if available) in the Guest Network Pro preset. And enable the Access Intranet option if it is available in the Guest Network Pro preset.
 
I don't see why you need to change any hosts/DNS settings unless you're trying to access the NAS using its host name rather than its IP address.

But the main problem is the Windows Firewall. You don't say what operating system your NAS is using so I'm assuming it's not Windows. So the Windows Firewall rule you are referring to would just be the clients' outbound rule (File and Printer Sharing (SMB-Out))? It is simply not possible for the clients to access SMB on non-local networks without modifying this rule - which you say you don't want to do. So the other possibility is to have the NAS on the same subnet as the clients - possibly dual-host the NAS?
 
So the only other possibility is to have the NAS on the same subnet as the clients - possibly dual-host the NAS?
To add to what Colin indicated here, if the NAS has two network ports (or can emulate two ports) one could try to use the VLAN feature of the 3006 firmware to assign one of the two network ports to the Guest Network Pro network via the LAN > VLAN page in the router GUI. But at the end of the day the Guest Network Pro feature has its quirks and limitations. And it may be limited in how it can be configured through the GUI.
 
I don't see why you need to change any hosts/DNS settings unless you're trying to access the NAS using its host name rather than its IP address.

But the main problem is the Windows Firewall. You don't say what operating system your NAS is using so I'm assuming it's not Windows. So the Windows Firewall rule you are referring to would just be the clients' outbound rule (File and Printer Sharing (SMB-Out))? It is simply not possible for the clients to access SMB on non-local networks without modifying this rule - which you say you don't want to do. So the only other possibility is to have the NAS on the same subnet as the clients - possibly dual-host the NAS?
You are correct, the NAS is mapped in the Windows file explorer using the host name. I don't know if it's possible to use the IP address for this, but I will look into it.

And yes, I was referring to the File and Printer Sharing (SMB-In) rule in the Windows firewalls, and the NAS is not running Windows. Before making this post, I found that disabling that (or modifying to remove local subnet restriction) successfully allowed SMB access.
I was afraid it wouldn't be possible to avoid modifying firewall rules on each device. I'll just have to deal with it.
As for the dual host idea, it's a Buffalo Linkstation NAS, and it only has one ethernet port, so I might be stuck with changing firewalls on each device, but I will research information specific to that NAS model.
 
What Guest Network Pro preset are you using and how is it configured? If the Guest Network Pro preset has the option "Use same subnet as main LAN", how is that set?

Depending on the setting of the Guest Network Pro network it may block access to main LAN clients. The issue comes down to what exactly do you want to achieve with the Guest Network Pro network. For example:
Do you want the Guest Network Pro clients to ONLY access the NAS and not access anything else on the main LAN?
Do you want main LAN clients to be prevented from accessing the Guest Network Pro clients?

If you want limited access to a single main LAN client from the Guest Network Pro network then you may have to look into using scripting to add IPTables rules to allow the traffic to flow between the two networks. There are a number of other discussions on using IPTables scripting in the Asus-Merlin 3006 firmware to try and emulate features of YazFi like one-way-to guest. See here, and here, and here, and here for more.

Otherwise if one wants full communication between the main LAN and the Guest Network Pro network one can enable "Use same subnet as main LAN" option (if available) in the Guest Network Pro preset. And enable the Access Intranet option if it is available in the Guest Network Pro preset.
Different subnets ("use same subnet" not enabled). Access Intranet enabled.
I understand using same subnet would fix my problem.
It's just that, ad blocking on only one network (instead of network wide ad blocking) seems to require different subnets.
Also, access in general doesn't seem to be the problem: I can ping the NAS just fine. I can access by IP in web browser.
 
And yes, I was referring to the File and Printer Sharing (SMB-In) rule in the firewall. Before making this post, I found that disabling that (or modifying to remove local subnet restriction) successfully allowed SMB access.
Sorry, I made a mistake in my first post. I was looking at the outbound rule (SMB-Out) and misread it as a blocking rule, which it isn't. Additionally all outbound traffic is allowed by default anyway.

It's interesting that you say you have to change the SMB-In rule. That rule should only apply to incoming connections to shares being hosted on the Windows PC, not outgoing connection to your NAS.
 
Just using the same subnet would be the easiest way to solve my problem, but I can't do that, because independent DNS settings per network (for ad-blocking) require different subnets.
One way I have used with some success is to widen the LAN network mask that the NAS is on to also include the adjacent network. It won't solve your DNS issue but it may work around your Windows firewall issue.
You wouldn't want to increase the network mask more than necessary, so adjust your subnets accordingly.
But the proper way would be to allow incoming packets from the other subnet in Windows Firewall.
 
One way I have used with some success is to widen the LAN network mask that the NAS is on to also include the adjacent network. It won't solve your DNS issue but it may work around your Windows firewall issue.
You wouldn't want to increase the network mask more than necessary, so adjust your subnets accordingly.
But the proper way would be to allow incoming packets from the other subnet in Windows Firewall.
I don't see how this would help (unless it was a firewall issue on his NAS). I can see the logic if he was trying to access SMB shares on the guest network from the main LAN, but his problem is the other way around.
 
I don't see how this would help (unless it was a firewall issue on his NAS). I can see the logic if he was trying to access SMB shares on the guest network from the main LAN, but his problem is the other way around.
Sorry, I have not heard of this issue before; I rarely use Windows for, well, anything anymore really. But doing a quick read-up on it, it sounds like you are right... I never thought they would block outgoing access like this.

But again, if the guest Windows machine limits SMB usage to its own network, then wouldn't it be possible to increase the guest network mask? I wouldn't dare to suggest doing this for both networks, but it should be good for any one of them.
As I don't use Guest Network Pro (yet), I don't know if this is possible to set with less than dnsmasq tweaks or nvram variable tweaks...

It might be possible to prevent the need to edit hosts files by adding the NAS IP/hostname to "/jffs/configs/dnsmasq.conf.add" on the router, but I tried that to no effect, so I might have done something wrong or misunderstood the purpose of "dnsmasq.conf.add". The documentation also mentions "dnsmasq-INDEX.conf.add" so I'm not sure if I need to use that file instead (also not sure where I would get the necessary index number).
I may just be adding to the list-of-bad-ideas, but I would expect it to work, assuming you are using dnsmasq from your guest network and add it as a known host in dnsmasq.conf. I would also expect there to be several "dnsmasq.conf" files with different names under /etc/, which would show you the dnsmasq instance your guest network is using.
 
You are correct, the NAS is mapped in the Windows file explorer using the host name. I don't know if it's possible to use the IP address for this, but I will look into it.
Yes you can use an IP address instead of a hostname. You can also type it directly into the Windows Run box (Windows-R) in the following format: \\192.168.50.5\MYSHARE

And yes, I was referring to the File and Printer Sharing (SMB-In) rule in the Windows firewalls, and the NAS is not running Windows. Before making this post, I found that disabling that (or modifying to remove local subnet restriction) successfully allowed SMB access.
Can you test the connection to your NAS again after undoing any changes you have made to this firewall rule please? It makes no sense as this rule has nothing whatsoever to do with outgoing connections to SMB servers.
 
Can you test the connection to your NAS again after undoing any changes you have made to this firewall rule please? It makes no sense as this rule has nothing whatsoever to do with outgoing connections to SMB servers.
You're right! I re-enabled the SMB-In rule, restarted the PC, and it still worked.
I didn't test things properly and became deluded into thinking firewall rule changes were necessary.
I had read 2 webpages saying it was necessary, but I now realize that only applies when trying to access an SMB share hosted by a Windows machine, and in that case it would only be necessary on that one Windows machine acting as NAS.

So in summary, my "firewall problem" wasn't a problem at all, and the DNS problem is easily avoided by using the IP address in the file explorer.
I might still try messing with the dnsmasq settings, simply because hostnames are easier to remember than IP, but I'm basically satisfied at this point! 😁
Thank you to Colin for solving the issue so quickly, and thanks to everyone else who replied to help.
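
The check this thread converged on, as an added example that is not part of the original posts: run on a Windows client in the other subnet, it separates name resolution from TCP 445 reachability and prints the scope of the inbound SMB rule for reference. `NAS-HOSTNAME` is a placeholder, `192.168.50.5` is the example address used earlier in the thread, and the rule display name assumes an English-language Windows install.

```powershell
# Added example: is the SMB failure a name-resolution problem or a port-445 problem?
param(
    [string]$NasName = 'NAS-HOSTNAME',   # placeholder: replace with the NAS host name
    [string]$NasIp   = '192.168.50.5'    # example address quoted in the thread
)

# 1. Does this client resolve the NAS name to any address?
$resolved = @(Resolve-DnsName -Name $NasName -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress } |
    Select-Object -ExpandProperty IPAddress)

# 2. Is TCP 445 reachable by IP, with no name lookup involved?
$tcp = Test-NetConnection -ComputerName $NasIp -Port 445 -WarningAction SilentlyContinue

# 3. Combine the two results into one diagnosis.
$diagnosis =
    if ($tcp.TcpTestSucceeded -and $resolved.Count -eq 0) {
        "Port 445 is open but the name does not resolve: use \\$NasIp\<share> or fix DNS."
    } elseif ($tcp.TcpTestSucceeded -and $resolved -notcontains $NasIp) {
        "The name resolves, but not to ${NasIp}: check the DNS or hosts entry."
    } elseif ($tcp.TcpTestSucceeded) {
        'Name and port are both fine: look at credentials or share permissions.'
    } else {
        'TCP 445 is not reachable by IP: check the router rules between the subnets.'
    }

[pscustomobject]@{
    NameResolves = ($resolved.Count -gt 0)
    ResolvedTo   = $resolved -join ', '
    Tcp445ByIp   = $tcp.TcpTestSucceeded
    Diagnosis    = $diagnosis
} | Format-List | Out-Host

# 4. For reference only: the inbound SMB rule and its remote-address scope.
#    It applies to connections made TO shares hosted on this PC,
#    not to this PC's outbound connection to the NAS.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            Direction     = $_.Direction
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    } | Format-Table -AutoSize | Out-Host
```

A result of `Tcp445ByIp : True` with `NameResolves : False` matches the outcome reported above: the SMB-In rule can stay at its default scope, and the remaining work is name resolution.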
 