Proxmox VM with 4 GB RAM and 128 GB HDD on Intel NUC12 Pro i7 Host
Roon ROCK v2.0 (build 1311) production,
Networking Gear & Setup Details
Ubiquiti
Connected Audio Devices
Multiple RPi 4B’s with Digi IO Hats.
Number of Tracks in Library
Testing with < 500 tracks.
Description of Issue
I am not having an issue per se, I am requesting confirmation from Roon support about the availability / usage status of SMB v1 in Roon ROCK.
When I connect as ‘Guest’ from my MacBookPro to the ‘data’ share exposed by ROCK I can see that the connection is established using SMB v2 by running the following command on my Mac terminal…
smbutil statshares -a
However, the results returned indicate the ‘SMB_NEGOTIATE’ attribute is set to ‘SMBV_NEG_SMB1_ENABLED’ and I wondered if this means SMB v1 connections are allowed?
It appears I can connect via SMB v1 if I pass in the parameter at the cli…
smbclient -m NT1 --option="client min protocol=NT1" -U guest "//nnn.nnn.nnn.nnn/data"
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \>
… and an nmap scan from another machine indicates SMB v1 too…
nmap --script smb-protocols nnn.nnn.nnn.nnn
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 23:59 BST
Nmap scan report for cccc.cccc.ccc (nnn.nnn.nnn.nnn)
Host is up (0.0091s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
9200/tcp open wap-wsp
Host script results:
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
|_ 2.02
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Please can someone confirm if SMB v1 connections are allowed and if so are there any plans to enforce a min connection of SMB 2+ ?
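What the nmap `smb-protocols` line above rests on, as an added example (not part of the original posts, and not nmap's or Roon's code): a Python check that offers a server only the `NT LM 0.12` dialect in an SMB1 negotiate request and classifies the reply. The function names and return labels are hypothetical, and treating a closed connection or a non-SMB1 answer as "SMB1 not accepted" is an assumption about how servers with SMBv1 disabled behave.

```python
import socket
import struct

NT1 = b"NT LM 0.12"  # the SMBv1 dialect string shown in the nmap output

def build_smb1_negotiate(dialects=(NT1,)):
    """NetBIOS session header + SMB1 SMB_COM_NEGOTIATE offering only SMB1 dialects."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", 0x72,      # protocol id, SMB_COM_NEGOTIATE
        0, 0x18, 0xC801,       # status, flags, flags2
        0, b"\0" * 8, 0,       # PIDHigh, security features, reserved
        0xFFFF, 0x0001, 0, 1,  # TID, PIDLow, UID, MID
    )
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(body)) + body  # WordCount=0, ByteCount
    return struct.pack(">I", len(smb)) + smb  # top byte 0x00 = session message

def classify_negotiate_reply(reply):
    """Return 'smb1-accepted', 'smb1-refused' or 'no-smb1-reply'."""
    smb = reply[4:]  # skip the 4-byte NetBIOS session header
    if len(smb) < 35 or smb[:4] != b"\xffSMB" or smb[4] != 0x72:
        return "no-smb1-reply"  # closed connection, SMB2-only answer, or garbage
    status, = struct.unpack_from("<I", smb, 5)          # NT status field
    dialect_index, = struct.unpack_from("<H", smb, 33)  # first parameter word
    if status != 0 or dialect_index == 0xFFFF:
        return "smb1-refused"  # server speaks SMB1 framing but picked no dialect
    return "smb1-accepted"

def probe(host, port=445, timeout=3.0):
    """Send the negotiate to a server you administer and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return classify_negotiate_reply(s.recv(4096))
    except OSError:
        return "no-smb1-reply"
```

A result of `smb1-accepted` from `probe()` corresponds to the `NT LM 0.12 (SMBv1)` entry in the scan; after a minimum of SMB 2 is enforced on a server, the same call should return one of the other two labels.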
I cannot state anything, other than I believe SMB 1 is active for compatibility reasons.
But, why does this bother you so much? Do you have bad perimeter security or rogue computing units on your network or what?
Hi Mikael - thanks for responding.
I posed the question to help me understand and mitigate the risks involved.
In answer to your question, No, I do not believe I have bad perimeter security or rogue computing units on my network. I treat my music equipment as IOT devices, place them in a separate VLAN and hope the firewall does its job. Does this mean I can say for certain that my network is secure? No.
With respect to rogue computing units, there are many IOT devices on people’s networks that will never get a security patch or a firmware fix in their life. Why make it any easier than it needs to be for them to access other devices? I do not think it is unreasonable to expect a device to require authentication and to transmit data securely.
If SMB v1 connections are allowed for compatibility reasons then I would argue they should not be. The sooner devices stop allowing SMB v1 the sooner other devices will not need to allow it for compatibility reasons.
As I said at the start, I posed the question to help me understand and mitigate the risks involved for my network. Let’s see what Roon Support say as they will know for sure.
I completely agree that there are very valid reasons why protocols with low security or known breaches should be disabled.
As always, every choice made is a compromise though.
I’ll monitor for any official response also! Enjoy the tunes’ while!
Thanks Robert.
I did see a similar / updated article (link below) which states that SMB v2 or v3 can be used however it does not (as far as I can see) state what the minimum allowed SMB version is.
FAQ: What’s the best way to configure my NAS for Roon?
We’ll need Roon staff to comment when they are in the office next week, but I believe SMB1 is removed now that Microsoft deleted support for it from Windows.
I believe Roon ROCK is locked down and users do not have access to SSH so no way to edit /etc/samba/smb.conf (as far as I am aware).
I am still waiting to hear anything from Roon Support - hopefully someone there is monitoring this thread so when they respond we may get confirmation on that too.
They do monitor the Support area but they are never blessed with a surplus of capacities, and currently it’s probably the first priority to sort out remaining issues caused by the recent big update, so I guess you need a bit of patience.
Ok. I did not know there was a recent big update - let’s hope there are not too many issues to sort. Hopefully this ticket will not get auto closed in the meantime…
Yeah, this one I linked below I don’t think it’s super bad but it changed the fundamental setup and some people are experiencing issues where things didn’t go fully automatically. And with 200K or more updates, even a very small percentage causes noticeable fallout…
As the last reply is coming up to 1 month ago I guess this ticket may just close with no answer.
At $830 USD Roon is probably the most expensive piece of software I have bought and I am a little disappointed there has been no official response from Roon Support.
Assuming that SMBv1 is allowed and cannot be disabled on Roon ROCK (as I have not heard anything to the contrary), my advice to anyone setting up Roon Rock / Nucleus on their network would be to consider the following…
If possible, segment your network and place the Roon Rock / Nucleus device in a separate VLAN (maybe a separate IOT VLAN).
Set up firewall rules to block SMB v1 where possible (maybe host music files on a separate device (NAS etc.) that enforces SMB v2 as a minimum).
Only allow SMB v1 traffic to the Nucleus / Roon Rock when needed (such as to access logs / database backups etc.) and block at other times.
If setting up VLANs is not an option then consider placing the device in a Guest network to provide a level of isolation from your primary network - many home routers have this facility now.
I chose to run Roon Rock as I like the idea of a lightweight software device that updates itself, however perhaps installing the Roon Server Software on top of Linux might be a better option as this may be more flexible? Just my thoughts.
Yes, Roon ROCK still supports v1, we also support v2. As of now, there are no current configuration options for ROCK/RoonOS. We have shared your concerns with our development team for further investigation.