0

Question

Why should NetBios filtering impact SMB3 / the ability to connect to port 445?

Context

Some users (including myself) were having issues accessing file shares hosted in Azure Files from their home connections, receiving the below error.

Windows cannot access \myStorageAccount.file.core.windows.net\my-share\

Check the spelling of the name. Otherwise, there might be a problem with your network. To try to identify and resolve network problems, click Diagnose.

Error code: 0x80070035

The network path was not found

Running an online port test against myStorageAccount.file.core.windows.net showed port 445 as open.

Running Test-NetConnection -ComputerName 'myStorageAccountName.file.core.windows.net' -port 445 from my local machine would fail; despite my local device's firewall software not blocking the connection.

Eventually I found the cause to be the NetBios filter on my router; with this enabled, connections to port 445 on Azure Files shares failed; with it disabled all worked.

My router's documentation also mentions that this filter impacts SMB:

NetBIOS filter enabled

For security reasons, the NetBIOS filter in the FRITZ!Box is on by default. It blocks NetBIOS packets, which are usually not required for communication in the internet. Disable this filter only if you are using applications that have to exchange NetBIOS packets with the internet. This is the case, for instance, for SMB access to the Strato HiDrive.

I'm unsure if this is down to some bug in the router's filter logic, or if there is something more going on.

Should it be relevant, we have RBAC filtering enabled (e.g. my account has the Storage File Data SMB Share Elevated Contributor role assigned), and have AD ACLS enabled on our file share (as described in this John Savill video)... though I would assume that those shouldn't come into play for the simple port test?

JohnLBevan
  • 1,134
  • 7
  • 20
  • 44
  • Note: reading this help page, it may just be a wording thing... this implies that port 445 seems to be considered as NetBIOS? https://en.avm.de/service/fritzbox/fritzbox-7590/knowledge-base/publication/show/835_Shared-files-and-printers-on-a-computer-are-not-available-over-the-internet/ – JohnLBevan Mar 11 '21 at 14:47
  • 1
    That firewall rule is named incorrectly. It should say block SMB because it obviously blocks 445. – Greg Askew Mar 11 '21 at 16:37

1 Answers1

0

As mentioned, this rule is not really named correctly. While port 445 can be used for NetBios, it is also used for SMB over TCP, hence why SMB is not working. You will need to open this up to allow traffic to Azure Files.

Sam Cogan
  • 38,158
  • 6
  • 77
  • 113