New security appliance kills smbfs performance
  • Priest of the Order of the Butterfly
    matt3
    Posts: 704 from 2004/2/10
    Just updated to a new security appliance with lots of performance, and smbfs is greatly slowed down and/or stops when connecting to my NAS (a Linux-based appliance, QNAP). It will then lock up Ambient or really slow it down, but I can still use the task bar to load apps.

    Wayfarer and Iris seem fine however and seem a bit faster.

    Any ideas why SMBFS is not working? It worked fine with my slower/older appliance.

    Is there a better substitute?

    [ Edited by matt3 26.08.2022 - 23:24 ]
  • »27.08.22 - 03:00
  • MorphOS Developer
    cyfm
    Posts: 537 from 2003/4/11
    From: Germany
    It is probably caused by the fact that SMBFS is still supporting the old SMB1 protocol only and QNAP has taken some measures to prevent accessing it via this protocol due to security concerns.

    Ambient probably lags and/or is slowed down because some internal network communication inside the filesystem takes way too much time. And SMBFS can only deal with one request at a time, so it basically blocks if there are more requests incoming ...

    Unfortunately, supporting a newer protocol version would basically mean a complete rewrite of SMBFS more or less - which should probably be done anyway.
    I guess we need to do it at some point but it is not on our top priority list right now.

    AFAICT, there is no substitute for it currently. Is there some way in your NAS to allow legacy SMB support again maybe ?
  • »27.08.22 - 13:09
  • Priest of the Order of the Butterfly
    matt3
    Posts: 704 from 2004/2/10
    @CYFN Thanks for that.

    I did a lot more testing and I found if I turned off IPS on the new security device it fixed the issue. Not only with Morphos but also other computers trying to play large movie files.

    Strange that IPS would do this? So I don't think it is the QNAP but the new security appliance. Strange because it has a lot of cpu grunt and power and is a new next gen device...

    [ Edited by matt3 27.08.2022 - 13:39 ]
  • »27.08.22 - 17:21
  • MorphOS Developer
    Piru
    Posts: 587 from 2003/2/24
    From: Finland, the l...
    Quote:

    matt3 wrote:
    @CYFN Thanks for that.

    I did a lot more testing and I found if I turned off IPS on the new security device it fixed the issue. Not only with Morphos but also other computers trying to play large movie files.

    Strange that IPS would do this? So I don't think it is the QNAP but the new security appliance. Strange because it has a lot of cpu grunt and power and is a new next gen device...

    It's hard to know for sure, but this is my take on this:

    IPS typically works by inspecting the network traffic in real time. Since it has to be able to prevent intrusion, it needs to make a decision on each packet whether to pass or block it. This adds latency, which has a negative impact on network performance. The MorphOS network stack specifically is rather sensitive to excessive latency.
  • »27.08.22 - 18:15
  • Priest of the Order of the Butterfly
    matt3
    Posts: 704 from 2004/2/10
    Thanks Piru,

    How much of a risk is it to turn off IPS?
    Quote:

    Piru wrote:
    Quote:

    matt3 wrote:
    @CYFN Thanks for that.

    I did a lot more testing and I found if I turned off IPS on the new security device it fixed the issue. Not only with Morphos but also other computers trying to play large movie files.

    Strange that IPS would do this? So I don't think it is the QNAP but the new security appliance. Strange because it has a lot of cpu grunt and power and is a new next gen device...

    It's hard to know for sure, but this is my take on this:

    IPS typically works by inspecting the network traffic in real time. Since it has to be able to prevent intrusion, it needs to make a decision on each packet whether to pass or block it. This adds latency, which has a negative impact on network performance. The MorphOS network stack specifically is rather sensitive to excessive latency.
  • »27.08.22 - 19:51
  • MorphOS Developer
    Piru
    Posts: 587 from 2003/2/24
    From: Finland, the l...
    Quote:

    matt3 wrote:
    Thanks Piru,

    How much of a risk is it to turn off IPS?
    I can't possibly know what your threat model is so it would be unwise for me to give absolute advice on this.

    If it is possible to exclude hosts or protocols from IPS you could try excluding the MorphOS box or samba/CIFS protocol. It's possible that this way it would not have the detrimental effect on the samba performance.

    As always, disabling IPS coverage does reduce the security it provides. It's up to you to decide if this is acceptable.

    [ Edited by Piru 27.08.2022 - 23:06 ]
  • »27.08.22 - 20:06
  • Priest of the Order of the Butterfly
    matt3
    Posts: 704 from 2004/2/10
    I will try turning off IPS for the LAN and leaving it on for the WAN.
  • »27.08.22 - 20:37
  • Priest of the Order of the Butterfly
    matt3
    Posts: 704 from 2004/2/10
    Quick update: I turned off everything (Geoblocking, IPS, Virus, Malware, Bots), so in my mind it is just a router with a NAT firewall. MorphOS sorta works now, at least. It can read the NAS. It still is slow and sometimes I get the hourglass when I click the NAS or its folders. Sometimes it locks Ambient and will eventually come back.

    I'm having other issues just streaming movies well across it on the pc. Getting out to the internet works fine for the most part, just issues on the lan.

    Quote:

    matt3 wrote:
    I will try turning off IPS for the LAN and leaving it on for the WAN.
  • »02.09.22 - 20:23
  • Priest of the Order of the Butterfly
    matt3
    Posts: 704 from 2004/2/10
    OK, I figured it out.

    Something in my network (switches or wires maybe) is the issue. I portshielded a bunch of stuff, including MOS, directly to the device. Everything worked perfectly even with everything turned on.

    Crazy, since the old Linksys router I used works perfectly in the same network...

    Oh well..
  • »03.09.22 - 00:11
  • Priest of the Order of the Butterfly
    matt3
    Posts: 704 from 2004/2/10
    Quick update:

    I updated the firmware on the NAS and SMB1 was disabled. I was able to get around it in the end, but as mentioned earlier in this thread SMBv1 is being phased out because of all the ransomware attacks that exploit v1.
  • »18.09.22 - 05:03
  • Priest of the Order of the Butterfly
    KennyR
    Posts: 880 from 2003/3/4
    From: #AmigaZeux, Gu...
    Quote:

    matt3 wrote:
    Quick update:

    I updated the firmware on the NAS and SMB1 was disabled. I was able to get around it in the end, but as mentioned earlier in this thread SMBv1 is being phased out because of all the ransomware attacks that exploit v1.
    "Being phased out" is a curious choice of words. It may be almost a decade now that it's been disabled in Windows by default. CIFS filesystem on Linux, and Windows via adjusting group management settings, can still access it via switches if required. I suppose you mean that these workarounds may someday be removed, which is likely at least for Windows.

    I know this pain, as I own two NAS and an SMB-capable media player and they all, while still in perfect working order and daily use, require SMBv1 connections. (I was kinda hoping for new EU legislation to force vendors to push security updates to their devices for a decade to come in soon, but then we left the EU and now we have sewage in our sea and bankers' bonus caps removed, so there's that...) Wouldn't help me though, my stuff is ancient.

    Edit: I think it's a shame that standalone computers like Raspberry Pi are so badly limited when it comes to SATA and handle all their USB on the same PCI lane, or they'd make a nice NAS. The Pi4 at least separates network and USB on different lanes but it runs too hot to be a real NAS. There has been a sudden price drop in a lot of Mini x64 PCs lately, but they do tend to also run hot... and suck.

    [ Edited by KennyR 18.09.2022 - 12:26 ]
  • »18.09.22 - 11:17
  • Priest of the Order of the Butterfly
    KennyR
    Posts: 880 from 2003/3/4
    From: #AmigaZeux, Gu...
    I'm not even sure it's still possible to configure smbd itself to accept SMBv1 connections. I just ran testparm on my Pi and it said all the options were deprecated.

    Edit: The addition of

    ntlm auth = ntlmv1-permitted

    to smb.conf will still allow SMBv1 and access via MorphOS.

    ...for now.

    [ Edited by KennyR 18.09.2022 - 12:44 ]
  • »18.09.22 - 11:35
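As an added example (not code from anyone in the thread and not part of Samba): a hypothetical smb.conf audit that reports the [global] settings which re-enable SMB1 on a Samba server, the `ntlm auth` line from the post above and `server min protocol`, which Samba 4.11 and later defaults to SMB2_02 and which must be lowered to NT1 before an SMB1 client can negotiate at all. Both sample configs are constructed here so the script runs offline.

```python
# Hypothetical helper, not Samba's own tooling; sample configs are constructed.

# Samba dialect names in increasing order, as accepted by 'server min protocol'.
PROTO_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
               "SMB2_02", "SMB2_10", "SMB2", "SMB3_00", "SMB3_02", "SMB3_11", "SMB3"]

LEGACY_SAMPLE = """\
[global]
   workgroup = WORKGROUP
   # NT1 lets SMB1 clients such as MorphOS SMBFS negotiate
   server min protocol = NT1
   # the setting named in the post above
   ntlm auth = ntlmv1-permitted
"""

HARDENED_SAMPLE = """\
[global]
   workgroup = WORKGROUP
   # Samba 4.11+ defaults, written out explicitly
   server min protocol = SMB2_02
   ntlm auth = ntlmv2-only
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; Samba ignores case and spacing in names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit_smb1(text):
    """List [global] settings that allow SMB1 or NTLMv1; an empty list means clean."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    # 'min protocol' is a synonym; default since Samba 4.11 is SMB2_02.
    min_proto = glob.get("server min protocol", glob.get("min protocol", "SMB2_02")).upper()
    if min_proto in PROTO_ORDER and PROTO_ORDER.index(min_proto) < PROTO_ORDER.index("SMB2_02"):
        findings.append("server min protocol = %s permits SMB1 negotiation" % min_proto)
    # Default is ntlmv2-only; 'ntlmv1-permitted' (legacy spelling 'yes') re-enables NTLMv1.
    ntlm = glob.get("ntlm auth", "ntlmv2-only").lower()
    if ntlm in ("ntlmv1-permitted", "yes", "true"):
        findings.append("ntlm auth = %s permits NTLMv1 authentication" % ntlm)
    return findings
```

Run `audit_smb1` over the output of `testparm -s` on the NAS to see which of the two legacy settings is actually in effect rather than relying on the shipped defaults.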
  • MorphOS Developer
    cyfm
    Posts: 537 from 2003/4/11
    From: Germany
    We sure need to come up with a replacement solution at some point but this is nowhere near right now, at least not from any of the MorphOS Team developers afaict.
  • »18.09.22 - 12:26
  • Caterpillar
    xeno74
    Posts: 40 from 2020/6/8
    Just for info: MacOS X 10.5.8 Leopard is connecting via SMB1(NT1) to a new Samba Server (simple smb.conf): Hyperion-Forum

    [ Edited by xeno74 18.09.2022 - 18:16 ]
  • »18.09.22 - 16:14
  • Priest of the Order of the Butterfly
    matt3
    Posts: 704 from 2004/2/10
    I'm good to go now that I know how to change to SMB1. Lots of warnings that I will be letting ransomware in and destroying the known universe. But I'm good.

    I appreciate that MorphOS works well on the NAS now. The Sync2 also does a nice job keeping a few folders updated.
  • »18.09.22 - 16:39
  • Priest of the Order of the Butterfly
    KennyR
    Posts: 880 from 2003/3/4
    From: #AmigaZeux, Gu...
    The risks are much less if you're just operating on your own LAN. (The internet should never be allowed to access SMB ports regardless of how secure, obviously.)

    If you're operating on a laptop, though, and take it onto a work, library or uni LAN with SMBv1 active, that's where you'll have trouble.
  • »18.09.22 - 21:05
  • Priest of the Order of the Butterfly
    matt3
    Posts: 704 from 2004/2/10
    Thanks for the explanation Kenny.

    Think I'm good to go now, everything is running well. I wish 2.5Gb switches were cheaper and more plentiful!

    Quote:

    KennyR wrote:
    The risks are much less if you're just operating on your own LAN. (The internet should never be allowed to access SMB ports regardless of how secure, obviously.)

    If you're operating on a laptop, though, and take it onto a work, library or uni LAN with SMBv1 active, that's where you'll have trouble.
  • »20.09.22 - 14:17
  • Paladin of the Pegasos
    Acill
    Posts: 1926 from 2003/10/19
    From: Port Hueneme, Ca.
    The latest QNAP updates have disabled SMB1 by default. If you want to still use it, they have an option in the settings to enable legacy 1.0 services again. Turn it on and it will be faster again, at the risk of less security of course.
    Powermac Dual 2.0 GHZ G5 PCI-X (Registration #1894)
    Powerbook 1.67GHZ
    Powermac Dual 2.0 GHZ G5 PCIE (Registration #6130)
    A4000T CSPPC, Mediator
    Need Repairs, upgrades or a recap in the USA? Visit my website at http://www.acill.com
  • »21.09.22 - 13:10
  • Priest of the Order of the Butterfly
    KennyR
    Posts: 880 from 2003/3/4
    From: #AmigaZeux, Gu...
    Quote:

    Acill wrote:
    The latest QNAP updates have disabled SMB1 by default. If you want to still use it, they have an option in the settings to enable legacy 1.0 services again. Turn it on and it will be faster again, at the risk of less security of course.
    See #12.
  • »24.09.22 - 20:05