Samba "bind interfaces only = yes" does not seem to work

Hello, everyone
First, thank you for this great router software and community.
I really appreciate it.
I installed openwrt on rasp pi 4 and this replaced the fios router.
It has been working great!

I have a question though regarding Samba
I configured samba to be bound to certain interfaces( in my case, lo, br-lan, eth1.1 ), but I can still access the samba share from other interfaces( my case eth1.107 - network for iot ).
There is no forward rule betwen interface eth1.1 and eth1.107 in /etc/config/firewall and computers on eth1.107 could not reach computers on eth1.1.
The only exception seems to be samba service hosted on the router.

Here is the snippet of the smb.conf:

        interfaces = lo eth1.1
        bind interfaces only = yes

here is the outcome from smbstatus:

# smbstatus

Samba version 4.13.8
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
3547   xxxxxx     nogroup ( SMB3_11           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing     
IPC$         3547 Sat Jun 26 18:12:09 2021 EDT     -            -           
xxxxxx      3547 Sat Jun 26 18:12:09 2021 EDT     -            -

Please let me know what setup I did incorrectly?
Appreciate your help on this.



It's better to limit the access using the firewall. If the iot firewall zone has accept in INPUT, then it will be able to access any service running on the router, on any address the router might have. Therefore use reject on INPUT for iot zone and allow only the necessary, like dns and dhcp.

1 Like

works ok...

### grep interfaces /etc/samba/smb.conf.template 
	interfaces = usb0
### lsof -i -nP | grep smb
smbd      1041    root   41u  IPv4 235099      0t0  TCP (LISTEN)
smbd      1041    root   42u  IPv4 235100      0t0  TCP (LISTEN

1.Try using IP/mask (bit lenght) instead of interface names.

interfaces = lo

2.If you don't want to play with the firewall, use option hosts allow to allow access to the samba server only from a specific range of hosts.

hosts allow = 192.168.1.

1 Like

thank you for your suggestions, I will try it later.
I did netstat -tapn and got following:

# netstat -tapn
tcp        0      0   ESTABLISHED 3547/smbd

so, it seems that my issue is firewall issue actually..
I know I have option input ACCEPT on the interface 192.168.107. However there is no forwarding rule between 192.168.1 and 192.168.107.
Not sure how traffic thru 192.168.107 is connected 192.168.1.
quite confused now.
any help would be appreciated.


Forward policy applies to interfaces of the same zone.
Forwarding policy applies to traffic between zones.
Any traffic destined to the OpenWrt is regulated from the input policy of the zone.
I hope this clears things out.

Sorry, let me clarify. So, eth1.1( and etth1.107( belong to different firewall zones and there is no forwarding policy between them.
So, I expected computers on 192.168.107 won't be able to connect on services bound to eth1.1(

Thanks, HP

I think you have a typo there, as both are 192.168.1.X
However you get the point. No forwarding means 192.168.1.x hosts cannot reach 192.168.107.x hosts and vice versa. If you have INPUT policy as accept, then the lan host can reach the OpenWrt router on any IP, or

yup.. that was my typo. understood that input accept means computers on lan can reach the router on any ip's.
thanks, HP

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.