Windows: unblocking SMB/NetBIOS/CIFS/File-and-Printer-sharing traffic from other subnets
Posted by jpluimers on 2021/10/29
If you enable File and Printer Sharing on Windows, by default the firewall only allows it on private networks with the local subnet as remote address (for domain networks the remote address is “Any”), as seen in the picture below.
When your network consists of multiple subnets, for instance because it is large, or because multiple sites are connected via site-to-site VPN (often called LAN-to-LAN VPN) solutions, these subnets cannot reach each other's file shares or printers: the traffic arrives from a remote address outside the rule scope and is dropped. The fix is to widen the scope to the specific peer subnets, not to “Any”; SMB on TCP 445 is not something you want reachable from arbitrary networks.
Once you realise these are default scope restrictions rather than missing rules, they are easy to resolve, as explained for instance in [WayBack] Windows firewall blocking network shares through VPN server – Server Fault by [WayBack] Brian:
I realize this is almost three years late, but I just spent today fighting with the same problem. I did get it working, so I figured I’d share. Note that I’m using a Windows 7 PC as the file server; other versions might need slightly different configuration.
In the “Windows Firewall with Advanced Security”, there are several “File and Printer Sharing” rules:
- File and Printer Sharing (NB-Datagram-In)
- File and Printer Sharing (NB-Name-In)
- File and Printer Sharing (NB-Session-In)
- File and Printer Sharing (SMB-In)
(There are additional rules, but I didn’t care about printer sharing. The same changes would apply if you want those.)
File and Printer Sharing appears to default to “Local subnet” only. You’ll need to add the subnet of your VPN clients.
Modify each of those rules as follows:
- Open the Properties dialog for the rule.
- Navigate to the Scope tab.
- In the Remote IP address section, the “These IP addresses” radio button should be selected.
- Click “Add…” next to the list of addresses. By default, only “Local subnet” is in the list.
- In the “This IP address or subnet:” field, enter the subnet assigned to your VPN clients (this is probably 192.168.1.0/24 in the OP, but if not, it’s the subnet assigned to the VPN adapter on the client side), then click OK.
- If you’re also using IPv6, add the VPN client IPv6 subnet as well.
That was enough for me to access file shares over the VPN.
(If you want to do it manually, you need to open TCP ports 139 and 445, and UDP ports 137 and 138, in the file server’s firewall.)
Hopefully I will find some time in the future to automate this using PowerShell, as netsh rule names are localised and therefore hard to make universal.
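The scope change from the quoted answer above, done in PowerShell, as an added example that is not code from this post or from the Server Fault answer. It selects the inbound File and Printer Sharing rules by protocol and port (so it does not depend on the localised DisplayName), skips rules that are already open to “Any”, and appends only the ranges that are not there yet. Assumptions: the Group value '@FirewallAPI.dll,-28502' is the locale-independent id of the “File and Printer Sharing” display group (with a fallback to the English DisplayGroup), and 10.1.0.0/16 is a constructed remote-site subnet, not one taken from the post.

```powershell
# Added example, not code from the original post or from the quoted Server Fault answer.
# Extends the remote-address scope of the inbound File and Printer Sharing rules of one
# profile to extra subnets, selecting rules by protocol/port instead of by the localised
# DisplayName. Assumptions: '@FirewallAPI.dll,-28502' is the locale-independent Group id
# of the "File and Printer Sharing" display group (falls back to the English DisplayGroup);
# 10.1.0.0/16 is a constructed remote-site subnet.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$RemoteSubnets = @('10.1.0.0/16'),
    [ValidateSet('Private', 'Domain', 'Public')]
    [string]$FirewallProfile = 'Private',
    # Off by default: plain SMB over TCP 445 is enough for file shares, and NetBIOS
    # (TCP 139, UDP 137/138) is both hard to route and a larger attack surface.
    [switch]$IncludeNetBios
)

function ConvertTo-MaskNotation([string]$Cidr) {
    # Get-NetFirewallAddressFilter reports IPv4 ranges as address/mask (10.1.0.0/255.255.0.0)
    # whatever notation they were set with, so normalise prefix lengths before comparing.
    if ($Cidr -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') { return $Cidr }
    $bits = ('1' * [int]$Matches[2]).PadRight(32, '0')
    $mask = (0..3 | ForEach-Object { [Convert]::ToInt32($bits.Substring($_ * 8, 8), 2) }) -join '.'
    return "$($Matches[1])/$mask"
}

# Ports the quoted answer opens by hand: TCP 445/139 (SMB, NetBIOS session), UDP 137/138 (NetBIOS name/datagram).
$wanted = @{ TCP = @('445'); UDP = @() }
if ($IncludeNetBios) { $wanted.TCP += '139'; $wanted.UDP += '137', '138' }

$rules = @(Get-NetFirewallRule -Group '@FirewallAPI.dll,-28502' -Direction Inbound -ErrorAction SilentlyContinue)
if (-not $rules) { $rules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound) }
$rules = $rules | Where-Object { $_.Profile -match $FirewallProfile }

foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    $proto = [string]$port.Protocol
    $hit = $wanted.ContainsKey($proto) -and
           @($port.LocalPort | Where-Object { $wanted[$proto] -contains $_ }).Count -gt 0
    if (-not $hit) { continue }   # leaves ICMP, LLMNR and spooler RPC rules untouched

    $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($current -contains 'Any') {
        Write-Verbose "$($rule.DisplayName) [$($rule.Profile)]: already open to Any, skipping"
        continue
    }
    $missing = @($RemoteSubnets | Where-Object { $current -notcontains (ConvertTo-MaskNotation $_) })
    if (-not $missing) { continue }

    if ($PSCmdlet.ShouldProcess("$($rule.DisplayName) [$($rule.Profile)]", "add RemoteAddress $($missing -join ', ')")) {
        # Keep LocalSubnet and whatever is already there; only append the new ranges.
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress ($current + $missing)
        $now = (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress -join ', '
        Write-Host "$($rule.DisplayName) [$($rule.Profile)]: RemoteAddress now $now"
    }
}
```

Run it first with -WhatIf to see which rules would change; add -IncludeNetBios only if you really need NetBIOS name resolution across the link, and -Verbose to see which rules were skipped because they already allow “Any”.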
These links might help me with that:
- Firewall settings are in the registry under
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
- [WayBack] windows firewall – Enable file and print sharing command line – how to enable it just for profile=private – Server Fault (netsh)
- [WayBack] windows firewall – Enable file and print sharing command line – how to enable it just for profile=private – Server Fault (PowerShell with DisplayName)
- [WayBack] windows firewall – Enable file and print sharing command line – how to enable it just for profile=private – Server Fault (PowerShell with Name)
- PowerShell Get-NetConnectionProfile will list the NetworkCategory of your network connections (Private, Public, Domain); [WayBack] Get-NetConnectionProfile (via [WayBack] networking – Shares not accessible by other computers if Windows 10 firewall is ON – Super User):
The solution, in my (DHCP) case, was to edit rules to extend the scope; basically, I added “10.1.0.0/16” to the scope of the private “File and Printer Sharing (SMB-In)”, which opens port 445 to requests from that IP range. That was enough in my use case.
Alternatively, I guess I could have changed my IP configuration to have all computers on the same subnet.
- Explanation of the various subcategories [WayBack] File and Printer Sharing Firewall Rules Explained | Tritone Consultants
- [WayBack] Get-NetFirewallRule to get information about your firewall (example at [WayBack] Pinging Windows 10 machine)
- [WayBack] Unable to Share C Drive · Issue #114 · docker/for-win · GitHub
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing"
shows how to filter [WayBack] Get-NetFirewallRule and displays details for all entries under “File and Printer Sharing”.
- [WayBack] Get-NetFirewallAddressFilter shows the addresses for a firewall rule (next to one or more CIDRs these can be the keywords Any or LocalSubnet).
- [WayBack] “FPS-SMB-In-TCP-NoScope” – Google Search: this is the Name of the rule with DisplayName "File and Printer Sharing (SMB-In)" in the Domain profile.
- [WayBack] windows – How do I run multiple commands on one line in PowerShell? – Super User
- [WayBack] ; (Command Separator) – Windows drivers | Microsoft Docs
- Chaining example where the correct overload of Get-NetFirewallAddressFilter is automatically selected:
PS C:\bin> Get-NetFirewallRule -Name "FPS-SMB-In-TCP-NoScope" | Get-NetFirewallAddressFilter

LocalAddress  : Any
RemoteAddress : Any
- Chaining example showing the rule names as well, which involves using [WayBack] ForEach-Object, the $_ variable to represent the current object, specifying which Get-NetFirewallAddressFilter overload needs to be called by adding -AssociatedNetFirewallRule, and separating the commands using the ; operator:
PS C:\bin> Get-NetFirewallRule -Name "FPS-SMB-In-TCP-NoScope" | ForEach-Object { Write-Host $_.DisplayName ; Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_ }
File and Printer Sharing (SMB-In)

LocalAddress  : Any
RemoteAddress : Any
- [WayBack] Firewall RemoteAddress fails test if CIDR notation is used · Issue #404 · dsccommunity/NetworkingDsc · GitHub: Get-NetFirewallAddressFilter always returns CIDR with subnet mask notation for the address filters, no matter the input notation.
- [WayBack] windows task: Sharing files across different subnets – sigmoid
- “Home network”, which means the network you are connecting to is Private in your firewall rules,
- “Work network”, which means the network you are connecting to is Domain in your firewall rules,
- “Public network”, which means the network you are connecting to is Public in your firewall rules.
Routing NetBIOS traffic
Routing NetBIOS traffic can be tricky, especially name resolution.
That’s why many just use IPv4 addresses without names.
If you want to get it to work, these links might help:
- [WayBack] Chapter 11 – NetBIOS over TCP/IP | Microsoft Docs (via [WayBack] VPN LAN to LAN, wierd NetBIOS issues – DrayTek)
- [WayBack] Netbios over VPN Tunnel – Can it be Done – Networking
–jeroen
A much longer list of all File and Printer Sharing rule addresses on a default Windows installation (each rule exists once per profile, so every DisplayName shows up several times; the output does not show which profile a row belongs to); one day I might turn that into a nice tabular layout:
PS C:\bin\> Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" | ForEach-Object { Write-Host $_.DisplayName ; Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_ }

DisplayName                                              LocalAddress  RemoteAddress
File and Printer Sharing (NB-Session-In)                 Any           Any
File and Printer Sharing (NB-Session-Out)                Any           Any
File and Printer Sharing (SMB-In)                        Any           Any
File and Printer Sharing (SMB-Out)                       Any           Any
File and Printer Sharing (NB-Name-In)                    Any           Any
File and Printer Sharing (NB-Name-Out)                   Any           Any
File and Printer Sharing (NB-Datagram-In)                Any           Any
File and Printer Sharing (NB-Datagram-Out)               Any           Any
File and Printer Sharing (Spooler Service - RPC)         Any           Any
File and Printer Sharing (Spooler Service - RPC-EPMAP)   Any           Any
File and Printer Sharing (Echo Request - ICMPv4-In)      Any           Any
File and Printer Sharing (Echo Request - ICMPv4-Out)     Any           Any
File and Printer Sharing (Echo Request - ICMPv6-In)      Any           Any
File and Printer Sharing (Echo Request - ICMPv6-Out)     Any           Any
File and Printer Sharing (NB-Session-In)                 Any           LocalSubnet
File and Printer Sharing (NB-Session-Out)                Any           LocalSubnet
File and Printer Sharing (SMB-In)                        Any           LocalSubnet
File and Printer Sharing (SMB-Out)                       Any           LocalSubnet
File and Printer Sharing (NB-Name-In)                    Any           LocalSubnet
File and Printer Sharing (NB-Name-Out)                   Any           LocalSubnet
File and Printer Sharing (NB-Datagram-In)                Any           LocalSubnet
File and Printer Sharing (NB-Datagram-Out)               Any           LocalSubnet
File and Printer Sharing (Spooler Service - RPC)         Any           LocalSubnet
File and Printer Sharing (Spooler Service - RPC-EPMAP)   Any           LocalSubnet
File and Printer Sharing (Echo Request - ICMPv4-In)      Any           LocalSubnet4
File and Printer Sharing (Echo Request - ICMPv4-Out)     Any           LocalSubnet4
File and Printer Sharing (Echo Request - ICMPv6-In)      Any           LocalSubnet6
File and Printer Sharing (Echo Request - ICMPv6-Out)     Any           LocalSubnet6
File and Printer Sharing (LLMNR-UDP-In)                  Any           LocalSubnet
File and Printer Sharing (LLMNR-UDP-Out)                 Any           LocalSubnet
File and Printer Sharing (LLMNR-UDP-Out)                 Any           LocalSubnet
File and Printer Sharing (LLMNR-UDP-In)                  Any           LocalSubnet
File and Printer Sharing (Echo Request - ICMPv6-Out)     Any           LocalSubnet6
File and Printer Sharing (Echo Request - ICMPv6-In)      Any           LocalSubnet6
File and Printer Sharing (Echo Request - ICMPv4-Out)     Any           LocalSubnet4
File and Printer Sharing (Echo Request - ICMPv4-In)      Any           LocalSubnet4
File and Printer Sharing (Spooler Service - RPC-EPMAP)   Any           LocalSubnet
File and Printer Sharing (Spooler Service - RPC)         Any           LocalSubnet
File and Printer Sharing (NB-Datagram-Out)               Any           LocalSubnet
File and Printer Sharing (NB-Datagram-In)                Any           LocalSubnet
File and Printer Sharing (NB-Name-Out)                   Any           LocalSubnet
File and Printer Sharing (NB-Name-In)                    Any           LocalSubnet
File and Printer Sharing (SMB-Out)                       Any           LocalSubnet
File and Printer Sharing (SMB-In)                        Any           LocalSubnet
File and Printer Sharing (NB-Session-Out)                Any           LocalSubnet
File and Printer Sharing (NB-Session-In)                 Any           LocalSubnet
File and Printer Sharing (LLMNR-UDP-Out)                 Any           LocalSubnet
File and Printer Sharing (LLMNR-UDP-In)                  Any           LocalSubnet
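One way to get the tabular layout for that listing, as an added example that is not code from this post: it joins each rule with its port filter and address filter so the profile, protocol, port and remote scope show up on one row, and then lists the inbound rules whose scope is wider than the local subnet, which are the ones worth a second look after you have widened anything. Assumptions: '@FirewallAPI.dll,-28502' is the locale-independent Group id of the “File and Printer Sharing” display group (with a fallback to the English DisplayGroup); Get-FpsRuleTable is a name chosen here.

```powershell
# Added example, not code from the original post: one row per File and Printer Sharing
# rule, with profile, protocol, local port and remote scope side by side.
# Assumption: '@FirewallAPI.dll,-28502' is the locale-independent Group id of the
# "File and Printer Sharing" display group; falls back to the English DisplayGroup.

function Get-FpsRuleTable {
    [CmdletBinding()]
    param([switch]$EnabledOnly)

    $rules = @(Get-NetFirewallRule -Group '@FirewallAPI.dll,-28502' -ErrorAction SilentlyContinue)
    if (-not $rules) { $rules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing') }
    if ($EnabledOnly) { $rules = $rules | Where-Object { [string]$_.Enabled -eq 'True' } }

    foreach ($rule in $rules) {
        # The port and address filters are separate objects; pipe the rule in so the
        # right overload is picked, as with -AssociatedNetFirewallRule above.
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Profile       = [string]$rule.Profile
            Direction     = [string]$rule.Direction
            Enabled       = [string]$rule.Enabled
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Protocol      = [string]$port.Protocol
            LocalPort     = (@($port.LocalPort) -join ',')
            # Any, LocalSubnet, LocalSubnet4/6 or address/mask ranges, per the note above.
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
        }
    }
}

$table = Get-FpsRuleTable | Sort-Object Profile, Direction, DisplayName
$table | Format-Table Profile, Direction, Enabled, Name, DisplayName, Protocol, LocalPort, RemoteAddress -AutoSize

# Inbound rules that accept more than the local subnet: Domain rules show Any by default,
# anything else here is a scope somebody widened.
$table |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.RemoteAddress -notmatch '^LocalSubnet' } |
    Format-Table Profile, DisplayName, Protocol, LocalPort, RemoteAddress -AutoSize
```

Pass -EnabledOnly to Get-FpsRuleTable to hide the rules of profiles on which sharing is switched off; the Name column is what you want in scripts, the DisplayName column is the localised text the GUI shows.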