QNAP QuFirewall blocks Naim Core - RESOLVED

Lownote · December 5, 2024, 6:38pm

I finally have a resolution to the problem where my QNAP NAS was blocking my Core due to multiple failed login attempts, although it worked fine until being blocked - and I had to turn off the error alert messages because they were flooding my email. I know it has happened to some people in the past. I’m posting here just to make a record of it in case someone else gets a similar problem . . .

Details are below, but the TLDR version is that (1) On your NAS, you have to hide or remove QNAP shared folders that are impossible to log into (thus the Core is seen to repeatedly fail to log in) and (2) NAIM found a couple of lines of code in the Core that cause it to request an SMB1 protocol, which should be fixed when the next Core firmware update comes out (written Dec 2024 - currently version 2.5.8(4064)).

Details:
This was a tough problem, with both QNAP and Naim playing a part in it. My QNAP NAS was kicking off two errors “Deny – Login Fail (SMB)” and “Naim Login Fail (SMB)”, with the IP address of my Core being the culprit. The errors happened frequently enough that the NAS blocked the Core’s IP address, even though I had a firewall rule specifically allowing that IP address. Apparently QNAP blocks repeated failed logins before the QuFirewall looks at the rules that might allow that device.

On the QNAP side, the “Naim Login Fail (SMB)” error occurs because they were presenting two share folders that were impossible to mount (access) even using the NAS admin credentials. One folder was “Browser Station”, and the other was a legacy folder called “Family”. The Core would see those two shared folders in its network scan and, failing to mount them, would repeatedly attempt to access them, causing the NAS to generate a “Naim Login Fail (SMB)” error with every attempt. If it happened frequently enough then the NAS would block the Core’s IP address. The “fix” suggested by QNAP was to delete the app that created the folder, then delete the folders. This was OK for me for now since I don’t use that app, but others might NOT want to delete those folders, and those errors would continue until QNAP finds a way to either allow them to be hidden from the network like their other share folders can be, or to allow the login credentials to be changed so the Core can access them. I’ve made QNAP aware of this problem, but I have no news on their intention to fix it, or not.

On the Naim side, a Naim software engineer found two lines of code that were causing an SMB 1 prototcol request to be sent, which the NAS would reject, triggering the “Deny – Login Fail (SMB)” message unless I was allowing (the unsecure) SMB1 as my lowest protocol. QNAP had reported seeing this SMB1 request in the packet capture I sent them, but Naim was unaware that it was happening (until today). He tested a code change to prove that it resolved the problem, but the final fix requires a Core firmware update. Fortunately that error occurs too infrequently to trigger my NAS to block the Core. All I need to do in the meantime is periodically to clear out the accumulating error messages. The Core itself works perfectly. Bottom line, my NAS-Core error issues will be resolved with the next Core firmware update.

This was a long arduous journey, and I want to thank Naim for its outstanding support and persistence with this issue.

davidhendon · December 5, 2024, 7:29pm

Very interesting. Well done in finding the solution and thank you for feeding it back to us here.

sound-hound · December 6, 2024, 11:36am

Would you mind sharing the model of your Qnap NAS?

Lownote · December 6, 2024, 12:38pm

Certainly. My QNAP NAS is a TS 453D.

agisthos · December 10, 2024, 11:36am

Qnap did a firmware update a few years back that automatically disabled SMB1 sharing, so older devices found they could not connect to folder shares after the update. Its not that its unsecure, its just old and they want you to use v2 or v3.

I was using an Oppo 103 and that era of devices could only connect with SMBv1. Easy to change in the QNAP menu.

Lownote · December 10, 2024, 1:40pm

The problem on the Core side was not about SMB compatibility - it works just fine reading from the QNAP folders (now that QNAP has fixed their side of the problem). It sounds strange, I know, that the Core works fine while the QNAP reports login fail errors from the Core IP address. The problem here was that although the Core uses SMB3, it was unknowingly also sending out a protocol request for SMB1 via those two lines of code that the Naim engineer found in the Core firmware. It is that SMB 1 request that continues to cause the QNAP to report login errors from the Core, while the SMB3 transactions work as intended.

I can make the errors stop by enabling SMB1 as the lowest protocol on the QNAP, but that is not a satisfactory solution. Now that Naim knows the cause, they will apply a fix in the next Core firmware update. Meanwhile, I have the QNAP minimum SMB setting at SMB2 (or SMB3), and I let the QNAP login errors accumulate without concern.

agisthos · December 10, 2024, 3:15pm

No need to repeat yourself, we get it. Maybe some NAS work with a false protocol request, if its a lower level.

If Qnap had not force shut SMBv1 maybe some would not have even noticed, as it would still work. But its good to find bugs in the system and good that Naim development is active and responsive.

I wonder if Synology and other NAS makers have done the same. Maybe Naim was testing with Synology NAS, which possibly had SMBv1 enabled, thus not seeing the problem.

system · February 8, 2025, 3:15pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.