# SMB over WAN and VPN



## freejlr (Oct 4, 2022)

I have read many comments and threads on the net that the SMB/CIFS protocol is not a good idea to implement under WAN due to high latencies.

But I want to expose the following: I am a student, but at the same time I work in a company giving IT support under the category "Junior". Well, in our IT room we have some Synology equipment and some servers working with Proxmox; the VPNs work with SonicWall.

Well, in this company they use the SMB/CIFS protocol under the VPN to share information at a national level with the other offices distributed throughout the country.

On the other hand, I think that Azure offers service with SMB 3.0x at the WAN level if I'm not mistaken.

That is my question: how crazy is it to have a scenario like that? I don't understand why there are so many comments of "No, SMB is not for that..." Could it be that the company I work for is not doing things right? I was very surprised to see this kind of scenario.

For example, I have an r320 at home under ZFS and it works with Samba. I am waiting for an r220 to configure it as a router; I would also like it to be a VPN and I would like to do something similar for practice. But for example when I was reading an example on the Oracle website about ZFS snapshots, apparently you can send them through SSH, so it makes me understand that SSH can be used to share data, but at the SMB or NFS level? I understand that it is not only used to make specific file transfers, right? Sorry for the ignorance.

I know of protocols like SFTP, but isn't it the same as SSHD from FreeBSD?

On the other hand when I do a snapshot transfer or whatever with ssh or even netcat, don't the latencies affect it as negatively as SMB?

Thanks.


----------



## SirDice (Oct 4, 2022)

freejlr said:


> But for example when I was reading an example on the Oracle website about ZFS snapshots, apparently you can send them through SSH


See zfs-send(8). This basically produces an output stream, like any other command or process that produces output. That output is piped over an SSH connection. The other side receives this output stream as input and connects it to zfs-receive(8) that 'converts' this input stream back to something ZFS understands. 

It's really not that different from doing `ssh me@some.host tar -zcf - /some/directory | tar -zxvf -` or `tar -zcf - /some/directory | ssh me@some.host tar -zxvf -`

Simpler example: `echo "Hello World" | ssh me@some.host cat` or `ssh me@some.host echo "Hello World" | cat`



freejlr said:


> I know of protocols like SFTP, but isn't it the same as SSHD from FreeBSD?


SFTP is a standard feature of OpenSSH. It looks and feels just like the 'old' FTP client/server but does everything over an SSH connection. 


```
# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server
```
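
A restricted variant of the `Subsystem` line above for the case raised in this thread, SFTP reachable over the WAN without a VPN. This is an added example, not part of SirDice's post; the group name `sftponly` and the `/srv/sftp` path are assumptions.

```conf
# sshd_config fragment (added example; "sftponly" and /srv/sftp are assumed names)

# Replaces the default Subsystem line (only one "sftp" subsystem may be defined).
# internal-sftp runs inside sshd, so the chroot needs no binaries or libraries.
Subsystem       sftp    internal-sftp

# Key-based logins only on an Internet-facing sshd.
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no

# Members of the assumed group "sftponly" get file transfer and nothing else.
Match Group sftponly
    # %u expands to the user name. The chroot directory and all of its parents
    # must be owned by root and not writable by group or others, so give each
    # user a writable subdirectory inside it (for example "upload").
    ChrootDirectory /srv/sftp/%u
    # Ignore any command the client asks for: no shell, no scp, no remote exec.
    ForceCommand internal-sftp
    # No tunnelling into the internal network through this account.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```

Check the file with `sshd -t` before reloading sshd.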


----------



## freejlr (Oct 5, 2022)

If you've been skimming the sftp-server manual, Subsystem is a declaration of sshd_config.

Ok, but the ssh pipe doesn't use any protocol such as SFTP since it gives me to understand that this is an option, and that it is simply passing the snapshots like this:

`nc @myhost @myport < file`

I think I'm mixing a lot of things and I can be misunderstood, sorry. 

But in the Oracle example with the sending of snapshots it uses ssh, as it could use nc. Well, nc does not offer encryption by default, but with OpenSSL the snapshot could be encrypted and the file sent securely.

But that is not my point, for example if we want to transfer files to a host with 300-400ms of latency, practice says that SMB under a VPN will be a disaster.

I understand that in this case it would be better to use a protocol like FTP or by default SFTP so I would not need a VPN thanks to SSH.

Since the FTP protocol is designed to work with high latencies and SMB is not.

But for example, how would that type of latency affect an ssh pipe or a netcat pipe?

Here Microsoft says the following:

SMB 3



> Traditional storage for end-user data. The SMB 3.0 protocol provides enhancements to the Information Worker (or client) workloads. These enhancements include reducing the application latencies experienced by branch office users when accessing data over wide area networks (WAN) and protecting data from eavesdropping attacks.




I don't understand, so SMB3 is prepared to operate under high latency WAN networks? Or up to a certain limit?

I understand that FTP or HTTP works better than SMB3 since they are designed for WAN. But that is confusing to me, apparently Samba 4.3x supports SMB3.

So for that reason would it be feasible to use SMB3 for a WAN network under a VPN?

I can understand that it would be better to use SFTP. But that paragraph from Microsoft leaves me a little out of place, and the practices that are used in my work.

Thanks.


----------



## SirDice (Oct 5, 2022)

Let's circle back to the beginning. What are you going to transfer and why do you think latency is important? Let's prevent an XY problem.


----------



## im (Oct 5, 2022)

I have used SMB even over an ssh tunnel. It is hard but it works.
Please specify the overall size of files/snapshots and the number of files.

When I need to copy some data over the Internet, I use *rsync* or *SFTP*.
Both are supported by Windows/Linux/FreeBSD.
If you need to sync some files between Windows machines, use the native Windows tool *robocopy* over any VPN.


----------



## freejlr (Oct 7, 2022)

Ok, let's forget everything else and let's just talk about SMB.

Let's take a hard example, I need X users to exchange X files from anywhere.

I understand that the SMB/CIFS protocol is not good or is designed to work with high latencies, the performance is poor. That rules out to be used in WAN environments.

But according to that Microsoft text SMB v3 is more adapted to work in high latency WAN networks.

My question is practically, is it good practice to use SMB v3 in this case, so that users can exchange files remotely through the WAN?

In a harder example, from the other side of the world, with latencies of 300-400ms etc...

Ok there ends my question about SMB/CIFS.

About the VPN, simply because this is how we have it at work: users, when they travel or when they work from home, connect to the VPN to access the network drives applied in the SMB/CIFS protocol, and also to access the intranet and SAP servers etc...

That would be my question in relation to the title of the topic. I think now it is better understood, it was my mistake to mix ssh, ZFS and netcat.

Ok I think that based on the example above it would be better to use a protocol designed for the WAN such as FTP in this case SFTP or HTTP, right?

Thanks.


----------

