Ksmbd not responding correctly to routed traffic

chris88 · January 1, 2023, 6:55pm

             | ---------------------- Router ----------------------|
Desktop <--> [LAN Interface]   [DMZ Interface]   [DMZ_NAS Interface]
| ----- 192.168.0/24 ------|   |---------- 10.0.225.0/24 ----------|

In the above configuration I try to connect to ksmbd, which is configured to listen on the router interface DMZ_NAS. I'd expect traffic to go to the 192.168.1.1 interface on my router, go through the routing process to the 10.0.225.0/24 network, then be handed over to ksmbd. The DMZ interface has the IP 10.0.225.1, while the DMZ_NAS interface has the IP 10.0.225.111.

The interfaces seen from the CLI will probably be of interest:

19: br-trunk: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether XXX brd ff:ff:ff:ff:ff:ff
20: br-trunk.10@br-trunk: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether XXX brd ff:ff:ff:ff:ff:ff
[...]
22: br-trunk.225@br-trunk: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether XXX brd ff:ff:ff:ff:ff:ff

The interfaces DMZ and DMZ_NAS are tied to br-trunk.225. LAN is br-trunk.10

ksmbd is configured to listen on the interface DMZ_NAS.

What works?

On the router itself, nc 10.0.225.111 445 connects to ksmbd
On a device connected to the DMZ network, nc 10.0.225.111 445 also connects to ksmbd
From my desktop the following will connect to an independent NAS on the DMZ network: nc 10.0.225.110 445

What doesn't work?

My desktop cannot connect using nc 10.0.225.111 445. The router responds to my SYN packets with RST,ACK.
I can ping the DMZ_NAS interface, 10.0.225.111.

What allows my desired configuration to work is, in smb.conf.template, setting the following line:
interfaces = br-trunk.225 br-trunk.10

To be clear - telling ksmbd to listen on the router's LAN interface allows it to respond to requests made to its DMZ_NAS interface.

My non-technical takes is that the router accepts the SMB traffic on 192... then says "I'll save some time and just hand this straight to ksmbd," then ksmbd says "I don't listen on that interface." The problem is that the missing copy from LAN -> DMZ never takes place.

Anyway.. have I configured something wrong? I can just block port 445 on the LAN interface, but, it would be nice if I didn't even have to do that.

Thanks!

lleachii · January 3, 2023, 1:30pm

Firewall rules?

chris88 · January 3, 2023, 7:02pm

This was my default assumption, but after making several different rules allowing all traffic from my desktop IP to the target DMZ_NAS interface I decided it wasn't the firewall. In particular, I:

Allowed from my IP to DMZ_NAS IP in the DMZ zone, in the LAN zone, and "to device" (which I believe means "the router itself")
I removed any default deny rules between LAN and DMZ
I created a new firewall zone of DMZ_NAS, removing it from the DMZ zone, and allowed forwarding.
I also allowed "Forwarding" between the LAN and DMZ zones
For rules involving the DMZ zone / subnet, I verified they were acting as expected my testing connectivity to a device in the DMZ

As well, all my dropping rules are "reject," so when I enabled logging but wasn't witnessing any logged messages related to the DMZ_NAS IP or my desktop, I had to assume it wasn't a firewall rule blocking the traffic.

Further to all this, whether or not it's the firewall, I don't understand why allowing ksmbd to listen on the LAN interface should mean that SMB traffic is suddenly able to make it to the DMZ_NAS interface in a different subnet.