Samba access from blue to green does not work

Hello NG,
I have a problem. I have clients in the blue network that cannot connect to a NAS via net use (samba3). There is a firewall rule that allows blue on green and there is a setting that excludes mac filtering according to the documentation. Where could the error be? The strange thing is that this worked until 2 weeks ago. If you connect via openvpn (local or remote) then it works. Ping works no matter if ip or DNS.

Where could my error be?

Translated with DeepL.com (free version)


Shouldn’t green mean approved instead of blocked?

Please see the end of the section entitled “Improve the Discussion” that is in the Forum FAQ.

It’s because it creates a rules loop in the firewall, joining two networks this way. Because they are separate segments. What you do in this case is assign a static address to a server and then grant it access to whatever network you want it to communicate with.

For a samba server on blue to be shared with green, the best way to achieve this is to assign the samba server an address outside of the DHCP pool. Then assign a firewall rule so that the blue static IP has access to green.

For example, if the blue network is 192.168.191.xxx with a DHCP pool of addresses from 192.168.191.2 to 192.168.191.80:

Go to the Network => DHCP Server page, find the samba server in the DHCP pool list at the bottom of the page, and click “add” to add it to a fixed lease. Then the page refreshes and auto-fills the entries to edit this fixed lease; scroll down to the edit fixed lease section and change the IP address to something outside of the blue pool but within the blue network, for example, 192.168.191.90. Click update to apply the new static address. It should appear in the current fixed leases.

Then go to Firewall => Firewall rules
click “new rule” button

Source:
Source address (MAC/IP address or network): 192.168.191.90

Destination:
Standard networks:192.168.190.0/24 (Green)

Allow

This is the standard way to host a server on the blue network. If your samba server was on the orange network, you have to set both outgoing and incoming rules.

If you want green to access all of blue devices, then you set the net mask on green to encompass the blue. Then the rule from blue to green, allow, you had set would be a valid entry. But this is not a good method to use because all rules between green and blue, not allowed, will be ignored.

2 Likes

Your firewall rule should point to the server ip not the whole network.

You can strengthen this by creating a Samba “service group” instead of all ports.
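The two checks suggested in the replies above, written out as an added example (not code from any poster in this thread or from the firewall project): it validates a fixed-lease address against the blue network and DHCP pool quoted above, and flags an allow rule that is wider than a Samba pinhole. The rule dictionary format, the NAS address 192.168.190.10 and the port list used for the "service group" (TCP 445/139, UDP 137/138) are assumptions.

```python
import ipaddress

# Networks and pool as quoted in the thread.
BLUE = ipaddress.ip_network("192.168.191.0/24")
POOL = (ipaddress.ip_address("192.168.191.2"), ipaddress.ip_address("192.168.191.80"))
# Assumed contents of a Samba service group: the usual SMB/NetBIOS ports.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}


def check_fixed_lease(ip, network=BLUE, pool=POOL):
    """Return problems with a proposed fixed-lease address (empty list = OK)."""
    addr = ipaddress.ip_address(ip)
    problems = []
    if addr not in network:
        problems.append("outside the blue network")
    elif addr in (network.network_address, network.broadcast_address):
        problems.append("network or broadcast address")
    if pool[0] <= addr <= pool[1]:
        problems.append("inside the dynamic DHCP pool")
    return problems


def audit_rule(rule):
    """Flag an allow rule between zones that is broader than a Samba pinhole."""
    src = ipaddress.ip_network(rule["src"], strict=False)
    dst = ipaddress.ip_network(rule["dst"], strict=False)
    findings = []
    if src.num_addresses > 1 and dst.num_addresses > 1:
        findings.append("network-to-network: pin one side to the server's address")
    ports = rule.get("ports")  # None means all protocols and ports
    if ports is None:
        findings.append("all ports: restrict to a Samba service group")
    elif not set(ports) <= SMB_PORTS:
        extra = sorted(set(ports) - SMB_PORTS)
        findings.append("ports outside the Samba service group: %s" % extra)
    return findings


if __name__ == "__main__":
    # Constructed sample rules; 192.168.190.10 is a made-up NAS address on green.
    broad = {"src": "192.168.191.0/24", "dst": "192.168.190.0/24", "ports": None}
    pinhole = {"src": "192.168.191.0/24", "dst": "192.168.190.10",
               "ports": [("tcp", 445), ("tcp", 139)]}
    print(check_fixed_lease("192.168.191.90"))
    print(audit_rule(broad))
    print(audit_rule(pinhole))
```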

Thank you, but this doesn’t solve my problem. I solved it differently by moving the access point to the green network and leaving the MAC filtering to the access point.
After that, all clients were able to log in immediately. I don’t know what the problem was, but I needed a quick solution so that the site could start working.

The way I explain it worked unless there are firewall rules in place, then you would treat it like a server on the orange network.

But I will let everyone know that MAC filtering is a useless item, since the hacking tools for wifi defeat MAC filtering because of the exploits in wifi itself. Because the MAC address is transmitted unencrypted along with the wifi password. The password is the only thing encrypted and they are getting better at solving them.

1 Like