[Solved] Accessing SMB share via WWAN

So after some struggle with relayd and trelay, I decided to abandon the relay scenario from my third-party router to the Archer C7 running OpenWrt until I get another QC/Ath router on which I can install OpenWrt, have a proper setup and implement WDS.

The current configuration is that the OpenWrt router gets internet from the main router's AP. Now I would like to be able to access the OpenWrt router from the main router's AP by SSH and also have access to SMB shares. Right now I can't even ping the OpenWrt router's WWAN IP when connected via the main router's AP (though both routers can ping each other).

Below is my config. I tried having the WWAN in the lan or wan zone. I also tried bridging the wwan with the switch VLAN, and also without doing that.

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd65:9350:dea5::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option mtu '1420'
	option ipaddr '192.168.2.1'
	option stp '1'
	option igmp_snooping '1'
	option ifname 'eth1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'
	option vid '2'

config interface 'WAN_IP'
	option proto 'dhcp'
	option ifname 'eth0.2'
	option clientid 'root'
	option auto '0'

config interface 'WAN6_IP'
	option proto 'dhcpv6'
	option ifname 'eth0.2'
	option reqaddress 'try'
	option reqprefix 'auto'
	option clientid 'root'
	option auto '0'

config interface 'WAN_PPPoE'
	option proto 'pppoe'
	option ifname 'eth0.2'
	option username '******'
	option password '******'
	option ipv6 'auto'
	option mtu '1420'
	option auto '0'

config interface 'wwan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '192.168.1.1'
	# NOTE(review): eth1.1 is already the bridge member of the 'lan' interface
	# above; a switch port can belong to only one bridge, so a second bridge
	# over the same VLAN is unlikely to come up as intended. The wireless 'sta'
	# section attaches to 'wwan' by its 'network' option, so presumably no
	# wired ifname is needed here at all — confirm against the wireless config.
	option type 'bridge'
	option ifname 'eth1.1'

/etc/config/wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0'
	option country 'US'
	option legacy_rates '1'
	option htmode 'HT20'
	option disabled '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca955x_wmac'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'
	option disabled '0'
	option channel '1'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'T'
	option encryption 'psk2'
	option key 'bassbort'
	option network 'lan'

config wifi-iface
	option ssid 'A'
	option device 'radio1'
	option mode 'sta'
	option bssid '60:********:1A'
	option key '********'
	option encryption 'psk2+ccmp'
	option network 'wwan'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	# NOTE(review): 'wwan' is listed as a member of this zone below, so the
	# ACCEPT input/forward policies here also apply to traffic arriving from
	# the upstream 192.168.1.0/24 side (wwan is 192.168.1.2/24 in the network
	# config). Every service bound to that address is reachable from the
	# main router's network under this policy.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wwan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'WAN_IP WAN6_IP WAN_PPPoE'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

/etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wwan'
	option interface 'wwan'
	option ignore '1'

Could be many different things. Maybe start by validating that the traffic is actually getting to the wan port on your OpenWrt device.

Tcpdump would be a good option; the link below shows how to use OpenWrt as the network tapping point of a stream that feeds into Wireshark. But that might be overkill for something like what you're facing; you probably only need to run it on the console to get a feel for what's happening:
https://openwrt.org/docs/guide-user/firewall/misc/tcpdump_wireshark

Install tcpdump with opkg install tcpdump

Then, on the OpenWrt device console, run the command below to start a capture. You'll see rows appearing as packets hit the wan interface in near real time.

tcpdump -n -i eth0.2

Then ctrl+c when you want to stop

With the capture running, try pinging from the other device which you said was working before. You should see 2 rows in the tcpdump output, one ping and one pong reply. Compare that output with the other tests where you're not seeing connectivity.

The issue will boil down to one of three things:

  1. Either the packets are not getting sent back to your main router from the openwrt device (could be firewall, missing routes, something else)
  2. The packets are being sent back to your main router but not getting to the endpoint device (implying a problem with the main router, firewall, routes, something else)
  3. The packets never even make it into the wan port on your openwrt router from your main router (implying problem with config on the main router)

Armed with the answer(s) to the above questions you'll know where to look next. Feel free to update this thread as you go; it might take a few tests to figure this one out.


Thanks @Sparks

I had to remove the WWAN interface and add it again. Not setting the IP to static this time, it appears I can ping the WWAN IP from the main router's AP, and I also have SSH access to the OpenWrt WWAN IP from the main router's AP. I don't understand what the problem was with setting a static IP for the WWAN, as I was setting the gateway to the other router's IP, but anyway I used a static lease instead, so that point is sorted out.

Surprisingly, if I happen to change the firewall zone of WWAN to WAN and then revert it to LAN again, I lose access to the WWAN interface from the other router's AP.

I am not sure if this is a bug or something I am doing wrong, but I don't imagine I have enough technical info to make a bug report for that.

Anyway, now I have SSH and GUI access to the WWAN IP from the other router's AP, but I am still not able to access the SMB share from the WWAN side, even though I have its firewall zone set to LAN.

That should be a simple configuration and it doesn't require much setup even if your main router is not OpenWrt based.

I find this one hard to believe, if it is possible at all. You are getting internet from your main router and I think it's probably in bridge mode. I really don't think this is possible at all, or maybe through some hack with static routes?

@ahmar16

Main router is in router mode, doing NAT etc.

OpenWrt gets internet via WWAN. Now I can access its WWAN IP via GUI and SSH from the main router's AP, but still no SMB access.

Well, SMB should be available on the LAN interface by default, but since your OpenWrt router uses a different IP range you'll need to forward it to WWAN in order to access it from the main router. I think SMB uses some specific ports that will need to be forwarded from LAN to WWAN in order to make the main router aware that there is an SMB share at the WWAN IP address. But then again, you may need to assign a static IP to WWAN so it doesn't keep changing.


Start troubleshooting from the runtime configuration:

ip a; ip r; ip ru
iptables-save
sysctl net 2>/dev/null | grep forward
netstat -l -n -p
pgrep -f -a "samba|smb|nmb"

Verify you are using IPv4, otherwise check IPv6 as well:

ip -6 a; ip -6 r; ip -6 ru
ip6tables-save

The thing is that WWAN is in the LAN zone, so it doesn't mean much to forward the port. I did it anyway and it didn't make a difference.

@vgaetera

root@C7:~# ip r
default via 192.168.1.1 dev wlan1  src 192.168.1.2
192.168.1.0/24 dev wlan1 scope link  src 192.168.1.2
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1

Not sure what I should be looking for in terms of forwarding

root@C7:~# sysctl net 2>/dev/null | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.br-lan.forwarding = 1
net.ipv4.conf.br-lan.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.1.forwarding = 1
net.ipv4.conf.eth1.1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wlan1.forwarding = 1
net.ipv4.conf.wlan1.mc_forwarding = 0
net.ipv4.conf.wlan1-1.forwarding = 1
net.ipv4.conf.wlan1-1.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.br-lan.forwarding = 1
net.ipv6.conf.br-lan.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.eth1.1.forwarding = 1
net.ipv6.conf.eth1.1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.wlan1.forwarding = 1
net.ipv6.conf.wlan1.mc_forwarding = 0
net.ipv6.conf.wlan1-1.forwarding = 1
net.ipv6.conf.wlan1-1.mc_forwarding = 0

I see smbd listening on 192.168.2.1 (the LAN IP) and it's accessible from there, but not on the WWAN IP (192.168.1.2).

root@C7:~# netstat -l -n -p
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8200            0.0.0.0:*               LISTEN      4290/minidlna
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      1614/smbd
tcp        0      0 192.168.2.1:139         0.0.0.0:*               LISTEN      1614/smbd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1457/uhttpd
tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      966/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      966/dnsmasq
tcp        0      0 192.168.2.1:53          0.0.0.0:*               LISTEN      966/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1301/dropbear
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      1614/smbd
tcp        0      0 192.168.2.1:445         0.0.0.0:*               LISTEN      1614/smbd
tcp        0      0 fe80::1ad6:c7ff:fe6d:330e:139 :::*                    LISTEN      1614/smbd
tcp        0      0 fd65:9350:dea5::1:139   :::*                    LISTEN      1614/smbd
tcp        0      0 ::1:139                 :::*                    LISTEN      1614/smbd
tcp        0      0 :::80                   :::*                    LISTEN      1457/uhttpd
tcp        0      0 fe80::18d6:c7ff:fe6d:330d:53 :::*                    LISTEN      966/dnsmasq
tcp        0      0 fe80::1ad6:c7ff:fe6d:330d:53 :::*                    LISTEN      966/dnsmasq
tcp        0      0 fe80::1ad6:c7ff:fe6d:330e:53 :::*                    LISTEN      966/dnsmasq
tcp        0      0 fd65:9350:dea5::1:53    :::*                    LISTEN      966/dnsmasq
tcp        0      0 fe80::1ad6:c7ff:fe6d:330e:53 :::*                    LISTEN      966/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      966/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      1301/dropbear
tcp        0      0 fe80::1ad6:c7ff:fe6d:330e:445 :::*                    LISTEN      1614/smbd
tcp        0      0 fd65:9350:dea5::1:445   :::*                    LISTEN      1614/smbd
tcp        0      0 ::1:445                 :::*                    LISTEN      1614/smbd
udp        0      0 192.168.1.2:53          0.0.0.0:*                           966/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           966/dnsmasq
udp        0      0 192.168.2.1:53          0.0.0.0:*                           966/dnsmasq
udp        0      0 239.255.255.250:1900    0.0.0.0:*                           4290/minidlna
udp        0      0 192.168.2.255:137       0.0.0.0:*                           1615/nmbd
udp        0      0 192.168.2.1:137         0.0.0.0:*                           1615/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1615/nmbd
udp        0      0 192.168.2.255:138       0.0.0.0:*                           1615/nmbd
udp        0      0 192.168.2.1:138         0.0.0.0:*                           1615/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1615/nmbd
udp        0      0 192.168.2.1:49342       0.0.0.0:*                           4290/minidlna
udp        0      0 :::547                  :::*                                1060/odhcpd
udp        0      0 fe80::18d6:c7ff:fe6d:330d:53 :::*                                966/dnsmasq
udp        0      0 fe80::1ad6:c7ff:fe6d:330d:53 :::*                                966/dnsmasq
udp        0      0 fe80::1ad6:c7ff:fe6d:330e:53 :::*                                966/dnsmasq
udp        0      0 fd65:9350:dea5::1:53    :::*                                966/dnsmasq
udp        0      0 fe80::1ad6:c7ff:fe6d:330e:53 :::*                                966/dnsmasq
udp        0      0 ::1:53                  :::*                                966/dnsmasq
udp        0      0 :::123                  :::*                                4385/ntpd
raw        0      0 ::%1:58                 ::%4448412:*            58          1060/odhcpd
raw        0      0 ::%1:58                 ::%4448412:*            58          1060/odhcpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING       2332 1521/nlbwmon        /var/run/nlbwmon.sock
unix  2      [ ACC ]     STREAM     LISTENING        327 555/ubusd           /var/run/ubus.sock
unix  2      [ ACC ]     STREAM     LISTENING       2674 1615/nmbd           /var/nmbd/unexpected

Created a port forwarding rule to the LAN IP. When creating it, LuCI only allows the source zone to be WAN. But when editing it, I could select LAN as the source zone as well. This seems to have done the trick.

Thanks @ahmar16, the credit goes to you. I will only mark my post as solution so that the details are easy to find.

https://openwrt.org/docs/guide-user/services/nas/samba_configuration

# Add the 'wwan' logical interface to Samba's interface list (the posted
# default was loopback and lan) so smbd/nmbd also bind to the wwan address.
# In the posted config wwan sits in the 'lan' firewall zone, whose input
# policy is ACCEPT, so the share becomes reachable from the upstream network.
uci set samba.@samba[0].interface="loopback lan wwan"
# Persist the UCI change, then restart Samba so the new binding takes effect.
uci commit samba
service samba restart

Thanks @vgaetera

It works. I can access the share and I can also see the update reflected in /etc/samba/smb.conf. But when I reboot the router, it's gone!

Inviting samba maintainer: @Andy2244
You can use the "firewall-forward" workaround for now.


Many thanks @vgaetera


Try editing
interfaces = |INTERFACES|
to
interfaces = loopback lan wwan
via LuCI in the smb.conf.template, or on disk in /etc/samba/smb.conf.template


I suggest defining a default value for the option interfaces in /etc/config/samba instead of /etc/init.d/samba.
That way it would be easier to override it with an empty value if required.


So it appears that the solution lies in a mix of what @vgaetera and @Andy2244 said.

This provides access but is not retained after a restart.

This is retained after a restart, but it doesn't provide access. In fact, it doesn't even allow access from the LAN side.

I noticed that the original /etc/samba/smb.conf contained interfaces = lo br-lan, and after running the uci commands it reads interfaces = lo br-lan wlan1, so I edited that in /etc/samba/smb.conf.template, and that seems to work.


You can disable interface binding completely:

# Comment out the 'interfaces' line in the Samba template so smbd/nmbd no
# longer restrict which interfaces they bind to; after this, reachability of
# the share is governed only by the firewall zone policies.
sed -i -e "/\sinterfaces\s/s/^/#/" /etc/samba/smb.conf.template
# Regenerate smb.conf from the template and reload the daemons.
service samba restart

And use the firewall if you need to limit access to the service.

Thanks.

I'd rather keep it bound to br-lan wlan1 as it is now, as that's much simpler.
